Make JSON library configurable.

This sets up the JSON encoding/decoding so you can use a configurable
library, using cjson as the default, but allowing optional usage of
dkjson for a pure-lua library (in environments like ARM where cjson may
be more difficult to get setup).

We keep cjson as the default (since we assume its bundled with
OpenResty), and don't add an explicit dependency for dkjson (since it's
not available on OPM, and trying to keep that in mind for future
installation). But if you manually add dkjson then the dkjson adapter
should work.

See #85

Author: GUI

Makefile

@@ -28,6 +28,9 @@ install:
 	install -m 644 lib/resty/auto-ssl/init_master.lua $(INST_LUADIR)/resty/auto-ssl/init_master.lua
 	install -m 644 lib/resty/auto-ssl/init_worker.lua $(INST_LUADIR)/resty/auto-ssl/init_worker.lua
 	install -d $(INST_LUADIR)/resty/auto-ssl/jobs
+	install -d $(INST_LUADIR)/resty/auto-ssl/json_adapters
+	install -m 644 lib/resty/auto-ssl/json_adapters/cjson.lua $(INST_LUADIR)/resty/auto-ssl/json_adapters/cjson.lua
+	install -m 644 lib/resty/auto-ssl/json_adapters/dkjson.lua $(INST_LUADIR)/resty/auto-ssl/json_adapters/dkjson.lua
 	install -m 644 lib/resty/auto-ssl/jobs/renewal.lua $(INST_LUADIR)/resty/auto-ssl/jobs/renewal.lua
 	install -d $(INST_LUADIR)/resty/auto-ssl/servers
 	install -m 644 lib/resty/auto-ssl/servers/challenge.lua $(INST_LUADIR)/resty/auto-ssl/servers/challenge.lua
@@ -98,6 +101,9 @@ TEST_LUA_LIB_DIR:=$(TEST_VENDOR_DIR)/lib/lua/5.1
 LUACHECK:=luacheck
 LUACHECK_VERSION:=0.19.1-1
 
+DKJSON:=dkjson
+DKJSON_VERSION:=2.5-2
+
 OPENSSL_VERSION:=1.0.2k
 OPENSSL:=openssl-$(OPENSSL_VERSION)
 
@@ -132,6 +138,9 @@ $(TEST_VENDOR_DIR):
 $(TEST_LUAROCKS_DIR)/$(LUACHECK)/$(LUACHECK_VERSION): $(TEST_TMP_DIR)/stamp-$(LUAROCKS) | $(TEST_VENDOR_DIR)
 	$(call test_luarocks_install,LUACHECK)
 
+$(TEST_LUAROCKS_DIR)/$(DKJSON)/$(DKJSON_VERSION): $(TEST_TMP_DIR)/stamp-$(LUAROCKS) | $(TEST_VENDOR_DIR)
+	$(call test_luarocks_install,DKJSON)
+
 $(TEST_TMP_DIR)/cpanm: | $(TEST_TMP_DIR)
 	curl -o $@ -L http://cpanmin.us
 	chmod +x $@
@@ -193,6 +202,7 @@ $(TEST_TMP_DIR)/stamp-$(LUAROCKS): $(TEST_TMP_DIR)/stamp-$(OPENRESTY) | $(TEST_T
 
 test_dependencies: \
 	$(TEST_LUAROCKS_DIR)/$(LUACHECK)/$(LUACHECK_VERSION) \
+	$(TEST_LUAROCKS_DIR)/$(DKJSON)/$(DKJSON_VERSION) \
 	$(TEST_VENDOR_DIR)/$(NGROK)/ngrok \
 	$(TEST_TMP_DIR)/stamp-$(OPENRESTY) \
 	$(TEST_TMP_DIR)/stamp-$(LUAROCKS) \

