Eliminate dependency on GNU version of "date".

GUI · GUI · commit 0b3d9d5cccb3 · 2019-09-30T17:54:19.000-06:00
Handle parsing the OpenSSL expiry times ourselves, since the BusyBox and and BSD versions of the "date" command don't support parsing like the GNU version does. #195
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # lua-resty-auto-ssl Change Log
 
+## 0.13.1 - Unreleased
+
+### Changed
+- Eliminate dependency on GNU version of the `date` command line utility to improve compatibility with Alpine Linux, BSDs, and others. Fixes warnings that may have started getting logged in v0.13.0. [#195](https://github.com/GUI/lua-resty-auto-ssl/issues/195)
+
 ## 0.13.0 - 2019-09-30
 
 ### Upgrade Notes
diff --git a/Dockerfile-test-alpine b/Dockerfile-test-alpine
@@ -6,7 +6,6 @@ WORKDIR /app
 # Runtime dependencies
 RUN apk add --no-cache \
     bash \
-    coreutils \
     curl \
     diffutils \
     grep \
@@ -27,6 +26,7 @@ RUN apk add --no-cache \
     procps \
     redis \
     sudo \
+    tzdata \
     wget && \
   curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/a/naDTyS8Kyxv/ngrok-2.3.34-linux-386.tar.gz && \
   tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
diff --git a/Makefile b/Makefile
@@ -47,6 +47,7 @@ install: check-dependencies
 	install -m 644 lib/resty/auto-ssl/storage_adapters/file.lua $(INST_LUADIR)/resty/auto-ssl/storage_adapters/file.lua
 	install -m 644 lib/resty/auto-ssl/storage_adapters/redis.lua $(INST_LUADIR)/resty/auto-ssl/storage_adapters/redis.lua
 	install -d $(INST_LUADIR)/resty/auto-ssl/utils
+	install -m 644 lib/resty/auto-ssl/utils/parse_openssl_time.lua $(INST_LUADIR)/resty/auto-ssl/utils/parse_openssl_time.lua
 	install -m 644 lib/resty/auto-ssl/utils/random_seed.lua $(INST_LUADIR)/resty/auto-ssl/utils/random_seed.lua
 	install -m 644 lib/resty/auto-ssl/utils/shell_execute.lua $(INST_LUADIR)/resty/auto-ssl/utils/shell_execute.lua
 	install -m 644 lib/resty/auto-ssl/utils/shuffle_table.lua $(INST_LUADIR)/resty/auto-ssl/utils/shuffle_table.lua
@@ -105,6 +106,7 @@ lint:
 	luacheck lib spec
 
 test:
+	luarocks --tree=/tmp/resty-auto-ssl-test-luarocks make ./lua-resty-auto-ssl-git-1.rockspec
 	rm -rf /tmp/resty-auto-ssl-server-luarocks
 	luarocks --tree=/tmp/resty-auto-ssl-server-luarocks make ./lua-resty-auto-ssl-git-1.rockspec
 	luarocks --tree=/tmp/resty-auto-ssl-server-luarocks install dkjson 2.5-2
diff --git a/bin/letsencrypt_hooks b/bin/letsencrypt_hooks
@@ -34,7 +34,7 @@ clean_challenge() {
 deploy_cert() {
   local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
   local EXPIRY
-  if ! EXPIRY=$(date --date="$(openssl x509 -enddate -noout -in "$CERTFILE"|cut -d= -f 2)" +%s); then
+  if ! EXPIRY=$(openssl x509 -enddate -noout -in "$CERTFILE"); then
     echo "failed to get the expiry date"
   fi
 
diff --git a/lib/resty/auto-ssl/jobs/renewal.lua b/lib/resty/auto-ssl/jobs/renewal.lua
@@ -1,4 +1,5 @@
 local lock = require "resty.lock"
+local parse_openssl_time = require "resty.auto-ssl.utils.parse_openssl_time"
 local shell_blocking = require "shell-games"
 local shuffle_table = require "resty.auto-ssl.utils.shuffle_table"
 local ssl_provider = require "resty.auto-ssl.ssl_providers.lets_encrypt"
@@ -97,12 +98,16 @@ local function renew_check_cert(auto_ssl_instance, storage, domain)
       file:write(cert["fullchain_pem"])
       file:close()
 
