Documentation ¶
Index ¶
- Variables
- func Clock() clock.Clock
- func DebugServer(addr string)
- func FailOnError(err error, msg string)
- func LoadCert(path string) (cert []byte, err error)
- func ProfileCmd(profileName string, stats statsd.Statter)
- func StatsAndLogging(statConf StatsdConfig, logConf SyslogConfig) (statsd.Statter, *blog.AuditLogger)
- func Version() string
- type AMQPConfig
- type AllowedSigningAlgos
- type AppShell
- type CAConfig
- type Config
- type ConfigDuration
- type DBConfig
- type GoogleSafeBrowsingConfig
- type KeyConfig
- type LogDescription
- type OCSPUpdaterConfig
- type PAConfig
- type PasswordConfig
- type RPCServerConfig
- type RateLimitConfig
- type RateLimitPolicy
- type ServiceConfig
- type StatsdConfig
- type SyslogConfig
- type TLSConfig
Constants ¶
This section is empty.
Variables ¶
var ErrDurationMustBeString = errors.New("cannot JSON unmarshal something other than a string into a ConfigDuration")
ErrDurationMustBeString is returned when a non-string value is presented to be deserialized as a ConfigDuration
Functions ¶
func Clock ¶
Clock functions similarly to clock.Default(), but the returned value can be changed using the FAKECLOCK environment variable if the 'integration' build flag is set.
This function returns the default Clock.
func DebugServer ¶
func DebugServer(addr string)
DebugServer starts a server to receive debug information. Typical usage is to start it in a goroutine, configured with an address from the appropriate configuration object:
go cmd.DebugServer(c.XA.DebugAddr)
func FailOnError ¶
FailOnError exits and prints an error message if we encountered a problem
func LoadCert ¶
LoadCert loads a PEM-formatted certificate from the provided path, returning it as a byte array, or an error if it couldn't be decoded.
func ProfileCmd ¶
ProfileCmd runs forever, sending Go runtime statistics to StatsD.
func StatsAndLogging ¶
func StatsAndLogging(statConf StatsdConfig, logConf SyslogConfig) (statsd.Statter, *blog.AuditLogger)
StatsAndLogging constructs a Statter and an AuditLogger based on its config parameters, and return them both. Crashes if any setup fails. Also sets the constructed AuditLogger as the default logger.
Types ¶
type AMQPConfig ¶
type AMQPConfig struct { // A file from which the AMQP Server URL will be read. This allows secret // values (like the password) to be stored separately from the main config. ServerURLFile string // AMQP server URL, including username and password. Server string Insecure bool RA *RPCServerConfig VA *RPCServerConfig SA *RPCServerConfig CA *RPCServerConfig Publisher *RPCServerConfig TLS *TLSConfig // Queue name on which to listen, if this is an RPC service (vs acting only as // an RPC client). ServiceQueue string ReconnectTimeouts struct { Base ConfigDuration Max ConfigDuration } }
AMQPConfig describes how to connect to AMQP, and how to speak to each of the RPC services we offer via AMQP.
func (*AMQPConfig) ServerURL ¶
func (a *AMQPConfig) ServerURL() (string, error)
ServerURL returns the appropriate server URL for this object, which may involve reading from a file.
type AllowedSigningAlgos ¶
type AllowedSigningAlgos struct { RSA bool ECDSANISTP256 bool ECDSANISTP384 bool ECDSANISTP521 bool }
AllowedSigningAlgos defines which algorithms be used for keys that we will sign.
type AppShell ¶
type AppShell struct { Action func(Config, statsd.Statter, *blog.AuditLogger) Config func(*cli.Context, Config) Config App *cli.App }
AppShell contains CLI Metadata
func NewAppShell ¶
NewAppShell creates a basic AppShell object containing CLI metadata
func (*AppShell) Run ¶
func (as *AppShell) Run()
Run begins the application context, reading config and passing control to the default commandline action.
func (*AppShell) VersionString ¶
VersionString produces a friendly Application version string
type CAConfig ¶
type CAConfig struct { ServiceConfig DBConfig Profile string RSAProfile string ECDSAProfile string TestMode bool SerialPrefix int Key KeyConfig // LifespanOCSP is how long OCSP responses are valid for; It should be longer // than the minTimeToExpiry field for the OCSP Updater. LifespanOCSP string // How long issued certificates are valid for, should match expiry field // in cfssl config. Expiry string // The maximum number of subjectAltNames in a single certificate MaxNames int CFSSL cfsslConfig.Config MaxConcurrentRPCServerRequests int64 // DoNotForceCN is a temporary config setting. It controls whether // to add a certificate's serial to its Subject, and whether to // not pull a SAN entry to be the CN if no CN was given in a CSR. DoNotForceCN bool // EnableMustStaple governs whether the Must Staple extension in CSRs // triggers issuance of certificates with Must Staple. EnableMustStaple bool }
CAConfig structs have configuration information for the certificate authority, including database parameters as well as controls for issued certificates.
