(ctx context.Context, name string)
| 117 | } |
| 118 | |
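// CertificateAllowed asks the configured HTTP endpoint whether a certificate
// for name may be issued. The endpoint URL is first run through the replacer
// (so it may reference environment variables), then requested with a "domain"
// query parameter set to name. A 2xx response allows the certificate; any
// other status is reported as an error wrapping ErrPermissionDenied, so callers
// can tell a deliberate denial (errors.Is) apart from a configuration or
// transport failure, which are returned as ordinary wrapped errors.
func (p PermissionByHTTP) CertificateAllowed(ctx context.Context, name string) error {
	// run replacer on endpoint URL (for environment variables) -- return errors to prevent surprises (#5036)
	askEndpoint, err := p.replacer.ReplaceOrErr(p.Endpoint, true, true)
	if err != nil {
		return fmt.Errorf("preparing 'ask' endpoint: %w", err)
	}

	askURL, err := url.Parse(askEndpoint)
	if err != nil {
		return fmt.Errorf("parsing ask URL: %w", err)
	}
	// name originates from the peer (ctx carries the handshake's ClientHelloInfo),
	// so it is set through the query API, which percent-encodes it, rather than
	// concatenated into the URL string.
	qs := askURL.Query()
	qs.Set("domain", name)
	askURL.RawQuery = qs.Encode()
	askURLString := askURL.String()

	// The remote address is only used for logging; outside a real handshake the
	// ClientHelloInfo, or its Conn, may be absent, so treat both as optional.
	var remote string
	if chi, ok := ctx.Value(certmagic.ClientHelloInfoCtxKey).(*tls.ClientHelloInfo); ok && chi != nil && chi.Conn != nil {
		remote = chi.Conn.RemoteAddr().String()
	}

	// NOTE(review): askURLString here (and askEndpoint in the errors below) is
	// the fully expanded endpoint; if the configured URL carries credentials in
	// its userinfo they end up in debug logs and error text — consider
	// askURL.Redacted() for both.
	if c := p.logger.Check(zapcore.DebugLevel, "asking permission endpoint"); c != nil {
		c.Write(
			zap.String("remote", remote),
			zap.String("domain", name),
			zap.String("url", askURLString),
		)
	}

	// NOTE(review): ctx is not attached to this request, so a cancelled or
	// timed-out handshake does not abort the ask; whatever timeout
	// onDemandAskClient carries is the only bound. http.NewRequestWithContext
	// would fix that, provided net/http is imported in this file.
	resp, err := onDemandAskClient.Get(askURLString)
	if err != nil {
		return fmt.Errorf("checking %v to determine if certificate for hostname '%s' should be allowed: %w",
			askEndpoint, name, err)
	}
	// only the status code carries the decision; the body is never read
	resp.Body.Close()

	if c := p.logger.Check(zapcore.DebugLevel, "response from permission endpoint"); c != nil {
		c.Write(
			zap.String("remote", remote),
			zap.String("domain", name),
			zap.String("url", askURLString),
			zap.Int("status", resp.StatusCode),
		)
	}

	// anything outside 2xx is a denial; wrap the sentinel so errors.Is works
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("%s: %w %s - non-2xx status code %d", name, ErrPermissionDenied, askEndpoint, resp.StatusCode)
	}

	return nil
}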
| 170 | |
| 171 | // ErrPermissionDenied is an error that should be wrapped or returned when the |
| 172 | // configured permission module does not allow a certificate to be issued, |