github-mirror/caddy
2
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-05-22 17:49:59 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

acme_server: fix policy parsing in caddyfile (#7006)
Some checks failed
Lint / lint (windows-latest, windows) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy, ~1.24.1, macos-14, 0, 1.24, mac) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy, ~1.24.1, ubuntu-latest, 0, 1.24, linux) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.24.1, windows-latest, True, 1.24, windows) (push) Has been cancelled
Details
Tests / test (s390x on IBM Z) (push) Has been cancelled
Details
Lint / govulncheck (push) Has been cancelled
Details
Tests / goreleaser-check (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, aix) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, darwin) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, dragonfly) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, freebsd) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, illumos) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, linux) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, netbsd) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, openbsd) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, solaris) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, windows) (push) Has been cancelled
Details
Lint / lint (macos-14, mac) (push) Has been cancelled
Details
Lint / lint (ubuntu-latest, linux) (push) Has been cancelled
Details

Browse Source 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
This commit is contained in:
Mohammed Al Sahaf
2025-05-08 20:54:07 +03:00
committed by GitHub
parent 051e73aefc
commit 44d078b670
4 changed files with 245 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest Normal file
View File

@ -0,0 +1,72 @@
{
pki {
ca custom-ca {
name "Custom CA"
}
}
}
acme.example.com {
acme_server {
ca custom-ca
allow {
domains host-1.internal.example.com host-2.internal.example.com
}
}
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"acme.example.com"
]
}
],
"handle": [
{
"handler": "subroute",
"routes": [
{
"handle": [
{
"ca": "custom-ca",
"handler": "acme_server",
"policy": {
"allow": {
"domains": [
"host-1.internal.example.com",
"host-2.internal.example.com"
]
}
}
}
]
}
]
}
],
"terminal": true
}
]
}
}
},
"pki": {
"certificate_authorities": {
"custom-ca": {
"name": "Custom CA"
}
}
}
}
}

80
caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest Normal file
View File

@ -0,0 +1,80 @@
{
pki {
ca custom-ca {
name "Custom CA"
}
}
}
acme.example.com {
acme_server {
ca custom-ca
allow {
domains host-1.internal.example.com host-2.internal.example.com
}
deny {
domains dc.internal.example.com
}
}
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"acme.example.com"
]
}
],
"handle": [
{
"handler": "subroute",
"routes": [
{
"handle": [
{
"ca": "custom-ca",
"handler": "acme_server",
"policy": {
"allow": {
"domains": [
"host-1.internal.example.com",
"host-2.internal.example.com"
]
},
"deny": {
"domains": [
"dc.internal.example.com"
]
}
}
}
]
}
]
}
],
"terminal": true
}
]
}
}
},
"pki": {
"certificate_authorities": {
"custom-ca": {
"name": "Custom CA"
}
}
}
}
}

71
caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest Normal file
View File

@ -0,0 +1,71 @@
{
pki {
ca custom-ca {
name "Custom CA"
}
}
}
acme.example.com {
acme_server {
ca custom-ca
deny {
domains dc.internal.example.com
}
}
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"acme.example.com"
]
}
],
"handle": [
{
"handler": "subroute",
"routes": [
{
"handle": [
{
"ca": "custom-ca",
"handler": "acme_server",
"policy": {
"deny": {
"domains": [
"dc.internal.example.com"
]
}
}
}
]
}
]
}
],
"terminal": true
}
]
}
}
},
"pki": {
"certificate_authorities": {
"custom-ca": {
"name": "Custom CA"
}
}
}
}
}

48
modules/caddypki/acmeserver/caddyfile.go
View File

@ -91,19 +91,17 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
acmeServer.Policy.AllowWildcardNames = true
case "allow":
r := &RuleSet{}
for h.Next() {
for h.NextBlock(h.Nesting() - 1) {
if h.CountRemainingArgs() == 0 {
return nil, h.ArgErr() // TODO:
}
switch h.Val() {
case "domains":
r.Domains = append(r.Domains, h.RemainingArgs()...)
case "ip_ranges":
r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
default:
return nil, h.Errf("unrecognized 'allow' subdirective: %s", h.Val())
}
for nesting := h.Nesting(); h.NextBlock(nesting); {
if h.CountRemainingArgs() == 0 {
return nil, h.ArgErr() // TODO:
}
switch h.Val() {
case "domains":
r.Domains = append(r.Domains, h.RemainingArgs()...)
case "ip_ranges":
r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
default:
return nil, h.Errf("unrecognized 'allow' subdirective: %s", h.Val())
}
}
if acmeServer.Policy == nil {
@ -112,19 +110,17 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
acmeServer.Policy.Allow = r
case "deny":
r := &RuleSet{}
for h.Next() {
for h.NextBlock(h.Nesting() - 1) {
if h.CountRemainingArgs() == 0 {
return nil, h.ArgErr() // TODO:
}
switch h.Val() {
case "domains":
r.Domains = append(r.Domains, h.RemainingArgs()...)
case "ip_ranges":
r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
default:
return nil, h.Errf("unrecognized 'deny' subdirective: %s", h.Val())
}
for nesting := h.Nesting(); h.NextBlock(nesting); {
if h.CountRemainingArgs() == 0 {
return nil, h.ArgErr() // TODO:
}
switch h.Val() {
case "domains":
r.Domains = append(r.Domains, h.RemainingArgs()...)
case "ip_ranges":
r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
default:
return nil, h.Errf("unrecognized 'deny' subdirective: %s", h.Val())
}
}
if acmeServer.Policy == nil {