Update Lego

2019-01-07 18:30:06 +01:00 · 2019-01-07 18:30:06 +01:00 · 9b2423aaba
commit 9b2423aaba
parent fc8c24e987
192 changed files with 11105 additions and 8535 deletions
--- a/vendor/github.com/xenolf/lego/challenge/resolver/errors.go
+++ b/vendor/github.com/xenolf/lego/challenge/resolver/errors.go
@ -0,0 +1,25 @@
+package resolver
+
+import (
+	"bytes"
+	"fmt"
+	"sort"
+)
+
+// obtainError is returned when there are specific errors available per domain.
+type obtainError map[string]error
+
+func (e obtainError) Error() string {
+	buffer := bytes.NewBufferString("acme: Error -> One or more domains had a problem:\n")
+
+	var domains []string
+	for domain := range e {
+		domains = append(domains, domain)
+	}
+	sort.Strings(domains)
+
+	for _, domain := range domains {
+		buffer.WriteString(fmt.Sprintf("[%s] %s\n", domain, e[domain]))
+	}
+	return buffer.String()
+}
--- a/vendor/github.com/xenolf/lego/challenge/resolver/prober.go
+++ b/vendor/github.com/xenolf/lego/challenge/resolver/prober.go
@ -0,0 +1,173 @@
+package resolver
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/xenolf/lego/acme"
+	"github.com/xenolf/lego/challenge"
+	"github.com/xenolf/lego/log"
+)
+
+// Interface for all challenge solvers to implement.
+type solver interface {
+	Solve(authorization acme.Authorization) error
+}
+
+// Interface for challenges like dns, where we can set a record in advance for ALL challenges.
+// This saves quite a bit of time vs creating the records and solving them serially.
+type preSolver interface {
+	PreSolve(authorization acme.Authorization) error
+}
+
+// Interface for challenges like dns, where we can solve all the challenges before to delete them.
+type cleanup interface {
+	CleanUp(authorization acme.Authorization) error
+}
+
+type sequential interface {
+	Sequential() (bool, time.Duration)
+}
+
+// an authz with the solver we have chosen and the index of the challenge associated with it
+type selectedAuthSolver struct {
+	authz  acme.Authorization
+	solver solver
+}
+
+type Prober struct {
+	solverManager *SolverManager
+}
+
+func NewProber(solverManager *SolverManager) *Prober {
+	return &Prober{
+		solverManager: solverManager,
+	}
+}
+
+// Solve Looks through the challenge combinations to find a solvable match.
+// Then solves the challenges in series and returns.
+func (p *Prober) Solve(authorizations []acme.Authorization) error {
+	failures := make(obtainError)
+
+	var authSolvers []*selectedAuthSolver
+	var authSolversSequential []*selectedAuthSolver
+
+	// Loop through the resources, basically through the domains.
+	// First pass just selects a solver for each authz.
+	for _, authz := range authorizations {
+		domain := challenge.GetTargetedDomain(authz)
+		if authz.Status == acme.StatusValid {
+			// Boulder might recycle recent validated authz (see issue #267)
+			log.Infof("[%s] acme: authorization already valid; skipping challenge", domain)
+			continue
+		}
+
+		if solvr := p.solverManager.chooseSolver(authz); solvr != nil {
+			authSolver := &selectedAuthSolver{authz: authz, solver: solvr}
+
+			switch s := solvr.(type) {
+			case sequential:
+				if ok, _ := s.Sequential(); ok {
+					authSolversSequential = append(authSolversSequential, authSolver)
+				} else {
+					authSolvers = append(authSolvers, authSolver)
+				}
+			default:
+				authSolvers = append(authSolvers, authSolver)
+			}
+		} else {
+			failures[domain] = fmt.Errorf("[%s] acme: could not determine solvers", domain)
+		}
+	}
+
+	parallelSolve(authSolvers, failures)
+
+	sequentialSolve(authSolversSequential, failures)
+