-      local date_result, date_err = shell_blocking.run_raw('date --date="$(openssl x509 -enddate -noout -in "' .. shell_blocking.quote(cert_pem_path) .. '"|cut -d= -f 2)" +%s', { capture = true, stderr = "&1" })
+      local date_result, date_err = shell_blocking.capture_combined({ "openssl", "x509", "-enddate", "-noout", "-in", cert_pem_path })
       if date_err then
         ngx.log(ngx.ERR, "auto-ssl: failed to extract expiry date from cert: ", date_err)
       else
-        cert["expiry"] = tonumber(date_result["output"])
-        if cert["expiry"] then
+        local expiry, parse_err = parse_openssl_time(date_result["output"])
+        if parse_err then
+          ngx.log(ngx.ERR, "auto-ssl: failed to parse expiry date: ", parse_err)
+        else
+          cert["expiry"] = expiry
+
           -- Update stored certificate to include expiry information
           ngx.log(ngx.NOTICE, "auto-ssl: setting expiration date of ",  domain, " to ", cert["expiry"])
           local _, set_cert_err = storage:set_cert(domain, cert["fullchain_pem"], cert["privkey_pem"], cert["cert_pem"], cert["expiry"])
diff --git a/lib/resty/auto-ssl/servers/hook.lua b/lib/resty/auto-ssl/servers/hook.lua
@@ -1,3 +1,4 @@
+local parse_openssl_time = require "resty.auto-ssl.utils.parse_openssl_time"
 local shell_blocking = require "shell-games"
 
 -- This server provides an internal-only API for the dehydrated bash hook
@@ -42,7 +43,13 @@ return function(auto_ssl_instance)
     assert(params["fullchain"])
     assert(params["privkey"])
     assert(params["expiry"])
-    local _, err = storage:set_cert(params["domain"], params["fullchain"], params["privkey"], params["cert"], tonumber(params["expiry"]))
+
+    local expiry, parse_err = parse_openssl_time(params["expiry"])
+    if parse_err then
+      ngx.log(ngx.ERR, "auto-ssl: failed to parse expiry date: ", parse_err)
+    end
+
+    local _, err = storage:set_cert(params["domain"], params["fullchain"], params["privkey"], params["cert"], expiry)
     if err then
       ngx.log(ngx.ERR, "auto-ssl: failed to set cert: ", err)
       return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
diff --git a/lib/resty/auto-ssl/utils/parse_openssl_time.lua b/lib/resty/auto-ssl/utils/parse_openssl_time.lua
@@ -0,0 +1,59 @@
+local floor = math.floor
+
+local months = {
+  Jan = 1,
+  Feb = 2,
+  Mar = 3,
+  Apr = 4,
+  May = 5,
+  Jun = 6,
+  Jul = 7,
+  Aug = 8,
+  Sep = 9,
+  Oct = 10,
+  Nov = 11,
+  Dec = 12,
+}
+
+return function(time_str)
+  local matches, match_err = ngx.re.match(time_str, [[(?<month>[A-Za-z]{3}) +(?<day>\d{1,2}) +(?<hour>\d{2}):(?<minute>\d{2}):(?<second>\d{2})(?:\.\d+)? +(?<year>-?\d{4})]], "jo")
+  if match_err then
+    return nil, match_err
+  elseif not matches then
+    return nil, "could not parse openssl time string: " .. (tostring(time_str) or "")
+  end
+
+  local month = months[matches["month"]]
+  if not month then
+    return nil, "could not parse month in openssl time string: " .. (tostring(time_str) or "")
+  end
+
+  local year = tonumber(matches["year"])
+  local day = tonumber(matches["day"])
+  local hour = tonumber(matches["hour"])
+  local minute = tonumber(matches["minute"])
+  local second = tonumber(matches["second"])
+
+  -- Convert the parsed time into a unix epoch timestamp. Since the unix
+  -- timestamp should always be returned according to UTC, we can't use Lua's
+  -- "os.time", since it returns values based on local time
+  -- (http://lua-users.org/lists/lua-l/2012-04/msg00557.html), and workarounds
+  -- seem tricky (http://lua-users.org/lists/lua-l/2012-04/msg00588.html).
+  --
+  -- So instead, manually calculate the days since UTC epoch and output based
+  -- on this math. The algorithm behind this is based on
+  -- http://howardhinnant.github.io/date_algorithms.html#civil_from_days
+  if month <= 2 then
+    year = year - 1
+    month = month + 9
+  else
+    month = month - 3
+  end
+  local era = floor(year / 400)
+  local yoe = year - era * 400
+  local doy = floor((153 * month + 2) / 5) + day - 1
+  local doe = (yoe * 365) + floor(yoe / 4) - floor(yoe / 100) + doy
+  local days = era * 146097 + doe - 719468
+
+  return (days * 86400) + (hour * 3600) + (minute * 60) + second
+end
diff --git a/spec/expiry_spec.lua b/spec/expiry_spec.lua
@@ -8,6 +8,37 @@ describe("expiry", function()
   before_each(server.stop)
   after_each(server.stop)
 
+  it("stores the expiry date on issuance", function()
+    server.start()
+
+    local httpc = http.new()
+    local _, connect_err = httpc:connect("127.0.0.1", 9443)
+    assert.equal(nil, connect_err)
+
+    local _, ssl_err = httpc:ssl_handshake(nil, server.ngrok_hostname, true)
+    assert.equal(nil, ssl_err)
+
+    local res, request_err = httpc:request({ path = "/foo" })
+    assert.equal(nil, request_err)
+    assert.equal(200, res.status)
+
+    local body, body_err = res:read_body()
+    assert.equal(nil, body_err)
+    assert.equal("foo", body)
+
+    local error_log = server.nginx_error_log_tail:read()
+    assert.matches("issuing new certificate for " .. server.ngrok_hostname, error_log, nil, true)
+    assert.Not.matches("auto-ssl: checking certificate renewals for " .. server.ngrok_hostname, error_log, nil, true)
+    assert.Not.matches("failed to get the expiry date", error_log, nil, true)
+
+    local cert_path = server.current_test_dir .. "/auto-ssl/storage/file/" .. ngx.escape_uri(server.ngrok_hostname .. ":latest")
+    local content = assert(file.read(cert_path))
+    assert.string(content)
+    local data = assert(cjson.decode(content))
+    assert.number(data["expiry"])
+    assert(data["expiry"] > 0, data["expiry"] .. " is not greater than 0")
+  end)
+
   it("fills in missing expiry dates in storage from certificate expiration on renewal", function()
     server.start({
       auto_ssl_pre_new = [[
diff --git a/spec/parse_openssl_time_spec.lua b/spec/parse_openssl_time_spec.lua
@@ -0,0 +1,189 @@
+local parse_openssl_time = require "resty.auto-ssl.utils.parse_openssl_time"
+local stdlib = require "posix.stdlib"
+
+describe("parse_openssl_time", function()
+  local orig_tz
+  before_each(function()
+    orig_tz = os.getenv("TZ")
+  end)
+  after_each(function()
+    stdlib.setenv("TZ", orig_tz)
+  end)
+
+  it("parses basic openssl time", function()
+    local timestamp, err = parse_openssl_time("Jun 22 00:00:00 2036 GMT")
+    assert.Nil(err)
+    assert.equal(2097705600, timestamp)
+  end)
+
+  it("parses single digit days", function()
+    local timestamp, err = parse_openssl_time("Mar  7 12:00:00 2020 GMT")
+    assert.Nil(err)
+    assert.equal(1583582400, timestamp)
+  end)
+
+  it("parses prefixed output from openssl", function()
+    local timestamp, err = parse_openssl_time("notAfter=Dec 17 17:55:50 2019 GMT")
+    assert.Nil(err)
+    assert.equal(1576605350, timestamp)
+  end)
+
+  it("parses times with milliseconds", function()
+    local timestamp, err = parse_openssl_time("Jul 31 22:20:50.123 2017 GMT")
+    assert.Nil(err)
+    assert.equal(1501539650, timestamp)
+  end)
+
+  it("parses times with 1 fractional digit for seconds", function()
+    local timestamp, err = parse_openssl_time("Jul 31 22:20:50.1 2017 GMT")
+    assert.Nil(err)
+    assert.equal(1501539650, timestamp)
+  end)
+
+  it("parses times without GMT suffix", function()
+    local timestamp, err = parse_openssl_time("Nov 28 20:21:47 2019")
+    assert.Nil(err)
+    assert.equal(1574972507, timestamp)
+  end)
+
+  it("returns error for unknown data", function()
+    local timestamp, err = parse_openssl_time("Bad time value")
+    assert.Nil(timestamp)
+    assert.equal("could not parse openssl time string: Bad time value", err)
+  end)
+
+  it("returns error for unknown month", function()
+    local timestamp, err = parse_openssl_time("Abc 22 00:00:00 2036 GMT")
+    assert.Nil(timestamp)
+    assert.equal("could not parse month in openssl time string: Abc 22 00:00:00 2036 GMT", err)
+  end)
+
+  it("months are case sensitive", function()
+    local timestamp, err = parse_openssl_time("jan 22 00:00:00 2036 GMT")
+    assert.Nil(timestamp)
+    assert.equal("could not parse month in openssl time string: jan 22 00:00:00 2036 GMT", err)
+  end)
+
+  it("ignores the system time zone and always outputs in UTC unix timestamps", function()
+    stdlib.setenv("TZ", "Pacific/Honolulu")
+    -- Sanity check to ensure "os.time" behavior is picking up the TZ that is
+    -- set (which is incorrect for our purposes), and that our values differ.
+    local local_time = os.time({
+      year = 2036,
+      month = 6,
+      day = 22,
+      hour = 0,
+      min = 0,
+      sec = 0,
+    })
+    assert.equal(2097741600, local_time)
+    local timestamp, err = parse_openssl_time("Jun 22 00:00:00 2036 GMT")
+    assert.Nil(err)
+    assert.equal(2097705600, timestamp)
+    assert.Not.equal(timestamp, local_time)
+
+    stdlib.setenv("TZ", "Asia/Kolkata")
+    local_time = os.time({
+      year = 2036,
+      month = 6,
+      day = 22,
+      hour = 0,
+      min = 0,
+      sec = 0,
+    })
+    assert.equal(2097685800, local_time)
+    timestamp, err = parse_openssl_time("Jun 22 00:00:00 2036 GMT")
+    assert.Nil(err)
+    assert.equal(2097705600, timestamp)
+    assert.Not.equal(timestamp, local_time)
+  end)
+
+  -- Based on the eras from
+  -- http://howardhinnant.github.io/date_algorithms.html#civil_from_days, along
+  -- with other boundaries (epoch, Y2038, etc).
+  it("parses various historical, future, and boundary times", function()
+    local timestamp, err = parse_openssl_time("Mar 1 00:00:00 -0800 GMT")
+    assert.Nil(err)
+    assert.equal(-87407596800, timestamp)
+
+    timestamp, err = parse_openssl_time("Feb 29 00:00:00 -0400 GMT")
+    assert.Nil(err)
+    assert.equal(-74784902400, timestamp)
+
+    timestamp, err = parse_openssl_time("Mar 1 00:00:00 -0400 GMT")
+    assert.Nil(err)
+    assert.equal(-74784816000, timestamp)
+
+    timestamp, err = parse_openssl_time("Jan 1 00:00:00 0000 GMT")
+    assert.Nil(err)
+    assert.equal(-62167219200, timestamp)
+
+    timestamp, err = parse_openssl_time("Feb 29 00:00:00 0000 GMT")
+    assert.Nil(err)
+    assert.equal(-62162121600, timestamp)
+
+    timestamp, err = parse_openssl_time("Mar 1 00:00:00 0000 GMT")
+    assert.Nil(err)
+    assert.equal(-62162035200, timestamp)
+
+    timestamp, err = parse_openssl_time("Feb 29 00:00:00 0400 GMT")
+    assert.Nil(err)
+    assert.equal(-49539340800, timestamp)
+
+    timestamp, err = parse_openssl_time("Mar 1 00:00:00 0400 GMT")
+    assert.Nil(err)
+    assert.equal(-49539254400, timestamp)
+
+    timestamp, err = parse_openssl_time("Feb 29 00:00:00 0800 GMT")
+    assert.Nil(err)
+    assert.equal(-36916560000, timestamp)
+
+    timestamp, err = parse_openssl_time("Mar 1 00:00:00 0800 GMT")
+    assert.Nil(err)
+    assert.equal(-36916473600, timestamp)
+
+    timestamp, err = parse_openssl_time("Feb 29 00:00:00 1200 GMT")
+    assert.Nil(err)
+    assert.equal(-24293779200, timestamp)
+
+    timestamp, err = parse_openssl_time("Mar 1 00:00:00 1200 GMT")
+    assert.Nil(err)
+    assert.equal(-24293692800, timestamp)
+
+    timestamp, err = parse_openssl_time("Feb 29 00:00:00 1600 GMT")
+    assert.Nil(err)
+    assert.equal(-11670998400, timestamp)
+
+    timestamp, err = parse_openssl_time("Mar 1 00:00:00 1600 GMT")
+    assert.Nil(err)
+    assert.equal(-11670912000, timestamp)
+
+    timestamp, err = parse_openssl_time("Jan 1 00:00:00 1970 GMT")
+    assert.Nil(err)
+    assert.equal(0, timestamp)
+
+    timestamp, err = parse_openssl_time("Feb 29 00:00:00 2000 GMT")
+    assert.Nil(err)
+    assert.equal(951782400, timestamp)
+
+    timestamp, err = parse_openssl_time("Mar 1 00:00:00 2000 GMT")
+    assert.Nil(err)
+    assert.equal(951868800, timestamp)
+
+    timestamp, err = parse_openssl_time("Jan 18 00:00:00 2038 GMT")
+    assert.Nil(err)
+    assert.equal(2147385600, timestamp)
+
+    timestamp, err = parse_openssl_time("Jan 19 00:00:00 2038 GMT")
+    assert.Nil(err)
+    assert.equal(2147472000, timestamp)
+
+    timestamp, err = parse_openssl_time("Jan 20 00:00:00 2038 GMT")
+    assert.Nil(err)
+    assert.equal(2147558400, timestamp)
+
+    timestamp, err = parse_openssl_time("Feb 29 00:00:00 2400 GMT")
+    assert.Nil(err)
+    assert.equal(13574563200, timestamp)
+  end)
+end)
