makeCertMagicConfig constructs a certmagic.Config for this policy using the provided issuers and storage. It encapsulates the logic shared by Provision and RebuildCertMagic so that the code is not duplicated.
(tlsApp *TLS, issuers []certmagic.Issuer, storage certmagic.Storage)
| 270 | // provided issuers and storage. It encapsulates common logic shared between |
| 271 | // Provision and RebuildCertMagic so we don't duplicate code. |
| 272 | func (ap *AutomationPolicy) makeCertMagicConfig(tlsApp *TLS, issuers []certmagic.Issuer, storage certmagic.Storage) (certmagic.Config, error) { |
| 273 | // key source |
| 274 | keyType := ap.KeyType |
| 275 | if keyType != "" { |
| 276 | var err error |
| 277 | keyType, err = caddy.NewReplacer().ReplaceOrErr(ap.KeyType, true, true) |
| 278 | if err != nil { |
| 279 | return certmagic.Config{}, fmt.Errorf("invalid key type %s: %s", ap.KeyType, err) |
| 280 | } |
| 281 | if _, ok := supportedCertKeyTypes[keyType]; !ok { |
| 282 | return certmagic.Config{}, fmt.Errorf("unrecognized key type: %s", keyType) |
| 283 | } |
| 284 | } |
| 285 | keySource := certmagic.StandardKeyGenerator{ |
| 286 | KeyType: supportedCertKeyTypes[keyType], |
| 287 | } |
| 288 | |
| 289 | if storage == nil { |
| 290 | storage = tlsApp.ctx.Storage() |
| 291 | } |
| 292 | |
| 293 | // on-demand TLS |
| 294 | var ond *certmagic.OnDemandConfig |
| 295 | if ap.OnDemand || len(ap.Managers) > 0 { |
| 296 | // permission module is now required after a number of negligence cases that allowed abuse; |
| 297 | // but it may still be optional for explicit subjects (bounded, non-wildcard), for the |
| 298 | // internal issuer since it doesn't cause public PKI pressure on ACME servers; subtly, it |
| 299 | // is useful to allow on-demand TLS to be enabled so Managers can be used, but to still |
| 300 | // prevent issuance from Issuers (when Managers don't provide a certificate) if there's no |
| 301 | // permission module configured |
| 302 | noProtections := ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.permission == nil) |
| 303 | failClosed := noProtections && !ap.hadExplicitManagers // don't allow on-demand issuance (other than implicit managers) if no managers have been explicitly configured |
| 304 | if noProtections { |
| 305 | if !ap.hadExplicitManagers { |
| 306 | // no managers, no explicitly-configured permission module, this is a config error |
| 307 | return certmagic.Config{}, fmt.Errorf("on-demand TLS cannot be enabled without a permission module to prevent abuse; please refer to documentation for details") |
| 308 | } |
| 309 | // allow on-demand to be enabled but only for the purpose of the Managers; issuance won't be allowed from Issuers |
| 310 | tlsApp.logger.Warn("on-demand TLS can only get certificates from the configured external manager(s) because no ask endpoint / permission module is specified") |
| 311 | } |
| 312 | ond = &certmagic.OnDemandConfig{ |
| 313 | DecisionFunc: func(ctx context.Context, name string) error { |
| 314 | if failClosed { |
| 315 | return fmt.Errorf("no permission module configured; certificates not allowed except from external Managers") |
| 316 | } |
| 317 | if tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil { |
| 318 | return nil |
| 319 | } |
| 320 | |
| 321 | // logging the remote IP can be useful for servers that want to count |
| 322 | // attempts from clients to detect patterns of abuse -- it should NOT be |
| 323 | // used solely for decision making, however |
| 324 | var remoteIP string |
| 325 | if hello, ok := ctx.Value(certmagic.ClientHelloInfoCtxKey).(*tls.ClientHelloInfo); ok && hello != nil { |
| 326 | if remote := hello.Conn.RemoteAddr(); remote != nil { |
| 327 | remoteIP, _, _ = net.SplitHostPort(remote.String()) |
| 328 | } |
| 329 | } |