README.md

@@ -272,6 +272,20 @@ Additional configuration options can be set on the `auto_ssl` instance that is c
   auto_ssl:set("hook_server_port", 90)
   ```
 
+- **`json_adapter`**
+  *Default:* `resty.auto-ssl.json_adapters.cjson`
+  *Options:* `resty.auto-ssl.json_adapters.cjson`, `resty.auto-ssl.json_adapters.dkjson`
+
+  The JSON adapter to use for encoding and decoding JSON. Defaults to using [cjson](https://github.com/openresty/lua-cjson), which is bundled with OpenResty installations and should probably be used in most cases. However, an adapter using the pure Lua [dkjson](https://luarocks.org/modules/dhkolf/dkjson) can be used for environments where cjson may not be available (you will need to manually install the dkjson dependency via luarocks to use this adapter).
+
+  cjson and dkjson json adapters are supplied, but custom external adapters may also be specified (the value simply needs to be on the `lua_package_path`).
+
+  *Example:*
+
+  ```lua
+  auto_ssl:set("json_adapter", "resty.auto-ssl.json_adapters.dkjson")
+  ```
+
 ### `ssl_certificate` Configuration
 
 - **`generate_certs`**

lib/resty/auto-ssl.lua

@@ -32,6 +32,10 @@ function _M.new(options)
     options["storage_adapter"] = "resty.auto-ssl.storage_adapters.file"
   end
 
+  if not options["json_adapter"] then
+    options["json_adapter"] = "resty.auto-ssl.json_adapters.cjson"
+  end
+
   if not options["ocsp_stapling_error_level"] then
     options["ocsp_stapling_error_level"] = ngx.ERR
   end

lib/resty/auto-ssl/init_master.lua

@@ -80,14 +80,20 @@ local function generate_config(auto_ssl_instance)
 end
 
 local function setup_storage(auto_ssl_instance)
-  local adapter = require(auto_ssl_instance:get("storage_adapter"))
-  local adapter_instance = adapter.new(auto_ssl_instance)
-  if adapter_instance.setup then
-    adapter_instance:setup()
+  local storage_adapter = require(auto_ssl_instance:get("storage_adapter"))
+  local storage_adapter_instance = storage_adapter.new(auto_ssl_instance)
+  if storage_adapter_instance.setup then
+    storage_adapter_instance:setup()
   end
 
+  local json_adapter = require(auto_ssl_instance:get("json_adapter"))
+  local json_adapter_instance = json_adapter.new(auto_ssl_instance)
+
   local storage = require "resty.auto-ssl.storage"
-  local storage_instance = storage.new(adapter_instance)
+  local storage_instance = storage.new({
+    storage_adapter = storage_adapter_instance,
+    json_adapter = json_adapter_instance,
+  })
   auto_ssl_instance:set("storage", storage_instance)
 end
 

lib/resty/auto-ssl/init_worker.lua

@@ -26,9 +26,9 @@ return function(auto_ssl_instance)
   start_sockproc()
 
   local storage = auto_ssl_instance:get("storage")
-  local adapter = storage.adapter
-  if adapter.setup_worker then
-    adapter:setup_worker()
+  local storage_adapter = storage.storage_adapter
+  if storage_adapter.setup_worker then
+    storage_adapter:setup_worker()
   end
 
   renewal_job.spawn(auto_ssl_instance)

lib/resty/auto-ssl/jobs/renewal.lua

@@ -69,7 +69,11 @@ local function renew_check_cert(auto_ssl_instance, storage, domain)
   end
 
   -- Fetch the current certificate.
-  local fullchain_pem, _, cert_pem = storage:get_cert(domain)
+  local fullchain_pem, _, cert_pem, get_cert_err = storage:get_cert(domain)
+  if get_cert_err then
+    ngx.log(ngx.ERR, "auto-ssl: renewal error fetching certificate from storage for ", domain, ": ", get_cert_err)
+  end
+
   if not fullchain_pem then
     ngx.log(ngx.ERR, "auto-ssl: attempting to renew certificate for domain without certificates in storage: ", domain)
     renew_check_cert_unlock(domain, storage, local_lock, distributed_lock_value)

lib/resty/auto-ssl/json_adapters/cjson.lua

@@ -0,0 +1,17 @@
+local cjson = require "cjson.safe"
+
+local _M = {}
+
+function _M.new()
+  return setmetatable({}, { __index = _M })
+end
+
+function _M.encode(_, data)
+  return cjson.encode(data)
+end
+
+function _M.decode(_, string)
+  return cjson.decode(string)
+end
+
+return _M

lib/resty/auto-ssl/json_adapters/dkjson.lua

@@ -0,0 +1,18 @@
+local dkjson = require "dkjson"
+
+local _M = {}
+
+function _M.new()
+  return setmetatable({}, { __index = _M })
+end
+
+function _M.encode(_, data)
+  return dkjson.encode(data)
+end
+
+function _M.decode(_, string)
+  local data, _, err = dkjson.decode(string)
+  return data, err
+end
+
+return _M

lib/resty/auto-ssl/ssl_certificate.lua

@@ -80,7 +80,11 @@ local function issue_cert(auto_ssl_instance, storage, domain)
 
   -- After obtaining the local and distributed lock, see if the certificate
   -- has already been registered.
-  fullchain_pem, privkey_pem = storage:get_cert(domain)
+  fullchain_pem, privkey_pem, _, err = storage:get_cert(domain)
+  if err then
+    ngx.log(ngx.ERR, "auto-ssl: error fetching certificate from storage for ", domain, ": ", err)
+  end
+
   if fullchain_pem and privkey_pem then
     issue_cert_unlock(domain, storage, local_lock, distributed_lock_value)
     return fullchain_pem, privkey_pem
@@ -107,7 +111,11 @@ local function get_cert(auto_ssl_instance, domain, ssl_options)
   -- Next, look for the certificate in permanent storage (which can be shared
   -- across servers depending on the storage).
   local storage = auto_ssl_instance:get("storage")
-  local fullchain_pem, privkey_pem = storage:get_cert(domain)
+  local fullchain_pem, privkey_pem, _, get_cert_err = storage:get_cert(domain)
+  if get_cert_err then
+    ngx.log(ngx.ERR, "auto-ssl: error fetching certificate from storage for ", domain, ": ", get_cert_err)
+  end
+
   if fullchain_pem and privkey_pem then
     return convert_to_der_and_cache(domain, fullchain_pem, privkey_pem, false)
   end

lib/resty/auto-ssl/ssl_providers/lets_encrypt.lua

@@ -47,7 +47,10 @@ function _M.issue_cert(auto_ssl_instance, domain)
   -- The result of running that command should result in the certs being
   -- populated in our storage (due to the deploy_cert hook triggering).
   local storage = auto_ssl_instance:get("storage")
-  local fullchain_pem, privkey_pem = storage:get_cert(domain)
+  local fullchain_pem, privkey_pem, _, get_cert_err = storage:get_cert(domain)
+  if get_cert_err then
+    ngx.log(ngx.ERR, "auto-ssl: error fetching certificate from storage for ", domain, ": ", get_cert_err)
+  end
 
   -- If dehydrated said it succeeded, but we still don't have any certs in
   -- storage, the issue is likely that the certs have been deleted out of our
@@ -73,7 +76,10 @@ function _M.issue_cert(auto_ssl_instance, domain)
     end
 
     -- Try fetching again.
-    fullchain_pem, privkey_pem = storage:get_cert(domain)
+    fullchain_pem, privkey_pem, _, get_cert_err = storage:get_cert(domain)
+    if get_cert_err then
+      ngx.log(ngx.ERR, "auto-ssl: error fetching certificate from storage for ", domain, ": ", get_cert_err)
+    end
   end
 
   -- Return error if things are still unexpectedly missing.

lib/resty/auto-ssl/storage.lua

@@ -3,33 +3,35 @@ local str = require "resty.string"
 
 local _M = {}
 
-local cjson = require "cjson"
-
-function _M.new(adapter)
-  return setmetatable({ adapter = adapter }, { __index = _M })
+function _M.new(options)
+  return setmetatable(options, { __index = _M })
 end
 
 function _M.get_challenge(self, domain, path)
-  return self.adapter:get(domain .. ":challenge:" .. path)
+  return self.storage_adapter:get(domain .. ":challenge:" .. path)
