Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-03-21 09:10:25 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

caddytls: Avoid default issuers for implicit tailscale policies (#7577)
Some checks failed
Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Waiting to run
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Waiting to run
Details
Lint / lint (macos-14, mac) (push) Waiting to run
Details
Lint / lint (windows-latest, windows) (push) Waiting to run
Details
Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 1m37s
Details
Tests / test (s390x on IBM Z) (push) Has been skipped
Details
Tests / goreleaser-check (push) Has been skipped
Details
Cross-Build / build (~1.26.0, 1.26, aix) (push) Successful in 1m29s
Details
Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 1m28s
Details
Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 1m23s
Details
Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 1m26s
Details
Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 1m24s
Details
Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 1m25s
Details
Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 1m25s
Details
Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 1m23s
Details
Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 1m34s
Details
Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 1m28s
Details
Lint / lint (ubuntu-latest, linux) (push) Successful in 2m22s
Details
Lint / govulncheck (push) Successful in 1m43s
Details
Lint / dependency-review (push) Failing after 59s
Details
OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 36s
Details

Browse Source
This commit is contained in:
Tao 2026-03-21 01:36:03 +10:00 committed by GitHub
parent df65455b1f
commit 5d189aff40
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 61 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
modules/caddytls/automation.go
View File

@ -235,7 +235,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
}
issuers := ap.Issuers
if len(issuers) == 0 {
if len(issuers) == 0 && !ap.implicitTailscaleManagersOnly() {
var err error
issuers, err = DefaultIssuersProvisioned(tlsApp.ctx)
if err != nil {
@ -429,6 +429,29 @@ func (ap *AutomationPolicy) AllInternalSubjects() bool {
})
}
// implicitTailscaleManagersOnly returns true if this policy is configured to
// serve only Tailscale names from the Tailscale manager at handshake-time.
func (ap *AutomationPolicy) implicitTailscaleManagersOnly() bool {
if len(ap.subjects) == 0 {
return false
}
for _, subject := range ap.subjects {
if !strings.HasSuffix(strings.ToLower(subject), tailscaleDomainAliasEnding) {
return false
}
}
for _, manager := range ap.Managers {
switch manager.(type) {
case Tailscale, *Tailscale:
return true
}
}
return false
}
func (ap *AutomationPolicy) onlyInternalIssuer() bool {
if len(ap.Issuers) != 1 {
return false

37
modules/caddytls/automation_test.go Normal file
View File

@ -0,0 +1,37 @@
package caddytls
import (
"testing"
"github.com/caddyserver/certmagic"
"go.uber.org/zap"
)
func TestAutomationPolicyMakeCertMagicConfigImplicitTailscaleManagersOnly(t *testing.T) {
ap := AutomationPolicy{
Managers: []certmagic.Manager{Tailscale{}},
subjects: []string{"test-node.example.ts.net"},
}
cfg, err := ap.makeCertMagicConfig(&TLS{
logger: zap.NewNop(),
}, nil, &certmagic.FileStorage{Path: t.TempDir()})
if err != nil {
t.Fatalf("making certmagic config: %v", err)
}
if cfg.OnDemand == nil {
t.Fatal("expected on-demand config to be set")
}
if len(cfg.Issuers) != 0 {
t.Fatalf("expected no issuers for tailscale-managed ts.net policy, got %d", len(cfg.Issuers))
}
}
func TestAutomationPolicyImplicitTailscaleManagersOnlyCatchAll(t *testing.T) {
ap := AutomationPolicy{
Managers: []certmagic.Manager{Tailscale{}},
}
if ap.implicitTailscaleManagersOnly() {
t.Fatal("expected catch-all manager policy to remain outside tailscale-only special case")
}
}