chore(acme): use Uri when possible

Author: gmelodie

libp2p/autotls/acme/api.nim

@@ -1,4 +1,4 @@
-import options, base64, sequtils, strutils, json
+import options, base64, sequtils, strutils, json, uri
 from times import DateTime, parse
 import chronos/apps/http/httpclient, jwt, results, bearssl/pem
 
@@ -32,7 +32,7 @@ type ACMEDirectory* = object
 type ACMEApi* = ref object of RootObj
   directory: ACMEDirectory
   session: HttpSessionRef
-  acmeServerURL*: string
+  acmeServerURL*: Uri
 
 type HTTPResponse* = object
   body*: JsonNode
@@ -51,22 +51,24 @@ type ACMERequestType = enum
 type ACMERequestHeader = object
   alg: string
   typ: string
-  nonce: string
+  nonce: Nonce
   url: string
   case kind: ACMERequestType
   of ACMEJwkRequest:
     jwk: JWK
   of ACMEKidRequest:
     kid: Kid
 
+type Email = string
+
 type ACMERegisterRequest* = object
   termsOfServiceAgreed: bool
-  contact: seq[string]
+  contact: seq[Email]
 
 type ACMEAccountStatus = enum
-  valid
-  deactivated
-  revoked
+  valid = "valid"
+  deactivated = "deactivated"
+  revoked = "revoked"
 
 type ACMERegisterResponseBody = object
   status*: ACMEAccountStatus
@@ -81,11 +83,18 @@ type ACMEChallengeStatus* {.pure.} = enum
   valid = "valid"
   invalid = "invalid"
 
+type ACMEChallengeType* {.pure.} = enum
+  dns01 = "dns-01"
+  http01 = "http-01"
+  tlsalpn01 = "tls-alpn-01"
+
+type ACMEChallengeToken* = string
+
 type ACMEChallenge = object
   url*: string
-  `type`*: string
+  `type`*: ACMEChallengeType
   status*: ACMEChallengeStatus
-  token*: string
+  token*: ACMEChallengeToken
 
 type ACMEChallengeIdentifier = object
   `type`: string
@@ -96,18 +105,18 @@ type ACMEChallengeRequest = object
 
 type ACMEChallengeResponseBody = object
   status: ACMEChallengeStatus
-  authorizations: seq[string]
+  authorizations: seq[Authorization]
   finalize: string
 
 type ACMEChallengeResponse* = object
   status*: ACMEChallengeStatus
-  authorizations*: seq[string]
+  authorizations*: seq[Authorization]
   finalize*: string
-  orderURL*: string
+  order*: string
 
 type ACMEChallengeResponseWrapper* = object
-  finalizeURL*: string
-  orderURL*: string
+  finalize*: string
+  order*: string
   dns01*: ACMEChallenge
 
 type ACMEAuthorizationsResponse* = object
@@ -163,24 +172,26 @@ template handleError*(msg: string, body: untyped): untyped =
     raise newException(ACMEError, msg & ": Unexpected error", exc)
 
 method post*(
-  self: ACMEApi, url: string, payload: string
+  self: ACMEApi, uri: Uri, payload: string
 ): Future[HTTPResponse] {.
   async: (raises: [ACMEError, HttpError, CancelledError]), base
 .}
 
 method get*(
-  self: ACMEApi, url: string
+  self: ACMEApi, uri: Uri
 ): Future[HTTPResponse] {.
   async: (raises: [ACMEError, HttpError, CancelledError]), base
 .}
 
 proc new*(
-    T: typedesc[ACMEApi], acmeServerURL: string = LetsEncryptURL
+    T: typedesc[ACMEApi], acmeServerURL: Uri = parseUri(LetsEncryptURL)
 ): Future[ACMEApi] {.async: (raises: [ACMEError, CancelledError]).} =
   let session = HttpSessionRef.new()
   let directory = handleError("new API"):
-    let rawResponse =
-      await HttpClientRequestRef.get(session, acmeServerURL & "/directory").get().send()
+    let rawResponse = await HttpClientRequestRef
+    .get(session, $(acmeServerURL / "directory"))
+    .get()
+    .send()
     let body = await rawResponse.getResponseBody()
     body.to(ACMEDirectory)
 
