Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/automation.go24
-rw-r--r--modules/caddytls/tls.go21
2 files changed, 32 insertions, 13 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 1cfb28c..58ffe4c 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -85,7 +85,7 @@ type AutomationConfig struct {
// TLS app to properly provision a new policy.
type AutomationPolicy struct {
// Which subjects (hostnames or IP addresses) this policy applies to.
- Subjects []string `json:"subjects,omitempty"`
+ SubjectsRaw []string `json:"subjects,omitempty"`
// The modules that may issue certificates. Default: internal if all
// subjects do not qualify for public certificates; othewise acme and
@@ -147,12 +147,21 @@ type AutomationPolicy struct {
Issuers []certmagic.Issuer `json:"-"`
Managers []certmagic.Manager `json:"-"`
- magic *certmagic.Config
- storage certmagic.Storage
+ subjects []string
+ magic *certmagic.Config
+ storage certmagic.Storage
}
// Provision sets up ap and builds its underlying CertMagic config.
func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
+ // replace placeholders in subjects to allow environment variables
+ repl := caddy.NewReplacer()
+ subjects := make([]string, len(ap.SubjectsRaw))
+ for i, sub := range ap.SubjectsRaw {
+ subjects[i] = repl.ReplaceAll(sub, "")
+ }
+ ap.subjects = subjects
+
// policy-specific storage implementation
if ap.StorageRaw != nil {
val, err := tlsApp.ctx.LoadModule(ap, "StorageRaw")
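Review bot: `repl.ReplaceAll(sub, "")` in the new subjects loop silently turns an unresolvable placeholder (for example an environment variable that is not set) into an empty string, so a policy whose only subject expands to `""` is no longer the catch-all (its length is still 1) yet matches no hostname, and a partially expanded name such as `.example.com` becomes a quiet misconfiguration rather than a provisioning error. Provisioning should reject subjects that expand empty or unknown: caddy's Replacer offers `ReplaceOrErr(sub, true, true)` for this (if that method exists in this version), otherwise at least `if subjects[i] == "" { return fmt.Errorf("automation policy subject %d: %q expanded to an empty string", i, sub) }` after the ReplaceAll call. The same applies to the `automateNames` expansion in the tls.go hunk starting at `@@ -126,7 +126,12 @@`. Provision's body continues past the end of this hunk.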
@@ -289,6 +298,11 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
return nil
}
+// Subjects returns the list of subjects with all placeholders replaced.
+func (ap *AutomationPolicy) Subjects() []string {
+ return ap.subjects
+}
+
func (ap *AutomationPolicy) onlyInternalIssuer() bool {
if len(ap.Issuers) != 1 {
return false
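Review bot: The doc comment on the new `Subjects` accessor does not say that the slice is nil until `Provision` has run, nor that it is the policy's own backing slice rather than a copy, so a caller that appends to or sorts the result would mutate the policy's matching state. I would extend it to `// Subjects returns the list of subjects with all placeholders replaced. It is nil until Provision has run; the returned slice is shared and must not be modified.` Alternatively return a copy (`slices.Clone`, Go 1.21+, or a `make`+`copy`) if callers are expected to keep the result.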
@@ -301,10 +315,10 @@ func (ap *AutomationPolicy) onlyInternalIssuer() bool {
// or is the "default" policy (i.e. no subjects) which is unbounded.
func (ap *AutomationPolicy) isWildcardOrDefault() bool {
isWildcardOrDefault := false
- if len(ap.Subjects) == 0 {
+ if len(ap.subjects) == 0 {
isWildcardOrDefault = true
}
- for _, sub := range ap.Subjects {
+ for _, sub := range ap.subjects {
if strings.HasPrefix(sub, "*") {
isWildcardOrDefault = true
break
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 486a58c..9b5b552 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -126,7 +126,12 @@ func (t *TLS) Provision(ctx caddy.Context) error {
// special case; these will be loaded in later using our automation facilities,
// which we want to avoid doing during provisioning
if automateNames, ok := modIface.(*AutomateLoader); ok && automateNames != nil {
- t.automateNames = []string(*automateNames)
+ repl := caddy.NewReplacer()
+ subjects := make([]string, len(*automateNames))
+ for i, sub := range *automateNames {
+ subjects[i] = repl.ReplaceAll(sub, "")
+ }
+ t.automateNames = subjects
} else {
return fmt.Errorf("loading certificates with 'automate' requires array of strings, got: %T", modIface)
}
@@ -231,13 +236,13 @@ func (t *TLS) Validate() error {
var hasDefault bool
hostSet := make(map[string]int)
for i, ap := range t.Automation.Policies {
- if len(ap.Subjects) == 0 {
+ if len(ap.subjects) == 0 {
if hasDefault {
return fmt.Errorf("automation policy %d is the second policy that acts as default/catch-all, but will never be used", i)
}
hasDefault = true
}
- for _, h := range ap.Subjects {
+ for _, h := range ap.subjects {
if first, ok := hostSet[h]; ok {
return fmt.Errorf("automation policy %d: cannot apply more than one automation policy to host: %s (first match in policy %d)", i, h, first)
}
@@ -388,8 +393,8 @@ func (t *TLS) AddAutomationPolicy(ap *AutomationPolicy) error {
// first see if existing is superset of ap for all names
var otherIsSuperset bool
outer:
- for _, thisSubj := range ap.Subjects {
- for _, otherSubj := range existing.Subjects {
+ for _, thisSubj := range ap.subjects {
+ for _, otherSubj := range existing.subjects {
if certmagic.MatchWildcard(thisSubj, otherSubj) {
otherIsSuperset = true
break outer
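Review bot: The superset loop on the new side ranges over `ap.subjects` and `existing.subjects`, which are only populated by `Provision`, while the length comparison in the following hunk (`len(existing.SubjectsRaw) < len(ap.SubjectsRaw)`) uses the raw fields; if `AddAutomationPolicy` can be called with an `ap` that has not been provisioned yet (the function's start and end are outside these hunks, so I cannot confirm), the wildcard-superset check silently becomes a no-op and ordering falls back to the raw-length comparison alone. Either guarantee `ap.Provision(t)` has run before this loop or read the same source in both places, e.g. `if otherIsSuperset || len(existing.subjects) < len(ap.subjects) {` once provisioning is guaranteed, so a policy's relative specificity is decided on the expanded subjects throughout.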
@@ -398,7 +403,7 @@ func (t *TLS) AddAutomationPolicy(ap *AutomationPolicy) error {
}
// if existing AP is a superset or if it contains fewer names (i.e. is
// more general), then new AP is more specific, so insert before it
- if otherIsSuperset || len(existing.Subjects) < len(ap.Subjects) {
+ if otherIsSuperset || len(existing.SubjectsRaw) < len(ap.SubjectsRaw) {
t.Automation.Policies = append(t.Automation.Policies[:i],
append([]*AutomationPolicy{ap}, t.Automation.Policies[i:]...)...)
return nil
@@ -420,10 +425,10 @@ func (t *TLS) getConfigForName(name string) *certmagic.Config {
// public certificate or not.
func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
for _, ap := range t.Automation.Policies {
- if len(ap.Subjects) == 0 {
+ if len(ap.subjects) == 0 {
return ap // no host filter is an automatic match
}
- for _, h := range ap.Subjects {
+ for _, h := range ap.subjects {
if certmagic.MatchWildcard(name, h) {
return ap
}