rewrite api package

api/acme/acme.go

@@ -0,0 +1,28 @@
+// Package acme abstracts away various ACME libraries
+package acme
+
+import (
+	"crypto/tls"
+	"errors"
+	"net"
+)
+
+var (
+	// ErrProviderNotImplemented can be returned when attempting to
+	// instantiate an unimplemented provider
+	ErrProviderNotImplemented = errors.New("Provider not implemented")
+)
+
+// Provider is a ACME provider interface
+type Provider interface {
+	// Listen returns a new listener
+	Listen(...string) (net.Listener, error)
+	// TLSConfig returns a tls config
+	TLSConfig(...string) (*tls.Config, error)
+}
+
+// The Let's Encrypt ACME endpoints
+const (
+	LetsEncryptStagingCA    = "https://acme-staging-v02.api.letsencrypt.org/directory"
+	LetsEncryptProductionCA = "https://acme-v02.api.letsencrypt.org/directory"
+)

api/acme/autocert/autocert.go

@@ -0,0 +1,46 @@
+// Package autocert is the ACME provider from golang.org/x/crypto/acme/autocert
+// This provider does not take any config.
+package autocert
+
+import (
+	"crypto/tls"
+	"net"
+	"os"
+
+	"github.com/micro/go-micro/v3/api/acme"
+	"github.com/micro/go-micro/v3/logger"
+	"golang.org/x/crypto/acme/autocert"
+)
+
+// autoCertACME is the ACME provider from golang.org/x/crypto/acme/autocert
+type autocertProvider struct{}
+
+// Listen implements acme.Provider
+func (a *autocertProvider) Listen(hosts ...string) (net.Listener, error) {
+	return autocert.NewListener(hosts...), nil
+}
+
+// TLSConfig returns a new tls config
+func (a *autocertProvider) TLSConfig(hosts ...string) (*tls.Config, error) {
+	// create a new manager
+	m := &autocert.Manager{
+		Prompt: autocert.AcceptTOS,
+	}
+	if len(hosts) > 0 {
+		m.HostPolicy = autocert.HostWhitelist(hosts...)
+	}
+	dir := cacheDir()
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		if logger.V(logger.InfoLevel, logger.DefaultLogger) {
+			logger.Infof("warning: autocert not using a cache: %v", err)
+		}
+	} else {
+		m.Cache = autocert.DirCache(dir)
+	}
+	return m.TLSConfig(), nil
+}
+
+// New returns an autocert acme.Provider
+func NewProvider() acme.Provider {
+	return &autocertProvider{}
+}

api/acme/autocert/autocert_test.go

@@ -0,0 +1,16 @@
+package autocert
+
+import (
+	"testing"
+)
+
+func TestAutocert(t *testing.T) {
+	l := NewProvider()
+	if _, ok := l.(*autocertProvider); !ok {
+		t.Error("NewProvider() didn't return an autocertProvider")
+	}
+	// TODO: Travis CI doesn't let us bind :443
+	// if _, err := l.NewListener(); err != nil {
+	// 	t.Error(err.Error())
+	// }
+}

api/acme/autocert/cache.go

@@ -0,0 +1,37 @@
+package autocert
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+)
+
+func homeDir() string {
+	if runtime.GOOS == "windows" {
+		return os.Getenv("HOMEDRIVE") + os.Getenv("HOMEPATH")
+	}
+	if h := os.Getenv("HOME"); h != "" {
+		return h
+	}
+	return "/"
+}
+
+func cacheDir() string {
+	const base = "golang-autocert"
+	switch runtime.GOOS {
+	case "darwin":
+		return filepath.Join(homeDir(), "Library", "Caches", base)
+	case "windows":
+		for _, ev := range []string{"APPDATA", "CSIDL_APPDATA", "TEMP", "TMP"} {
+			if v := os.Getenv(ev); v != "" {
+				return filepath.Join(v, base)
+			}
+		}
+		// Worst case:
+		return filepath.Join(homeDir(), base)
+	}
+	if xdg := os.Getenv("XDG_CACHE_HOME"); xdg != "" {
+		return filepath.Join(xdg, base)
+	}
+	return filepath.Join(homeDir(), ".cache", base)
+}

