Add rate limits for HTTPS requests

6 years ago · 1e6aba52dc
12 changed files with 361 additions and 27 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Hooks now have the optional `allow_failure` field.
 - In hooks, the `stdin_str` has been added in replacement of the previous `stdin` behavior.
 - HTTPS request rate limits.
 ### Changed
 - Certificates are renewed in parallel.
--- a/README.md
+++ b/README.md
@ -25,7 +25,8 @@ The Automatic Certificate Management Environment (ACME), is an internet standard
 - Nice and simple configuration file
 - Run as a deamon: no need to set-up timers, crontab or other time-triggered process
 - Retry of HTTPS request rejected with a badNonce or other recoverable errors
 - Optional private-key reuse (useful for [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning))
 - Customizable HTTPS requests rate limits.
 - Optional key pair reuse (useful for [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning))
 - For a given certificate, each domain names may be validated using a different challenge.
 - A standalone server dedicated to the tls-alpn-01 challenge validation
--- a/acme_common/src/error.rs
+++ b/acme_common/src/error.rs
@ -51,6 +51,12 @@ impl From<std::string::FromUtf8Error> for Error {
    }
 }
 impl From<std::sync::mpsc::RecvError> for Error {
    fn from(error: std::sync::mpsc::RecvError) -> Self {
        format!("MSPC receiver error: {}", error).into()
    }
 }
 impl From<syslog::Error> for Error {
    fn from(error: syslog::Error) -> Self {
        format!("syslog error: {}", error).into()
--- a/acmed/Cargo.toml
+++ b/acmed/Cargo.toml
@ -17,6 +17,7 @@ clap = "2.32"
 handlebars = "2.0.0-beta.1"
 http_req = "0.4"
 log = "0.4"
 nom = "5.0.0-beta2"
 openssl = "0.10"
 openssl-sys = "0.9"
 serde = { version = "1.0", features = ["derive"] }
--- a/acmed/config/acmed.toml
+++ b/acmed/config/acmed.toml
@ -2,12 +2,19 @@ include = [
    "default_hooks.toml"
 ]
 [[rate-limit]]
 name = "LE min"
 number = 20
 period = "1s"
 [[endpoint]]
 name = "letsencrypt v2 prod"
 url = "https://acme-v02.api.letsencrypt.org/directory"
 rate_limits = ["LE min"]
 tos_agreed = false
 [[endpoint]]
 name = "letsencrypt v2 staging"
 url = "https://acme-staging-v02.api.letsencrypt.org/directory"
 rate_limits = ["LE min"]
 tos_agreed = false
--- a/acmed/src/acme_proto/http.rs
+++ b/acmed/src/acme_proto/http.rs
@ -1,7 +1,8 @@
 use crate::acme_proto::structs::{AcmeError, ApiError, Directory, HttpApiError};
 use crate::certificate::Certificate;
 use crate::rate_limits;
 use acme_common::error::Error;
 use http_req::request::{Method, Request};
 use http_req::request::{self, Method};
 use http_req::response::Response;
 use http_req::uri::Uri;
 use std::path::Path;
@ -11,6 +12,12 @@ use std::{thread, time};
 const CONTENT_TYPE_JOSE: &str = "application/jose+json";
 const CONTENT_TYPE_JSON: &str = "application/json";
 struct Request<'a> {
    r: request::Request<'a>,
    uri: &'a Uri,
    method: Method,
 }
 struct DummyString {
    pub content: String,
 }
@ -25,13 +32,7 @@ impl FromStr for DummyString {
    }
 }
 fn new_request<'a>(
    cert: &Certificate,
    root_certs: &'a [String],
    uri: &'a Uri,
    method: Method,
