Update Lego

2019-01-07 18:30:06 +01:00 · 2019-01-07 18:30:06 +01:00 · 9b2423aaba
commit 9b2423aaba
parent fc8c24e987
192 changed files with 11105 additions and 8535 deletions
--- a/vendor/github.com/xenolf/lego/challenge/dns01/dns_challenge.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/dns_challenge.go
@ -0,0 +1,176 @@
+package dns01
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	"github.com/xenolf/lego/acme"
+	"github.com/xenolf/lego/acme/api"
+	"github.com/xenolf/lego/challenge"
+	"github.com/xenolf/lego/log"
+	"github.com/xenolf/lego/platform/wait"
+)
+
+const (
+	// DefaultPropagationTimeout default propagation timeout
+	DefaultPropagationTimeout = 60 * time.Second
+
+	// DefaultPollingInterval default polling interval
+	DefaultPollingInterval = 2 * time.Second
+
+	// DefaultTTL default TTL
+	DefaultTTL = 120
+)
+
+type ValidateFunc func(core *api.Core, domain string, chlng acme.Challenge) error
+
+type ChallengeOption func(*Challenge) error
+
+// CondOption Conditional challenge option.
+func CondOption(condition bool, opt ChallengeOption) ChallengeOption {
+	if !condition {
+		// NoOp options
+		return func(*Challenge) error {
+			return nil
+		}
+	}
+	return opt
+}
+
+// Challenge implements the dns-01 challenge
+type Challenge struct {
+	core       *api.Core
+	validate   ValidateFunc
+	provider   challenge.Provider
+	preCheck   preCheck
+	dnsTimeout time.Duration
+}
+
+func NewChallenge(core *api.Core, validate ValidateFunc, provider challenge.Provider, opts ...ChallengeOption) *Challenge {
+	chlg := &Challenge{
+		core:       core,
+		validate:   validate,
+		provider:   provider,
+		preCheck:   newPreCheck(),
+		dnsTimeout: 10 * time.Second,
+	}
+
+	for _, opt := range opts {
+		err := opt(chlg)
+		if err != nil {
+			log.Infof("challenge option error: %v", err)
+		}
+	}
+
+	return chlg
+}
+
+// PreSolve just submits the txt record to the dns provider.
+// It does not validate record propagation, or do anything at all with the acme server.
+func (c *Challenge) PreSolve(authz acme.Authorization) error {
+	domain := challenge.GetTargetedDomain(authz)
+	log.Infof("[%s] acme: Preparing to solve DNS-01", domain)
+
+	chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
+	if err != nil {
+		return err
+	}
+
+	if c.provider == nil {
+		return fmt.Errorf("[%s] acme: no DNS Provider configured", domain)
+	}
+
+	// Generate the Key Authorization for the challenge
+	keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+	if err != nil {
+		return err
+	}
+
+	err = c.provider.Present(authz.Identifier.Value, chlng.Token, keyAuth)
+	if err != nil {
+		return fmt.Errorf("[%s] acme: error presenting token: %s", domain, err)
+	}
+
+	return nil
+}
+
+func (c *Challenge) Solve(authz acme.Authorization) error {
+	domain := challenge.GetTargetedDomain(authz)
+	log.Infof("[%s] acme: Trying to solve DNS-01", domain)
+
+	chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
+	if err != nil {
+		return err
+	}
+
+	// Generate the Key Authorization for the challenge
+	keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+	if err != nil {
+		return err
+	}
+
+	fqdn, value := GetRecord(authz.Identifier.Value, keyAuth)
+
+	var timeout, interval time.Duration
+	switch provider := c.provider.(type) {
+	case challenge.ProviderTimeout:
+		timeout, interval = provider.Timeout()
+	default:
+		timeout, interval = DefaultPropagationTimeout, DefaultPollingInterval
+	}
+
+	log.Infof("[%s] acme: Checking DNS record propagation using %+v", domain, recursiveNameservers)
+
+	err = wait.For("propagation", timeout, interval, func() (bool, error) {
+		stop, errP := c.preCheck.call(fqdn, value)
+		if !stop || errP != nil {
+			log.Infof("[%s] acme: Waiting for DNS record propagation.", domain)
+		}
+		return stop, errP
+	})
+	if err != nil {
+		return err
+	}
+
+	chlng.KeyAuthorization = keyAuth
+	return c.validate(c.core, authz.Identifier.Value, chlng)
+}
+
+// CleanUp cleans the challenge.
