Merge tag 'v1.6.3' into master

2018-06-05 22:55:19 +02:00 · 2018-06-05 22:55:19 +02:00 · a5beeb4f04
commit a5beeb4f04
parent 67a0b4b4b1 446d73fcf5
142 changed files with 5276 additions and 1868 deletions
--- a/acme/account.go
+++ b/acme/account.go
@ -8,6 +8,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"reflect"
+	"regexp"
 	"sort"
 	"strings"
 	"sync"
@ -16,7 +17,7 @@ import (
 	"github.com/containous/traefik/log"
 	acmeprovider "github.com/containous/traefik/provider/acme"
 	"github.com/containous/traefik/types"
-	acme "github.com/xenolf/lego/acmev2"
+	"github.com/xenolf/lego/acme"
 )

 // Account is used to store lets encrypt registration info
@ -44,6 +45,11 @@ func (a *Account) Init() error {
 		return err
 	}

+	err = a.RemoveAccountV1Values()
+	if err != nil {
+		log.Errorf("Unable to remove ACME Account V1 values during account initialization: %v", err)
+	}
+
 	for _, cert := range a.ChallengeCerts {
 		if cert.certificate == nil {
 			certificate, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
@ -108,6 +114,29 @@ func (a *Account) GetPrivateKey() crypto.PrivateKey {
 	return nil
 }

+// RemoveAccountV1Values removes ACME account V1 values
+func (a *Account) RemoveAccountV1Values() error {
+	// Check if ACME Account is in ACME V1 format
+	if a.Registration != nil {
+		isOldRegistration, err := regexp.MatchString(acmeprovider.RegistrationURLPathV1Regexp, a.Registration.URI)
+		if err != nil {
+			return err
+		}
+
+		if isOldRegistration {
+			a.reset()
+		}
+	}
+	return nil
+}
+
+func (a *Account) reset() {
+	log.Debug("Reset ACME account object.")
+	a.Email = ""
+	a.Registration = nil
+	a.PrivateKey = nil
+}
+
 // Certificate is used to store certificate info
 type Certificate struct {
 	Domain        string
@ -157,11 +186,23 @@ func (dc *DomainsCertificates) removeDuplicates() {
 	}
 }

+func (dc *DomainsCertificates) removeEmpty() {
+	certs := []*DomainsCertificate{}
+	for _, cert := range dc.Certs {
+		if cert.Certificate != nil && len(cert.Certificate.Certificate) > 0 && len(cert.Certificate.PrivateKey) > 0 {
+			certs = append(certs, cert)
+		}
+	}
+	dc.Certs = certs
+}
+
 // Init DomainsCertificates
 func (dc *DomainsCertificates) Init() error {
 	dc.lock.Lock()
 	defer dc.lock.Unlock()

+	dc.removeEmpty()
+
 	for _, domainsCertificate := range dc.Certs {
 		tlsCert, err := tls.X509KeyPair(domainsCertificate.Certificate.Certificate, domainsCertificate.Certificate.PrivateKey)
 		if err != nil {
--- a/acme/acme.go
+++ b/acme/acme.go
@ -25,8 +25,10 @@ import (
 	"github.com/containous/traefik/safe"
 	"github.com/containous/traefik/tls/generate"
 	"github.com/containous/traefik/types"
+	"github.com/containous/traefik/version"
 	"github.com/eapache/channels"
-	acme "github.com/xenolf/lego/acmev2"
+	"github.com/xenolf/lego/acme"
+	legolog "github.com/xenolf/lego/log"
 	"github.com/xenolf/lego/providers/dns"
 )

@ -42,7 +44,7 @@ type ACME struct {
 	Domains               []types.Domain              `description:"SANs (alternative domains) to each main domain using format: --acme.domains='main.com,san1.com,san2.com' --acme.domains='main.net,san1.net,san2.net'"`
 	Storage               string                      `description:"File or key used for certificates storage."`
 	StorageFile           string                      // Deprecated
-	OnDemand              bool                        `description:"(Deprecated) Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` //deprecated
+	OnDemand              bool                        `description:"(Deprecated) Enable on demand certificate generation. This will request a certificate from Let's Encrypt during the first TLS handshake for a hostname that does not yet have a certificate."` // Deprecated
 	OnHostRule            bool                        `description:"Enable certificate generation on frontends Host rules."`
 	CAServer              string                      `description:"CA server to use."`
 	EntryPoint            string                      `description:"Entrypoint to proxy acme challenge to."`
@ -64,10 +66,11 @@ type ACME struct {
 }