 ) -> Request<'a> {
    cert.debug(&format!("{}: {}", method, uri));
 fn new_request<'a>(root_certs: &'a [String], uri: &'a Uri, method: Method) -> Request<'a> {
    let useragent = format!(
        "{}/{} ({}) {}",
        crate::APP_NAME,
@ -39,27 +40,31 @@ fn new_request<'a>(
        env!("ACMED_TARGET"),
        env!("ACMED_HTTP_LIB_AGENT")
    );
    let mut rb = Request::new(uri);
    let mut rb = request::Request::new(uri);
    for file_name in root_certs.iter() {
        rb.root_cert_file_pem(&Path::new(file_name));
    }
    rb.method(method);
    rb.method(method.to_owned());
    rb.header("User-Agent", &useragent);
    // TODO: allow to configure the language
    rb.header("Accept-Language", "en-US,en;q=0.5");
    rb
    Request { r: rb, method, uri }
 }
 fn send_request(request: &Request) -> Result<(Response, String), Error> {
 fn send_request(cert: &Certificate, request: &Request) -> Result<(Response, String), Error> {
    let mut buffer = Vec::new();
    let res = request.send(&mut buffer)?;
    cert.https_throttle
        .send(rate_limits::Request::HttpsRequest)
        .unwrap();
    cert.debug(&format!("{}: {}", request.method, request.uri));
    let res = request.r.send(&mut buffer)?;
    let res_str = String::from_utf8(buffer)?;
    Ok((res, res_str))
 }
 fn send_request_retry(cert: &Certificate, request: &Request) -> Result<(Response, String), Error> {
    for _ in 0..crate::DEFAULT_HTTP_FAIL_NB_RETRY {
        let (res, res_body) = send_request(request)?;
        let (res, res_body) = send_request(cert, request)?;
        match check_response(&res, &res_body) {
            Ok(()) => {
                return Ok((res, res_body));
@ -110,14 +115,14 @@ fn post_jose_type(
    accept_type: &str,
 ) -> Result<(Response, String), Error> {
    let uri = url.parse::<Uri>()?;
    let mut request = new_request(cert, root_certs, &uri, Method::POST);
    request.header("Content-Type", CONTENT_TYPE_JOSE);
    request.header("Content-Length", &data.len().to_string());
    request.header("Accept", accept_type);
    request.body(data);
    let mut request = new_request(root_certs, &uri, Method::POST);
    request.r.header("Content-Type", CONTENT_TYPE_JOSE);
    request.r.header("Content-Length", &data.len().to_string());
    request.r.header("Accept", accept_type);
    request.r.body(data);
    let rstr = String::from_utf8_lossy(data);
    cert.trace(&format!("request body: {}", rstr));
    let (res, res_body) = send_request(&request)?;
    let (res, res_body) = send_request(cert, &request)?;
    cert.trace(&format!("response body: {}", res_body));
    Ok((res, res_body))
 }
@ -287,8 +292,8 @@ pub fn get_directory(
    url: &str,
 ) -> Result<Directory, Error> {
    let uri = url.parse::<Uri>()?;
    let mut request = new_request(cert, root_certs, &uri, Method::GET);
    request.header("Accept", CONTENT_TYPE_JSON);
    let mut request = new_request(root_certs, &uri, Method::GET);
    request.r.header("Accept", CONTENT_TYPE_JSON);
    let (r, s) = send_request_retry(cert, &request)?;
    check_response(&r, &s)?;
    Directory::from_str(&s)
@ -296,7 +301,7 @@ pub fn get_directory(
 pub fn get_nonce(cert: &Certificate, root_certs: &[String], url: &str) -> Result<String, Error> {