+func (c *Challenge) CleanUp(authz acme.Authorization) error {
+	log.Infof("[%s] acme: Cleaning DNS-01 challenge", challenge.GetTargetedDomain(authz))
+
+	chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
+	if err != nil {
+		return err
+	}
+
+	keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+	if err != nil {
+		return err
+	}
+
+	return c.provider.CleanUp(authz.Identifier.Value, chlng.Token, keyAuth)
+}
+
+func (c *Challenge) Sequential() (bool, time.Duration) {
+	if p, ok := c.provider.(sequential); ok {
+		return ok, p.Sequential()
+	}
+	return false, 0
+}
+
+type sequential interface {
+	Sequential() time.Duration
+}
+
+// GetRecord returns a DNS record which will fulfill the `dns-01` challenge
+func GetRecord(domain, keyAuth string) (fqdn string, value string) {
+	keyAuthShaBytes := sha256.Sum256([]byte(keyAuth))
+	// base64URL encoding without padding
+	value = base64.RawURLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size])
+	fqdn = fmt.Sprintf("_acme-challenge.%s.", domain)
+	return
+}
--- a/vendor/github.com/xenolf/lego/challenge/dns01/dns_challenge_manual.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/dns_challenge_manual.go
@ -0,0 +1,52 @@
+package dns01
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+)
+
+const (
+	dnsTemplate = `%s %d IN TXT "%s"`
+)
+
+// DNSProviderManual is an implementation of the ChallengeProvider interface
+type DNSProviderManual struct{}
+
+// NewDNSProviderManual returns a DNSProviderManual instance.
+func NewDNSProviderManual() (*DNSProviderManual, error) {
+	return &DNSProviderManual{}, nil
+}
+
+// Present prints instructions for manually creating the TXT record
+func (*DNSProviderManual) Present(domain, token, keyAuth string) error {
+	fqdn, value := GetRecord(domain, keyAuth)
+
+	authZone, err := FindZoneByFqdn(fqdn)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("lego: Please create the following TXT record in your %s zone:\n", authZone)
+	fmt.Printf(dnsTemplate+"\n", fqdn, DefaultTTL, value)
+	fmt.Printf("lego: Press 'Enter' when you are done\n")
+
+	_, err = bufio.NewReader(os.Stdin).ReadBytes('\n')
+
+	return err
+}
+
+// CleanUp prints instructions for manually removing the TXT record
+func (*DNSProviderManual) CleanUp(domain, token, keyAuth string) error {
+	fqdn, _ := GetRecord(domain, keyAuth)
+
+	authZone, err := FindZoneByFqdn(fqdn)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("lego: You can now remove this TXT record from your %s zone:\n", authZone)
+	fmt.Printf(dnsTemplate+"\n", fqdn, DefaultTTL, "...")
+
+	return nil
+}
--- a/vendor/github.com/xenolf/lego/challenge/dns01/fqdn.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/fqdn.go
@ -0,0 +1,19 @@
+package dns01
+
+// ToFqdn converts the name into a fqdn appending a trailing dot.
+func ToFqdn(name string) string {
+	n := len(name)
+	if n == 0 || name[n-1] == '.' {
+		return name
+	}
+	return name + "."
+}
+
+// UnFqdn converts the fqdn into a name removing the trailing dot.
+func UnFqdn(name string) string {
+	n := len(name)
+	if n != 0 && name[n-1] == '.' {
+		return name[:n-1]
+	}
+	return name
+}
--- a/vendor/github.com/xenolf/lego/challenge/dns01/nameserver.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/nameserver.go
@ -0,0 +1,232 @@
+package dns01
+
+import (
+	"fmt"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/miekg/dns"
+)
+
+const defaultResolvConf = "/etc/resolv.conf"
+
+// dnsTimeout is used to override the default DNS timeout of 10 seconds.
+var dnsTimeout = 10 * time.Second
+
+var (
+	fqdnToZone   = map[string]string{}
+	muFqdnToZone sync.Mutex
+)
+
+var defaultNameservers = []string{
+	"google-public-dns-a.google.com:53",
+	"google-public-dns-b.google.com:53",
+}
+
+// recursiveNameservers are used to pre-check DNS propagation
+var recursiveNameservers = getNameservers(defaultResolvConf, defaultNameservers)
+
+// ClearFqdnCache clears the cache of fqdn to zone mappings. Primarily used in testing.
