goldilocks.js/lib/tcp/tls.js

'use strict';

module.exports.create = function (deps, config, tcpMods) {
  var path = require('path');
  var tls = require('tls');
  var parseSni = require('sni');
  var greenlock = require('greenlock');
  var localhostCerts = require('localhost.daplie.me-certificates');
  var domainMatches = require('../domain-utils').match;

  function extractSocketProp(socket, propName) {
    // remoteAddress, remotePort... ugh... https://github.com/nodejs/node/issues/8854
    var altName = '_' + propName;
    var value = socket[propName] || socket[altName];
    try {
      value = value || socket._handle._parent.owner.stream[propName];
      value = value || socket._handle._parent.owner.stream[altName];
    } catch (e) {}

    try {
      value = value || socket._handle._parentWrap[propName];
      value = value || socket._handle._parentWrap[altName];
      value = value || socket._handle._parentWrap._handle.owner.stream[propName];
      value = value || socket._handle._parentWrap._handle.owner.stream[altName];
    } catch (e) {}

    return value || '';
  }

  function nameMatchesDomains(name, domainList) {
    return domainList.some(function (pattern) {
      return domainMatches(pattern, name);
    });
  }

  var addressNames = [
    'remoteAddress'
  , 'remotePort'
  , 'remoteFamily'
  , 'localAddress'
  , 'localPort'
  ];
  function wrapSocket(socket, opts, cb) {
    var reader = require('socket-pair').create(function (err, writer) {
      if (typeof cb === 'function') {
        process.nextTick(cb);
      }
      if (err) {
        reader.emit('error', err);
        return;
      }

      writer.write(opts.firstChunk);
      socket.pipe(writer);
      writer.pipe(socket);

      socket.on('error', function (err) {
        console.log('wrapped TLS socket error', err);
        reader.emit('error', err);
      });
      writer.on('error', function (err) {
        console.error('socket-pair writer error', err);
        // If the writer had an error the reader probably did too, and I don't think we'll
        // get much out of emitting this on the original socket, so logging is enough.
      });

      socket.on('close', writer.destroy.bind(writer));
      writer.on('close', socket.destroy.bind(socket));
    });

    // We can't set these properties the normal way because there is a getter without a setter,
    // but we can use defineProperty. We reuse the descriptor even though we will be manipulating
    // it because we will only ever set the value and we set it every time.
    var descriptor = {enumerable: true, configurable: true, writable: true};
    addressNames.forEach(function (name) {
      descriptor.value = opts[name] || extractSocketProp(socket, name);
      Object.defineProperty(reader, name, descriptor);
    });

    return reader;
  }

  var le = greenlock.create({
    server: 'https://acme-v01.api.letsencrypt.org/directory'

  , challenges: {
      'http-01': require('le-challenge-fs').create({ debug: config.debug })
    , 'tls-sni-01': require('le-challenge-sni').create({ debug: config.debug })
      // TODO dns-01
      //, 'dns-01': require('le-challenge-ddns').create({ debug: config.debug })
    }
  , challengeType: 'http-01'

  , store: require('le-store-certbot').create({
      debug: config.debug
    , configDir: path.join(require('os').homedir(), 'acme', 'etc')
    , logDir: path.join(require('os').homedir(), 'acme', 'var', 'log')
    , workDir: path.join(require('os').homedir(), 'acme', 'var', 'lib')
    })

  , approveDomains: function (opts, certs, cb) {
      // This is where you check your database and associated
      // email addresses with domains and agreements and such

      // The domains being approved for the first time are listed in opts.domains
      // Certs being renewed are listed in certs.altnames
      if (certs) {
        // TODO make sure the same options are used for renewal as for registration?
        opts.domains = certs.altnames;
        cb(null, { options: opts, certs: certs });
        return;
      }

      function complete(optsOverride, domains) {
        if (!cb) {
          console.warn('tried to complete domain approval multiple times');
          return;
        }

        // // We can't request certificates for wildcard domains, so filter any of those
        // // out of this list and put the domain that triggered this in the list if needed.
        // domains = (domains || []).filter(function (dom) { return dom[0] !== '*'; });
        // if (domains.indexOf(opts.domain) < 0) {
        //   domains.push(opts.domain);
        // }
        domains = [ opts.domain ];
        // TODO: allow user to specify options for challenges or storage.

        Object.assign(opts, optsOverride, { domains: domains, agreeTos: true });
        cb(null, { options: opts, certs: certs });
        cb = null;
      }

      var handled = false;
      if (Array.isArray(config.domains)) {
        handled = config.domains.some(function (dom) {
          if (!dom.modules || !dom.modules.tls) {
            return false;
          }
          if (!nameMatchesDomains(opts.domain, dom.names)) {
            return false;
          }

          return dom.modules.tls.some(function (mod) {
            if (mod.type !== 'acme') {
              return false;
            }
            complete(mod, dom.names);
            return true;
          });
        });
      }
      if (handled) {
        return;
      }

      if (Array.isArray(config.tls.modules)) {
        handled = config.tls.modules.some(function (mod) {
          if (mod.type !== 'acme') {
            return false;
          }
          if (!nameMatchesDomains(opts.domain, mod.domains)) {
            return false;
          }

          complete(mod, mod.domains);
          return true;
        });
      }
      if (handled) {
        return;
      }

      cb(new Error('domain is not allowed'));
    }
  });
  le.tlsOptions = le.tlsOptions || le.httpsOptions;

  var secureContexts = {};
  var terminatorOpts = require('localhost.daplie.me-certificates').merge({});
  terminatorOpts.SNICallback = function (sni, cb) {
    sni = sni.toLowerCase();
    console.log("[tlsOptions.SNICallback] SNI: '" + sni + "'");

    var tlsOptions;

    // Static Certs
    if (/\.invalid$/.test(sni)) {
      sni = 'localhost.daplie.me';
    }
    if (/.*localhost.*\.daplie\.me/.test(sni)) {
      if (!secureContexts[sni]) {
        tlsOptions = localhostCerts.mergeTlsOptions(sni, {});
        if (tlsOptions) {
          secureContexts[sni] = tls.createSecureContext(tlsOptions);
        }
      }
      if (secureContexts[sni]) {
        console.log('Got static secure context:', sni, secureContexts[sni]);
        cb(null, secureContexts[sni]);
        return;
      }
    }

    le.tlsOptions.SNICallback(sni, cb);
  };

  var terminateServer = tls.createServer(terminatorOpts, function (socket) {
    console.log('(post-terminated) tls connection, addr:', extractSocketProp(socket, 'remoteAddress'));

    tcpMods.tcpHandler(socket, {
      servername: socket.servername
    , encrypted: true
      // remoteAddress... ugh... https://github.com/nodejs/node/issues/8854
    , remoteAddress: extractSocketProp(socket, 'remoteAddress')
    , remotePort:    extractSocketProp(socket, 'remotePort')
    , remoteFamily:  extractSocketProp(socket, 'remoteFamily')
    });
  });
  terminateServer.on('error', function (err) {
    console.log('[error] TLS termination server', err);
  });

  function proxy(socket, opts, mod) {
    var newConnOpts = require('../domain-utils').separatePort(mod.address || '');
    newConnOpts.port = newConnOpts.port || mod.port;
    newConnOpts.host = newConnOpts.host || mod.host || 'localhost';
    newConnOpts.servername = opts.servername;
    newConnOpts.data = opts.firstChunk;

    newConnOpts.remoteFamily  = opts.family  || extractSocketProp(socket, 'remoteFamily');
    newConnOpts.remoteAddress = opts.address || extractSocketProp(socket, 'remoteAddress');
    newConnOpts.remotePort    = opts.port    || extractSocketProp(socket, 'remotePort');

