goldilocks.js/lib/goldilocks.js

'use strict';

module.exports.create = function (deps, config) {
  console.log('config', config);

  //var PromiseA = global.Promise;
  var PromiseA = require('bluebird');
  var greenlock = require('greenlock');
  var listeners = require('./servers').listeners;
  var parseSni = require('sni');
  var modules = { };
  var program = {
    tlsOptions: require('localhost.daplie.me-certificates').merge({})
//  , acmeDirectoryUrl: 'https://acme-v01.api.letsencrypt.org/directory'
  , acmeDirectoryUrl: 'https://acme-staging.api.letsencrypt.org/directory'
//  , challengeType: 'tls-sni-01' // won't work with a tunnel
  , challengeType: 'http-01'
  };
  var secureContexts = {};
  var tunnelAdminTlsOpts = {};
  var tls = require('tls');
  var domainMatches = require('./match-domain').match;

  var tlsRouter = {
    proxy: function (socket, opts, mod) {
      var newConn = deps.net.createConnection({
        port: mod.port
      , host: mod.address || '127.0.0.1'

      , servername: opts.servername
      , data: opts.data
      , remoteFamily: opts.family || socket.remoteFamily || socket._remoteFamily || socket._handle._parent.owner.stream.remoteFamily
      , remoteAddress: opts.address || socket.remoteAddress || socket._remoteAddress || socket._handle._parent.owner.stream.remoteAddress
      , remotePort: opts.port || socket.remotePort || socket._remotePort || socket._handle._parent.owner.stream.remotePort
      }, function () {
        // this will happen before 'data' is triggered
      });

      newConn.pipe(socket);
      socket.pipe(newConn);
    }
  , terminate: function (socket) {
      // We terminate the TLS by emitting the connections of the TLS server and it should handle
      // everything we need to do for us.
      program.tlsTunnelServer.emit('connection', socket);
    }

  , handleModules: function (socket, opts) {
      // needs to wind up in one of 2 states:
      // 1. SNI-based Proxy / Tunnel (we don't even need to put it through the tlsSocket)
      // 2. Terminated (goes on to a particular module or route, including the admin interface)

      var handled = (config.tls.modules || []).some(function (mod) {
        var relevant = mod.domains.some(function (pattern) {
          return domainMatches(pattern, opts.servername);
        });
        if (!relevant) {
          return false;
        }

        if (mod.name === 'proxy') {
          tlsRouter.proxy(socket, opts, mod);
        }
        else if (mod.name === 'terminate') {
          tlsRouter.terminate(socket);
        }
        else {
          console.error('saw unknown TLS module', mod);
          return false;
        }

        return true;
      });

      // We gotta do something, so when in doubt terminate the TLS since we don't really have
      // any good place to default to when proxying.
      if (!handled) {
        tlsRouter.terminate(socket);
      }
    }

  , processSocket: function (socket, firstChunk, opts) {
      if (opts.hyperPeek) {
        // See "PEEK COMMENT" for more info
        // This was already peeked at by the tunneler and this connection has been created
        // in a way that should work with node's TLS server, so we don't need to do any
        // of the myDuplex stuff that we need to do with non-tunnel connections.
        tlsRouter.handleModules(socket, opts);
        return;
      }

      // Why all this wacky-do with the myDuplex?
      // because https://github.com/nodejs/node/issues/8854, that's why
      // (because node's internal networking layer == 💩  sometimes)
      var myDuplex = require('tunnel-packer').Stream.create(socket);
      myDuplex.remoteAddress = opts.remoteAddress || myDuplex.remoteAddress;
      myDuplex.remotePort = opts.remotePort || myDuplex.remotePort;

      socket.on('data', function (chunk) {
        console.log('[' + Date.now() + '] tls socket data', chunk.byteLength);
        myDuplex.push(chunk);
      });
      socket.on('error', function (err) {
        console.error('[error] httpsTunnel (Admin) TODO close');
        console.error(err);
        myDuplex.emit('error', err);
      });
      socket.on('close', function () {
        myDuplex.end();
      });

      var address = opts.localAddress || socket.localAddress;
      var port = opts.localPort || socket.localPort;
      console.log('[tlsRouter] ' + address + ':' + port + ' servername', opts.servername, myDuplex.remoteAddress);

      tlsRouter.handleModules(myDuplex, opts);
      process.nextTick(function () {
        // this must happen after the socket is emitted to the next in the chain,
        // but before any more data comes in via the network
        socket.unshift(firstChunk);
      });
    }
  };


