Merge pull request #1 from ryokdy/merge-mar-2020

Merge auto-ssl/lua-resty-auto-ssl
ryokdy · Jun 26, 2020 · 45bf5a9 · 45bf5a9
2 parents c48b202 + 6bb07db
commit 45bf5a9
Show file tree

Hide file tree

Showing 74 changed files with 3,986 additions and 4,114 deletions.
diff --git a/.busted b/.busted
@@ -0,0 +1,16 @@
+-- vi: set ft=lua:
+
+return {
+  _all = {
+    lua = "spec/support/resty",
+    output = "gtest",
+
+    -- Randomize test order.
+    ["shuffle-files"] = true,
+    ["shuffle-tests"] = true,
+
+    -- Disable auto-insulate so we can persist processes (like redis and ngrok)
+    -- across test files.
+    ["auto-insulate"] = false,
+  },
+}
diff --git a/.dockerignore b/.dockerignore
@@ -1,3 +1,4 @@
 .git
 build
 t/run
+spec/tmp
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,43 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - "*"
+  pull_request:
+    branches:
+      - "*"
+  schedule:
+    - cron: "18 7 * * *"
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        variant:
+          - centos
+          - alpine
+          - ubuntu
+          - openresty1.13
+          - lua51
+    steps:
+      - uses: actions/checkout@v1
+      - name: Build Container
+        run: docker-compose build ${{ matrix.variant }}
+      - name: Lint
+        run: docker-compose run --rm ${{ matrix.variant }} make lint
+      - name: Test
+        run: docker-compose run --name "${{ matrix.variant }}-test" ${{ matrix.variant }} make test
+      - name: Copy Artifacts
+        if: always()
+        run: |
+          rm -rf /tmp/resty-auto-ssl-test
+          docker cp ${{ matrix.variant }}-test:/tmp/resty-auto-ssl-test /tmp/resty-auto-ssl-test
+      - name: Upload Artifacts
+        if: always()
+        uses: actions/upload-artifact@v1
+        with:
+          name: "${{ matrix.variant }}-logs"
+          path: /tmp/resty-auto-ssl-test
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,5 @@
 /build
 /lib/resty/auto-ssl/vendor/*
-/t/run
+/lua-resty-auto-ssl-*
+!/lua-resty-auto-ssl-*.rockspec
+/spec/tmp
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,65 @@
 # lua-resty-auto-ssl Change Log
 
