authorFrancis Lavoie <lavofr@gmail.com>2021-06-07 14:18:49 -0400
committerGitHub <noreply@github.com>2021-06-07 12:18:49 -0600
commit658772ff24b9e1eabf6f254d039d91e8abfcb775 (patch)
treefe33063ee596c339066c71ff02034f4f2834a259
parent323ffd20764e0f31a26ac700952adbb937b9eb69 (diff)
httpcaddyfile: Add `skip_install_trust` global option (#4153)
Fixes https://github.com/caddyserver/caddy/issues/4002
-rw-r--r--caddyconfig/httpcaddyfile/options.go1
-rw-r--r--caddyconfig/httpcaddyfile/pkiapp.go20
-rw-r--r--caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt56
3 files changed, 77 insertions, 0 deletions
diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go
index 905ecae..fe8e319 100644
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@@ -39,6 +39,7 @@ func init() {
RegisterGlobalOption("acme_dns", parseOptACMEDNS)
RegisterGlobalOption("acme_eab", parseOptACMEEAB)
RegisterGlobalOption("cert_issuer", parseOptCertIssuer)
+ RegisterGlobalOption("skip_install_trust", parseOptTrue)
RegisterGlobalOption("email", parseOptSingleString)
RegisterGlobalOption("admin", parseOptAdmin)
RegisterGlobalOption("on_demand_tls", parseOptOnDemand)
diff --git a/caddyconfig/httpcaddyfile/pkiapp.go b/caddyconfig/httpcaddyfile/pkiapp.go
index 3abcc6b..a21951d 100644
--- a/caddyconfig/httpcaddyfile/pkiapp.go
+++ b/caddyconfig/httpcaddyfile/pkiapp.go
@@ -27,15 +27,35 @@ func (st ServerType) buildPKIApp(
pkiApp := &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
+ skipInstallTrust := false
+ if _, ok := options["skip_install_trust"]; ok {
+ skipInstallTrust = true
+ }
+ falseBool := false
+
for _, p := range pairings {
for _, sblock := range p.serverBlocks {
// find all the CAs that were defined and add them to the app config
+ // i.e. from any "acme_server" directives
for _, caCfgValue := range sblock.pile["pki.ca"] {
ca := caCfgValue.Value.(*caddypki.CA)
+ if skipInstallTrust {
+ ca.InstallTrust = &falseBool
+ }
pkiApp.CAs[ca.ID] = ca
}
}
}
+ // if there was no CAs defined in any of the servers,
+ // and we were requested to not install trust, then
+ // add one for the default/local CA to do so
+ if len(pkiApp.CAs) == 0 && skipInstallTrust {
+ ca := new(caddypki.CA)
+ ca.ID = caddypki.DefaultCAID
+ ca.InstallTrust = &falseBool
+ pkiApp.CAs[ca.ID] = ca
+ }
+
return pkiApp, warnings, nil
}
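Review bot: The fallback guarded by `if len(pkiApp.CAs) == 0 && skipInstallTrust` only injects a `local` CA with `install_trust: false` when no CA at all was collected from `pki.ca`, so a Caddyfile that declares a CA with a non-default ID via `acme_server` and also uses `tls internal` (which, judging by the fixture in this commit, presumably lands on the default `local` CA) would leave the default CA unconfigured and still have the process install a root into the system trust store, which is exactly what the option is meant to prevent. Keying the check on the default ID rather than the count closes that gap: `if _, ok := pkiApp.CAs[caddypki.DefaultCAID]; !ok && skipInstallTrust {`. Separately, every CA is pointed at the single `falseBool` variable; that is harmless as long as nothing later writes through `*ca.InstallTrust`, but a per-CA `f := false` would keep the configs independent. The `buildPKIApp` signature and its parameters start before this hunk.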
diff --git a/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt b/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt
new file mode 100644
index 0000000..f949ac1
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt
@@ -0,0 +1,56 @@
+{
+ skip_install_trust
+}
+
+a.example.com {
+ tls internal
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "a.example.com"
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ }
+ }
+ },
+ "pki": {
+ "certificate_authorities": {
+ "local": {
+ "install_trust": false
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "subjects": [
+ "a.example.com"
+ ],
+ "issuers": [
+ {
+ "module": "internal"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+} \ No newline at end of file