Documentation
Constants
This section is empty.
Variables
var ErrBlacklisted = errors.New("Name is blacklisted")
ErrBlacklisted indicates we have blacklisted one or more of these identifiers.
var ErrICANNTLD = errors.New("Name is an ICANN TLD")
ErrICANNTLD indicates that one or more identifiers were an ICANN-managed TLD.
var ErrNotWhitelisted = errors.New("Name is not whitelisted")
ErrNotWhitelisted indicates we have not whitelisted one or more of these identifiers.
Functions
This section is empty.
Types
type BlacklistRule
type BlacklistRule domainRule
BlacklistRule is used to hold rules blacklisting a DNS name
type InvalidIdentifierError
type InvalidIdentifierError struct{}
InvalidIdentifierError indicates that we didn't understand the IdentifierType provided.
func (InvalidIdentifierError) Error
func (e InvalidIdentifierError) Error() string
type NonPublicError
type NonPublicError struct{}
NonPublicError indicates that one or more identifiers were not on the public Internet.
func (NonPublicError) Error
func (e NonPublicError) Error() string
type PolicyAuthorityDatabaseImpl
type PolicyAuthorityDatabaseImpl struct {
	// contains filtered or unexported fields
}
PolicyAuthorityDatabaseImpl enforces policy decisions based on various rule lists.
func NewPolicyAuthorityDatabaseImpl
func NewPolicyAuthorityDatabaseImpl(dbMap *gorp.DbMap) (padb *PolicyAuthorityDatabaseImpl, err error)
NewPolicyAuthorityDatabaseImpl constructs a Policy Authority Database (and creates tables if they are non-existent)
func (*PolicyAuthorityDatabaseImpl) CheckHostLists
func (padb *PolicyAuthorityDatabaseImpl) CheckHostLists(host string, requireWhitelisted bool) error
CheckHostLists queries the database for whitelist and blacklist rules that match host. If both whitelist and blacklist rules are found, the blacklist always wins.
func (*PolicyAuthorityDatabaseImpl) DumpRules
func (padb *PolicyAuthorityDatabaseImpl) DumpRules() (rs RuleSet, err error)
DumpRules retrieves all domainRules in the database so they can be written to disk
func (*PolicyAuthorityDatabaseImpl) LoadRules
func (padb *PolicyAuthorityDatabaseImpl) LoadRules(rs RuleSet) error
LoadRules loads the whitelist and blacklist into the database in a single transaction, deleting any previous content.
type PolicyAuthorityImpl
type PolicyAuthorityImpl struct {
	DB               *PolicyAuthorityDatabaseImpl
	EnforceWhitelist bool
	// contains filtered or unexported fields
}
PolicyAuthorityImpl enforces CA policy decisions.
func NewPolicyAuthorityImpl
func NewPolicyAuthorityImpl(dbMap *gorp.DbMap, enforceWhitelist bool) (*PolicyAuthorityImpl, error)
NewPolicyAuthorityImpl constructs a Policy Authority.
func (PolicyAuthorityImpl) ChallengesFor
func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, accountKey *jose.JsonWebKey) (challenges []core.Challenge, combinations [][]int, err error)
ChallengesFor decides which challenges, and which combinations of them, are acceptable for the given identifier.
Note: Current implementation is static, but future versions may not be.
func (PolicyAuthorityImpl) WillingToIssue
func (pa PolicyAuthorityImpl) WillingToIssue(id core.AcmeIdentifier, regID int64) error
WillingToIssue determines whether the CA is willing to issue for the provided identifier. It expects the domains in id to be lowercase, so that mismatched case cannot break queries.
We place several criteria on identifiers we are willing to issue for:
- MUST self-identify as DNS identifiers
- MUST contain only bytes in the DNS hostname character set
- MUST NOT have more than maxLabels labels
- MUST follow the DNS hostname syntax rules in RFC 1035 and RFC 2181. In particular:
  - MUST NOT contain underscores
  - MUST NOT contain IDN labels (xn--)
  - MUST NOT match the syntax of an IP address
- MUST end in a public suffix
- MUST have at least one label in addition to the public suffix
- MUST NOT be a label-wise suffix match for a name on the blacklist, where the comparison is case-independent (normalized to lower case)
XXX: Is there any need for this method to be constant-time? We're going to refuse to issue anyway, but timing could leak whether names are on the blacklist.
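The precedence rule documented for CheckHostLists (a blacklist hit always beats a whitelist match) and the syntactic criteria listed for WillingToIssue, worked through as an added Go example. This is not Boulder's own code: it uses a constructed toy public-suffix set in place of the Public Suffix List, an assumed maxLabels of 10 (the package's value is unexported), plain-string rules instead of the unexported domainRule type, and in-memory lists instead of the database query.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Constructed stand-ins for the package's error values.
var (
	errBlacklisted    = errors.New("Name is blacklisted")
	errNotWhitelisted = errors.New("Name is not whitelisted")
	errSyntax         = errors.New("Syntax error")
	errNonPublic      = errors.New("Name does not end in a public suffix")
)

// Assumed label limit; the real package's maxLabels is unexported.
const maxLabels = 10

// dnsHostnameRE accepts only the (lowercase) DNS hostname character set;
// underscores and uppercase are rejected here, as the doc requires.
var dnsHostnameRE = regexp.MustCompile(`^[a-z0-9.-]+$`)

// publicSuffixes is a constructed toy list; a real check would consult the Public Suffix List.
var publicSuffixes = map[string]bool{"com": true, "org": true, "co.uk": true}

// ruleSet mirrors RuleSet with plain string domains.
type ruleSet struct {
	Blacklist []string
	Whitelist []string
}

// suffixMatch is a label-wise suffix match: host equals rule or ends in "."+rule.
func suffixMatch(host, rule string) bool {
	return host == rule || strings.HasSuffix(host, "."+rule)
}

// checkHostLists applies the documented precedence: any blacklist hit wins;
// when whitelisting is required, the host must match at least one whitelist rule.
func checkHostLists(rs ruleSet, host string, requireWhitelisted bool) error {
	host = strings.ToLower(host) // comparison is case-independent
	for _, b := range rs.Blacklist {
		if suffixMatch(host, strings.ToLower(b)) {
			return errBlacklisted
		}
	}
	if !requireWhitelisted {
		return nil
	}
	for _, w := range rs.Whitelist {
		if suffixMatch(host, strings.ToLower(w)) {
			return nil
		}
	}
	return errNotWhitelisted
}

// endsInPublicSuffixWithLabel checks that some proper suffix of host is a public
// suffix; starting at i=1 guarantees at least one label precedes it.
func endsInPublicSuffixWithLabel(host string) bool {
	labels := strings.Split(host, ".")
	for i := 1; i < len(labels); i++ {
		if publicSuffixes[strings.Join(labels[i:], ".")] {
			return true
		}
	}
	return false
}

// willingToIssue applies the syntactic criteria from the WillingToIssue doc in
// order, then the list checks. Input is expected to be lowercase already.
func willingToIssue(rs ruleSet, host string, requireWhitelisted bool) error {
	if host == "" || !dnsHostnameRE.MatchString(host) {
		return errSyntax
	}
	if net.ParseIP(host) != nil { // MUST NOT match the syntax of an IP address
		return errSyntax
	}
	labels := strings.Split(host, ".")
	if len(labels) > maxLabels {
		return errSyntax
	}
	for _, l := range labels {
		// RFC 1035 / RFC 2181 label rules: 1-63 octets, no leading or trailing hyphen.
		if l == "" || len(l) > 63 || strings.HasPrefix(l, "-") || strings.HasSuffix(l, "-") {
			return errSyntax
		}
		if strings.HasPrefix(l, "xn--") { // IDN labels are refused
			return errSyntax
		}
	}
	if !endsInPublicSuffixWithLabel(host) {
		return errNonPublic
	}
	return checkHostLists(rs, host, requireWhitelisted)
}

func main() {
	rs := ruleSet{Blacklist: []string{"blocked.example.com"}, Whitelist: []string{"example.com"}}
	for _, h := range []string{"www.example.com", "www.blocked.example.com", "other.org", "xn--bcher-kva.com", "10.0.0.1", "co.uk"} {
		fmt.Printf("%-26s -> %v\n", h, willingToIssue(rs, h, true))
	}
}
```

Note that "www.blocked.example.com" matches the whitelist entry "example.com" and is still refused, which is the behaviour the CheckHostLists doc promises; the ordering of the syntactic checks before the list lookup is what the XXX note is about, since a name rejected for syntax never reaches the blacklist comparison.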
type RawRuleSet
RawRuleSet describes the rule set file format
type RuleSet
type RuleSet struct {
	Blacklist []BlacklistRule
	Whitelist []WhitelistRule
}
RuleSet describes the rules to load into the policy database
type SyntaxError
type SyntaxError struct{}
SyntaxError indicates that the user input was not well formatted.
func (SyntaxError) Error
func (e SyntaxError) Error() string
type WhitelistRule
type WhitelistRule domainRule
WhitelistRule is used to hold rules whitelisting a DNS name