goldilocks.js/lib/modules/tls.js

'use strict';

module.exports.create = function (deps, config, netHandler) {
  var tls = require('tls');
  var parseSni = require('sni');
  var greenlock = require('greenlock');
  var localhostCerts = require('localhost.daplie.me-certificates');
  var domainMatches = require('../domain-utils').match;

  function extractSocketProp(socket, propName) {
    // remoteAddress, remotePort... ugh... https://github.com/nodejs/node/issues/8854
    var value = socket[propName] || socket['_' + propName];
    try {
      value = value || socket._handle._parent.owner.stream[propName];
    } catch (e) {}

    try {
      value = value || socket._handle._parentWrap[propName];
      value = value || socket._handle._parentWrap._handle.owner.stream[propName];
    } catch (e) {}

    return value || '';
  }

  var addressNames = [
    'remoteAddress'
  , 'remotePort'
  , 'remoteFamily'
  , 'localAddress'
  , 'localPort'
  ];
  function wrapSocket(socket, opts) {
    var reader = require('socket-pair').create(function (err, writer) {
      if (err) {
        reader.emit('error', err);
        return;
      }

      process.nextTick(function () {
        socket.unshift(opts.firstChunk);
      });

      socket.pipe(writer);
      writer.pipe(socket);

      socket.on('error', function (err) {
        console.log('wrapped TLS socket error', err);
        reader.emit('error', err);
      });
      writer.on('error', function (err) {
        console.error('socket-pair writer error', err);
        // If the writer had an error the reader probably did too, and I don't think we'll
        // get much out of emitting this on the original socket, so logging is enough.
      });
    });

    // We can't set these properties the normal way because there is a getter without a setter,
    // but we can use defineProperty. We reuse the descriptor even though we will be manipulating
    // it because we will only ever set the value and we set it every time.
    var descriptor = {enumerable: true, configurable: true, writable: true};
    addressNames.forEach(function (name) {
      descriptor.value = opts[name] || extractSocketProp(socket, name);
      Object.defineProperty(reader, name, descriptor);
    });

    return reader;
  }

  var le = greenlock.create({
    // server: 'staging'
    server: 'https://acme-v01.api.letsencrypt.org/directory'

  , challenges: {
      'http-01': require('le-challenge-fs').create({ webrootPath: '/tmp/acme-challenges', debug: config.debug })
    , 'tls-sni-01': require('le-challenge-sni').create({ debug: config.debug })
      // TODO dns-01
      //, 'dns-01': require('le-challenge-ddns').create()
    }

  , store: require('le-store-certbot').create({ webrootPath: '/tmp/acme-challenges' })

  , approveDomains: function (opts, certs, cb) {
      // This is where you check your database and associated
      // email addresses with domains and agreements and such

      // The domains being approved for the first time are listed in opts.domains
      // Certs being renewed are listed in certs.altnames
      if (certs) {
        // TODO make sure the same options are used for renewal as for registration?
        opts.domains = certs.altnames;

        cb(null, { options: opts, certs: certs });
        return;
      }

      function complete(optsOverride) {
        Object.keys(optsOverride).forEach(function (key) {
          opts[key] = optsOverride[key];
        });

        cb(null, { options: opts, certs: certs });
      }


      // check config for domain name
      if (-1 !== (config.tls.servernames || []).indexOf(opts.domain)) {
        // TODO how to handle SANs?
        // TODO fetch domain-specific email
        // TODO fetch domain-specific acmeDirectory
        // NOTE: you can also change other options such as `challengeType` and `challenge`
        // opts.challengeType = 'http-01';
        // opts.challenge = require('le-challenge-fs').create({}); // TODO this doesn't actually work yet
        complete({
          email: config.tls.email
        , agreeTos: true
        , server: config.tls.acmeDirectoryUrl || le.server
        , challengeType: config.tls.challengeType || 'http-01'
        });
        return;
      }

      // TODO ask http module (and potentially all other modules) about what domains it can
      // handle. We can allow any domains that other modules will handle after we terminate TLS.
      cb(new Error('domain is not allowed'));
      // if (!modules.http) {
      //   modules.http = require('./modules/http.js').create(deps, config);
      // }
      // modules.http.checkServername(opts.domain).then(function (stuff) {
      //   if (!stuff || !stuff.domains) {
      //     // TODO once precheck is implemented we can just let it pass if it passes, yknow?
      //     cb(new Error('domain is not allowed'));
      //     return;
      //   }

      //   complete({
      //     domain: stuff.domain || stuff.domains[0]
      //   , domains: stuff.domains
      //   , email: stuff.email || program.email
      //   , server: stuff.acmeDirectoryUrl || program.acmeDirectoryUrl
      //   , challengeType: stuff.challengeType || program.challengeType
      //   , challenge: stuff.challenge
      //   });
      //   return;
      // }, cb);
    }
  });
  le.tlsOptions = le.tlsOptions || le.httpsOptions;

  var secureContexts = {};
  var terminatorOpts = require('localhost.daplie.me-certificates').merge({});
  terminatorOpts.SNICallback = function (sni, cb) {
    console.log("[tlsOptions.SNICallback] SNI: '" + sni + "'");

    var tlsOptions;

    // Static Certs
    if (/.*localhost.*\.daplie\.me/.test(sni.toLowerCase())) {
      // TODO implement
      if (!secureContexts[sni]) {
        tlsOptions = localhostCerts.mergeTlsOptions(sni, {});
      }
      if (tlsOptions) {
        secureContexts[sni] = tls.createSecureContext(tlsOptions);
      }
      if (secureContexts[sni]) {
        console.log('Got static secure context:', sni, secureContexts[sni]);
        cb(null, secureContexts[sni]);
        return;
      }
    }

    le.tlsOptions.SNICallback(sni, cb);
  };

  var terminateServer = tls.createServer(terminatorOpts, function (socket) {
    console.log('(pre-terminated) tls connection, addr:', socket.remoteAddress);

    netHandler(socket, {
      servername: socket.servername
    , encrypted: true
      // remoteAddress... ugh... https://github.com/nodejs/node/issues/8854
    , remoteAddress: extractSocketProp(socket, 'remoteAddress')
    , remotePort:    extractSocketProp(socket, 'remotePort')
    , remoteFamily:  extractSocketProp(socket, 'remoteFamily')
    });
  });

  function proxy(socket, opts, mod) {
    var newConnOpts = require('../domain-utils').separatePort(mod.address);
    newConnOpts.servername = opts.servername;
    newConnOpts.data = opts.firstChunk;

    newConnOpts.remoteFamily  = opts.family  || extractSocketProp(socket, 'remoteFamily');
    newConnOpts.remoteAddress = opts.address || extractSocketProp(socket, 'remoteAddress');
    newConnOpts.remotePort    = opts.port    || extractSocketProp(socket, 'remotePort');

    deps.proxy(socket, newConnOpts, opts.firstChunk, function () {
      // This function is called in the event of a connection error and should decrypt
      // the socket so the proxy module can send a 502 HTTP response.
      var tlsOpts = localhostCerts.mergeTlsOptions('localhost.daplie.me', {isServer: true});
      if (opts.hyperPeek) {
        return new tls.TLSSocket(socket, tlsOpts);
      } else {
        return new tls.TLSSocket(wrapSocket(socket, opts), tlsOpts);
      }
    });
  }

  function terminate(socket, opts) {
    console.log(
      '[tls-terminate]'
    , opts.localAddress || socket.localAddress +':'+ opts.localPort || socket.localPort
    , 'servername=' + opts.servername
    , opts.remoteAddress || socket.remoteAddress
    );

    if (opts.hyperPeek) {
      // This connection was peeked at using a method that doesn't interferre with the TLS
      // server's ability to handle it properly. Currently the only way this happens is
      // with tunnel connections where we have the first chunk of data before creating the
      // new connection (thus removing need to get data off the new connection).
      terminateServer.emit('connection', socket);
    }
    else {
      // The hyperPeek flag wasn't set, so we had to read data off of this connection, which
      // means we can no longer use it directly in the TLS server.
      // See https://github.com/nodejs/node/issues/8752 (node's internal networking layer == 💩 sometimes)
      terminateServer.emit('connection', wrapSocket(socket, opts));
    }
  }

  function handleConn(socket, opts) {
    opts.servername = (parseSni(opts.firstChunk)||'').toLowerCase() || 'localhost.invalid';
    // needs to wind up in one of 2 states:
    // 1. SNI-based Proxy / Tunnel (we don't even need to put it through the tlsSocket)
    // 2. Terminated (goes on to a particular module or route, including the admin interface)
    // 3. Closed (we don't recognize the SNI servername as something we actually want to handle)

    // We always want to terminate is the SNI matches the challenge pattern, unless a client
    // on the south side has temporarily claimed a particular challenge. For the time being
    // we don't have a way for the south-side to communicate with us, so that part isn't done.
    if (domainMatches('*.acme-challenge.invalid', opts.servername)) {
      terminate(socket, opts);
      return;
    }

    var handled = (config.tls.modules || []).some(function (mod) {
      var relevant = mod.domains.some(function (pattern) {
        return domainMatches(pattern, opts.servername);
      });
      if (!relevant) {
        return false;
      }

      if (mod.name === 'proxy') {
        proxy(socket, opts, mod);
      }
      else {
        console.error('saw unknown TLS module', mod);
        return false;
      }

      return true;
    });

    // TODO: figure out all of the domains that the other modules intend to handle, and only
    // terminate those ones, closing connections for all others.
    if (!handled) {
      terminate(socket, opts);
    }
  }

  return {
    emit: function (type, socket) {
      if (type === 'connection') {
        handleConn(socket, socket.__opts);
      }
    }
  , middleware: le.middleware()
  };
};