cmd

package
v0.0.0-...-4dde762 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 26, 2016 License: MPL-2.0 Imports: 27 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var ErrDurationMustBeString = errors.New("cannot JSON unmarshal something other than a string into a ConfigDuration")

ErrDurationMustBeString is returned when a non-string value is presented to be deserialized as a ConfigDuration

Functions

func Clock

func Clock() clock.Clock

Clock functions similarly to clock.Default(), but the returned value can be changed using the FAKECLOCK environment variable if the 'integration' build flag is set.

This function returns the default Clock.

func DebugServer

func DebugServer(addr string)

DebugServer starts a server to receive debug information. Typical usage is to start it in a goroutine, configured with an address from the appropriate configuration object:

go cmd.DebugServer(c.XA.DebugAddr)

func FailOnError

func FailOnError(err error, msg string)

FailOnError exits and prints an error message if we encountered a problem

func LoadCert

func LoadCert(path string) (cert []byte, err error)

LoadCert loads a PEM-formatted certificate from the provided path, returning it as a byte array, or an error if it couldn't be decoded.

func ProfileCmd

func ProfileCmd(profileName string, stats statsd.Statter)

ProfileCmd runs forever, sending Go runtime statistics to StatsD.

func StatsAndLogging

func StatsAndLogging(statConf StatsdConfig, logConf SyslogConfig) (statsd.Statter, *blog.AuditLogger)

StatsAndLogging constructs a Statter and an AuditLogger based on its config parameters, and return them both. Crashes if any setup fails. Also sets the constructed AuditLogger as the default logger.

func Version

func Version() string

Version returns a string representing the version of boulder running.

Types

type AMQPConfig

type AMQPConfig struct {
	// A file from which the AMQP Server URL will be read. This allows secret
	// values (like the password) to be stored separately from the main config.
	ServerURLFile string
	// AMQP server URL, including username and password.
	Server    string
	Insecure  bool
	RA        *RPCServerConfig
	VA        *RPCServerConfig
	SA        *RPCServerConfig
	CA        *RPCServerConfig
	Publisher *RPCServerConfig
	TLS       *TLSConfig
	// Queue name on which to listen, if this is an RPC service (vs acting only as
	// an RPC client).
	ServiceQueue      string
	ReconnectTimeouts struct {
		Base ConfigDuration
		Max  ConfigDuration
	}
}

AMQPConfig describes how to connect to AMQP, and how to speak to each of the RPC services we offer via AMQP.

func (*AMQPConfig) ServerURL

func (a *AMQPConfig) ServerURL() (string, error)

ServerURL returns the appropriate server URL for this object, which may involve reading from a file.

type AllowedSigningAlgos

type AllowedSigningAlgos struct {
	RSA           bool
	ECDSANISTP256 bool
	ECDSANISTP384 bool
	ECDSANISTP521 bool
}

AllowedSigningAlgos defines which algorithms be used for keys that we will sign.

type AppShell

type AppShell struct {
	Action func(Config, statsd.Statter, *blog.AuditLogger)
	Config func(*cli.Context, Config) Config
	App    *cli.App
}

AppShell contains CLI Metadata

func NewAppShell

func NewAppShell(name, usage string) (shell *AppShell)

NewAppShell creates a basic AppShell object containing CLI metadata

func (*AppShell) Run

func (as *AppShell) Run()

Run begins the application context, reading config and passing control to the default commandline action.

func (*AppShell) VersionString

func (as *AppShell) VersionString() string

VersionString produces a friendly Application version string

type CAConfig

type CAConfig struct {
	ServiceConfig
	DBConfig
	HostnamePolicyConfig

	RSAProfile   string
	ECDSAProfile string
	TestMode     bool
	SerialPrefix int
	// TODO(jsha): Remove Key field once we've migrated to Issuers
	Key *IssuerConfig
	// Issuers contains configuration information for each issuer cert and key
	// this CA knows about. The first in the list is used as the default.
	Issuers []IssuerConfig
	// LifespanOCSP is how long OCSP responses are valid for; It should be longer
	// than the minTimeToExpiry field for the OCSP Updater.
	LifespanOCSP ConfigDuration
	// How long issued certificates are valid for, should match expiry field
	// in cfssl config.
	Expiry string
	// The maximum number of subjectAltNames in a single certificate
	MaxNames int
	CFSSL    cfsslConfig.Config