+## 0.13.1 - 2019-10-01
+
+### Changed
+- Eliminate dependency on GNU version of the `date` command line utility to improve compatibility with Alpine Linux, BSDs, and others. Fixes warnings that may have started getting logged in v0.13.0. ([#196](https://github.com/GUI/lua-resty-auto-ssl/pull/196), [#195](https://github.com/GUI/lua-resty-auto-ssl/issues/195))
+- Enable PCRE-JIT compilation of regular expressions used in code.
+
+## 0.13.0 - 2019-09-30
+
+### Upgrade Notes
+
+This version upgrades the bundled version of the dehydrated library to fix certificate registration due to recent changes in the Let's Encrypt service. It also brings support for ACMEv2 which will be required for new account registration in November. Upgrading is recommended or certificate registration and renewal may fail. See [#192](https://github.com/GUI/lua-resty-auto-ssl/issues/192), [#189](https://github.com/GUI/lua-resty-auto-ssl/issues/189) for more details.
+
+### Added
+- Allow for additional Redis connect options to be specified. ([#191](https://github.com/GUI/lua-resty-auto-ssl/issues/191))
+- Pass `ssl_options` and `renewal` arguments to the `allow_domain` callback. Thanks to [@gohai](https://github.com/gohai). ([#123](https://github.com/GUI/lua-resty-auto-ssl/pull/123), [#176](https://github.com/GUI/lua-resty-auto-ssl/pull/176))
+- Add support for specifying HTTP proxy options for OCSP requests. Thanks to [@Unknown22](https://github.com/Unknown22). ([#133](https://github.com/GUI/lua-resty-auto-ssl/pull/133))
+
+### Changed
+- Upgrade dehydrated to v0.6.5. This fixes "badNonce" errors cropping up since 2019-09-23 and also supports ACMEv2 which will be required for new account registration in November. Thanks to [@luto](https://github.com/luto). ([#190](https://github.com/GUI/lua-resty-auto-ssl/pull/190), [#192](https://github.com/GUI/lua-resty-auto-ssl/issues/192), [#189](https://github.com/GUI/lua-resty-auto-ssl/issues/189))
+- Check whether domains are allowed (by calling `allow_domain` callback) on renewals. Thanks to [@yveslaroche](https://github.com/yveslaroche). ([#176](https://github.com/GUI/lua-resty-auto-ssl/pull/176))
+- Remove certificates that cannot be successfully renewed. Thanks to [@gohai](https://github.com/gohai). ([#128](https://github.com/GUI/lua-resty-auto-ssl/pull/128))
+- Don't store backups of previous versions of certificates. Thanks to [@gohai](https://github.com/gohai). ([#124](https://github.com/GUI/lua-resty-auto-ssl/pull/124))
+- Cleanup unused cert files after successfully adding certs to permanent storage. Thanks to [@gohai](https://github.com/gohai). ([#155](https://github.com/GUI/lua-resty-auto-ssl/pull/155))
+- Randomize order of certificate renewal processing. Thanks to [@luto](https://github.com/luto). ([#154](https://github.com/GUI/lua-resty-auto-ssl/pull/154))
+- Upgrade sockproc to newer version to fix compiling under FreeBSD. Thanks to [@imerr](https://github.com/imerr). ([#118](https://github.com/GUI/lua-resty-auto-ssl/pull/118))
+- Improve shell command escaping and handling. This could potentially fix issues if trying to store files in directories with spaces in the name. ([#175](https://github.com/GUI/lua-resty-auto-ssl/pull/175))
+- Switch the test suite to be written in Lua to better align with the code base, and hopefully make it easier to debug and maintain. ([#193](https://github.com/GUI/lua-resty-auto-ssl/pull/193))
+
+### Fixed
+- Fix documentation errors. Thanks to [@jfreax](https://github.com/jfreax), [@Ephemera](https://github.com/Ephemera). ([#118](https://github.com/GUI/lua-resty-auto-ssl/pull/120), [#183](https://github.com/GUI/lua-resty-auto-ssl/pull/183))
+
+## 0.12.0 - 2018-02-04
+
+### Upgrade Notes
+
+This version upgrades the bundled version of the dehydrated library to deal with recent redirect changes in the Let's Encrypt service. The issue could lead to certificate registration failures in dehydrated and quota exhaustion, so upgrading is recommended. See [4aed490](https://github.com/GUI/lua-resty-auto-ssl/commit/4aed490c1d76b8bf09a8151aad2373c3e0cac6ce) or https://community.letsencrypt.org/t/dehydrated-caused-rate-limits-to-be-reached/52477/2 for more details.
+
+### Added
+- Allow for the Redis `db` number to be configured. Thanks to [@RainFlying](https://github.com/RainFlying). ([#103](https://github.com/GUI/lua-resty-auto-ssl/pull/103))
+- Expose the storage adapter instance in the `allow_domain` callback so the Redis connection can be reused. ([#38](https://github.com/GUI/lua-resty-auto-ssl/issues/38))
+- Add `generate_certs` option to allow for disabling SSL certification generation within specific server blocks. Thanks to [@mklauber](https://github.com/mklauber). ([#91](https://github.com/GUI/lua-resty-auto-ssl/issues/91), [#92](https://github.com/GUI/lua-resty-auto-ssl/pull/92))
+- Add `json_adapter` option for choosing a different JSON encoder/decoder library. Thanks to [@meyskens](https://github.com/meyskens). ([#85](https://github.com/GUI/lua-resty-auto-ssl/pull/85), [#84](https://github.com/GUI/lua-resty-auto-ssl/issues/84))
+
+### Changed
+- Upgrade dehydrated to latest version from master to fix recent redirect changes in Let's Encrypt. The issue could lead to certificate registration failures in dehydrated and quota exhaustion. ([4aed490](https://github.com/GUI/lua-resty-auto-ssl/commit/4aed490c1d76b8bf09a8151aad2373c3e0cac6ce))
+- Make the renewal process more efficient so the dehydrated shell script is only executed when certificates are up for renewal (rather than every night). This can reduce CPU usage in environments with lots of certificates. Thanks to [@brianlund](https://github.com/brianlund). ([#111](https://github.com/GUI/lua-resty-auto-ssl/pull/111), [#110](https://github.com/GUI/lua-resty-auto-ssl/issues/110))
+- Only call the `allow_domain` callback if a certificate is not present in shared memory. This may improve efficiency in cases where the `allow_domain` callback is more costly or takes longer. Thanks to [@gohai](https://github.com/gohai). ([#107](https://github.com/GUI/lua-resty-auto-ssl/pull/107))
+- The internal APIs for `storage:get_cert()` and `ssl_provider.issue_cert()` has changed to return a single table of data instead of multiple values (so it's easier to pass along other metadata).
+
+### Deprecated
+- If accessing the storage object off of the auto-ssl instance, use `auto_ssl.storage` instead of `auto_ssl:get("storage")`.
+
+### Fixed
+- Fix renewals when using the file adapter and too many certificate files were present for shell globbing ([#109](https://github.com/GUI/lua-resty-auto-ssl/issues/109))
+
+## 0.11.1 - 2017-11-17
+
+### Fixed
+- Update dehydrated to v0.4.0 to account for new [Let's Encrypt Subscriber Agreement](https://letsencrypt.org/documents/2017.11.15-LE-SA-v1.2.pdf) as of November 15, 2017. This would lead to certificate registration errors for new users (but should not have affected existing lua-resty-auto-ssl users). ([#13](https://github.com/GUI/lua-resty-auto-ssl/issues/13), [#104](https://github.com/GUI/lua-resty-auto-ssl/issues/104))
+
 ## 0.11.0 - 2017-06-18
 
