policy, ra: Remove default allows for DNS identifiers (#8233)
Fixes #8184
This commit is contained in:
parent
48d5ad3c19
commit
0a095e2f6b
@ -33,6 +33,7 @@ import (
berrors "github.com/letsencrypt/boulder/errors"
"github.com/letsencrypt/boulder/features"
"github.com/letsencrypt/boulder/goodkey"
"github.com/letsencrypt/boulder/identifier"
"github.com/letsencrypt/boulder/issuance"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/metrics"
@ -147,7 +148,7 @@ func setup(t *testing.T) *testCtx {
fc := clock.NewFake()
fc.Add(1 * time.Hour)
pa, err := policy.New(nil, nil, blog.NewMock())
pa, err := policy.New(map[identifier.IdentifierType]bool{"dns": true}, nil, blog.NewMock())
test.AssertNotError(t, err, "Couldn't create PA")
err = pa.LoadHostnamePolicyFile("../test/hostname-policy.yaml")
test.AssertNotError(t, err, "Couldn't set hostname policy")
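Review bot: The new call `pa, err := policy.New(map[identifier.IdentifierType]bool{"dns": true}, nil, blog.NewMock())` keys the map with the untyped literal `"dns"`, even though this commit adds the `identifier` import to this file and the policy side of the same diff spells the key as `identifier.TypeDNS`. Using the constant keeps the test in step with production code, and a misspelled literal would compile into a map that enables no identifier type instead of failing the build: `pa, err := policy.New(map[identifier.IdentifierType]bool{identifier.TypeDNS: true}, nil, blog.NewMock())`. The rest of setup lies outside the hunk.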
@ -39,14 +39,6 @@ type AuthorityImpl struct {
// New constructs a Policy Authority.
func New(identifierTypes map[identifier.IdentifierType]bool, challengeTypes map[core.AcmeChallenge]bool, log blog.Logger) (*AuthorityImpl, error) {
// If identifierTypes are not configured (i.e. nil), default to allowing DNS
// identifiers. This default is temporary, to improve deployability.
//
// TODO(#8184): Remove this default.
if identifierTypes == nil {
identifierTypes = map[identifier.IdentifierType]bool{identifier.TypeDNS: true}
}
return &AuthorityImpl{
log: log,
enabledChallenges: challengeTypes,
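Review bot: With the nil-to-DNS fallback removed, `New` now accepts a nil or empty identifierTypes map without any check, and the doc comment `// New constructs a Policy Authority.` no longer says what that means; assuming later lookups index this map, a nil map answers false for every type, so such a PA would refuse every identifier — fail-closed, but silently. Either state it in the doc comment, e.g. `// New constructs a Policy Authority. identifierTypes has no default: a nil or empty map permits no identifier type.`, or reject it at construction so a misconfigured deployment fails at startup rather than on every order, e.g. `if len(identifierTypes) == 0 { return nil, errors.New("at least one identifier type must be enabled") }` (assuming `errors` is imported here; the ra.go side of this commit gets the equivalent from its `required` validate tag). The remainder of New's body and its return lie outside the hunk.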
17
ra/ra.go
17
ra/ra.go
@ -303,8 +303,8 @@ type ValidationProfileConfig struct {
// exists but is empty, the profile is closed to all accounts.
AllowList string `validate:"omitempty"`
// IdentifierTypes is a list of identifier types that may be issued under
// this profile. If none are specified, it defaults to "dns".
IdentifierTypes []identifier.IdentifierType `validate:"omitempty,dive,oneof=dns ip"`
// this profile.
IdentifierTypes []identifier.IdentifierType `validate:"required,dive,oneof=dns ip"`
}
// validationProfile holds the attributes of a given validation profile.
@ -330,7 +330,7 @@ type validationProfile struct {
// nil, the profile is open to all accounts (everyone is allowed).
allowList *allowlist.List[int64]
// identifierTypes is a list of identifier types that may be issued under
// this profile. If none are specified, it defaults to "dns".
// this profile.
identifierTypes []identifier.IdentifierType
}
@ -384,22 +384,13 @@ func NewValidationProfiles(defaultName string, configs map[string]*ValidationPro
}
}
identifierTypes := config.IdentifierTypes
// If this profile has no identifier types configured, default to DNS.
// This default is temporary, to improve deployability.
//
// TODO(#8184): Remove this default and use config.IdentifierTypes below.
if len(identifierTypes) == 0 {
identifierTypes = []identifier.IdentifierType{identifier.TypeDNS}
}
profiles[name] = &validationProfile{
pendingAuthzLifetime: config.PendingAuthzLifetime.Duration,
validAuthzLifetime: config.ValidAuthzLifetime.Duration,
orderLifetime: config.OrderLifetime.Duration,
maxNames: config.MaxNames,
allowList: allowList,
identifierTypes: identifierTypes,
identifierTypes: config.IdentifierTypes,
}
}
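Review bot: The new `required` in the IdentifierTypes struct tag in ValidationProfileConfig rejects a missing key, but if this is go-playground/validator syntax (as `dive` and `oneof` suggest) `required` on a slice only rejects nil, so a config with `"identifierTypes": []` decodes to an empty non-nil slice, passes validation, and — now that NewValidationProfiles no longer falls back to DNS at `identifierTypes: config.IdentifierTypes,` — yields a profile that can issue for no identifier type at all. That is fail-closed, but it shows up as every order under that profile being refused rather than as a startup error; a length bound on the tag closes the gap: `validate:"required,min=1,dive,oneof=dns ip"`. An equivalent `len(config.IdentifierTypes) == 0` check in NewValidationProfiles would serve if the tag library does not support `min` on slices. NewValidationProfiles starts and ends outside the hunk.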
@ -191,6 +191,9 @@
"http-01": true,
"dns-01": true,
"tls-alpn-01": true
},
"identifiers": {
"dns": true
}
},
"syslog": {
@ -24,6 +24,9 @@
"http-01": true,
"dns-01": true,
"tls-alpn-01": true
},
"identifiers": {
"dns": true
}
},
"syslog": {
@ -41,19 +41,28 @@
"pendingAuthzLifetime": "168h",
"validAuthzLifetime": "720h",
"orderLifetime": "168h",
"maxNames": 100
"maxNames": 100,
"identifierTypes": [
"dns"
]
},
"modern": {
"pendingAuthzLifetime": "7h",
"validAuthzLifetime": "7h",
"orderLifetime": "7h",
"maxNames": 10
"maxNames": 10,
"identifierTypes": [
"dns"
]
},
"shortlived": {
"pendingAuthzLifetime": "7h",
"validAuthzLifetime": "7h",
"orderLifetime": "7h",
"maxNames": 10
"maxNames": 10,
"identifierTypes": [
"dns"
]
}
},
"defaultProfileName": "legacy",
@ -182,6 +191,9 @@
"http-01": true,
"dns-01": true,
"tls-alpn-01": true
},
"identifiers": {
"dns": true
}
},
"syslog": {