github-mirror/caddy
github-mirror/caddy
2
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-04-19 10:49:17 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

caddytls: Initialize permission module earlier (fix #6901)
Some checks failed
Cross-Build / build (~1.24.1, 1.24, darwin) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, dragonfly) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy, ~1.24.1, macos-14, 0, 1.24, mac) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy, ~1.24.1, ubuntu-latest, 0, 1.24, linux) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.24.1, windows-latest, True, 1.24, windows) (push) Has been cancelled
Details
Tests / test (s390x on IBM Z) (push) Has been cancelled
Details
Tests / goreleaser-check (push) Has been cancelled
Details
Lint / lint (macos-14, mac) (push) Has been cancelled
Details
Lint / lint (ubuntu-latest, linux) (push) Has been cancelled
Details
Lint / lint (windows-latest, windows) (push) Has been cancelled
Details
Lint / govulncheck (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, aix) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, freebsd) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, illumos) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, linux) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, netbsd) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, openbsd) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, solaris) (push) Has been cancelled
Details
Cross-Build / build (~1.24.1, 1.24, windows) (push) Has been cancelled
Details

Browse Source 
Bug introduced in 4ebcfed9c942c59f473f12f8108e1d0fa92e0855
This commit is contained in:
Matthew Holt 2025-03-17 12:02:23 -06:00
parent b3e692ed09
commit e276994174
No known key found for this signature in database
GPG Key ID: 2A349DD577D586A5
2 changed files with 16 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
modules/caddytls/automation.go
View File

@ -173,9 +173,6 @@ type AutomationPolicy struct {
subjects []string subjects []string
magic *certmagic.Config magic *certmagic.Config
storage certmagic.Storage storage certmagic.Storage
// Whether this policy had explicit managers configured directly on it.
hadExplicitManagers bool
} }
// Provision sets up ap and builds its underlying CertMagic config. // Provision sets up ap and builds its underlying CertMagic config.
@ -212,8 +209,9 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
// store them on the policy before putting it on the config // store them on the policy before putting it on the config
// load and provision any cert manager modules // load and provision any cert manager modules
var hadExplicitManagers bool
if ap.ManagersRaw != nil { if ap.ManagersRaw != nil {
ap.hadExplicitManagers = true hadExplicitManagers = true
vals, err := tlsApp.ctx.LoadModule(ap, "ManagersRaw") vals, err := tlsApp.ctx.LoadModule(ap, "ManagersRaw")
if err != nil { if err != nil {
return fmt.Errorf("loading external certificate manager modules: %v", err) return fmt.Errorf("loading external certificate manager modules: %v", err)
@ -273,9 +271,9 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
// prevent issuance from Issuers (when Managers don't provide a certificate) if there's no // prevent issuance from Issuers (when Managers don't provide a certificate) if there's no
// permission module configured // permission module configured
noProtections := ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.permission == nil) noProtections := ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.permission == nil)
failClosed := noProtections && !ap.hadExplicitManagers // don't allow on-demand issuance (other than implicit managers) if no managers have been explicitly configured failClosed := noProtections && !hadExplicitManagers // don't allow on-demand issuance (other than implicit managers) if no managers have been explicitly configured
if noProtections { if noProtections {
if !ap.hadExplicitManagers { if !hadExplicitManagers {
// no managers, no explicitly-configured permission module, this is a config error // no managers, no explicitly-configured permission module, this is a config error
return fmt.Errorf("on-demand TLS cannot be enabled without a permission module to prevent abuse; please refer to documentation for details") return fmt.Errorf("on-demand TLS cannot be enabled without a permission module to prevent abuse; please refer to documentation for details")
} }

24
modules/caddytls/tls.go
View File

@ -262,6 +262,18 @@ func (t *TLS) Provision(ctx caddy.Context) error {
} }
} }
// on-demand permission module
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.PermissionRaw != nil {
if t.Automation.OnDemand.Ask != "" {
return fmt.Errorf("on-demand TLS config conflict: both 'ask' endpoint and a 'permission' module are specified; 'ask' is deprecated, so use only the permission module")
}
val, err := ctx.LoadModule(t.Automation.OnDemand, "PermissionRaw")
if err != nil {
return fmt.Errorf("loading on-demand TLS permission module: %v", err)
}
t.Automation.OnDemand.permission = val.(OnDemandPermission)
}
// automation/management policies // automation/management policies
if t.Automation == nil { if t.Automation == nil {
t.Automation = new(AutomationConfig) t.Automation = new(AutomationConfig)
@ -294,18 +306,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
} }
} }
// on-demand permission module
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.PermissionRaw != nil {
if t.Automation.OnDemand.Ask != "" {
return fmt.Errorf("on-demand TLS config conflict: both 'ask' endpoint and a 'permission' module are specified; 'ask' is deprecated, so use only the permission module")
}
val, err := ctx.LoadModule(t.Automation.OnDemand, "PermissionRaw")
if err != nil {
return fmt.Errorf("loading on-demand TLS permission module: %v", err)
}
t.Automation.OnDemand.permission = val.(OnDemandPermission)
}
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036) // run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" { if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true) t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)