Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthorityDatabaseImpl ¶
type AuthorityDatabaseImpl struct {
// contains filtered or unexported fields
}
AuthorityDatabaseImpl enforces policy decisions based on various rule lists
func NewAuthorityDatabaseImpl ¶
func NewAuthorityDatabaseImpl(dbMap gorpDbMap) (padb *AuthorityDatabaseImpl, err error)
NewAuthorityDatabaseImpl constructs a Policy Authority Database (and creates tables if they are non-existent)
func (*AuthorityDatabaseImpl) CheckHostLists ¶
func (padb *AuthorityDatabaseImpl) CheckHostLists(host string, requireWhitelisted bool) error
CheckHostLists will query the database for white/blacklist rules that match host, if both whitelist and blacklist rules are found the blacklist will always win Returns errNotWhitelisted, errBlacklisted, or errDBFailure for the appropriate problems, or nil if the host is allowable.
func (*AuthorityDatabaseImpl) DumpRules ¶
func (padb *AuthorityDatabaseImpl) DumpRules() (rs RuleSet, err error)
DumpRules retrieves all domainRules in the database so they can be written to disk
func (*AuthorityDatabaseImpl) LoadRules ¶
func (padb *AuthorityDatabaseImpl) LoadRules(rs RuleSet) error
LoadRules loads the whitelist and blacklist into the database in a transaction deleting any previous content
type AuthorityImpl ¶
type AuthorityImpl struct {
DB *AuthorityDatabaseImpl
// contains filtered or unexported fields
}
AuthorityImpl enforces CA policy decisions.
func New ¶
func New(dbMap *gorp.DbMap, _ bool, challengeTypes map[string]bool) (*AuthorityImpl, error)
New constructs a Policy Authority. TODO(https://github.com/letsencrypt/boulder/issues/1616): Remove the _ bool argument (used to be enforceWhitelist). Update all callers.
func (*AuthorityImpl) ChallengesFor ¶
func (pa *AuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, accountKey *jose.JsonWebKey) ([]core.Challenge, [][]int)
ChallengesFor makes a decision of what challenges, and combinations, are acceptable for the given identifier.
Note: Current implementation is static, but future versions may not be.
func (*AuthorityImpl) SetHostnamePolicyFile ¶
func (pa *AuthorityImpl) SetHostnamePolicyFile(f string) error
SetHostnamePolicyFile will load the given policy file, returning error if it fails. It will also start a reloader in case the file changes.
func (*AuthorityImpl) WillingToIssue ¶
func (pa *AuthorityImpl) WillingToIssue(id core.AcmeIdentifier, regID int64) error
WillingToIssue determines whether the CA is willing to issue for the provided identifier. It expects domains in id to be lowercase to prevent mismatched cases breaking queries.
We place several criteria on identifiers we are willing to issue for:
- MUST self-identify as DNS identifiers
- MUST contain only bytes in the DNS hostname character set
- MUST NOT have more than maxLabels labels
- MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181 In particular:
- MUST NOT contain underscores
- MUST NOT contain IDN labels (xn--)
- MUST NOT match the syntax of an IP address
- MUST end in a public suffix
- MUST have at least one label in addition to the public suffix
- MUST NOT be a label-wise suffix match for a name on the black list, where comparison is case-independent (normalized to lower case)
If WillingToIssue returns an error, it will be of type MalformedRequestError.
type BlacklistRule ¶
type BlacklistRule domainRule
BlacklistRule is used to hold rules blacklisting a DNS name
type RawRuleSet ¶
RawRuleSet describes the rule set file format
type RuleSet ¶
type RuleSet struct {
Blacklist []BlacklistRule
Whitelist []WhitelistRule
}
RuleSet describes the rules to load into the policy database
type WhitelistRule ¶
type WhitelistRule domainRule
WhitelistRule is used to hold rules whitelisting a DNS name
Source Files