File Coverage

blib/lib/Net/ACME2/HTTP.pm

Criterion	Covered	Total	%
statement	73	93	78.4
branch	9	24	37.5
condition	4	9	44.4
subroutine	19	20	95.0
pod	0	6	0.0
total	105	152	69.0

line	stmt	bran	cond	sub	pod	time	code
1							package Net::ACME2::HTTP;
2
3							=encoding utf-8
4
5							=head1 NAME
6
7							Net::ACME2::HTTP - transport logic for C.
8
9							=head1 DESCRIPTION
10
11							This module handles communication with an ACME server at the HTTP level.
12							It wraps POSTs in JWSes (JSON Web Signatures) as needed.
13
14							There should be no reason to interact with this class in production.
15
16							=cut
17
18	2			2		10	use strict;
	2					4
	2					40
19	2			2		7	use warnings;
	2					4
	2					40
20
21	2			2		487	use JSON ();
	2					9202
	2					41
22
23	2			2		637	use Net::ACME2::Error ();
	2					5
	2					29
24	2			2		296	use Net::ACME2::HTTP_Tiny ();
	2					4
	2					30
25	2			2		647	use Net::ACME2::HTTP::Response ();
	2					3
	2					27
26	2			2		8	use Net::ACME2::X ();
	2					4
	2					27
27
28	2			2		7	use constant _CONTENT_TYPE => 'application/jose+json';
	2					3
	2					1633
29
30							#accessed from tests
31							our $_NONCE_HEADER = 'replay-nonce';
32
33							#Used in testing
34							our $verify_SSL = 1;
35
36							#NB: “key” isn’t needed if we’re just doing GETs.
37							sub new {
38	2			2	0	345690	my ( $class, %opts ) = @_;
39
40	2	50				9	die Net::ACME2::X->create('Generic', 'need “key”!') if !$opts{'key'};
41
42	2					15	my $ua = Net::ACME2::HTTP_Tiny->new( verify_SSL => $verify_SSL );
43
44							my $self = bless {
45							_ua => $ua,
46							_acme_key => $opts{'key'},
47							_key_id => $opts{'key_id'},
48	2					19	_jws_format => $opts{'jws_format'},
49							}, $class;
50
51	2					9	return bless $self, $class;
52							}
53
54							sub set_key_id {
55	2			2	0	6	my ($self, $key_id) = @_;
56
57	2					4	$self->{'_key_id'} = $key_id;
58
59	2					3	return $self;
60							}
61
62							sub set_new_nonce_url {
63	5			5	0	8	my ($self, $url) = @_;
64
65	5					7	$self->{'_nonce_url'} = $url;
66
67	5					9	return $self;
68							}
69
70							#GETs submit no data and thus are not signed.
71							sub get {
72	1			1	0	2	my ( $self, $url ) = @_;
73
74	1					5	return $self->_request( 'GET', $url );
75							}
76
77							# ACME spec 6.2: for all requests not signed using an existing account,
78							# e.g., newAccount
79							sub post_full_jwt {
80	2			2	0	3	my $self = shift;
81
82	2					18	return $self->_post( 'create_full_jws', @_ );
83							}
84
85							# ACME spec 6.2: for all requests signed using an existing account
86							sub post_key_id {
87	0			0	0	0	my $self = shift;
88
89	0					0	return $self->_post(
90							'create_key_id_jws',
91							@_,
92							);
93							}
94
95							#----------------------------------------------------------------------
96
97							#POSTs are signed.
98							sub _post {
99	2			2		7	my ( $self, $jwt_method, $url, $data, $opts_hr ) = @_;
100
101							# Shouldn’t be needed because the constructor requires “key”,
102							# but just in case.
103	2	50				7	die "Constructor needed “key” to do POST! ($url)" if !$self->{'_acme_key'};
104
105	2					6	my $jws = $self->_create_jwt( $jwt_method, $url, $data );
106
107	2					10	local $opts_hr->{'headers'}{'Content-Type'} = 'application/jose+json';
108
109	2		33			21	return $self->_request_and_set_last_nonce(
110							'POST',
111							$url,
112							{
113							content => $jws,
114							headers => {
115							'content-type' => _CONTENT_TYPE,
116							},
117							},
118							$opts_hr \|\| (),
119							);
120							}
121
122							sub _ua_request {
123	4			4		10	my ( $self, $type, @args ) = @_;
124
125	4					22	return $self->{'_ua'}->request( $type, @args );
126							}
127
128							#overridden in tests
129							sub _request {
130	4			4		9	my ( $self, $type, @args ) = @_;
131
132	4					6	my $resp;
133
134							#cf. eval_bug.readme
135	4					6	my $eval_err = $@;