api/acme/certmagic/certmagic.go

@@ -0,0 +1,68 @@
+// Package certmagic is the ACME provider from github.com/caddyserver/certmagic
+package certmagic
+
+import (
+	"crypto/tls"
+	"math/rand"
+	"net"
+	"time"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/micro/go-micro/v3/api/acme"
+	"github.com/micro/go-micro/v3/logger"
+)
+
+type certmagicProvider struct {
+	opts acme.Options
+}
+
+// TODO: set self-contained options
+func (c *certmagicProvider) setup() {
+	certmagic.DefaultACME.CA = c.opts.CA
+	if c.opts.ChallengeProvider != nil {
+		// Enabling DNS Challenge disables the other challenges
+		certmagic.DefaultACME.DNSProvider = c.opts.ChallengeProvider
+	}
+	if c.opts.OnDemand {
+		certmagic.Default.OnDemand = new(certmagic.OnDemandConfig)
+	}
+	if c.opts.Cache != nil {
+		// already validated by new()
+		certmagic.Default.Storage = c.opts.Cache.(certmagic.Storage)
+	}
+	// If multiple instances of the provider are running, inject some
+	// randomness so they don't collide
+	// RenewalWindowRatio [0.33 - 0.50)
+	rand.Seed(time.Now().UnixNano())
+	randomRatio := float64(rand.Intn(17)+33) * 0.01
+	certmagic.Default.RenewalWindowRatio = randomRatio
+}
+
+func (c *certmagicProvider) Listen(hosts ...string) (net.Listener, error) {
+	c.setup()
+	return certmagic.Listen(hosts)
+}
+
+func (c *certmagicProvider) TLSConfig(hosts ...string) (*tls.Config, error) {
+	c.setup()
+	return certmagic.TLS(hosts)
+}
+
+// NewProvider returns a certmagic provider
+func NewProvider(options ...acme.Option) acme.Provider {
+	opts := acme.DefaultOptions()
+
+	for _, o := range options {
+		o(&opts)
+	}
+
+	if opts.Cache != nil {
+		if _, ok := opts.Cache.(certmagic.Storage); !ok {
+			logger.Fatal("ACME: cache provided doesn't implement certmagic's Storage interface")
+		}
+	}
+
+	return &certmagicProvider{
+		opts: opts,
+	}
+}

api/acme/certmagic/storage.go

@@ -0,0 +1,147 @@
+package certmagic
+
+import (
+	"bytes"
+	"encoding/gob"
+	"errors"
+	"fmt"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/caddyserver/certmagic"
+	"github.com/micro/go-micro/v3/store"
+	"github.com/micro/go-micro/v3/sync"
+)
+
+// File represents a "File" that will be stored in store.Store - the contents and last modified time
+type File struct {
+	// last modified time
+	LastModified time.Time
+	// Contents
+	Contents []byte
+}
+
+// storage is an implementation of certmagic.Storage using micro's sync.Map and store.Store interfaces.
+// As certmagic storage expects a filesystem (with stat() abilities) we have to implement
+// the bare minimum of metadata.
+type storage struct {
+	lock  sync.Sync
+	store store.Store
+}
+
+func (s *storage) Lock(key string) error {
+	return s.lock.Lock(key, sync.LockTTL(10*time.Minute))
+}
+
+func (s *storage) Unlock(key string) error {
+	return s.lock.Unlock(key)
+}
+
+func (s *storage) Store(key string, value []byte) error {
+	f := File{
+		LastModified: time.Now(),
+		Contents:     value,
+	}
+	buf := &bytes.Buffer{}
+	e := gob.NewEncoder(buf)
+	if err := e.Encode(f); err != nil {
+		return err
+	}
+	r := &store.Record{
+		Key:   key,
+		Value: buf.Bytes(),
+	}
+	return s.store.Write(r)
+}
+
+func (s *storage) Load(key string) ([]byte, error) {
+	if !s.Exists(key) {
+		return nil, certmagic.ErrNotExist(errors.New(key + " doesn't exist"))
+	}
+	records, err := s.store.Read(key)
+	if err != nil {
+		return nil, err
+	}
+	if len(records) != 1 {
+		return nil, fmt.Errorf("ACME Storage: multiple records matched key %s", key)
+	}
+	b := bytes.NewBuffer(records[0].Value)
+	d := gob.NewDecoder(b)
+	var f File
+	err = d.Decode(&f)
+	if err != nil {
+		return nil, err
+	}
+	return f.Contents, nil
+}
+
+func (s *storage) Delete(key string) error {
+	return s.store.Delete(key)
+}
+
+func (s *storage) Exists(key string) bool {
+	if _, err := s.store.Read(key); err != nil {
+		return false
+	}
+	return true
+}
+
+func (s *storage) List(prefix string, recursive bool) ([]string, error) {
+	keys, err := s.store.List()
+	if err != nil {
+		return nil, err
+	}
+
+	//nolint:prealloc
+	var results []string
+	for _, k := range keys {
+		if strings.HasPrefix(k, prefix) {
+			results = append(results, k)
+		}
+	}
+	if recursive {
+		return results, nil
+	}
+	keysMap := make(map[string]bool)
+	for _, key := range results {
+		dir := strings.Split(strings.TrimPrefix(key, prefix+"/"), "/")
+		keysMap[dir[0]] = true
+	}
+	results = make([]string, 0)
+	for k := range keysMap {
+		results = append(results, path.Join(prefix, k))
+	}
+	return results, nil
+}
+
+func (s *storage) Stat(key string) (certmagic.KeyInfo, error) {
+	records, err := s.store.Read(key)
+	if err != nil {
+		return certmagic.KeyInfo{}, err
+	}
+	if len(records) != 1 {
+		return certmagic.KeyInfo{}, fmt.Errorf("ACME Storage: multiple records matched key %s", key)
+	}
+	b := bytes.NewBuffer(records[0].Value)
+	d := gob.NewDecoder(b)
+	var f File
+	err = d.Decode(&f)
+	if err != nil {
+		return certmagic.KeyInfo{}, err
+	}
+	return certmagic.KeyInfo{
+		Key:        key,
+		Modified:   f.LastModified,
+		Size:       int64(len(f.Contents)),
+		IsTerminal: false,
+	}, nil
+}
+
+// NewStorage returns a certmagic.Storage backed by a go-micro/lock and go-micro/store
+func NewStorage(lock sync.Sync, store store.Store) certmagic.Storage {
+	return &storage{
+		lock:  lock,
+		store: store,
+	}
+}

