Documentation ¶
Index ¶
- Constants
- Variables
- func CanSignHttpExchanges(cert *x509.Certificate) error
- func CertName(cert *x509.Certificate) string
- func CertificateMatches(cert *x509.Certificate, priv crypto.PrivateKey, domain string) error
- func GetDurationToExpiry(cert *x509.Certificate, certExpiryDeadline time.Time) (time.Duration, error)
- func ParsePrivateKey(keyPem []byte) (crypto.PrivateKey, error)
- func QuotedString(input string) (string, error)
- func RemoveHopByHopHeaders(h http.Header)
- func TrimHeaderValue(s string) string
- func ValidateFetchURLPattern(pattern *URLPattern) error
- func ValidateForwardedRequestHeaders(hs []string) error
- func ValidateSignURLPattern(pattern *URLPattern) error
- func ValidateURLPattern(pattern *URLPattern) error
- type ACMEConfig
- type ACMEServerConfig
- type Config
- type HTTPError
- type URLPattern
- type URLSet
Constants ¶
const CertURLPrefix = "/amppkg/cert"
const HealthzPath = "/healthz"
const MetricsPath = "/metrics"
const SignerURLPrefix = "/priv/doc"
const ValidityMapPath = "/amppkg/validity"
Variables ¶
var Comma *regexp.Regexp = regexp.MustCompile(`[ \t]*,[ \t]*`)
A comma, as defined in https://tools.ietf.org/html/rfc7230#section-7, with OWS defined in https://tools.ietf.org/html/rfc7230#appendix-B. This is commonly used as a separator in header field value definitions.
var ConditionalRequestHeaders = map[string]bool{
	"If-Match":            true,
	"If-None-Match":       true,
	"If-Modified-Since":   true,
	"If-Unmodified-Since": true,
	"If-Range":            true,
}
Conditional request headers that ServeHTTP may receive and need to be sent with fetchURL. https://developer.mozilla.org/en-US/docs/Web/HTTP/Conditional_requests#Conditional_headers
Functions ¶
func CanSignHttpExchanges ¶
func CanSignHttpExchanges(cert *x509.Certificate) error
CanSignHttpExchanges returns nil if the given certificate has the CanSignHttpExchanges extension, and a valid lifetime per the SXG spec; otherwise it returns an error. These are not the only requirements for SXGs; it also needs to use the right public key type, which is not checked here.
func CertName ¶
func CertName(cert *x509.Certificate) string
CertName returns the basename for the given cert, as served by this packager's cert cache. Should be stable and unique (e.g. content-addressing). Clients should url.PathEscape this, just in case its format changes to need escaping in the future.
Given a PEM-encoded certificate, this is equivalent to:
	$ openssl x509 -in cert.pem -outform DER |
	    openssl dgst -sha256 -binary | base64 | tr /+ _- | tr -d =
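As an added example (not the package's own code), the following Go reproduces the cert-name scheme shown by the openssl pipeline above and applies the two checks CanSignHttpExchanges documents: presence of the CanSignHttpExchanges extension (OID 1.3.6.1.4.1.11129.2.1.22, value ASN.1 NULL) and the 90-day validity bound set by the SXG spec. The certificate is a constructed, self-signed test certificate, and, as the doc notes, the key type is not checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

var oidCanSignHttpExchanges = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 1, 22} // SXG extension OID
// certName: SHA-256 over the DER bytes, base64url without padding (same as the openssl pipeline).
func certName(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}
// checkSXGCert mirrors the documented checks: extension present and validity period <= 90 days.
func checkSXGCert(cert *x509.Certificate) error {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidCanSignHttpExchanges) {
			if cert.NotAfter.Sub(cert.NotBefore) > 90*24*time.Hour {
				return errors.New("validity period longer than 90 days")
			}
			return nil
		}
	}
	return errors.New("missing CanSignHttpExchanges extension")
}
// selfSignedTestCert builds a constructed, throwaway P-256 certificate (not a real SXG cert).
func selfSignedTestCert(days int, withExt bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour)}
	if withExt { // extension value is ASN.1 NULL (0x05 0x00)
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCanSignHttpExchanges, Value: []byte{0x05, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```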
func CertificateMatches ¶
func CertificateMatches(cert *x509.Certificate, priv crypto.PrivateKey, domain string) error
Returns nil if the certificate matches the private key and domain, else the appropriate error.
func GetDurationToExpiry ¶
func GetDurationToExpiry(cert *x509.Certificate, certExpiryDeadline time.Time) (time.Duration, error)
Returns the duration until cert expires, taking the given deadline into account. Note that certExpiryDeadline should be the expected SXG expiration time. Returns an error if cert has already expired. This is used to periodically check whether cert is still within its validity range.
func ParsePrivateKey ¶
func ParsePrivateKey(keyPem []byte) (crypto.PrivateKey, error)
ParsePrivateKey returns the first PEM block that looks like a private key.
func QuotedString ¶
func QuotedString(input string) (string, error)
Escapes the input and surrounds it in quotes, so it is a valid quoted-string per https://tools.ietf.org/html/rfc7230#section-3.2.6. Returns an error if the input contains any chars outside of HTAB / SP / VCHAR (https://tools.ietf.org/html/rfc5234#appendix-B.1) and thus isn't even quotable.
func RemoveHopByHopHeaders ¶
func RemoveHopByHopHeaders(h http.Header)
Removes hop-by-hop headers, per https://tools.ietf.org/html/rfc7230#section-6.1.
func TrimHeaderValue ¶
func TrimHeaderValue(s string) string
Trims optional whitespace (OWS) from a header value, adhering to https://tools.ietf.org/html/rfc7230#section-7 with OWS defined in https://tools.ietf.org/html/rfc7230#appendix-B.
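As an added example covering QuotedString, RemoveHopByHopHeaders and TrimHeaderValue (written here for illustration, not the package's own implementation), the Go below escapes a value as an RFC 7230 quoted-string, trims OWS, and strips hop-by-hop headers using the Comma separator from this package plus a fixed hop-by-hop set (assumed here to be the eight fields Go's httputil.ReverseProxy also drops).

```go
package main

import (
	"errors"
	"net/http"
	"regexp"
	"strings"
)

// comma is the separator regexp from the package docs: OWS "," OWS.
var comma = regexp.MustCompile(`[ \t]*,[ \t]*`)
// quotedString escapes input as an RFC 7230 quoted-string; only HTAB / SP / VCHAR are quotable.
func quotedString(input string) (string, error) {
	var b strings.Builder
	b.WriteByte('"')
	for i := 0; i < len(input); i++ {
		c := input[i]
		if c != '\t' && (c < 0x20 || c > 0x7e) { // CTLs and obs-text cannot be quoted
			return "", errors.New("not quotable: char outside HTAB / SP / VCHAR")
		}
		if c == '"' || c == '\\' {
			b.WriteByte('\\') // quoted-pair
		}
		b.WriteByte(c)
	}
	b.WriteByte('"')
	return b.String(), nil
}

// trimHeaderValue strips OWS (SP / HTAB only, not other whitespace) from both ends.
func trimHeaderValue(s string) string {
	return strings.Trim(s, " \t")
}

// removeHopByHopHeaders drops every field named in Connection (RFC 7230 §6.1) and the
// fixed hop-by-hop set, so such headers are neither forwarded upstream nor echoed back.
func removeHopByHopHeaders(h http.Header) {
	for _, v := range h.Values("Connection") {
		for _, name := range comma.Split(v, -1) {
			if name = trimHeaderValue(name); name != "" {
				h.Del(name)
			}
		}
	}
	for _, name := range []string{"Connection", "Keep-Alive", "Proxy-Authenticate",
		"Proxy-Authorization", "TE", "Trailer", "Transfer-Encoding", "Upgrade"} {
		h.Del(name)
	}
}
```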
func ValidateFetchURLPattern ¶
func ValidateFetchURLPattern(pattern *URLPattern) error
func ValidateSignURLPattern ¶
func ValidateSignURLPattern(pattern *URLPattern) error
Types ¶
type ACMEConfig ¶
type ACMEConfig struct {
	Production  *ACMEServerConfig
	Development *ACMEServerConfig
}
type ACMEServerConfig ¶
type ACMEServerConfig struct {
	DiscoURL     string // ACME Directory Resource URL
	AccountURL   string // ACME Account URL. If non-empty, we will auto-renew cert via ACME.
	EmailAddress string // Email address registered with ACME CA.
	EABKid       string // Key Identifier from ACME CA. Used for External Account Binding.
	EABHmac      string // MAC Key from ACME CA. Used for External Account Binding. Should be in
	                    // Base64 URL Encoding without padding format.
	// See: https://letsencrypt.org/docs/challenge-types/
	// For non-wildcard domains, only one of HttpChallengePort, HttpWebRootDir or
	// TlsChallengePort needs to be present.
	// HttpChallengePort means AmpPackager will respond to HTTP challenges via this port.
	// HttpWebRootDir means AmpPackager will deposit the challenge token in this directory.
	// TlsChallengePort means AmpPackager will respond to TLS challenges via this port.
	// For wildcard domains, DnsProvider must be set to one of the supported LEGO configs:
	// https://go-acme.github.io/lego/dns/
	HttpChallengePort int    // ACME HTTP challenge port.
	HttpWebRootDir    string // ACME HTTP web root directory where the challenge token will be deposited.
	TlsChallengePort  int    // ACME TLS challenge port.
	DnsProvider       string // ACME DNS Provider used for the challenge.
}
type Config ¶
type Config struct {
	LocalOnly bool
	Port      int
	CertFile  string // This must be the full certificate chain.
	KeyFile   string // Just for the first cert, obviously.
	CSRFile   string // Certificate Signing Request.
	// When set, both CertFile and NewCertFile will be read/write. CertFile and
	// NewCertFile will be set when both are valid, and once CertFile becomes
	// invalid, NewCertFile will replace it (CertFile = NewCertFile) and NewCertFile
	// will be set to empty. This also applies to the disk copies (which we may
	// require to be some sort of shared filesystem, if multiple replicas of
	// amppackager are running).
	NewCertFile             string // The new full certificate chain replacing the expired one.
	OCSPCache               string
	ForwardedRequestHeaders []string
	URLSet                  []URLSet
	ACMEConfig              *ACMEConfig
}
func ReadConfig ¶
ReadConfig reads the config file specified at --config and validates it.
type HTTPError ¶
type HTTPError struct {
// contains filtered or unexported fields
}
HTTPError encodes an internal message to be logged and an HTTP status code to be used for the external error message. External errors should only be used to signal misconfiguration of the packager. For errors that are transient or a result of downstream server errors, the signer should fall back to proxying the content unsigned.
func NewHTTPError ¶
func (*HTTPError) LogAndRespond ¶
func (e *HTTPError) LogAndRespond(resp http.ResponseWriter)
type URLPattern ¶
type URLSet ¶
type URLSet struct {
	Fetch *URLPattern
	Sign  *URLPattern
}