From 4fa88308bbdb149484896d41aca51e01c56f4392 Mon Sep 17 00:00:00 2001 From: Andreas Kohn Date: Fri, 27 Oct 2023 17:24:49 +0200 Subject: [PATCH 1/2] Optionally pass the context argument down to the OnDemand decision func --- certmagic.go | 11 +++++++++++ handshake.go | 12 +++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/certmagic.go b/certmagic.go index 6bc33d58..27efe1ae 100644 --- a/certmagic.go +++ b/certmagic.go @@ -268,8 +268,19 @@ type OnDemandConfig struct { // whether a certificate can be obtained or renewed // for the given name. If an error is returned, the // request will be denied. + // If both this and DecisionContextFunc are set, only + // DecisionContextFunc will be used. + // Deprecated: Use DecisionContextFunc instead. DecisionFunc func(name string) error + // If set, this function will be called to determine + // whether a certificate can be obtained or renewed + // for the given name. If an error is returned, the + // request will be denied. + // If both this and DecisionContextFunc are set, only + // DecisionContextFunc will be used. + DecisionContextFunc func(ctx context.Context, name string) error + // Sources for getting new, unmanaged certificates. // They will be invoked only during TLS handshakes // before on-demand certificate management occurs, diff --git a/handshake.go b/handshake.go index 1e9928ba..8f80e970 100644 --- a/handshake.go +++ b/handshake.go @@ -313,7 +313,7 @@ func (cfg *Config) getCertDuringHandshake(ctx context.Context, hello *tls.Client // Make sure a certificate is allowed for the given name. If not, it doesn't // make sense to try loading one from storage (issue #185), getting it from a // certificate manager, or obtaining one from an issuer. - if err := cfg.checkIfCertShouldBeObtained(name, false); err != nil { + if err := cfg.checkIfCertShouldBeObtained(ctx, name, false); err != nil { return Certificate{}, fmt.Errorf("certificate is not allowed for server name %s: %v", name, err) } @@ -438,7 +438,7 @@ func (cfg *Config) optionalMaintenance(ctx context.Context, log *zap.Logger, cer // checkIfCertShouldBeObtained checks to see if an on-demand TLS certificate // should be obtained for a given domain based upon the config settings. If // a non-nil error is returned, do not issue a new certificate for name. -func (cfg *Config) checkIfCertShouldBeObtained(name string, requireOnDemand bool) error { +func (cfg *Config) checkIfCertShouldBeObtained(ctx context.Context, name string, requireOnDemand bool) error { if requireOnDemand && cfg.OnDemand == nil { return fmt.Errorf("not configured for on-demand certificate issuance") } @@ -446,6 +446,12 @@ func (cfg *Config) checkIfCertShouldBeObtained(name string, requireOnDemand bool return fmt.Errorf("subject name does not qualify for certificate: %s", name) } if cfg.OnDemand != nil { + if cfg.OnDemand.DecisionContextFunc != nil { + if err := cfg.OnDemand.DecisionContextFunc(ctx, name); err != nil { + return fmt.Errorf("decision func: %w", err) + } + return nil + } if cfg.OnDemand.DecisionFunc != nil { if err := cfg.OnDemand.DecisionFunc(name); err != nil { return fmt.Errorf("decision func: %w", err) @@ -685,7 +691,7 @@ func (cfg *Config) renewDynamicCertificate(ctx context.Context, hello *tls.Clien defer cancel() // Make sure a certificate for this name should be renewed on-demand - err := cfg.checkIfCertShouldBeObtained(name, true) + err := cfg.checkIfCertShouldBeObtained(ctx, name, true) if err != nil { // if not, remove from cache (it will be deleted from storage later) cfg.certCache.mu.Lock() From 8172724f7a7efa4f4562cbfbf708215cbded7949 Mon Sep 17 00:00:00 2001 From: Andreas Kohn Date: Fri, 27 Oct 2023 20:15:37 +0200 Subject: [PATCH 2/2] Remove the "compatibility shims" This "breaks" the API here, but the change should be trivially obvious to an implementor and it gives a lot less headache later. --- certmagic.go | 13 +------------ handshake.go | 8 +------- 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/certmagic.go b/certmagic.go index 27efe1ae..860f5e76 100644 --- a/certmagic.go +++ b/certmagic.go @@ -268,18 +268,7 @@ type OnDemandConfig struct { // whether a certificate can be obtained or renewed // for the given name. If an error is returned, the // request will be denied. - // If both this and DecisionContextFunc are set, only - // DecisionContextFunc will be used. - // Deprecated: Use DecisionContextFunc instead. - DecisionFunc func(name string) error - - // If set, this function will be called to determine - // whether a certificate can be obtained or renewed - // for the given name. If an error is returned, the - // request will be denied. - // If both this and DecisionContextFunc are set, only - // DecisionContextFunc will be used. - DecisionContextFunc func(ctx context.Context, name string) error + DecisionFunc func(ctx context.Context, name string) error // Sources for getting new, unmanaged certificates. // They will be invoked only during TLS handshakes diff --git a/handshake.go b/handshake.go index 8f80e970..a91d3ebb 100644 --- a/handshake.go +++ b/handshake.go @@ -446,14 +446,8 @@ func (cfg *Config) checkIfCertShouldBeObtained(ctx context.Context, name string, return fmt.Errorf("subject name does not qualify for certificate: %s", name) } if cfg.OnDemand != nil { - if cfg.OnDemand.DecisionContextFunc != nil { - if err := cfg.OnDemand.DecisionContextFunc(ctx, name); err != nil { - return fmt.Errorf("decision func: %w", err) - } - return nil - } if cfg.OnDemand.DecisionFunc != nil { - if err := cfg.OnDemand.DecisionFunc(name); err != nil { + if err := cfg.OnDemand.DecisionFunc(ctx, name); err != nil { return fmt.Errorf("decision func: %w", err) } return nil