+	// Be careful not to return an empty failures map,
+	// for even an empty obtainError is a non-nil error value
+	if len(failures) > 0 {
+		return failures
+	}
+	return nil
+}
+
+func sequentialSolve(authSolvers []*selectedAuthSolver, failures obtainError) {
+	for i, authSolver := range authSolvers {
+		// Submit the challenge
+		domain := challenge.GetTargetedDomain(authSolver.authz)
+
+		if solvr, ok := authSolver.solver.(preSolver); ok {
+			err := solvr.PreSolve(authSolver.authz)
+			if err != nil {
+				failures[domain] = err
+				cleanUp(authSolver.solver, authSolver.authz)
+				continue
+			}
+		}
+
+		// Solve challenge
+		err := authSolver.solver.Solve(authSolver.authz)
+		if err != nil {
+			failures[domain] = err
+			cleanUp(authSolver.solver, authSolver.authz)
+			continue
+		}
+
+		// Clean challenge
+		cleanUp(authSolver.solver, authSolver.authz)
+
+		if len(authSolvers)-1 > i {
+			solvr := authSolver.solver.(sequential)
+			_, interval := solvr.Sequential()
+			log.Infof("sequence: wait for %s", interval)
+			time.Sleep(interval)
+		}
+	}
+}
+
+func parallelSolve(authSolvers []*selectedAuthSolver, failures obtainError) {
+	// For all valid preSolvers, first submit the challenges so they have max time to propagate
+	for _, authSolver := range authSolvers {
+		authz := authSolver.authz
+		if solvr, ok := authSolver.solver.(preSolver); ok {
+			err := solvr.PreSolve(authz)
+			if err != nil {
+				failures[challenge.GetTargetedDomain(authz)] = err
+			}
+		}
+	}
+
+	defer func() {
+		// Clean all created TXT records
+		for _, authSolver := range authSolvers {
+			cleanUp(authSolver.solver, authSolver.authz)
+		}
+	}()
+
+	// Finally solve all challenges for real
+	for _, authSolver := range authSolvers {
+		authz := authSolver.authz
+		domain := challenge.GetTargetedDomain(authz)
+		if failures[domain] != nil {
+			// already failed in previous loop
+			continue
+		}
+
+		err := authSolver.solver.Solve(authz)
+		if err != nil {
+			failures[domain] = err
+		}
+	}
+}
+
+func cleanUp(solvr solver, authz acme.Authorization) {
+	if solvr, ok := solvr.(cleanup); ok {
+		domain := challenge.GetTargetedDomain(authz)
+		err := solvr.CleanUp(authz)
+		if err != nil {
+			log.Warnf("[%s] acme: error cleaning up: %v ", domain, err)
+		}
+	}
+}
--- a/vendor/github.com/xenolf/lego/challenge/resolver/solver_manager.go
+++ b/vendor/github.com/xenolf/lego/challenge/resolver/solver_manager.go
@ -0,0 +1,154 @@
+package resolver
+
+import (
+	"errors"
+	"fmt"
+	"sort"
+	"strconv"
+	"time"
+
+	"github.com/xenolf/lego/acme"
+	"github.com/xenolf/lego/acme/api"
+	"github.com/xenolf/lego/challenge"
+	"github.com/xenolf/lego/challenge/dns01"
+	"github.com/xenolf/lego/challenge/http01"
+	"github.com/xenolf/lego/challenge/tlsalpn01"
+	"github.com/xenolf/lego/log"
+)
+
+type byType []acme.Challenge
+
+func (a byType) Len() int           { return len(a) }
+func (a byType) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a byType) Less(i, j int) bool { return a[i].Type > a[j].Type }
+
+type SolverManager struct {
+	core    *api.Core
+	solvers map[challenge.Type]solver
+}
+
+func NewSolversManager(core *api.Core) *SolverManager {
+	return &SolverManager{
+		solvers: map[challenge.Type]solver{},
+		core:    core,
+	}
+}
+
+// SetHTTP01Provider specifies a custom provider p that can solve the given HTTP-01 challenge.
+func (c *SolverManager) SetHTTP01Provider(p challenge.Provider) error {
+	c.solvers[challenge.HTTP01] = http01.NewChallenge(c.core, validate, p)
+	return nil
+}
+
+// SetTLSALPN01Provider specifies a custom provider p that can solve the given TLS-ALPN-01 challenge.