 ### Upgrade Notes

diff --git a/Dockerfile-test b/Dockerfile-test
@@ -1,33 +1,43 @@
-FROM alpine:latest
-
-RUN \
-  # Test dependencies
-  apk add \
-    --no-cache \
-    build-base \
-    findutils \
-    pcre-dev \
-    perl-dev \
-    procps \
+FROM openresty/openresty:1.15.8.1-4-centos
+
+# Runtime dependencies
+RUN yum -y install \
+  bash \
+  coreutils \
+  curl \
+  diffutils \
+  grep \
+  openssl \
+  sed
+
+# Build dependencies.
+RUN yum -y install make
+
+# Dependencies for the release process.
+RUN yum -y install git zip
+
+# Test dependencies
+RUN yum -y install epel-release && \
+  yum -y install \
+    gcc \
+    git \
+    lsof \
+    lua \
+    procps-ng \
     redis \
     sudo \
-    zlib-dev && \
-  # Runtime dependencies
-  apk add \
-    --no-cache \
-    bash \
-    coreutils \
-    curl \
-    diffutils \
-    grep \
-    openssl \
-    sed && \
-  # Even though we install full pkill (via the procps package, which we do for
-  # "-U" support in our tests), the /usr/bin version that symlinks BusyBox's
-  # more limited pkill version takes precedence. So manually remove this
-  # BusyBox symlink to the full pkill version is used.
-  if [ -L /usr/bin/pkill ]; then rm /usr/bin/pkill; fi
+    https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm
 
