rawlinp commented on a change in pull request #5922:
URL: https://github.com/apache/trafficcontrol/pull/5922#discussion_r652045198
##########
File path: lib/go-tc/deliveryservices.go
##########
@@ -192,18 +194,416 @@ type DeliveryServiceFieldsV31 struct {
// DeliveryServiceV40 is a Delivery Service as it appears in version 4.0 of the
// Traffic Ops API.
type DeliveryServiceV40 struct {
- DeliveryServiceFieldsV31
- DeliveryServiceFieldsV30
- DeliveryServiceFieldsV15
- DeliveryServiceFieldsV14
- DeliveryServiceFieldsV13
- DeliveryServiceNullableFieldsV11
+ // Active dictates whether the Delivery Service is routed by Traffic
Router.
+ Active *bool `json:"active" db:"active"`
+ // AnonymousBlockingEnabled sets whether or not anonymized IP addresses
+ // (e.g. Tor exit nodes) should be restricted from accessing the
Delivery
+ // Service's content.
+ AnonymousBlockingEnabled *bool `json:"anonymousBlockingEnabled"
db:"anonymous_blocking_enabled"`
+ // CCRDNSTTL sets the Time-to-Live - in seconds - for DNS responses for
this
+ // Delivery Service from Traffic Router.
+ CCRDNSTTL *int `json:"ccrDnsTtl" db:"ccr_dns_ttl"`
+ // CDNID is the integral, unique identifier for the CDN to which the
+ // Delivery Service belongs.
+ CDNID *int `json:"cdnId" db:"cdn_id"`
+ // CDNName is the name of the CDN to which the Delivery Service belongs.
+ CDNName *string `json:"cdnName"`
+ // CheckPath is a path which may be requested of the Delivery Service's
+ // origin to ensure it's working properly.
+ CheckPath *string `json:"checkPath" db:"check_path"`
+ // ConsistentHashQueryParams is a list of al of the query string
parameters
+ // which ought to be considered by Traffic Router in client request
URIs for
+ // HTTP-routed Delivery Services in the hashing process.
+ ConsistentHashQueryParams []string `json:"consistentHashQueryParams"`
+ // ConsistentHashRegex is used by Traffic Router to extract meaningful
parts
+ // of a client's request URI for HTTP-routed Delivery Services before
+ // hashing the request to find a cache server to which to direct the
client.
+ ConsistentHashRegex *string `json:"consistentHashRegex"`
+ // DeepCachingType may only legally point to 'ALWAYS' or 'NEVER', which
+ // define whether "deep caching" may or may not be used for this
Delivery
+ // Service, respectively.
+ DeepCachingType *DeepCachingType `json:"deepCachingType"
db:"deep_caching_type"`
+ // DisplayName is a human-friendly name that might be used in some UIs
+ // somewhere.
+ DisplayName *string `json:"displayName" db:"display_name"`
+ // DNSBypassCNAME is a fully qualified domain name to be used in a CNAME
+ // record presented to clients in bypass scenarios.
+ DNSBypassCNAME *string `json:"dnsBypassCname" db:"dns_bypass_cname"`
+ // DNSBypassIP is an IPv4 address to be used in an A record presented to
+ // clients in bypass scenarios.
+ DNSBypassIP *string `json:"dnsBypassIp" db:"dns_bypass_ip"`
+ // DNSBypassIP6 is an IPv6 address to be used in an AAAA record
presented to
+ // clients in bypass scenarios.
+ DNSBypassIP6 *string `json:"dnsBypassIp6" db:"dns_bypass_ip6"`
+ // DNSBypassTTL sets the Time-to-Live - in seconds - of DNS responses
from
+ // the Traffic Router that contain records for bypass destinations.
+ DNSBypassTTL *int `json:"dnsBypassTtl" db:"dns_bypass_ttl"`
+ // DSCP sets the Differentiated Services Code Point for IP packets
+ // transferred between clients, origins, and cache servers when
obtaining
+ // and serving content for this Delivery Service.
+ // See Also: https://en.wikipedia.org/wiki/Differentiated_services
+ DSCP *int `json:"dscp" db:"dscp"`
+ // EcsEnabled describes whether or not the Traffic Router's EDNS0 Client
+ // Subnet extensions should be enabled when serving DNS responses for
this
+ // Delivery Service. Even if this is true, the Traffic Router may still
+ // have the extensions unilaterally disabled in its own configuration.
