ACME: new directive to indicate TOS agreement.

RFC8555 Section 7.3:

> Clients SHOULD NOT automatically agree to terms by default. Rather,
> they SHOULD require some user interaction for agreement to terms.

Right now this only sets the flag, the corresponding logic will appear
with the client implementation.

Author: bavshin-f5

README.md

@@ -203,6 +203,20 @@ help with rate-limiting ACME servers.
 The directory, if configured, will contain sensitive content:
 the account key, the issued certificates and private keys.
 
+### terms_of_service_agreed 
+
+**Syntax:** terms_of_service_agreed
+
+**Default:** -
+
+**Context:** acme_issuer
+
+Agree to the terms under which the ACME server is to be used.
+
+Some servers require the user to agree with the terms of service before
+registering an account. The text is usually available on the ACME server's
+website and the URL will be printed to the error log if necessary.
+
 ### acme_shared_zone
 
 **Syntax:** acme_shared_zone `zone` = `name:size`

src/conf.rs

@@ -3,8 +3,9 @@ use core::{mem, ptr};
 
 use nginx_sys::{
     ngx_command_t, ngx_conf_parse, ngx_conf_t, ngx_http_core_srv_conf_t, ngx_str_t, ngx_uint_t,
-    NGX_CONF_1MORE, NGX_CONF_BLOCK, NGX_CONF_FLAG, NGX_CONF_TAKE1, NGX_HTTP_MAIN_CONF,
-    NGX_HTTP_MAIN_CONF_OFFSET, NGX_HTTP_SRV_CONF, NGX_HTTP_SRV_CONF_OFFSET, NGX_LOG_EMERG,
+    NGX_CONF_1MORE, NGX_CONF_BLOCK, NGX_CONF_FLAG, NGX_CONF_NOARGS, NGX_CONF_TAKE1,
+    NGX_HTTP_MAIN_CONF, NGX_HTTP_MAIN_CONF_OFFSET, NGX_HTTP_SRV_CONF, NGX_HTTP_SRV_CONF_OFFSET,
+    NGX_LOG_EMERG,
 };
 use ngx::collections::Vec;
 use ngx::core::{Pool, Status, NGX_CONF_ERROR, NGX_CONF_OK};
@@ -71,7 +72,7 @@ pub static mut NGX_HTTP_ACME_COMMANDS: [ngx_command_t; 4] = [
     ngx_command_t::empty(),
 ];
 
-static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 9] = [
+static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 10] = [
     ngx_command_t {
         name: ngx_string!("uri"),
         type_: NGX_CONF_TAKE1 as ngx_uint_t,
@@ -136,6 +137,14 @@ static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 9] = [
         offset: mem::offset_of!(Issuer, state_path),
         post: ptr::null_mut(),
     },
+    ngx_command_t {
+        name: ngx_string!("terms_of_service_agreed"),
+        type_: NGX_CONF_NOARGS as ngx_uint_t,
+        set: Some(cmd_issuer_set_tos_agreed),
+        conf: 0,
+        offset: 0,
+        post: ptr::null_mut(),
+    },
     ngx_command_t::empty(),
 ];
 
@@ -400,6 +409,22 @@ extern "C" fn cmd_issuer_set_uri(
     NGX_CONF_OK
 }
 
+extern "C" fn cmd_issuer_set_tos_agreed(
+    _cf: *mut ngx_conf_t,
+    _cmd: *mut ngx_command_t,
+    conf: *mut c_void,
+) -> *mut c_char {
+    let issuer = unsafe { conf.cast::<Issuer>().as_mut().expect("issuer conf") };
+
+    if issuer.terms_of_service_agreed.is_some() {
+        return NGX_CONF_DUPLICATE;
+    }
+
+    issuer.terms_of_service_agreed = Some(true);
+
+    NGX_CONF_OK
+}
+
 /* Methods and trait implementations */
 
 impl AcmeMainConfig {

src/conf/issuer.rs

@@ -38,6 +38,7 @@ pub struct Issuer {
     pub ssl_trusted_certificate: ngx_str_t,
     pub ssl_verify: ngx_flag_t,
     pub state_path: *mut ngx_path_t,
+    pub terms_of_service_agreed: Option<bool>,
     // Generated fields
     // ngx_ssl_t stores a pointer to itself in SSL_CTX ex_data.
     pub ssl: Box<NgxSsl, Pool>,
@@ -80,6 +81,7 @@ impl Issuer {
             ssl_trusted_certificate: ngx_str_t::empty(),
             ssl_verify: NGX_CONF_UNSET_FLAG,
             state_path: ptr::null_mut(),
+            terms_of_service_agreed: None,
             ssl,
             pkey: None,
             orders: RbTreeMap::try_new_in(alloc)?,

t/acme_conf_issuer.t

@@ -72,6 +72,7 @@ acme_issuer example {
     resolver_timeout 5s;
     ssl_verify off;
     state_path %%TESTDIR%%;
+    terms_of_service_agreed;
 }
 
 EOF