fixup! ACME: certificate issue and renewal implementation.

Author: bavshin-f5

src/acme.rs

@@ -2,7 +2,6 @@ use core::cell::RefCell;
 use core::ptr::NonNull;
 use core::time::Duration;
 use std::collections::VecDeque;
-use std::io;
 use std::string::{String, ToString};
 
 use anyhow::{anyhow, Result};
@@ -30,7 +29,6 @@ pub mod types;
 const DEFAULT_RETRY_INTERVAL: Duration = Duration::from_secs(1);
 static REPLAY_NONCE: http::HeaderName = http::HeaderName::from_static("replay-nonce");
 
-#[derive(Debug)]
 pub struct NewCertificateOutput {
     pub chain: Bytes,
     pub x509: Vec<X509>,
@@ -64,12 +62,12 @@ impl NoncePool {
     }
 
     pub fn add(&self, nonce: String) {
-        self.0.borrow_mut().push_back(nonce.to_string());
+        self.0.borrow_mut().push_back(nonce);
     }
 
     pub fn add_from_response<T>(&self, res: &http::Response<T>) {
         if let Some(nonce) = try_get_header(res.headers(), &REPLAY_NONCE) {
-            self.0.borrow_mut().push_back(nonce.to_string());
+            self.add(nonce.to_string());
         }
     }
 }
@@ -130,51 +128,6 @@ where
             .map(String::from)
     }
 
-    pub async fn poll<T, P, F>(
-        &self,
-        url: &Uri,
-        payload: P,
-        mut tries: usize,
-        predicate: F,
-    ) -> Result<T>
-    where
-        T: serde::de::DeserializeOwned,
-        P: AsRef<[u8]>,
-        F: Fn(&T) -> bool,
-    {
-        loop {
-            let res = self.post(url, &payload).await?;
-
-            let retry_after = res
-                .headers()
-                .get(http::header::RETRY_AFTER)
-                .and_then(parse_retry_after)
-                .unwrap_or(DEFAULT_RETRY_INTERVAL);
-
-            let result = serde_json::from_slice(res.body())?;
-
-            if predicate(&result) {
-                return Ok(result);
-            }
-
-            tries -= 1;
-            if tries == 0 {
-                return Err(io::Error::from(io::ErrorKind::TimedOut).into());
-            }
-
-            sleep(retry_after).await;
-        }
-    }
-
-    pub async fn post_json<T: serde::de::DeserializeOwned, P: AsRef<[u8]>>(
-        &self,
-        url: &Uri,
-        payload: P,
-    ) -> Result<T> {
-        let res = self.post(url, payload).await?;
-        Ok(serde_json::from_slice(res.body())?)
-    }
-
     pub async fn get(&self, url: &Uri) -> Result<http::Response<Bytes>> {
         let req = http::Request::builder()
             .uri(url)
@@ -238,12 +191,6 @@ where
                 .ok_or(anyhow!("no nonce in response"))?
                 .to_string();
 
-            let retry_after = res
-                .headers()
-                .get(http::header::RETRY_AFTER)
-                .and_then(parse_retry_after)
-                .unwrap_or(DEFAULT_RETRY_INTERVAL);
-
             let err: types::Problem = serde_json::from_slice(res.body())?;
 
             let retriable = matches!(
@@ -257,7 +204,8 @@ where
             }
 
             fails += 1;
-            sleep(retry_after).await;
+
+            wait_for_retry(&res).await;
             ngx_log_debug!(self.log.as_ptr(), "retrying: {} of 3", fails + 1);
         };
 
@@ -339,7 +287,8 @@ where
 
         let mut authorizations: Vec<(http::Uri, types::Authorization)> = Vec::new();
         for auth_url in order.authorizations {
-            let mut authorization: types::Authorization = self.post_json(&auth_url, &[]).await?;
+            let res = self.post(&auth_url, b"").await?;
+            let mut authorization: types::Authorization = serde_json::from_slice(res.body())?;
 
             authorization
                 .challenges
@@ -379,8 +328,8 @@ where
             self.do_authorization(&order, url, authorization).await?;
         }
 
-        let mut bytes = self.post(&order_url, &[]).await?.into_body();
-        let mut order: types::Order = serde_json::from_slice(&bytes)?;
+        let mut res = self.post(&order_url, b"").await?;
+        let mut order: types::Order = serde_json::from_slice(res.body())?;
 
         if order.status != OrderStatus::Ready {
             anyhow::bail!("not ready");
@@ -390,10 +339,10 @@ where
         let payload = std::format!(r#"{{"csr":"{}"}}"#, crate::jws::base64url(csr));
 
         match self.post(&order.finalize, payload).await {
-            Ok(res) => {
+            Ok(x) => {
                 drop(order);
-                bytes = res.into_body();
-                order = serde_json::from_slice(&bytes)?;
+                res = x;
+                order = serde_json::from_slice(res.body())?;
             }
             Err(err) => {
                 if !err.to_string().contains("orderNotReady") {
@@ -403,25 +352,20 @@ where
             }
         };
 
