forked from letsencrypt/boulder
-
Notifications
You must be signed in to change notification settings - Fork 0
/
config.go
422 lines (348 loc) · 10.7 KB
/
config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
// Copyright 2015 ISRG. All rights reserved
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package cmd
import (
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"strings"
"time"
cfsslConfig "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/config"
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/crypto/pkcs11key"
"github.com/letsencrypt/boulder/core"
"github.com/letsencrypt/boulder/va"
)
// Config stores configuration parameters that applications
// will need. For simplicity, we just lump them all into
// one struct, and use encoding/json to read it from a file.
//
// Note: NO DEFAULTS are provided.
type Config struct {
ActivityMonitor struct {
ServiceConfig
}
// Default AMQPConfig for services that don't specify one.
// TODO(jsha): Delete this after a deploy.
AMQP *AMQPConfig
WFE struct {
ServiceConfig
BaseURL string
ListenAddress string
AllowOrigins []string
CertCacheDuration string
CertNoCacheExpirationWindow string
IndexCacheDuration string
IssuerCacheDuration string
ShutdownStopTimeout string
ShutdownKillTimeout string
}
CA CAConfig
RA struct {
ServiceConfig
RateLimitPoliciesFilename string
MaxConcurrentRPCServerRequests int64
MaxContactsPerRegistration int
// UseIsSafeDomain determines whether to call VA.IsSafeDomain
UseIsSafeDomain bool // TODO(jmhodges): remove after va IsSafeDomain deploy
}
SA struct {
ServiceConfig
DBConfig
MaxConcurrentRPCServerRequests int64
}
VA struct {
ServiceConfig
UserAgent string
IssuerDomain string
PortConfig va.PortConfig
MaxConcurrentRPCServerRequests int64
GoogleSafeBrowsing *GoogleSafeBrowsingConfig
}
SQL struct {
SQLDebug bool
}
Statsd StatsdConfig
Syslog SyslogConfig
Revoker struct {
DBConfig
// The revoker isn't a long running service, so doesn't get a full
// ServiceConfig, just an AMQPConfig.
AMQP *AMQPConfig
}
Mailer struct {
ServiceConfig
DBConfig
Server string
Port string
Username string
Password string
CertLimit int
NagTimes []string
// How much earlier (than configured nag intervals) to
// send reminders, to account for the expected delay
// before the next expiration-mailer invocation.
NagCheckInterval string
// Path to a text/template email template
EmailTemplate string
}
OCSPResponder struct {
ServiceConfig
DBConfig
// Source indicates the source of pre-signed OCSP responses to be used. It
// can be a DBConnect string or a file URL. The file URL style is used
// when responding from a static file for intermediates and roots.
// If DBConfig has non-empty fields, it takes precedence over this.
Source string
Path string
ListenAddress string
// MaxAge is the max-age to set in the Cache-Controler response
// header. It is a time.Duration formatted string.
MaxAge ConfigDuration
ShutdownStopTimeout string
ShutdownKillTimeout string
}
OCSPUpdater OCSPUpdaterConfig
Publisher struct {
ServiceConfig
MaxConcurrentRPCServerRequests int64
}
ExternalCertImporter struct {
CertsToImportCSVFilename string
DomainsToImportCSVFilename string
CertsToRemoveCSVFilename string
StatsdRate float32
}
PA PAConfig
Common struct {
BaseURL string
// Path to a PEM-encoded copy of the issuer certificate.
IssuerCert string
DNSResolver string
DNSTimeout string
DNSAllowLoopbackAddresses bool
CT struct {
Logs []LogDescription
IntermediateBundleFilename string
}
}
CertChecker struct {
DBConfig
Workers int
ReportDirectoryPath string
}
SubscriberAgreementURL string
}
// ServiceConfig contains config items that are common to all our services, to
// be embedded in other config structs.
type ServiceConfig struct {
// DebugAddr is the address to run the /debug handlers on.
DebugAddr string
AMQP *AMQPConfig
}
// DBConfig defines how to connect to a database. The connect string may be
// stored in a file separate from the config, because it can contain a password,
// which we want to keep out of configs.
type DBConfig struct {
DBConnect string
// A file containing a connect URL for the DB.
DBConnectFile string
}
// URL returns the DBConnect URL represented by this DBConfig object, either
// loading it from disk or returning a default value.
func (d *DBConfig) URL() (string, error) {
if d.DBConnectFile != "" {
url, err := ioutil.ReadFile(d.DBConnectFile)
return string(url), err
}
return d.DBConnect, nil
}
// AMQPConfig describes how to connect to AMQP, and how to speak to each of the
// RPC services we offer via AMQP.
type AMQPConfig struct {
// A file from which the AMQP Server URL will be read. This allows secret
// values (like the password) to be stored separately from the main config.
ServerURLFile string
// AMQP server URL, including username and password.
Server string
Insecure bool
RA *RPCServerConfig
VA *RPCServerConfig
SA *RPCServerConfig
CA *RPCServerConfig
Publisher *RPCServerConfig
TLS *TLSConfig
// Queue name on which to listen, if this is an RPC service (vs acting only as
// an RPC client).
ServiceQueue string
ReconnectTimeouts struct {
Base ConfigDuration
Max ConfigDuration
}
}
// ServerURL returns the appropriate server URL for this object, which may
// involve reading from a file.
func (a *AMQPConfig) ServerURL() (string, error) {
if a.ServerURLFile != "" {
url, err := ioutil.ReadFile(a.ServerURLFile)
return strings.TrimRight(string(url), "\n"), err
}
if a.Server == "" {
return "", fmt.Errorf("Missing AMQP server URL")
}
return a.Server, nil
}
// CAConfig structs have configuration information for the certificate
// authority, including database parameters as well as controls for
// issued certificates.
type CAConfig struct {
ServiceConfig
DBConfig
Profile string
TestMode bool
SerialPrefix int
Key KeyConfig
// LifespanOCSP is how long OCSP responses are valid for; It should be longer
// than the minTimeToExpiry field for the OCSP Updater.
LifespanOCSP string
// How long issued certificates are valid for, should match expiry field
// in cfssl config.
Expiry string
// The maximum number of subjectAltNames in a single certificate
MaxNames int
CFSSL cfsslConfig.Config
MaxConcurrentRPCServerRequests int64
HSMFaultTimeout ConfigDuration
}
// PAConfig specifies how a policy authority should connect to its
// database, what policies it should enforce, and what challenges
// it should offer.
type PAConfig struct {
DBConfig
EnforcePolicyWhitelist bool
Challenges map[string]bool
}
// CheckChallenges checks whether the list of challenges in the PA config
// actually contains valid challenge names
func (pc PAConfig) CheckChallenges() error {
if len(pc.Challenges) == 0 {
return errors.New("empty challenges map in the Policy Authority config is not allowed")
}
for name := range pc.Challenges {
if !core.ValidChallenge(name) {
return fmt.Errorf("Invalid challenge in PA config: %s", name)
}
}
return nil
}
// KeyConfig should contain either a File path to a PEM-format private key,
// or a PKCS11Config defining how to load a module for an HSM.
type KeyConfig struct {
// A file from which a pkcs11key.Config will be read and parsed, if present
ConfigFile string
File string
PKCS11 *pkcs11key.Config
}
// TLSConfig reprents certificates and a key for authenticated TLS.
type TLSConfig struct {
CertFile *string
KeyFile *string
CACertFile *string
}
// RPCServerConfig contains configuration particular to a specific RPC server
// type (e.g. RA, SA, etc)
type RPCServerConfig struct {
Server string // Queue name where the server receives requests
RPCTimeout ConfigDuration
}
// OCSPUpdaterConfig provides the various window tick times and batch sizes needed
// for the OCSP (and SCT) updater
type OCSPUpdaterConfig struct {
ServiceConfig
DBConfig
NewCertificateWindow ConfigDuration
OldOCSPWindow ConfigDuration
MissingSCTWindow ConfigDuration
RevokedCertificateWindow ConfigDuration
NewCertificateBatchSize int
OldOCSPBatchSize int
MissingSCTBatchSize int
RevokedCertificateBatchSize int
OCSPMinTimeToExpiry ConfigDuration
OldestIssuedSCT ConfigDuration
AkamaiBaseURL string
AkamaiClientToken string
AkamaiClientSecret string
AkamaiAccessToken string
AkamaiPurgeRetries int
AkamaiPurgeRetryBackoff ConfigDuration
SignFailureBackoffFactor float64
SignFailureBackoffMax ConfigDuration
}
// GoogleSafeBrowsingConfig is the JSON config struct for the VA's use of the
// Google Safe Browsing API.
type GoogleSafeBrowsingConfig struct {
APIKey string
DataDir string
}
// SyslogConfig defines the config for syslogging.
type SyslogConfig struct {
Network string
Server string
StdoutLevel *int
}
// StatsdConfig defines the config for Statsd.
type StatsdConfig struct {
Server string
Prefix string
}
// ConfigDuration is just an alias for time.Duration that allows
// serialization to YAML as well as JSON.
type ConfigDuration struct {
time.Duration
}
// ErrDurationMustBeString is returned when a non-string value is
// presented to be deserialized as a ConfigDuration
var ErrDurationMustBeString = errors.New("cannot JSON unmarshal something other than a string into a ConfigDuration")
// UnmarshalJSON parses a string into a ConfigDuration using
// time.ParseDuration. If the input does not unmarshal as a
// string, then UnmarshalJSON returns ErrDurationMustBeString.
func (d *ConfigDuration) UnmarshalJSON(b []byte) error {
s := ""
err := json.Unmarshal(b, &s)
if err != nil {
if _, ok := err.(*json.UnmarshalTypeError); ok {
return ErrDurationMustBeString
}
return err
}
dd, err := time.ParseDuration(s)
d.Duration = dd
return err
}
// MarshalJSON returns the string form of the duration, as a byte array.
func (d ConfigDuration) MarshalJSON() ([]byte, error) {
return []byte(d.Duration.String()), nil
}
// UnmarshalYAML uses the same frmat as JSON, but is called by the YAML
// parser (vs. the JSON parser).
func (d *ConfigDuration) UnmarshalYAML(unmarshal func(interface{}) error) error {
var s string
if err := unmarshal(&s); err != nil {
return err
}
dur, err := time.ParseDuration(s)
if err != nil {
return err
}
d.Duration = dur
return nil
}
// LogDescription contains the information needed to submit certificates
// to a CT log and verify returned receipts
type LogDescription struct {
URI string
Key string
}