@@ -190,12 +201,12 @@ method requestNonce*(
     self: ACMEApi
 ): Future[Nonce] {.async: (raises: [ACMEError, CancelledError]), base.} =
   handleError("requestNonce"):
-    let acmeResponse = await self.get(self.directory.newNonce)
+    let acmeResponse = await self.get(parseUri(self.directory.newNonce))
     Nonce(acmeResponse.headers.keyOrError("Replay-Nonce"))
 
 # TODO: save n and e in account so we don't have to recalculate every time
 proc acmeHeader(
-    self: ACMEApi, url: string, key: KeyPair, needsJwk: bool, kid: Opt[Kid]
+    self: ACMEApi, uri: Uri, key: KeyPair, needsJwk: bool, kid: Opt[Kid]
 ): Future[ACMERequestHeader] {.async: (raises: [ACMEError, CancelledError]).} =
   if not needsJwk and kid.isNone:
     raise newException(ACMEError, "kid not set")
@@ -213,7 +224,7 @@ proc acmeHeader(
       alg: Alg,
       typ: "JWT",
       nonce: newNonce,
-      url: url,
+      url: $uri,
       jwk: JWK(kty: "RSA", n: base64UrlEncode(nArray), e: base64UrlEncode(eArray)),
     )
   else:
@@ -222,34 +233,34 @@ proc acmeHeader(
       alg: Alg,
       typ: "JWT",
       nonce: newNonce,
-      url: url,
+      url: $uri,
       kid: kid.get(),
     )
 
 method post*(
-    self: ACMEApi, url: string, payload: string
+    self: ACMEApi, uri: Uri, payload: string
 ): Future[HTTPResponse] {.
     async: (raises: [ACMEError, HttpError, CancelledError]), base
 .} =
   let rawResponse = await HttpClientRequestRef
-  .post(self.session, url, body = payload, headers = ACMEHttpHeaders)
+  .post(self.session, $uri, body = payload, headers = ACMEHttpHeaders)
   .get()
   .send()
   let body = await rawResponse.getResponseBody()
   HTTPResponse(body: body, headers: rawResponse.headers)
 
 method get*(
-    self: ACMEApi, url: string
+    self: ACMEApi, uri: Uri
 ): Future[HTTPResponse] {.
     async: (raises: [ACMEError, HttpError, CancelledError]), base
 .} =
-  let rawResponse = await HttpClientRequestRef.get(self.session, url).get().send()
+  let rawResponse = await HttpClientRequestRef.get(self.session, $uri).get().send()
   let body = await rawResponse.getResponseBody()
   HTTPResponse(body: body, headers: rawResponse.headers)
 
 proc createSignedAcmeRequest(
     self: ACMEApi,
-    url: string,
+    uri: Uri,
     payload: auto,
     key: KeyPair,
     needsJwk: bool = false,
@@ -258,7 +269,7 @@ proc createSignedAcmeRequest(
   if key.pubkey.scheme != PKScheme.RSA or key.seckey.scheme != PKScheme.RSA:
     raise newException(ACMEError, "Unsupported signing key type")
 
-  let acmeHeader = await self.acmeHeader(url, key, needsJwk, kid)
+  let acmeHeader = await self.acmeHeader(uri, key, needsJwk, kid)
   handleError("createSignedAcmeRequest"):
     var token = toJWT(%*{"header": acmeHeader, "claims": payload})
     let derPrivKey = key.seckey.rsakey.getBytes.get
@@ -272,62 +283,69 @@ proc requestRegister*(
   let registerRequest = ACMERegisterRequest(termsOfServiceAgreed: true)
   handleError("acmeRegister"):
     let payload = await self.createSignedAcmeRequest(
-      self.directory.newAccount, registerRequest, key, needsJwk = true
+      parseUri(self.directory.newAccount), registerRequest, key, needsJwk = true
     )
-    let acmeResponse = await self.post(self.directory.newAccount, payload)
+    let acmeResponse = await self.post(parseUri(self.directory.newAccount), payload)
     let acmeResponseBody = acmeResponse.body.to(ACMERegisterResponseBody)
 