 RUN mkdir /app
 WORKDIR /app
+
+COPY Makefile /app/Makefile
+RUN make install-test-deps
+
+ENV PATH="/tmp/resty-auto-ssl-test-luarocks/bin:${PATH}"
+ENV LUA_PATH="/tmp/resty-auto-ssl-test-luarocks/share/lua/5.1/?.lua;/tmp/resty-auto-ssl-test-luarocks/share/lua/5.1/?/init.lua;${LUA_PATH}"
+ENV LUA_CPATH="/tmp/resty-auto-ssl-test-luarocks/lib/lua/5.1/?.so;${LUA_CPATH}"
+
 COPY . /app
+
+CMD ["bash"]
diff --git a/Dockerfile-test-alpine b/Dockerfile-test-alpine
@@ -0,0 +1,45 @@
+FROM openresty/openresty:1.15.8.2-1-alpine-fat
+
+RUN mkdir /app
+WORKDIR /app
+
+# Runtime dependencies
+RUN apk add --no-cache \
+    bash \
+    curl \
+    diffutils \
+    grep \
+    openssl \
+    sed
+
+# Build dependencies.
+RUN apk add --no-cache \
+  make
+
+# Test dependencies
+RUN apk add --no-cache \
+    findutils \
+    gcc \
+    git \
+    lsof \
+    lua \
+    procps \
+    redis \
+    sudo \
+    tzdata \
+    wget && \
+  curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/a/naDTyS8Kyxv/ngrok-2.3.34-linux-386.tar.gz && \
+  tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+  rm -f /tmp/ngrok.tar.gz && \
+  chmod +x /usr/local/bin/ngrok
+
+COPY Makefile /app/Makefile
+RUN make install-test-deps
+
+ENV PATH="/tmp/resty-auto-ssl-test-luarocks/bin:${PATH}"
+ENV LUA_PATH="/tmp/resty-auto-ssl-test-luarocks/share/lua/5.1/?.lua;/tmp/resty-auto-ssl-test-luarocks/share/lua/5.1/?/init.lua;${LUA_PATH}"
+ENV LUA_CPATH="/tmp/resty-auto-ssl-test-luarocks/lib/lua/5.1/?.so;${LUA_CPATH}"
+
+COPY . /app
+
+CMD ["bash"]
diff --git a/Dockerfile-test-lua51 b/Dockerfile-test-lua51
@@ -0,0 +1,44 @@
+FROM openresty/openresty:1.11.2.1-centos
+
+# Runtime dependencies
+RUN yum -y install \
+  bash \
+  coreutils \
+  curl \
+  diffutils \
+  grep \
+  openssl \
+  sed
+
+# Build dependencies.
+RUN yum -y install make
+
+# Test dependencies
+RUN yum -y install epel-release && \
+  yum -y install \
+    gcc \
+    git \
+    lsof \
+    lua \
+    procps-ng \
+    redis \
+    sudo \
+    https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm
+
+ENV PATH /usr/local/openresty/luajit/bin:/usr/local/openresty/bin:/usr/local/openresty/nginx/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV TEST_NGINX_RESOLVER 127.0.0.11 ipv6=off
+
+RUN mkdir /app
+WORKDIR /app
+
+COPY Makefile /app/Makefile
+RUN make install-test-deps
+
+ENV PATH="/tmp/resty-auto-ssl-test-luarocks/bin:${PATH}"
+ENV LUA_PATH="/tmp/resty-auto-ssl-test-luarocks/share/lua/5.1/?.lua;/tmp/resty-auto-ssl-test-luarocks/share/lua/5.1/?/init.lua;;"
+ENV LUA_CPATH="/tmp/resty-auto-ssl-test-luarocks/lib/lua/5.1/?.so;;"
+
+COPY . /app
+
+ENTRYPOINT []
+CMD ["bash"]
diff --git a/Dockerfile-test-openresty1.13 b/Dockerfile-test-openresty1.13
@@ -0,0 +1,40 @@
+FROM openresty/openresty:1.13.6.2-2-centos
+
+# Runtime dependencies
+RUN yum -y install \
+  bash \
+  coreutils \
+  curl \
+  diffutils \
+  grep \
+  openssl \
+  sed
+
+# Build dependencies.
+RUN yum -y install make
+
+# Test dependencies
+RUN yum -y install epel-release && \
+  yum -y install \
+    gcc \
+    git \
+    lsof \
+    lua \
+    procps-ng \
+    redis \
+    sudo \
+    https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm
+
+RUN mkdir /app
+WORKDIR /app
+
+COPY Makefile /app/Makefile
+RUN make install-test-deps
+
+ENV PATH="/tmp/resty-auto-ssl-test-luarocks/bin:${PATH}"
+ENV LUA_PATH="/tmp/resty-auto-ssl-test-luarocks/share/lua/5.1/?.lua;/tmp/resty-auto-ssl-test-luarocks/share/lua/5.1/?/init.lua;${LUA_PATH}"
+ENV LUA_CPATH="/tmp/resty-auto-ssl-test-luarocks/lib/lua/5.1/?.so;${LUA_CPATH}"
+
+COPY . /app
+
+CMD ["bash"]
diff --git a/Dockerfile-test-ubuntu b/Dockerfile-test-ubuntu
@@ -0,0 +1,45 @@
+FROM openresty/openresty:1.15.8.2-1-bionic
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# Runtime dependencies
+RUN apt-get update && \
+  apt-get -y install \
+    bash \
+    coreutils \
+    curl \
+    diffutils \
+    grep \
+    openssl \
+    sed
+
+# Build dependencies.
+RUN apt-get update && \
+  apt-get -y install make
+
+# Test dependencies
+RUN apt-get update && \
+  apt-get -y install \
+    git \
+    lsof \
+    lua5.2 \
+    redis-server \
+    sudo \
+    tzdata && \
+  curl -fsSL -o /tmp/ngrok.deb https://bin.equinox.io/a/b2wQezFbsHk/ngrok-2.3.34-linux-amd64.deb && \
+  dpkg -i /tmp/ngrok.deb || apt-get -fy install && \
+  rm -f /tmp/ngrok.deb
+
+RUN mkdir /app
+WORKDIR /app
+
+COPY Makefile /app/Makefile
+RUN make install-test-deps
+
+ENV PATH="/tmp/resty-auto-ssl-test-luarocks/bin:${PATH}"
+ENV LUA_PATH="/tmp/resty-auto-ssl-test-luarocks/share/lua/5.1/?.lua;/tmp/resty-auto-ssl-test-luarocks/share/lua/5.1/?/init.lua;${LUA_PATH}"
+ENV LUA_CPATH="/tmp/resty-auto-ssl-test-luarocks/lib/lua/5.1/?.so;${LUA_CPATH}"
+
+COPY . /app
+
+CMD ["bash"]