// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package pki
import (
"fmt"
"strings"
)
// EabPolicyName identifies one of the supported External Account Binding (EAB)
// enforcement policies for the ACME endpoints. The valid values are the
// eabPolicy* constants below; getEabPolicyByString maps user input onto them.
type EabPolicyName string

const (
	// eabPolicyNotRequired never demands an EAB.
	eabPolicyNotRequired EabPolicyName = "not-required"
	// eabPolicyNewAccountRequired demands an EAB only when a new ACME account
	// is created (see EnforceForNewAccount).
	eabPolicyNewAccountRequired EabPolicyName = "new-account-required"
	// eabPolicyAlwaysRequired is the most restrictive policy: an EAB is needed
	// to create an account, and the account must carry one for every later
	// ACME operation (see EnforceForExistingAccount). It is also the value
	// handed back when an unknown policy name is parsed.
	eabPolicyAlwaysRequired EabPolicyName = "always-required"
)
// getEabPolicyByString parses a user-supplied policy name into an EabPolicy.
// Matching is case-insensitive and ignores surrounding whitespace.
//
// An unrecognised name yields a non-nil error together with the
// always-required policy, so a misconfiguration fails closed: a caller that
// neglects to check err still ends up enforcing EAB everywhere.
func getEabPolicyByString(name string) (EabPolicy, error) {
	normalized := strings.TrimSpace(strings.ToLower(name))
	for _, known := range []EabPolicyName{
		eabPolicyNotRequired,
		eabPolicyNewAccountRequired,
		eabPolicyAlwaysRequired,
	} {
		if normalized == string(known) {
			return getEabPolicyByName(known), nil
		}
	}
	// Fail closed: return the strictest policy alongside the error.
	return getEabPolicyByName(eabPolicyAlwaysRequired), fmt.Errorf("unknown eab policy name: %s", name)
}
// getEabPolicyByName wraps an already-validated policy name in an EabPolicy.
// It performs no validation of its own; callers are expected to pass one of
// the eabPolicy* constants (getEabPolicyByString does that check before
// calling here).
func getEabPolicyByName(name EabPolicyName) EabPolicy {
	var policy EabPolicy
	policy.Name = name
	return policy
}
// EabPolicy is the configured External Account Binding policy for the ACME
// endpoints. Its methods answer, for each enforcement point, whether an EAB
// must be present.
type EabPolicy struct {
	// Name is one of the eabPolicy* constants; it selects the behaviour of
	// every Enforce*/Is* method on the type.
	Name EabPolicyName
}
// EnforceForNewAccount decides whether a new ACME account may be created with
// the supplied EAB data. It returns ErrExternalAccountRequired when the policy
// demands an EAB at account creation (new-account-required or always-required)
// and none was provided; otherwise it returns nil.
func (ep EabPolicy) EnforceForNewAccount(eabData *eabType) error {
	if eabData != nil {
		// An EAB was presented; every policy accepts that.
		return nil
	}
	switch ep.Name {
	case eabPolicyAlwaysRequired, eabPolicyNewAccountRequired:
		return ErrExternalAccountRequired
	}
	return nil
}
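// EnforceForExistingAccount checks, for every ACME operation performed with an
// existing account, whether that account must have an EAB bound to it. Only the
// always-required policy enforces this: it returns ErrExternalAccountRequired
// when the account carries no EAB, and nil otherwise. Under any other policy
// the result is always nil.
//
// A nil account is treated as having no EAB instead of being dereferenced, so
// a caller bug cannot turn into a nil-pointer panic on the enforcement path;
// under always-required that case still fails closed with
// ErrExternalAccountRequired.
func (ep EabPolicy) EnforceForExistingAccount(account *acmeAccount) error {
	if ep.Name != eabPolicyAlwaysRequired {
		return nil
	}
	if account == nil || account.Eab == nil {
		return ErrExternalAccountRequired
	}
	return nil
}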
// IsExternalAccountRequired reports whether an incoming new-account request
// must present an EAB under this policy, i.e. whether the policy is
// new-account-required or always-required. It mirrors the condition that
// EnforceForNewAccount rejects on.
func (ep EabPolicy) IsExternalAccountRequired() bool {
	switch ep.Name {
	case eabPolicyAlwaysRequired, eabPolicyNewAccountRequired:
		return true
	default:
		return false
	}
}
// OverrideEnvDisablingPublicAcme reports whether this policy is strict enough
// that ACME may be turned on even though the OS environment variable disabling
// public ACME support is set. Only always-required qualifies — presumably
// because, under it, no account can exist or operate without an EAB, so the
// endpoints are not usable anonymously (confirm against the caller that reads
// the environment variable).
func (ep EabPolicy) OverrideEnvDisablingPublicAcme() bool {
	if ep.Name == eabPolicyAlwaysRequired {
		return true
	}
	return false
}