gitea/cmd/web_acme.go

// Copyright 2020 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package cmd

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"strings"

	"code.gitea.io/gitea/modules/graceful"
	"code.gitea.io/gitea/modules/log"
	"code.gitea.io/gitea/modules/setting"

	"github.com/caddyserver/certmagic"
)

func getCARoot(path string) (*x509.CertPool, error) {
	r, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(r)
	if block == nil {
		return nil, fmt.Errorf("no PEM found in the file %s", path)
	}
	caRoot, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	certPool := x509.NewCertPool()
	certPool.AddCert(caRoot)
	return certPool, nil
}

func runACME(listenAddr string, m http.Handler) error {
	// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.
	// Due to docker port mapping this can't be checked programmatically
	// TODO: these are placeholders until we add options for each in settings with appropriate warning
	enableHTTPChallenge := true
	enableTLSALPNChallenge := true
	altHTTPPort := 0
	altTLSALPNPort := 0

	if p, err := strconv.Atoi(setting.PortToRedirect); err == nil {
		altHTTPPort = p
	}
	if p, err := strconv.Atoi(setting.HTTPPort); err == nil {
		altTLSALPNPort = p
	}

	magic := certmagic.NewDefault()
	magic.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory}
	// Try to use private CA root if provided, otherwise defaults to system's trust
	var certPool *x509.CertPool
	if setting.AcmeCARoot != "" {
		var err error
		certPool, err = getCARoot(setting.AcmeCARoot)
		if err != nil {
			log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)
		}
	}
	myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{
		CA:                      setting.AcmeURL,
		TrustedRoots:            certPool,
		Email:                   setting.AcmeEmail,
		Agreed:                  setting.AcmeTOS,
		DisableHTTPChallenge:    !enableHTTPChallenge,
		DisableTLSALPNChallenge: !enableTLSALPNChallenge,
		ListenHost:              setting.HTTPAddr,
		AltTLSALPNPort:          altTLSALPNPort,
		AltHTTPPort:             altHTTPPort,
	})

	magic.Issuers = []certmagic.Issuer{myACME}

	// this obtains certificates or renews them if necessary
	err := magic.ManageSync(graceful.GetManager().HammerContext(), []string{setting.Domain})
	if err != nil {
		return err
	}

	tlsConfig := magic.TLSConfig()
	tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2")

	if version := toTLSVersion(setting.SSLMinimumVersion); version != 0 {
		tlsConfig.MinVersion = version
	}
	if version := toTLSVersion(setting.SSLMaximumVersion); version != 0 {
		tlsConfig.MaxVersion = version
	}

	// Set curve preferences
	if curves := toCurvePreferences(setting.SSLCurvePreferences); len(curves) > 0 {
		tlsConfig.CurvePreferences = curves
	}

	// Set cipher suites
	if ciphers := toTLSCiphers(setting.SSLCipherSuites); len(ciphers) > 0 {
		tlsConfig.CipherSuites = ciphers
	}

	if enableHTTPChallenge {
		go func() {
			log.Info("Running Let's Encrypt handler on %s", setting.HTTPAddr+":"+setting.PortToRedirect)
			// all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validation happens here)
			err := runHTTP("tcp", setting.HTTPAddr+":"+setting.PortToRedirect, "Let's Encrypt HTTP Challenge", myACME.HTTPChallengeHandler(http.HandlerFunc(runLetsEncryptFallbackHandler)))
			if err != nil {
				log.Fatal("Failed to start the Let's Encrypt handler on port %s: %v", setting.PortToRedirect, err)
			}
		}()
	}

	return runHTTPSWithTLSConfig("tcp", listenAddr, "Web", tlsConfig, m)
}

func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != "GET" && r.Method != "HEAD" {
		http.Error(w, "Use HTTPS", http.StatusBadRequest)
		return
	}
	// Remove the trailing slash at the end of setting.AppURL, the request
	// URI always contains a leading slash, which would result in a double
	// slash
	target := strings.TrimSuffix(setting.AppURL, "/") + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusFound)
}
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`// Copyright 2020 The Gitea Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

