traefik/pkg/provider/acme/local_store.go

package acme

import (
	"encoding/json"
	"fmt"
	"io/ioutil"
	"os"
	"sync"

	"github.com/containous/traefik/v2/pkg/log"
	"github.com/containous/traefik/v2/pkg/safe"
)

var _ Store = (*LocalStore)(nil)

// LocalStore Stores implementation for local file.
type LocalStore struct {
	saveDataChan chan map[string]*StoredData
	filename     string

	lock       sync.RWMutex
	storedData map[string]*StoredData
}

// NewLocalStore initializes a new LocalStore with a file name.
func NewLocalStore(filename string) *LocalStore {
	store := &LocalStore{filename: filename, saveDataChan: make(chan map[string]*StoredData)}
	store.listenSaveAction()
	return store
}

func (s *LocalStore) save(resolverName string, storedData *StoredData) {
	s.lock.Lock()
	defer s.lock.Unlock()

	s.storedData[resolverName] = storedData
	s.saveDataChan <- s.storedData
}

func (s *LocalStore) get(resolverName string) (*StoredData, error) {
	s.lock.Lock()
	defer s.lock.Unlock()

	if s.storedData == nil {
		s.storedData = map[string]*StoredData{}

		hasData, err := CheckFile(s.filename)
		if err != nil {
			return nil, err
		}

		if hasData {
			logger := log.WithoutContext().WithField(log.ProviderName, "acme")

			f, err := os.Open(s.filename)
			if err != nil {
				return nil, err
			}
			defer f.Close()

			file, err := ioutil.ReadAll(f)
			if err != nil {
				return nil, err
			}

			if len(file) > 0 {
				if err := json.Unmarshal(file, &s.storedData); err != nil {
					return nil, err
				}
			}

			// Delete all certificates with no value
			var certificates []*CertAndStore
			for _, storedData := range s.storedData {
				for _, certificate := range storedData.Certificates {
					if len(certificate.Certificate.Certificate) == 0 || len(certificate.Key) == 0 {
						logger.Debugf("Deleting empty certificate %v for %v", certificate, certificate.Domain.ToStrArray())
						continue
					}
					certificates = append(certificates, certificate)
				}
				if len(certificates) < len(storedData.Certificates) {
					storedData.Certificates = certificates
					s.saveDataChan <- s.storedData
				}
			}
		}
	}

	if s.storedData[resolverName] == nil {
		s.storedData[resolverName] = &StoredData{}
	}
	return s.storedData[resolverName], nil
}

// listenSaveAction listens to a chan to store ACME data in json format into `LocalStore.filename`.
func (s *LocalStore) listenSaveAction() {
	safe.Go(func() {
		logger := log.WithoutContext().WithField(log.ProviderName, "acme")
		for object := range s.saveDataChan {
			data, err := json.MarshalIndent(object, "", "  ")
			if err != nil {
				logger.Error(err)
			}

			err = ioutil.WriteFile(s.filename, data, 0600)
			if err != nil {
				logger.Error(err)
			}
		}
	})
}

// GetAccount returns ACME Account.
func (s *LocalStore) GetAccount(resolverName string) (*Account, error) {
	storedData, err := s.get(resolverName)
	if err != nil {
		return nil, err
	}

	return storedData.Account, nil
}

// SaveAccount stores ACME Account.
func (s *LocalStore) SaveAccount(resolverName string, account *Account) error {
	storedData, err := s.get(resolverName)
	if err != nil {
		return err
	}

	storedData.Account = account
	s.save(resolverName, storedData)

	return nil
}

// GetCertificates returns ACME Certificates list.
func (s *LocalStore) GetCertificates(resolverName string) ([]*CertAndStore, error) {
	storedData, err := s.get(resolverName)
	if err != nil {
		return nil, err
	}

	return storedData.Certificates, nil
}

// SaveCertificates stores ACME Certificates list.
func (s *LocalStore) SaveCertificates(resolverName string, certificates []*CertAndStore) error {
	storedData, err := s.get(resolverName)
	if err != nil {
		return err
	}

	storedData.Certificates = certificates
	s.save(resolverName, storedData)

	return nil
}

// LocalChallengeStore is an implementation of the ChallengeStore in memory.
type LocalChallengeStore struct {
	storedData *StoredChallengeData
	lock       sync.RWMutex
}

