Add ACME store

Signed-off-by: Emile Vauge <emile@vauge.com>
2016-08-18 14:20:11 +02:00 · 2016-08-18 14:20:11 +02:00 · a42845502e
commit a42845502e
parent bea5ad3f13
30 changed files with 781 additions and 374 deletions
--- a/acme/challengeProvider.go
+++ b/acme/challengeProvider.go
@ -4,33 +4,59 @@ import (
 	"crypto/tls"
 	"sync"

+	"bytes"
+	"crypto/rsa"
 	"crypto/x509"
+	"encoding/gob"
+	"github.com/containous/traefik/cluster"
+	"github.com/containous/traefik/log"
 	"github.com/xenolf/lego/acme"
+	"time"
 )

-var _ acme.ChallengeProvider = (*inMemoryChallengeProvider)(nil)
-
-type inMemoryChallengeProvider struct {
-	challengeCerts map[string]*tls.Certificate
-	lock           sync.RWMutex
+func init() {
+	gob.Register(rsa.PrivateKey{})
+	gob.Register(rsa.PublicKey{})
 }

-func newWrapperChallengeProvider() *inMemoryChallengeProvider {
-	return &inMemoryChallengeProvider{
-		challengeCerts: map[string]*tls.Certificate{},
+var _ acme.ChallengeProviderTimeout = (*challengeProvider)(nil)
+
+type challengeProvider struct {
+	store cluster.Store
+	lock  sync.RWMutex
+}
+
+func newMemoryChallengeProvider(store cluster.Store) *challengeProvider {
+	return &challengeProvider{
+		store: store,
 	}
 }

-func (c *inMemoryChallengeProvider) getCertificate(domain string) (cert *tls.Certificate, exists bool) {
+func (c *challengeProvider) getCertificate(domain string) (cert *tls.Certificate, exists bool) {
+	log.Debugf("Challenge GetCertificate %s", domain)
 	c.lock.RLock()
 	defer c.lock.RUnlock()
-	if cert, ok := c.challengeCerts[domain]; ok {
+	account := c.store.Get().(*Account)
+	if account.ChallengeCerts == nil {
+		return nil, false
+	}
+	if certBinary, ok := account.ChallengeCerts[domain]; ok {
+		cert := &tls.Certificate{}
+		var buffer bytes.Buffer
+		buffer.Write(certBinary)
+		dec := gob.NewDecoder(&buffer)
+		err := dec.Decode(cert)
+		if err != nil {
+			log.Errorf("Error unmarshaling challenge cert %s", err.Error())
+			return nil, false
+		}
 		return cert, true
 	}
 	return nil, false
 }

-func (c *inMemoryChallengeProvider) Present(domain, token, keyAuth string) error {
+func (c *challengeProvider) Present(domain, token, keyAuth string) error {
+	log.Debugf("Challenge Present %s", domain)
 	cert, _, err := acme.TLSSNI01ChallengeCert(keyAuth)
 	if err != nil {
 		return err
@ -42,16 +68,40 @@ func (c *inMemoryChallengeProvider) Present(domain, token, keyAuth string) error

 	c.lock.Lock()
 	defer c.lock.Unlock()
-	for i := range cert.Leaf.DNSNames {
-		c.challengeCerts[cert.Leaf.DNSNames[i]] = &cert
+	transaction, object, err := c.store.Begin()
+	if err != nil {
+		return err
 	}
-
-	return nil
+	account := object.(*Account)
+	if account.ChallengeCerts == nil {
+		account.ChallengeCerts = map[string][]byte{}
+	}
+	for i := range cert.Leaf.DNSNames {
+		var buffer bytes.Buffer
+		enc := gob.NewEncoder(&buffer)
+		err := enc.Encode(cert)
+		if err != nil {
+			return err
+		}
+		account.ChallengeCerts[cert.Leaf.DNSNames[i]] = buffer.Bytes()
+		log.Debugf("Challenge Present cert: %s", cert.Leaf.DNSNames[i])
+	}
+	return transaction.Commit(account)
 }

-func (c *inMemoryChallengeProvider) CleanUp(domain, token, keyAuth string) error {
+func (c *challengeProvider) CleanUp(domain, token, keyAuth string) error {
+	log.Debugf("Challenge CleanUp %s", domain)
 	c.lock.Lock()
 	defer c.lock.Unlock()
-	delete(c.challengeCerts, domain)
-	return nil
+	transaction, object, err := c.store.Begin()
+	if err != nil {
+		return err
+	}
+	account := object.(*Account)
+	delete(account.ChallengeCerts, domain)
+	return transaction.Commit(account)
+}
+
+func (c *challengeProvider) Timeout() (timeout, interval time.Duration) {
+	return 60 * time.Second, 5 * time.Second
 }