+ EcsEnabled bool `json:"ecsEnabled" db:"ecs_enabled"`
+ // EdgeHeaderRewrite is a "header rewrite rule" used by ATS at the
Edge-tier
+ // of caching. This has no effect on Delivery Services that don't use a
+ // Topology.
+ EdgeHeaderRewrite *string `json:"edgeHeaderRewrite"
db:"edge_header_rewrite"`
+ // ExampleURLs is a list of all of the URLs from which content may be
+ // requested from the Delivery Service.
+ ExampleURLs []string `json:"exampleURLs"`
+ // FirstHeaderRewrite is a "header rewrite rule" used by ATS at the
first
+ // caching layer encountered in the Delivery Service's Topology, or nil
if
+ // there is no such rule. This has no effect on Delivery Services that
don't
+ // employ Topologies.
+ FirstHeaderRewrite *string `json:"firstHeaderRewrite"
db:"first_header_rewrite"`
+ // FQPacingRate sets the maximum bytes per second a cache server will
deliver
+ // on any single TCP connection for this Delivery Service. This may
never
+ // legally point to a value less than zero.
+ FQPacingRate *int `json:"fqPacingRate" db:"fq_pacing_rate"`
+ // GeoLimit defines whether or not access to a Delivery Service's
content
+ // should be limited based on the requesting client's geographic
location.
+ // Despite that this is a pointer to an arbitrary integer, the only
valid
+ // values are 0 (which indicates that content should not be limited
+ // geographically), 1 (which indicates that content should only be
served to
+ // clients whose IP addresses can be found within a Coverage Zone
File), and
+ // 2 (which indicates that content should be served to clients whose IP
+ // addresses can be found within a Coverage Zone File OR are allowed
access
+ // according to the "array" in GeoLimitCountries).
+ GeoLimit *int `json:"geoLimit" db:"geo_limit"`
+ // GeoLimitCountries is an "array" of "country codes" that itemizes the
+ // countries within which the Delivery Service's content ought to be
made
+ // available. This has no effect if GeoLimit is not a pointer to
exactly the
+ // value 2.
+ GeoLimitCountries *string `json:"geoLimitCountries"
db:"geo_limit_countries"`
+ // GeoLimitRedirectURL is a URL to which clients will be redirected if
their
+ // access to the Delivery Service's content is blocked by GeoLimit
rules.
+ GeoLimitRedirectURL *string `json:"geoLimitRedirectURL"
db:"geolimit_redirect_url"`
+ // GeoProvider names the type of database to be used for providing IP
+ // address-to-geographic-location mapping for this Delivery Service. The
+ // only valid values to which it may point are 0 (which indicates the
use of
+ // a MaxMind GeoIP2 database) and 1 (which indicates the use of a
Neustar
+ // GeoPoint IP address database).
+ GeoProvider *int `json:"geoProvider" db:"geo_provider"`
+ // GlobalMaxMBPS defines a maximum number of MegaBytes Per Second which
may
+ // be served for the Delivery Service before redirecting clients to
bypass
+ // locations.
+ GlobalMaxMBPS *int `json:"globalMaxMbps" db:"global_max_mbps"`
+ // GlobalMaxTPS defines a maximum number of Transactions Per Second
which
+ // may be served for the Delivery Service before redirecting clients to
+ // bypass locations.
+ GlobalMaxTPS *int `json:"globalMaxTps" db:"global_max_tps"`
+ // HTTPBypassFQDN is a network location to which clients will be
redirected
+ // in bypass scenarios using HTTP "Location" headers and appropriate
+ // redirection response codes.
+ HTTPBypassFQDN *string `json:"httpBypassFqdn" db:"http_bypass_fqdn"`
+ // ID is an integral, unique identifier for the Delivery Service.
+ ID *int `json:"id" db:"id"`
+ // InfoURL is a URL to which operators or clients may be directed to
obtain
+ // further information about a Delivery Service.
+ InfoURL *string `json:"infoUrl" db:"info_url"`
+ // InitialDispersion sets the number of cache servers within the first
+ // caching layer ("Edge-tier" in a non-Topology context) across which
+ // content will be dispersed per Cache Group.
+ InitialDispersion *int `json:"initialDispersion"
db:"initial_dispersion"`
+ // InnerHeaderRewrite is a "header rewrite rule" used by ATS at all
caching
+ // layers encountered in the Delivery Service's Topology except the
first
+ // and last, or nil if there is no such rule. This has no effect on
Delivery
+ // Services that don't employ Topologies.