+func ClearFqdnCache() {
+	muFqdnToZone.Lock()
+	fqdnToZone = map[string]string{}
+	muFqdnToZone.Unlock()
+}
+
+func AddDNSTimeout(timeout time.Duration) ChallengeOption {
+	return func(_ *Challenge) error {
+		dnsTimeout = timeout
+		return nil
+	}
+}
+
+func AddRecursiveNameservers(nameservers []string) ChallengeOption {
+	return func(_ *Challenge) error {
+		recursiveNameservers = ParseNameservers(nameservers)
+		return nil
+	}
+}
+
+// getNameservers attempts to get systems nameservers before falling back to the defaults
+func getNameservers(path string, defaults []string) []string {
+	config, err := dns.ClientConfigFromFile(path)
+	if err != nil || len(config.Servers) == 0 {
+		return defaults
+	}
+
+	return ParseNameservers(config.Servers)
+}
+
+func ParseNameservers(servers []string) []string {
+	var resolvers []string
+	for _, resolver := range servers {
+		// ensure all servers have a port number
+		if _, _, err := net.SplitHostPort(resolver); err != nil {
+			resolvers = append(resolvers, net.JoinHostPort(resolver, "53"))
+		} else {
+			resolvers = append(resolvers, resolver)
+		}
+	}
+	return resolvers
+}
+
+// lookupNameservers returns the authoritative nameservers for the given fqdn.
+func lookupNameservers(fqdn string) ([]string, error) {
+	var authoritativeNss []string
+
+	zone, err := FindZoneByFqdn(fqdn)
+	if err != nil {
+		return nil, fmt.Errorf("could not determine the zone: %v", err)
+	}
+
+	r, err := dnsQuery(zone, dns.TypeNS, recursiveNameservers, true)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, rr := range r.Answer {
+		if ns, ok := rr.(*dns.NS); ok {
+			authoritativeNss = append(authoritativeNss, strings.ToLower(ns.Ns))
+		}
+	}
+
+	if len(authoritativeNss) > 0 {
+		return authoritativeNss, nil
+	}
+	return nil, fmt.Errorf("could not determine authoritative nameservers")
+}
+
+// FindZoneByFqdn determines the zone apex for the given fqdn
+// by recursing up the domain labels until the nameserver returns a SOA record in the answer section.
+func FindZoneByFqdn(fqdn string) (string, error) {
+	return FindZoneByFqdnCustom(fqdn, recursiveNameservers)
+}
+
+// FindZoneByFqdnCustom determines the zone apex for the given fqdn
+// by recursing up the domain labels until the nameserver returns a SOA record in the answer section.
+func FindZoneByFqdnCustom(fqdn string, nameservers []string) (string, error) {
+	muFqdnToZone.Lock()
+	defer muFqdnToZone.Unlock()
+
+	// Do we have it cached?
+	if zone, ok := fqdnToZone[fqdn]; ok {
+		return zone, nil
+	}
+
+	var err error
+	var in *dns.Msg
+
+	labelIndexes := dns.Split(fqdn)
+	for _, index := range labelIndexes {
+		domain := fqdn[index:]
+
+		in, err = dnsQuery(domain, dns.TypeSOA, nameservers, true)
+		if err != nil {
+			continue
+		}
+
+		if in == nil {
+			continue
+		}
+
+		switch in.Rcode {
+		case dns.RcodeSuccess:
+			// Check if we got a SOA RR in the answer section
+
+			if len(in.Answer) == 0 {
+				continue
+			}
+
+			// CNAME records cannot/should not exist at the root of a zone.
+			// So we skip a domain when a CNAME is found.
+			if dnsMsgContainsCNAME(in) {
+				continue
+			}
+
+			for _, ans := range in.Answer {
+				if soa, ok := ans.(*dns.SOA); ok {
+					zone := soa.Hdr.Name
+					fqdnToZone[fqdn] = zone
+					return zone, nil
+				}
+			}
+		case dns.RcodeNameError:
+			// NXDOMAIN
+		default:
+			// Any response code other than NOERROR and NXDOMAIN is treated as error
+			return "", fmt.Errorf("unexpected response code '%s' for %s", dns.RcodeToString[in.Rcode], domain)
+		}
+	}
+
+	return "", fmt.Errorf("could not find the start of authority for %s%s", fqdn, formatDNSError(in, err))
+}
+
+// dnsMsgContainsCNAME checks for a CNAME answer in msg
+func dnsMsgContainsCNAME(msg *dns.Msg) bool {
+	for _, ans := range msg.Answer {
+		if _, ok := ans.(*dns.CNAME); ok {
+			return true
+		}
+	}
+	return false
+}
+
+func dnsQuery(fqdn string, rtype uint16, nameservers []string, recursive bool) (*dns.Msg, error) {
+	m := createDNSMsg(fqdn, rtype, recursive)
+
+	var in *dns.Msg
