Mirrors/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-03-23 21:54:51 +01:00
Code Issues Projects Releases Packages Wiki Activity

caddytls: Initialize permission module earlier (fix #6901)

Browse source 
Bug introduced in 4ebcfed9c9
This commit is contained in:
Matthew Holt 2025-03-17 12:02:23 -06:00
parent b3e692ed09
commit e276994174
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5
2 changed files with 16 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
modules/caddytls/automation.go
View file

@ -173,9 +173,6 @@ type AutomationPolicy struct {
subjects []string subjects []string
magic *certmagic.Config magic *certmagic.Config
storage certmagic.Storage storage certmagic.Storage
// Whether this policy had explicit managers configured directly on it.
hadExplicitManagers bool
} }
// Provision sets up ap and builds its underlying CertMagic config. // Provision sets up ap and builds its underlying CertMagic config.
@ -212,8 +209,9 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
// store them on the policy before putting it on the config // store them on the policy before putting it on the config
// load and provision any cert manager modules // load and provision any cert manager modules
var hadExplicitManagers bool
if ap.ManagersRaw != nil { if ap.ManagersRaw != nil {
ap.hadExplicitManagers = true hadExplicitManagers = true
vals, err := tlsApp.ctx.LoadModule(ap, "ManagersRaw") vals, err := tlsApp.ctx.LoadModule(ap, "ManagersRaw")
if err != nil { if err != nil {
return fmt.Errorf("loading external certificate manager modules: %v", err) return fmt.Errorf("loading external certificate manager modules: %v", err)
@ -273,9 +271,9 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
// prevent issuance from Issuers (when Managers don't provide a certificate) if there's no // prevent issuance from Issuers (when Managers don't provide a certificate) if there's no
// permission module configured // permission module configured
noProtections := ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.permission == nil) noProtections := ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.permission == nil)
failClosed := noProtections && !ap.hadExplicitManagers // don't allow on-demand issuance (other than implicit managers) if no managers have been explicitly configured failClosed := noProtections && !hadExplicitManagers // don't allow on-demand issuance (other than implicit managers) if no managers have been explicitly configured
if noProtections { if noProtections {
if !ap.hadExplicitManagers { if !hadExplicitManagers {
// no managers, no explicitly-configured permission module, this is a config error // no managers, no explicitly-configured permission module, this is a config error
return fmt.Errorf("on-demand TLS cannot be enabled without a permission module to prevent abuse; please refer to documentation for details") return fmt.Errorf("on-demand TLS cannot be enabled without a permission module to prevent abuse; please refer to documentation for details")
} }

24
modules/caddytls/tls.go
View file

@ -262,6 +262,18 @@ func (t *TLS) Provision(ctx caddy.Context) error {
} }
} }
// on-demand permission module
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.PermissionRaw != nil {
if t.Automation.OnDemand.Ask != "" {
return fmt.Errorf("on-demand TLS config conflict: both 'ask' endpoint and a 'permission' module are specified; 'ask' is deprecated, so use only the permission module")
}
val, err := ctx.LoadModule(t.Automation.OnDemand, "PermissionRaw")
if err != nil {
return fmt.Errorf("loading on-demand TLS permission module: %v", err)
}
t.Automation.OnDemand.permission = val.(OnDemandPermission)
}
// automation/management policies // automation/management policies
if t.Automation == nil { if t.Automation == nil {
t.Automation = new(AutomationConfig) t.Automation = new(AutomationConfig)
@ -294,18 +306,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
} }
} }
// on-demand permission module
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.PermissionRaw != nil {
if t.Automation.OnDemand.Ask != "" {
return fmt.Errorf("on-demand TLS config conflict: both 'ask' endpoint and a 'permission' module are specified; 'ask' is deprecated, so use only the permission module")
}
val, err := ctx.LoadModule(t.Automation.OnDemand, "PermissionRaw")
if err != nil {
return fmt.Errorf("loading on-demand TLS permission module: %v", err)
}
t.Automation.OnDemand.permission = val.(OnDemandPermission)
}
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036) // run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" { if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true) t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)