     ACMERegisterResponse(
       status: acmeResponseBody.status, kid: acmeResponse.headers.keyOrError("location")
     )
 
 proc requestNewOrder*(
-    self: ACMEApi, domains: seq[string], key: KeyPair, kid: Kid
+    self: ACMEApi, domains: seq[Domain], key: KeyPair, kid: Kid
 ): Future[ACMEChallengeResponse] {.async: (raises: [ACMEError, CancelledError]).} =
   # request challenge from ACME server
   let orderRequest = ACMEChallengeRequest(
     identifiers: domains.mapIt(ACMEChallengeIdentifier(`type`: "dns", value: it))
   )
   handleError("requestNewOrder"):
     let payload = await self.createSignedAcmeRequest(
-      self.directory.newOrder, orderRequest, key, kid = Opt.some(kid)
+      parseUri(self.directory.newOrder), orderRequest, key, kid = Opt.some(kid)
     )
-    let acmeResponse = await self.post(self.directory.newOrder, payload)
-
+    let acmeResponse = await self.post(parseUri(self.directory.newOrder), payload)
     let challengeResponseBody = acmeResponse.body.to(ACMEChallengeResponseBody)
     if challengeResponseBody.authorizations.len() == 0:
       raise newException(ACMEError, "Authorizations field is empty")
     ACMEChallengeResponse(
       status: challengeResponseBody.status,
       authorizations: challengeResponseBody.authorizations,
       finalize: challengeResponseBody.finalize,
-      orderURL: acmeResponse.headers.keyOrError("location"),
+      order: acmeResponse.headers.keyOrError("location"),
     )
 
 proc requestAuthorizations*(
     self: ACMEApi, authorizations: seq[Authorization], key: KeyPair, kid: Kid
 ): Future[ACMEAuthorizationsResponse] {.async: (raises: [ACMEError, CancelledError]).} =
   handleError("requestAuthorizations"):
     doAssert authorizations.len > 0
-    let acmeResponse = await self.get(authorizations[0])
+    let acmeResponse = await self.get(parseUri(authorizations[0]))
     acmeResponse.body.to(ACMEAuthorizationsResponse)
 
 proc requestChallenge*(
     self: ACMEApi, domains: seq[Domain], key: KeyPair, kid: Kid
 ): Future[ACMEChallengeResponseWrapper] {.async: (raises: [ACMEError, CancelledError]).} =
   let challengeResponse = await self.requestNewOrder(domains, key, kid)
+  if challengeResponse.status != ACMEChallengeStatus.pending:
+    raise newException(
+      ACMEError, "Invalid new challenge status: " & $challengeResponse.status
+    )
 
   let authorizationsResponse =
     await self.requestAuthorizations(challengeResponse.authorizations, key, kid)
+  if authorizationsResponse.challenges.len == 0:
+    raise newException(ACMEError, "No challenges received")
 
   return ACMEChallengeResponseWrapper(
-    finalizeURL: challengeResponse.finalize,
-    orderURL: challengeResponse.orderURL,
-    dns01: authorizationsResponse.challenges.filterIt(it.`type` == "dns-01")[0],
+    finalize: challengeResponse.finalize,
+    order: challengeResponse.order,
+    dns01: authorizationsResponse.challenges.filterIt(
+      it.`type` == ACMEChallengeType.dns01
+    )[0],
   )
 
 proc requestCheck*(
-    self: ACMEApi, checkURL: string, checkKind: ACMECheckKind, key: KeyPair, kid: Kid
+    self: ACMEApi, checkURL: Uri, checkKind: ACMECheckKind, key: KeyPair, kid: Kid
 ): Future[ACMECheckResponse] {.async: (raises: [ACMEError, CancelledError]).} =
   handleError("requestCheck"):
     let acmeResponse = await self.get(checkURL)
@@ -362,7 +380,7 @@ proc requestCheck*(
         )
 
 proc requestCompleted*(
-    self: ACMEApi, chalURL: string, key: KeyPair, kid: Kid
+    self: ACMEApi, chalURL: Uri, key: KeyPair, kid: Kid
 ): Future[ACMECompletedResponse] {.async: (raises: [ACMEError, CancelledError]).} =
   handleError("requestCompleted (send notify)"):
     let payload =
@@ -372,7 +390,7 @@ proc requestCompleted*(
 
