jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

merge userdb.js into users.js

Browse Source
This commit is contained in:
Girish Ramakrishnan
2021-07-15 09:50:11 -07:00
parent 2840bba4bf
commit a1c61facdc
27 changed files with 1021 additions and 1456 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
src/reverseproxy.js
View File

@@ -66,34 +66,29 @@ function nginxLocation(s) {
return `~ ^(?!(${re.slice(1)}))`; // negative regex assertion - https://stackoverflow.com/questions/16302897/nginx-location-not-equal-to-regex
}
function getAcmeApi(domainObject, callback) {
async function getAcmeApi(domainObject) {
assert.strictEqual(typeof domainObject, 'object');
assert.strictEqual(typeof callback, 'function');
const api = acme2;
const acmeApi = acme2;
let options = { prod: false, performHttpAuthorization: false, wildcard: false, email: '' };
options.prod = domainObject.tlsConfig.provider.match(/.*-prod/) !== null; // matches 'le-prod' or 'letsencrypt-prod'
options.performHttpAuthorization = domainObject.provider.match(/noop|manual|wildcard/) !== null;
options.wildcard = !!domainObject.tlsConfig.wildcard;
let apiOptions = { prod: false, performHttpAuthorization: false, wildcard: false, email: '' };
apiOptions.prod = domainObject.tlsConfig.provider.match(/.*-prod/) !== null; // matches 'le-prod' or 'letsencrypt-prod'
apiOptions.performHttpAuthorization = domainObject.provider.match(/noop|manual|wildcard/) !== null;
apiOptions.wildcard = !!domainObject.tlsConfig.wildcard;
// registering user with an email requires A or MX record (https://github.com/letsencrypt/boulder/issues/1197)
// we cannot use admin@fqdn because the user might not have set it up.
// we simply update the account with the latest email we have each time when getting letsencrypt certs
// https://github.com/ietf-wg-acme/acme/issues/30
users.getOwner(function (error, owner) {
options.email = error ? 'webmaster@cloudron.io' : owner.email; // can error if not activated yet
const [error, owner] = await safe(users.getOwner());
apiOptions.email = error ? 'webmaster@cloudron.io' : owner.email; // can error if not activated yet
const blobGet = util.callbackify(blobs.get);
blobGet(blobs.ACME_ACCOUNT_KEY, function (error, accountKeyPem) {
if (error) return callback(error);
if (!accountKeyPem) return callback(new BoxError(BoxError.NOT_FOUND, 'acme account key not found'));
const accountKeyPem = await blobs.get(blobs.ACME_ACCOUNT_KEY);
if (!accountKeyPem) throw new BoxError(BoxError.NOT_FOUND, 'acme account key not found');
options.accountKeyPem = accountKeyPem;
apiOptions.accountKeyPem = accountKeyPem;
callback(null, api, options);
});
});
return { acmeApi, apiOptions };
}
function getExpiryDate(certFilePath) {
@@ -417,43 +412,41 @@ function ensureCertificate(vhost, domain, auditSource, callback) {
return callback(null, getFallbackCertificatePathSync(domain), { renewed: false });
}
getAcmeApi(domainObject, async function (error, acmeApi, apiOptions) {
if (error) return callback(error);
let notAfter = null;
const { acmeApi, apiOptions } = getAcmeApi(domainObject);
let notAfter = null;
const [, currentBundle] = await safe(checkAcmeCertificate(vhost, domainObject));
if (currentBundle) {
debug(`ensureCertificate: ${vhost} certificate already exists at ${currentBundle.keyFilePath}`);
notAfter = getExpiryDate(currentBundle.certFilePath);
const isExpiring = (notAfter - new Date()) <= (30 * 24 * 60 * 60 * 1000); // expiring in a month
if (!isExpiring && providerMatchesSync(domainObject, currentBundle.certFilePath, apiOptions)) return callback(null, currentBundle, { renewed: false });
debug(`ensureCertificate: ${vhost} cert requires renewal`);
} else {
debug(`ensureCertificate: ${vhost} cert does not exist`);
