From a79b4055e56dc4e2f2caaae9aea555d1be471948 Mon Sep 17 00:00:00 2001
From: Francis Lavoie <lavofr@gmail.com>
Date: Tue, 18 Jan 2022 14:19:50 -0500
Subject: [PATCH] caddytls: Add internal Caddyfile `lifetime`, `sign_with_root`
 opts (#4513)

---
 .../caddyfile_adapt/tls_internal_options.txt  | 54 +++++++++++++++++++
 modules/caddytls/internalissuer.go            | 21 +++++++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 caddytest/integration/caddyfile_adapt/tls_internal_options.txt

diff --git a/caddytest/integration/caddyfile_adapt/tls_internal_options.txt b/caddytest/integration/caddyfile_adapt/tls_internal_options.txt
new file mode 100644
index 000000000..7298a3707
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/tls_internal_options.txt
@@ -0,0 +1,54 @@
+a.example.com {
+	tls {
+		issuer internal {
+			ca foo
+			lifetime 24h
+			sign_with_root
+		}
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"a.example.com"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"a.example.com"
+						],
+						"issuers": [
+							{
+								"ca": "foo",
+								"lifetime": 86400000000000,
+								"module": "internal",
+								"sign_with_root": true
+							}
+						]
+					}
+				]
+			}
+		}
+	}
+}
\ No newline at end of file
diff --git a/modules/caddytls/internalissuer.go b/modules/caddytls/internalissuer.go
index 5de3af56c..ba6055edd 100644
--- a/modules/caddytls/internalissuer.go
+++ b/modules/caddytls/internalissuer.go
@@ -149,7 +149,9 @@ func (iss InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateReques
 // UnmarshalCaddyfile deserializes Caddyfile tokens into iss.
 //
 //     ... internal {
-//         ca <name>
+//         ca       <name>
+//         lifetime <duration>
+//         sign_with_root
 //     }
 //
 func (iss *InternalIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
@@ -160,6 +162,23 @@ func (iss *InternalIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 				if !d.AllArgs(&iss.CA) {
 					return d.ArgErr()
 				}
+
+			case "lifetime":
+				if !d.NextArg() {
+					return d.ArgErr()
+				}
+				dur, err := caddy.ParseDuration(d.Val())
+				if err != nil {
+					return err
+				}
+				iss.Lifetime = caddy.Duration(dur)
+
+			case "sign_with_root":
+				if d.NextArg() {
+					return d.ArgErr()
+				}
+				iss.SignWithRoot = true
+
 			}
 		}
 	}
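Review bot: The new `lifetime` case only consumes one token with d.NextArg(), so a directive like `lifetime 24h extra` is accepted silently, whereas the sibling `ca` case rejects surplus arguments through d.AllArgs; a trailing `if d.NextArg() { return d.ArgErr() }` after the ParseDuration call would keep the two options consistent. The parse error on the line after caddy.ParseDuration is also returned without position information, unlike the d.ArgErr() paths around it; `return d.Errf("parsing lifetime duration: %v", err)` would point the user at the offending line. A zero or negative duration parses successfully and is stored as-is; whether Issue clamps or rejects such a value is outside this hunk, so it may be worth validating here with `if dur <= 0 { return d.Errf("lifetime must be positive") }` if the issuer does not. The enclosing UnmarshalCaddyfile function starts before this hunk and its return lies after it.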