1// Copyright 2018 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package acme
6
7import (
8	"bytes"
9	"context"
10	"crypto"
11	"crypto/rand"
12	"encoding/json"
13	"fmt"
14	"io/ioutil"
15	"math/big"
16	"net/http"
17	"strconv"
18	"strings"
19	"time"
20)
21
22// retryTimer encapsulates common logic for retrying unsuccessful requests.
23// It is not safe for concurrent use.
24type retryTimer struct {
25	// backoffFn provides backoff delay sequence for retries.
26	// See Client.RetryBackoff doc comment.
27	backoffFn func(n int, r *http.Request, res *http.Response) time.Duration
28	// n is the current retry attempt.
29	n int
30}
31
32func (t *retryTimer) inc() {
33	t.n++
34}
35
36// backoff pauses the current goroutine as described in Client.RetryBackoff.
37func (t *retryTimer) backoff(ctx context.Context, r *http.Request, res *http.Response) error {
38	d := t.backoffFn(t.n, r, res)
39	if d <= 0 {
40		return fmt.Errorf("acme: no more retries for %s; tried %d time(s)", r.URL, t.n)
41	}
42	wakeup := time.NewTimer(d)
43	defer wakeup.Stop()
44	select {
45	case <-ctx.Done():
46		return ctx.Err()
47	case <-wakeup.C:
48		return nil
49	}
50}
51
52func (c *Client) retryTimer() *retryTimer {
53	f := c.RetryBackoff
54	if f == nil {
55		f = defaultBackoff
56	}
57	return &retryTimer{backoffFn: f}
58}
59
60// defaultBackoff provides default Client.RetryBackoff implementation
61// using a truncated exponential backoff algorithm,
62// as described in Client.RetryBackoff.
63//
64// The n argument is always bounded between 1 and 30.
65// The returned value is always greater than 0.
66func defaultBackoff(n int, r *http.Request, res *http.Response) time.Duration {
67	const max = 10 * time.Second
68	var jitter time.Duration
69	if x, err := rand.Int(rand.Reader, big.NewInt(1000)); err == nil {
70		// Set the minimum to 1ms to avoid a case where
71		// an invalid Retry-After value is parsed into 0 below,
72		// resulting in the 0 returned value which would unintentionally
73		// stop the retries.
74		jitter = (1 + time.Duration(x.Int64())) * time.Millisecond
75	}
76	if v, ok := res.Header["Retry-After"]; ok {
77		return retryAfter(v[0]) + jitter
78	}
79
80	if n < 1 {
81		n = 1
82	}
83	if n > 30 {
84		n = 30
85	}
86	d := time.Duration(1<<uint(n-1))*time.Second + jitter
87	if d > max {
88		return max
89	}
90	return d
91}
92
93// retryAfter parses a Retry-After HTTP header value,
94// trying to convert v into an int (seconds) or use http.ParseTime otherwise.
95// It returns zero value if v cannot be parsed.
96func retryAfter(v string) time.Duration {
97	if i, err := strconv.Atoi(v); err == nil {
98		return time.Duration(i) * time.Second
99	}
100	t, err := http.ParseTime(v)
101	if err != nil {
102		return 0
103	}
104	return t.Sub(timeNow())
105}
106
107// resOkay is a function that reports whether the provided response is okay.
108// It is expected to keep the response body unread.
109type resOkay func(*http.Response) bool
110
111// wantStatus returns a function which reports whether the code
112// matches the status code of a response.
113func wantStatus(codes ...int) resOkay {
114	return func(res *http.Response) bool {
115		for _, code := range codes {
116			if code == res.StatusCode {
117				return true
118			}
119		}
120		return false
121	}
122}
123
124// get issues an unsigned GET request to the specified URL.
125// It returns a non-error value only when ok reports true.
126//
127// get retries unsuccessful attempts according to c.RetryBackoff
128// until the context is done or a non-retriable error is received.
129func (c *Client) get(ctx context.Context, url string, ok resOkay) (*http.Response, error) {
130	retry := c.retryTimer()
131	for {
132		req, err := http.NewRequest("GET", url, nil)
133		if err != nil {
134			return nil, err
135		}
136		res, err := c.doNoRetry(ctx, req)
137		switch {
138		case err != nil:
139			return nil, err
140		case ok(res):
141			return res, nil
142		case isRetriable(res.StatusCode):
143			retry.inc()
144			resErr := responseError(res)
145			res.Body.Close()
146			// Ignore the error value from retry.backoff
147			// and return the one from last retry, as received from the CA.
148			if retry.backoff(ctx, req, res) != nil {
149				return nil, resErr
150			}
151		default:
152			defer res.Body.Close()
153			return nil, responseError(res)
154		}
155	}
156}
157
158// post issues a signed POST request in JWS format using the provided key
159// to the specified URL.
