httpcaddyfile: Revise automation policy generation (#3824)

* httpcaddyfile: Revise automation policy generation

This should fix a frustrating edge case where wildcard subjects are
used, which potentially get shadowed by more specific versions of
themselves; see the new tests for an example. This change is motivated
by an actual customer requirement.

Although all the tests pass, this logic is incredibly complex and
nuanced, and I'm worried it is not correct. But it took me about 4 days
to get this far on a solution. I did my best.

* Fix typo

1 files changed, 80 insertions, 0 deletions

diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies.txt b/caddytest/integration/caddyfile_adapt/tls_automation_policies.txt
new file mode 100644
index 0000000..0a90e4a
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies.txt
@@ -0,0 +1,80 @@
+{
+	local_certs
+}
+
+*.tld, *.*.tld {
+	tls {
+		on_demand
+	}
+}
+
+foo.tld, www.foo.tld {
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"foo.tld",
+										"www.foo.tld"
+									]
+								}
+							],
+							"terminal": true
+						},
+						{
+							"match": [
+								{
+									"host": [
+										"*.tld",
+										"*.*.tld"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"foo.tld",
+							"www.foo.tld"
+						],
+						"issuer": {
+							"module": "internal"
+						}
+					},
+					{
+						"subjects": [
+							"*.*.tld",
+							"*.tld"
+						],
+						"issuer": {
+							"module": "internal"
+						},
+						"on_demand": true
+					},
+					{
+						"issuer": {
+							"module": "internal"
+						}
+					}
+				]
+			}
+		}
+	}
+}
\ No newline at end of file