type Config ¶
type Config struct { ActivityMonitor struct { ServiceConfig } // Default AMQPConfig for services that don't specify one. // TODO(jsha): Delete this after a deploy. AMQP *AMQPConfig WFE struct { ServiceConfig BaseURL string ListenAddress string AllowOrigins []string CertCacheDuration string CertNoCacheExpirationWindow string IndexCacheDuration string IssuerCacheDuration string ShutdownStopTimeout string ShutdownKillTimeout string } CA CAConfig RA struct { ServiceConfig RateLimitPoliciesFilename string MaxConcurrentRPCServerRequests int64 MaxContactsPerRegistration int // UseIsSafeDomain determines whether to call VA.IsSafeDomain UseIsSafeDomain bool // TODO(jmhodges): remove after va IsSafeDomain deploy // The number of times to try a DNS query (that has a temporary error) // before giving up. May be short-circuited by deadlines. A zero value // will be turned into 1. DNSTries int } SA struct { ServiceConfig DBConfig MaxConcurrentRPCServerRequests int64 } VA struct { ServiceConfig UserAgent string IssuerDomain string PortConfig va.PortConfig MaxConcurrentRPCServerRequests int64 GoogleSafeBrowsing *GoogleSafeBrowsingConfig // The number of times to try a DNS query (that has a temporary error) // before giving up. May be short-circuited by deadlines. A zero value // will be turned into 1. DNSTries int } SQL struct { SQLDebug bool } Statsd StatsdConfig Syslog SyslogConfig Revoker struct { DBConfig // The revoker isn't a long running service, so doesn't get a full // ServiceConfig, just an AMQPConfig. AMQP *AMQPConfig } Mailer struct { ServiceConfig DBConfig PasswordConfig Server string Port string Username string From string Subject string CertLimit int NagTimes []string // How much earlier (than configured nag intervals) to // send reminders, to account for the expected delay // before the next expiration-mailer invocation. NagCheckInterval string // Path to a text/template email template EmailTemplate string } OCSPResponder struct { ServiceConfig DBConfig // Source indicates the source of pre-signed OCSP responses to be used. It // can be a DBConnect string or a file URL. The file URL style is used // when responding from a static file for intermediates and roots. // If DBConfig has non-empty fields, it takes precedence over this. Source string Path string ListenAddress string // MaxAge is the max-age to set in the Cache-Control response // header. It is a time.Duration formatted string. MaxAge ConfigDuration ShutdownStopTimeout string ShutdownKillTimeout string } OCSPUpdater OCSPUpdaterConfig Publisher struct { ServiceConfig SubmissionTimeout ConfigDuration MaxConcurrentRPCServerRequests int64 } ExternalCertImporter struct { CertsToImportCSVFilename string DomainsToImportCSVFilename string CertsToRemoveCSVFilename string StatsdRate float32 } PA PAConfig Common struct { BaseURL string // Path to a PEM-encoded copy of the issuer certificate. IssuerCert string DNSResolver string DNSTimeout string DNSAllowLoopbackAddresses bool CT struct { Logs []LogDescription IntermediateBundleFilename string } } CertChecker struct { DBConfig Workers int ReportDirectoryPath string } AllowedSigningAlgos *AllowedSigningAlgos SubscriberAgreementURL string }
Config stores configuration parameters that applications will need. For simplicity, we just lump them all into one struct, and use encoding/json to read it from a file.
Note: NO DEFAULTS are provided.
type ConfigDuration ¶
ConfigDuration is just an alias for time.Duration that allows serialization to YAML as well as JSON.
func (ConfigDuration) MarshalJSON ¶
func (d ConfigDuration) MarshalJSON() ([]byte, error)
MarshalJSON returns the string form of the duration, as a byte array.
func (*ConfigDuration) UnmarshalJSON ¶
func (d *ConfigDuration) UnmarshalJSON(b []byte) error
UnmarshalJSON parses a string into a ConfigDuration using time.ParseDuration. If the input does not unmarshal as a string, then UnmarshalJSON returns ErrDurationMustBeString.
func (*ConfigDuration) UnmarshalYAML ¶
func (d *ConfigDuration) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML uses the same frmat as JSON, but is called by the YAML parser (vs. the JSON parser).
type DBConfig ¶
type DBConfig struct { DBConnect string // A file containing a connect URL for the DB. DBConnectFile string }
DBConfig defines how to connect to a database. The connect string may be stored in a file separate from the config, because it can contain a password, which we want to keep out of configs.
type GoogleSafeBrowsingConfig ¶
GoogleSafeBrowsingConfig is the JSON config struct for the VA's use of the Google Safe Browsing API.
type KeyConfig ¶
type KeyConfig struct { // A file from which a pkcs11key.Config will be read and parsed, if present ConfigFile string File string PKCS11 *pkcs11key.Config }
KeyConfig should contain either a File path to a PEM-format private key, or a PKCS11Config defining how to load a module for an HSM.
