[
https://issues.apache.org/jira/browse/TS-4320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15237267#comment-15237267
]
ASF GitHub Bot commented on TS-4320:
------------------------------------
Github user jpeach commented on a diff in the pull request:
https://github.com/apache/trafficserver/pull/560#discussion_r59386188
--- Diff: plugins/experimental/acme/acme.c ---
@@ -0,0 +1,347 @@
+/** @file
+
+@section license
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <getopt.h>
+#include <sys/stat.h>
+
+#include "ts/ts.h"
+#include "ts/ink_platform.h"
+#include "ts/ink_defs.h"
+
+static const char PLUGIN_NAME[] = "acme";
+static const char ACME_WK_PATH[] = ".well-known/acme-challenge/";
+static const char ACME_OK_RESP[] = "HTTP/1.1 200 OK\r\nContent-Type:
application/jose\r\nCache-Control: no-cache\r\n";
+static const char ACME_DENIED_RESP[] = "HTTP/1.1 404 Not
Found\r\nContent-Type: application/jose\r\nCache-Control: no-cache\r\n";
+
+#define MAX_PATH_LEN 4096
+
+/* This should hold all configurations going forward. */
+typedef struct AcmeConfig_t {
+ char *proof;
+} AcmeConfig;
+AcmeConfig gConfig;
+
+/* State used for the intercept plugin. ToDo: Can this be improved ? */
+typedef struct AcmeState_t {
+ TSVConn net_vc;
+ TSVIO read_vio;
+ TSVIO write_vio;
+
+ TSIOBuffer req_buffer;
+ TSIOBuffer resp_buffer;
+ TSIOBufferReader resp_reader;
+
+ int output_bytes;
+ int fd;
+ struct stat stat_buf;
+} AcmeState;
+
+
+inline static AcmeState *
+make_acme_state()
+{
+ AcmeState *state = (AcmeState *)TSmalloc(sizeof(AcmeState));
+
+ memset(state, 0, sizeof(AcmeState));
+ state->fd = -1;
+
+ return state;
+}
+
+/* Create a safe pathname to the proof-type file, the destination must be
sufficiently large. */
+static int
+make_absolute_path(char *dest, int dest_len, const char *file, int
file_len)
+{
+ int i;
+
+ for (i = 0; i < file_len; ++i) {
+ char c = file[i];
+
+ /* Assure that only Base64-URL chracter are in the path */
+ if (!(c == 45 || c == 95 || (c >= 48 && c <= 57) || (c >= 65 && c <=
90) || (c >= 97 && c <= 122))) {
+ TSDebug(PLUGIN_NAME, "Invalid Base64 character found, error");
+ return 0;
+ }
+ }
+
+ return snprintf(dest, dest_len - 1, "%s/%.*s", gConfig.proof, file_len,
file);
+}
+
+static void
+open_acme_file(AcmeState *state, const char *file, int file_len)
+{
+ char fname[MAX_PATH_LEN];
+ int len = make_absolute_path(fname, MAX_PATH_LEN - 1, file, file_len);
+
+ /* 1. Make sure the filename is reasonable */
+ if (!len || (len >= (MAX_PATH_LEN - 1))) {
+ TSDebug(PLUGIN_NAME, "invalid filename");
+ return;
+ }
+
+ /* 2. Open and stat() the file */
+ state->fd = open(fname, O_RDONLY);
+ if (-1 == state->fd) {
+ TSDebug(PLUGIN_NAME, "can not open file %s", fname);
+ return;
+ } else if (fstat(state->fd, &state->stat_buf)) {
+ TSDebug(PLUGIN_NAME, "can not stat() file %s", fname);
+ close(state->fd);
+ state->fd = -1;
+
+ return;
+ }
+
+ TSDebug(PLUGIN_NAME, "opened filename of %s for read()", fname);
+ return;
+}
+
+
+/* Cleanup after intercept has completed */
+static void
+cleanup(TSCont contp, AcmeState *my_state)
+{
+ if (my_state->req_buffer) {
+ TSIOBufferDestroy(my_state->req_buffer);
+ my_state->req_buffer = NULL;
+ }
+
+ if (my_state->resp_buffer) {
+ TSIOBufferDestroy(my_state->resp_buffer);
+ my_state->resp_buffer = NULL;
+ }
+
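Review bot: open_acme_file() keeps any descriptor that open() returns without confirming it refers to a regular file, and make_absolute_path() accepts file_len == 0, so a request for the bare challenge prefix resolves to gConfig.proof itself; on Linux open(O_RDONLY) on a directory succeeds and fstat() succeeds, so whatever later consumes state->fd (outside this hunk) receives a directory descriptor. The length check in open_acme_file() also misses a negative snprintf() return, since `!len` only catches zero. Suggested lines: in make_absolute_path() before the loop `if (file_len <= 0) { return 0; }`, in open_acme_file() `if (len <= 0 || (len >= (MAX_PATH_LEN - 1))) {`, and `} else if (fstat(state->fd, &state->stat_buf) || !S_ISREG(state->stat_buf.st_mode)) {` so that non-regular files are closed on the existing error path. The caller that derives file_len from the request path is not in this hunk, so the empty-token case may already be rejected there; worth confirming.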
--- End diff --
Close the file descriptor?
> Implement a letsencrypt / ACME plugin for ATS
> ---------------------------------------------
>
> Key: TS-4320
> URL: https://issues.apache.org/jira/browse/TS-4320
> Project: Traffic Server
> Issue Type: New Feature
> Components: Plugins
> Reporter: Leif Hedstrom
> Assignee: Phil Sorber
> Fix For: 6.2.0
>
>
> We should implement the ACME protocols as part of the letsencrypt services
> for ATS. This allows easier (zero work) TLS setup when configuring a web
> server based on ATS.