author | Matthew Holt <mholt@users.noreply.github.com> | 2020-04-09 13:09:48 -0600 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2020-04-09 13:09:48 -0600 |
commit | 85f5f47f31f09f8dda6f6ab77749edddb17551a1 (patch) | |
tree | 641944dce493d83155653226ebbe16c9c797c14c /modules | |
parent | 6e4132eb89ccf399c97c9439f6f9ff9fcac21956 (diff) |
caddytls: Don't initialize default internal issuer unless necessary
Otherwise, a password prompt can occur unnecessarily.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/caddyhttp/autohttps.go | 2 | ||||
-rw-r--r-- | modules/caddytls/automation.go | 2 | ||||
-rw-r--r-- | modules/caddytls/tls.go | 62 |
3 files changed, 37 insertions, 29 deletions
diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go
index ecb988a..44cf581 100644
--- a/modules/caddyhttp/autohttps.go
+++ b/modules/caddyhttp/autohttps.go
@@ -339,7 +339,7 @@ uniqueDomainsLoop:
 			}
 			redirTo += "{http.request.uri}"
 			routes = append(routes, Route{
-				MatcherSets: []MatcherSet{MatcherSet{MatchProtocol("http")}},
+				MatcherSets: []MatcherSet{{MatchProtocol("http")}},
 				Handlers: []MiddlewareHandler{
 					StaticResponse{
 						StatusCode: WeakString(strconv.Itoa(http.StatusPermanentRedirect)),
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index c623b82..df76fd9 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -54,7 +54,7 @@ type AutomationConfig struct {
 	RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
 
 	defaultPublicAutomationPolicy *AutomationPolicy
-	defaultInternalAutomationPolicy *AutomationPolicy
+	defaultInternalAutomationPolicy *AutomationPolicy // only initialized if necessary
 }
 
 // AutomationPolicy designates the policy for automating the
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index ea80fa9..0e92f05 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -89,29 +89,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	}
 	t.certCache = certmagic.NewCache(cacheOpts)
 
-	// automation/management policies
-	if t.Automation == nil {
-		t.Automation = new(AutomationConfig)
-	}
-	t.Automation.defaultPublicAutomationPolicy = new(AutomationPolicy)
-	err := t.Automation.defaultPublicAutomationPolicy.Provision(t)
-	if err != nil {
-		return fmt.Errorf("provisioning default public automation policy: %v", err)
-	}
-	t.Automation.defaultInternalAutomationPolicy = &AutomationPolicy{
-		IssuerRaw: json.RawMessage(`{"module":"internal"}`),
-	}
-	err = t.Automation.defaultInternalAutomationPolicy.Provision(t)
-	if err != nil {
-		return fmt.Errorf("provisioning default internal automation policy: %v", err)
-	}
-	for i, ap := range t.Automation.Policies {
-		err := ap.Provision(t)
-		if err != nil {
-			return fmt.Errorf("provisioning automation policy %d: %v", i, err)
-		}
-	}
-
 	// certificate loaders
 	val, err := ctx.LoadModule(t, "CertificatesRaw")
 	if err != nil {
@@ -119,9 +96,8 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	}
 	for modName, modIface := range val.(map[string]interface{}) {
 		if modName == "automate" {
-			// special case; these will be loaded in later
-			// using our automation facilities, which we
-			// want to avoid during provisioning
+			// special case; these will be loaded in later using our automation facilities,
+			// which we want to avoid doing during provisioning
 			if automateNames, ok := modIface.(*AutomateLoader); ok && automateNames != nil {
 				t.automateNames = []string(*automateNames)
 			} else {
@@ -132,6 +108,38 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		t.certificateLoaders = append(t.certificateLoaders, modIface.(CertificateLoader))
 	}
 
+	// automation/management policies
+	if t.Automation == nil {
+		t.Automation = new(AutomationConfig)
+	}
+	t.Automation.defaultPublicAutomationPolicy = new(AutomationPolicy)
+	err = t.Automation.defaultPublicAutomationPolicy.Provision(t)
+	if err != nil {
+		return fmt.Errorf("provisioning default public automation policy: %v", err)
+	}
+	for _, n := range t.automateNames {
+		// if any names specified by the "automate" loader do not qualify for a public
+		// certificate, we should initialize a default internal automation policy
+		// (but we don't want to do this unnecessarily, since it may prompt for password!)
+		if certmagic.SubjectQualifiesForPublicCert(n) {
+			continue
+		}
+		t.Automation.defaultInternalAutomationPolicy = &AutomationPolicy{
+			IssuerRaw: json.RawMessage(`{"module":"internal"}`),
+		}
+		err = t.Automation.defaultInternalAutomationPolicy.Provision(t)
+		if err != nil {
+			return fmt.Errorf("provisioning default internal automation policy: %v", err)
+		}
+		break
+	}
+	for i, ap := range t.Automation.Policies {
+		err := ap.Provision(t)
+		if err != nil {
+			return fmt.Errorf("provisioning automation policy %d: %v", i, err)
+		}
+	}
+
 	// session ticket ephemeral keys (STEK) service and provider
 	if t.SessionTickets != nil {
 		err := t.SessionTickets.provision(ctx)
@@ -340,7 +348,7 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
 			}
 		}
 	}
-	if certmagic.SubjectQualifiesForPublicCert(name) {
+	if certmagic.SubjectQualifiesForPublicCert(name) || t.Automation.defaultInternalAutomationPolicy == nil {
 		return t.Automation.defaultPublicAutomationPolicy
 	}
 	return t.Automation.defaultInternalAutomationPolicy |
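Review bot: The condition added in the getAutomationPolicyForName hunk routes a name that does not qualify for a public certificate to defaultPublicAutomationPolicy whenever the internal default was skipped, and the Provision hunk above only provisions that default when one of the "automate" loader names fails SubjectQualifiesForPublicCert; if this function is ever reached with a non-public name that was not in t.automateNames, that name now goes to the public issuer rather than the internal one, which reads as a silent behavior change rather than an error. If that is the intended trade-off for avoiding the password prompt, it is worth stating on the condition, e.g. `// internal default exists only if an "automate" name needed it; other non-public names fall back to the public policy`. In the moved `for i, ap := range t.Automation.Policies` loop, `err := ap.Provision(t)` shadows the outer err that the lines just above assign with `=`; `err = ap.Provision(t)` would keep a single variable. The body of getAutomationPolicyForName begins outside the hunk.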