From 44d078b6705c7abcabb2a60f501568ff7f5a57a1 Mon Sep 17 00:00:00 2001
From: Mohammed Al Sahaf <msaa1990@gmail.com>
Date: Thu, 8 May 2025 20:54:07 +0300
Subject: [PATCH] acme_server: fix policy parsing in caddyfile (#7006)

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---
 .../acme_server_policy-allow.caddyfiletest    | 72 +++++++++++++++++
 .../acme_server_policy-both.caddyfiletest     | 80 +++++++++++++++++++
 .../acme_server_policy-deny.caddyfiletest     | 71 ++++++++++++++++
 modules/caddypki/acmeserver/caddyfile.go      | 48 +++++------
 4 files changed, 245 insertions(+), 26 deletions(-)
 create mode 100644 caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest
 create mode 100644 caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest
 create mode 100644 caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest

diff --git a/caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest b/caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest
new file mode 100644
index 000000000..5d1d8a3bc
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest
@@ -0,0 +1,72 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		allow {
+			domains host-1.internal.example.com host-2.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"allow": {
+															"domains": [
+																"host-1.internal.example.com",
+																"host-2.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}
diff --git a/caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest b/caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest
new file mode 100644
index 000000000..15cdbba90
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest
@@ -0,0 +1,80 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		allow {
+			domains host-1.internal.example.com host-2.internal.example.com
+		}
+		deny {
+			domains dc.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"allow": {
+															"domains": [
+																"host-1.internal.example.com",
+																"host-2.internal.example.com"
+															]
+														},
+														"deny": {
+															"domains": [
+																"dc.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}
diff --git a/caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest b/caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest
new file mode 100644
index 000000000..0478088c9
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest
@@ -0,0 +1,71 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		deny {
+			domains dc.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"deny": {
+															"domains": [
+																"dc.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}
diff --git a/modules/caddypki/acmeserver/caddyfile.go b/modules/caddypki/acmeserver/caddyfile.go
index c4d85716f..a7dc8e337 100644
--- a/modules/caddypki/acmeserver/caddyfile.go
+++ b/modules/caddypki/acmeserver/caddyfile.go
@@ -91,19 +91,17 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
 			acmeServer.Policy.AllowWildcardNames = true
 		case "allow":
 			r := &RuleSet{}
-			for h.Next() {
-				for h.NextBlock(h.Nesting() - 1) {
-					if h.CountRemainingArgs() == 0 {
-						return nil, h.ArgErr() // TODO:
-					}
-					switch h.Val() {
-					case "domains":
-						r.Domains = append(r.Domains, h.RemainingArgs()...)
-					case "ip_ranges":
-						r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
-					default:
-						return nil, h.Errf("unrecognized 'allow' subdirective: %s", h.Val())
-					}
+			for nesting := h.Nesting(); h.NextBlock(nesting); {
+				if h.CountRemainingArgs() == 0 {
+					return nil, h.ArgErr() // TODO:
+				}
+				switch h.Val() {
+				case "domains":
+					r.Domains = append(r.Domains, h.RemainingArgs()...)
+				case "ip_ranges":
+					r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
+				default:
+					return nil, h.Errf("unrecognized 'allow' subdirective: %s", h.Val())
 				}
 			}
 			if acmeServer.Policy == nil {
@@ -112,19 +110,17 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
 			acmeServer.Policy.Allow = r
 		case "deny":
 			r := &RuleSet{}
-			for h.Next() {
-				for h.NextBlock(h.Nesting() - 1) {
-					if h.CountRemainingArgs() == 0 {
-						return nil, h.ArgErr() // TODO:
-					}
-					switch h.Val() {
-					case "domains":
-						r.Domains = append(r.Domains, h.RemainingArgs()...)
-					case "ip_ranges":
-						r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
-					default:
-						return nil, h.Errf("unrecognized 'deny' subdirective: %s", h.Val())
-					}
+			for nesting := h.Nesting(); h.NextBlock(nesting); {
+				if h.CountRemainingArgs() == 0 {
+					return nil, h.ArgErr() // TODO:
+				}
+				switch h.Val() {
+				case "domains":
+					r.Domains = append(r.Domains, h.RemainingArgs()...)
+				case "ip_ranges":
+					r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
+				default:
+					return nil, h.Errf("unrecognized 'deny' subdirective: %s", h.Val())
 				}
 			}
 			if acmeServer.Policy == nil {