Promisify boot

ishitatsuyuki · ishitatsuyuki · commit 7af38e0bd04f · 2018-03-22T12:48:23.000+09:00
diff --git a/app.js b/app.js
@@ -15,11 +15,11 @@ const machines = require('./lib/machines');
 const routes = require('./lib/routes');
 const users = require('./lib/users');
 
-boot.executeInParallel([
+Promise.all([
   boot.forwardHttp,
   boot.ensureHttpsCertificates,
   boot.ensureDockerTlsCertificates
-], () => {
+]).then(() => {
   // You can customize these values in './db.json'.
   const hostname = db.get('hostname', 'localhost');
   const https = db.get('https');
diff --git a/join.js b/join.js
@@ -24,13 +24,14 @@ if (!hostname || hostname === 'localhost') {
 
 log('[ok] will try to join cluster as [hostname = ' + hostname + ']');
 
-boot.executeInParallel([
-  boot.forwardHttp,
-  boot.ensureHttpsCertificates,
-  boot.ensureDockerTlsCertificates,
-  boot.verifyJanitorOAuth2Access
-], () => {
-  boot.registerDockerClient(() => {
+Promise.all([
+  boot.forwardHttp(),
+  boot.ensureHttpsCertificates(),
+  boot.ensureDockerTlsCertificates(),
+  boot.verifyJanitorOAuth2Access()
+])
+  .then(() => boot.registerDockerClient())
+  .then(() => {
     log('[ok] joined cluster as [hostname = ' + hostname + ']');
 
     const https = db.get('https');
@@ -80,7 +81,6 @@ boot.executeInParallel([
       });
     });
   });
-});
 
 // Associate some non-persistent data to sessions.
 const oauth2States = {};
diff --git a/lib/boot.js b/lib/boot.js
@@ -3,6 +3,10 @@
 
 const fs = require('fs');
 const http = require('http');
+const {promisify} = require('util');
+const chmod = promisify(fs.chmod);
+const readFile = promisify(fs.readFile);
+const writeFile = promisify(fs.writeFile);
 
 const certificates = require('./certificates');
 const db = require('./db');
@@ -11,26 +15,8 @@ const oauth2 = require('./oauth2');
 
 const hostname = db.get('hostname', 'localhost');
 
-// Run given tasks in parrallel, and only call `next()` when all have succeeded.
-exports.executeInParallel = function (tasks, next) {
-  let complete = 0;
-
-  for (const task of tasks) {
-    try {
-      task(() => {
-        complete++;
-        if (complete === tasks.length) {
-          next();
-        }
-      });
-    } catch (error) {
-      log('[fail] boot task', error);
-    }
-  }
-};
-
 // Permanently redirect all HTTP requests to HTTPS.
-exports.forwardHttp = function (next) {
+exports.forwardHttp = function () {
   const ports = db.get('ports');
   if (!ports.http || !ports.https) {
     // Use `make ports` to set up this unprivileged HTTP port.
@@ -55,17 +41,14 @@ exports.forwardHttp = function (next) {
     response.end();
   });
 
-  forwarder.listen(ports.http, () => {
-    log('[ok] forwarding http:// → https://');
-    next();
-  });
+  const listen = promisify(forwarder.listen);
+  return listen(ports.http);
 };
 
 // Verify HTTPS certificates and generate new ones if necessary.
-exports.ensureHttpsCertificates = function (next) {
+exports.ensureHttpsCertificates = async function () {
   if (db.get('security').forceHttp) {
     log('[warning] skipped https credentials verification');
-    next();
     return;
   }
 
@@ -79,7 +62,6 @@ exports.ensureHttpsCertificates = function (next) {
 
   if (valid) {
     log('[ok] verified https credentials');
-    next();
     return;
   }
 
@@ -100,38 +82,34 @@ exports.ensureHttpsCertificates = function (next) {
   }
 
   log('requesting new https credentials…');
-  certificates.createHTTPSCertificate(parameters)
-    .then(({ certificate, accountKey }) => {
-      https.ca = [ certificate.ca ];
+  return certificates.createHTTPSCertificate(parameters)
+    .then(({certificate, accountKey}) => {
+      https.ca = [certificate.ca];
       https.crt = certificate.cert;
       https.key = certificate.privkey;
       letsencrypt.key = accountKey;
       db.save();
       log('[ok] new https credentials installed');
-      next();
-    })
-    .catch(error => {
-      log('[fail] letsencrypt', error);
     });
 };
 
 // Verify Docker TLS certificates, generate new ones if necessary.
-exports.ensureDockerTlsCertificates = function (next) {
+exports.ensureDockerTlsCertificates = async function () {
   // Read all TLS certificates.
   const tls = db.get('tls');
   const ca = tls.ca || {};
   const client = tls.client || {};
   const server = {};
 
   try {
-    server.ca = fs.readFileSync('./docker.ca', 'utf8');
-    server.crt = fs.readFileSync('./docker.crt', 'utf8');
-    server.key = fs.readFileSync('./docker.key', 'utf8');
+    server.ca = await readFile('./docker.ca', 'utf8');
+    server.crt = await readFile('./docker.crt', 'utf8');
+    server.key = await readFile('./docker.key', 'utf8');
   } catch (error) {
     if (error.code !== 'ENOENT') {
       log('[fail] could not read docker-tls certificates', error);
-      return;
     }
+    throw error;
   }
 
   let caValid = certificates.isValid({
@@ -142,42 +120,41 @@ exports.ensureDockerTlsCertificates = function (next) {
   let serverValid = false;
 
   if (!caValid) {
-    resetAllCertificates();
+    await resetAllCertificates();
     return;
   }
 
   clientValid = certificates.isValid({
-    ca: [ ca.crt ],
+    ca: [ca.crt],
     crt: client.crt,
     key: client.key
   });
 
   serverValid = certificates.isValid({
-    ca: [ ca.crt ],
+    ca: [ca.crt],
     crt: server.crt,
     key: server.key,
     hostname: hostname
   }) && (server.ca.trim() === ca.crt.trim());
 
   if (caValid && clientValid && serverValid) {
     log('[ok] verified docker-tls credentials');
-    next();
     return;
   }
 
   if (!clientValid) {
-    resetClientCertificate();
+    await resetClientCertificate();
   }
 
   if (!serverValid) {
-    resetServerCertificate();
+    await resetServerCertificate();
   }
 
   // Task: Reset the TLS certificate authority, then all depending certificates.
-  function resetAllCertificates () {
+  async function resetAllCertificates () {
     const parameters = {
       commonName: 'ca',
-      basicConstraints: { cA: true },
+      basicConstraints: {cA: true},
       keyUsage: {
         keyCertSign: true,
         digitalSignature: true,
@@ -186,16 +163,13 @@ exports.ensureDockerTlsCertificates = function (next) {
     };
 
     log('generating new docker-tls certificate authority…');
-    certificates.createTLSCertificate(parameters).then(({ crt, key }) => {
-      ca.crt = crt;
-      ca.key = key;
-      tls.ca = ca;
-      caValid = true;
-      resetClientCertificate();
-      resetServerCertificate();
-    }).catch(error => {
-      log('[fail] tls', error);
-    });
+    const {crt, key} = await certificates.createTLSCertificate(parameters);
+    ca.crt = crt;
+    ca.key = key;
+    tls.ca = ca;
+    caValid = true;
+    await resetClientCertificate();
+    await resetServerCertificate();
   }
 
   // Task: Reset the TLS client certificate.
@@ -210,103 +184,80 @@ exports.ensureDockerTlsCertificates = function (next) {
     };
 
     log('generating new docker-tls client certificate…');
-    certificates.createTLSCertificate(parameters).then(({ crt, key }) => {
+    return certificates.createTLSCertificate(parameters).then(({crt, key}) => {
       client.crt = crt;
       client.key = key;
       tls.client = client;
       clientValid = true;
-      done();
-    }).catch(error => {
-      log('[fail] tls', error);
     });
   }
 