160// It returns a non-error value only when ok reports true.
161//
162// post retries unsuccessful attempts according to c.RetryBackoff
163// until the context is done or a non-retriable error is received.
164// It uses postNoRetry to make individual requests.
165func (c *Client) post(ctx context.Context, key crypto.Signer, url string, body interface{}, ok resOkay) (*http.Response, error) {
166	retry := c.retryTimer()
167	for {
168		res, req, err := c.postNoRetry(ctx, key, url, body)
169		if err != nil {
170			return nil, err
171		}
172		if ok(res) {
173			return res, nil
174		}
175		resErr := responseError(res)
176		res.Body.Close()
177		switch {
178		// Check for bad nonce before isRetriable because it may have been returned
179		// with an unretriable response code such as 400 Bad Request.
180		case isBadNonce(resErr):
181			// Consider any previously stored nonce values to be invalid.
182			c.clearNonces()
183		case !isRetriable(res.StatusCode):
184			return nil, resErr
185		}
186		retry.inc()
187		// Ignore the error value from retry.backoff
188		// and return the one from last retry, as received from the CA.
189		if err := retry.backoff(ctx, req, res); err != nil {
190			return nil, resErr
191		}
192	}
193}
194
195// postNoRetry signs the body with the given key and POSTs it to the provided url.
196// The body argument must be JSON-serializable.
197// It is used by c.post to retry unsuccessful attempts.
198func (c *Client) postNoRetry(ctx context.Context, key crypto.Signer, url string, body interface{}) (*http.Response, *http.Request, error) {
199	nonce, err := c.popNonce(ctx, url)
200	if err != nil {
201		return nil, nil, err
202	}
203	b, err := jwsEncodeJSON(body, key, nonce)
204	if err != nil {
205		return nil, nil, err
206	}
207	req, err := http.NewRequest("POST", url, bytes.NewReader(b))
208	if err != nil {
209		return nil, nil, err
210	}
211	req.Header.Set("Content-Type", "application/jose+json")
212	res, err := c.doNoRetry(ctx, req)
213	if err != nil {
214		return nil, nil, err
215	}
216	c.addNonce(res.Header)
217	return res, req, nil
218}
219
220// doNoRetry issues a request req, replacing its context (if any) with ctx.
221func (c *Client) doNoRetry(ctx context.Context, req *http.Request) (*http.Response, error) {
222	res, err := c.httpClient().Do(req.WithContext(ctx))
223	if err != nil {
224		select {
225		case <-ctx.Done():
226			// Prefer the unadorned context error.
227			// (The acme package had tests assuming this, previously from ctxhttp's
228			// behavior, predating net/http supporting contexts natively)
229			// TODO(bradfitz): reconsider this in the future. But for now this
230			// requires no test updates.
231			return nil, ctx.Err()
232		default:
233			return nil, err
234		}
235	}
236	return res, nil
237}
238
239func (c *Client) httpClient() *http.Client {
240	if c.HTTPClient != nil {
241		return c.HTTPClient
242	}
243	return http.DefaultClient
244}
245
246// isBadNonce reports whether err is an ACME "badnonce" error.
247func isBadNonce(err error) bool {
248	// According to the spec badNonce is urn:ietf:params:acme:error:badNonce.
249	// However, ACME servers in the wild return their versions of the error.
250	// See https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-5.4
251	// and https://github.com/letsencrypt/boulder/blob/0e07eacb/docs/acme-divergences.md#section-66.
252	ae, ok := err.(*Error)
253	return ok && strings.HasSuffix(strings.ToLower(ae.ProblemType), ":badnonce")
254}
255
256// isRetriable reports whether a request can be retried
257// based on the response status code.
258//
259// Note that a "bad nonce" error is returned with a non-retriable 400 Bad Request code.
260// Callers should parse the response and check with isBadNonce.
261func isRetriable(code int) bool {
262	return code <= 399 || code >= 500 || code == http.StatusTooManyRequests
263}
264
265// responseError creates an error of Error type from resp.
266func responseError(resp *http.Response) error {
267	// don't care if ReadAll returns an error:
268	// json.Unmarshal will fail in that case anyway
269	b, _ := ioutil.ReadAll(resp.Body)
270	e := &wireError{Status: resp.StatusCode}
271	if err := json.Unmarshal(b, e); err != nil {
272		// this is not a regular error response:
273		// populate detail with anything we received,
274		// e.Status will already contain HTTP response code value
275		e.Detail = string(b)
276		if e.Detail == "" {
277			e.Detail = resp.Status
278		}
279	}
280	return e.error(resp.Header)
281}
282