Integrate CertFetcher with flag-protection into AMP Packager. (#349)
* Update ACME config to include email address and acme challenge port. Update certcache to use certfetcher if cert autorenew is turned on. Update certloader.PopulateCertCache to instantiate certfetcher and pass it on to certcache instance.

* Add config file error checking for PopulateCertCache.

* Add more logic to handle initial conditions with invalid cert and to address comments from gregable@.

* Code refactor/cleanup involving certs.

* Add DNS and TLS challenges, added them to load from config, cleaned up autorenewcert config parsing.

* go mod tidy, go mod vendor updates

* Fixed CSR Loading, added it to config

* Fixed bugs with checking for cert expiry.

* Added support for saving the fetched certs to disk and for certs to be loaded by non-auto-renewing amppackager instances.

* Fixed gateway server call to certcache. Removed go module files inside gateway server dir. Re-ran go mod tidy.

* Fixed certcache_test.go after merge.

* Fixed bugs in certcache, also fixed unit test.

* Added locking for reading/writing certs.

* Ran go fmt on files that have incorrect formatting

* Fix twifkak first-pass comments except the logic change comment which I will address in a later commit.

* Fix twifkak comments for ocsp refresh logic and ocsp cache purge.

* Fix additional twifkak comments.

* Fix 2nd round of twifkak comments.

* Fix gregable@ comments.
banaag authored Nov 13, 2019
1 parent 76826b5 commit e416691
Showing 2,037 changed files with 356,444 additions and 178 deletions.
6 changes: 5 additions & 1 deletion cmd/amppkg/main.go
Expand Up @@ -28,6 +28,7 @@ import (

"github.com/pkg/errors"

"github.com/ampproject/amppackager/packager/certcache"
"github.com/ampproject/amppackager/packager/certloader"
"github.com/ampproject/amppackager/packager/healthz"
"github.com/ampproject/amppackager/packager/mux"
Expand All @@ -41,6 +42,9 @@ var flagConfig = flag.String("config", "amppkg.toml", "Path to the config toml f
var flagDevelopment = flag.Bool("development", false, "True if this is a development server.")
var flagInvalidCert = flag.Bool("invalidcert", false, "True if invalid certificate intentionally used in production.")

// IMPORTANT: do not turn on this flag for now, it's still under development.
var flagAutoRenewCert = flag.Bool("autorenewcert", false, "True if amppackager is to attempt cert auto-renewal.")

// Prints errors returned by pkg/errors with stack traces.
func die(err interface{}) { log.Fatalf("%+v", err) }

Expand Down Expand Up @@ -83,7 +87,7 @@ func main() {
die(errors.Wrap(err, "loading key file"))
}

certCache, err := certloader.PopulateCertCache(config, key, *flagDevelopment || *flagInvalidCert);
certCache, err := certcache.PopulateCertCache(config, key, *flagDevelopment || *flagInvalidCert, *flagAutoRenewCert)
if err != nil {
die(errors.Wrap(err, "building cert cache"))
}
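Review bot: The new PopulateCertCache call passes two adjacent positional bools, `*flagDevelopment || *flagInvalidCert` and `*flagAutoRenewCert`, and the compiler cannot catch them being transposed, even though the first one governs whether an invalid certificate is tolerated. Bind each to a named local (or pass an options struct) before the call. Nothing in this hunk says what happens when -autorenewcert is combined with -development or -invalidcert; either check that combination in main or add a comment stating that PopulateCertCache handles it.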
2 changes: 1 addition & 1 deletion cmd/gateway_server/server.go
Expand Up @@ -74,7 +74,7 @@ func (s *gatewayServer) GenerateSXG(ctx context.Context, request *pb.SXGRequest)
}

// Note: do not initialize certCache, we just want it to hold the certs for now.
certCache := certcache.New(certs, "");
certCache := certcache.New(certs, nil, []string{""}, "", "", "");

privateKey, err := util.ParsePrivateKey(request.PrivateKey)
if err != nil {
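Review bot: In the new certcache.New call, `[]string{""}` is a one-element slice holding an empty string, not an empty slice, so any code that ranges over or indexes that argument will see one blank entry; pass nil unless the blank entry is intended. The remaining positional arguments (nil and three empty strings) are unreadable at the call site, so extend the existing "do not initialize certCache" comment to name each parameter being left unset. The trailing `;` is also unnecessary in Go.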
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -15,6 +15,7 @@ require (
github.com/stretchr/testify v1.3.0
golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c
google.golang.org/grpc v1.20.1
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
gopkg.in/square/go-jose.v2 v2.3.1
)
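Review bot: go.mod gains a single requirement in this hunk, yet the commit lists 2,037 changed files and 356,444 additions, and the go.sum diff (79 additions) is not rendered, so the dependency changes cannot be reviewed from this page alongside the certificate-handling code. Land the `go mod tidy` / `go mod vendor` output as its own commit so the dependency delta and the logic change can each be read in isolation.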
79 changes: 79 additions & 0 deletions go.sum

Large diffs are not rendered by default.
