ACME: HTTP-01 challenge solver implementation.

Author: bavshin-f5

src/acme/solvers.rs

@@ -4,6 +4,8 @@ use super::types::{Challenge, ChallengeKind};
 use super::AuthorizationContext;
 use crate::conf::identifier::Identifier;
 
+pub mod http;
+
 #[derive(Debug, Error)]
 #[error("challenge registration failed: {0}")]
 pub enum SolverError {

src/acme/solvers/http.rs

@@ -0,0 +1,164 @@
+use core::ptr;
+
+use nginx_sys::{
+    ngx_array_push, ngx_buf_t, ngx_chain_t, ngx_conf_t, ngx_http_discard_request_body,
+    ngx_http_finalize_request, ngx_http_handler_pt, ngx_http_output_filter,
+    ngx_http_phases_NGX_HTTP_POST_READ_PHASE, ngx_http_request_t,
+};
+use ngx::allocator::TryCloneIn;
+use ngx::collections::RbTreeMap;
+use ngx::core::{NgxStr, NgxString, SlabPool, Status};
+use ngx::http::HttpModuleMainConf;
+use ngx::sync::RwLock;
+use ngx::{http_request_handler, ngx_log_debug_http};
+
+use crate::acme;
+use crate::conf::identifier::Identifier;
+use crate::conf::AcmeMainConfig;
+
+use super::{ChallengeSolver, SolverError};
+
+/// Registers http-01 challenge handler.
+pub fn postconfiguration(cf: &mut ngx_conf_t, _amcf: &mut AcmeMainConfig) -> Result<(), Status> {
+    let cmcf = ngx::http::NgxHttpCoreModule::main_conf_mut(cf).expect("http core main conf");
+
+    // The handler needs to be set as early as possible, to ensure that it is not affected by the
+    // server configuration.
+    let h: *mut ngx_http_handler_pt = unsafe {
+        ngx_array_push(&mut cmcf.phases[ngx_http_phases_NGX_HTTP_POST_READ_PHASE as usize].handlers)
+    }
+    .cast();
+
+    if h.is_null() {
+        return Err(Status::NGX_ERROR);
+    }
+
+    unsafe { *h = Some(handler) };
+
+    Ok(())
+}
+
+pub type Http01SolverState<A> = RbTreeMap<NgxString<A>, NgxString<A>, A>;
+
+#[derive(Debug)]
+pub struct Http01Solver<'a>(&'a RwLock<Http01SolverState<SlabPool>>);
+
+impl<'a> Http01Solver<'a> {
+    pub fn new(inner: &'a RwLock<Http01SolverState<SlabPool>>) -> Self {
+        Self(inner)
+    }
+}
+
+impl ChallengeSolver for Http01Solver<'_> {
+    fn supports(&self, c: &acme::types::ChallengeKind) -> bool {
+        matches!(c, crate::acme::types::ChallengeKind::Http01)
+    }
+
+    fn register(
+        &self,
+        ctx: &acme::AuthorizationContext,
+        _identifier: &Identifier<&str>,
+        challenge: &acme::types::Challenge,
+    ) -> Result<(), SolverError> {
+        let alloc = self.0.read().allocator().clone();
+
+        let mut key_authorization = NgxString::new_in(alloc.clone());
+        key_authorization.try_reserve_exact(challenge.token.len() + ctx.thumbprint.len() + 1)?;
+        // write to a preallocated buffer of a sufficient size should succeed
+        let _ = key_authorization.append_within_capacity(challenge.token.as_bytes());
+        let _ = key_authorization.append_within_capacity(b".");
+        let _ = key_authorization.append_within_capacity(ctx.thumbprint);
+        let token = NgxString::try_from_bytes_in(&challenge.token, alloc)?;
+        self.0.write().try_insert(token, key_authorization)?;
+        Ok(())
+    }
+
+    fn unregister(
+        &self,
+        _identifier: &Identifier<&str>,
+        challenge: &acme::types::Challenge,
+    ) -> Result<(), SolverError> {
+        self.0.write().remove(challenge.token.as_bytes());
+        Ok(())
+    }
+}
+
+http_request_handler!(handler, |r: &mut ngx::http::Request| {
+    if r.method() != ngx::http::Method::GET {
+        return Status::NGX_DECLINED;
+    }
+
+    let amcf = crate::HttpAcmeModule::main_conf(r).expect("acme config");
+    let Some(amsh) = amcf.data else {
+        return Status::NGX_DECLINED;
+    };
+
+    let Some(token) = r
+        .path()
+        .as_bytes()
+        .strip_prefix(b"/.well-known/acme-challenge/")
+    else {
+        return Status::NGX_DECLINED;
+    };
+
+    let token = NgxStr::from_bytes(token);
+
+    let key_auth = if let Some(resp) = amsh.http_01_state.read().get(token) {
+        resp.try_clone_in(r.pool())
+    } else {
+        ngx_log_debug_http!(r, "acme/http-01: no challenge registered for {token}");
+        return Status::NGX_DECLINED;
+    };
+
+    let Ok(key_auth) = key_auth else {
+        return Status::NGX_ERROR;
+    };
+
+    ngx_log_debug_http!(r, "acme/http-01: challenge for {token}");
+
+    let rc = Status(unsafe { ngx_http_discard_request_body(r.as_mut()) });
+    if rc != Status::NGX_OK {
+        return rc;
+    }
+
+    r.set_status(ngx::http::HTTPStatus::OK);
+
+    r.set_content_length_n(key_auth.len());
+    if r.add_header_out("connection", "close").is_none()
+        || r.add_header_out("content-type", "text/plain").is_none()
+    {
+        return Status::NGX_ERROR;
+    }
+
+    let rc = r.send_header();
+    if rc == Status::NGX_ERROR || rc > Status::NGX_OK {
+        return rc;
+    }
+
+    let buf: *mut ngx_buf_t = r.pool().calloc_type();
+    if buf.is_null() {
+        return Status::NGX_ERROR;
+    }
+
+    let (p, len, _, _) = key_auth.into_raw_parts();
+
+    unsafe {
+        (*buf).set_memory(1);
+        (*buf).set_last_buf(if r.is_main() { 1 } else { 0 });
+        (*buf).set_last_in_chain(1);
+        (*buf).start = p;
+        (*buf).end = p.add(len);
+        (*buf).pos = (*buf).start;
+        (*buf).last = (*buf).end;
+    }
+
+    let mut chain = ngx_chain_t {
+        buf,
+        next: ptr::null_mut(),
+    };
+
+    let r: *mut ngx_http_request_t = r.into();
+    unsafe { ngx_http_finalize_request(r, ngx_http_output_filter(r, &mut chain)) }
+
+    Status::NGX_DONE
+});