  // opts = { servername, encrypted, peek, data, remoteAddress, remotePort }
  function peek(conn, firstChunk, opts) {
    // TODO port/service-based routing can do here

    // TLS byte 1 is handshake and byte 6 is client hello
    if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) {
      opts.servername = (parseSni(firstChunk)||'').toLowerCase() || 'localhost.invalid';
      tlsRouter.processSocket(conn, firstChunk, opts);
      return;
    }

    // This doesn't work with TLS, but now that we know this isn't a TLS connection we can
    // unshift the first chunk back onto the connection for future use. The unshift should
    // happen after any listeners are attached to it but before any new data comes in.
    if (!opts.hyperPeek) {
      process.nextTick(function () {
        conn.unshift(firstChunk);
      });
    }

    // Connection is not TLS, check for HTTP next.
    if (firstChunk[0] > 32 && firstChunk[0] < 127) {
      var firstStr = firstChunk.toString();
      if (/HTTP\//i.test(firstStr)) {
        if (!modules.http) {
          modules.http = require('./modules/http.js').create(deps, config);
        }

        conn.__opts = opts;
        modules.http.emit('connection', conn);
        return;
      }
    }

    console.warn('failed to identify protocol from first chunk', firstChunk);
    conn.close();
  }
  function netHandler(conn, opts) {
    opts = opts || {};
    console.log('[netHandler]', conn.localAddres, conn.localPort, opts.encrypted);

    // XXX PEEK COMMENT XXX
    // TODO we can have our cake and eat it too
    // we can skip the need to wrap the TLS connection twice
    // because we've already peeked at the data,
    // but this needs to be handled better before we enable that
    // (because it creates new edge cases)
    if (opts.hyperPeek) {
      console.log('hyperpeek');
      peek(conn, opts.firstChunk, opts);
      return;
    }

    conn.once('data', function (chunk) {
      peek(conn, chunk, opts);
    });
  }

  function dnsListener(msg) {
    var dgram = require('dgram');
    var socket = dgram.createSocket('udp4');
    socket.send(msg, config.dns.proxy.port, config.dns.proxy.address || '127.0.0.1');
  }

  function createTcpForwarder(mod) {
    var destination = mod.address.split(':');

    return function (conn) {
      var newConn = deps.net.createConnection({
        port: destination[1]
      , host: destination[0] || '127.0.0.1'

      , remoteFamily:  conn.remoteFamily
      , remoteAddress: conn.remoteAddress
      , remotePort:    conn.remotePort
      }, function () {

      });

      newConn.pipe(conn);
      conn.pipe(newConn);
    };
  }

  function approveDomains(opts, certs, cb) {
    // This is where you check your database and associated
    // email addresses with domains and agreements and such

    // The domains being approved for the first time are listed in opts.domains
    // Certs being renewed are listed in certs.altnames

    function complete(err, stuff) {
      opts.email = stuff.email;
      opts.agreeTos = stuff.agreeTos;
      opts.server = stuff.server;
      opts.challengeType = stuff.challengeType;

      cb(null, { options: opts, certs: certs });
    }

    if (certs) {
      // TODO make sure the same options are used for renewal as for registration?
      opts.domains = certs.altnames;

