diff --git a/install b/install
index 6d1e5d9..a372f36 100755
--- a/install
+++ b/install
@@ -147,8 +147,8 @@ clone_repo() {
 
 if [ "$branch" != "" ]; then
 cd "$dir"
- sudo -u labca git checkout $branch
- cd -
+ sudo -u labca git checkout $branch &>>$installLog
+ cd - >/dev/null
 fi
 }
 
@@ -166,8 +166,8 @@ pull_repo() {
 
 if [ "$branch" != "" ]; then
 cd "$dir"
- sudo -u labca git checkout $branch
- cd -
+ sudo -u labca git checkout $branch &>>$installLog
+ cd - >/dev/null
 fi
 }
 
diff --git a/policy_pa.patch b/policy_pa.patch
index 65776ff..a9d0fb7 100644
--- a/policy_pa.patch
+++ b/policy_pa.patch
@@ -1,89 +1,89 @@
 diff --git a/policy/pa.go b/policy/pa.go -index 3d097365..ce3c32e3 100644 +index 3d097365..53cf6020 100644 --- a/policy/pa.go +++ b/policy/pa.go @@ -30,6 +30,8 @@ type AuthorityImpl struct { - blocklist map[string]bool - exactBlocklist map[string]bool - wildcardExactBlocklist map[string]bool -+ whitelist map[string]bool -+ lockdown map[string]bool - blocklistMu sync.RWMutex - - enabledChallenges map[string]bool + blocklist map[string]bool + exactBlocklist map[string]bool + wildcardExactBlocklist map[string]bool ++ whitelist map[string]bool ++ lockdown map[string]bool + blocklistMu sync.RWMutex + + enabledChallenges map[string]bool @@ -70,6 +72,9 @@ type blockedNamesPolicy struct { - // time above and beyond the high-risk domains. Managing these entries separately - // from HighRiskBlockedNames makes it easier to vet changes accurately. - AdminBlockedNames []string `yaml:"AdminBlockedNames"` + // time above and beyond the high-risk domains. Managing these entries separately + // from HighRiskBlockedNames makes it easier to vet changes accurately. + AdminBlockedNames []string `yaml:"AdminBlockedNames"` + -+ Whitelist []string `yaml:"Whitelist"` -+ Lockdown []string `yaml:"Lockdown"` ++ Whitelist []string `yaml:"Whitelist"` ++ Lockdown []string `yaml:"Lockdown"` } - + // SetHostnamePolicyFile will load the given policy file, returning error if it 
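Review bot: The new redirect `&>>$installLog` in the clone_repo hunk leaves the log path unquoted, so a value containing whitespace (or an unset variable) makes bash report an ambiguous redirect instead of running the checkout; the pull_repo hunk below has the same line. Because the checkout's stderr is now diverted into the log, a failing `git checkout` (unknown branch, dirty worktree) is no longer visible to the operator, and nothing in either hunk tests its exit status, so unless `set -e` is active somewhere outside these hunks the install silently continues on the wrong revision. Suggested line for both hunks: `sudo -u labca git checkout "$branch" &>>"$installLog" || { echo "git checkout $branch failed, see $installLog" >&2; exit 1; }`. Note that `&>>` is a bash extension, which is only safe if the script's shebang (outside the hunk) selects bash rather than sh. The bodies of clone_repo and pull_repo begin outside the hunks.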
@@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error - // wildcardNameMap to block issuance for `*.`+parts[1] - wildcardNameMap[parts[1]] = true - } -+ whiteMap := make(map[string]bool) -+ for _, v := range policy.Whitelist { -+ whiteMap[v] = true -+ } -+ lockMap := make(map[string]bool) -+ for _, v := range policy.Lockdown { -+ lockMap[v] = true -+ } - pa.blocklistMu.Lock() - pa.blocklist = nameMap - pa.exactBlocklist = exactNameMap - pa.wildcardExactBlocklist = wildcardNameMap -+ pa.whitelist = whiteMap -+ pa.lockdown = lockMap - pa.blocklistMu.Unlock() - return nil + // wildcardNameMap to block issuance for `*.`+parts[1] + wildcardNameMap[parts[1]] = true + } ++ whiteMap := make(map[string]bool) ++ for _, v := range policy.Whitelist { ++ whiteMap[v] = true ++ } ++ lockMap := make(map[string]bool) ++ for _, v := range policy.Lockdown { ++ lockMap[v] = true ++ } + pa.blocklistMu.Lock() + pa.blocklist = nameMap + pa.exactBlocklist = exactNameMap + pa.wildcardExactBlocklist = wildcardNameMap ++ pa.whitelist = whiteMap ++ pa.lockdown = lockMap + pa.blocklistMu.Unlock() + return nil } @@ -287,6 +302,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { - } - } - -+ ok, err := pa.checkWhitelist(domain) -+ if err != nil { -+ return err -+ } -+ if ok { -+ return nil -+ } + } + } + ++ ok, err := pa.checkWhitelist(domain) ++ if err != nil { ++ return err ++ } ++ if ok { ++ return nil ++ } + - // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. - icannTLD, err := iana.ExtractSuffix(domain) - if err != nil { + // Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD. + icannTLD, err := iana.ExtractSuffix(domain) + if err != nil { 
@@ -304,6 +327,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error { - return nil + return nil } - -+func (pa *AuthorityImpl) checkWhitelist(domain string) (bool,error) { -+ pa.blocklistMu.RLock() -+ defer pa.blocklistMu.RUnlock() + ++func (pa *AuthorityImpl) checkWhitelist(domain string) (bool, error) { ++ pa.blocklistMu.RLock() ++ defer pa.blocklistMu.RUnlock() + -+ if (pa.whitelist == nil) || (pa.lockdown == nil) { -+ return false, fmt.Errorf("Hostname policy not yet loaded.") -+ } ++ if (pa.whitelist == nil) || (pa.lockdown == nil) { ++ return false, fmt.Errorf("Hostname policy not yet loaded.") ++ } + -+ labels := strings.Split(domain, ".") -+ for i := range labels { -+ joined := strings.Join(labels[i:], ".") -+ if pa.whitelist[joined] || pa.lockdown[joined] { -+ return true, nil -+ } -+ } ++ labels := strings.Split(domain, ".") ++ for i := range labels { ++ joined := strings.Join(labels[i:], ".") ++ if pa.whitelist[joined] || pa.lockdown[joined] { ++ return true, nil ++ } ++ } + -+ if len(pa.lockdown) > 0 { -+ // In Lockdown mode, the domain MUST be in the list, so return an error if not found -+ return false, errPolicyForbidden -+ } else { -+ // In Whitelist mode, if the domain is not in the list, continue with the other checks -+ return false, nil -+ } ++ if len(pa.lockdown) > 0 { ++ // In Lockdown mode, the domain MUST be in the list, so return an error if not found ++ return false, errPolicyForbidden ++ } else { ++ // In Whitelist mode, if the domain is not in the list, continue with the other checks ++ return false, nil ++ } +} + // WillingToIssueWildcards is an extension of WillingToIssue that accepts DNS