Documentation

Index
- Variables
- func DebugServer(addr string)
- func FailOnError(err error, msg string)
- func LoadCert(path string) (cert []byte, err error)
- func ProfileCmd(profileName string, stats statsd.Statter)
- func Version() string
- type AppShell
- type CAConfig
- type Config
- type ConfigDuration
- type KeyConfig
- type OCSPUpdaterConfig
- type PAConfig
- type PKCS11Config
- type Queue
- type RateLimitConfig
- type RateLimitPolicy
- type TLSConfig
Constants
This section is empty.
Variables
var ErrDurationMustBeString = errors.New("cannot JSON unmarshal something other than a string into a ConfigDuration")
ErrDurationMustBeString is returned when a non-string value is presented to be deserialized as a ConfigDuration
Functions

func DebugServer
func DebugServer(addr string)
DebugServer starts a server to receive debug information. Typical usage is to start it in a goroutine, configured with an address from the appropriate configuration object:
go cmd.DebugServer(c.XA.DebugAddr)
func FailOnError
func FailOnError(err error, msg string)
FailOnError prints an error message and exits if a problem was encountered.
func LoadCert
func LoadCert(path string) (cert []byte, err error)
LoadCert loads a PEM-formatted certificate from the provided path, returning it as a byte array, or an error if it couldn't be decoded.
func ProfileCmd
func ProfileCmd(profileName string, stats statsd.Statter)
ProfileCmd runs forever, sending Go runtime statistics to StatsD.
Types

type AppShell
AppShell contains CLI Metadata
func NewAppShell
NewAppShell creates a basic AppShell object containing CLI metadata
func (*AppShell) Run
func (as *AppShell) Run()
Run begins the application context, reading config and passing control to the default commandline action.
func (*AppShell) VersionString
VersionString produces a friendly Application version string
type CAConfig
type CAConfig struct {
	Profile      string
	TestMode     bool
	DBConnect    string
	SerialPrefix int
	Key          KeyConfig
	// LifespanOCSP is how long OCSP responses are valid for; It should be longer
	// than the minTimeToExpiry field for the OCSP Updater.
	LifespanOCSP string
	// How long issued certificates are valid for, should match expiry field
	// in cfssl config.
	Expiry string
	// The maximum number of subjectAltNames in a single certificate
	MaxNames int
	CFSSL    cfsslConfig.Config

	MaxConcurrentRPCServerRequests int64

	HSMFaultTimeout ConfigDuration

	// DebugAddr is the address to run the /debug handlers on.
	DebugAddr string
}
CAConfig structs have configuration information for the certificate authority, including database parameters as well as controls for issued certificates.
type Config
type Config struct {
	ActivityMonitor struct {
		// DebugAddr is the address to run the /debug handlers on.
		DebugAddr string
	}

	// General
	AMQP struct {
		Server    string
		Insecure  bool
		RA        Queue
		VA        Queue
		SA        Queue
		CA        Queue
		OCSP      Queue
		Publisher Queue
		TLS       *TLSConfig
		ReconnectTimeouts struct {
			Base ConfigDuration
			Max  ConfigDuration
		}
	}

	WFE struct {
		BaseURL       string
		ListenAddress string

		AllowOrigins []string

		CertCacheDuration           string
		CertNoCacheExpirationWindow string
		IndexCacheDuration          string
		IssuerCacheDuration         string

		ShutdownStopTimeout string
		ShutdownKillTimeout string

		// DebugAddr is the address to run the /debug handlers on.
		DebugAddr string
	}

	CA CAConfig

	Monolith struct {
		// DebugAddr is the address to run the /debug handlers on.
		DebugAddr string
	}

	RA struct {
		RateLimitPoliciesFilename string

		MaxConcurrentRPCServerRequests int64

		MaxContactsPerRegistration int

		// DebugAddr is the address to run the /debug handlers on.
		DebugAddr string
	}

	SA struct {
		DBConnect string

		MaxConcurrentRPCServerRequests int64

		// DebugAddr is the address to run the /debug handlers on.
		DebugAddr string
	}

	VA struct {
		UserAgent string

		PortConfig va.PortConfig

		MaxConcurrentRPCServerRequests int64

		// DebugAddr is the address to run the /debug handlers on.
		DebugAddr string
	}

	SQL struct {
		SQLDebug bool
	}

	Statsd struct {
		Server string
		Prefix string
	}

	Syslog struct {
		Network string
		Server  string
		Tag     string
	}

	Revoker struct {
		DBConnect string
	}

	Mailer struct {
		Server    string
		Port      string
		Username  string
		Password  string
		DBConnect string

		CertLimit int
		NagTimes  []string
		// How much earlier (than configured nag intervals) to
		// send reminders, to account for the expected delay
		// before the next expiration-mailer invocation.
		NagCheckInterval string
		// Path to a text/template email template
		EmailTemplate string

		// DebugAddr is the address to run the /debug handlers on.
		DebugAddr string
	}

	OCSPResponder struct {
		// Source indicates the source of pre-signed OCSP responses to be used. It
		// can be a DBConnect string or a file URL. The file URL style is used
		// when responding from a static file for intermediates and roots.
		Source string

		Path          string
		ListenAddress string
		// MaxAge is the max-age to set in the Cache-Control response
		// header. It is a time.Duration formatted string.
		MaxAge ConfigDuration

		ShutdownStopTimeout string
		ShutdownKillTimeout string

		// DebugAddr is the address to run the /debug handlers on.
		DebugAddr string
	}

	OCSPUpdater OCSPUpdaterConfig

	Publisher struct {
		MaxConcurrentRPCServerRequests int64

		// DebugAddr is the address to run the /debug handlers on.
		DebugAddr string
	}

	ExternalCertImporter struct {
		CertsToImportCSVFilename   string
		DomainsToImportCSVFilename string
		CertsToRemoveCSVFilename   string

		StatsdRate float32
	}

	PA PAConfig

	Common struct {
		BaseURL string
		// Path to a PEM-encoded copy of the issuer certificate.
		IssuerCert string

		DNSResolver               string
		DNSTimeout                string
		DNSAllowLoopbackAddresses bool

		CT publisher.CTConfig
	}

	CertChecker struct {
		Workers             int
		ReportDirectoryPath string
		DBConnect           string
	}

	SubscriberAgreementURL string
}
Config stores configuration parameters that applications will need. For simplicity, we just lump them all into one struct, and use encoding/json to read it from a file.
Note: NO DEFAULTS are provided.
type ConfigDuration
ConfigDuration is just an alias for time.Duration that allows serialization to YAML as well as JSON.
func (ConfigDuration) MarshalJSON
func (d ConfigDuration) MarshalJSON() ([]byte, error)
MarshalJSON returns the string form of the duration, as a byte array.
func (*ConfigDuration) UnmarshalJSON
func (d *ConfigDuration) UnmarshalJSON(b []byte) error
UnmarshalJSON parses a string into a ConfigDuration using time.ParseDuration. If the input does not unmarshal as a string, then UnmarshalJSON returns ErrDurationMustBeString.
func (*ConfigDuration) UnmarshalYAML
func (d *ConfigDuration) UnmarshalYAML(unmarshal func(interface{}) error) error
UnmarshalYAML uses the same format as JSON, but is called by the YAML parser (vs. the JSON parser).
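The ConfigDuration behaviour described above, together with Config's approach of reading everything with encoding/json and providing no defaults, as an added example that is not the package's own code. The ocspResponderConfig type, LoadOCSPResponderConfig and the constructed JSON documents are this example's own; the package's ConfigDuration is represented here as a named time.Duration, and only the JSON side is shown because the standard library has no YAML parser.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ErrDurationMustBeString matches the package-level error documented above.
var ErrDurationMustBeString = errors.New("cannot JSON unmarshal something other than a string into a ConfigDuration")

// ConfigDuration is a named time.Duration that serializes as a string such as
// "1h30m" instead of the integer nanosecond count a plain time.Duration would use.
type ConfigDuration time.Duration

// MarshalJSON returns the string form of the duration as a JSON string.
func (d ConfigDuration) MarshalJSON() ([]byte, error) {
	return json.Marshal(time.Duration(d).String())
}

// UnmarshalJSON accepts only a JSON string and parses it with time.ParseDuration.
// A bare number such as 5400 is refused with ErrDurationMustBeString rather than
// being read as 5400 nanoseconds, which would silently shrink a timeout or cache age.
func (d *ConfigDuration) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		return nil // conventional no-op for JSON null; the field keeps its zero value
	}
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return ErrDurationMustBeString
	}
	parsed, err := time.ParseDuration(s)
	if err != nil {
		return err
	}
	*d = ConfigDuration(parsed)
	return nil
}

// ocspResponderConfig is a hypothetical subset of the Config.OCSPResponder section.
type ocspResponderConfig struct {
	ListenAddress string
	MaxAge        ConfigDuration
}

// LoadOCSPResponderConfig parses a JSON document with encoding/json. As with the
// package's Config, nothing is defaulted: a field absent from the JSON stays zero.
func LoadOCSPResponderConfig(raw []byte) (ocspResponderConfig, error) {
	var c ocspResponderConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return ocspResponderConfig{}, err
	}
	return c, nil
}

// Constructed sample inputs: a well-formed document, one that gives the duration
// as a number, and one whose string is not a valid time.Duration.
const (
	goodJSON    = `{"ListenAddress": ":4002", "MaxAge": "1h30m"}`
	numberJSON  = `{"ListenAddress": ":4002", "MaxAge": 5400}`
	garbageJSON = `{"ListenAddress": ":4002", "MaxAge": "ninety minutes"}`
)

func main() {
	for _, raw := range []string{goodJSON, numberJSON, garbageJSON} {
		c, err := LoadOCSPResponderConfig([]byte(raw))
		if err != nil {
			fmt.Printf("%s -> error: %v\n", raw, err)
			continue
		}
		out, _ := json.Marshal(c)
		fmt.Printf("%s -> MaxAge=%v, re-encoded as %s\n", raw, time.Duration(c.MaxAge), out)
	}
}
```

A YAML hook would reuse the same parsing step: the UnmarshalYAML signature above hands the method an unmarshal callback, so the method asks for a string through it and then runs the identical time.ParseDuration path. Because no defaults exist, a MaxAge left out of the file is a zero duration, which is worth checking for explicitly at startup rather than discovering in cache headers.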
type KeyConfig
type KeyConfig struct {
	File   string
	PKCS11 PKCS11Config
}
KeyConfig should contain either a File path to a PEM-format private key, or a PKCS11Config defining how to load a module for an HSM.
type OCSPUpdaterConfig
type OCSPUpdaterConfig struct {
	DBConnect string

	NewCertificateWindow     ConfigDuration
	OldOCSPWindow            ConfigDuration
	MissingSCTWindow         ConfigDuration
	RevokedCertificateWindow ConfigDuration

	NewCertificateBatchSize     int
	OldOCSPBatchSize            int
	MissingSCTBatchSize         int
	RevokedCertificateBatchSize int

	OCSPMinTimeToExpiry ConfigDuration
	OldestIssuedSCT     ConfigDuration

	AkamaiBaseURL           string
	AkamaiClientToken       string
	AkamaiClientSecret      string
	AkamaiAccessToken       string
	AkamaiPurgeRetries      int
	AkamaiPurgeRetryBackoff ConfigDuration

	SignFailureBackoffFactor float64
	SignFailureBackoffMax    ConfigDuration

	// DebugAddr is the address to run the /debug handlers on.
	DebugAddr string
}
OCSPUpdaterConfig provides the various window tick times and batch sizes needed for the OCSP (and SCT) updater.
type PAConfig
PAConfig specifies how a policy authority should connect to its database, and what policies it should enforce.
type PKCS11Config
PKCS11Config defines how to load a module for an HSM.
type RateLimitConfig
type RateLimitConfig struct {
	// Total number of certificates that can be extant at any given time.
	// The 2160h window, 90 days, is chosen to match certificate lifetime, since the
	// main capacity factor is how many OCSP requests we can sign with available
	// hardware.
	TotalCertificates RateLimitPolicy `yaml:"totalCertificates"`
	// Number of certificates that can be extant containing any given name.
	// These are counted by "base domain" aka eTLD+1, so any entries in the
	// overrides section must be an eTLD+1 according to the publicsuffix package.
	CertificatesPerName RateLimitPolicy `yaml:"certificatesPerName"`
	// Number of registrations that can be created per IP.
	// Note: Since this is checked before a registration is created, setting a
	// RegistrationOverride on it has no effect.
	RegistrationsPerIP RateLimitPolicy `yaml:"registrationsPerIP"`
	// Number of pending authorizations that can exist per account. Overrides by
	// key are not applied, but overrides by registration are.
	PendingAuthorizationsPerAccount RateLimitPolicy `yaml:"pendingAuthorizationsPerAccount"`
}
RateLimitConfig contains all application layer rate limiting policies
func LoadRateLimitPolicies
func LoadRateLimitPolicies(filename string) (RateLimitConfig, error)
LoadRateLimitPolicies loads various rate limiting policies from a YAML configuration file
type RateLimitPolicy
type RateLimitPolicy struct {
	// How long to count items for
	Window ConfigDuration `yaml:"window"`
	// The max number of items that can be present before triggering the rate
	// limit. Zero means "no limit."
	Threshold int `yaml:"threshold"`
	// A per-key override setting different limits than the default (higher or lower).
	// The key is defined on a per-limit basis and should match the key it counts on.
	// For instance, a rate limit on the number of certificates per name uses name as
	// a key, while a rate limit on the number of registrations per IP subnet would
	// use subnet as a key.
	// Note that a zero entry in the overrides map does not mean "no limit," it
	// means a limit of zero.
	Overrides map[string]int `yaml:"overrides"`
	// A per-registration override setting. This can be used, e.g. if there are
	// hosting providers that we would like to grant a higher rate of issuance
	// than the default. If both key-based and registration-based overrides are
	// available, the registration-based one takes priority.
	RegistrationOverrides map[int64]int `yaml:"registrationOverrides"`
}
RateLimitPolicy describes a general limiting policy
func (*RateLimitPolicy) Enabled
func (rlp *RateLimitPolicy) Enabled() bool
Enabled returns true iff the RateLimitPolicy is enabled.
func (*RateLimitPolicy) GetThreshold
func (rlp *RateLimitPolicy) GetThreshold(key string, regID int64) int
GetThreshold returns the threshold for this rate limit, taking into account any overrides for `key`.
func (*RateLimitPolicy) WindowBegin
func (rlp *RateLimitPolicy) WindowBegin(windowEnd time.Time) time.Time
WindowBegin returns the time that a RateLimitPolicy's window begins, given a particular end time (typically the current time).
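The three RateLimitPolicy methods, implemented from the field comments above, plus a caller-side check that applies them, as an added example that is not the package's own code. Two points are this example's assumptions rather than statements on the page: Enabled is taken to mean Threshold != 0 (because the Threshold comment says zero means "no limit"), and the Exceeded helper treats a count equal to the threshold as the limit already being reached, so that an override of 0 refuses everything. The samplePolicy values and timestamps are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// ConfigDuration is a named time.Duration, standing in for the package's type.
type ConfigDuration time.Duration

// RateLimitPolicy carries the fields documented above.
type RateLimitPolicy struct {
	Window                ConfigDuration
	Threshold             int
	Overrides             map[string]int
	RegistrationOverrides map[int64]int
}

// Enabled reports whether the policy applies at all. Assumption: a zero
// Threshold means "no limit", so such a policy is disabled.
func (rlp *RateLimitPolicy) Enabled() bool {
	return rlp.Threshold != 0
}

// GetThreshold resolves the limit for one key and registration. A registration
// override wins over a key override, which wins over the default Threshold, and
// an override of 0 is honoured as a limit of zero rather than treated as unset.
func (rlp *RateLimitPolicy) GetThreshold(key string, regID int64) int {
	if t, ok := rlp.RegistrationOverrides[regID]; ok {
		return t
	}
	if t, ok := rlp.Overrides[key]; ok {
		return t
	}
	return rlp.Threshold
}

// WindowBegin is the start of the counting window that ends at windowEnd.
func (rlp *RateLimitPolicy) WindowBegin(windowEnd time.Time) time.Time {
	return windowEnd.Add(-time.Duration(rlp.Window))
}

// Exceeded is an added caller-side check, not a method from the page: it counts
// the events in (WindowBegin, windowEnd] and reports whether the resolved
// threshold has already been reached, in which case the next request is refused.
func (rlp *RateLimitPolicy) Exceeded(key string, regID int64, events []time.Time, windowEnd time.Time) bool {
	if !rlp.Enabled() {
		return false
	}
	begin := rlp.WindowBegin(windowEnd)
	count := 0
	for _, at := range events {
		if at.After(begin) && !at.After(windowEnd) {
			count++
		}
	}
	return count >= rlp.GetThreshold(key, regID)
}

// samplePolicy is a constructed certificatesPerName-style entry: 5 per 90-day
// window, a higher override for one name, a zero override for another, and a
// generous per-registration override for registration 42.
func samplePolicy() *RateLimitPolicy {
	return &RateLimitPolicy{
		Window:    ConfigDuration(2160 * time.Hour),
		Threshold: 5,
		Overrides: map[string]int{
			"bulk.example":   20,
			"frozen.example": 0,
		},
		RegistrationOverrides: map[int64]int{42: 100},
	}
}

func main() {
	p := samplePolicy()
	now := time.Date(2015, 11, 1, 12, 0, 0, 0, time.UTC) // constructed "current time"
	var recent []time.Time
	for day := 1; day <= 5; day++ {
		recent = append(recent, now.Add(-time.Duration(day)*24*time.Hour))
	}
	fmt.Println("window begins at", p.WindowBegin(now))
	for _, name := range []string{"plain.example", "bulk.example", "frozen.example"} {
		fmt.Printf("%s: threshold %d, exceeded after 5 recent issuances: %v\n",
			name, p.GetThreshold(name, 1), p.Exceeded(name, 1, recent, now))
	}
	fmt.Println("registration 42 on frozen.example gets threshold", p.GetThreshold("frozen.example", 42))
}
```

Note the asymmetry the override semantics create: a missing map entry falls through to the default, while a present entry of 0 blocks issuance for that key, so a typo that turns a missing name into an empty override is a denial for that name rather than a silent "no limit".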