   // Task: Reset the TLS server certificate.
-  function resetServerCertificate () {
+  async function resetServerCertificate () {
     const parameters = {
       commonName: hostname,
-      altNames: [ 'localhost' ],
+      altNames: ['localhost'],
       caCrt: ca.crt,
       caKey: ca.key
     };
 
     log('generating new docker-tls server certificate…');
-    certificates.createTLSCertificate(parameters).then(({ crt, key }) => {
-      server.crt = crt;
-      server.key = key;
-      const filesToWrite = {
-        './docker.ca': ca.crt,
-        './docker.crt': server.crt,
-        './docker.key': server.key
-      };
-
-      for (const file in filesToWrite) {
-        const path = file;
-        const value = filesToWrite[path];
-        fs.writeFile(path, value, (error) => {
-          if (error) {
-            log('[fail] unable to write ' + path, error);
-            return;
-          }
-
-          fs.chmod(path, 0o600 /* read + write by owner */, (error) => {
-            if (error) {
-              log('[fail] unable to protect ' + path, error);
-              return;
-            }
-
-            delete filesToWrite[path];
-            if (Object.keys(filesToWrite).length === 0) {
-              // FIXME: Can we force the docker daemon to restart here, or to
-              // switch certificates? Maybe we can do something like this:
-              //   `exec('sudo service docker restart')` ?
-              log('[fail] please manually restart the docker daemon');
-              // But continue anyway.
-              serverValid = true;
-              done();
-            }
-          });
-        });
+    const {crt, key} = await certificates.createTLSCertificate(parameters);
+    server.crt = crt;
+    server.key = key;
+    const filesToWrite = {
+      './docker.ca': ca.crt,
+      './docker.crt': server.crt,
+      './docker.key': server.key
+    };
+
+    for (const file in filesToWrite) {
+      const path = file;
+      const value = filesToWrite[path];
+      try {
+        await writeFile(path, value);
+      } catch (error) {
+        log('[fail] unable to write ' + path, error);
+        throw error;
+      }
+      try {
+        await chmod(path, 0o600 /* read + write by owner */);
+      } catch (error) {
+        log('[fail] unable to protect ' + path, error);
+        throw error;
       }
-    }).catch(error => {
-      log('[fail] tls', error);
-    });
-  }
 
-  // Wait for all required tasks to finish before proceeding.
-  function done () {
-    if (!caValid || !clientValid || !serverValid) {
-      // Some tasks are not finished yet. Let's wait.
-      return;
+      delete filesToWrite[path];
+      if (Object.keys(filesToWrite).length === 0) {
+        // FIXME: Can we force the docker daemon to restart here, or to
+        // switch certificates? Maybe we can do something like this:
+        //   `exec('sudo service docker restart')` ?
+        log('[warning] please manually restart the docker daemon');
+        // But continue anyway.
+        serverValid = true;
+      }
     }
-
-    // eslint-disable-next-line no-func-assign
-    done = null;
-    db.save();
-    log('[ok] new docker-tls credentials installed');
-    next();
   }
+
+  db.save();
+  log('[ok] new docker-tls credentials installed');
 };
 
 // Verify OAuth2 client access to a Janitor instance (for cluster hosts).
-exports.verifyJanitorOAuth2Access = function (next) {
+exports.verifyJanitorOAuth2Access = async function () {
   const parameters = {
     provider: 'janitor',
     path: '/api/hosts/' + hostname,
     serviceRequest: true
   };
 
-  oauth2.request(parameters).then(({ body, response }) => {
-    log('[ok] verified janitor-oauth2 access');
-    next();
-  }).catch(error => {
-    log('[fail] janitor-oauth2 access problem', error);
-  });
+  await oauth2.request(parameters);
+  log('[ok] verified janitor-oauth2 access');
 };
 
 // Provide our Docker TLS client certificates to the Janitor instance.
-exports.registerDockerClient = function (next) {
-  const { ca, client } = db.get('tls');
+exports.registerDockerClient = async function () {
+  const {ca, client} = db.get('tls');
   const parameters = {
     provider: 'janitor',
     path: '/api/hosts/' + hostname,
@@ -320,10 +271,6 @@ exports.registerDockerClient = function (next) {
     serviceRequest: true
   };
 
-  oauth2.request(parameters).then(({ body, response }) => {
-    log('[ok] registered docker-tls credentials');
-    next();
-  }).catch(error => {
-    log('[fail] unable to register docker-tls credentials:', error);
-  });
+  await oauth2.request(parameters);
+  log('[ok] registered docker-tls credentials');
 };