			`package cmd`

			`import (`
Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			`"crypto/x509"`
			`"encoding/pem"`
			`"fmt"`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`"net/http"`
Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			`"os"`
Fix bound address/port for caddy's certmagic library (#15758) * Fix bound address/port for caddy's certmagic library * Fix bug Co-authored-by: zeripath <art27@cantab.net> 4 years ago			`"strconv"`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`"strings"`

Upgrade certmagic from v0.14.1 to v0.15.2 (#18138) 3 years ago			`"code.gitea.io/gitea/modules/graceful"`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`"code.gitea.io/gitea/modules/log"`
			`"code.gitea.io/gitea/modules/setting"`

			`"github.com/caddyserver/certmagic"`
			`)`

Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			`func getCARoot(path string) (*x509.CertPool, error) {`
			`r, err := os.ReadFile(path)`
			`if err != nil {`
			`return nil, err`
			`}`
			`block, _ := pem.Decode(r)`
			`if block == nil {`
			`return nil, fmt.Errorf("no PEM found in the file %s", path)`
			`}`
			`caRoot, err := x509.ParseCertificate(block.Bytes)`
			`if err != nil {`
			`return nil, err`
			`}`
			`certPool := x509.NewCertPool()`
			`certPool.AddCert(caRoot)`
			`return certPool, nil`
			`}`

			`func runACME(listenAddr string, m http.Handler) error {`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`// If HTTP Challenge enabled, needs to be serving on port 80. For TLSALPN needs 443.`
Fix various documentation, user-facing, and source comment typos (#16367) * Fix various doc, user-facing, and source comment typos Found via `codespell -q 3 -S ./options/locale,./vendor -L ba,pullrequest,pullrequests,readby` 3 years ago			`// Due to docker port mapping this can't be checked programmatically`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`// TODO: these are placeholders until we add options for each in settings with appropriate warning`
			`enableHTTPChallenge := true`
			`enableTLSALPNChallenge := true`
Fix bound address/port for caddy's certmagic library (#15758) * Fix bound address/port for caddy's certmagic library * Fix bug Co-authored-by: zeripath <art27@cantab.net> 4 years ago			`altHTTPPort := 0`
Fix bound address/port for caddy's certmagic library (see #15848) (#15859) 4 years ago			`altTLSALPNPort := 0`
Fix bound address/port for caddy's certmagic library (#15758) * Fix bound address/port for caddy's certmagic library * Fix bug Co-authored-by: zeripath <art27@cantab.net> 4 years ago
			`if p, err := strconv.Atoi(setting.PortToRedirect); err == nil {`
			`altHTTPPort = p`
			`}`
Fix bound address/port for caddy's certmagic library (see #15848) (#15859) 4 years ago			`if p, err := strconv.Atoi(setting.HTTPPort); err == nil {`
			`altTLSALPNPort = p`
			`}`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago
			`magic := certmagic.NewDefault()`
Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			`magic.Storage = &certmagic.FileStorage{Path: setting.AcmeLiveDirectory}`
			`// Try to use private CA root if provided, otherwise defaults to system's trust`
			`var certPool *x509.CertPool`
			`if setting.AcmeCARoot != "" {`
			`var err error`
			`certPool, err = getCARoot(setting.AcmeCARoot)`
			`if err != nil {`
			`log.Warn("Failed to parse CA Root certificate, using default CA trust: %v", err)`
			`}`
			`}`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`myACME := certmagic.NewACMEManager(magic, certmagic.ACMEManager{`
Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			`CA: setting.AcmeURL,`
			`TrustedRoots: certPool,`
			`Email: setting.AcmeEmail,`
			`Agreed: setting.AcmeTOS,`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`DisableHTTPChallenge: !enableHTTPChallenge,`
			`DisableTLSALPNChallenge: !enableTLSALPNChallenge,`
Fix bound address/port for caddy's certmagic library (see #15848) (#15859) 4 years ago			`ListenHost: setting.HTTPAddr,`
			`AltTLSALPNPort: altTLSALPNPort,`
Fix bound address/port for caddy's certmagic library (#15758) * Fix bound address/port for caddy's certmagic library * Fix bug Co-authored-by: zeripath <art27@cantab.net> 4 years ago			`AltHTTPPort: altHTTPPort,`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`})`