    let uri = url.parse::<Uri>()?;
    let request = new_request(cert, root_certs, &uri, Method::HEAD);
    let request = new_request(root_certs, &uri, Method::HEAD);
    let (res, res_body) = send_request_retry(cert, &request)?;
    check_response(&res, &res_body)?;
    nonce_from_response(cert, &res)
--- a/acmed/src/certificate.rs
+++ b/acmed/src/certificate.rs
@ -7,6 +7,7 @@ use log::{debug, info, trace, warn};
 use openssl::x509::X509;
 use std::collections::{HashMap, HashSet};
 use std::fmt;
 use std::sync::mpsc::SyncSender;
 use time::{strptime, Duration};
 #[derive(Clone, Debug)]
@ -49,6 +50,7 @@ pub struct Certificate {
    pub kp_reuse: bool,
    pub remote_url: String,
    pub tos_agreed: bool,
    pub https_throttle: SyncSender<crate::rate_limits::Request>,
    pub hooks: Vec<Hook>,
    pub account_directory: String,
    pub crt_directory: String,
@ -245,8 +247,10 @@ impl Certificate {
 mod tests {
    use super::{Algorithm, Certificate};
    use std::collections::HashMap;
    use std::sync::mpsc::sync_channel;
    fn get_dummy_certificate() -> Certificate {
        let (https_throttle, _) = sync_channel(0);
        Certificate {
            account: crate::config::Account {
                name: String::new(),
@ -257,6 +261,7 @@ mod tests {
            kp_reuse: false,
            remote_url: String::new(),
            tos_agreed: false,
            https_throttle,
            hooks: Vec::new(),
            account_directory: String::new(),
            crt_directory: String::new(),
--- a/acmed/src/config.rs
+++ b/acmed/src/config.rs
@ -1,13 +1,15 @@
 use crate::certificate::Algorithm;
 use crate::hooks;
 use crate::rate_limits;
 use acme_common::error::Error;
 use log::info;
 use serde::Deserialize;
 use std::collections::HashMap;
 use std::fmt;
 use std::fs::{self, File};
 use std::io::prelude::*;
 use std::path::{Path, PathBuf};
 use std::sync::mpsc;
 use std::{fmt, thread};
 macro_rules! set_cfg_attr {
    ($to: expr, $from: expr) => {
@ -42,6 +44,8 @@ pub struct Config {
    pub global: Option<GlobalOptions>,
    #[serde(default)]
    pub endpoint: Vec<Endpoint>,
    #[serde(default, rename = "rate-limit")]
    pub rate_limit: Vec<RateLimit>,
    #[serde(default)]
    pub hook: Vec<Hook>,
    #[serde(default)]
@ -55,6 +59,15 @@ pub struct Config {
 }
 impl Config {
    fn get_rate_limit(&self, name: &str) -> Result<(usize, String), Error> {
        for rl in self.rate_limit.iter() {
            if rl.name == name {
                return Ok((rl.number, rl.period.to_owned()));
            }
        }
        Err(format!("{}: rate limit not found", name).into())
    }
    pub fn get_account_dir(&self) -> String {
        let account_dir = match &self.global {
            Some(g) => match &g.accounts_directory {
@ -167,6 +180,27 @@ pub struct Endpoint {
    pub name: String,
    pub url: String,
    pub tos_agreed: bool,
    #[serde(default)]
    pub rate_limits: Vec<String>,
 }
 impl Endpoint {
    fn is_used(&self, config: &Config) -> bool {
        for crt in config.certificate.iter() {
            if crt.endpoint == self.name {
                return true;
            }
        }