	MaxConcurrentRPCServerRequests int64

	// DoNotForceCN is a temporary config setting. It controls whether
	// to add a certificate's serial to its Subject, and whether to
	// not pull a SAN entry to be the CN if no CN was given in a CSR.
	DoNotForceCN bool

	// EnableMustStaple governs whether the Must Staple extension in CSRs
	// triggers issuance of certificates with Must Staple.
	EnableMustStaple bool
}

CAConfig structs have configuration information for the certificate authority, including database parameters as well as controls for issued certificates.

type Config

type Config struct {
	ActivityMonitor struct {
		ServiceConfig
	}

	// Default AMQPConfig for services that don't specify one.
	// TODO(jsha): Delete this after a deploy.
	AMQP *AMQPConfig

	WFE struct {
		ServiceConfig
		BaseURL       string
		ListenAddress string

		AllowOrigins []string

		CertCacheDuration           string
		CertNoCacheExpirationWindow string
		IndexCacheDuration          string
		IssuerCacheDuration         string

		ShutdownStopTimeout string
		ShutdownKillTimeout string
	}

	CA CAConfig

	RA struct {
		ServiceConfig
		HostnamePolicyConfig

		RateLimitPoliciesFilename string

		MaxConcurrentRPCServerRequests int64

		MaxContactsPerRegistration int

		// UseIsSafeDomain determines whether to call VA.IsSafeDomain
		UseIsSafeDomain bool // TODO(jmhodges): remove after va IsSafeDomain deploy

		// UseNewVARPC determines whether to call VA.PerformValidation
		UseNewVARPC bool

		// The number of times to try a DNS query (that has a temporary error)
		// before giving up. May be short-circuited by deadlines. A zero value
		// will be turned into 1.
		DNSTries int
	}

	SA struct {
		ServiceConfig
		DBConfig

		MaxConcurrentRPCServerRequests int64
	}

	VA struct {
		ServiceConfig

		UserAgent string

		IssuerDomain string

		PortConfig va.PortConfig

		MaxConcurrentRPCServerRequests int64

		GoogleSafeBrowsing *GoogleSafeBrowsingConfig

		// The number of times to try a DNS query (that has a temporary error)
		// before giving up. May be short-circuited by deadlines. A zero value
		// will be turned into 1.
		DNSTries int
	}

	SQL struct {
		SQLDebug bool
	}

	Statsd StatsdConfig

	Syslog SyslogConfig

	Revoker struct {
		DBConfig
		// The revoker isn't a long running service, so doesn't get a full
		// ServiceConfig, just an AMQPConfig.
		AMQP *AMQPConfig
	}

	Mailer struct {
		ServiceConfig
		DBConfig
		PasswordConfig

		Server   string
		Port     string
		Username string
		From     string
		Subject  string

		CertLimit int
		NagTimes  []string
		// How much earlier (than configured nag intervals) to
		// send reminders, to account for the expected delay
		// before the next expiration-mailer invocation.
		NagCheckInterval string
		// Path to a text/template email template
		EmailTemplate string
	}

	OCSPResponder struct {
		ServiceConfig
		DBConfig

		// Source indicates the source of pre-signed OCSP responses to be used. It
		// can be a DBConnect string or a file URL. The file URL style is used
		// when responding from a static file for intermediates and roots.
		// If DBConfig has non-empty fields, it takes precedence over this.
		Source string

		Path          string
		ListenAddress string
		// MaxAge is the max-age to set in the Cache-Control response
		// header. It is a time.Duration formatted string.
		MaxAge ConfigDuration

		ShutdownStopTimeout string
		ShutdownKillTimeout string
	}

	OCSPUpdater OCSPUpdaterConfig

	Publisher struct {
		ServiceConfig
		SubmissionTimeout              ConfigDuration
		MaxConcurrentRPCServerRequests int64
	}

	ExternalCertImporter struct {
		CertsToImportCSVFilename   string
		DomainsToImportCSVFilename string
		CertsToRemoveCSVFilename   string
		StatsdRate                 float32
	}

	PA PAConfig

	Common struct {
		BaseURL string
		// Path to a PEM-encoded copy of the issuer certificate.
		IssuerCert string

		DNSResolver               string
		DNSTimeout                string
		DNSAllowLoopbackAddresses bool

		CT struct {
			Logs                       []LogDescription
			IntermediateBundleFilename string
		}
	}

	CertChecker struct {
		DBConfig

		Workers             int
		ReportDirectoryPath string
	}
	AllowedSigningAlgos *AllowedSigningAlgos

	SubscriberAgreementURL string
}

Config stores configuration parameters that applications will need. For simplicity, we just lump them all into one struct, and use encoding/json to read it from a file.

Note: NO DEFAULTS are provided.

func (*Config) KeyPolicy

func (config *Config) KeyPolicy() core.KeyPolicy

KeyPolicy returns a KeyPolicy reflecting the Boulder configuration.

type ConfigDuration

type ConfigDuration struct {
	time.Duration
}

ConfigDuration is just an alias for time.Duration that allows serialization to YAML as well as JSON.

func (ConfigDuration) MarshalJSON

func (d ConfigDuration) MarshalJSON() ([]byte, error)

MarshalJSON returns the string form of the duration, as a byte array.

func (*ConfigDuration) UnmarshalJSON

func (d *ConfigDuration) UnmarshalJSON(b []byte) error

UnmarshalJSON parses a string into a ConfigDuration using time.ParseDuration. If the input does not unmarshal as a string, then UnmarshalJSON returns ErrDurationMustBeString.

func (*ConfigDuration) UnmarshalYAML

func (d *ConfigDuration) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML uses the same frmat as JSON, but is called by the YAML parser (vs. the JSON parser).

type DBConfig

type DBConfig struct {
	DBConnect string
	// A file containing a connect URL for the DB.
	DBConnectFile string
}

DBConfig defines how to connect to a database. The connect string may be stored in a file separate from the config, because it can contain a password, which we want to keep out of configs.

func (*DBConfig) URL

func (d *DBConfig) URL() (string, error)

URL returns the DBConnect URL represented by this DBConfig object, either loading it from disk or returning a default value.

type GoogleSafeBrowsingConfig

type GoogleSafeBrowsingConfig struct {
	APIKey  string
	DataDir string
}

GoogleSafeBrowsingConfig is the JSON config struct for the VA's use of the Google Safe Browsing API.

type HostnamePolicyConfig

type HostnamePolicyConfig struct {
	HostnamePolicyFile string
}

HostnamePolicyConfig specifies a file from which to load a policy regarding what hostnames to issue for.

type IssuerConfig

type IssuerConfig struct {
	// A file from which a pkcs11key.Config will be read and parsed, if present
	ConfigFile string
	File       string
	PKCS11     *pkcs11key.Config
	CertFile   string
}

IssuerConfig contains info about an issuer: private key and issuer cert. It should contain either a File path to a PEM-format private key, or a PKCS11Config defining how to load a module for an HSM.

type LogDescription

type LogDescription struct {
	URI string
	Key string
}

LogDescription contains the information needed to submit certificates to a CT log and verify returned receipts

type OCSPUpdaterConfig

type OCSPUpdaterConfig struct {
	ServiceConfig
	DBConfig

	NewCertificateWindow     ConfigDuration
	OldOCSPWindow            ConfigDuration
	MissingSCTWindow         ConfigDuration
	RevokedCertificateWindow ConfigDuration

	NewCertificateBatchSize     int
	OldOCSPBatchSize            int
	MissingSCTBatchSize         int
	RevokedCertificateBatchSize int

	OCSPMinTimeToExpiry ConfigDuration
	OldestIssuedSCT     ConfigDuration

	AkamaiBaseURL           string
	AkamaiClientToken       string
	AkamaiClientSecret      string
	AkamaiAccessToken       string
	AkamaiPurgeRetries      int
	AkamaiPurgeRetryBackoff ConfigDuration

	SignFailureBackoffFactor float64
	SignFailureBackoffMax    ConfigDuration
}

OCSPUpdaterConfig provides the various window tick times and batch sizes needed for the OCSP (and SCT) updater

type PAConfig

type PAConfig struct {
	DBConfig
	EnforcePolicyWhitelist bool
	Challenges             map[string]bool
}

PAConfig specifies how a policy authority should connect to its database, what policies it should enforce, and what challenges it should offer.

func (PAConfig) CheckChallenges

func (pc PAConfig) CheckChallenges() error

CheckChallenges checks whether the list of challenges in the PA config actually contains valid challenge names

type PasswordConfig

type PasswordConfig struct {
	Password     string
	PasswordFile string
}

PasswordConfig either contains a password or the path to a file containing a password

func (*PasswordConfig) Pass

func (pc *PasswordConfig) Pass() (string, error)