 proc checkChallengeCompleted*(
     self: ACMEApi,
-    checkURL: string,
+    checkURL: Uri,
     key: KeyPair,
     kid: Kid,
     retries: int = DefaultChalCompletedRetries,
@@ -394,7 +412,7 @@ proc checkChallengeCompleted*(
 
 proc completeChallenge*(
     self: ACMEApi,
-    chalURL: string,
+    chalURL: Uri,
     key: KeyPair,
     kid: Kid,
     retries: int = DefaultChalCompletedRetries,
@@ -404,28 +422,28 @@ proc completeChallenge*(
   return await self.checkChallengeCompleted(chalURL, key, kid, retries = retries)
 
 proc requestFinalize*(
-    self: ACMEApi, domain: string, finalizeURL: string, key: KeyPair, kid: Kid
+    self: ACMEApi, domain: Domain, finalize: Uri, key: KeyPair, kid: Kid
 ): Future[ACMEFinalizeResponse] {.async: (raises: [ACMEError, CancelledError]).} =
   let derCSR = createCSR(domain)
   let b64CSR = base64.encode(derCSR.toSeq, safe = true)
 
   handleError("requestFinalize"):
     let payload = await self.createSignedAcmeRequest(
-      finalizeURL, %*{"csr": b64CSR}, key, kid = Opt.some(kid)
+      finalize, %*{"csr": b64CSR}, key, kid = Opt.some(kid)
     )
-    let acmeResponse = await self.post(finalizeURL, payload)
+    let acmeResponse = await self.post(finalize, payload)
     # server responds with updated order response
     acmeResponse.body.to(ACMEFinalizeResponse)
 
 proc checkCertFinalized*(
     self: ACMEApi,
-    orderURL: string,
+    order: Uri,
     key: KeyPair,
     kid: Kid,
     retries: int = DefaultChalCompletedRetries,
 ): Future[bool] {.async: (raises: [ACMEError, CancelledError]).} =
   for i in 0 .. retries:
-    let checkResponse = await self.requestCheck(orderURL, ACMEOrderCheck, key, kid)
+    let checkResponse = await self.requestCheck(order, ACMEOrderCheck, key, kid)
     case checkResponse.orderStatus
     of ACMEOrderStatus.valid:
       return true
@@ -443,28 +461,28 @@ proc checkCertFinalized*(
 
 proc certificateFinalized*(
     self: ACMEApi,
-    domain: string,
-    finalizeURL: string,
-    orderURL: string,
+    domain: Domain,
+    finalize: Uri,
+    order: Uri,
     key: KeyPair,
     kid: Kid,
     retries: int = DefaultFinalizeRetries,
 ): Future[bool] {.async: (raises: [ACMEError, CancelledError]).} =
-  let finalizeResponse = await self.requestFinalize(domain, finalizeURL, key, kid)
+  let finalizeResponse = await self.requestFinalize(domain, finalize, key, kid)
   # keep checking order until cert is valid (done)
-  return await self.checkCertFinalized(orderURL, key, kid, retries = retries)
+  return await self.checkCertFinalized(order, key, kid, retries = retries)
 
 proc requestGetOrder*(
-    self: ACMEApi, orderURL: string
+    self: ACMEApi, order: Uri
 ): Future[ACMEOrderResponse] {.async: (raises: [ACMEError, CancelledError]).} =
   handleError("requestGetOrder"):
-    let acmeResponse = await self.get(orderURL)
+    let acmeResponse = await self.get(order)
     acmeResponse.body.to(ACMEOrderResponse)
 
 proc downloadCertificate*(
-    self: ACMEApi, orderURL: string
+    self: ACMEApi, order: Uri
 ): Future[ACMECertificateResponse] {.async: (raises: [ACMEError, CancelledError]).} =
-  let orderResponse = await self.requestGetOrder(orderURL)
+  let orderResponse = await self.requestGetOrder(order)
 
   handleError("downloadCertificate"):
     let rawResponse = await HttpClientRequestRef