+	var err error
+
+	for _, ns := range nameservers {
+		in, err = sendDNSQuery(m, ns)
+		if err == nil && len(in.Answer) > 0 {
+			break
+		}
+	}
+	return in, err
+}
+
+func createDNSMsg(fqdn string, rtype uint16, recursive bool) *dns.Msg {
+	m := new(dns.Msg)
+	m.SetQuestion(fqdn, rtype)
+	m.SetEdns0(4096, false)
+
+	if !recursive {
+		m.RecursionDesired = false
+	}
+
+	return m
+}
+
+func sendDNSQuery(m *dns.Msg, ns string) (*dns.Msg, error) {
+	udp := &dns.Client{Net: "udp", Timeout: dnsTimeout}
+	in, _, err := udp.Exchange(m, ns)
+
+	if in != nil && in.Truncated {
+		tcp := &dns.Client{Net: "tcp", Timeout: dnsTimeout}
+		// If the TCP request succeeds, the err will reset to nil
+		in, _, err = tcp.Exchange(m, ns)
+	}
+
+	return in, err
+}
+
+func formatDNSError(msg *dns.Msg, err error) string {
+	var parts []string
+
+	if msg != nil {
+		parts = append(parts, dns.RcodeToString[msg.Rcode])
+	}
+
+	if err != nil {
+		parts = append(parts, fmt.Sprintf("%v", err))
+	}
+
+	if len(parts) > 0 {
+		return ": " + strings.Join(parts, " ")
+	}
+
+	return ""
+}
--- a/vendor/github.com/xenolf/lego/challenge/dns01/precheck.go
+++ b/vendor/github.com/xenolf/lego/challenge/dns01/precheck.go
@ -0,0 +1,114 @@
+package dns01
+
+import (
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/miekg/dns"
+)
+
+// PreCheckFunc checks DNS propagation before notifying ACME that the DNS challenge is ready.
+type PreCheckFunc func(fqdn, value string) (bool, error)
+
+func AddPreCheck(preCheck PreCheckFunc) ChallengeOption {
+	// Prevent race condition
+	check := preCheck
+	return func(chlg *Challenge) error {
+		chlg.preCheck.checkFunc = check
+		return nil
+	}
+}
+
+func DisableCompletePropagationRequirement() ChallengeOption {
+	return func(chlg *Challenge) error {
+		chlg.preCheck.requireCompletePropagation = false
+		return nil
+	}
+}
+
+type preCheck struct {
+	// checks DNS propagation before notifying ACME that the DNS challenge is ready.
+	checkFunc PreCheckFunc
+	// require the TXT record to be propagated to all authoritative name servers
+	requireCompletePropagation bool
+}
+
+func newPreCheck() preCheck {
+	return preCheck{
+		requireCompletePropagation: true,
+	}
+}
+
+func (p preCheck) call(fqdn, value string) (bool, error) {
+	if p.checkFunc == nil {
+		return p.checkDNSPropagation(fqdn, value)
+	}
+	return p.checkFunc(fqdn, value)
+}
+
+// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
+func (p preCheck) checkDNSPropagation(fqdn, value string) (bool, error) {
+	// Initial attempt to resolve at the recursive NS
+	r, err := dnsQuery(fqdn, dns.TypeTXT, recursiveNameservers, true)
+	if err != nil {
+		return false, err
+	}
+
+	if !p.requireCompletePropagation {
+		return true, nil
+	}
+
+	if r.Rcode == dns.RcodeSuccess {
+		// If we see a CNAME here then use the alias
+		for _, rr := range r.Answer {
+			if cn, ok := rr.(*dns.CNAME); ok {
+				if cn.Hdr.Name == fqdn {
+					fqdn = cn.Target
+					break
+				}
+			}
+		}
+	}
+
+	authoritativeNss, err := lookupNameservers(fqdn)
+	if err != nil {
+		return false, err
+	}
+
+	return checkAuthoritativeNss(fqdn, value, authoritativeNss)
+}
+
+// checkAuthoritativeNss queries each of the given nameservers for the expected TXT record.
+func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, error) {
+	for _, ns := range nameservers {
+		r, err := dnsQuery(fqdn, dns.TypeTXT, []string{net.JoinHostPort(ns, "53")}, false)
+		if err != nil {
+			return false, err
+		}
+
+		if r.Rcode != dns.RcodeSuccess {
+			return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
+		}
+
+		var records []string
+
+		var found bool
+		for _, rr := range r.Answer {
+			if txt, ok := rr.(*dns.TXT); ok {
+				record := strings.Join(txt.Txt, "")
+				records = append(records, record)
+				if record == value {
+					found = true
+					break
+				}
+			}
+		}
+
+		if !found {
+			return false, fmt.Errorf("NS %s did not return the expected TXT record [fqdn: %s, value: %s]: %s", ns, fqdn, value, strings.Join(records, " ,"))
+		}
+	}
+
+	return true, nil
+}