+func (c *SolverManager) SetTLSALPN01Provider(p challenge.Provider) error {
+	c.solvers[challenge.TLSALPN01] = tlsalpn01.NewChallenge(c.core, validate, p)
+	return nil
+}
+
+// SetDNS01Provider specifies a custom provider p that can solve the given DNS-01 challenge.
+func (c *SolverManager) SetDNS01Provider(p challenge.Provider, opts ...dns01.ChallengeOption) error {
+	c.solvers[challenge.DNS01] = dns01.NewChallenge(c.core, validate, p, opts...)
+	return nil
+}
+
+// Remove Remove a challenge type from the available solvers.
+func (c *SolverManager) Remove(chlgType challenge.Type) {
+	delete(c.solvers, chlgType)
+}
+
+// Checks all challenges from the server in order and returns the first matching solver.
+func (c *SolverManager) chooseSolver(authz acme.Authorization) solver {
+	// Allow to have a deterministic challenge order
+	sort.Sort(byType(authz.Challenges))
+
+	domain := challenge.GetTargetedDomain(authz)
+	for _, chlg := range authz.Challenges {
+		if solvr, ok := c.solvers[challenge.Type(chlg.Type)]; ok {
+			log.Infof("[%s] acme: use %s solver", domain, chlg.Type)
+			return solvr
+		}
+		log.Infof("[%s] acme: Could not find solver for: %s", domain, chlg.Type)
+	}
+
+	return nil
+}
+
+func validate(core *api.Core, domain string, chlg acme.Challenge) error {
+	chlng, err := core.Challenges.New(chlg.URL)
+	if err != nil {
+		return fmt.Errorf("failed to initiate challenge: %v", err)
+	}
+
+	valid, err := checkChallengeStatus(chlng)
+	if err != nil {
+		return err
+	}
+
+	if valid {
+		log.Infof("[%s] The server validated our request", domain)
+		return nil
+	}
+
+	// After the path is sent, the ACME server will access our server.
+	// Repeatedly check the server for an updated status on our request.
+	for {
+		authz, err := core.Authorizations.Get(chlng.AuthorizationURL)
+		if err != nil {
+			return err
+		}
+
+		valid, err := checkAuthorizationStatus(authz)
+		if err != nil {
+			return err
+		}
+
+		if valid {
+			log.Infof("[%s] The server validated our request", domain)
+			return nil
+		}
+
+		ra, err := strconv.Atoi(chlng.RetryAfter)
+		if err != nil {
+			// The ACME server MUST return a Retry-After.
+			// If it doesn't, we'll just poll hard.
+			// Boulder does not implement the ability to retry challenges or the Retry-After header.
+			// https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md#section-82
+			ra = 5
+		}
+		time.Sleep(time.Duration(ra) * time.Second)
+	}
+}
+
+func checkChallengeStatus(chlng acme.ExtendedChallenge) (bool, error) {
+	switch chlng.Status {
+	case acme.StatusValid:
+		return true, nil
+	case acme.StatusPending, acme.StatusProcessing:
+		return false, nil
+	case acme.StatusInvalid:
+		return false, chlng.Error
+	default:
+		return false, errors.New("the server returned an unexpected state")
+	}
+}
+
+func checkAuthorizationStatus(authz acme.Authorization) (bool, error) {
+	switch authz.Status {
+	case acme.StatusValid:
+		return true, nil
+	case acme.StatusPending, acme.StatusProcessing:
+		return false, nil
+	case acme.StatusDeactivated, acme.StatusExpired, acme.StatusRevoked:
+		return false, fmt.Errorf("the authorization state %s", authz.Status)
+	case acme.StatusInvalid:
+		for _, chlg := range authz.Challenges {
+			if chlg.Status == acme.StatusInvalid && chlg.Error != nil {
+				return false, chlg.Error
+			}
+		}
+		return false, fmt.Errorf("the authorization state %s", authz.Status)
+	default:
+		return false, errors.New("the server returned an unexpected state")
+	}
+}