-        let mut retry_after = DEFAULT_RETRY_INTERVAL;
+        let mut tries = 10;
 
-        while order.status == OrderStatus::Processing {
-            sleep(retry_after).await;
+        while order.status == OrderStatus::Processing && tries > 0 {
+            tries -= 1;
+            wait_for_retry(&res).await;
 
-            let res = self.post(&order_url, &[]).await?;
-            retry_after = res
-                .headers()
-                .get(http::header::RETRY_AFTER)
-                .and_then(parse_retry_after)
-                .unwrap_or(DEFAULT_RETRY_INTERVAL);
             drop(order);
-            bytes = res.into_body();
-            order = serde_json::from_slice(&bytes)?;
+            res = self.post(&order_url, b"").await?;
+            order = serde_json::from_slice(res.body())?;
         }
 
-        let certificate = order.certificate.ok_or(anyhow!("certifcate not ready"))?;
+        let certificate = order.certificate.ok_or(anyhow!("certificate not ready"))?;
 
-        let chain = self.post(&certificate, &[]).await?.into_body();
+        let chain = self.post(&certificate, b"").await?.into_body();
 
         // FIXME: avoid reallocation from std::vec::Vec.
         let x509 = Vec::from_iter(X509::stack_from_pem(&chain)?);
@@ -453,8 +397,19 @@ where
 
         result?;
 
-        let is_ready = |x: &types::Authorization| x.status != AuthorizationStatus::Pending;
-        let result = self.poll(&url, b"", 5, is_ready).await?;
+        let mut tries = 10;
+
+        let result = loop {
+            let res = self.post(&url, b"").await?;
+            let result: types::Authorization = serde_json::from_slice(res.body())?;
+
+            if result.status != AuthorizationStatus::Pending || tries == 0 {
+                break result;
+            }
+
+            tries -= 1;
+            wait_for_retry(&res).await;
+        };
 
         ngx_log_debug!(
             self.log.as_ptr(),
@@ -476,14 +431,9 @@ where
         identifier: &Identifier<&str>,
         challenge: &types::Challenge,
     ) -> Result<()> {
-        fn is_ready(x: &types::Challenge) -> bool {
-            !matches!(
-                x.status,
-                ChallengeStatus::Pending | ChallengeStatus::Processing,
-            )
-        }
+        let res = self.post(&challenge.url, b"").await?;
+        let result: types::Challenge = serde_json::from_slice(res.body())?;
 
-        let result: types::Challenge = self.post_json(&challenge.url, b"").await?;
         // Previous challenge result is still valid.
         // Should not happen as we already skip valid authorizations.
         if result.status == ChallengeStatus::Valid {
@@ -494,11 +444,25 @@ where
             .ok_or(anyhow!("no solver for {:?}", challenge.kind))?
             .register(ctx, identifier, challenge)?;
 
-        let result: types::Challenge = self.post_json(&challenge.url, b"{}").await?;
-        let result = if is_ready(&result) {
-            result
-        } else {
-            self.poll(&challenge.url, b"", 10, is_ready).await?
+        // "{}" in request payload initiates the challenge, "" checks the status.
+        let mut payload: &[u8] = b"{}";
+        let mut tries = 10;
+
+        let result = loop {
+            let res = self.post(&challenge.url, payload).await?;
+            let result: types::Challenge = serde_json::from_slice(res.body())?;
+
+            if !matches!(
+                result.status,
+                ChallengeStatus::Pending | ChallengeStatus::Processing,
+            ) || tries == 0
+            {
+                break result;
+            }
+
+            tries -= 1;
+            payload = b"";
+            wait_for_retry(&res).await;
         };
 
         if result.status != ChallengeStatus::Valid {
@@ -547,7 +511,17 @@ pub fn make_certificate_request(
     Ok(req.build())
 }
 
-pub fn parse_retry_after(val: &http::HeaderValue) -> Option<Duration> {
+/// Waits until the next retry attempt is allowed.
+async fn wait_for_retry<B>(res: &http::Response<B>) {
+    let retry_after = res
+        .headers()
+        .get(http::header::RETRY_AFTER)
+        .and_then(parse_retry_after)
+        .unwrap_or(DEFAULT_RETRY_INTERVAL);
+    sleep(retry_after).await
+}
+
+fn parse_retry_after(val: &http::HeaderValue) -> Option<Duration> {
     let val = val.to_str().ok()?;
 
     // Retry-After: <http-date>