
Method makeCertMagicConfig

modules/caddytls/automation.go:272–381  ·  view source on GitHub ↗

makeCertMagicConfig constructs a certmagic.Config for this policy using the provided issuers and storage. It encapsulates common logic shared between Provision and RebuildCertMagic so we don't duplicate code.

(tlsApp *TLS, issuers []certmagic.Issuer, storage certmagic.Storage)


270// provided issuers and storage. It encapsulates common logic shared between
271// Provision and RebuildCertMagic so we don't duplicate code.
272func (ap *AutomationPolicy) makeCertMagicConfig(tlsApp *TLS, issuers []certmagic.Issuer, storage certmagic.Storage) (certmagic.Config, error) {
273 // key source
274 keyType := ap.KeyType
275 if keyType != "" {
276 var err error
277 keyType, err = caddy.NewReplacer().ReplaceOrErr(ap.KeyType, true, true)
278 if err != nil {
279 return certmagic.Config{}, fmt.Errorf("invalid key type %s: %s", ap.KeyType, err)
280 }
281 if _, ok := supportedCertKeyTypes[keyType]; !ok {
282 return certmagic.Config{}, fmt.Errorf("unrecognized key type: %s", keyType)
283 }
284 }
285 keySource := certmagic.StandardKeyGenerator{
286 KeyType: supportedCertKeyTypes[keyType],
287 }
288
289 if storage == nil {
290 storage = tlsApp.ctx.Storage()
291 }
292
293 // on-demand TLS
294 var ond *certmagic.OnDemandConfig
295 if ap.OnDemand || len(ap.Managers) > 0 {
296 // permission module is now required after a number of negligence cases that allowed abuse;
297 // but it may still be optional for explicit subjects (bounded, non-wildcard), for the
298 // internal issuer since it doesn't cause public PKI pressure on ACME servers; subtly, it
299 // is useful to allow on-demand TLS to be enabled so Managers can be used, but to still
300 // prevent issuance from Issuers (when Managers don't provide a certificate) if there's no
301 // permission module configured
302 noProtections := ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.permission == nil)
303 failClosed := noProtections && !ap.hadExplicitManagers // don't allow on-demand issuance (other than implicit managers) if no managers have been explicitly configured
304 if noProtections {
305 if !ap.hadExplicitManagers {
306 // no managers, no explicitly-configured permission module, this is a config error
307 return certmagic.Config{}, fmt.Errorf("on-demand TLS cannot be enabled without a permission module to prevent abuse; please refer to documentation for details")
308 }
309 // allow on-demand to be enabled but only for the purpose of the Managers; issuance won't be allowed from Issuers
310 tlsApp.logger.Warn("on-demand TLS can only get certificates from the configured external manager(s) because no ask endpoint / permission module is specified")
311 }
312 ond = &certmagic.OnDemandConfig{
313 DecisionFunc: func(ctx context.Context, name string) error {
314 if failClosed {
315 return fmt.Errorf("no permission module configured; certificates not allowed except from external Managers")
316 }
317 if tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil {
318 return nil
319 }
320
321 // logging the remote IP can be useful for servers that want to count
322 // attempts from clients to detect patterns of abuse -- it should NOT be
323 // used solely for decision making, however
324 var remoteIP string
325 if hello, ok := ctx.Value(certmagic.ClientHelloInfoCtxKey).(*tls.ClientHelloInfo); ok && hello != nil {
326 if remote := hello.Conn.RemoteAddr(); remote != nil {
327 remoteIP, _, _ = net.SplitHostPort(remote.String())
328 }
329 }