 func (a *ACME) init() error {
+	acme.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)
 	if a.ACMELogging {
-		acme.Logger = fmtlog.New(os.Stderr, "legolog: ", fmtlog.LstdFlags)
+		legolog.Logger = fmtlog.New(os.Stderr, "legolog: ", fmtlog.LstdFlags)
 	} else {
-		acme.Logger = fmtlog.New(ioutil.Discard, "", 0)
+		legolog.Logger = fmtlog.New(ioutil.Discard, "", 0)
 	}
 	// no certificates in TLS config, so we add a default one
 	cert, err := generate.DefaultCertificate()
@ -180,6 +183,10 @@ func (a *ACME) leadershipListener(elected bool) error {

 		account := object.(*Account)
 		account.Init()
+		// Reset Account values if caServer changed, thus registration URI can be updated
+		if account != nil && account.Registration != nil && !strings.HasPrefix(account.Registration.URI, a.CAServer) {
+			account.reset()
+		}

 		var needRegister bool
 		if account == nil || len(account.Email) == 0 {
--- a/acme/acme_test.go
+++ b/acme/acme_test.go
@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"reflect"
+	"sort"
 	"sync"
 	"testing"
 	"time"
@ -14,7 +15,7 @@ import (
 	"github.com/containous/traefik/tls/generate"
 	"github.com/containous/traefik/types"
 	"github.com/stretchr/testify/assert"
-	acme "github.com/xenolf/lego/acmev2"
+	"github.com/xenolf/lego/acme"
 )

 func TestDomainsSet(t *testing.T) {
@ -550,3 +551,268 @@ func TestAcme_getCertificateForDomain(t *testing.T) {
 		})
 	}
 }
+
+func TestRemoveEmptyCertificates(t *testing.T) {
+	now := time.Now()
+	fooCert, fooKey, _ := generate.KeyPair("foo.com", now)
+	acmeCert, acmeKey, _ := generate.KeyPair("acme.wtf", now.Add(24*time.Hour))
+	barCert, barKey, _ := generate.KeyPair("bar.com", now)
+	testCases := []struct {
+		desc       string
+		dc         *DomainsCertificates
+		expectedDc *DomainsCertificates
+	}{
+		{
+			desc: "No empty certificate",
+			dc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Certificate: &Certificate{
+							Certificate: fooCert,
+							PrivateKey:  fooKey,
+						},
+						Domains: types.Domain{
+							Main: "foo.com",
+						},
+					},
+					{
+						Certificate: &Certificate{
+							Certificate: acmeCert,
+							PrivateKey:  acmeKey,
+						},
+						Domains: types.Domain{
+							Main: "acme.wtf",
+						},
+					},
+					{
+						Certificate: &Certificate{
+							Certificate: barCert,
+							PrivateKey:  barKey,
+						},
+						Domains: types.Domain{
+							Main: "bar.com",
+						},
+					},
+				},
+			},
+			expectedDc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Certificate: &Certificate{
+							Certificate: fooCert,
+							PrivateKey:  fooKey,
+						},
+						Domains: types.Domain{
+							Main: "foo.com",
+						},
+					},
+					{
+						Certificate: &Certificate{
+							Certificate: acmeCert,
+							PrivateKey:  acmeKey,
+						},
+						Domains: types.Domain{
+							Main: "acme.wtf",
+						},
+					},
+					{
+						Certificate: &Certificate{
+							Certificate: barCert,
+							PrivateKey:  barKey,
+						},
+						Domains: types.Domain{
+							Main: "bar.com",
+						},
+					},
+				},
+			},
+		},
+		{
+			desc: "First certificate is nil",
+			dc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Domains: types.Domain{
+							Main: "foo.com",
+						},
+					},
+					{
+						Certificate: &Certificate{
+							Certificate: acmeCert,
+							PrivateKey:  acmeKey,
+						},
+						Domains: types.Domain{
+							Main: "acme.wtf",
+						},
+					},
+					{
+						Certificate: &Certificate{
+							Certificate: barCert,
+							PrivateKey:  barKey,
+						},
+						Domains: types.Domain{
+							Main: "bar.com",
+						},
+					},
+				},
+			},
+			expectedDc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Certificate: &Certificate{
+							Certificate: acmeCert,
+							PrivateKey:  acmeKey,
+						},
+						Domains: types.Domain{
+							Main: "acme.wtf",
+						},
+					},
+					{
+						Certificate: &Certificate{
+							Certificate: nil,
+							PrivateKey:  barKey,
+						},
+						Domains: types.Domain{
+							Main: "bar.com",
+						},
+					},
+				},
+			},
+		},
+		{
+			desc: "Last certificate is empty",
+			dc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Certificate: &Certificate{
+							Certificate: fooCert,
+							PrivateKey:  fooKey,
+						},
+						Domains: types.Domain{
+							Main: "foo.com",
+						},
+					},
+					{
+						Certificate: &Certificate{
+							Certificate: acmeCert,
+							PrivateKey:  acmeKey,
+						},
+						Domains: types.Domain{
+							Main: "acme.wtf",
+						},
+					},
+					{
+						Certificate: &Certificate{},
+						Domains: types.Domain{
+							Main: "bar.com",
+						},
+					},
+				},
+			},
+			expectedDc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Certificate: &Certificate{
+							Certificate: fooCert,
+							PrivateKey:  fooKey,
+						},
+						Domains: types.Domain{
+							Main: "foo.com",
+						},
+					},
+					{
+						Certificate: &Certificate{
+							Certificate: acmeCert,
+							PrivateKey:  acmeKey,
+						},
+						Domains: types.Domain{
+							Main: "acme.wtf",
+						},
+					},
+				},
+			},
+		},
+		{
+			desc: "First and last certificates are nil or empty",
+			dc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Domains: types.Domain{
+							Main: "foo.com",
+						},
+					},
+					{
+						Certificate: &Certificate{
+							Certificate: acmeCert,
+							PrivateKey:  acmeKey,
+						},
+						Domains: types.Domain{
+							Main: "acme.wtf",
+						},
+					},
+					{
+						Certificate: &Certificate{},
+						Domains: types.Domain{
+							Main: "bar.com",
+						},
+					},
+				},
+			},
+			expectedDc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Certificate: &Certificate{
+							Certificate: acmeCert,
+							PrivateKey:  acmeKey,
+						},
+						Domains: types.Domain{
+							Main: "acme.wtf",
+						},
+					},
+				},
+			},
+		},
+		{
+			desc: "All certificates are nil or empty",
+			dc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{
+					{
+						Domains: types.Domain{
+							Main: "foo.com",
+						},
+					},
+					{
+						Domains: types.Domain{
+							Main: "foo24.com",
+						},
+					},
+					{
+						Certificate: &Certificate{},
+						Domains: types.Domain{
+							Main: "bar.com",
+						},
+					},
+				},
+			},
+			expectedDc: &DomainsCertificates{
+				Certs: []*DomainsCertificate{},
+			},
+		},
+	}
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			a := &Account{DomainsCertificate: *test.dc}
+			a.Init()
+
+			assert.Equal(t, len(test.expectedDc.Certs), len(a.DomainsCertificate.Certs))
+			sort.Sort(&a.DomainsCertificate)
+			sort.Sort(test.expectedDc)
+			for key, value := range test.expectedDc.Certs {
+				assert.Equal(t, value.Domains.Main, a.DomainsCertificate.Certs[key].Domains.Main)
+			}
+		})
+	}
+}
--- a/acme/challenge_http_provider.go
+++ b/acme/challenge_http_provider.go
@ -9,7 +9,7 @@ import (
 	"github.com/containous/traefik/cluster"
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/safe"
-	acme "github.com/xenolf/lego/acmev2"
+	"github.com/xenolf/lego/acme"
 )