Pass returns a password, either directly from the configuration struct or by reading from a specified file

type RPCServerConfig

type RPCServerConfig struct {
	Server     string // Queue name where the server receives requests
	RPCTimeout ConfigDuration
}

RPCServerConfig contains configuration particular to a specific RPC server type (e.g. RA, SA, etc)

type RateLimitConfig

type RateLimitConfig struct {
	// Total number of certificates that can be extant at any given time.
	// The 2160h window, 90 days, is chosen to match certificate lifetime, since the
	// main capacity factor is how many OCSP requests we can sign with available
	// hardware.
	TotalCertificates RateLimitPolicy `yaml:"totalCertificates"`
	// Number of certificates that can be extant containing any given name.
	// These are counted by "base domain" aka eTLD+1, so any entries in the
	// overrides section must be an eTLD+1 according to the publicsuffix package.
	CertificatesPerName RateLimitPolicy `yaml:"certificatesPerName"`
	// Number of registrations that can be created per IP.
	// Note: Since this is checked before a registration is created, setting a
	// RegistrationOverride on it has no effect.
	RegistrationsPerIP RateLimitPolicy `yaml:"registrationsPerIP"`
	// Number of pending authorizations that can exist per account. Overrides by
	// key are not applied, but overrides by registration are.
	PendingAuthorizationsPerAccount RateLimitPolicy `yaml:"pendingAuthorizationsPerAccount"`
	// Number of certificates that can be extant containing a specific set
	// of DNS names.
	CertificatesPerFQDNSet RateLimitPolicy `yaml:"certificatesPerFQDNSet"`
}

RateLimitConfig contains all application layer rate limiting policies

func LoadRateLimitPolicies

func LoadRateLimitPolicies(filename string) (RateLimitConfig, error)

LoadRateLimitPolicies loads various rate limiting policies from a YAML configuration file

type RateLimitPolicy

type RateLimitPolicy struct {
	// How long to count items for
	Window ConfigDuration `yaml:"window"`
	// The max number of items that can be present before triggering the rate
	// limit. Zero means "no limit."
	Threshold int `yaml:"threshold"`
	// A per-key override setting different limits than the default (higher or lower).
	// The key is defined on a per-limit basis and should match the key it counts on.
	// For instance, a rate limit on the number of certificates per name uses name as
	// a key, while a rate limit on the number of registrations per IP subnet would
	// use subnet as a key.
	// Note that a zero entry in the overrides map does not mean "not limit," it
	// means a limit of zero.
	Overrides map[string]int `yaml:"overrides"`
	// A per-registration override setting. This can be used, e.g. if there are
	// hosting providers that we would like to grant a higher rate of issuance
	// than the default. If both key-based and registration-based overrides are
	// available, the registration-based on takes priority.
	RegistrationOverrides map[int64]int `yaml:"registrationOverrides"`
}

RateLimitPolicy describes a general limiting policy

func (*RateLimitPolicy) Enabled

func (rlp *RateLimitPolicy) Enabled() bool

Enabled returns true iff the RateLimitPolicy is enabled.

func (*RateLimitPolicy) GetThreshold

func (rlp *RateLimitPolicy) GetThreshold(key string, regID int64) int

GetThreshold returns the threshold for this rate limit, taking into account any overrides for `key`.

func (*RateLimitPolicy) WindowBegin

func (rlp *RateLimitPolicy) WindowBegin(windowEnd time.Time) time.Time

WindowBegin returns the time that a RateLimitPolicy's window begins, given a particular end time (typically the current time).

type ServiceConfig

type ServiceConfig struct {
	// DebugAddr is the address to run the /debug handlers on.
	DebugAddr string
	AMQP      *AMQPConfig
}

ServiceConfig contains config items that are common to all our services, to be embedded in other config structs.

type StatsdConfig

type StatsdConfig struct {
	Server string
	Prefix string
}

StatsdConfig defines the config for Statsd.

type SyslogConfig

type SyslogConfig struct {
	Network     string
	Server      string
	StdoutLevel *int
}

SyslogConfig defines the config for syslogging.

type TLSConfig

type TLSConfig struct {
	CertFile   *string
	KeyFile    *string
	CACertFile *string
}

TLSConfig reprents certificates and a key for authenticated TLS.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL