Begin protecting autohsts users against renewal failure consequences

certbot-apache/certbot_apache/configurator.py

@@ -2471,5 +2471,25 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
         # Update AutoHSTS storage (We potentially removed vhosts from managed)
         self._autohsts_save_state()
 
+    def handle_autohsts_error(self, lineage, details):
+        self._autohsts_fetch_state()
+        if not self._autohsts:
+            # No autohsts enabled for any vhost
+            return
+        if details != "renewal failure":
+            logger.info("Ignoring unknown error in auto-hsts code: {0}".format(details))
+            return
+
+        # Renewal failure experienced; figure out which vhosts it affects
+        for id_str, config in list(self._autohsts.items()):
+            vhost = self.find_vhost_by_id(id_str)
+            if self._autohsts_vhost_in_lineage(vhost, lineage):
+            config["laststep"]
+
+
+
+
+
+
 
 AutoHSTSEnhancement.register(ApacheConfigurator)  # pylint: disable=no-member

certbot/plugins/enhancements.py

@@ -143,6 +143,19 @@ class AutoHSTSEnhancement(object):
         :type domains: str
         """
 
+    @abc.abstractmethod
+    def handle_autohsts_error(self, lineage, details, *args, **kwargs):
+        """
+        Handle an error that potentially has implications for AutoHSTS safety.
+        For now, this is just details == "renewal failure".
+
+        :param lineage: Certificate lineage object
+        :type lineage: certbot.storage.RenewableCert
+
+        :param details: Helpful string characterizing error
+        :type details: str
+        """
+
 # This is used to configure internal new style enhancements in Certbot. These
 # enhancement interfaces need to be defined in this file. Please do not modify
 # this list from plugin code.
@@ -159,6 +172,7 @@ _INDEX = [
         "class": AutoHSTSEnhancement,
         "updater_function": "update_autohsts",
         "deployer_function": "deploy_autohsts",
-        "enable_function": "enable_autohsts"
+        "enable_function": "enable_autohsts",
+        "error_handler_function", "handle_autohsts_error"
     }
 ]  # type: List[Dict[str, Any]]

certbot/updater.py

@@ -120,3 +120,31 @@ def _run_enhancement_deployers(lineage, installer, config):
     for enh in enhancements._INDEX:  # pylint: disable=protected-access
         if isinstance(installer, enh["class"]) and enh["deployer_function"]:
             getattr(installer, enh["deployer_function"])(lineage)
+
+def _run_enhancement_error_handlers(lineage, installer, config, details):
+    """Iterates through known enhancement interfaces. If the installer implements
+    an enhancement interface and the enhance interface has an updater method, its
+    error_handler method gets run.
+
+    :param lineage: Certificate lineage object
+    :type lineage: storage.RenewableCert
+
+    :param installer: Installer object
+    :type installer: interfaces.IInstaller
+
+    :param config: Configuration object
+    :type config: interfaces.IConfig
+
+    :param code: Helpful and possibly standardized error code! Can be any of:
+                 ["renewal failure"]
+    :type code: str
+    """
+
+    if config.disable_renew_updates:
+        return
+    for enh in enhancements._INDEX:  # pylint: disable=protected-access
+        if isinstance(installer, enh["class"]) and enh["error_handler_function"]:
+            getattr(installer, enh["error_handler_function"])(lineage, details)
+
+
+