136
137	4					8	eval { $resp = $self->_ua_request( $type, @args ); };
	4					12
138
139							# Check ref() first to avoid potentially running overload.pm’s
140							# stringification.
141	4	50	33			23	if (ref($@) \|\| $@) {
142	0					0	my $exc = $@;
143
144	0	0				0	if ( eval { $exc->isa('Net::ACME2::X::HTTP::Protocol') } ) {
	0					0
145	0					0	my $_nonce_header_lc = $_NONCE_HEADER;
146	0					0	$_nonce_header_lc =~ tr;
147
148	0					0	my $nonce = $exc->get('headers')->{$_nonce_header_lc};
149	0	0				0	$self->{'_last_nonce'} = $nonce if $nonce;
150
151							#If the exception is able to be made into a Net::ACME2::Error,
152							#then do so to get a nicer error message.
153	0					0	my $acme_error = eval {
154							Net::ACME2::Error->new(
155	0					0	%{ JSON::decode_json( $exc->get('content') ) },
	0					0
156							);
157							};
158
159	0	0				0	if ($acme_error) {
160	0					0	die Net::ACME2::X->create(
161							'ACME',
162							{
163							http => $exc,
164							acme => $acme_error,
165							},
166							);
167							}
168							}
169
170	0					0	$@ = $exc;
171	0					0	die;
172							}
173
174	4					7	$@ = $eval_err;
175
176	4					21	return Net::ACME2::HTTP::Response->new($resp);
177							}
178
179							sub _request_and_set_last_nonce {
180	3			3		10	my ( $self, $type, $url, @args ) = @_;
181
182	3					12	my $resp = $self->_request( $type, $url, @args );
183
184							#NB: ACME’s replay protection works thus:
185							# - each server response includes a nonce
186							# - each request must include ONE of the nonces that have been sent
187							# - once used, a nonce can’t be reused
188							#
189							#This is subtly different from what was originally in mind (i.e., that
190							#each request must use the most recently sent nonce). It implies that GETs
191							#do not need to send nonces, though each GET will receive a nonce that
192							#may be used.
193	3	50				141	$self->{'_last_nonce'} = $resp->header($_NONCE_HEADER) or do {
194	0					0	die Net::ACME2::X->create('Generic', "Received no $_NONCE_HEADER from $url!");
195							};
196
197	3					59	return $resp;
198							}
199
200							sub _get_first_nonce {
201	1			1		2	my ($self) = @_;
202
203	1	50				3	my $url = $self->{'_nonce_url'} or do {
204
205							# Shouldn’t happen unless there’s an errant refactor.
206	0					0	die Net::ACME2::X->create('Set newNonce URL first!');
207							};
208
209	1					3	$self->_request_and_set_last_nonce( 'HEAD', $url );
210
211	1					8	return;
212							}
213
214							sub _create_jwt {
215	2			2		5	my ( $self, $jwt_method, $url, $data ) = @_;
216
217	2	100				7	$self->_get_first_nonce() if !$self->{'_last_nonce'};
218
219	2		66			8	$self->{'_jwt_maker'} \|\|= do {
220	1					1	my $class;
221
222	1	50				18	if ($self->{'_acme_key'}->isa('Crypt::Perl::RSA::PrivateKey')) {
		0
223	1					2	$class = 'Net::ACME2::JWTMaker::RSA';
224							}
225							elsif ($self->{'_acme_key'}->isa('Crypt::Perl::ECDSA::PrivateKey')) {
226	0					0	$class = 'Net::ACME2::JWTMaker::ECC';
227							}
228							else {
229
230							# As of this writing, Crypt::Perl only does RSA and ECDSA keys.
231							# If we get here, it’s possible that Crypt::Perl now supports
232							# an additional key type that this library doesn’t recognize.
233	0					0	die Net::ACME2::X->create('Generic', "Unrecognized key type: $self->{'_acme_key'}");
234							}
235
236	1	50				8	if (!$class->can('new')) {
237	1					6	require Module::Load;
238	1					5	Module::Load::load($class);
239							}
240
241							$class->new(
242							key => $self->{'_acme_key'},
243	1					14	format => $self->{'_jws_format'},
244							);
245							};
246
247							return $self->{'_jwt_maker'}->$jwt_method(
248							key_id => $self->{'_key_id'},
249							payload => $data,
250							extra_headers => {
251	2					12	nonce => $self->{'_last_nonce'},
252							url => $url,
253							},
254							);
255							}
256
257							1;