api/acme/options.go

@@ -0,0 +1,73 @@
+package acme
+
+import "github.com/go-acme/lego/v3/challenge"
+
+// Option (or Options) are passed to New() to configure providers
+type Option func(o *Options)
+
+// Options represents various options you can present to ACME providers
+type Options struct {
+	// AcceptTLS must be set to true to indicate that you have read your
+	// provider's terms of service.
+	AcceptToS bool
+	// CA is the CA to use
+	CA string
+	// ChallengeProvider is a go-acme/lego challenge provider. Set this if you
+	// want to use DNS Challenges. Otherwise, tls-alpn-01 will be used
+	ChallengeProvider challenge.Provider
+	// Issue certificates for domains on demand. Otherwise, certs will be
+	// retrieved / issued on start-up.
+	OnDemand bool
+	// Cache is a storage interface. Most ACME libraries have an cache, but
+	// there's no defined interface, so if you consume this option
+	// sanity check it before using.
+	Cache interface{}
+}
+
+// AcceptToS indicates whether you accept your CA's terms of service
+func AcceptToS(b bool) Option {
+	return func(o *Options) {
+		o.AcceptToS = b
+	}
+}
+
+// CA sets the CA of an acme.Options
+func CA(CA string) Option {
+	return func(o *Options) {
+		o.CA = CA
+	}
+}
+
+// ChallengeProvider sets the Challenge provider of an acme.Options
+// if set, it enables the DNS challenge, otherwise tls-alpn-01 will be used.
+func ChallengeProvider(p challenge.Provider) Option {
+	return func(o *Options) {
+		o.ChallengeProvider = p
+	}
+}
+
+// OnDemand enables on-demand certificate issuance. Not recommended for use
+// with the DNS challenge, as the first connection may be very slow.
+func OnDemand(b bool) Option {
+	return func(o *Options) {
+		o.OnDemand = b
+	}
+}
+
+// Cache provides a cache / storage interface to the underlying ACME library
+// as there is no standard, this needs to be validated by the underlying
+// implentation.
+func Cache(c interface{}) Option {
+	return func(o *Options) {
+		o.Cache = c
+	}
+}
+
+// DefaultOptions uses the Let's Encrypt Production CA, with DNS Challenge disabled.
+func DefaultOptions() Options {
+	return Options{
+		AcceptToS: true,
+		CA:        LetsEncryptProductionCA,
+		OnDemand:  true,
+	}
+}