// NewLocalChallengeStore initializes a new LocalChallengeStore.
func NewLocalChallengeStore() *LocalChallengeStore {
	return &LocalChallengeStore{
		storedData: &StoredChallengeData{
			HTTPChallenges: make(map[string]map[string][]byte),
			TLSChallenges:  make(map[string]*Certificate),
		},
	}
}

// GetHTTPChallengeToken Get the http challenge token from the store.
func (s *LocalChallengeStore) GetHTTPChallengeToken(token, domain string) ([]byte, error) {
	s.lock.RLock()
	defer s.lock.RUnlock()

	if s.storedData.HTTPChallenges == nil {
		s.storedData.HTTPChallenges = map[string]map[string][]byte{}
	}

	if _, ok := s.storedData.HTTPChallenges[token]; !ok {
		return nil, fmt.Errorf("cannot find challenge for token %v", token)
	}

	result, ok := s.storedData.HTTPChallenges[token][domain]
	if !ok {
		return nil, fmt.Errorf("cannot find challenge for token %v", token)
	}
	return result, nil
}

// SetHTTPChallengeToken Set the http challenge token in the store.
func (s *LocalChallengeStore) SetHTTPChallengeToken(token, domain string, keyAuth []byte) error {
	s.lock.Lock()
	defer s.lock.Unlock()

	if s.storedData.HTTPChallenges == nil {
		s.storedData.HTTPChallenges = map[string]map[string][]byte{}
	}

	if _, ok := s.storedData.HTTPChallenges[token]; !ok {
		s.storedData.HTTPChallenges[token] = map[string][]byte{}
	}

	s.storedData.HTTPChallenges[token][domain] = keyAuth
	return nil
}

// RemoveHTTPChallengeToken Remove the http challenge token in the store.
func (s *LocalChallengeStore) RemoveHTTPChallengeToken(token, domain string) error {
	s.lock.Lock()
	defer s.lock.Unlock()

	if s.storedData.HTTPChallenges == nil {
		return nil
	}

	if _, ok := s.storedData.HTTPChallenges[token]; ok {
		delete(s.storedData.HTTPChallenges[token], domain)
		if len(s.storedData.HTTPChallenges[token]) == 0 {
			delete(s.storedData.HTTPChallenges, token)
		}
	}
	return nil
}

// AddTLSChallenge Add a certificate to the ACME TLS-ALPN-01 certificates storage.
func (s *LocalChallengeStore) AddTLSChallenge(domain string, cert *Certificate) error {
	s.lock.Lock()
	defer s.lock.Unlock()

	if s.storedData.TLSChallenges == nil {
		s.storedData.TLSChallenges = make(map[string]*Certificate)
	}

	s.storedData.TLSChallenges[domain] = cert
	return nil
}

// GetTLSChallenge Get a certificate from the ACME TLS-ALPN-01 certificates storage.
func (s *LocalChallengeStore) GetTLSChallenge(domain string) (*Certificate, error) {
	s.lock.Lock()
	defer s.lock.Unlock()

	if s.storedData.TLSChallenges == nil {
		s.storedData.TLSChallenges = make(map[string]*Certificate)
	}

	return s.storedData.TLSChallenges[domain], nil
}

// RemoveTLSChallenge Remove a certificate from the ACME TLS-ALPN-01 certificates storage.
func (s *LocalChallengeStore) RemoveTLSChallenge(domain string) error {
	s.lock.Lock()
	defer s.lock.Unlock()

	if s.storedData.TLSChallenges == nil {
		return nil
	}

	delete(s.storedData.TLSChallenges, domain)
	return nil
}