Merge pull request #765 from urbit/https-acme

adds letsencrypt client :acme, integrates with :dns app and %eyre
Anthony Arroyo 2018-07-19 12:11:04 -07:00 committed by GitHub
commit dc103dcabd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 3023 additions and 39 deletions

app/acme.hoon Normal file



@ -6,16 +6,20 @@
::
|%
+= move (pair bone card)
+= poke $% [%dns-bind for=ship him=ship target]
[%dns-bond for=ship him=ship turf]
[%dns-authority authority]
:: XX some other notification channel?
[%helm-send-hi ship (unit tape)]
==
+= card $% [%tend wire ~]
[%poke wire dock poke]
[%hiss wire [~ ~] %httr %hiss hiss:eyre]
==
+= poke
$% [%dns-bind for=ship him=ship target]
[%dns-bond for=ship him=ship turf]
[%dns-authority authority]
:: XX some other notification channel?
[%helm-send-hi ship (unit tape)]
==
+= card
$% [%tend wire ~]
[%wait wire @da]
[%poke wire dock poke]
[%rule wire %turf %put turf]
[%hiss wire [~ ~] %httr %hiss hiss:eyre]
==
:: +state: complete app state
::
+= state
@ -55,17 +59,16 @@
++ reserved
|= a=@if
^- ?
=/ b (rip 3 a)
?> ?=([@ @ @ @ ~] b)
?| :: 0.0.0.0/8 (software)
::
=(0 i.b)
:: 10.0.0.0/8 (private)
=/ b (flop (rip 3 a))
:: 0.0.0.0/8 (software)
::
?. ?=([@ @ @ @ ~] b) &
?| :: 10.0.0.0/8 (private)
::
=(10 i.b)
:: 100.64.0.0/10 (carrier-grade NAT)
::
&(=(100 i.b) (gte 64 i.t.b) (lte 127 i.t.b))
&(=(100 i.b) (gte i.t.b 64) (lte i.t.b 127))
:: 127.0.0.0/8 (localhost)
::
=(127 i.b)
@ -74,7 +77,7 @@
&(=(169 i.b) =(254 i.t.b))
:: 172.16.0.0/12 (private)
::
&(=(172 i.b) (gte 16 i.t.b) (lte 31 i.t.b))
&(=(172 i.b) (gte i.t.b 16) (lte i.t.b 31))
:: 192.0.0.0/24 (protocol assignment)
::
&(=(192 i.b) =(0 i.t.b) =(0 i.t.t.b))
@ -100,7 +103,7 @@
:: 240.0.0.0/4 (reserved, future)
:: 255.255.255.255/32 (broadcast)
::
(gte 224 i.b)
(gte i.b 224)
==
:: |gcloud: provider-specific functions
::
@ -192,6 +195,11 @@
=/ him=ship (slav %p i.t.wir)
?: =(200 p.rep)
abet:~(bind tell [him (~(get by per) him)])
:: cttp timeout
?: =(504 p.rep)
:: XX backoff, refactor
:_ this :_ ~
[ost.bow %wait wir (add now.bow ~m10)]
:: XX specific messages per status code
~& %direct-confirm-fail
abet:(~(fail tell [him (~(get by per) him)]) %failed-request)
@ -219,6 +227,16 @@
%- (slog saw)
abet:(~(fail tell [him (~(get by per) him)]) %crash)
==
:: +wake: timer callback
::
++ wake
|= [wir=wire ~]
^- (quip move _this)
?. ?=([%check @ ~] wir)
~& [%strange-wake wir]
[~ this]
=/ him=ship (slav %p i.t.wir)
abet:~(check tell [him (~(get by per) him)])
::
:: +poke-dns-authority: configure self as an authority
::
@ -259,9 +277,8 @@
?: =(for him)
~|(%bond-yoself !!)
?: =(our.bow him)
:: XX notify eyre/hood/acme etc
~& [%bound-us dom]
:- ~
:- [[ost.bow %rule /bound %turf %put dom] ~]
this(dom (~(put in ^dom) dom))
?: =(our.bow for)
~& [%bound-him him dom]
@ -281,6 +298,9 @@
++ rove
|= [wir=wire p=ship q=lane:ames]
^- (quip move _this)
:: XX move to %ames
?: =(our.bow p)
[~ this]
?. =(our.bow (sein:title p)) :: XX check will
~& [%rove-false p]
[~ this]
@ -404,9 +424,10 @@
[%direct %if u.adr]
?. ?| ?=(~ rel)
!=(tar tar.u.rel)
!bon.u.rel
==
this
=. rel `[wen=now.bow adr bon=| tar]
=. rel `[wen=now.bow adr bon=| try=0 tar]
?:(?=(%indirect -.tar) bind check)
:: +check: confirm %direct target is accessible
::
@ -416,6 +437,9 @@
?> ?=(%direct -.tar.u.rel)
?: (reserved p.tar.u.rel)
(fail %reserved-ip)
?: (gth try.u.rel 2)
(fail %unreachable)
=. try.u.rel +(try.u.rel)
=/ wir=wire
/check/(scot %p him)
=/ url=purl:eyre
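Review bot: In `++ reserved` the fallback `?. ?=([@ @ @ @ ~] b) &` is what now covers the removed explicit 0.0.0.0/8 arm: an address whose first octet is zero rips to fewer than four bytes (`rip` drops high zero bytes), so it is classified reserved without comment, and that deserves one, e.g. `:: fewer than four bytes means a leading zero octet (0.0.0.0/8): reserved`. The retry path is split across two hunks: the 504 arm sets a ten-minute `%wait` on the same wire, `++ wake` re-enters `++ check`, and `++ check` opens with `?> ?=(%direct -.tar.u.rel)`, so if a new `%indirect` bind (or a `rel` reset with `try=0`) lands while that timer is outstanding, the stale wake appears to crash the app on the assertion rather than drop quietly, unless a guard outside these hunks handles it; a `?.` that ignores a wake whose binding is no longer `%direct`, and cancelling the pending timer on rebind, would close that. The `(gth try.u.rel 2)` cap together with the increment means at most three probes per binding, which the `+check` comment should state. The bodies of `++ check` and the `%sigh` handler continue outside these hunks.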


@ -81,6 +81,7 @@
?: ?=($pawn myr)
[[%base %collections] [%base %hall] [%base %talk] [%base %dojo] ~]
:~ [%home %collections]
[%home %acme]
[%home %dns]
[%home %dojo]
[%home %hall]


@ -102,7 +102,7 @@
|= a/$@(@t purl) ^- hiss
(post-quay (parse-url a) oauth-callback+oauth-callback ~)
::
++ our-host .^(hart %e /(scot %p our)/host/fake)
++ our-host .^(hart %e /(scot %p our)/host/real)
++ oauth-callback
~& [%oauth-warning "Make sure this urbit ".
"is running on {(en-purl:html our-host `~ ~)}"]
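Review bot: `our-host` now comes from eyre's `/host/real` scry, which in this commit's eyre hunk resolves to `[%& n.dom]`, the root node of the established-domain set, or `/localhost` when the set is empty; the same change is made in the second oauth library (`++ our-host` above `++ redirect-uri`). An OAuth provider compares `redirect_uri` byte-for-byte against the registered value, so with more than one bound domain the host used here depends on set ordering rather than on which name the user registered, and it would be worth either documenting that only the first bound domain is meaningful for OAuth or letting callers pick the domain explicitly. The `%oauth-warning` text should also mention that the printed host is eyre's current primary domain and changes when bindings change.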


@ -101,7 +101,7 @@
%+ rap 3 :- (wack a)
(turn b |=(c/knot (cat 3 '_' (wack c))))
::
++ our-host .^(hart %e /(scot %p our)/host/fake)
++ our-host .^(hart %e /(scot %p our)/host/real)
++ redirect-uri
%- crip %- en-purl
%^ into-url:interpolate 'https://our-host/~/ac/:domain/:user/in'

mar/acme/order.hoon Normal file

@ -0,0 +1,9 @@
::
:::: /mar/acme/order/hoon
::
|_ a=(set (list @t))
++ grab
|%
++ noun (set (list @t))
--
--
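Review bot: The new mark has no comment saying what the set represents; from eyre's `$born` and `$turf` arms in this commit the payload is the complete set of domains eyre currently treats as established, re-sent in full whenever that set changes, so the header should say so, e.g. `:: %acme-order: full set of domains eyre serves; sent whole on every change, not as a delta`. Only a `++ grab` `++ noun` arm is defined, with no `++ grow` or `++ grad`; that is presumably enough for a poke-only mark, but a line stating that intent would stop the next reader from adding arms that are never exercised.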


@ -15,6 +15,7 @@
++ noun recoverable-error
++ httr
|= a/^httr ^- recoverable-error
~& [%recoverable-httr a]
~! a
?+ p.a ~|(non-recoverable+p.a !!)
$429 :+ p.a %rate-limit
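Review bot: The added `~& [%recoverable-httr a]` sits before the `?+` on `p.a`, so it prints the complete httr — status, every header and the body — for every response converted through this mark, not only recoverable ones, and the existing `~! a` already surfaces the value on the crash path. If the trace is still wanted, narrow it to the status code, `~& [%recoverable-httr p.a]`, or remove the line before merge; a debug printf in a mark fires on every conversion. The enclosing `++ httr` arm continues past the hunk.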


@ -53,6 +53,7 @@
$: wen=@da
wer=(unit @if)
bon=?
try=@ud
tar=target
==
--
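Review bot: `try=@ud` is inserted into the middle of a structure the dns app keeps in its state per binding (the app hunk builds it as `[wen=now.bow adr bon=| try=0 tar]`), so a ship already running the app holds stored values without this field; unless a `+prep` arm outside these hunks migrates the old shape, the app will not load after upgrade. A short comment on the field would also help, e.g. `try=@ud :: direct-target probes so far, capped in +check`.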


@ -85,7 +85,11 @@
-- ::
|% :: models
++ bolo :: eyre state
$: $0 :: version
$: $1 :: version
dom/(set (list @t)) :: domain names
fig/http-config :: config
por/{clr/@ud sek/(unit @ud)} :: live ports
wel/wank :: .well-known
gub/@t :: random identity
hov/(unit ship) :: master for remote
top/beam :: ford serve prefix
@ -173,6 +177,9 @@
{$html p/manx} :: successful page
{$htme p/manx} :: authentication fail
==
::
++ wank :: .well-known ankh
{p/(unit mime) q/(map @ta wank)}
-- ::
|%
++ eat-headers
@ -222,6 +229,25 @@
^- wall
(zing (turn tan |=(a/tank (wash 0^wid a))))
::
++ yank :: get .well-known
|= [wel=wank pat=path]
^- (unit mime)
?~ pat p.wel
=/ wan (~(get by q.wel) i.pat)
?~ wan ~
$(wel u.wan, pat t.pat)
::
++ dank :: put/del .well-known
|= [wel=wank pat=path mim=(unit mime)]
^- wank
?~ pat wel(p mim)
=/ wan (~(get by q.wel) i.pat)
?: &(?=(~ wan) ?=(~ mim))
wel
:- p.wel
%+ ~(put by q.wel)
i.pat
$(wel ?~(wan *wank u.wan), pat t.pat)
::
++ add-cookies
|= {cug/(list @t) hit/httr} ^- httr
@ -637,12 +663,44 @@
=. p.top our :: XX necessary?
?- -.kyz
$born
:: XX capture IPs too
=/ mod/(set (list @t))
%- ~(gas in *(set (list @t)))
%+ turn
(skim p.kyz |=(a=host ?=(%& -.a)))
|=(a=host ?>(?=(%& -.a) p.a))
=/ dif/(set (list @t)) (~(dif in mod) dom)
=? dom ?=(^ dif) (~(uni in dom) mod)
=? mow ?=(^ dif)
=/ cmd [%acme %poke `cage`[%acme-order !>(dom)]]
:_(mow [hen %pass /acme/order %g %deal [our our] cmd])
%= +>.$
ged hen :: register external
mow :_(mow [hen [%give %form [~ ?=(%king our) & &]]])
mow :_(mow [hen [%give %form fig]])
==
::
$live +>.$ :: XX save ports
$live
+>.$(clr.por p.kyz, sek.por q.kyz)
::
$rule
?- -.p.kyz
$cert
?: =(secure.fig p.p.kyz) +>.$
=. secure.fig p.p.kyz
+>.$(mow :_(mow [ged [%give %form fig]]))
::
$turf
=/ mod/(set (list @t))
?: ?=(%put p.p.kyz)
(~(put in dom) q.p.kyz)
(~(del in dom) q.p.kyz)
?: =(dom mod) +>.$
=/ cmd [%acme %poke `cage`[%acme-order !>(mod)]]
%= +>.$
dom mod
mow :_(mow [hen %pass /acme/order %g %deal [our our] cmd])
==
==
::
$serv
=< ~&([%serving (en-beam top)] .)
@ -653,6 +711,7 @@
::
$init :: register ownership
=. our ?~(hov p.kyz (min u.hov p.kyz))
=. fig [~ ?=(%king our) & &]
+>.$(hov [~ our], top [[our %home ud+0] /web])
::
?($chis $this) :: inbound request
@ -739,6 +798,9 @@
?~ p.lid +>.^$
(del-deps:$(p.lid t.p.lid) i.p.lid %& hen)
==
::
$well
+>.$(wel (dank wel p.kyz q.kyz))
::
$went
:: this won't happen until we send responses.
@ -802,12 +864,12 @@
[[%$ deps+!>(dep)] [%vale res]]
==
::
$not +>.$(mow :_(mow [ged [%give %that q.p.kyz p.u.mez q.u.mez]]))
$not +>.$(mow :_(mow [ged [%give %that q.p.kyz p.u.mez]]))
==
::
$wegh !! :: handled elsewhere
::
$wise (ames-gram p.kyz [%not ~] q.kyz r.kyz) :: proxy notification
$wise (ames-gram p.kyz [%not ~] q.kyz) :: proxy notification
==
::
::++ axom :: old response
@ -1228,6 +1290,11 @@
:~ 'User-agent: *'
'Disallow: '
==
::
{@tas $'.well-known' ^} :: XX file extension?
=/ mim (yank wel (tail q.pok))
?~ mim ~
`(resp 200 p.u.mim q.q.u.mim)
==
::
++ is-spur |(?~(q.pok & ((sane %ta) i.q.pok)))
@ -2094,10 +2161,14 @@
~
::
++ load :: take previous state
::|= * %. (bolo +<)
|= old/?(bolo) ^+ ..^$
=> |%
++ bolo-old (cork bolo |=(bolo [%0 |5.+<]))
--
|= old/?(bolo-old bolo)
^+ ..^$
?- -.old
$0 ..^$(+>- old)
$0 $(old [%1 ~ *http-config [8.080 ~] [~ ~] +.old])
$1 ..^$(+>- old)
==
::
++ scry
@ -2125,7 +2196,14 @@
?+ p.lot [~ ~]
{$tas $fake} ``[& [~ 8.443] %& /localhost] :: XX from unix
{$tas $real}
``~(our-host ye [`duct`~[/] [now eny our sky] ~] bol)
=/ hot=host [%& ?^(dom n.dom /localhost)]
=/ sek=? &(?=(^ sek.por) !?=(hoke hot))
=/ por=(unit @ud)
?. sek
?:(=(80 clr.por) ~ `clr.por)
?> ?=(^ sek.por)
?:(=(443 u.sek.por) ~ sek.por)
``[sek por hot]
==
==
::
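Review bot: In `++ load` the `$0` arm rebuilds the state positionally, `$(old [%1 ~ *http-config [8.080 ~] [~ ~] +.old])`, and nothing says which new `bolo` fields those four values stand for; a comment such as `:: %0 -> %1: prepend dom=~, fig=*http-config, por=[8.080 ~], wel=[~ ~]` would tie it to the field order declared in `++ bolo`. The `8.080` placeholder also feeds the new `/host/real` scry, which omits the port only when `clr.por` is exactly 80, so a migrated ship reports port 8080 in its real host until a `%live` task arrives; worth noting next to the default, or migrating with `[80 ~]` if that is the intended meaning of "unknown". The `$born` arm likewise unions every `%&` host from the runtime into `dom` and pokes `%acme-order` with no confirmation, and `dom` only ever shrinks via `%turf %del`; a one-line comment on `$born` stating that runtime-supplied hostnames are trusted as established would make that policy visible.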


@ -1222,12 +1222,14 @@
$nuke `%a
$ogre `%c
$perm `%c
$rule `%e
$serv `%e
$tend `%a
$them `%e
$wait `%b
$want `%a
$warp `%c
$well `%e
$wipe `%f :: XX cache clear
==
--


@ -669,7 +669,7 @@
[%mass p=mass] :: memory usage
[%mack p=(unit tang)] :: message ack
[%sigh p=cage] :: marked http response
[%that p=@p q=@ud r=?] :: get proxied request
[%that p=@p q=prox] :: get proxied request
[%thou p=httr] :: raw http response
[%thus p=@ud q=(unit hiss)] :: http request+cancel
[%veer p=@ta q=path r=@t] :: drop-through
@ -677,11 +677,12 @@
[%velo p=@t q=@t] :: drop-through
== ::
+= task :: in request ->$
$% [%born ~] :: new unix process
$% [%born p=(list host)] :: new unix process
[%crud p=@tas q=(list tank)] :: XX rethink
[%hiss p=(unit user) q=mark r=cage] :: outbound user req
[%init p=@p] :: report install
[%live p=@ud q=(unit @ud)] :: http/s ports
[%rule p=http-rule] :: update config
[%serv p=$@(desk beam)] :: set serving root
[%them p=(unit hiss)] :: outbound request
[%they p=@ud q=httr] :: inbound response
@ -689,9 +690,10 @@
[%this p=? q=clip r=httq] :: inbound request
[%thud ~] :: inbound cancel
[%wegh ~] :: report memory
[%well p=path q=(unit mime)] :: put/del .well-known
[%went p=sack q=path r=@ud s=coop] :: response confirm
[%west p=sack q=[path *]] :: network request
[%wise p=@p q=@ud r=?] :: proxy notification
[%wise p=ship q=prox] :: proxy notification
== ::
-- ::able
::
@ -729,7 +731,7 @@
[[%get-inner ~] p=@uvH q=mark r=coin s=beam] ::TODO details?
[[%got-inner ~] p=@uvH q=(each (cask) tang)] ::TODO details?
::
[[%not ~] p=@ud q=?] :: proxy notification
[[%not ~] p=prox] :: proxy notification
== ::
++ hart {p/? q/(unit @ud) r/host} :: http sec+port+host
++ hate {p/purl q/@p r/moth} :: semi-cooked request
@ -743,9 +745,9 @@
:: +http-config: full http-server configuration
::
+= http-config
$: :: secure: PEM-encoded RSA private key and certificate chain
$: :: secure: PEM-encoded RSA private key and cert or cert chain
::
secure=(unit [key=wain certificate=wain])
secure=(unit [key=wain cert=wain])
:: proxy: reverse TCP proxy HTTP(s)
::
proxy=?
@ -758,6 +760,16 @@
::
redirect=?
==
:: +http-rule: update configuration
::
+= http-rule
$% :: %cert: set or clear certificate and keypair
::
[%cert p=(unit [key=wain cert=wain])]
:: %turf: add or remove established dns binding
::
[%turf p=?(%put %del) q=(list @t)]
==
++ httq :: raw http request
$: p/meth :: method
q/@t :: unparsed url
@ -795,6 +807,22 @@
++ octs {p/@ud q/@t} :: octet-stream
++ oryx @t :: CSRF secret
++ pork {p/(unit @ta) q/(list @t)} :: fully parsed url
:: +prox: proxy notification
::
:: Used on both the proxy (ward) and upstream sides for
:: sending/receiving proxied-request notifications.
::
+= prox
$: :: por: tcp port
::
por=@ud
:: sek: secure?
::
sek=?
:: non: authentication nonce
::
non=@uvJ
==
++ purf (pair purl (unit @t)) :: url with fragment
++ purl {p/hart q/pork r/quay} :: parsed url
++ quay (list {p/@t q/@t}) :: parsed url query
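Review bot: `[%born p=(list host)]` keeps only the old `new unix process` comment, yet eyre's `$born` arm in this commit unions every `%&` entry of that list into its established-domain set and pokes the acme app to order certificates for them, so the type should state that contract: `[%born p=(list host)] :: new unix process; %& hosts are trusted as established domains`. `%cert` in `+http-rule` carries the private key, which eyre then retains in its state (`secure.fig`) and forwards to the runtime in `%form`; a note on that retention belongs at the `%cert` comment, since state persistence presumably includes the key. `non=@uvJ` in `+prox` is described only as `authentication nonce`, and nothing in this diff shows how it is produced or checked, so document its producer, consumer and lifetime where the type is introduced.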