    tcpMods.proxy(socket, newConnOpts, opts.firstChunk, function () {
      // This function is called in the event of a connection error and should decrypt
      // the socket so the proxy module can send a 502 HTTP response.
      var tlsOpts = localhostCerts.mergeTlsOptions('localhost.daplie.me', {isServer: true});
      if (opts.hyperPeek) {
        return new tls.TLSSocket(socket, tlsOpts);
      } else {
        return new tls.TLSSocket(wrapSocket(socket, opts), tlsOpts);
      }
    });
    return true;
  }

  function terminate(socket, opts) {
    console.log(
      '[tls-terminate]'
    , opts.localAddress || socket.localAddress +':'+ opts.localPort || socket.localPort
    , 'servername=' + opts.servername
    , opts.remoteAddress || socket.remoteAddress
    );

    var wrapped;
    // We can't emit the connection to the TLS server until we know the connection is fully
    // opened, otherwise it might hang open when the decrypted side is destroyed.
    // https://github.com/nodejs/node/issues/14605
    function emitSock() {
      terminateServer.emit('connection', wrapped);
    }
    if (opts.hyperPeek) {
      // This connection was peeked at using a method that doesn't interferre with the TLS
      // server's ability to handle it properly. Currently the only way this happens is
      // with tunnel connections where we have the first chunk of data before creating the
      // new connection (thus removing need to get data off the new connection).
      wrapped = socket;
      process.nextTick(emitSock);
    }
    else {
      // The hyperPeek flag wasn't set, so we had to read data off of this connection, which
      // means we can no longer use it directly in the TLS server.
      // See https://github.com/nodejs/node/issues/8752 (node's internal networking layer == 💩 sometimes)
      wrapped = wrapSocket(socket, opts, emitSock);
    }
  }

  function handleConn(socket, opts) {
    opts.servername = (parseSni(opts.firstChunk)||'').toLowerCase() || 'localhost.invalid';
    // needs to wind up in one of 2 states:
    // 1. SNI-based Proxy / Tunnel (we don't even need to put it through the tlsSocket)
    // 2. Terminated (goes on to a particular module or route, including the admin interface)
    // 3. Closed (we don't recognize the SNI servername as something we actually want to handle)

    // We always want to terminate is the SNI matches the challenge pattern, unless a client
    // on the south side has temporarily claimed a particular challenge. For the time being
    // we don't have a way for the south-side to communicate with us, so that part isn't done.
    if (domainMatches('*.acme-challenge.invalid', opts.servername)) {
      terminate(socket, opts);
      return;
    }

    if (deps.stunneld.isClientDomain(opts.servername)) {
      deps.stunneld.handleClientConn(socket);
      if (!opts.hyperPeek) {
        process.nextTick(function () {
          socket.unshift(opts.firstChunk);
        });
      }
      return;
    }

    function checkModule(mod) {
      if (mod.type === 'proxy') {
        return proxy(socket, opts, mod);
      }
      if (mod.type !== 'acme') {
        console.error('saw unknown TLS module', mod);
      }
    }

    var handled = (config.domains || []).some(function (dom) {
      if (!dom.modules || !dom.modules.tls) {
        return false;
      }
      if (!nameMatchesDomains(opts.servername, dom.names)) {
        return false;
      }

      return dom.modules.tls.some(checkModule);
    });
    if (handled) {
      return;
    }

    handled = (config.tls.modules || []).some(function (mod) {
      if (!nameMatchesDomains(opts.servername, mod.domains)) {
        return false;
      }
      return checkModule(mod);
    });
    if (handled) {
      return;
    }

    // TODO: figure out all of the domains that the other modules intend to handle, and only
    // terminate those ones, closing connections for all others.
    terminate(socket, opts);
  }

  return {
    emit: function (type, socket) {
      if (type === 'connection') {
        handleConn(socket, socket.__opts);
      }
    }
  , middleware: le.middleware()
  };
};