src/lib.rs

@@ -104,6 +104,12 @@ impl HttpModule for HttpAcmeModule {
             return e.into();
         }
 
+        /* http-01 challenge handler */
+
+        if let Err(err) = acme::solvers::http::postconfiguration(cf, amcf) {
+            return err.into();
+        };
+
         Status::NGX_OK.into()
     }
 }
@@ -203,7 +209,7 @@ async fn ngx_http_acme_update_certificates(amcf: &AcmeMainConfig) -> Time {
 }
 
 async fn ngx_http_acme_update_certificates_for_issuer(
-    _amcf: &AcmeMainConfig,
+    amcf: &AcmeMainConfig,
     issuer: &conf::issuer::Issuer,
 ) -> anyhow::Result<Time> {
     let log = ngx_cycle_log();
@@ -216,6 +222,11 @@ async fn ngx_http_acme_update_certificates_for_issuer(
     );
     let mut client = AcmeClient::new(http, issuer, log)?;
 
+    let amsh = amcf.data.expect("acme shared data");
+
+    let http_solver = acme::solvers::http::Http01Solver::new(&amsh.http_01_state);
+    client.add_solver(http_solver);
+
     let mut next = Time::MAX;
 
     for (order, cert) in issuer.orders.iter() {

src/state.rs

@@ -10,6 +10,7 @@ use ngx::log::ngx_cycle_log;
 use ngx::sync::RwLock;
 use ngx::{ngx_log_debug, ngx_log_error};
 
+use crate::acme;
 use crate::conf::shared_zone::SharedZone;
 use crate::conf::AcmeMainConfig;
 
@@ -25,15 +26,18 @@ where
     A: Allocator + Clone,
 {
     pub issuers: Queue<RwLock<IssuerContext>, A>,
+    pub http_01_state: RwLock<acme::solvers::http::Http01SolverState<A>>,
 }
 
 impl<A> AcmeSharedData<A>
 where
     A: Allocator + Clone,
 {
     pub fn try_new_in(alloc: A) -> Result<Self, AllocError> {
+        let http_01_state = acme::solvers::http::Http01SolverState::try_new_in(alloc.clone())?;
         Ok(Self {
             issuers: Queue::try_new_in(alloc)?,
+            http_01_state: RwLock::new(http_01_state),
         })
     }
 }