+ InnerHeaderRewrite *string `json:"innerHeaderRewrite"
db:"inner_header_rewrite"`
+ // IPV6RoutingEnabled controls whether or not routing over IPv6 should
be
+ // done for this Delivery Service.
+ IPV6RoutingEnabled *bool `json:"ipv6RoutingEnabled"
db:"ipv6_routing_enabled"`
+ // LastHeaderRewrite is a "header rewrite rule" used by ATS at the first
+ // caching layer encountered in the Delivery Service's Topology, or nil
if
+ // there is no such rule. This has no effect on Delivery Services that
don't
+ // employ Topologies.
+ LastHeaderRewrite *string `json:"lastHeaderRewrite"
db:"last_header_rewrite"`
+ // LastUpdated is the time and date at which the Delivery Service was
last
+ // updated.
+ LastUpdated time.Time `json:"lastUpdated" db:"last_updated"`
+ // LogsEnabled controls nothing. It is kept only for legacy
compatibility.
+ LogsEnabled *bool `json:"logsEnabled" db:"logs_enabled"`
+ // LongDesc is a description of the Delivery Service, having arbitrary
+ // length.
+ LongDesc *string `json:"longDesc" db:"long_desc"`
+ // LongDesc1 is a description of the Delivery Service, having arbitrary
+ // length.
+ LongDesc1 *string `json:"longDesc1" db:"long_desc_1"`
+ // LongDesc2 is a description of the Delivery Service, having arbitrary
+ // length.
+ LongDesc2 *string `json:"longDesc2" db:"long_desc_2"`
+ // MatchList is a list of Regular Expressions used for routing the
Delivery
+ // Service. Order matters, and the array is not allowed to be sparse.
+ MatchList []DeliveryServiceMatch `json:"matchList"`
+ // MaxDNSAnswers sets the maximum number of records which should be
returned
+ // by Traffic Router in DNS responses to requests for resolving names
for
+ // this Delivery Service.
+ MaxDNSAnswers *int `json:"maxDnsAnswers" db:"max_dns_answers"`
+ // MaxOriginConnections defines the total maximum number of connections
+ // that the highest caching layer ("Mid-tier" in a non-Topology
context) is
+ // allowed to have concurrently open to the Delivery Service's Origin.
This
+ // may never legally point to a value less than 0.
+ MaxOriginConnections *int `json:"maxOriginConnections"
db:"max_origin_connections"`
+ // MaxRequestHeaderBytes is the maximum size (in bytes) of the request
+ // header that is allowed for this Delivery Service.
+ MaxRequestHeaderBytes *int `json:"maxRequestHeaderBytes"
db:"max_request_header_bytes"`
+ // MidHeaderRewrite is a "header rewrite rule" used by ATS at the
Mid-tier
+ // of caching. This has no effect on Delivery Services that don't use a
+ // Topology.
+ MidHeaderRewrite *string `json:"midHeaderRewrite"
db:"mid_header_rewrite"`
+ // MissLat is a latitude to default to for clients of this Delivery
Service
+ // when geolocation attempts fail.
+ MissLat *float64 `json:"missLat" db:"miss_lat"`
+ // MissLong is a longitude to default to for clients of this Delivery
+ // Service when geolocation attempts fail.
+ MissLong *float64 `json:"missLong" db:"miss_long"`
+ // MultiSiteOrigin determines whether or not the Delivery Service makes
use
+ // of "Multi-Site Origin".
+ MultiSiteOrigin *bool `json:"multiSiteOrigin" db:"multi_site_origin"`
+ // OriginShield is a field that does nothing. It is kept only for legacy
+ // compatibility reasons.
+ OriginShield *string `json:"originShield" db:"origin_shield"`
+ // OrgServerFQDN is the URL - NOT Fully Qualified Domain Name - of the
+ // origin of the Delivery Service's content.
+ OrgServerFQDN *string `json:"orgServerFqdn" db:"org_server_fqdn"`
+ // ProfileDesc is the Description of the Profile used by the Delivery
+ // Service, if any.
+ ProfileDesc *string `json:"profileDescription"`
+ // ProfileID is the integral, unique identifier of the Profile used by
the
+ // Delivery Service, if any.