        false
    }
 }
 #[derive(Clone, Deserialize)]
 #[serde(deny_unknown_fields)]
 pub struct RateLimit {
    pub name: String,
    pub number: usize,
    pub period: String,
 }
 #[derive(Deserialize)]
@ -304,6 +338,11 @@ impl Certificate {
        Ok(ep.url)
    }
    pub fn get_endpoint_name(&self, cnf: &Config) -> Result<String, Error> {
        let ep = self.get_endpoint(cnf)?;
        Ok(ep.name)
    }
    pub fn get_tos_agreement(&self, cnf: &Config) -> Result<bool, Error> {
        let ep = self.get_endpoint(cnf)?;
        Ok(ep.tos_agreed)
@ -368,6 +407,7 @@ fn read_cnf(path: &PathBuf) -> Result<Config, Error> {
        let cnf_path = get_cnf_path(path, cnf_name);
        let mut add_cnf = read_cnf(&cnf_path)?;
        config.endpoint.append(&mut add_cnf.endpoint);
        config.rate_limit.append(&mut add_cnf.rate_limit);
        config.hook.append(&mut add_cnf.hook);
        config.group.append(&mut add_cnf.group);
        config.account.append(&mut add_cnf.account);
@ -407,6 +447,24 @@ fn dispatch_global_env_vars(config: &mut Config) {
    }
 }
 pub fn init_rate_limits(
    config: &Config,
 ) -> Result<HashMap<String, mpsc::SyncSender<rate_limits::Request>>, Error> {
    let mut corresp = HashMap::new();
    for endpoint in config.endpoint.iter() {
        if endpoint.is_used(config) {
            let mut limits = Vec::new();
            for l in endpoint.rate_limits.iter() {
                limits.push(config.get_rate_limit(l)?);
            }
            let mut rl = rate_limits::RateLimit::new(&limits)?;
            corresp.insert(endpoint.name.to_owned(), rl.get_sender());
            thread::spawn(move || rl.run());
        }
    }
    Ok(corresp)
 }
 pub fn from_file(file_name: &str) -> Result<Config, Error> {
    let path = PathBuf::from(file_name);
    let mut config = read_cnf(&path)?;
--- a/acmed/src/main.rs
+++ b/acmed/src/main.rs
@ -8,6 +8,7 @@ mod certificate;
 mod config;
 mod hooks;
 mod main_event_loop;
 mod rate_limits;
 mod storage;
 pub const APP_NAME: &str = "ACMEd";
@ -30,6 +31,8 @@ pub const DEFAULT_POOL_WAIT_SEC: u64 = 5;
 pub const DEFAULT_HTTP_FAIL_NB_RETRY: usize = 10;
 pub const DEFAULT_HTTP_FAIL_WAIT_SEC: u64 = 1;
 pub const DEFAULT_HOOK_ALLOW_FAILURE: bool = false;
 pub const MAX_RATE_LIMIT_SLEEP_MILISEC: u64 = 3_600_000;
 pub const MIN_RATE_LIMIT_SLEEP_MILISEC: u64 = 100;
 fn main() {
    let full_version = format!(
--- a/acmed/src/main_event_loop.rs
+++ b/acmed/src/main_event_loop.rs
@ -31,9 +31,20 @@ pub struct MainEventLoop {
 impl MainEventLoop {
    pub fn new(config_file: &str, root_certs: &[&str]) -> Result<Self, Error> {
        let cnf = config::from_file(config_file)?;
        let rate_limits_corresp = config::init_rate_limits(&cnf)?;
        let mut certs = Vec::new();
        for (i, crt) in cnf.certificate.iter().enumerate() {
            let ep_name = crt.get_endpoint_name(&cnf)?;
            let https_throttle = rate_limits_corresp
                .get(&ep_name)
                .ok_or_else(|| {
                    Error::from(format!(
                        "{}: rate limit not found for this endpoint",
                        ep_name
                    ))
                })?
