features

package
v0.30.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 20, 2023 License: Apache-2.0, Apache-2.0, MPL-2.0 Imports: 4 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Enabled 

func Enabled(n FeatureFlag) bool

Enabled returns true if the feature is enabled or false if it isn't, it will panic if passed a feature that it doesn't know.

func Reset 

func Reset()

Reset resets the features to their initial state

func Set 

func Set(featureSet map[string]bool) error

Set accepts a list of features and whether they should be enabled or disabled. In the presence of unrecognized flags, it will return an error or not depending on the value of AllowUnrecognizedFeatures.

Types

type FeatureFlag 

type FeatureFlag int
const (

	//   Deprecated features, these can be removed once stripped from production configs
	PrecertificateRevocation FeatureFlag
	StripDefaultSchemePort
	NonCFSSLSigner
	StoreIssuerInfo
	StreamlineOrderAndAuthzs
	V1DisableNewValidations
	ExpirationMailerDontLookTwice
	OldTLSInbound
	OldTLSOutbound
	ROCSPStage1
	ROCSPStage2
	ROCSPStage3

	//   Currently in-use features
	// Check CAA and respect validationmethods parameter.
	CAAValidationMethods
	// Check CAA and respect accounturi parameter.
	CAAAccountURI
	// EnforceMultiVA causes the VA to block on remote VA PerformValidation
	// requests in order to make a valid/invalid decision with the results.
	EnforceMultiVA
	// MultiVAFullResults will cause the main VA to wait for all of the remote VA
	// results, not just the threshold required to make a decision.
	MultiVAFullResults
	// MandatoryPOSTAsGET forbids legacy unauthenticated GET requests for ACME
	// resources.
	MandatoryPOSTAsGET
	// Allow creation of new registrations in ACMEv1.
	AllowV1Registration
	// StoreRevokerInfo enables storage of the revoker and a bool indicating if the row
	// was checked for extant unrevoked certificates in the blockedKeys table.
	StoreRevokerInfo
	// RestrictRSAKeySizes enables restriction of acceptable RSA public key moduli to
	// the common sizes (2048, 3072, and 4096 bits).
	RestrictRSAKeySizes
	// FasterNewOrdersRateLimit enables use of a separate table for counting the
	// new orders rate limit.
	FasterNewOrdersRateLimit
	// ECDSAForAll enables all accounts, regardless of their presence in the CA's
	// ecdsaAllowedAccounts config value, to get issuance from ECDSA issuers.
	ECDSAForAll
	// ServeRenewalInfo exposes the renewalInfo endpoint in the directory and for
	// GET requests. WARNING: This feature is a draft and highly unstable.
	ServeRenewalInfo
	// GetAuthzReadOnly causes the SA to use its read-only database connection
	// (which is generally pointed at a replica rather than the primary db) when
	// querying the authz2 table.
	GetAuthzReadOnly
	// GetAuthzUseIndex causes the SA to use to add a USE INDEX hint when it
	// queries the authz2 table.
	GetAuthzUseIndex
	// Check the failed authorization limit before doing authz reuse.
	CheckFailedAuthorizationsFirst
	// AllowReRevocation causes the RA to allow the revocation reason of an
	// already-revoked certificate to be updated to `keyCompromise` from any
	// other reason if that compromise is demonstrated by making the second
	// revocation request signed by the certificate keypair.
	AllowReRevocation
	// MozRevocationReasons causes the RA to enforce the following upcoming
	// Mozilla policies regarding revocation:
	// - A subscriber can request that their certificate be revoked with reason
	//   keyCompromise, even without demonstrating that compromise at the time.
	//   However, the cert's pubkey will not be added to the blocked keys list.
	// - When an applicant other than the original subscriber requests that a
	//   certificate be revoked (by demonstrating control over all names in it),
	//   the cert will be revoked with reason cessationOfOperation, regardless of
	//   what revocation reason they request.
	// - When anyone requests that a certificate be revoked by signing the request
	//   with the certificate's keypair, the cert will be revoked with reason
	//   keyCompromise, regardless of what revocation reason they request.
	MozRevocationReasons
	// SHA1CSRs controls whether the /acme/finalize endpoint rejects CSRs that
	// are self-signed using SHA1.
	SHA1CSRs
	// AllowUnrecognizedFeatures is internal to the features package: if true,
	// skip error when unrecognized feature flag names are passed.
	AllowUnrecognizedFeatures
	// RejectDuplicateCSRExtensions enables verification that submitted CSRs do
	// not contain duplicate extensions. This behavior will be on by default in
	// go1.19.
	RejectDuplicateCSRExtensions

	// ROCSPStage6 disables writing full OCSP Responses to MariaDB during
	// (pre)certificate issuance and during revocation. Because Stage 4 involved
	// disabling ocsp-updater, this means that no ocsp response bytes will be
	// written to the database anymore.
	ROCSPStage6
	// ROCSPStage7 disables generating OCSP responses during issuance and
	// revocation. This affects codepaths in both the RA (revocation) and the CA
	// (precert "birth certificates").
	ROCSPStage7
)

func (FeatureFlag) String 

func (i FeatureFlag) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.