+ ProfileID *int `json:"profileId" db:"profile"`
+ // ProfileName is the Name of the Profile used by the Delivery Service,
if
+ // any.
+ ProfileName *string `json:"profileName"`
+ // Protocol defines the protocols by which caching servers may
communicate
+ // with clients. The valid values to which it may point are 0 (which
implies
+ // that only HTTP may be used), 1 (which implies that only HTTPS may be
+ // used), 2 (which implies that either HTTP or HTTPS may be used), and 3
+ // (which implies that clients using HTTP must be redirected to use
HTTPS,
+ // while communications over HTTPS may proceed as normal).
+ Protocol *int `json:"protocol" db:"protocol"`
+ // QStringIgnore sets how query strings in HTTP requests to cache
servers
+ // from clients are treated. The only valid values to which it may
point are
+ // 0 (which implies that all caching layers will pass query strings in
+ // upstream requests and use them in the cache key), 1 (which implies
that
+ // all caching layers will pass query strings in upstream requests, but
not
+ // use them in cache keys), and 2 (which implies that the first
encountered
+ // caching layer - "Edge-tier" in a non-Topology context - will strip
query
+ // strings, effectively preventing them from being passed in upstream
+ // requests, and not use them in the cache key).
+ QStringIgnore *int `json:"qstringIgnore" db:"qstring_ignore"`
+ // RangeRequestHandling defines how HTTP GET requests with a Range
header
+ // will be handled by cache servers serving the Delivery Service's
content.
+ // The only valid values to which it may point are 0 (which implies that
+ // Range requests will not be cached at all), 1 (which implies that the
+ // background_fetch plugin will be used to service the range request
while
+ // caching the whole object), 2 (which implies that the
cache_range_requests
+ // plugin will be used to cache ranges as unique objects), and 3 (which
+ // implies that the slice plugin will be used to slice range based
requests
+ // into deterministic chunks.)
+ RangeRequestHandling *int `json:"rangeRequestHandling"
db:"range_request_handling"`
+ // RangeSliceBlockSize defines the size of range request blocks - or
+ // "slices" - used by the "slice" plugin. This has no effect if
+ // RangeRequestHandling does not point to exactly 3. This may never
legally
+ // point to a value less than zero.
+ RangeSliceBlockSize *int `json:"rangeSliceBlockSize"
db:"range_slice_block_size"`
+ // Regex Remap is a raw line to be inserted into "regex_remap.config"
on the
+ // cache server. Care is necessitated in its use, because the input is
in no
+ // way restricted, validated, or limited in scope to the Delivery
Service.
+ RegexRemap *string `json:"regexRemap" db:"regex_remap"`
+ // RegionalGeoBlocking defines whether or not whatever Regional Geo
Blocking
+ // rules are configured on the Traffic Router serving content for this
+ // Delivery Service will have an effect on the traffic of this Delivery
+ // Service.
+ RegionalGeoBlocking *bool `json:"regionalGeoBlocking"
db:"regional_geo_blocking"`
+ // RemapText is raw text to insert in "remap.config" on the cache
servers
+ // serving content for this Delivery Service. Care is necessitated in
its
+ // use, because the input is in no way restricted, validated, or
limited in
+ // scope to the Delivery Service.
+ RemapText *string `json:"remapText" db:"remap_text"`
+ // RoutingName defines the lowest-level DNS label used by the Delivery
+ // Service, e.g. if trafficcontrol.apache.org were a Delivery Service,
it
+ // would have a RoutingName of "trafficcontrol".
+ RoutingName *string `json:"routingName" db:"routing_name"`
+ // ServiceCategory defines a category to which a Delivery Service may
+ // belong, which will cause HTTP Responses containing content for the
+ // Delivery Service to have the "X-CDN-SVC" header with a value that is
the
+ // XMLID of the Delivery Service.
+ ServiceCategory *string `json:"serviceCategory" db:"service_category"`
+ // Signed is a legacy field. It is allowed to be `true` if and only if
+ // SigningAlgorithm is not nil.
+ Signed bool `json:"signed"`
+ // SigningAlgorithm is the name of the algorithm used to sign CDN URIs
for
+ // this Delivery Service's content, or nil if no URI signing is done
for the
+ // Delivery Service. This may only point to the values "url_sig" or
+ // "uri_signing".