                .to_owned();
            let cert = Certificate {
                account: crt.get_account(&cnf)?,
                domains: crt.domains.to_owned(),
@ -41,6 +52,7 @@ impl MainEventLoop {
                kp_reuse: crt.get_kp_reuse(),
                remote_url: crt.get_remote_url(&cnf)?,
                tos_agreed: crt.get_tos_agreement(&cnf)?,
                https_throttle,
                hooks: crt.get_hooks(&cnf)?,
                account_directory: cnf.get_account_dir(),
                crt_directory: crt.get_crt_dir(&cnf),
--- a/acmed/src/rate_limits.rs
+++ b/acmed/src/rate_limits.rs
@ -0,0 +1,188 @@
 use acme_common::error::Error;
 use nom::bytes::complete::take_while_m_n;
 use nom::character::complete::digit1;
 use nom::combinator::map_res;
 use nom::multi::fold_many1;
 use nom::IResult;
 use std::cmp;
 use std::sync::mpsc;
 use std::thread;
 use std::time::{Duration, Instant};
 pub enum Request {
    HttpsRequest,
 }
 pub struct RateLimit {
    limits: Vec<(usize, Duration)>,
    sender: mpsc::SyncSender<Request>,
    receiver: mpsc::Receiver<Request>,
    log: Vec<Instant>,
 }
 impl RateLimit {
    pub fn new(limits: &[(usize, String)]) -> Result<Self, Error> {
        let mut max_size = 0;
        let mut parsed_limits = Vec::new();
        for (nb, raw_duration) in limits.iter() {
            if *nb > max_size {
                max_size = *nb;
            }
            let parsed_duration = parse_duration(raw_duration)?;
            parsed_limits.push((*nb, parsed_duration));
        }
        parsed_limits.sort_by(|a, b| a.1.partial_cmp(&b.1).unwrap());
        parsed_limits.reverse();
        let (sender, receiver) = mpsc::sync_channel::<Request>(0);
        Ok(RateLimit {
            limits: parsed_limits,
            sender,
            receiver,
            log: Vec::with_capacity(max_size),
        })
    }
    pub fn get_sender(&self) -> mpsc::SyncSender<Request> {
        self.sender.clone()
    }
    pub fn run(&mut self) -> Result<(), Error> {
        let sleep_duration = self.get_sleep_duration();
        loop {
            self.prune_log();
            if self.request_allowed() {
                match self.receiver.recv()? {
                    Request::HttpsRequest => {
                        if !self.limits.is_empty() {
                            self.log.push(Instant::now());
                        }
                    }
                }
            } else {
                // TODO: find a better sleep duration
                thread::sleep(sleep_duration);
            }
        }
    }
    fn get_sleep_duration(&self) -> Duration {
        let (nb_req, min_duration) = match self.limits.last() {
            Some((n, d)) => (*n as u64, *d),
            None => {
                return Duration::from_millis(0);
            }
        };
        let nb_mili = match min_duration.as_secs() {
            0 | 1 => crate::MIN_RATE_LIMIT_SLEEP_MILISEC,
            n => {
                let a = n * 200 / nb_req;
                let a = cmp::min(a, crate::MAX_RATE_LIMIT_SLEEP_MILISEC);
                cmp::max(a, crate::MIN_RATE_LIMIT_SLEEP_MILISEC)
            }
        };
        Duration::from_millis(nb_mili)
    }
    fn request_allowed(&self) -> bool {
        for (max_allowed, duration) in self.limits.iter() {
            let max_date = Instant::now() - *duration;
            let nb_req = self.log.iter().filter(move |x| **x > max_date).count();
            if nb_req >= *max_allowed {
                return false;
            }
        }
        true
    }
    fn prune_log(&mut self) {
        if let Some((_, max_limit)) = self.limits.first() {
            let prune_date = Instant::now() - *max_limit;
            self.log.retain(move |&d| d > prune_date);
        }
    }
 }
 fn is_duration_chr(c: char) -> bool {
    c == 's' || c == 'm' || c == 'h' || c == 'd' || c == 'w'
 }
 fn get_multiplicator(input: &str) -> IResult<&str, u64> {
    let (input, nb) = take_while_m_n(1, 1, is_duration_chr)(input)?;
    let mult = match nb.chars().nth(0) {
        Some('s') => 1,
