a

2022-02-05 00:05:45 +08:00
parent 3564e6738c
commit 41f81ebdd9
2 changed files with 204 additions and 197 deletions
--- a/src/acme.rs
+++ b/src/acme.rs
@@ -0,0 +1,198 @@
 use std::sync::RwLock;
 use std::collections::BTreeMap;
 use std::fs;
 use acme_lib::{create_p256_key, create_p384_key, create_rsa_key};
 use acme_lib::persist::FilePersist;
 use acme_lib::Directory;
 use aliyun_openapi_core_rust_sdk::RPClient;
 use rust_util::XResult;
 use crate::util::parse_dns_record;
 use crate::network::{get_resolver, resolve_first_ipv4};
 use crate::ali_dns::{add_txt_dns_record, build_dns_client, delete_dns_record, list_dns, simple_parse_aliyun_supplier};
 use crate::config::{AcmeChallenge, AcmeMode};
 use crate::x509::{X509PublicKeyAlgo, X509EcPublicKeyAlgo};
 lazy_static! {
    pub static ref TOKEN_MAP: RwLock<BTreeMap<String, String>> = RwLock::new(BTreeMap::new());
 }
 #[derive(Debug, Default)]
 pub struct AcmeRequest<'a> {
    pub challenge: AcmeChallenge,
    // issue, single acme request can only process one supplier
    pub credential_supplier: Option<&'a str>,
    pub allow_interact: bool,
    pub contract_email: &'a str,
    pub primary_name: &'a str,
    pub alt_names: &'a [&'a str],
    pub algo: X509PublicKeyAlgo,
    pub mode: AcmeMode,
    pub account_dir: &'a str,
    pub timeout: u64,
    pub local_public_ip: Option<&'a str>,
    pub key_file: Option<String>,
    pub cert_file: Option<String>,
    pub outputs_file: Option<String>,
 }
 pub fn request_acme_certificate(acme_request: AcmeRequest, dns_cleaned_domains: &mut Vec<String>) -> XResult<()> {
    if let Some(local_public_ip) = acme_request.local_public_ip {
        let mut all_domains = vec![acme_request.primary_name.to_string()];
        for alt_name in acme_request.alt_names {
            all_domains.push(alt_name.to_string());
        }
        information!("Checking domain dns records, domains: {:?}", all_domains);
        let resolver = opt_result!(get_resolver(), "Get resolver failed: {}");
        if acme_request.challenge == AcmeChallenge::Http {
            for domain in &all_domains {
                debugging!("Checking domain: {}", domain);
                let ipv4 = opt_result!(resolve_first_ipv4(&resolver, domain), "{}");
                match ipv4 {
                    None => return simple_error!("Resolve domain ip failed: {}", domain),
                    Some(ipv4) => if local_public_ip != ipv4 {
                        return simple_error!("Check domain ip: {}, mis-match, local: {} vs domain: {}", domain, local_public_ip, ipv4);
                    }
                }
            }
        }
    }
    information!("Acme mode: {:?}", acme_request.mode);
    let url = acme_request.mode.directory_url();
    let persist = FilePersist::new(acme_request.account_dir);
    let dir = opt_result!(Directory::from_url(persist, url), "Create directory from url failed: {}");
    let acc = opt_result!(dir.account(acme_request.contract_email), "Directory set account failed: {}");
    let mut ord_new = opt_result!( acc.new_order(acme_request.primary_name, acme_request.alt_names), "Create order failed: {}");
    let ali_yun_client: Option<RPClient> = match acme_request.credential_supplier {
        Some(credential_supplier) => Some(build_dns_client(
            &opt_result!(simple_parse_aliyun_supplier(credential_supplier), "Parse credential supplier failed: {}"))),
        None => None,
    };
    let mut order_csr_index = 0;
    let ord_csr = loop {
        if let Some(ord_csr) = ord_new.confirm_validations() {
            debugging!("Valid acme certificate http challenge success");
            break ord_csr;
        }
        information!("Loop for acme challenge auth, #{}", order_csr_index);
        order_csr_index += 1;
        debugging!("Start acme certificate http challenge");
        let auths = opt_result!(ord_new.authorizations(), "Order auth failed: {}");
        for auth in &auths {
            match acme_request.challenge {
                AcmeChallenge::Http => {
                    let chall = auth.http_challenge();
                    let token = chall.http_token();
                    let proof = chall.http_proof();
                    {
                        information!("Add acme http challenge: {} -> {}",token, proof);
                        TOKEN_MAP.write().unwrap().insert(token.to_string(), proof);
                    }
                    debugging!("Valid acme certificate http challenge");
                    opt_result!(chall.validate(acme_request.timeout), "Validate http challenge failed: {}");
                }
                AcmeChallenge::Dns => {
                    let chall = auth.dns_challenge();
                    let record = format!("_acme-challenge.{}.", auth.domain_name());
                    let proof = chall.dns_proof();
                    information!("Add acme dns challenge: {} -> {}", record, proof);
                    let rr_and_domain = opt_result!(parse_dns_record(&record), "Parse record to rr&domain failed: {}");
                    if !dns_cleaned_domains.contains(&rr_and_domain.1) {
                        information!("Clearing domain: {}", &rr_and_domain.1);
                        dns_cleaned_domains.push(rr_and_domain.1.clone());
                        ali_yun_client.as_ref().map(|client| {
                            match list_dns(client, &rr_and_domain.1) {
                                Err(e) => warning!("List dns for: {}, failed: {}", &rr_and_domain.1, e),
                                Ok(Err(e)) => warning!("List dns for: {}, failed: {:?}", &rr_and_domain.1, e),
                                Ok(Ok(s)) => {
                                    for r in &s.domain_records.record {
                                        let rr = &r.rr;
                                        if rr == "_acme-challenge" || rr.starts_with("_acme-challenge.") {
                                            match delete_dns_record(client, &r.record_id) {
                                                Err(e) => warning!("Delete dns: {}.{}, failed: {}", r.rr, r.domain_name, e),
                                                Ok(Err(e)) => warning!("Delete dns: {}.{}, failed: {:?}", r.rr, r.domain_name, e),
                                                Ok(Ok(_)) => success!("Delete dns: {}.{}", r.rr, r.domain_name),
                                            }
                                        }
                                    }
                                }
                            }
                        });
                    }
                    match &ali_yun_client {
                        Some(client) => {
                            let add_txt_dns_result = opt_result!(add_txt_dns_record(client, &rr_and_domain.1, &rr_and_domain.0, &proof), "Add DNS TXT record failed: {}");
                            match add_txt_dns_result {
                                Ok(s) => success!("Add dns txt record successes: {}", s.record_id),
                                Err(e) => return simple_error!("Add dns txt record failed: {:?}", e),
                            }
                        }
                        None => if acme_request.allow_interact {
                            let mut line = String::new();
                            information!("You need to config dns manually, press enter to continue...");
                            let _ = std::io::stdin().read_line(&mut line).unwrap();
                        } else {
                            return simple_error!("Interact is not allowed, --allow-interact to allow interact");
                        }
                    }
                    debugging!("Valid acme certificate dns challenge");
                    opt_result!(chall.validate(acme_request.timeout), "Validate dns challenge failed: {}");
                }
            }
        }
        debugging!("Refresh acme certificate order");
        opt_result!(ord_new.refresh(), "Refresh order failed: {}");
    };
    information!("Generate private key, key type: {:?}", acme_request.algo);
    let pkey_pri = match acme_request.algo {
        X509PublicKeyAlgo::EcKey(X509EcPublicKeyAlgo::Secp256r1) => create_p256_key(),
        X509PublicKeyAlgo::EcKey(X509EcPublicKeyAlgo::Secp384r1) => create_p384_key(),
        X509PublicKeyAlgo::EcKey(X509EcPublicKeyAlgo::Secp521r1) => return simple_error!("Algo ec521 is not supported"),
        X509PublicKeyAlgo::Rsa(bits) => create_rsa_key(bits),
    };
    debugging!("Invoking csr finalize pkey");
    let ord_cert = opt_result!( ord_csr.finalize_pkey(pkey_pri, acme_request.timeout), "Submit CSR failed: {}");
    debugging!("Downloading and save cert");
    let cert = opt_result!( ord_cert.download_and_save_cert(), "Download and save certificate failed: {}");
    if let (Some(cert_file), Some(key_file)) = (&acme_request.cert_file, &acme_request.key_file) {
        debugging!("Certificate key: {}",  cert.private_key());
        debugging!("Certificate pem: {}",  cert.certificate());
        information!("Write file: {}", cert_file);
        if let Err(e) = fs::write(cert_file, cert.certificate()) {
            failure!("Write file: {}, failed: {}", cert_file, e);
        }
        information!("Write file: {}", key_file);
        if let Err(e) = fs::write(key_file, cert.private_key()) {
            failure!("Write file: {}, failed: {}", key_file, e);
        }
        success!("Write files success: {} and {}", cert_file, key_file);
    } else if let Some(outputs_file) = &acme_request.outputs_file {
        let mut outputs = String::new();
        outputs.push_str("private key:\n");
        outputs.push_str(cert.private_key());
        outputs.push_str("\n\ncertificates:\n");
        outputs.push_str(cert.certificate());
        if let Err(e) = fs::write(outputs_file, outputs) {
            failure!("Write file: {}, failed: {}", outputs_file, e);
        }
    } else {
        information!("Certificate key: {}",  cert.private_key());
        information!("Certificate pem: {}",  cert.certificate());
    }
    Ok(())
 }
--- a/src/main.rs
+++ b/src/main.rs
@@ -3,6 +3,7 @@ extern crate lazy_static;
 #[macro_use]
 extern crate rust_util;
 mod acme;
 mod util;
 mod config;
 mod x509;
@@ -13,15 +14,9 @@ mod ali_dns;
 // mod simple_thread_pool;
 use std::env;
 use rust_util::XResult;
 use acme_lib::Directory;
 use acme_lib::{create_p384_key, create_p256_key, create_rsa_key};
 use acme_lib::persist::FilePersist;
 use clap::{App, Arg};
 use std::fs;
 use std::str::FromStr;
 use std::sync::RwLock;
 use std::collections::BTreeMap;
 use tide::Request;
 use std::process::{Command, exit};
 use std::time::{Duration, SystemTime};
@@ -29,45 +24,20 @@ use async_std::task;
 use async_std::channel;
 use async_std::channel::Sender;
 use config::AcmeMode;
 use crate::config::{AcmeChallenge, CertConfig, CERT_NAME, KEY_NAME};
 use crate::x509::{X509PublicKeyAlgo, X509EcPublicKeyAlgo};
 use std::path::PathBuf;
 use aliyun_openapi_core_rust_sdk::RPClient;
 use rust_util::util_cmd::run_command_and_wait;
-use crate::ali_dns::{add_txt_dns_record, build_dns_client, delete_dns_record, list_dns, simple_parse_aliyun_supplier};
+use crate::config::{AcmeChallenge, CertConfig, CERT_NAME, KEY_NAME};
 use crate::x509::{X509PublicKeyAlgo};
 use crate::dingtalk::send_dingtalk_message;
 use crate::network::{get_local_public_ip, get_resolver, resolve_first_ipv4};
 use crate::statics::{AcmeStatics, AcmeStatus};
-use crate::util::parse_dns_record;
+use crate::acme::{AcmeRequest, request_acme_certificate};
 use crate::network::get_local_public_ip;
 const NAME: &str = env!("CARGO_PKG_NAME");
 const VERSION: &str = env!("CARGO_PKG_VERSION");
 const AUTHORS: &str = env!("CARGO_PKG_AUTHORS");
 const DESCRIPTION: &str = env!("CARGO_PKG_DESCRIPTION");
 lazy_static! {
    static ref TOKEN_MAP: RwLock<BTreeMap<String, String>> = RwLock::new(BTreeMap::new());
 }
 #[derive(Debug, Default)]
 struct AcmeRequest<'a> {
    challenge: AcmeChallenge,
    // issue, single acme request can only process one supplier
    credential_supplier: Option<&'a str>,
    allow_interact: bool,
    contract_email: &'a str,
    primary_name: &'a str,
    alt_names: &'a [&'a str],
    algo: X509PublicKeyAlgo,
    mode: AcmeMode,
    account_dir: &'a str,
    timeout: u64,
    local_public_ip: Option<&'a str>,
    key_file: Option<String>,
    cert_file: Option<String>,
    outputs_file: Option<String>,
 }
 #[async_std::main]
 async fn main() -> tide::Result<()> {
    let matches = App::new(NAME)
@@ -432,167 +402,6 @@ fn check_cert_config(cert_config: &CertConfig) {
    }
 }
 fn request_acme_certificate(acme_request: AcmeRequest, dns_cleaned_domains: &mut Vec<String>) -> XResult<()> {
    if let Some(local_public_ip) = acme_request.local_public_ip {
        let mut all_domains = vec![acme_request.primary_name.to_string()];
        for alt_name in acme_request.alt_names {
            all_domains.push(alt_name.to_string());
        }
        information!("Checking domain dns records, domains: {:?}", all_domains);
        let resolver = opt_result!(get_resolver(), "Get resolver failed: {}");
        if acme_request.challenge == AcmeChallenge::Http {
            for domain in &all_domains {
                debugging!("Checking domain: {}", domain);
                let ipv4 = opt_result!(resolve_first_ipv4(&resolver, domain), "{}");
                match ipv4 {
                    None => return simple_error!("Resolve domain ip failed: {}", domain),
                    Some(ipv4) => if local_public_ip != ipv4 {
                        return simple_error!("Check domain ip: {}, mis-match, local: {} vs domain: {}", domain, local_public_ip, ipv4);
                    }
                }
            }
        }
    }
    information!("Acme mode: {:?}", acme_request.mode);
    let url = acme_request.mode.directory_url();
    let persist = FilePersist::new(acme_request.account_dir);
    let dir = opt_result!(Directory::from_url(persist, url), "Create directory from url failed: {}");
    let acc = opt_result!(dir.account(acme_request.contract_email), "Directory set account failed: {}");
    let mut ord_new = opt_result!( acc.new_order(acme_request.primary_name, acme_request.alt_names), "Create order failed: {}");
    let ali_yun_client: Option<RPClient> = match acme_request.credential_supplier {
        Some(credential_supplier) => Some(build_dns_client(
            &opt_result!(simple_parse_aliyun_supplier(credential_supplier), "Parse credential supplier failed: {}"))),
        None => None,
    };
    let mut order_csr_index = 0;
    let ord_csr = loop {
        if let Some(ord_csr) = ord_new.confirm_validations() {
            debugging!("Valid acme certificate http challenge success");
            break ord_csr;
        }
        information!("Loop for acme challenge auth, #{}", order_csr_index);
        order_csr_index += 1;
        debugging!("Start acme certificate http challenge");
        let auths = opt_result!(ord_new.authorizations(), "Order auth failed: {}");
        for auth in &auths {
            match acme_request.challenge {
                AcmeChallenge::Http => {
                    let chall = auth.http_challenge();
                    let token = chall.http_token();
                    let proof = chall.http_proof();
                    {
                        information!("Add acme http challenge: {} -> {}",token, proof);
                        TOKEN_MAP.write().unwrap().insert(token.to_string(), proof);
                    }
                    debugging!("Valid acme certificate http challenge");
                    opt_result!(chall.validate(acme_request.timeout), "Validate http challenge failed: {}");
                }
                AcmeChallenge::Dns => {
                    let chall = auth.dns_challenge();
                    let record = format!("_acme-challenge.{}.", auth.domain_name());
                    let proof = chall.dns_proof();
                    information!("Add acme dns challenge: {} -> {}", record, proof);
                    let rr_and_domain = opt_result!(parse_dns_record(&record), "Parse record to rr&domain failed: {}");
                    if !dns_cleaned_domains.contains(&rr_and_domain.1) {
                        information!("Clearing domain: {}", &rr_and_domain.1);
                        dns_cleaned_domains.push(rr_and_domain.1.clone());
                        ali_yun_client.as_ref().map(|client| {
                            match list_dns(client, &rr_and_domain.1) {
                                Err(e) => warning!("List dns for: {}, failed: {}", &rr_and_domain.1, e),
                                Ok(Err(e)) => warning!("List dns for: {}, failed: {:?}", &rr_and_domain.1, e),
                                Ok(Ok(s)) => {
                                    for r in &s.domain_records.record {
                                        let rr = &r.rr;
                                        if rr == "_acme-challenge" || rr.starts_with("_acme-challenge.") {
                                            match delete_dns_record(client, &r.record_id) {
                                                Err(e) => warning!("Delete dns: {}.{}, failed: {}", r.rr, r.domain_name, e),
                                                Ok(Err(e)) => warning!("Delete dns: {}.{}, failed: {:?}", r.rr, r.domain_name, e),
                                                Ok(Ok(_)) => success!("Delete dns: {}.{}", r.rr, r.domain_name),
