policy

package
v0.0.0-...-a5e779e Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 3, 2015 License: MPL-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type BlacklistRule

type BlacklistRule domainRule

BlacklistRule is used to hold rules blacklisting a DNS name

type PolicyAuthorityDatabaseImpl

type PolicyAuthorityDatabaseImpl struct {
	// contains filtered or unexported fields
}

PolicyAuthorityDatabaseImpl enforces policy decisions based on various rule lists

func NewPolicyAuthorityDatabaseImpl

func NewPolicyAuthorityDatabaseImpl(dbMap *gorp.DbMap) (padb *PolicyAuthorityDatabaseImpl, err error)

NewPolicyAuthorityDatabaseImpl constructs a Policy Authority Database (and creates tables if they are non-existent)

func (*PolicyAuthorityDatabaseImpl) CheckHostLists

func (padb *PolicyAuthorityDatabaseImpl) CheckHostLists(host string, requireWhitelisted bool) error

CheckHostLists will query the database for white/blacklist rules that match host, if both whitelist and blacklist rules are found the blacklist will always win

func (*PolicyAuthorityDatabaseImpl) DumpRules

func (padb *PolicyAuthorityDatabaseImpl) DumpRules() (rs RuleSet, err error)

DumpRules retrieves all domainRules in the database so they can be written to disk

func (*PolicyAuthorityDatabaseImpl) LoadRules

func (padb *PolicyAuthorityDatabaseImpl) LoadRules(rs RuleSet) error

LoadRules loads the whitelist and blacklist into the database in a transaction deleting any previous content

type PolicyAuthorityImpl

type PolicyAuthorityImpl struct {
	DB *PolicyAuthorityDatabaseImpl

	EnforceWhitelist bool
	// contains filtered or unexported fields
}

PolicyAuthorityImpl enforces CA policy decisions.

func NewPolicyAuthorityImpl

func NewPolicyAuthorityImpl(dbMap *gorp.DbMap, enforceWhitelist bool, challengeTypes map[string]bool) (*PolicyAuthorityImpl, error)

NewPolicyAuthorityImpl constructs a Policy Authority.

func (PolicyAuthorityImpl) ChallengesFor

func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, accountKey *jose.JsonWebKey) ([]core.Challenge, [][]int, error)

ChallengesFor makes a decision of what challenges, and combinations, are acceptable for the given identifier.

Note: Current implementation is static, but future versions may not be.

func (PolicyAuthorityImpl) WillingToIssue

func (pa PolicyAuthorityImpl) WillingToIssue(id core.AcmeIdentifier, regID int64) error

WillingToIssue determines whether the CA is willing to issue for the provided identifier. It expects domains in id to be lowercase to prevent mismatched cases breaking queries.

We place several criteria on identifiers we are willing to issue for:

  • MUST self-identify as DNS identifiers
  • MUST contain only bytes in the DNS hostname character set
  • MUST NOT have more than maxLabels labels
  • MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181 In particular:
  • MUST NOT contain underscores
  • MUST NOT contain IDN labels (xn--)
  • MUST NOT match the syntax of an IP address
  • MUST end in a public suffix
  • MUST have at least one label in addition to the public suffix
  • MUST NOT be a label-wise suffix match for a name on the black list, where comparison is case-independent (normalized to lower case)

If WillingToIssue returns an error, it will be of type MalformedRequestError.

type RawRuleSet

type RawRuleSet struct {
	Blacklist []string
	Whitelist []string
}

RawRuleSet describes the rule set file format

type RuleSet

type RuleSet struct {
	Blacklist []BlacklistRule
	Whitelist []WhitelistRule
}

RuleSet describes the rules to load into the policy database

type WhitelistRule

type WhitelistRule domainRule

WhitelistRule is used to hold rules whitelisting a DNS name

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL