niki/vendor/golang.org/x/crypto/acme/autocert/renewal.go

// Copyright 2016 The Go Authors. All rights reserved.

// Use of this source code is governed by a BSD-style

// license that can be found in the LICENSE file.

package autocert

import (
	"context"
	"crypto"
	"sync"
	"time"
)

// renewJitter is the maximum deviation from Manager.RenewBefore.

const renewJitter = time.Hour

// domainRenewal tracks the state used by the periodic timers

// renewing a single domain's cert.

type domainRenewal struct {
	m *Manager

	ck certKey

	key crypto.Signer

	timerMu sync.Mutex

	timer *time.Timer

	timerClose chan struct{} // if non-nil, renew closes this channel (and nils out the timer fields) instead of running

}

// start starts a cert renewal timer at the time

// defined by the certificate expiration time exp.

//

// If the timer is already started, calling start is a noop.

func (dr *domainRenewal) start(exp time.Time) {

	dr.timerMu.Lock()

	defer dr.timerMu.Unlock()

	if dr.timer != nil {

		return

	}

	dr.timer = time.AfterFunc(dr.next(exp), dr.renew)

}

// stop stops the cert renewal timer and waits for any in-flight calls to renew

// to complete. If the timer is already stopped, calling stop is a noop.

func (dr *domainRenewal) stop() {

	dr.timerMu.Lock()

	defer dr.timerMu.Unlock()

	for {

		if dr.timer == nil {

			return

		}

		if dr.timer.Stop() {

			dr.timer = nil

			return

		} else {

			// dr.timer fired, and we acquired dr.timerMu before the renew callback did.

			// (We know this because otherwise the renew callback would have reset dr.timer!)

			timerClose := make(chan struct{})

			dr.timerClose = timerClose

			dr.timerMu.Unlock()

			<-timerClose

			dr.timerMu.Lock()

		}

	}

}

// renew is called periodically by a timer.

// The first renew call is kicked off by dr.start.

func (dr *domainRenewal) renew() {

	dr.timerMu.Lock()

	defer dr.timerMu.Unlock()

	if dr.timerClose != nil {

		close(dr.timerClose)

		dr.timer, dr.timerClose = nil, nil

		return

	}

	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)

	defer cancel()

	// TODO: rotate dr.key at some point?

	next, err := dr.do(ctx)

	if err != nil {

		next = renewJitter / 2

		next += time.Duration(pseudoRand.int63n(int64(next)))

	}

	testDidRenewLoop(next, err)

	dr.timer = time.AfterFunc(next, dr.renew)

}

// updateState locks and replaces the relevant Manager.state item with the given

// state. It additionally updates dr.key with the given state's key.

func (dr *domainRenewal) updateState(state *certState) {

	dr.m.stateMu.Lock()

	defer dr.m.stateMu.Unlock()

	dr.key = state.key

	dr.m.state[dr.ck] = state

}

// do is similar to Manager.createCert but it doesn't lock a Manager.state item.

// Instead, it requests a new certificate independently and, upon success,

// replaces dr.m.state item with a new one and updates cache for the given domain.

//

// It may lock and update the Manager.state if the expiration date of the currently

// cached cert is far enough in the future.

//

// The returned value is a time interval after which the renewal should occur again.

func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) {

	// a race is likely unavoidable in a distributed environment

	// but we try nonetheless

	if tlscert, err := dr.m.cacheGet(ctx, dr.ck); err == nil {

		next := dr.next(tlscert.Leaf.NotAfter)

		if next > dr.m.renewBefore()+renewJitter {

			signer, ok := tlscert.PrivateKey.(crypto.Signer)

			if ok {

				state := &certState{

					key: signer,

					cert: tlscert.Certificate,

					leaf: tlscert.Leaf,
				}

				dr.updateState(state)

				return next, nil

			}

		}

	}

	der, leaf, err := dr.m.authorizedCert(ctx, dr.key, dr.ck)

	if err != nil {

		return 0, err

	}

	state := &certState{

		key: dr.key,

		cert: der,

		leaf: leaf,
	}

	tlscert, err := state.tlscert()

	if err != nil {

		return 0, err

	}

	if err := dr.m.cachePut(ctx, dr.ck, tlscert); err != nil {

		return 0, err

	}

	dr.updateState(state)

	return dr.next(leaf.NotAfter), nil

}

func (dr *domainRenewal) next(expiry time.Time) time.Duration {

	d := expiry.Sub(dr.m.now()) - dr.m.renewBefore()

	// add a bit of randomness to renew deadline

	n := pseudoRand.int63n(int64(renewJitter))

	d -= time.Duration(n)

	if d < 0 {

		return 0

	}

	return d

}

var testDidRenewLoop = func(next time.Duration, err error) {}