unpause

package
v0.0.0-...-e8a49c5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 19, 2024 License: MPL-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

View Source
const (

	// Changing this value will invalidate all existing JWTs.
	APIVersion = "v1"
	APIPrefix  = "/sfe/" + APIVersion
	GetForm    = APIPrefix + "/unpause"

	// BatchSize is the maximum number of identifiers that the SA will unpause
	// in a single batch.
	BatchSize = 10000

	// MaxBatches is the maximum number of batches that the SA will unpause in a
	// single request.
	MaxBatches = 5

	// RequestLimit is the maximum number of identifiers that the SA will
	// unpause in a single request. This is used by the SFE to infer whether
	// there are more identifiers to unpause.
	RequestLimit = BatchSize * MaxBatches
)

Variables

View Source
var ErrMalformedJWT = errors.New("malformed JWT")

ErrMalformedJWT is returned when the JWT is malformed.

Functions

func GenerateJWT

func GenerateJWT(signer JWTSigner, regID int64, identifiers []string, lifetime time.Duration, clk clock.Clock) (string, error)

GenerateJWT generates a serialized unpause JWT with the provided claims.

Types

type JWTClaims

type JWTClaims struct {
	jwt.Claims

	// V is the API version this JWT was created for.
	V string `json:"version"`

	// I is set of comma separated ACME identifiers.
	I string `json:"identifiers"`
}

JWTClaims represents the claims of a JWT token issued by the WFE for redemption by the SFE. The following claims required for unpausing:

  • Subject: the account ID of the Subscriber
  • V: the API version this JWT was created for
  • I: a set of ACME identifier values. Identifier types are omitted since DNS and IP string representations do not overlap.

func RedeemJWT

func RedeemJWT(token string, key []byte, version string, clk clock.Clock) (JWTClaims, error)

RedeemJWT deserializes an unpause JWT and returns the validated claims. The key is used to validate the signature of the JWT. The version is the expected API version of the JWT. This function validates that the JWT is:

  • well-formed,
  • valid for the current time (+/- 1 minute leeway),
  • issued by the WFE,
  • intended for the SFE,
  • contains an Account ID as the 'Subject',
  • subject can be parsed as a 64-bit integer,
  • contains a set of paused identifiers as 'Identifiers', and
  • contains the API the expected version as 'Version'.

If the JWT is malformed or invalid in any way, ErrMalformedJWT is returned.

type JWTSigner

type JWTSigner = jose.Signer

JWTSigner is a type alias for jose.Signer. To create a JWTSigner instance, use the NewJWTSigner function provided in this package.

func NewJWTSigner

func NewJWTSigner(hmacKey cmd.HMACKeyConfig) (JWTSigner, error)

NewJWTSigner loads the HMAC key from the provided configuration and returns a new JWT signer.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL