authorMatthew Holt <mholt@users.noreply.github.com>2020-04-09 13:09:48 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2020-04-09 13:09:48 -0600
commit85f5f47f31f09f8dda6f6ab77749edddb17551a1 (patch)
tree641944dce493d83155653226ebbe16c9c797c14c /modules/caddytls
parent6e4132eb89ccf399c97c9439f6f9ff9fcac21956 (diff)
caddytls: Don't initialize default internal issuer unless necessary
Otherwise, a password prompt can occur unnecessarily.
Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/automation.go2
-rw-r--r--modules/caddytls/tls.go62
2 files changed, 36 insertions, 28 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index c623b82..df76fd9 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -54,7 +54,7 @@ type AutomationConfig struct {
RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
defaultPublicAutomationPolicy *AutomationPolicy
- defaultInternalAutomationPolicy *AutomationPolicy
+ defaultInternalAutomationPolicy *AutomationPolicy // only initialized if necessary
}
// AutomationPolicy designates the policy for automating the
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index ea80fa9..0e92f05 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -89,29 +89,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
}
t.certCache = certmagic.NewCache(cacheOpts)
- // automation/management policies
- if t.Automation == nil {
- t.Automation = new(AutomationConfig)
- }
- t.Automation.defaultPublicAutomationPolicy = new(AutomationPolicy)
- err := t.Automation.defaultPublicAutomationPolicy.Provision(t)
- if err != nil {
- return fmt.Errorf("provisioning default public automation policy: %v", err)
- }
- t.Automation.defaultInternalAutomationPolicy = &AutomationPolicy{
- IssuerRaw: json.RawMessage(`{"module":"internal"}`),
- }
- err = t.Automation.defaultInternalAutomationPolicy.Provision(t)
- if err != nil {
- return fmt.Errorf("provisioning default internal automation policy: %v", err)
- }
- for i, ap := range t.Automation.Policies {
- err := ap.Provision(t)
- if err != nil {
- return fmt.Errorf("provisioning automation policy %d: %v", i, err)
- }
- }
-
// certificate loaders
val, err := ctx.LoadModule(t, "CertificatesRaw")
if err != nil {
@@ -119,9 +96,8 @@ func (t *TLS) Provision(ctx caddy.Context) error {
}
for modName, modIface := range val.(map[string]interface{}) {
if modName == "automate" {
- // special case; these will be loaded in later
- // using our automation facilities, which we
- // want to avoid during provisioning
+ // special case; these will be loaded in later using our automation facilities,
+ // which we want to avoid doing during provisioning
if automateNames, ok := modIface.(*AutomateLoader); ok && automateNames != nil {
t.automateNames = []string(*automateNames)
} else {
@@ -132,6 +108,38 @@ func (t *TLS) Provision(ctx caddy.Context) error {
t.certificateLoaders = append(t.certificateLoaders, modIface.(CertificateLoader))
}
+ // automation/management policies
+ if t.Automation == nil {
+ t.Automation = new(AutomationConfig)
+ }
+ t.Automation.defaultPublicAutomationPolicy = new(AutomationPolicy)
+ err = t.Automation.defaultPublicAutomationPolicy.Provision(t)
+ if err != nil {
+ return fmt.Errorf("provisioning default public automation policy: %v", err)
+ }
+ for _, n := range t.automateNames {
+ // if any names specified by the "automate" loader do not qualify for a public
+ // certificate, we should initialize a default internal automation policy
+ // (but we don't want to do this unnecessarily, since it may prompt for password!)
+ if certmagic.SubjectQualifiesForPublicCert(n) {
+ continue
+ }
+ t.Automation.defaultInternalAutomationPolicy = &AutomationPolicy{
+ IssuerRaw: json.RawMessage(`{"module":"internal"}`),
+ }
+ err = t.Automation.defaultInternalAutomationPolicy.Provision(t)
+ if err != nil {
+ return fmt.Errorf("provisioning default internal automation policy: %v", err)
+ }
+ break
+ }
+ for i, ap := range t.Automation.Policies {
+ err := ap.Provision(t)
+ if err != nil {
+ return fmt.Errorf("provisioning automation policy %d: %v", i, err)
+ }
+ }
+
// session ticket ephemeral keys (STEK) service and provider
if t.SessionTickets != nil {
err := t.SessionTickets.provision(ctx)
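Review bot: The internal policy is now provisioned only when some entry of t.automateNames fails certmagic.SubjectQualifiesForPublicCert, so any lookup of a non-public name that did not arrive through the "automate" loader (if such a path exists — not visible from this hunk) will find defaultInternalAutomationPolicy nil and depend on the caller's fallback. The loop should state that invariant so the nil case is not mistaken for a bug elsewhere, e.g. `// invariant: defaultInternalAutomationPolicy is non-nil iff at least one "automate" name does not qualify for a public cert; getAutomationPolicyForName falls back to the public policy when it is nil`. Note that the names in explicit t.Automation.Policies are not consulted by this decision; if their Provision does not supply an issuer on its own, that gap would be worth a second look. Provision's body continues outside the hunk.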
@@ -340,7 +348,7 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
}
}
}
- if certmagic.SubjectQualifiesForPublicCert(name) {
+ if certmagic.SubjectQualifiesForPublicCert(name) || t.Automation.defaultInternalAutomationPolicy == nil {
return t.Automation.defaultPublicAutomationPolicy
}
return t.Automation.defaultInternalAutomationPolicy
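Review bot: The added `|| t.Automation.defaultInternalAutomationPolicy == nil` hands a name that does not qualify for a public certificate to the public (ACME) policy whenever no internal policy was provisioned, so a misconfiguration surfaces later as a failed public issuance instead of at this decision point. A comment should make the fallback explicit, e.g. `// the internal issuer is only provisioned when an "automate" name requires it; with none, fall back to the public policy rather than dereference nil`. If the nil case is reachable for names that genuinely need the internal issuer, returning an error from the caller would fail faster and more clearly than attempting public issuance. getAutomationPolicyForName starts outside the hunk.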