Add automated challenge retries, RFC 8555

2020-02-14 13:17:52 -08:00 · 2020-02-14 13:17:52 -08:00 · 66b2c4b1a4
commit 66b2c4b1a4
parent 40d7c42e33
6 changed files with 126 additions and 17 deletions
--- a/acme/api/handler.go
+++ b/acme/api/handler.go
@ -180,8 +180,9 @@ func (h *Handler) GetChallenge(w http.ResponseWriter, r *http.Request) {
 	ch, err = h.Auth.ValidateChallenge(prov, acc.GetID(), chID, acc.GetKey())
 	if err != nil {
 		api.WriteError(w, err)
-	} else if ch.Status != acme.StatusValid && ch.Status != acme.StatusInvalid {
-		w.Header().Add("Retry-After", "60")
+	} else if ch.Retry.Active {
+		retryAfter := int(ch.Retry.Backoffs) * (10 - ch.Retry.Called)
+		w.Header().Add("Retry-After", string(retryAfter))
 		api.JSON(w, ch)
 	} else {
 		getLink := h.Auth.GetLink
--- a/acme/api/handler_test.go
+++ b/acme/api/handler_test.go
@ -589,6 +589,7 @@ func ch() acme.Challenge {
 		URL:     "https://ca.smallstep.com/acme/challenge/chID",
 		ID:      "chID",
 		AuthzID: "authzID",
+		Retry:   &acme.Retry{Called:0, Backoffs:1, Active:false},
 	}
 }

@ -733,6 +734,37 @@ func TestHandlerGetChallenge(t *testing.T) {
 				ch:         ch,
 			}
 		},
+		"ok/retry-after": func(t *testing.T) test {
+			key, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
+			assert.FatalError(t, err)
+			acc := &acme.Account{ID: "accID", Key: key}
+			ctx := context.WithValue(context.Background(), provisionerContextKey, prov)
+			ctx = context.WithValue(ctx, accContextKey, acc)
+			// TODO: Add correct key such that challenge object is already "active"
+			chiCtxInactive := chi.NewRouteContext()
+			chiCtxInactive.URLParams.Add("chID", "chID")
+			//chiCtxInactive.URLParams.Add("Active", "true")
+			ctx = context.WithValue(ctx, chi.RouteCtxKey, chiCtxInactive)
+			ch := ch()
+			ch.Retry.Active = true
+			chJSON, err := json.Marshal(ch)
+			assert.FatalError(t, err)
+			ctx = context.WithValue(ctx, payloadContextKey, &payloadInfo{value: chJSON})
+			return test{
+				auth: &mockAcmeAuthority{
+					validateChallenge: func(p provisioner.Interface, accID, id string, jwk *jose.JSONWebKey) (*acme.Challenge, error) {
+						assert.Equals(t, p, prov)
+						assert.Equals(t, accID, acc.ID)
+						assert.Equals(t, id, ch.ID)
+						assert.Equals(t, jwk.KeyID, key.KeyID)
+						return &ch, nil
+					},
+				},
+				ctx:        ctx,
+				statusCode: 200,
+				ch:         ch,
+			}
+		},
 	}
 	for name, run := range tests {
 		tc := run(t)
@ -760,13 +792,17 @@ func TestHandlerGetChallenge(t *testing.T) {
 				assert.Equals(t, ae.Identifier, prob.Identifier)
 				assert.Equals(t, ae.Subproblems, prob.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
-			} else {
+			} else if res.StatusCode >= 200 && assert.True(t,res.Header["Retry-After"] == nil){
 				expB, err := json.Marshal(tc.ch)
 				assert.FatalError(t, err)
 				assert.Equals(t, bytes.TrimSpace(body), expB)
 				assert.Equals(t, res.Header["Link"], []string{fmt.Sprintf("<https://ca.smallstep.com/acme/authz/%s>;rel=\"up\"", tc.ch.AuthzID)})
 				assert.Equals(t, res.Header["Location"], []string{url})
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/json"})
+			} else {
+				expB, err := json.Marshal(tc.ch)
+				assert.FatalError(t, err)
+				assert.Equals(t, bytes.TrimSpace(body), expB)
 			}
 		})
 	}
--- a/acme/authority.go
+++ b/acme/authority.go
@ -5,6 +5,8 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"math"
+	"math/rand"
 	"net"
 	"net/http"
 	"net/url"
@ -263,21 +265,38 @@ func (a *Authority) ValidateChallenge(p provisioner.Interface, accID, chID strin
 	if accID != ch.getAccountID() {
 		return nil, UnauthorizedErr(errors.New("account does not own challenge"))
 	}
+	retry := ch.getRetry()
+	if retry.Active {
+		return ch.toACME(a.db, a.dir, p)
+	}
+	retry.Mux.Lock()
+	defer retry.Mux.Unlock()
+
 	client := http.Client{
 		Timeout: time.Duration(30 * time.Second),
 	}
 	dialer := &net.Dialer{
 		Timeout: 30 * time.Second,
 	}
-	ch, err = ch.validate(a.db, jwk, validateOptions{
-		httpGet:   client.Get,
-		lookupTxt: net.LookupTXT,
-		tlsDial: func(network, addr string, config *tls.Config) (*tls.Conn, error) {
-			return tls.DialWithDialer(dialer, network, addr, config)
-		},
-	})
-	if err != nil {
-		return nil, Wrap(err, "error attempting challenge validation")
+	for i:=0; i < 10; i++ {
+		ch, err = ch.validate(a.db, jwk, validateOptions{
+			httpGet:   client.Get,
+			lookupTxt: net.LookupTXT,
+			tlsDial: func(network, addr string, config *tls.Config) (*tls.Conn, error) {
+				return tls.DialWithDialer(dialer, network, addr, config)
+			},
+		})
+		if err != nil {
+			return nil, Wrap(err, "error attempting challenge validation")
+		}
+		if ch.getStatus() == StatusValid {
+			break
+		}
+		if ch.getStatus() == StatusInvalid {
+			return ch.toACME(a.db, a.dir, p)
+		}
+		duration := time.Duration(ch.getRetry().Backoffs + math.Mod(rand.Float64(), 5))
+		time.Sleep(duration*time.Second)
 	}
 	return ch.toACME(a.db, a.dir, p)
 }
--- a/acme/authority_test.go
+++ b/acme/authority_test.go
@ -1276,6 +1276,7 @@ func TestAuthorityValidateChallenge(t *testing.T) {
 			assert.Fatal(t, ok)
 			_ch.baseChallenge.Status = StatusValid
 			_ch.baseChallenge.Validated = clock.Now()
+			_ch.baseChallenge.Retry.Called = 0
 			b, err := json.Marshal(ch)
 			assert.FatalError(t, err)
 			auth, err := NewAuthority(&db.MockNoSQLDB{
@ -1309,12 +1310,10 @@ func TestAuthorityValidateChallenge(t *testing.T) {
 				if assert.Nil(t, tc.err) {
 					gotb, err := json.Marshal(acmeCh)
 					assert.FatalError(t, err)
-
 					acmeExp, err := tc.ch.toACME(nil, tc.auth.dir, prov)
 					assert.FatalError(t, err)
 					expb, err := json.Marshal(acmeExp)
 					assert.FatalError(t, err)
-
 					assert.Equals(t, expb, gotb)
 				}
 			}
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -14,6 +14,7 @@ import (
 	"net"
 	"net/http"
 	"strings"
+	"sync"
 	"time"

