162 lines
5.2 KiB
Go
162 lines
5.2 KiB
Go
//go:generate stringer -type=FeatureFlag
|
|
|
|
package features
|
|
|
|
import (
|
|
"fmt"
|
|
"sync"
|
|
)
|
|
|
|
type FeatureFlag int
|
|
|
|
const (
|
|
unused FeatureFlag = iota // unused is used for testing
|
|
// Deprecated features, these can be removed once stripped from production configs
|
|
PerformValidationRPC
|
|
ACME13KeyRollover
|
|
SimplifiedVAHTTP
|
|
TLSSNIRevalidation
|
|
AllowRenewalFirstRL
|
|
SetIssuedNamesRenewalBit
|
|
FasterRateLimit
|
|
ProbeCTLogs
|
|
RevokeAtRA
|
|
|
|
// Currently in-use features
|
|
// Check CAA and respect validationmethods parameter.
|
|
CAAValidationMethods
|
|
// Check CAA and respect accounturi parameter.
|
|
CAAAccountURI
|
|
// HEAD requests to the WFE2 new-nonce endpoint should return HTTP StatusOK
|
|
// instead of HTTP StatusNoContent.
|
|
HeadNonceStatusOK
|
|
// NewAuthorizationSchema enables usage of the new authorization storage schema
|
|
// and associated RPCs.
|
|
NewAuthorizationSchema
|
|
// DisableAuthz2Orders prevents returning orders containing authz2 authorizations
|
|
// from the SA. If a order containing authz2 authorizations is queried a NotFound
|
|
// error will be returned. DisableAuthz2Orders should only be enabled if the authz2
|
|
// schema is in place. DisableAuthz2Orders should not be enabled if NewAuthorizationSchema
|
|
// is enabled as all new orders containing v2 authorizations will be hidden.
|
|
DisableAuthz2Orders
|
|
// EarlyOrderRateLimit enables the RA applying certificate per name/per FQDN
|
|
// set rate limits in NewOrder in addition to FinalizeOrder.
|
|
EarlyOrderRateLimit
|
|
// EnforceMultiVA causes the VA to block on remote VA PerformValidation
|
|
// requests in order to make a valid/invalid decision with the results.
|
|
EnforceMultiVA
|
|
// MultiVAFullResults will cause the main VA to wait for all of the remote VA
|
|
// results, not just the threshold required to make a decision.
|
|
MultiVAFullResults
|
|
// RemoveWFE2AccountID will remove the account ID from account objects returned
|
|
// from the new-account endpoint if enabled.
|
|
RemoveWFE2AccountID
|
|
// CheckRenewalFirst will check whether an issuance is a renewal before
|
|
// checking the "certificates per name" rate limit.
|
|
CheckRenewalFirst
|
|
// MandatoryPOSTAsGET forbids legacy unauthenticated GET requests for ACME
|
|
// resources.
|
|
MandatoryPOSTAsGET
|
|
// Use an optimized query for GetOrderForNames.
|
|
FasterGetOrderForNames
|
|
// Allow creation of new registrations in ACMEv1.
|
|
AllowV1Registration
|
|
// Check the failed validation limit in parallel during NewOrder
|
|
ParallelCheckFailedValidation
|
|
// Upon authorization validation, delete the challenges that weren't used.
|
|
DeleteUnusedChallenges
|
|
// V1DisableNewValidations disables validations for new domain names in the V1
|
|
// API.
|
|
V1DisableNewValidations
|
|
// PrecertificateOCSP ensures that we write an OCSP response immediately upon
|
|
// generating a precertificate. This also changes the issuance / storage flow,
|
|
// adding two new calls from CA to SA: AddSerial and AddPrecertificate.
|
|
PrecertificateOCSP
|
|
// PrecertificateRevocation allows revocation of precertificates with the
|
|
// ACMEv2 interface.
|
|
PrecertificateRevocation
|
|
)
|
|
|
|
// List of features and their default value, protected by fMu
|
|
var features = map[FeatureFlag]bool{
|
|
unused: false,
|
|
AllowRenewalFirstRL: false,
|
|
TLSSNIRevalidation: false,
|
|
CAAValidationMethods: false,
|
|
CAAAccountURI: false,
|
|
ACME13KeyRollover: false,
|
|
ProbeCTLogs: false,
|
|
SimplifiedVAHTTP: false,
|
|
PerformValidationRPC: false,
|
|
HeadNonceStatusOK: false,
|
|
NewAuthorizationSchema: false,
|
|
RevokeAtRA: false,
|
|
SetIssuedNamesRenewalBit: false,
|
|
EarlyOrderRateLimit: false,
|
|
EnforceMultiVA: false,
|
|
MultiVAFullResults: false,
|
|
RemoveWFE2AccountID: false,
|
|
FasterRateLimit: false,
|
|
CheckRenewalFirst: false,
|
|
MandatoryPOSTAsGET: false,
|
|
DisableAuthz2Orders: false,
|
|
FasterGetOrderForNames: false,
|
|
AllowV1Registration: true,
|
|
ParallelCheckFailedValidation: false,
|
|
DeleteUnusedChallenges: false,
|
|
V1DisableNewValidations: false,
|
|
PrecertificateOCSP: false,
|
|
PrecertificateRevocation: false,
|
|
}
|
|
|
|
var fMu = new(sync.RWMutex)
|
|
|
|
var initial = map[FeatureFlag]bool{}
|
|
|
|
var nameToFeature = make(map[string]FeatureFlag, len(features))
|
|
|
|
func init() {
|
|
for f, v := range features {
|
|
nameToFeature[f.String()] = f
|
|
initial[f] = v
|
|
}
|
|
}
|
|
|
|
// Set accepts a list of features and whether they should
|
|
// be enabled or disabled, it will return a error if passed
|
|
// a feature name that it doesn't know
|
|
func Set(featureSet map[string]bool) error {
|
|
fMu.Lock()
|
|
defer fMu.Unlock()
|
|
for n, v := range featureSet {
|
|
f, present := nameToFeature[n]
|
|
if !present {
|
|
return fmt.Errorf("feature '%s' doesn't exist", n)
|
|
}
|
|
features[f] = v
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Enabled returns true if the feature is enabled or false
|
|
// if it isn't, it will panic if passed a feature that it
|
|
// doesn't know.
|
|
func Enabled(n FeatureFlag) bool {
|
|
fMu.RLock()
|
|
defer fMu.RUnlock()
|
|
v, present := features[n]
|
|
if !present {
|
|
panic(fmt.Sprintf("feature '%s' doesn't exist", n.String()))
|
|
}
|
|
return v
|
|
}
|
|
|
|
// Reset resets the features to their initial state
|
|
func Reset() {
|
|
fMu.Lock()
|
|
defer fMu.Unlock()
|
|
for k, v := range initial {
|
|
features[k] = v
|
|
}
|
|
}
|