aboutsummaryrefslogtreecommitdiff
path: root/provider.go
blob: ea8fafc70c0d7eb800e13a1b5054130e979916bd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
package acme

import (
	"encoding/json"
	"errors"
	"io/ioutil"
	"net/http"
	"regexp"
	"time"
)

const (
	// LE1 Let's Encrypt V1
	LE1 = `https://acme-v01.api.letsencrypt.org/directory`
	// LES Let's Encrypt Staging
	LES = `https://acme-staging.api.letsencrypt.org/directory`
)

type Resource string

const (
	ResNewReg     Resource = "new-reg"
	ResNewAuthz   Resource = "new-authz"
	ResNewCert    Resource = "new-cert"
	ResRevokeCert Resource = "revoke-cert"
	ResReg        Resource = "reg"
	ResAuthz      Resource = "authz"
	ResChallenge  Resource = "challenge"
	ResCert       Resource = "cert"
)

// Directory ...
type Directory struct {
	NewReg     string `json:"new-reg"`
	NewAuthz   string `json:"new-authz"`
	NewCert    string `json:"new-cert"`
	RevokeCert string `json:"revoke-cert"`
	Meta       *Meta  `json:"meta,omitemtpy"`
}

type Meta struct {
	TOS     string   `json:"terms-of-service"`
	Website string   `json:"website"`
	CAA     []string `json:"caa-identities"`
}

// Provider ...
type Provider struct {
	Directory
	nonces chan string
	http.Client
	http.Transport
}

var (
	errNoNonces    = errors.New("out of nonces")
	errContentType = errors.New("unknown content type")
	errChalType    = errors.New("unknown challenge")
	errStatus      = errors.New("unexpected status")
)

const (
	mimeJson    = "application/json"
	mimeJose    = "application/jose+json"
	mimeProblem = "application/problem+json"
	mimePkix    = "application/pkix-cert"
	timeout     = time.Second * 30
	poll        = time.Second
)

// RoundTrip extracts nonces from HTTP reponse
func (p Provider) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := p.Transport.RoundTrip(req)
	if err != nil {
		return nil, err
	}
	nonce := resp.Header.Get("Replay-Nonce")
	if nonce == "" {
		return nil, errNoNonces
	}
	if len(p.nonces) == cap(p.nonces) {
		<-p.nonces // drop oldest
	}
	p.nonces <- nonce
	return resp, nil
}

// Nonce implements jose nonce provider
func (p Provider) Nonce() (string, error) {
	select {
	case nonce := <-p.nonces:
		return nonce, nil
	case <-time.After(timeout):
		return "", errNoNonces
	}
}

// DialProvider fetches directory and initializes first nonce
func DialProvider(directory string) (*Provider, error) {
	p := &Provider{nonces: make(chan string, 100)}
	p.Client = http.Client{
		Transport: p,
		Timeout:   time.Duration(timeout),
	}
	resp, err := p.Get(directory)
	if err != nil {
		return nil, err
	}
	return p, parseJson(resp, &p.Directory)
}

func (p Provider) post(uri string, s *Signer, v interface{}) (*http.Response, error) {
	msg, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	signed, err := s.Sign(msg, p)
	if err != nil {
		return nil, err
	}
	return p.Post(uri, mimeJose, signed)
}

type nextStep struct {
	Link     map[string]string
	Location string
}

var linksRe = regexp.MustCompile(`^<(.*)>;rel="(.*)"`)

func parseHeader(resp *http.Response) nextStep {
	var ns nextStep
	if lo, _ := resp.Location(); lo != nil {
		ns.Location = lo.String()
	}
	ns.Link = make(map[string]string)
	for _, li := range resp.Header["Link"] {
		re := linksRe.FindStringSubmatch(li)
		if len(re) == 3 {
			ns.Link[re[2]] = re[1]
		}
	}
	return ns
}

func parseJson(resp *http.Response, v interface{}) error {
	defer resp.Body.Close()
	switch resp.Header.Get("Content-Type") {
	case mimeJson:
		return json.NewDecoder(resp.Body).Decode(v)
	case mimeProblem:
		return problem(resp.Body)
	default:
		return errContentType
	}
}

func parseCert(resp *http.Response) ([]byte, error) {
	defer resp.Body.Close()
	switch resp.Header.Get("Content-Type") {
	case mimePkix:
		return ioutil.ReadAll(resp.Body)
	case mimeProblem:
		return nil, problem(resp.Body)
	default:
		return nil, errContentType
	}
}