const [, currentBundle] = await safe(checkAcmeCertificate(vhost, domainObject));
if (currentBundle) {
debug(`ensureCertificate: ${vhost} certificate already exists at ${currentBundle.keyFilePath}`);
notAfter = getExpiryDate(currentBundle.certFilePath);
const isExpiring = (notAfter - new Date()) <= (30 * 24 * 60 * 60 * 1000); // expiring in a month
if (!isExpiring && providerMatchesSync(domainObject, currentBundle.certFilePath, apiOptions)) return callback(null, currentBundle, { renewed: false });
debug(`ensureCertificate: ${vhost} cert requires renewal`);
} else {
debug(`ensureCertificate: ${vhost} cert does not exist`);
}
debug('ensureCertificate: getting certificate for %s with options %j', vhost, _.omit(apiOptions, 'accountKeyPem'));
const acmePaths = getAcmeCertificatePathSync(vhost, domainObject);
acmeApi.getCertificate(vhost, domain, acmePaths, apiOptions, async function (error) {
debug(`ensureCertificate: error: ${error ? error.message : 'null'} cert: ${acmePaths.certFilePath || 'null'}`);
await safe(eventlog.add(currentBundle ? eventlog.ACTION_CERTIFICATE_RENEWAL : eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: vhost, errorMessage: error ? error.message : '', notAfter }));
if (error && currentBundle && (notAfter - new Date() > 0)) { // still some life left in this certificate
debug('ensureCertificate: continue using existing bundle since renewal failed');
return callback(null, currentBundle, { renewed: false });
}
debug('ensureCertificate: getting certificate for %s with options %j', vhost, _.omit(apiOptions, 'accountKeyPem'));
if (!error) {
[error] = await safe(updateCertBlobs(vhost, domainObject));
if (!error) return callback(null, { certFilePath: acmePaths.certFilePath, keyFilePath: acmePaths.keyFilePath }, { renewed: true });
}
const acmePaths = getAcmeCertificatePathSync(vhost, domainObject);
acmeApi.getCertificate(vhost, domain, acmePaths, apiOptions, async function (error) {
debug(`ensureCertificate: error: ${error ? error.message : 'null'} cert: ${acmePaths.certFilePath || 'null'}`);
debug(`ensureCertificate: renewal of ${vhost} failed. using fallback certificates for ${domain}`);
await safe(eventlog.add(currentBundle ? eventlog.ACTION_CERTIFICATE_RENEWAL : eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: vhost, errorMessage: error ? error.message : '', notAfter }));
if (error && currentBundle && (notAfter - new Date() > 0)) { // still some life left in this certificate
debug('ensureCertificate: continue using existing bundle since renewal failed');
return callback(null, currentBundle, { renewed: false });
}
if (!error) {
[error] = await safe(updateCertBlobs(vhost, domainObject));
if (!error) return callback(null, { certFilePath: acmePaths.certFilePath, keyFilePath: acmePaths.keyFilePath }, { renewed: true });
}
debug(`ensureCertificate: renewal of ${vhost} failed. using fallback certificates for ${domain}`);
callback(null, getFallbackCertificatePathSync(domain), { renewed: false });
});
callback(null, getFallbackCertificatePathSync(domain), { renewed: false });
});
});
}
@@ -737,7 +730,7 @@ function renewCerts(options, auditSource, progressCallback, callback) {
if (renewed.length === 0) return callback(null);
async.series([
(next) => { if (renewed.includes(settings.mailFqdn())) mail.handleCertChanged(next); else next(); }, // mail cert renewed
async () => { if (renewed.includes(settings.mailFqdn())) await mail.handleCertChanged(); }, // mail cert renewed
reload, // reload nginx if any certs were updated but the config was not rewritten
(next) => { // restart tls apps on cert change
const tlsApps = allApps.filter(app => app.manifest.addons && app.manifest.addons.tls && renewed.includes(app.fqdn));