
Commit 4b9849c

httpcaddyfile: Support configuring pki app names via global options (caddyserver#4450)
1 parent 80d7a35 commit 4b9849c


2 files changed

+185
-3
lines changed

2 files changed

+185
-3
lines changed

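--- a/caddyconfig/httpcaddyfile/pkiapp.go
+++ b/caddyconfig/httpcaddyfile/pkiapp.go
@@ -16,23 +16,108 @@ package httpcaddyfile
 
 import (
 "github.com/caddyserver/caddy/v2/caddyconfig"
+"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 "github.com/caddyserver/caddy/v2/modules/caddypki"
 )
 
+func init() {
+RegisterGlobalOption("pki", parsePKIApp)
+}
+
+// parsePKIApp parses the global log option. Syntax:
+//
+// pki {
+// ca [<id>] {
+// name <name>
+// root_cn <name>
+// intermediate_cn <name>
+// }
+// }
+//
+// When the CA ID is unspecified, 'local' is assumed.
+//
+func parsePKIApp(d *caddyfile.Dispenser, existingVal interface{}) (interface{}, error) {
+pki := &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
+
+for d.Next() {
+for nesting := d.Nesting(); d.NextBlock(nesting); {
+switch d.Val() {
+case "ca":
+pkiCa := new(caddypki.CA)
+if d.NextArg() {
+pkiCa.ID = d.Val()
+if d.NextArg() {
+return nil, d.ArgErr()
+}
+}
+if pkiCa.ID == "" {
+pkiCa.ID = caddypki.DefaultCAID
+}
+
+for nesting := d.Nesting(); d.NextBlock(nesting); {
+switch d.Val() {
+case "name":
+if !d.NextArg() {
+return nil, d.ArgErr()
+}
+pkiCa.Name = d.Val()
+
+case "root_cn":
+if !d.NextArg() {
+return nil, d.ArgErr()
+}
+pkiCa.RootCommonName = d.Val()
+
+case "intermediate_cn":
+if !d.NextArg() {
+return nil, d.ArgErr()
+}
+pkiCa.IntermediateCommonName = d.Val()
+
+default:
+return nil, d.Errf("unrecognized pki ca option '%s'", d.Val())
+}
+}
+
+pki.CAs[pkiCa.ID] = pkiCa
+
+default:
+return nil, d.Errf("unrecognized pki option '%s'", d.Val())
+}
+}
+}
+
+return pki, nil
+}
+
 func (st ServerType) buildPKIApp(
 pairings []sbAddrAssociation,
 options map[string]interface{},
 warnings []caddyconfig.Warning,
 ) (*caddypki.PKI, []caddyconfig.Warning, error) {
 
-pkiApp := &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
-
 skipInstallTrust := false
 if _, ok := options["skip_install_trust"]; ok {
 skipInstallTrust = true
 }
 falseBool := false
 
+// Load the PKI app configured via global options
+var pkiApp *caddypki.PKI
+unwrappedPki, ok := options["pki"].(*caddypki.PKI)
+if ok {
+pkiApp = unwrappedPki
+} else {
+pkiApp = &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
+}
+for _, ca := range pkiApp.CAs {
+if skipInstallTrust {
+ca.InstallTrust = &falseBool
+}
+pkiApp.CAs[ca.ID] = ca
+}
+
+// Add in the CAs configured via directives
 for _, p := range pairings {
 for _, sblock := range p.serverBlocks {
 // find all the CAs that were defined and add them to the app config
@@ -42,7 +127,12 @@ func (st ServerType) buildPKIApp(
 if skipInstallTrust {
 ca.InstallTrust = &falseBool
 }
-pkiApp.CAs[ca.ID] = ca
+
+// the CA might already exist from global options, so
+// don't overwrite it in that case
+if _, ok := pkiApp.CAs[ca.ID]; !ok {
+pkiApp.CAs[ca.ID] = ca
+}
 }
 }
 }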

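--- a/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt
+++ b/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt
@@ -1,10 +1,34 @@
 {
 skip_install_trust
+pki {
+ca {
+name "Local"
+root_cn "Custom Local Root Name"
+intermediate_cn "Custom Local Intermediate Name"
+}
+ca foo {
+name "Foo"
+root_cn "Custom Foo Root Name"
+intermediate_cn "Custom Foo Intermediate Name"
+}
+}
 }
 
 a.example.com {
 tls internal
 }
+
+acme.example.com {
+acme_server {
+ca foo
+}
+}
+
+acme-bar.example.com {
+acme_server {
+ca bar
+}
+}
 ----------
 {
 "apps": {
@@ -15,6 +39,56 @@ a.example.com {
 ":443"
 ],
 "routes": [
+{
+"match": [
+{
+"host": [
+"acme-bar.example.com"
+]
+}
+],
+"handle": [
+{
+"handler": "subroute",
+"routes": [
+{
+"handle": [
+{
+"ca": "bar",
+"handler": "acme_server"
+}
+]
+}
+]
+}
+],
+"terminal": true
+},
+{
+"match": [
+{
+"host": [
+"acme.example.com"
+]
+}
+],
+"handle": [
+{
+"handler": "subroute",
+"routes": [
+{
+"handle": [
+{
+"ca": "foo",
+"handler": "acme_server"
+}
+]
+}
+]
+}
+],
+"terminal": true
+},
 {
 "match": [
 {
@@ -31,14 +105,32 @@ a.example.com {
 },
 "pki": {
 "certificate_authorities": {
+"bar": {
+"install_trust": false
+},
+"foo": {
+"name": "Foo",
+"root_common_name": "Custom Foo Root Name",
+"intermediate_common_name": "Custom Foo Intermediate Name",
+"install_trust": false
+},
 "local": {
+"name": "Local",
+"root_common_name": "Custom Local Root Name",
+"intermediate_common_name": "Custom Local Intermediate Name",
 "install_trust": false
 }
 }
 },
 "tls": {
 "automation": {
 "policies": [
+{
+"subjects": [
+"acme-bar.example.com",
+"acme.example.com"
+]
+},
 {
 "subjects": [
 "a.example.com"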
