From 658772ff24b9e1eabf6f254d039d91e8abfcb775 Mon Sep 17 00:00:00 2001
From: Francis Lavoie
Date: Mon, 7 Jun 2021 14:18:49 -0400
Subject: httpcaddyfile: Add `skip_install_trust` global option (#4153)
Fixes https://github.com/caddyserver/caddy/issues/4002
---
 caddyconfig/httpcaddyfile/options.go | 1 +
 caddyconfig/httpcaddyfile/pkiapp.go | 20 ++++++++
 .../global_options_skip_install_trust.txt | 56 ++++++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt
diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go
index 905ecae..fe8e319 100644
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@@ -39,6 +39,7 @@ func init() {
 RegisterGlobalOption("acme_dns", parseOptACMEDNS)
 RegisterGlobalOption("acme_eab", parseOptACMEEAB)
 RegisterGlobalOption("cert_issuer", parseOptCertIssuer)
+ RegisterGlobalOption("skip_install_trust", parseOptTrue)
 RegisterGlobalOption("email", parseOptSingleString)
 RegisterGlobalOption("admin", parseOptAdmin)
 RegisterGlobalOption("on_demand_tls", parseOptOnDemand)
diff --git a/caddyconfig/httpcaddyfile/pkiapp.go b/caddyconfig/httpcaddyfile/pkiapp.go
index 3abcc6b..a21951d 100644
--- a/caddyconfig/httpcaddyfile/pkiapp.go
+++ b/caddyconfig/httpcaddyfile/pkiapp.go
@@ -27,15 +27,35 @@ func (st ServerType) buildPKIApp(
 pkiApp := &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
+ skipInstallTrust := false
+ if _, ok := options["skip_install_trust"]; ok {
+ skipInstallTrust = true
+ }
+ falseBool := false
+
 for _, p := range pairings {
 for _, sblock := range p.serverBlocks {
 // find all the CAs that were defined and add them to the app config
+ // i.e. from any "acme_server" directives
 for _, caCfgValue := range sblock.pile["pki.ca"] {
 ca := caCfgValue.Value.(*caddypki.CA)
+ if skipInstallTrust {
+ ca.InstallTrust = &falseBool
+ }
 pkiApp.CAs[ca.ID] = ca
 }
 }
 }
+ // if there was no CAs defined in any of the servers,
+ // and we were requested to not install trust, then
+ // add one for the default/local CA to do so
+ if len(pkiApp.CAs) == 0 && skipInstallTrust {
+ ca := new(caddypki.CA)
+ ca.ID = caddypki.DefaultCAID
+ ca.InstallTrust = &falseBool
+ pkiApp.CAs[ca.ID] = ca
+ }
+
 return pkiApp, warnings, nil
 }
diff --git a/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt b/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt
new file mode 100644
index 0000000..f949ac1
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/global_options_skip_install_trust.txt
@@ -0,0 +1,56 @@
+{
+ skip_install_trust
+}
+
+a.example.com {
+ tls internal
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "a.example.com"
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ }
+ }
+ },
+ "pki": {
+ "certificate_authorities": {
+ "local": {
+ "install_trust": false
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "subjects": [
+ "a.example.com"
+ ],
+ "issuers": [
+ {
+ "module": "internal"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
-- 
cgit v1.2.3
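Review bot: Every CA collected from `sblock.pile["pki.ca"]` in the inner loop, and the default CA built in the fallback block, is given the same pointer `&falseBool` in `ca.InstallTrust`, so the field is aliased across all CAs and a later write through any one of them would silently flip the others; the assignment also discards whatever `InstallTrust` value the CA already carried, so a CA explicitly configured to install trust cannot coexist with the global option. A per-CA value keeps them independent: `f := false` followed by `ca.InstallTrust = &f` inside the loop, and the same pair in the `len(pkiApp.CAs) == 0` block. The option is detected by key presence alone (`options["skip_install_trust"]`), which is only correct if `parseOptTrue` never stores a false value, so a comment such as `// key presence is the signal; parseOptTrue is assumed to store only true` would make that dependency explicit. The enclosing `buildPKIApp` starts outside the hunk.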