Merge pull request #765 from urbit/https-acme
adds Let's Encrypt client :acme, integrates with :dns app and %eyre
This commit is contained in:
commit
dc103dcabd
2840
app/acme.hoon
Normal file
2840
app/acme.hoon
Normal file
File diff suppressed because it is too large
68
app/dns.hoon
68
app/dns.hoon
@ -6,16 +6,20 @@
|
||||
::
|
||||
|%
|
||||
+= move (pair bone card)
|
||||
+= poke $% [%dns-bind for=ship him=ship target]
|
||||
[%dns-bond for=ship him=ship turf]
|
||||
[%dns-authority authority]
|
||||
:: XX some other notification channel?
|
||||
[%helm-send-hi ship (unit tape)]
|
||||
==
|
||||
+= card $% [%tend wire ~]
|
||||
[%poke wire dock poke]
|
||||
[%hiss wire [~ ~] %httr %hiss hiss:eyre]
|
||||
==
|
||||
+= poke
|
||||
$% [%dns-bind for=ship him=ship target]
|
||||
[%dns-bond for=ship him=ship turf]
|
||||
[%dns-authority authority]
|
||||
:: XX some other notification channel?
|
||||
[%helm-send-hi ship (unit tape)]
|
||||
==
|
||||
+= card
|
||||
$% [%tend wire ~]
|
||||
[%wait wire @da]
|
||||
[%poke wire dock poke]
|
||||
[%rule wire %turf %put turf]
|
||||
[%hiss wire [~ ~] %httr %hiss hiss:eyre]
|
||||
==
|
||||
:: +state: complete app state
|
||||
::
|
||||
+= state
|
||||
@ -55,17 +59,16 @@
|
||||
++ reserved
|
||||
|= a=@if
|
||||
^- ?
|
||||
=/ b (rip 3 a)
|
||||
?> ?=([@ @ @ @ ~] b)
|
||||
?| :: 0.0.0.0/8 (software)
|
||||
::
|
||||
=(0 i.b)
|
||||
:: 10.0.0.0/8 (private)
|
||||
=/ b (flop (rip 3 a))
|
||||
:: 0.0.0.0/8 (software)
|
||||
::
|
||||
?. ?=([@ @ @ @ ~] b) &
|
||||
?| :: 10.0.0.0/8 (private)
|
||||
::
|
||||
=(10 i.b)
|
||||
:: 100.64.0.0/10 (carrier-grade NAT)
|
||||
::
|
||||
&(=(100 i.b) (gte 64 i.t.b) (lte 127 i.t.b))
|
||||
&(=(100 i.b) (gte i.t.b 64) (lte i.t.b 127))
|
||||
:: 127.0.0.0/8 (localhost)
|
||||
::
|
||||
=(127 i.b)
|
||||
@ -74,7 +77,7 @@
|
||||
&(=(169 i.b) =(254 i.t.b))
|
||||
:: 172.16.0.0/12 (private)
|
||||
::
|
||||
&(=(172 i.b) (gte 16 i.t.b) (lte 31 i.t.b))
|
||||
&(=(172 i.b) (gte i.t.b 16) (lte i.t.b 31))
|
||||
:: 192.0.0.0/24 (protocol assignment)
|
||||
::
|
||||
&(=(192 i.b) =(0 i.t.b) =(0 i.t.t.b))
|
||||
@ -100,7 +103,7 @@
|
||||
:: 240.0.0.0/4 (reserved, future)
|
||||
:: 255.255.255.255/32 (broadcast)
|
||||
::
|
||||
(gte 224 i.b)
|
||||
(gte i.b 224)
|
||||
==
|
||||
:: |gcloud: provider-specific functions
|
||||
::
|
||||
@ -192,6 +195,11 @@
|
||||
=/ him=ship (slav %p i.t.wir)
|
||||
?: =(200 p.rep)
|
||||
abet:~(bind tell [him (~(get by per) him)])
|
||||
:: cttp timeout
|
||||
?: =(504 p.rep)
|
||||
:: XX backoff, refactor
|
||||
:_ this :_ ~
|
||||
[ost.bow %wait wir (add now.bow ~m10)]
|
||||
:: XX specific messages per status code
|
||||
~& %direct-confirm-fail
|
||||
abet:(~(fail tell [him (~(get by per) him)]) %failed-request)
|
||||
@ -219,6 +227,16 @@
|
||||
%- (slog saw)
|
||||
abet:(~(fail tell [him (~(get by per) him)]) %crash)
|
||||
==
|
||||
:: +wake: timer callback
|
||||
::
|
||||
++ wake
|
||||
|= [wir=wire ~]
|
||||
^- (quip move _this)
|
||||
?. ?=([%check @ ~] wir)
|
||||
~& [%strange-wake wir]
|
||||
[~ this]
|
||||
=/ him=ship (slav %p i.t.wir)
|
||||
abet:~(check tell [him (~(get by per) him)])
|
||||
::
|
||||
:: +poke-dns-authority: configure self as an authority
|
||||
::
|
||||
@ -259,9 +277,8 @@
|
||||
?: =(for him)
|
||||
~|(%bond-yoself !!)
|
||||
?: =(our.bow him)
|
||||
:: XX notify eyre/hood/acme etc
|
||||
~& [%bound-us dom]
|
||||
:- ~
|
||||
:- [[ost.bow %rule /bound %turf %put dom] ~]
|
||||
this(dom (~(put in ^dom) dom))
|
||||
?: =(our.bow for)
|
||||
~& [%bound-him him dom]
|
||||
@ -281,6 +298,9 @@
|
||||
++ rove
|
||||
|= [wir=wire p=ship q=lane:ames]
|
||||
^- (quip move _this)
|
||||
:: XX move to %ames
|
||||
?: =(our.bow p)
|
||||
[~ this]
|
||||
?. =(our.bow (sein:title p)) :: XX check will
|
||||
~& [%rove-false p]
|
||||
[~ this]
|
||||
@ -404,9 +424,10 @@
|
||||
[%direct %if u.adr]
|
||||
?. ?| ?=(~ rel)
|
||||
!=(tar tar.u.rel)
|
||||
!bon.u.rel
|
||||
==
|
||||
this
|
||||
=. rel `[wen=now.bow adr bon=| tar]
|
||||
=. rel `[wen=now.bow adr bon=| try=0 tar]
|
||||
?:(?=(%indirect -.tar) bind check)
|
||||
:: +check: confirm %direct target is accessible
|
||||
::
|
||||
@ -416,6 +437,9 @@
|
||||
?> ?=(%direct -.tar.u.rel)
|
||||
?: (reserved p.tar.u.rel)
|
||||
(fail %reserved-ip)
|
||||
?: (gth try.u.rel 2)
|
||||
(fail %unreachable)
|
||||
=. try.u.rel +(try.u.rel)
|
||||
=/ wir=wire
|
||||
/check/(scot %p him)
|
||||
=/ url=purl:eyre
|
||||
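Review bot: The new `?. ?=([@ @ @ @ ~] b) &` in +reserved treats any address that does not split into exactly four octets as reserved, which is what now covers 0.0.0.0/8 (`rip` yields fewer than four blocks when the high octets are zero) and also anything wider than 32 bits, but the comment above it still names only 0.0.0.0/8; I'd make the fail-closed behaviour explicit with `:: fail closed: anything that is not exactly four octets is reserved`. This check gates the outbound `%hiss` in +check, so it is the only thing keeping the reachability probe from being aimed at loopback or private address space — worth a line in +check such as `:: reserved addresses are rejected before any request is sent`. The cap `?: (gth try.u.rel 2) (fail %unreachable)` together with the 504 branch in +sigh (`%wait wir (add now.bow ~m10)`) gives three probes ten minutes apart; naming that budget in a comment would help the `XX backoff` follow-up. +check starts above its hunk and +reserved is split across three hunks.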
|
@ -81,6 +81,7 @@
|
||||
?: ?=($pawn myr)
|
||||
[[%base %collections] [%base %hall] [%base %talk] [%base %dojo] ~]
|
||||
:~ [%home %collections]
|
||||
[%home %acme]
|
||||
[%home %dns]
|
||||
[%home %dojo]
|
||||
[%home %hall]
|
||||
|
@ -102,7 +102,7 @@
|
||||
|= a/$@(@t purl) ^- hiss
|
||||
(post-quay (parse-url a) oauth-callback+oauth-callback ~)
|
||||
::
|
||||
++ our-host .^(hart %e /(scot %p our)/host/fake)
|
||||
++ our-host .^(hart %e /(scot %p our)/host/real)
|
||||
++ oauth-callback
|
||||
~& [%oauth-warning "Make sure this urbit ".
|
||||
"is running on {(en-purl:html our-host `~ ~)}"]
|
||||
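Review bot: `++ our-host .^(hart %e /(scot %p our)/host/real)` now returns whatever eyre's `$real` scry derives from its bound-domain set, and that scry (in the eyre section of this commit) picks `n.dom`, the root of the set, so with more than one domain bound the host in the OAuth redirect URI is effectively arbitrary and can change as domains are added or removed, which would invalidate callback URLs registered with the provider. The same switch is made at the second `our-host` arm below, in the `redirect-uri` file. A comment here, e.g. `:: XX host is eyre's current pick among bound domains; may change when dom changes`, or a deterministic choice on the eyre side, would make the dependency visible.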
|
@ -101,7 +101,7 @@
|
||||
%+ rap 3 :- (wack a)
|
||||
(turn b |=(c/knot (cat 3 '_' (wack c))))
|
||||
::
|
||||
++ our-host .^(hart %e /(scot %p our)/host/fake)
|
||||
++ our-host .^(hart %e /(scot %p our)/host/real)
|
||||
++ redirect-uri
|
||||
%- crip %- en-purl
|
||||
%^ into-url:interpolate 'https://our-host/~/ac/:domain/:user/in'
|
||||
|
9
mar/acme/order.hoon
Normal file
9
mar/acme/order.hoon
Normal file
@ -0,0 +1,9 @@
|
||||
::
|
||||
:::: /mar/acme/order/hoon
|
||||
::
|
||||
|_ a=(set (list @t))
|
||||
++ grab
|
||||
|%
|
||||
++ noun (set (list @t))
|
||||
--
|
||||
--
|
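Review bot: The `noun` grab `(set (list @t))` normalizes an incoming noun into the type rather than validating it — a noun that is not a well-formed set (wrong tree ordering) is accepted and yields a set whose lookups misbehave; since the only producer in this commit is eyre's `%acme-order` poke on the same ship that is acceptable, but the file should say so, e.g. `:: produced locally by %eyre (%acme-order); not validated beyond the mold`. There is also no `+grow` or `+grad`, so the mark can only be built from a noun; a one-line comment stating that this is intentional would save the next reader checking.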
@ -15,6 +15,7 @@
|
||||
++ noun recoverable-error
|
||||
++ httr
|
||||
|= a/^httr ^- recoverable-error
|
||||
~& [%recoverable-httr a]
|
||||
~! a
|
||||
?+ p.a ~|(non-recoverable+p.a !!)
|
||||
$429 :+ p.a %rate-limit
|
||||
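Review bot: The added `~! a` is a compile-time debugging hint (it prints the type of `a` only when the following expression fails to compile) and has no effect at runtime, so it reads as leftover debugging rather than part of the fix; I'd drop it. `~& [%recoverable-httr a]` prints the full httr (status, headers and any body) for every non-2xx reply, which is fine during development but should carry a `:: XX remove tracing` marker so it does not stay in. The enclosing `++ httr` arm continues outside the hunk.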
|
@ -53,6 +53,7 @@
|
||||
$: wen=@da
|
||||
wer=(unit @if)
|
||||
bon=?
|
||||
try=@ud
|
||||
tar=target
|
||||
==
|
||||
--
|
||||
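Review bot: `try=@ud` is a new field in the middle of a record that, going by `rel` and `(~(get by per) him)` in app/dns.hoon, is part of the app's persisted state, so existing ships carry records without it; unless +prep in app/dns.hoon converts old records (not visible in this diff) the first load after upgrade would fail. If a migration exists, a short comment here such as `:: try: probes sent for the current target (see +check)` would also document what the counter means.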
|
@ -85,7 +85,11 @@
|
||||
-- ::
|
||||
|% :: models
|
||||
++ bolo :: eyre state
|
||||
$: $0 :: version
|
||||
$: $1 :: version
|
||||
dom/(set (list @t)) :: domain names
|
||||
fig/http-config :: config
|
||||
por/{clr/@ud sek/(unit @ud)} :: live ports
|
||||
wel/wank :: .well-known
|
||||
gub/@t :: random identity
|
||||
hov/(unit ship) :: master for remote
|
||||
top/beam :: ford serve prefix
|
||||
@ -173,6 +177,9 @@
|
||||
{$html p/manx} :: successful page
|
||||
{$htme p/manx} :: authentication fail
|
||||
==
|
||||
::
|
||||
++ wank :: .well-known ankh
|
||||
{p/(unit mime) q/(map @ta wank)}
|
||||
-- ::
|
||||
|%
|
||||
++ eat-headers
|
||||
@ -222,6 +229,25 @@
|
||||
^- wall
|
||||
(zing (turn tan |=(a/tank (wash 0^wid a))))
|
||||
::
|
||||
++ yank :: get .well-known
|
||||
|= [wel=wank pat=path]
|
||||
^- (unit mime)
|
||||
?~ pat p.wel
|
||||
=/ wan (~(get by q.wel) i.pat)
|
||||
?~ wan ~
|
||||
$(wel u.wan, pat t.pat)
|
||||
::
|
||||
++ dank :: put/del .well-known
|
||||
|= [wel=wank pat=path mim=(unit mime)]
|
||||
^- wank
|
||||
?~ pat wel(p mim)
|
||||
=/ wan (~(get by q.wel) i.pat)
|
||||
?: &(?=(~ wan) ?=(~ mim))
|
||||
wel
|
||||
:- p.wel
|
||||
%+ ~(put by q.wel)
|
||||
i.pat
|
||||
$(wel ?~(wan *wank u.wan), pat t.pat)
|
||||
::
|
||||
++ add-cookies
|
||||
|= {cug/(list @t) hit/httr} ^- httr
|
||||
@ -637,12 +663,44 @@
|
||||
=. p.top our :: XX necessary?
|
||||
?- -.kyz
|
||||
$born
|
||||
:: XX capture IPs too
|
||||
=/ mod/(set (list @t))
|
||||
%- ~(gas in *(set (list @t)))
|
||||
%+ turn
|
||||
(skim p.kyz |=(a=host ?=(%& -.a)))
|
||||
|=(a=host ?>(?=(%& -.a) p.a))
|
||||
=/ dif/(set (list @t)) (~(dif in mod) dom)
|
||||
=? dom ?=(^ dif) (~(uni in dom) mod)
|
||||
=? mow ?=(^ dif)
|
||||
=/ cmd [%acme %poke `cage`[%acme-order !>(dom)]]
|
||||
:_(mow [hen %pass /acme/order %g %deal [our our] cmd])
|
||||
%= +>.$
|
||||
ged hen :: register external
|
||||
mow :_(mow [hen [%give %form [~ ?=(%king our) & &]]])
|
||||
mow :_(mow [hen [%give %form fig]])
|
||||
==
|
||||
::
|
||||
$live +>.$ :: XX save ports
|
||||
$live
|
||||
+>.$(clr.por p.kyz, sek.por q.kyz)
|
||||
::
|
||||
$rule
|
||||
?- -.p.kyz
|
||||
$cert
|
||||
?: =(secure.fig p.p.kyz) +>.$
|
||||
=. secure.fig p.p.kyz
|
||||
+>.$(mow :_(mow [ged [%give %form fig]]))
|
||||
::
|
||||
$turf
|
||||
=/ mod/(set (list @t))
|
||||
?: ?=(%put p.p.kyz)
|
||||
(~(put in dom) q.p.kyz)
|
||||
(~(del in dom) q.p.kyz)
|
||||
?: =(dom mod) +>.$
|
||||
=/ cmd [%acme %poke `cage`[%acme-order !>(mod)]]
|
||||
%= +>.$
|
||||
dom mod
|
||||
mow :_(mow [hen %pass /acme/order %g %deal [our our] cmd])
|
||||
==
|
||||
==
|
||||
::
|
||||
$serv
|
||||
=< ~&([%serving (en-beam top)] .)
|
||||
@ -653,6 +711,7 @@
|
||||
::
|
||||
$init :: register ownership
|
||||
=. our ?~(hov p.kyz (min u.hov p.kyz))
|
||||
=. fig [~ ?=(%king our) & &]
|
||||
+>.$(hov [~ our], top [[our %home ud+0] /web])
|
||||
::
|
||||
?($chis $this) :: inbound request
|
||||
@ -739,6 +798,9 @@
|
||||
?~ p.lid +>.^$
|
||||
(del-deps:$(p.lid t.p.lid) i.p.lid %& hen)
|
||||
==
|
||||
::
|
||||
$well
|
||||
+>.$(wel (dank wel p.kyz q.kyz))
|
||||
::
|
||||
$went
|
||||
:: this won't happen until we send responses.
|
||||
@ -802,12 +864,12 @@
|
||||
[[%$ deps+!>(dep)] [%vale res]]
|
||||
==
|
||||
::
|
||||
$not +>.$(mow :_(mow [ged [%give %that q.p.kyz p.u.mez q.u.mez]]))
|
||||
$not +>.$(mow :_(mow [ged [%give %that q.p.kyz p.u.mez]]))
|
||||
==
|
||||
::
|
||||
$wegh !! :: handled elsewhere
|
||||
::
|
||||
$wise (ames-gram p.kyz [%not ~] q.kyz r.kyz) :: proxy notification
|
||||
$wise (ames-gram p.kyz [%not ~] q.kyz) :: proxy notification
|
||||
==
|
||||
::
|
||||
::++ axom :: old response
|
||||
@ -1228,6 +1290,11 @@
|
||||
:~ 'User-agent: *'
|
||||
'Disallow: '
|
||||
==
|
||||
::
|
||||
{@tas $'.well-known' ^} :: XX file extension?
|
||||
=/ mim (yank wel (tail q.pok))
|
||||
?~ mim ~
|
||||
`(resp 200 p.u.mim q.q.u.mim)
|
||||
==
|
||||
::
|
||||
++ is-spur |(?~(q.pok & ((sane %ta) i.q.pok)))
|
||||
@ -2094,10 +2161,14 @@
|
||||
~
|
||||
::
|
||||
++ load :: take previous state
|
||||
::|= * %. (bolo +<)
|
||||
|= old/?(bolo) ^+ ..^$
|
||||
=> |%
|
||||
++ bolo-old (cork bolo |=(bolo [%0 |5.+<]))
|
||||
--
|
||||
|= old/?(bolo-old bolo)
|
||||
^+ ..^$
|
||||
?- -.old
|
||||
$0 ..^$(+>- old)
|
||||
$0 $(old [%1 ~ *http-config [8.080 ~] [~ ~] +.old])
|
||||
$1 ..^$(+>- old)
|
||||
==
|
||||
::
|
||||
++ scry
|
||||
@ -2125,7 +2196,14 @@
|
||||
?+ p.lot [~ ~]
|
||||
{$tas $fake} ``[& [~ 8.443] %& /localhost] :: XX from unix
|
||||
{$tas $real}
|
||||
``~(our-host ye [`duct`~[/] [now eny our sky] ~] bol)
|
||||
=/ hot=host [%& ?^(dom n.dom /localhost)]
|
||||
=/ sek=? &(?=(^ sek.por) !?=(hoke hot))
|
||||
=/ por=(unit @ud)
|
||||
?. sek
|
||||
?:(=(80 clr.por) ~ `clr.por)
|
||||
?> ?=(^ sek.por)
|
||||
?:(=(443 u.sek.por) ~ sek.por)
|
||||
``[sek por hot]
|
||||
==
|
||||
==
|
||||
::
|
||||
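Review bot: In `++ load`, `++ bolo-old (cork bolo |=(bolo [%0 |5.+<]))` looks off by one: `|5` is `+>+>`, which on a `%1` bolo `[%1 dom fig por wel gub ...]` yields `[wel gub ...]`, so `bolo-old` becomes `[%0 wel gub ...]` while the pre-`%1` state shown in the `++ bolo` hunk is `[%0 gub hov top ...]`; if that reading is right the helper should drop five leading cells (`|6.+<`), and the stale `::|= * %. (bolo +<)` line above it can go. `++ dank` never prunes: deleting a `.well-known` entry clears `p` but leaves the node in `q.wel` for every path element, so the map only grows; after the recursive call, delete the key when the child comes back empty instead of putting it back (sketch below). In `++ scry` `$real`, `?^(dom n.dom /localhost)` returns the root of the domain set, so with several bound domains the advertised host is arbitrary and may change whenever `dom` changes — a `::` note there, or tracking an explicit primary domain, would help. `$born` and `$turf` build the same `[%acme %poke ...]` / `%deal` move; a small `++ acme-order` arm would remove the duplication.
```hoon
++  dank                                                ::  put/del .well-known
  ::  … unchanged: sample, leaf case, no-op case …
  =/  kid=wank  $(wel ?~(wan *wank u.wan), pat t.pat)
  :-  p.wel
  ?:  &(?=(~ p.kid) =(~ q.kid))                         ::  prune empty nodes
    (~(del by q.wel) i.pat)
  (~(put by q.wel) i.pat kid)
```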
|
@ -1222,12 +1222,14 @@
|
||||
$nuke `%a
|
||||
$ogre `%c
|
||||
$perm `%c
|
||||
$rule `%e
|
||||
$serv `%e
|
||||
$tend `%a
|
||||
$them `%e
|
||||
$wait `%b
|
||||
$want `%a
|
||||
$warp `%c
|
||||
$well `%e
|
||||
$wipe `%f :: XX cache clear
|
||||
==
|
||||
--
|
||||
|
@ -669,7 +669,7 @@
|
||||
[%mass p=mass] :: memory usage
|
||||
[%mack p=(unit tang)] :: message ack
|
||||
[%sigh p=cage] :: marked http response
|
||||
[%that p=@p q=@ud r=?] :: get proxied request
|
||||
[%that p=@p q=prox] :: get proxied request
|
||||
[%thou p=httr] :: raw http response
|
||||
[%thus p=@ud q=(unit hiss)] :: http request+cancel
|
||||
[%veer p=@ta q=path r=@t] :: drop-through
|
||||
@ -677,11 +677,12 @@
|
||||
[%velo p=@t q=@t] :: drop-through
|
||||
== ::
|
||||
+= task :: in request ->$
|
||||
$% [%born ~] :: new unix process
|
||||
$% [%born p=(list host)] :: new unix process
|
||||
[%crud p=@tas q=(list tank)] :: XX rethink
|
||||
[%hiss p=(unit user) q=mark r=cage] :: outbound user req
|
||||
[%init p=@p] :: report install
|
||||
[%live p=@ud q=(unit @ud)] :: http/s ports
|
||||
[%rule p=http-rule] :: update config
|
||||
[%serv p=$@(desk beam)] :: set serving root
|
||||
[%them p=(unit hiss)] :: outbound request
|
||||
[%they p=@ud q=httr] :: inbound response
|
||||
@ -689,9 +690,10 @@
|
||||
[%this p=? q=clip r=httq] :: inbound request
|
||||
[%thud ~] :: inbound cancel
|
||||
[%wegh ~] :: report memory
|
||||
[%well p=path q=(unit mime)] :: put/del .well-known
|
||||
[%went p=sack q=path r=@ud s=coop] :: response confirm
|
||||
[%west p=sack q=[path *]] :: network request
|
||||
[%wise p=@p q=@ud r=?] :: proxy notification
|
||||
[%wise p=ship q=prox] :: proxy notification
|
||||
== ::
|
||||
-- ::able
|
||||
::
|
||||
@ -729,7 +731,7 @@
|
||||
[[%get-inner ~] p=@uvH q=mark r=coin s=beam] ::TODO details?
|
||||
[[%got-inner ~] p=@uvH q=(each (cask) tang)] ::TODO details?
|
||||
::
|
||||
[[%not ~] p=@ud q=?] :: proxy notification
|
||||
[[%not ~] p=prox] :: proxy notification
|
||||
== ::
|
||||
++ hart {p/? q/(unit @ud) r/host} :: http sec+port+host
|
||||
++ hate {p/purl q/@p r/moth} :: semi-cooked request
|
||||
@ -743,9 +745,9 @@
|
||||
:: +http-config: full http-server configuration
|
||||
::
|
||||
+= http-config
|
||||
$: :: secure: PEM-encoded RSA private key and certificate chain
|
||||
$: :: secure: PEM-encoded RSA private key and cert or cert chain
|
||||
::
|
||||
secure=(unit [key=wain certificate=wain])
|
||||
secure=(unit [key=wain cert=wain])
|
||||
:: proxy: reverse TCP proxy HTTP(s)
|
||||
::
|
||||
proxy=?
|
||||
@ -758,6 +760,16 @@
|
||||
::
|
||||
redirect=?
|
||||
==
|
||||
:: +http-rule: update configuration
|
||||
::
|
||||
+= http-rule
|
||||
$% :: %cert: set or clear certificate and keypair
|
||||
::
|
||||
[%cert p=(unit [key=wain cert=wain])]
|
||||
:: %turf: add or remove established dns binding
|
||||
::
|
||||
[%turf p=?(%put %del) q=(list @t)]
|
||||
==
|
||||
++ httq :: raw http request
|
||||
$: p/meth :: method
|
||||
q/@t :: unparsed url
|
||||
@ -795,6 +807,22 @@
|
||||
++ octs {p/@ud q/@t} :: octet-stream
|
||||
++ oryx @t :: CSRF secret
|
||||
++ pork {p/(unit @ta) q/(list @t)} :: fully parsed url
|
||||
:: +prox: proxy notification
|
||||
::
|
||||
:: Used on both the proxy (ward) and upstream sides for
|
||||
:: sending/receiving proxied-request notifications.
|
||||
::
|
||||
+= prox
|
||||
$: :: por: tcp port
|
||||
::
|
||||
por=@ud
|
||||
:: sek: secure?
|
||||
::
|
||||
sek=?
|
||||
:: non: authentication nonce
|
||||
::
|
||||
non=@uvJ
|
||||
==
|
||||
++ purf (pair purl (unit @t)) :: url with fragment
|
||||
++ purl {p/hart q/pork r/quay} :: parsed url
|
||||
++ quay (list {p/@t q/@t}) :: parsed url query
|
||||
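Review bot: `secure=(unit [key=wain cert=wain])` puts the PEM private key into `http-config`, which the eyre section of this commit stores in persistent state as `fig/http-config` and hands to the runtime with `%give %form fig`; the `secure:` comment should flag that this is secret material, e.g. `:: secure: PEM-encoded RSA private key and cert or cert chain (private key: never log or expose via scry)`. For `+prox`, `non=@uvJ :: authentication nonce` does not say which side mints the nonce or how long it stays valid; a sentence in the `+prox` header would save the next reader inferring it from eyre. `[%born p=(list host)]` is new runtime-supplied input; presumably the hosts the unix process was started with — the comment should state where `p` comes from once confirmed.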
|