      cb(null, { options: opts, certs: certs });
      return;
    }

    // check config for domain name
    if (-1 !== config.tls.servernames.indexOf(opts.domain)) {
      // TODO how to handle SANs?
      // TODO fetch domain-specific email
      // TODO fetch domain-specific acmeDirectory
      // NOTE: you can also change other options such as `challengeType` and `challenge`
      // opts.challengeType = 'http-01';
      // opts.challenge = require('le-challenge-fs').create({}); // TODO this doesn't actually work yet
      complete(null, {
        email: config.tls.email, agreeTos: true, server: program.acmeDirectoryUrl, challengeType: program.challengeType });
      return;
    }
    // TODO ask http module about the default path (/srv/www/:hostname)
    // (if it exists, we can allow and add to config)
    if (!modules.http) {
      modules.http = require('./modules/http.js').create(deps, config);
    }
    modules.http.checkServername(opts.domain).then(function (stuff) {
      if (!stuff || !stuff.domains) {
        // TODO once precheck is implemented we can just let it pass if it passes, yknow?
        cb(new Error('domain is not allowed'));
        return;
      }

      complete(null, {
        domain: stuff.domain || stuff.domains[0]
      , domains: stuff.domains
      , email: stuff.email || program.email
      , server: stuff.acmeDirectoryUrl || program.acmeDirectoryUrl
      , challengeType: stuff.challengeType || program.challengeType
      , challenge: stuff.challenge
      });
      return;
    }, cb);
  }

  function getAcme() {
    return greenlock.create({

      //server: 'staging'
      server: 'https://acme-v01.api.letsencrypt.org/directory'

    , challenges: {
        // TODO dns-01
        'http-01': require('le-challenge-fs').create({ webrootPath: '/tmp/acme-challenges', debug: config.debug })
      , 'tls-sni-01': require('le-challenge-sni').create({ debug: config.debug })
      //, 'dns-01': require('le-challenge-ddns').create()
      }

    , store: require('le-store-certbot').create({ webrootPath: '/tmp/acme-challenges' })

    //, email: program.email

    //, agreeTos: program.agreeTos

    , approveDomains: approveDomains

    //, approvedDomains: program.servernames

    });
  }

  deps.tunnel = deps.tunnel || {};
  deps.tunnel.net = {
    createConnection: function (opts, cb) {
      console.log('[gl.tunnel] creating connection');

      // here "reader" means the socket that looks like the connection being accepted
      // here "writer" means the remote-looking part of the socket that driving the connection
      var writer;
      var wrapOpts = {};
      var rawTls = opts.tls || (0x16 === opts.data[0]) && (0x01 === opts.data[5]);

      function usePair(err, reader) {
        if (err) {
          process.nextTick(function () {
            writer.emit('error', err);
          });
          return;
        }

        // this has the normal net/tcp stuff plus our custom stuff
        // opts = { address, port,
        //          hostname, servername, tls, encrypted, data, localAddress, localPort, remoteAddress, remotePort, remoteFamily }
        Object.keys(opts).forEach(function (key) {
          wrapOpts[key] = opts[key];
          try {
            reader[key] = opts[key];
          } catch(e) {
            // can't set real socket getters, like remoteAddr
          }
        });

        // A few more extra specialty options
        wrapOpts.localAddress = wrapOpts.localAddress || '127.0.0.2'; // TODO use the tunnel's external address
        wrapOpts.localPort = wrapOpts.localPort || 'tunnel-0';
        try {
          reader._remoteAddress = wrapOpts.remoteAddress;
          reader._remotePort = wrapOpts.remotePort;
          reader._remoteFamily = wrapOpts.remoteFamily;
          reader._localAddress = wrapOpts.localAddress;
          reader._localPort = wrapOpts.localPort;
          reader._localFamily = wrapOpts.localFamily;
        } catch(e) {
        }

        netHandler(reader, wrapOpts);

        process.nextTick(function () {
          //opts.data = wrapOpts.data;

          // this cb will cause the stream to emit its (actually) first data event
          // (even though it already gave a peek into that first data chunk)
          console.log('[tunnel] callback, data should begin to flow');
          cb();
        });
      }

      wrapOpts.firstChunk = opts.data;
      wrapOpts.hyperPeek = !!opts.data;
      // encrypted meaning is *terminated* TLS
      // tls meaning is *raw* TLS
      if (rawTls) {
        // TLS sockets must actually use a socket with a file descriptor
        // https://nodejs.org/api/net.html#net_class_net_socket

        writer = require('socket-pair').create(function (err, other) {
          usePair(err, other);
        });
      }
      else {
        // stream-pair can only be used by TCP sockets, not tls
        writer = require('stream-pair').create();
        usePair(null, writer.other);
      }

      return writer;
    }
  };