+ SigningAlgorithm *string `json:"signingAlgorithm"
db:"signing_algorithm"`
+ // SSLKeyVersion incremented whenever Traffic Portal generates new SSL
keys
+ // for the Delivery Service, effectively making it a "generational"
marker.
+ SSLKeyVersion *int `json:"sslKeyVersion" db:"ssl_key_version"`
+ // Tenant is the Tenant to which the Delivery Service belongs.
+ Tenant *string `json:"tenant"`
+ // TenantID is the integral, unique identifier for the Tenant to which
the
+ // Delivery Service belongs.
+ TenantID *int `json:"tenantId" db:"tenant_id"`
+ // TLSVersions is the list of explicitly supported TLS versions for
cache
+ // servers serving the Delivery Service's content.
+ TLSVersions []string `json:"tlsVersions" db:"tls_versions"`
+ // Topology is the name of the Topology used by the Delivery Service,
or nil
+ // if no Topology is used.
+ Topology *string `json:"topology" db:"topology"`
+ // TRResponseHeaders is a set of headers (separated by CRLF pairs as
per the
+ // HTTP spec) and their values (separated by a colon as per the HTTP
spec)
+ // which will be sent by Traffic Router in HTTP responses to client
requests
+ // for this Delivery Service's content. This has no effect on
DNS-routed or
+ // un-routed Delivery Service Types.
+ TRResponseHeaders *string `json:"trResponseHeaders"`
+ // TRRequestHeaders is an "array" of HTTP headers which should be logged
+ // from client HTTP requests for this Delivery Service's content by
Traffic
+ // Router, separated by newlines. This has no effect on DNS-routed or
+ // un-routed Delivery Service Types.
+ TRRequestHeaders *string `json:"trRequestHeaders"`
+ // Type describes how content is routed and cached for this Delivery
Service
+ // as well as what other properties have any meaning.
+ Type *DSType `json:"type"`
+ // TypeID is an integral, unique identifier for the Tenant to which the
+ // Delivery Service belongs.
+ TypeID *int `json:"typeId" db:"type"`
+ // XMLID is a unique identifier that is also the second lowest-level DNS
+ // label used by the Delivery Service. For example, if a Delivery
Service's
+ // content may be requested from video.demo1.mycdn.ciab.test, it may be
+ // inferred that the Delivery Service's XMLID is demo1.
+ XMLID *string `json:"xmlId" db:"xml_id"`
}
// DeliveryServiceV4 is a Delivery Service as it appears in version 4 of the
// Traffic Ops API - it always points to the highest minor version in APIv4.
type DeliveryServiceV4 = DeliveryServiceV40
+// These are the TLS Versions known by Apache Traffic Control to exist.
+const (
+ // Deprecated: TLS version 1.0 is known to be insecure.
+ TLSVersion10 = "1.0"
+ // Deprecated: TLS version 1.1 is known to be insecure.
+ TLSVersion11 = "1.1"
+ TLSVersion12 = "1.2"
+ TLSVersion13 = "1.3"
+)
+
+func newerDisallowedMessage(old string, newer []string) string {
+ l := len(newer)
+ if l < 1 {
+ return ""
+ }
+
+ var msg strings.Builder
+ msg.WriteString("old TLS version ")
+ msg.WriteString(old)
+ msg.WriteString(" is allowed, but newer version")
+ if l > 1 {
+ msg.WriteRune('s')
+ }
+ msg.WriteRune(' ')
+ msg.WriteString(newer[0])
+ if l > 1 {
+ msg.WriteString(", ")
+ if l > 2 {
+ msg.WriteString(newer[1])
+ msg.WriteString(", and ")
+ msg.WriteString(newer[2])
+ } else {
+ msg.WriteString("and ")
+ msg.WriteString(newer[1])
+ }
+ msg.WriteString(" are ")
+ } else {
+ msg.WriteString(" is ")
+ }
+ msg.WriteString("disallowed; this configuration may be insecure")
+
+ return msg.String()
+}
+
+// TLSVersionsAlerts generates warning-level alerts for the given TLS versions
+// array. It will warn if newer versions are disallowed while older, less
+// secure versions are allowed, or if there are unrecognized versions present.
+//
+// This does NOT verify that the passed TLS versions are _valid_, it ONLY
+// creates warnings based on conditions that are possibly detrimental to CDN
+// operation, but can, in fact, work.
+func TLSVersionsAlerts(vers []string) Alerts {
Review comment:
That's fine -- I'll mark this resolved
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
