117}
118
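// CertificateAllowed implements the on-demand TLS "ask" permission check by
// issuing an HTTP GET to the configured endpoint with the requested hostname
// in the "domain" query parameter. Any 2xx response allows the certificate to
// be obtained; any other status is returned wrapped in ErrPermissionDenied, and
// a failure to prepare, parse or reach the endpoint is returned as a plain
// (non-denied) error so callers can tell "asked and refused" from "could not ask".
//
// name normally originates from the TLS ClientHello (SNI) and must be treated
// as untrusted; it only ever reaches the URL through url.Values encoding, so it
// cannot alter the endpoint's scheme, host, path or other query parameters.
// ctx may carry a *tls.ClientHelloInfo under certmagic.ClientHelloInfoCtxKey;
// it is used solely to log the remote address of the requesting client.
func (p PermissionByHTTP) CertificateAllowed(ctx context.Context, name string) error {
	// Expand placeholders (e.g. environment variables) in the endpoint URL.
	// The two `true` flags request strict replacement (presumably erroring on
	// empty/unknown placeholders -- confirm against the replacer), so a
	// misconfiguration fails instead of asking a mangled URL (#5036).
	askEndpoint, err := p.replacer.ReplaceOrErr(p.Endpoint, true, true)
	if err != nil {
		return fmt.Errorf("preparing 'ask' endpoint: %w", err)
	}

	askURL, err := url.Parse(askEndpoint)
	if err != nil {
		return fmt.Errorf("parsing ask URL: %w", err)
	}

	// Set (not Add) so a configured endpoint cannot end up with two competing
	// "domain" values; Encode percent-escapes the hostname.
	qs := askURL.Query()
	qs.Set("domain", name)
	askURL.RawQuery = qs.Encode()
	askURLString := askURL.String()

	// Best-effort client address for the logs; empty when the check is not
	// running inside a TLS handshake or the ClientHelloInfo carries no Conn
	// (guarding Conn avoids a nil dereference on a hand-built ClientHelloInfo).
	var remote string
	if chi, ok := ctx.Value(certmagic.ClientHelloInfoCtxKey).(*tls.ClientHelloInfo); ok && chi != nil && chi.Conn != nil {
		remote = chi.Conn.RemoteAddr().String()
	}

	if c := p.logger.Check(zapcore.DebugLevel, "asking permission endpoint"); c != nil {
		c.Write(
			zap.String("remote", remote),
			zap.String("domain", name),
			zap.String("url", askURLString),
		)
	}

	// NOTE(review): onDemandAskClient is configured elsewhere in this file. The
	// request does not carry ctx, so cancelling the handshake does not cancel
	// the ask; only the client's own timeout (assuming one is set there) bounds
	// it. Redirect behaviour is likewise whatever that client is configured with.
	resp, err := onDemandAskClient.Get(askURLString)
	if err != nil {
		// Deliberately not ErrPermissionDenied: a transport failure means the
		// question was never answered, not that it was answered "no".
		return fmt.Errorf("checking %v to determine if certificate for hostname '%s' should be allowed: %w",
			askEndpoint, name, err)
	}
	// Only the status code is consulted; the body is never read. The Close
	// error is ignored because nothing useful can be done about it here.
	resp.Body.Close()

	if c := p.logger.Check(zapcore.DebugLevel, "response from permission endpoint"); c != nil {
		c.Write(
			zap.String("remote", remote),
			zap.String("domain", name),
			zap.String("url", askURLString),
			zap.Int("status", resp.StatusCode),
		)
	}

	// Fail closed: anything outside 200-299 denies the certificate.
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("%s: %w %s - non-2xx status code %d", name, ErrPermissionDenied, askEndpoint, resp.StatusCode)
	}

	return nil
}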
170
171// ErrPermissionDenied is an error that should be wrapped or returned when the
172// configured permission module does not allow a certificate to be issued,