type LogDescription ¶
LogDescription contains the information needed to submit certificates to a CT log and verify returned receipts
type OCSPUpdaterConfig ¶
type OCSPUpdaterConfig struct { ServiceConfig DBConfig NewCertificateWindow ConfigDuration OldOCSPWindow ConfigDuration MissingSCTWindow ConfigDuration RevokedCertificateWindow ConfigDuration NewCertificateBatchSize int OldOCSPBatchSize int MissingSCTBatchSize int RevokedCertificateBatchSize int OCSPMinTimeToExpiry ConfigDuration OldestIssuedSCT ConfigDuration AkamaiBaseURL string AkamaiClientToken string AkamaiClientSecret string AkamaiAccessToken string AkamaiPurgeRetries int AkamaiPurgeRetryBackoff ConfigDuration SignFailureBackoffFactor float64 SignFailureBackoffMax ConfigDuration }
OCSPUpdaterConfig provides the various window tick times and batch sizes needed for the OCSP (and SCT) updater
type PAConfig ¶
PAConfig specifies how a policy authority should connect to its database, what policies it should enforce, and what challenges it should offer.
func (PAConfig) CheckChallenges ¶
CheckChallenges checks whether the list of challenges in the PA config actually contains valid challenge names
type PasswordConfig ¶
PasswordConfig either contains a password or the path to a file containing a password
func (*PasswordConfig) Pass ¶
func (pc *PasswordConfig) Pass() (string, error)
Pass returns a password, either directly from the configuration struct or by reading from a specified file
type RPCServerConfig ¶
type RPCServerConfig struct { Server string // Queue name where the server receives requests RPCTimeout ConfigDuration }
RPCServerConfig contains configuration particular to a specific RPC server type (e.g. RA, SA, etc)
type RateLimitConfig ¶
type RateLimitConfig struct { // Total number of certificates that can be extant at any given time. // The 2160h window, 90 days, is chosen to match certificate lifetime, since the // main capacity factor is how many OCSP requests we can sign with available // hardware. TotalCertificates RateLimitPolicy `yaml:"totalCertificates"` // Number of certificates that can be extant containing any given name. // These are counted by "base domain" aka eTLD+1, so any entries in the // overrides section must be an eTLD+1 according to the publicsuffix package. CertificatesPerName RateLimitPolicy `yaml:"certificatesPerName"` // Number of registrations that can be created per IP. // Note: Since this is checked before a registration is created, setting a // RegistrationOverride on it has no effect. RegistrationsPerIP RateLimitPolicy `yaml:"registrationsPerIP"` // Number of pending authorizations that can exist per account. Overrides by // key are not applied, but overrides by registration are. PendingAuthorizationsPerAccount RateLimitPolicy `yaml:"pendingAuthorizationsPerAccount"` // Number of certificates that can be extant containing a specific set // of DNS names. CertificatesPerFQDNSet RateLimitPolicy `yaml:"certificatesPerFQDNSet"` }
RateLimitConfig contains all application layer rate limiting policies
func LoadRateLimitPolicies ¶
func LoadRateLimitPolicies(filename string) (RateLimitConfig, error)
LoadRateLimitPolicies loads various rate limiting policies from a YAML configuration file
type RateLimitPolicy ¶
type RateLimitPolicy struct { // How long to count items for Window ConfigDuration `yaml:"window"` // The max number of items that can be present before triggering the rate // limit. Zero means "no limit." Threshold int `yaml:"threshold"` // A per-key override setting different limits than the default (higher or lower). // The key is defined on a per-limit basis and should match the key it counts on. // For instance, a rate limit on the number of certificates per name uses name as // a key, while a rate limit on the number of registrations per IP subnet would // use subnet as a key. // Note that a zero entry in the overrides map does not mean "not limit," it // means a limit of zero. Overrides map[string]int `yaml:"overrides"` // A per-registration override setting. This can be used, e.g. if there are // hosting providers that we would like to grant a higher rate of issuance // than the default. If both key-based and registration-based overrides are // available, the registration-based on takes priority. RegistrationOverrides map[int64]int `yaml:"registrationOverrides"` }
RateLimitPolicy describes a general limiting policy
func (*RateLimitPolicy) Enabled ¶
func (rlp *RateLimitPolicy) Enabled() bool
Enabled returns true iff the RateLimitPolicy is enabled.
func (*RateLimitPolicy) GetThreshold ¶
func (rlp *RateLimitPolicy) GetThreshold(key string, regID int64) int
GetThreshold returns the threshold for this rate limit, taking into account any overrides for `key`.
func (*RateLimitPolicy) WindowBegin ¶
func (rlp *RateLimitPolicy) WindowBegin(windowEnd time.Time) time.Time
WindowBegin returns the time that a RateLimitPolicy's window begins, given a particular end time (typically the current time).
type ServiceConfig ¶
type ServiceConfig struct { // DebugAddr is the address to run the /debug handlers on. DebugAddr string AMQP *AMQPConfig }
ServiceConfig contains config items that are common to all our services, to be embedded in other config structs.
type StatsdConfig ¶
StatsdConfig defines the config for Statsd.
type SyslogConfig ¶
SyslogConfig defines the config for syslogging.