summaryrefslogtreecommitdiff
path: root/vendor/github.com/letsencrypt/boulder/features/features.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/letsencrypt/boulder/features/features.go')
-rw-r--r--vendor/github.com/letsencrypt/boulder/features/features.go158
1 files changed, 158 insertions, 0 deletions
diff --git a/vendor/github.com/letsencrypt/boulder/features/features.go b/vendor/github.com/letsencrypt/boulder/features/features.go
new file mode 100644
index 000000000..4608d1d63
--- /dev/null
+++ b/vendor/github.com/letsencrypt/boulder/features/features.go
@@ -0,0 +1,158 @@
+//go:generate stringer -type=FeatureFlag
+
+package features
+
+import (
+ "fmt"
+ "sync"
+)
+
+type FeatureFlag int
+
+const (
+ unused FeatureFlag = iota // unused is used for testing
+ // Deprecated features, these can be removed once stripped from production configs
+ PrecertificateRevocation
+ StripDefaultSchemePort
+ NonCFSSLSigner
+ StoreIssuerInfo
+ StreamlineOrderAndAuthzs
+ V1DisableNewValidations
+
+ // Currently in-use features
+ // Check CAA and respect validationmethods parameter.
+ CAAValidationMethods
+ // Check CAA and respect accounturi parameter.
+ CAAAccountURI
+ // EnforceMultiVA causes the VA to block on remote VA PerformValidation
+ // requests in order to make a valid/invalid decision with the results.
+ EnforceMultiVA
+ // MultiVAFullResults will cause the main VA to wait for all of the remote VA
+ // results, not just the threshold required to make a decision.
+ MultiVAFullResults
+ // MandatoryPOSTAsGET forbids legacy unauthenticated GET requests for ACME
+ // resources.
+ MandatoryPOSTAsGET
+ // Allow creation of new registrations in ACMEv1.
+ AllowV1Registration
+ // StoreRevokerInfo enables storage of the revoker and a bool indicating if the row
+ // was checked for extant unrevoked certificates in the blockedKeys table.
+ StoreRevokerInfo
+ // RestrictRSAKeySizes enables restriction of acceptable RSA public key moduli to
+ // the common sizes (2048, 3072, and 4096 bits).
+ RestrictRSAKeySizes
+ // FasterNewOrdersRateLimit enables use of a separate table for counting the
+ // new orders rate limit.
+ FasterNewOrdersRateLimit
+ // ECDSAForAll enables all accounts, regardless of their presence in the CA's
+ // ecdsaAllowedAccounts config value, to get issuance from ECDSA issuers.
+ ECDSAForAll
+ // ServeRenewalInfo exposes the renewalInfo endpoint in the directory and for
+ // GET requests. WARNING: This feature is a draft and highly unstable.
+ ServeRenewalInfo
+ // GetAuthzReadOnly causes the SA to use its read-only database connection
+ // (which is generally pointed at a replica rather than the primary db) when
+ // querying the authz2 table.
+ GetAuthzReadOnly
+ // GetAuthzUseIndex causes the SA to use to add a USE INDEX hint when it
+ // queries the authz2 table.
+ GetAuthzUseIndex
+ // Check the failed authorization limit before doing authz reuse.
+ CheckFailedAuthorizationsFirst
+ // AllowReRevocation causes the RA to allow the revocation reason of an
+ // already-revoked certificate to be updated to `keyCompromise` from any
+ // other reason if that compromise is demonstrated by making the second
+ // revocation request signed by the certificate keypair.
+ AllowReRevocation
+ // MozRevocationReasons causes the RA to enforce the following upcoming
+ // Mozilla policies regarding revocation:
+ // - A subscriber can request that their certificate be revoked with reason
+ // keyCompromise, even without demonstrating that compromise at the time.
+ // However, the cert's pubkey will not be added to the blocked keys list.
+ // - When an applicant other than the original subscriber requests that a
+ // certificate be revoked (by demonstrating control over all names in it),
+ // the cert will be revoked with reason cessationOfOperation, regardless of
+ // what revocation reason they request.
+ // - When anyone requests that a certificate be revoked by signing the request
+ // with the certificate's keypair, the cert will be revoked with reason
+ // keyCompromise, regardless of what revocation reason they request.
+ MozRevocationReasons
+)
+
+// List of features and their default value, protected by fMu
+var features = map[FeatureFlag]bool{
+ unused: false,
+ CAAValidationMethods: false,
+ CAAAccountURI: false,
+ EnforceMultiVA: false,
+ MultiVAFullResults: false,
+ MandatoryPOSTAsGET: false,
+ AllowV1Registration: true,
+ V1DisableNewValidations: false,
+ PrecertificateRevocation: false,
+ StripDefaultSchemePort: false,
+ StoreIssuerInfo: false,
+ StoreRevokerInfo: false,
+ RestrictRSAKeySizes: false,
+ FasterNewOrdersRateLimit: false,
+ NonCFSSLSigner: false,
+ ECDSAForAll: false,
+ StreamlineOrderAndAuthzs: false,
+ ServeRenewalInfo: false,
+ GetAuthzReadOnly: false,
+ GetAuthzUseIndex: false,
+ CheckFailedAuthorizationsFirst: false,
+ AllowReRevocation: false,
+ MozRevocationReasons: false,
+}
+
+var fMu = new(sync.RWMutex)
+
+var initial = map[FeatureFlag]bool{}
+
+var nameToFeature = make(map[string]FeatureFlag, len(features))
+
+func init() {
+ for f, v := range features {
+ nameToFeature[f.String()] = f
+ initial[f] = v
+ }
+}
+
+// Set accepts a list of features and whether they should
+// be enabled or disabled, it will return a error if passed
+// a feature name that it doesn't know
+func Set(featureSet map[string]bool) error {
+ fMu.Lock()
+ defer fMu.Unlock()
+ for n, v := range featureSet {
+ f, present := nameToFeature[n]
+ if !present {
+ return fmt.Errorf("feature '%s' doesn't exist", n)
+ }
+ features[f] = v
+ }
+ return nil
+}
+
+// Enabled returns true if the feature is enabled or false
+// if it isn't, it will panic if passed a feature that it
+// doesn't know.
+func Enabled(n FeatureFlag) bool {
+ fMu.RLock()
+ defer fMu.RUnlock()
+ v, present := features[n]
+ if !present {
+ panic(fmt.Sprintf("feature '%s' doesn't exist", n.String()))
+ }
+ return v
+}
+
+// Reset resets the features to their initial state
+func Reset() {
+ fMu.Lock()
+ defer fMu.Unlock()
+ for k, v := range initial {
+ features[k] = v
+ }
+}