 var _ acme.ChallengeProviderTimeout = (*challengeHTTPProvider)(nil)
--- a/acme/localStore.go
+++ b/acme/localStore.go
@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"io/ioutil"
 	"os"
-	"regexp"

 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/provider/acme"
@ -51,25 +50,6 @@ func (s *LocalStore) Get() (*Account, error) {
 	return account, nil
 }

-// RemoveAccountV1Values removes ACME account V1 values
-func RemoveAccountV1Values(account *Account) error {
-	// Check if ACME Account is in ACME V1 format
-	if account != nil && account.Registration != nil {
-		isOldRegistration, err := regexp.MatchString(acme.RegistrationURLPathV1Regexp, account.Registration.URI)
-		if err != nil {
-			return err
-		}
-
-		if isOldRegistration {
-			account.Email = ""
-			account.Registration = nil
-			account.PrivateKey = nil
-			account.KeyType = "RSA4096"
-		}
-	}
-	return nil
-}
-
 // ConvertToNewFormat converts old acme.json format to the new one and store the result into the file (used for the backward compatibility)
 func ConvertToNewFormat(fileName string) {
 	localStore := acme.NewLocalStore(fileName)
@ -100,13 +80,13 @@ func ConvertToNewFormat(fileName string) {
 		if account != nil && len(account.Email) > 0 {
 			err = backupACMEFile(fileName, account)
 			if err != nil {
-				log.Errorf("Unable to create a backup for the V1 formatted ACME file: %s", err.Error())
+				log.Errorf("Unable to create a backup for the V1 formatted ACME file: %v", err)
 				return
 			}

-			err = RemoveAccountV1Values(account)
+			err = account.RemoveAccountV1Values()
 			if err != nil {
-				log.Errorf("Unable to remove ACME Account V1 values: %s", err.Error())
+				log.Errorf("Unable to remove ACME Account V1 values during format conversion: %v", err)
 				return
 			}