 	"github.com/pkg/errors"
@ -31,10 +32,18 @@ type Challenge struct {
 	Validated string  `json:"validated,omitempty"`
 	URL       string  `json:"url"`
 	Error     *AError `json:"error,omitempty"`
+	Retry     *Retry   `json:"retry"`
 	ID        string  `json:"-"`
 	AuthzID   string  `json:"-"`
 }

+type Retry struct {
+	Called    int         `json:"id"`
+	Backoffs  float64     `json:"backoffs"`
+	Active    bool        `json:"active"`
+	Mux	      sync.Mutex  `json:"mux"`
+}
+
 // ToLog enables response logging.
 func (c *Challenge) ToLog() (interface{}, error) {
 	b, err := json.Marshal(c)
@ -75,6 +84,7 @@ type challenge interface {
 	getID() string
 	getAuthzID() string
 	getToken() string
+	getRetry() *Retry
 	clone() *baseChallenge
 	getAccountID() string
 	getValidated() time.Time
@ -101,6 +111,7 @@ type baseChallenge struct {
 	Validated time.Time `json:"validated"`
 	Created   time.Time `json:"created"`
 	Error     *AError   `json:"error"`
+	Retry     *Retry     `json:"retry"`
 }

 func newBaseChallenge(accountID, authzID string) (*baseChallenge, error) {
@ -120,6 +131,7 @@ func newBaseChallenge(accountID, authzID string) (*baseChallenge, error) {
 		Status:    StatusPending,
 		Token:     token,
 		Created:   clock.Now(),
+		Retry:     &Retry{Called:0, Backoffs:1, Active:false},
 	}, nil
 }

@ -158,6 +170,11 @@ func (bc *baseChallenge) getToken() string {
 	return bc.Token
 }

+// getRetry returns the retry state of the baseChallenge
+func (bc *baseChallenge) getRetry() *Retry {
+	return bc.Retry
+}
+
 // getValidated returns the validated time of the baseChallenge.
 func (bc *baseChallenge) getValidated() time.Time {
 	return bc.Validated
@ -190,6 +207,9 @@ func (bc *baseChallenge) toACME(db nosql.DB, dir *directory, p provisioner.Inter
 	if bc.Error != nil {
 		ac.Error = bc.Error
 	}
+	if bc.Retry != nil {
+		ac.Retry = bc.Retry
+	}
 	return ac, nil
 }

@ -241,6 +261,11 @@ func (bc *baseChallenge) storeError(db nosql.DB, err *Error) error {
 	return clone.save(db, bc)
 }

+func (bc *baseChallenge) storeRetry(db nosql.DB, retry *Retry) error {
+	clone := bc.clone()
+	return clone.save(db, bc)
+}
+
 // unmarshalChallenge unmarshals a challenge type into the correct sub-type.
 func unmarshalChallenge(data []byte) (challenge, error) {
 	var getType struct {
@ -303,7 +328,18 @@ func newHTTP01Challenge(db nosql.DB, ops ChallengeOptions) (challenge, error) {
 // updated.
 func (hc *http01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo validateOptions) (challenge, error) {
 	// If already valid or invalid then return without performing validation.
-	if hc.getStatus() == StatusValid || hc.getStatus() == StatusInvalid {
+	if hc.getStatus() == StatusValid {
+		return hc, nil
+	}
+	if hc.getStatus() == StatusInvalid {
+		// TODO: Resolve segfault on upd.save
+		upd := hc.clone()
+		upd.Status = StatusPending
+		if err := upd.save(db, hc); err != nil {
+			fmt.Printf("Error in save: %s\n\n\n", err)
+			return nil, err
+		}
+		fmt.Print("Through Save\n\n")
 		return hc, nil
 	}
 	url := fmt.Sprintf("http://%s/.well-known/acme-challenge/%s", hc.Value, hc.Token)
@ -343,10 +379,18 @@ func (hc *http01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo valida
 		upd := hc.clone()
 		upd.Error = rejectedErr.ToACME()
 		upd.Error.Subproblems = append(upd.Error.Subproblems, rejectedErr)
+		upd.Retry.Called ++
+		upd.Retry.Active = true
+		if upd.Retry.Called >= 10 {
+			upd.Status = StatusInvalid
+			upd.Retry.Backoffs *= 2
+			upd.Retry.Active = false
+			upd.Retry.Called = 0
+		}
 		if err = upd.save(db, hc); err != nil {
 			return nil, err
 		}
-		return hc, nil
+		return hc, err
 	}

 	// Update and store the challenge.
@ -354,6 +398,7 @@ func (hc *http01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo valida
 	upd.Status = StatusValid
 	upd.Error = nil
 	upd.Validated = clock.Now()
+	upd.Retry.Active = false

 	if err := upd.save(db, hc); err != nil {
 		return nil, err
@ -567,6 +612,14 @@ func (dc *dns01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo validat
 		upd := dc.clone()
 		upd.Error = dnsErr.ToACME()
 		upd.Error.Subproblems = append(upd.Error.Subproblems, dnsErr)
+		upd.Retry.Called ++
+		upd.Retry.Active = true
+		if upd.Retry.Called >= 10 {
+			upd.Status = StatusInvalid
+			upd.Retry.Backoffs *= 2
+			upd.Retry.Active = false
+			upd.Retry.Called = 0
+		}
 		if err = upd.save(db, dc); err != nil {
 			return nil, err
 		}
@ -602,6 +655,7 @@ func (dc *dns01Challenge) validate(db nosql.DB, jwk *jose.JSONWebKey, vo validat
 	upd.Status = StatusValid
 	upd.Error = nil
 	upd.Validated = time.Now().UTC()
+	upd.Retry.Active = false

 	if err := upd.save(db, dc); err != nil {
 		return nil, err
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@ -772,7 +772,6 @@ func TestHTTP01Validate(t *testing.T) {
 			assert.FatalError(t, err)
 			oldb, err := json.Marshal(ch)
 			assert.FatalError(t, err)
-
 			expErr := ConnectionErr(errors.Errorf("error doing http GET for url "+
 				"http://zap.internal/.well-known/acme-challenge/%s with status code 400", ch.getToken()))
 			baseClone := ch.clone()
@ -984,6 +983,7 @@ func TestHTTP01Validate(t *testing.T) {
 					assert.Equals(t, tc.res.getCreated(), ch.getCreated())
 					assert.Equals(t, tc.res.getValidated(), ch.getValidated())
 					assert.Equals(t, tc.res.getError(), ch.getError())
+					assert.Equals(t, tc.res.getRetry(), ch.getRetry())
 				}
 			}
 		})