  Object.keys(program.tlsOptions).forEach(function (key) {
    tunnelAdminTlsOpts[key] = program.tlsOptions[key];
  });
  tunnelAdminTlsOpts.SNICallback = function (sni, cb) {
    console.log("[tlsOptions.SNICallback] SNI: '" + sni + "'");

    var tlsOptions;

    // Static Certs
    if (/.*localhost.*\.daplie\.me/.test(sni.toLowerCase())) {
      // TODO implement
      if (!secureContexts[sni]) {
        tlsOptions = require('localhost.daplie.me-certificates').mergeTlsOptions(sni, {});
      }
      if (tlsOptions) {
        secureContexts[sni] = tls.createSecureContext(tlsOptions);
      }
      if (secureContexts[sni]) {
        console.log('Got static secure context:', sni, secureContexts[sni]);
        cb(null, secureContexts[sni]);
        return;
      }
    }

    if (!program.greenlock) {
      program.greenlock = getAcme();
    }
    (program.greenlock.tlsOptions||program.greenlock.httpsOptions).SNICallback(sni, cb);
  };

  program.tlsTunnelServer = tls.createServer(tunnelAdminTlsOpts, function (tlsSocket) {
    console.log('(pre-terminated) tls connection, addr:', tlsSocket.remoteAddress);
    // things get a little messed up here
    //tlsSocket.on('data', function (chunk) {
    //  console.log('terminated data:', chunk.toString());
    //});
    //(program.httpTunnelServer || program.httpServer).emit('connection', tlsSocket);
    //tcpRouter.get(conn.localAddress, conn.localPort)(conn, firstChunk, { encrypted: false });
    netHandler(tlsSocket, {
      servername: tlsSocket.servername
    , encrypted: true
      // remoteAddress... ugh... https://github.com/nodejs/node/issues/8854
    , remoteAddress: tlsSocket.remoteAddress || tlsSocket._remoteAddress || tlsSocket._handle._parent.owner.stream.remoteAddress
    , remotePort: tlsSocket.remotePort || tlsSocket._remotePort || tlsSocket._handle._parent.owner.stream.remotePort
    , remoteFamily: tlsSocket.remoteFamily || tlsSocket._remoteFamily || tlsSocket._handle._parent.owner.stream.remoteFamily
    });
  });

  var listenPromises = [];
  var tcpPortMap = {};
  function addPorts(bindList) {
    if (!bindList) {
      return;
    }
    if (Array.isArray(bindList)) {
      bindList.forEach(function (port) {
        tcpPortMap[port] = true;
      });
    }
    else {
      tcpPortMap[bindList] = true;
    }
  }

  addPorts(config.tcp.bind);
  (config.tcp.modules || []).forEach(function (mod) {
    if (mod.name === 'forward') {
      var forwarder = createTcpForwarder(mod);
      mod.ports.forEach(function (port) {
        if (!tcpPortMap[port]) {
          console.log("forwarding port", port, "that wasn't specified in bind");
        } else {
          delete tcpPortMap[port];
        }
        listenPromises.push(listeners.tcp.add(port, forwarder));
      });
    }
    else {
      console.warn('unknown TCP module specified', mod);
    }
  });

  // Even though these ports were specified in different places we treat any TCP
  // connections we haven't been told to just forward exactly as is equal so that
  // we can potentially use the same ports for different protocols.
  addPorts(config.tls.bind);
  addPorts(config.http.bind);

  Object.keys(tcpPortMap).forEach(function (port) {
    listenPromises.push(listeners.tcp.add(port, netHandler));
  });

  if (config.dns.bind) {
    if (Array.isArray(config.dns.bind)) {
      config.dns.bind.map(function (port) {
        listenPromises.push(listeners.udp.add(port, dnsListener));
      });
    } else {
      listenPromises.push(listeners.udp.add(config.dns.bind, dnsListener));
    }
  }

  return PromiseA.all(listenPromises);
};