acme_server: fix policy parsing in caddyfile (#7006)

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

Author: mohammed90

caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest

@@ -0,0 +1,72 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		allow {
+			domains host-1.internal.example.com host-2.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"allow": {
+															"domains": [
+																"host-1.internal.example.com",
+																"host-2.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest

@@ -0,0 +1,80 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		allow {
+			domains host-1.internal.example.com host-2.internal.example.com
+		}
+		deny {
+			domains dc.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"allow": {
+															"domains": [
+																"host-1.internal.example.com",
+																"host-2.internal.example.com"
+															]
+														},
+														"deny": {
+															"domains": [
+																"dc.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest

@@ -0,0 +1,71 @@
+{
+	pki {
+		ca custom-ca {
+			name "Custom CA"
+		}
+	}
+}
+
+acme.example.com {
+	acme_server {
+		ca custom-ca
+		deny {
+			domains dc.internal.example.com
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"acme.example.com"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"ca": "custom-ca",
+													"handler": "acme_server",
+													"policy": {
+														"deny": {
+															"domains": [
+																"dc.internal.example.com"
+															]
+														}
+													}
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"pki": {
+			"certificate_authorities": {
+				"custom-ca": {
+					"name": "Custom CA"
+				}
+			}
+		}
+	}
+}

modules/caddypki/acmeserver/caddyfile.go

@@ -91,19 +91,17 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
 			acmeServer.Policy.AllowWildcardNames = true
 		case "allow":
 			r := &RuleSet{}
-			for h.Next() {
-				for h.NextBlock(h.Nesting() - 1) {
-					if h.CountRemainingArgs() == 0 {
-						return nil, h.ArgErr() // TODO:
-					}
-					switch h.Val() {
-					case "domains":
-						r.Domains = append(r.Domains, h.RemainingArgs()...)
-					case "ip_ranges":
-						r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
-					default:
-						return nil, h.Errf("unrecognized 'allow' subdirective: %s", h.Val())
-					}
+			for nesting := h.Nesting(); h.NextBlock(nesting); {
+				if h.CountRemainingArgs() == 0 {
+					return nil, h.ArgErr() // TODO:
+				}
+				switch h.Val() {
+				case "domains":
+					r.Domains = append(r.Domains, h.RemainingArgs()...)
+				case "ip_ranges":
+					r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
+				default:
+					return nil, h.Errf("unrecognized 'allow' subdirective: %s", h.Val())
 				}
 			}
 			if acmeServer.Policy == nil {
@@ -112,19 +110,17 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
 			acmeServer.Policy.Allow = r
 		case "deny":
 			r := &RuleSet{}
-			for h.Next() {
-				for h.NextBlock(h.Nesting() - 1) {
-					if h.CountRemainingArgs() == 0 {
-						return nil, h.ArgErr() // TODO:
-					}
-					switch h.Val() {
-					case "domains":
-						r.Domains = append(r.Domains, h.RemainingArgs()...)
-					case "ip_ranges":
-						r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
-					default:
-						return nil, h.Errf("unrecognized 'deny' subdirective: %s", h.Val())
-					}
+			for nesting := h.Nesting(); h.NextBlock(nesting); {
+				if h.CountRemainingArgs() == 0 {
+					return nil, h.ArgErr() // TODO:
+				}
+				switch h.Val() {
+				case "domains":
+					r.Domains = append(r.Domains, h.RemainingArgs()...)
+				case "ip_ranges":
+					r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
+				default:
+					return nil, h.Errf("unrecognized 'deny' subdirective: %s", h.Val())
 				}
 			}
 			if acmeServer.Policy == nil {