                                            }
                                        }
                                    }
                                }
                            }
                        });
                    }
                    match &ali_yun_client {
                        Some(client) => {
                            let add_txt_dns_result = opt_result!(add_txt_dns_record(client, &rr_and_domain.1, &rr_and_domain.0, &proof), "Add DNS TXT record failed: {}");
                            match add_txt_dns_result {
                                Ok(s) => success!("Add dns txt record successes: {}", s.record_id),
                                Err(e) => return simple_error!("Add dns txt record failed: {:?}", e),
                            }
                        }
                        None => if acme_request.allow_interact {
                            let mut line = String::new();
                            information!("You need to config dns manually, press enter to continue...");
                            let _ = std::io::stdin().read_line(&mut line).unwrap();
                        } else {
                            return simple_error!("Interact is not allowed, --allow-interact to allow interact");
                        }
                    }
                    debugging!("Valid acme certificate dns challenge");
                    opt_result!(chall.validate(acme_request.timeout), "Validate dns challenge failed: {}");
                }
            }
        }
        debugging!("Refresh acme certificate order");
        opt_result!(ord_new.refresh(), "Refresh order failed: {}");
    };
    information!("Generate private key, key type: {:?}", acme_request.algo);
    let pkey_pri = match acme_request.algo {
        X509PublicKeyAlgo::EcKey(X509EcPublicKeyAlgo::Secp256r1) => create_p256_key(),
        X509PublicKeyAlgo::EcKey(X509EcPublicKeyAlgo::Secp384r1) => create_p384_key(),
        X509PublicKeyAlgo::EcKey(X509EcPublicKeyAlgo::Secp521r1) => return simple_error!("Algo ec521 is not supported"),
        X509PublicKeyAlgo::Rsa(bits) => create_rsa_key(bits),
    };
    debugging!("Invoking csr finalize pkey");
    let ord_cert = opt_result!( ord_csr.finalize_pkey(pkey_pri, acme_request.timeout), "Submit CSR failed: {}");
    debugging!("Downloading and save cert");
    let cert = opt_result!( ord_cert.download_and_save_cert(), "Download and save certificate failed: {}");
    if let (Some(cert_file), Some(key_file)) = (&acme_request.cert_file, &acme_request.key_file) {
        debugging!("Certificate key: {}",  cert.private_key());
        debugging!("Certificate pem: {}",  cert.certificate());
        information!("Write file: {}", cert_file);
        if let Err(e) = fs::write(cert_file, cert.certificate()) {
            failure!("Write file: {}, failed: {}", cert_file, e);
        }
        information!("Write file: {}", key_file);
        if let Err(e) = fs::write(key_file, cert.private_key()) {
            failure!("Write file: {}, failed: {}", key_file, e);
        }
        success!("Write files success: {} and {}", cert_file, key_file);
    } else if let Some(outputs_file) = &acme_request.outputs_file {
        let mut outputs = String::new();
        outputs.push_str("private key:\n");
        outputs.push_str(cert.private_key());
        outputs.push_str("\n\ncertificates:\n");
        outputs.push_str(cert.certificate());
        if let Err(e) = fs::write(outputs_file, outputs) {
            failure!("Write file: {}, failed: {}", outputs_file, e);
        }
    } else {
        information!("Certificate key: {}",  cert.private_key());
        information!("Certificate pem: {}",  cert.certificate());
    }
    Ok(())
 }
 fn startup_http_server(s: Sender<i32>, port: u16) {
    task::spawn(async move {
        information!("Listen at 0.0.0.0:{}", port);
@@ -610,7 +419,7 @@ fn startup_http_server(s: Sender<i32>, port: u16) {
                }
            };
            let peer = req.peer_addr().unwrap_or("none");
-            let auth_token = { TOKEN_MAP.read().unwrap().get(token).cloned() };
+            let auth_token = { crate::acme::TOKEN_MAP.read().unwrap().get(token).cloned() };
            match auth_token {
                Some(auth_token) => {
                    information!("Request acme challenge: {} -> {}, peer: {:?}", token, auth_token, peer);