[Vendor] update certmagic (#15590) * update github.com/caddyserver/certmagic v0.12.0 -> v0.13.0 * migrate 4 years ago			`magic.Issuers = []certmagic.Issuer{myACME}`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago
			`// this obtains certificates or renews them if necessary`
Support custom ACME provider (#18340) * Added ACMECAURL option to support custom ACME provider. Closes #18306 * Refactor setting.go https settings, renamed options and variables, and documented app.example.ini * Refactored runLetsEncrypt to runACME * Improved documentation 3 years ago			`err := magic.ManageSync(graceful.GetManager().HammerContext(), []string{setting.Domain})`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`if err != nil {`
			`return err`
			`}`

			`tlsConfig := magic.TLSConfig()`
Support HTTP/2 in Let's Encrypt (#16371) Modify the tlsConfig.NextProtos for Let's Encrypt and built-in HTTPS server in order to support HTTP/2. Co-authored-by: 6543 <6543@obermui.de> 3 years ago			`tlsConfig.NextProtos = append(tlsConfig.NextProtos, "h2")`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago
Make SSL cipher suite configurable (#17440) 3 years ago			`if version := toTLSVersion(setting.SSLMinimumVersion); version != 0 {`
			`tlsConfig.MinVersion = version`
			`}`
			`if version := toTLSVersion(setting.SSLMaximumVersion); version != 0 {`
			`tlsConfig.MaxVersion = version`
			`}`

			`// Set curve preferences`
			`if curves := toCurvePreferences(setting.SSLCurvePreferences); len(curves) > 0 {`
			`tlsConfig.CurvePreferences = curves`
			`}`

			`// Set cipher suites`
			`if ciphers := toTLSCiphers(setting.SSLCipherSuites); len(ciphers) > 0 {`
			`tlsConfig.CipherSuites = ciphers`
			`}`

Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`if enableHTTPChallenge {`
			`go func() {`
			`log.Info("Running Let's Encrypt handler on %s", setting.HTTPAddr+":"+setting.PortToRedirect)`
			`// all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validation happens here)`
format with gofumpt (#18184) * gofumpt -w -l . * gofumpt -w -l -extra . * Add linter * manual fix * change make fmt 3 years ago			`err := runHTTP("tcp", setting.HTTPAddr+":"+setting.PortToRedirect, "Let's Encrypt HTTP Challenge", myACME.HTTPChallengeHandler(http.HandlerFunc(runLetsEncryptFallbackHandler)))`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`if err != nil {`
			`log.Fatal("Failed to start the Let's Encrypt handler on port %s: %v", setting.PortToRedirect, err)`
			`}`
			`}()`
			`}`

Simplify Gothic to use our session store instead of creating a different store (#17507) * Simplify Gothic to use our session store instead of creating a different store We have been using xormstore to provide a separate session store for our OAuth2 logins however, this relies on using gorilla context and some doubling of our session storing. We can however, simplify and simply use our own chi-based session store. Thus removing a cookie and some of the weirdness with missing contexts. Signed-off-by: Andrew Thornton <art27@cantab.net> * as per review Signed-off-by: Andrew Thornton <art27@cantab.net> * as per review Signed-off-by: Andrew Thornton <art27@cantab.net> * Handle MaxTokenLength Signed-off-by: Andrew Thornton <art27@cantab.net> * oops Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lauris BH <lauris@nix.lv> 3 years ago			`return runHTTPSWithTLSConfig("tcp", listenAddr, "Web", tlsConfig, m)`
Use caddy's certmagic library for extensible/robust ACME handling (#14177) * use certmagic for more extensible/robust ACME cert handling * accept TOS based on config option Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lauris BH <lauris@nix.lv> 4 years ago			`}`

			`func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {`
			`if r.Method != "GET" && r.Method != "HEAD" {`
			`http.Error(w, "Use HTTPS", http.StatusBadRequest)`
			`return`
			`}`
			`// Remove the trailing slash at the end of setting.AppURL, the request`
			`// URI always contains a leading slash, which would result in a double`
			`// slash`
			`target := strings.TrimSuffix(setting.AppURL, "/") + r.URL.RequestURI()`
			`http.Redirect(w, r, target, http.StatusFound)`
			`}`