Remove unnecessary complexity and accept all tokens (#54)

Controllers/HttpChallengeController.cs

@@ -26,12 +26,7 @@ public HttpChallengeController(ILogger<HttpChallengeController> log, CertClient
     public IActionResult GetChallengeResults(string token)
     {
         _log.LogInformation("Received ACME Challenge: {token}", token);
-        var thumb = _cert.GetThumbprint(token);
-        if (thumb == null)
-        {
-            return NotFound();
-        }
-
+        var thumb = _cert.GetThumbprint();
         return Ok($"{token}.{thumb}");
     }
 }

Services/CertClient.cs

@@ -20,7 +20,6 @@ public class CertClient
     private const string SanOid = "2.5.29.17";
 
     private readonly RSA _rsa = RSA.Create(2048);
-    private readonly HashSet<string> _validKeys = new();
     private readonly KCertConfig _cfg;
     private readonly ILogger<CertClient> _log;
 
@@ -64,18 +63,9 @@ public static string GenerateNewKey()
         var key = sign.ExportECPrivateKey();
         return Base64UrlTextEncoder.Encode(key);
     }
-    public void AddChallengeToken(string token) => _validKeys.Add(token);
 
-    public void ClearChallengeTokens() => _validKeys.Clear();
-
-    public string GetThumbprint(string token)
+    public string GetThumbprint()
     {
-        if (!_cfg.AcceptAllChallenges && !_validKeys.Contains(token))
-        {
-            _log.LogWarning("Rejected thumb request for {k}", token);
-            return null;
-        }
-
         var sign = GetSigner(_cfg.AcmeKey);
         var jwk = GetJwk(sign);
         var jwkJson = JsonSerializer.Serialize(jwk);

Services/KCertConfig.cs

@@ -17,7 +17,6 @@ public KCertConfig(IConfiguration cfg)
 
     public bool WatchIngresses => GetBool("KCert:WatchIngresses");
     public string K8sConfigFile => _cfg["Config"];
-    public bool AcceptAllChallenges => GetBool("KCert:AcceptAllChallenges");
     public string KCertNamespace => GetString("KCert:Namespace");
     public string KCertSecretName => GetString("KCert:SecretName");
     public string KCertServiceName => GetString("KCert:ServiceName");

Services/RenewalHandler.cs

@@ -27,7 +27,6 @@ public RenewalHandler(BufferedLogger<RenewalHandler> log, AcmeClient acme, K8sCl
 
     public async Task RenewCertAsync(string ns, string secretName, string[] hosts)
     {
-        _cert.ClearChallengeTokens();
         _log.Clear();
 
         try
@@ -61,10 +60,6 @@ public async Task RenewCertAsync(string ns, string secretName, string[] hosts)
                 Logs = _log.Dump(),
             };
         }
-        finally
-        {
-            _cert.ClearChallengeTokens();
-        }
     }
 
     private async Task<(string KID, string Nonce)> InitAsync(string key, Uri acmeDir, string email, bool termsAccepted)
@@ -94,7 +89,6 @@ private async Task<string> ValidateAuthorizationAsync(string key, string kid, st
 
         var challengeUri = new Uri(auth.Challenges.FirstOrDefault(c => c.Type == "http-01")?.Url);
         var chall = await _acme.TriggerChallengeAsync(key, challengeUri, kid, nonce);
-        _cert.AddChallengeToken(chall.Token);
         nonce = chall.Nonce;
         _log.LogInformation("TriggerChallenge {challengeUri}: {status}", challengeUri, chall.Status);
 

appsettings.json

@@ -5,7 +5,6 @@
     "SecretName": "kcert",
     "ServiceName": "kcert",
     "ServicePort": 80,
-    "AcceptAllChallenges": false,
     "WatchIngresses": true,
     "ShowRenewButton": false,
     "InitialSleepOnFailure": 30