feat(acme): (b) HTTP-01 Webroot-Handler in der API

internal/handlers/acme.go: GET /.well-known/acme-challenge/:token
serviert Token-Files aus /var/lib/edgeguard/acme/.well-known/
acme-challenge/ (default; override via EDGEGUARD_ACME_WEBROOT).
Validiert Token-Charset gegen RFC 8555 §8.3 (base64url, 1..128
chars) und prüft mit filepath.Abs+HasPrefix gegen path-traversal.
Mounted auf der bare gin Engine vor SetupGate/RequireAuth — ACME
muss unmittelbar nach HAProxy-Start funktionieren, lange bevor
ein Admin Setup abgeschlossen hat.

4 Unit-Tests (valid/missing/dir/invalid-charset). Live-Smoke gegen
/tmp/eg-acme bestanden.

Test gegen 89.163.205.6 mit echtem certbot wird Teil von (d) —
unnötig Let's-Encrypt-Rate-Limits zu verbrennen ohne stehendes
HAProxy-Frontend auf dem Server.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/handlers/acme.go

@@ -0,0 +1,91 @@
+package handlers
+
+import (
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+// ACMEHandler serves HTTP-01 challenge tokens that certbot dropped
+// into a webroot directory. HAProxy proxies all
+// /.well-known/acme-challenge/* requests to edgeguard-api on
+// 127.0.0.1:9443; this handler is what they hit.
+//
+// Layout on disk (matching certbot --webroot's default):
+//
+//	<root>/.well-known/acme-challenge/<token>
+//
+// where <root> defaults to /var/lib/edgeguard/acme. Files are
+// short-lived plaintext (~64 ASCII chars); the handler reads them
+// directly off disk on every request.
+type ACMEHandler struct {
+	WebrootDir string
+}
+
+func NewACMEHandler(webrootDir string) *ACMEHandler {
+	if webrootDir == "" {
+		webrootDir = "/var/lib/edgeguard/acme"
+	}
+	return &ACMEHandler{WebrootDir: webrootDir}
+}
+
+// Register mounts /.well-known/acme-challenge/:token on the bare
+// engine (NOT under /api/v1) and stays outside SetupGate / RequireAuth
+// — ACME runs as soon as HAProxy is up, often before the operator
+// has even completed setup.
+func (h *ACMEHandler) Register(r *gin.Engine) {
+	r.GET("/.well-known/acme-challenge/:token", h.serveToken)
+}
+
+func (h *ACMEHandler) serveToken(c *gin.Context) {
+	token := c.Param("token")
+	if !validToken(token) {
+		c.Status(http.StatusBadRequest)
+		return
+	}
+	full := filepath.Join(h.WebrootDir, ".well-known", "acme-challenge", token)
+	// Defense in depth: refuse paths that escape the webroot even
+	// after the validToken check (symlink / path-resolution edge
+	// cases).
+	abs, err := filepath.Abs(full)
+	if err != nil {
+		c.Status(http.StatusBadRequest)
+		return
+	}
+	rootAbs, err := filepath.Abs(h.WebrootDir)
+	if err != nil || !strings.HasPrefix(abs, rootAbs+string(os.PathSeparator)) {
+		c.Status(http.StatusBadRequest)
+		return
+	}
+	if info, err := os.Stat(abs); err != nil || info.IsDir() {
+		c.Status(http.StatusNotFound)
+		return
+	}
+	// Use c.File so client gets correct Content-Length, ETag, etc.
+	// Content-Type defaults to application/octet-stream which is fine
+	// for ACME — the spec doesn't pin a type.
+	c.File(abs)
+}
+
+// validToken accepts the RFC 8555 §8.3 charset for HTTP-01
+// challenges: base64url alphabet [A-Za-z0-9-_], length 1..128. We
+// reject everything else so the URL parser can never let a `..` or
+// path separator through.
+func validToken(s string) bool {
+	if len(s) == 0 || len(s) > 128 {
+		return false
+	}
+	for _, r := range s {
+		ok := (r >= 'a' && r <= 'z') ||
+			(r >= 'A' && r <= 'Z') ||
+			(r >= '0' && r <= '9') ||
+			r == '-' || r == '_'
+		if !ok {
+			return false
+		}
+	}
+	return true
+}

internal/handlers/acme_test.go

@@ -0,0 +1,84 @@
+package handlers
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+)
+
+func init() { gin.SetMode(gin.TestMode) }
+
+func setupACME(t *testing.T) (*gin.Engine, string) {
+	t.Helper()
+	root := t.TempDir()
+	if err := os.MkdirAll(filepath.Join(root, ".well-known", "acme-challenge"), 0o755); err != nil {
+		t.Fatal(err)
+	}
+	r := gin.New()
+	NewACMEHandler(root).Register(r)
+	return r, root
+}
+
+func TestACME_ServesExistingToken(t *testing.T) {
+	r, root := setupACME(t)
+	tokenContent := "abc123-some-key-authorisation"
+	tokenPath := filepath.Join(root, ".well-known", "acme-challenge", "tok_42")
+	if err := os.WriteFile(tokenPath, []byte(tokenContent), 0o644); err != nil {
+		t.Fatal(err)
+	}
+	rec := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/.well-known/acme-challenge/tok_42", nil)
+	r.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status: %d, body=%s", rec.Code, rec.Body.String())
+	}
+	if rec.Body.String() != tokenContent {
+		t.Errorf("body: %q", rec.Body.String())
+	}
+}
+
+func TestACME_MissingToken_Returns404(t *testing.T) {
+	r, _ := setupACME(t)
+	rec := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/.well-known/acme-challenge/notthere", nil)
+	r.ServeHTTP(rec, req)
+	if rec.Code != http.StatusNotFound {
+		t.Errorf("status: %d", rec.Code)
+	}
+}
+
+func TestACME_RejectsTraversal(t *testing.T) {
+	// gin parses `:token` as one path segment, so `..` literally
+	// can't reach the handler — but we still want the validToken
+	// guard to reject any non-charset value defensively.
+	cases := []string{
+		"a/b",
+		"..",
+		"a%2Fb",
+		"with space",
+		"semi;colon",
+	}
+	for _, c := range cases {
+		if validToken(c) {
+			t.Errorf("validToken(%q) should be false", c)
+		}
+	}
+}
+
+func TestACME_DirIsNotAFile(t *testing.T) {
+	r, root := setupACME(t)
+	if err := os.Mkdir(filepath.Join(root, ".well-known", "acme-challenge", "subdir"), 0o755); err != nil {
+		t.Fatal(err)
+	}
+	rec := httptest.NewRecorder()
+	req, _ := http.NewRequest(http.MethodGet, "/.well-known/acme-challenge/subdir", nil)
+	r.ServeHTTP(rec, req)
+	if rec.Code != http.StatusNotFound {
+		t.Errorf("expected 404 for directory, got %d", rec.Code)
+	}
+}