Factor acme bits out to a separate file #5521

Merged
merged 1 commit into from
Jun 24, 2019
1 change: 1 addition & 0 deletions changelog.d/5521.misc
@@ -0,0 +1 @@
Factor acme bits out to a separate file.
62 changes: 9 additions & 53 deletions synapse/handlers/acme.py
Expand Up @@ -15,42 +15,16 @@

import logging

import attr
from zope.interface import implementer

import twisted
import twisted.internet.error
from twisted.internet import defer
from twisted.python.filepath import FilePath
from twisted.python.url import URL
from twisted.web import server, static
from twisted.web.resource import Resource

from synapse.app import check_bind_error

logger = logging.getLogger(__name__)

try:
from txacme.interfaces import ICertificateStore

@attr.s
@implementer(ICertificateStore)
class ErsatzStore(object):
"""
A store that only stores in memory.
"""

certs = attr.ib(default=attr.Factory(dict))

def store(self, server_name, pem_objects):
self.certs[server_name] = [o.as_bytes() for o in pem_objects]
return defer.succeed(None)


except ImportError:
# txacme is missing
pass


class AcmeHandler(object):
def __init__(self, hs):
Expand All @@ -60,44 +34,26 @@ def __init__(self, hs):

@defer.inlineCallbacks
def start_listening(self):
from synapse.handlers import acme_issuing_service

# Configure logging for txacme, if you need to debug
# from eliot import add_destinations
# from eliot.twisted import TwistedDestination
#
# add_destinations(TwistedDestination())

from txacme.challenges import HTTP01Responder
from txacme.service import AcmeIssuingService
from txacme.endpoint import load_or_create_client_key
from txacme.client import Client
from josepy.jwa import RS256

self._store = ErsatzStore()
responder = HTTP01Responder()

self._issuer = AcmeIssuingService(
cert_store=self._store,
client_creator=(
lambda: Client.from_url(
reactor=self.reactor,
url=URL.from_text(self.hs.config.acme_url),
key=load_or_create_client_key(
FilePath(self.hs.config.config_dir_path)
),
alg=RS256,
)
),
clock=self.reactor,
responders=[responder],
well_known = Resource()

self._issuer = acme_issuing_service.create_issuing_service(
self.reactor,
acme_url=self.hs.config.acme_url,
pem_path=self.hs.config.config_dir_path,
well_known_resource=well_known,
)

well_known = Resource()
well_known.putChild(b"acme-challenge", responder.resource)
responder_resource = Resource()
responder_resource.putChild(b".well-known", well_known)
responder_resource.putChild(b"check", static.Data(b"OK", b"text/plain"))

srv = server.Site(responder_resource)

bind_addresses = self.hs.config.acme_bind_addresses
Expand Down Expand Up @@ -128,7 +84,7 @@ def provision_certificate(self):
logger.exception("Fail!")
raise
logger.warning("Reprovisioned %s, saving.", self._acme_domain)
cert_chain = self._store.certs[self._acme_domain]
cert_chain = self._issuer.cert_store.certs[self._acme_domain]

try:
with open(self.hs.config.tls_private_key_file, "wb") as private_key_file:
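Review bot: The private key file opened at `open(self.hs.config.tls_private_key_file, "wb")` at the end of the third hunk is created with the process umask, so on a typical 022 umask a freshly provisioned key lands world-readable; now that this hunk reads the key material straight out of `self._issuer.cert_store.certs`, it is the natural place to tighten that. Replace the open with `fd = os.open(self.hs.config.tls_private_key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, "wb") as private_key_file:` (adding `import os` if the file lacks one — the imports above the first hunk are not visible here), and `os.chmod` an already-existing file down to 0o600 since O_CREAT's mode does not apply to it. Separately, `self._issuer.cert_store.certs` reaches through a txacme attribute into ErsatzStore's internal dict, so a short comment such as `# cert_store is our in-memory ErsatzStore; certs[domain] holds the PEM bytes txacme stored` would help the next reader, and any other `self._store` users outside these hunks would need the same rewrite. provision_certificate starts and ends outside the hunk.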
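--- /dev/null
+++ b/synapse/handlers/acme_issuing_service.py
@@ -0,0 +1,84 @@
+# -*- coding: utf-8 -*-
+# Copyright 2019 New Vector Ltd
+# Copyright 2019 The Matrix.org Foundation C.I.C.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+Utility function to create an ACME issuing service.
+
+This file contains the unconditional imports on the acme and cryptography bits that we
+only need (and may only have available) if we are doing ACME, so is designed to be
+imported conditionally.
+"""
+
+import attr
+from josepy.jwa import RS256
+from txacme.challenges import HTTP01Responder
+from txacme.client import Client
+from txacme.endpoint import load_or_create_client_key
+from txacme.interfaces import ICertificateStore
+from txacme.service import AcmeIssuingService
+from zope.interface import implementer
+
+from twisted.internet import defer
+from twisted.python.filepath import FilePath
+from twisted.python.url import URL
+
+
+def create_issuing_service(reactor, acme_url, pem_path, well_known_resource):
+    """Create an ACME issuing service, and attach it to a web Resource
+
+    Args:
+        reactor: twisted reactor
+        acme_url (str): URL to use to request certificates
+        pem_path (str): where to store the client key
+        well_known_resource (twisted.web.IResource): web resource for .well-known.
+            we will attach a child resource for "acme-challenge".
+
+    Returns:
+        AcmeIssuingService
+    """
+    responder = HTTP01Responder()
+
+    well_known_resource.putChild(b"acme-challenge", responder.resource)
+
+    store = ErsatzStore()
+
+    return AcmeIssuingService(
+        cert_store=store,
+        client_creator=(
+            lambda: Client.from_url(
+                reactor=reactor,
+                url=URL.from_text(acme_url),
+                key=load_or_create_client_key(FilePath(pem_path)),
+                alg=RS256,
+            )
+        ),
+        clock=reactor,
+        responders=[responder],
+    )
+
+
+@attr.s
+@implementer(ICertificateStore)
+class ErsatzStore(object):
+    """
+    A store that only stores in memory.
+    """
+
+    certs = attr.ib(default=attr.Factory(dict))
+
+    def store(self, server_name, pem_objects):
+        self.certs[server_name] = [o.as_bytes() for o in pem_objects]
+        return defer.succeed(None)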
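Review bot: `ErsatzStore` is declared with `@implementer(ICertificateStore)` but only provides `store`; as far as I recall txacme's `ICertificateStore` also declares `get` and `as_dict`, so any code path in `AcmeIssuingService` that enumerates the store (its periodic renewal check, should the service ever be started) would fail with an AttributeError rather than a clear interface error. Either implement `get`/`as_dict` returning the parsed PEM objects txacme expects, or state the restriction in the class docstring, e.g. `Only store() is implemented: Synapse drives issue_cert() directly and reads the result back via .certs, so the service must not be started.` The `create_issuing_service` docstring should also say that the returned service's `cert_store` is this in-memory store and that `certs[domain]` holds the freshly issued key and certificate as PEM bytes until the caller persists them, since that is the contract acme.py depends on. Finally, `pem_path` receives the ACME account key unencrypted through `load_or_create_client_key`, with whatever file mode txacme and the umask produce; a note in the `Args` block such as `the account key is written in plaintext under this directory; keep it private` is worth adding (the exact filename is txacme's choice, so verify it).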