        Some('m') => 60,
        Some('h') => 3_600,
        Some('d') => 86_400,
        Some('w') => 604_800,
        _ => 0,
    };
    Ok((input, mult))
 }
 fn get_duration_part(input: &str) -> IResult<&str, Duration> {
    let (input, nb) = map_res(digit1, |s: &str| s.parse::<u64>())(input)?;
    let (input, mult) = get_multiplicator(input)?;
    Ok((input, Duration::from_secs(nb * mult)))
 }
 fn get_duration(input: &str) -> IResult<&str, Duration> {
    fold_many1(
        get_duration_part,
        Duration::new(0, 0),
        |mut acc: Duration, item| {
            acc += item;
            acc
        },
    )(input)
 }
 fn parse_duration(input: &str) -> Result<Duration, Error> {
    match get_duration(input) {
        Ok((r, d)) => match r.len() {
            0 => Ok(d),
            _ => Err(format!("{}: invalid duration", input).into()),
        },
        Err(_) => Err(format!("{}: invalid duration", input).into()),
    }
 }
 #[cfg(test)]
 mod tests {
    use super::{parse_duration, RateLimit};
    #[test]
    fn test_rate_limit_build() {
        let l = vec![
            (5, String::from("5s")),
            (12, String::from("2m")),
            (8, String::from("5m")),
            (1, String::from("1s")),
            (2, String::from("1m")),
        ];
        let rl = RateLimit::new(l.as_slice()).unwrap();
        let ref_t = (8_usize, parse_duration("5m").unwrap());
        assert_eq!(rl.limits.first(), Some(&ref_t));
        assert_eq!(rl.log.len(), 0);
        assert_eq!(rl.log.capacity(), 12);
    }
    #[test]
    fn test_parse_duration() {
        let lst = [
            ("42s", 42),
            ("21m", 1_260),
            ("3h", 10_800),
            ("2d", 172_800),
            ("1w", 604_800),
            ("42m30s", 2_550),
            ("30s42m", 2_550),
            ("3h5m12s", 11_112),
            ("40s2s", 42),
        ];
        for (fmt, ref_sec) in lst.iter() {
            let d = parse_duration(fmt);
            assert!(d.is_ok());
            assert_eq!(d.unwrap().as_secs(), *ref_sec);
        }
    }
 }
--- a/man/en/acmed.toml.5
+++ b/man/en/acmed.toml.5
@ -63,6 +63,18 @@ Specify the group who will own newly-created private-key files. See
 .Xr chown 2
 for more details.
 .El
 .It Ic rate-limit
 Array of table where each element defines a HTTPS rate limit.
 .Bl -tag
 .It Cm name Ar string
 The name the rate limit is registered under. Must be unique.
 .It Cm number Ar integer
 Number of requests authorized withing the time period.
 .It Cm period Ar string
 Period of time during which a maximal number of requests is authorized. The format is described in the
 .Sx TIME PERIODS
 section.
 .El
 .It Ic endpoint
 Array of table where each element defines a Certificate Authority
 .Pq CA
@ -70,11 +82,13 @@ which may be used to request certificates.
 .Bl -tag
 .It Cm name Ar string
 The name the endpoint is registered under. Must be unique.
 .It Cm url Ar string
 The endpoint's directory URL.
 .It Cm rate_limits Ar array
 Array containing the names of the HTTPS rate limits to apply.
 .It Cm tos_agreed Ar boolean
 Set whether or not the user agrees to the Terms Of Service
 .Pq TOS .
 .It Cm url Ar string
 The endpoint's directory URL.
 .El
 .It Ic hook
 Array of table where each element defines a command that will be launched at a defined point. See section
@ -442,6 +456,39 @@ If
 is not specified, it will be set to
 .Pa /run .
 .El
 .Sh TIME PERIODS
 ACMEd uses its own time period format, which is vaguely inspired by the ISO 8601 one. Periods are formatted as
 .Ar PM[PM...]
 where
 .Ar M
 is case sensitive character representing a length and
 .Ar P
 is an integer representing a multiplayer for the following length. The authorized length are:
 .Bl -dash -compact
 .It
 .Ar s :
 second
 .It
 .Ar m :
 minute
 .It
 .Ar h :
 hour
 .It
 .Ar d :
 day
 .It
 .Ar w :
 week
 .El
 The
 .Ar PM
 couples can be specified multiple times and in any order.
 .Pp
 For example,
 .Dq 1d42s and
 .Dq 40s20h4h2s
 both represents a period of one day and forty-two seconds.
 .Sh FILES
 .Bl -tag
 .It Pa /etc/acmed/acmed.toml