From b9f238ad4de8f7b4a3d66d0161ee35fc56f0d684 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Mon, 24 Oct 2022 22:37:57 +0200
Subject: [PATCH] Add additional ACME `meta` properties to provisioner configuration
---
 acme/api/handler.go | 39 +++++++++++++++++++++++++++++------
 authority/provisioner/acme.go | 11 ++++++++++
 2 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/acme/api/handler.go b/acme/api/handler.go
index 5a41e4d9..d482f869 100644
--- a/acme/api/handler.go
+++ b/acme/api/handler.go
@@ -234,15 +234,42 @@ func GetDirectory(w http.ResponseWriter, r *http.Request) {
 NewOrder: linker.GetLink(ctx, acme.NewOrderLinkType),
 RevokeCert: linker.GetLink(ctx, acme.RevokeCertLinkType),
 KeyChange: linker.GetLink(ctx, acme.KeyChangeLinkType),
+ Meta: createMetaObject(acmeProv),
 }
- // Only add the ACME `meta` object when one (or more) of its
- // properties is set.
- if acmeProv.RequireEAB {
- directory.Meta = &Meta{
- ExternalAccountRequired: acmeProv.RequireEAB,
+
+ render.JSON(w, directory)
+}
+
+// createMetaObject creates a Meta object if the ACME provisioner
+// has one or more properties that are written in the ACME directory output.
+// It returns nil if none of the properties are set.
+func createMetaObject(p *provisioner.ACME) *Meta {
+ if shouldAddMetaObject(p) {
+ return &Meta{
+ TermsOfService: p.TermsOfService,
+ Website: p.Website,
+ CaaIdentities: p.CaaIdentities,
+ ExternalAccountRequired: p.RequireEAB,
 }
 }
- render.JSON(w, directory)
+ return nil
+}
+
+// shouldAddMetaObject returns whether or not the ACME provisioner
+// has properties configured that must be added to the ACME directory object.
+func shouldAddMetaObject(p *provisioner.ACME) bool {
+ switch {
+ case p.TermsOfService != "":
+ return true
+ case p.Website != "":
+ return true
+ case len(p.CaaIdentities) > 0 && p.CaaIdentities[0] != "":
+ return true
+ case p.RequireEAB:
+ return true
+ default:
+ return false
+ }
 }
 
 // NotImplemented returns a 501 and is generally a placeholder for functionality which
diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go
index 67a24919..688a3532 100644
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
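Review bot: In `shouldAddMetaObject` the CAA case only inspects `p.CaaIdentities[0]`, so a list whose first entry is empty but a later one is set (constructed example: `["", "ca.example"]`) suppresses the whole `meta` object, while `["ca.example", ""]` passes the check and `createMetaObject` then publishes the empty string to every client as an issuer identity. Either reject empty entries when the provisioner is loaded (its Init is not in this hunk, so I cannot see whether it validates these fields) and reduce the arm to `case len(p.CaaIdentities) > 0:`, or scan every entry in the handler rather than just the first. The four `return true` arms also read as a switch standing in for a single expression; once empty entries are filtered at load time, `return p.TermsOfService != "" || p.Website != "" || len(p.CaaIdentities) > 0 || p.RequireEAB` states the intent in one line. `GetDirectory` begins before this hunk.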
@@ -84,6 +84,17 @@ type ACME struct {
 Type string `json:"type"`
 Name string `json:"name"`
 ForceCN bool `json:"forceCN,omitempty"`
+ // TermsOfService contains a URL pointing to the ACME server's
+ // terms of service. Defaults to empty.
+ TermsOfService string `json:"termsOfService,omitempty"`
+ // Website contains an URL pointing to more information about
+ // the ACME server. Defaults to empty.
+ Website string `json:"website,omitempty"`
+ // CaaIdentities is an array of hostnames that the ACME server
+ // identifies itself with. These hostnames can be used by ACME
+ // clients to determine the correct issuer domain name to use
+ // when configuring CAA records. Defaults to empty array.
+ CaaIdentities []string `json:"caaIdentities,omitempty"`
 // RequireEAB makes the provisioner require ACME EAB to be provided
 // by clients when creating a new Account. If set to true, the provided
 // EAB will be verified. If set to false and an EAB is provided, it is
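Review bot: The comments on the three new fields state their defaults but not that the values are served unchanged and without authentication to every ACME client in the directory `meta` object, nor the shape they are expected to have (URLs for `TermsOfService` and `Website`, hostnames for `CaaIdentities`); nothing in this hunk validates them, and the provisioner's Init is outside the hunk so I cannot tell whether it does. I would add to each field comment a sentence such as `// Published unchanged in the ACME directory's meta object.` and have Init reject malformed URLs and empty hostname entries so the handler that emits them does not have to. Minor wording in the Website comment: `an URL` should read `a URL`. `type ACME struct` begins before this hunk and continues after it.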