 end
 
 function _M.set_challenge(self, domain, path, value)
-  return self.adapter:set(domain .. ":challenge:" .. path, value)
+  return self.storage_adapter:set(domain .. ":challenge:" .. path, value)
 end
 
 function _M.delete_challenge(self, domain, path)
-  return self.adapter:delete(domain .. ":challenge:" .. path)
+  return self.storage_adapter:delete(domain .. ":challenge:" .. path)
 end
 
 function _M.get_cert(self, domain)
-  local json, err = self.adapter:get(domain .. ":latest")
+  local json, err = self.storage_adapter:get(domain .. ":latest")
   if err then
     return nil, nil, err
   elseif not json then
     return nil
   end
 
-  local data = cjson.decode(json)
+  local data, json_err = self.json_adapter:decode(json)
+  if json_err then
+    return nil, nil, nil, json_err
+  end
+
   return data["fullchain_pem"], data["privkey_pem"], data["cert_pem"]
 end
 
@@ -40,23 +42,26 @@ function _M.set_cert(self, domain, fullchain_pem, privkey_pem, cert_pem)
   -- a single string (regardless of implementation), and we don't have to worry
   -- about race conditions with the public cert and private key being stored
   -- separately and getting out of sync.
-  local data = cjson.encode({
+  local string, err = self.json_adapter:encode({
     fullchain_pem = fullchain_pem,
     privkey_pem = privkey_pem,
     cert_pem = cert_pem,
   })
+  if err then
+    return nil, err
+  end
 
   -- Store the cert with the current timestamp, so the old certs are preserved
   -- in case something goes wrong.
   local time = ngx.now() * 1000
-  self.adapter:set(domain .. ":" .. time, data)
+  self.storage_adapter:set(domain .. ":" .. time, string)
 
   -- Store the cert under the "latest" alias, which is what this app will use.
-  return self.adapter:set(domain .. ":latest", data)
+  return self.storage_adapter:set(domain .. ":latest", string)
 end
 
 function _M.all_cert_domains(self)
-  local keys, err = self.adapter:keys_with_suffix(":latest")
+  local keys, err = self.storage_adapter:keys_with_suffix(":latest")
   if err then
     return nil, err
   end
@@ -91,7 +96,7 @@ function _M.issue_cert_lock(self, domain)
   local sleep_time = 0.5
   local max_time = 30
   repeat
-    local existing_value = self.adapter:get(key)
+    local existing_value = self.storage_adapter:get(key)
     if not existing_value then
       unlocked = true
     else
@@ -101,7 +106,7 @@ function _M.issue_cert_lock(self, domain)
   until unlocked or wait_time > max_time
 
   -- Create a new lock.
-  local ok, err = self.adapter:set(key, lock_rand_value, { exptime = 30 })
+  local ok, err = self.storage_adapter:set(key, lock_rand_value, { exptime = 30 })
   if not ok then
     return nil, err
   else
@@ -113,9 +118,9 @@ function _M.issue_cert_unlock(self, domain, lock_rand_value)
   local key = domain .. ":issue_cert_lock"
 
   -- Remove the existing lock if it matches the expected value.
-  local current_value, err = self.adapter:get(key)
+  local current_value, err = self.storage_adapter:get(key)
   if lock_rand_value == current_value then
-    return self.adapter:delete(key)
+    return self.storage_adapter:delete(key)
   elseif current_value then
     return false, "lock does not match expected value"
   else

t/inc/setup.pl

@@ -16,6 +16,7 @@ sub setup {
   $ENV{TEST_NGINX_NGROK_HOSTNAME} = ($ngrok->matchlist())[0] or die "failed to extract hostname for ngrok";
   $ENV{TEST_NGINX_RESTY_AUTO_SSL_DIR} ||= "/tmp/resty-auto-ssl-test";
   $ENV{TEST_NGINX_RESOLVER} ||= "8.8.8.8 8.8.4.4";
+  $ENV{TEST_NGINX_LUA_SHARE_DIR} ||= $ENV{TEST_LUA_SHARE_DIR};
 
   # If the tests have previously been run, wipe out any test data.
   if(-d $ENV{TEST_NGINX_RESTY_AUTO_SSL_DIR}) {