

//! Configuration types for the Dogtag PKI client.
//!
//! Provides strongly-typed configuration for connecting to Dogtag CA and KRA
//! subsystems, including mTLS agent credentials and retry policy.
6use serde::Deserialize;
7use url::Url;
/// Configuration for connecting to a Dogtag PKI instance.
///
/// Supports deserialization from TOML configuration files. The agent certificate
/// and key are used for mTLS authentication to the Dogtag REST API, which requires
/// an agent-level certificate for enrollment and revocation operations.
///
/// Only `timeout_secs`, `retry_max` and `retry_delay_ms` carry serde defaults
/// (30, 3 and 1000 respectively); every other field must be present in the
/// configuration or deserialization fails. `kra_url` is an `Option` and may be
/// omitted.
///
/// NOTE(review): the derived deserializer is not marked `deny_unknown_fields`,
/// so a misspelled optional key (e.g. `retry_max` typed as `retry_mx`) is
/// silently ignored and the default applies. Worth deciding whether strict
/// parsing is wanted for an operator-edited file.
///
/// NOTE(review): `Debug` is derived. If an operator ever puts userinfo
/// (`https://user:pass@host`) into `ca_url`/`kra_url`, a `{:?}` of this struct
/// will print it — confirm this type is not logged verbatim.
///
/// # Example TOML
///
/// ```toml
/// [dogtag]
/// ca_url = "https://ca.example.com:8443"
/// kra_url = "https://kra.example.com:8443"
/// agent_cert_file = "/etc/kipuka/agent.pem"
/// agent_key_file = "/etc/kipuka/agent.key"
/// ca_cert_file = "/etc/pki/tls/certs/ca-bundle.crt"
/// profile_id = "caServerCert"
/// timeout_secs = 30
/// retry_max = 3
/// retry_delay_ms = 1000
/// ```
#[derive(Debug, Clone, Deserialize)]
pub struct DogtagConfig {
    /// Base URL of the Dogtag CA subsystem.
    ///
    /// Typically `https://<hostname>:8443` for the secure admin/agent port.
    /// The REST API endpoints are relative to this URL (e.g., `/ca/rest/certs`).
    /// Parsed into a [`Url`] at deserialization time, so a malformed value is
    /// rejected when the config is loaded rather than on first request.
    pub ca_url: Url,

    /// Base URL of the Dogtag KRA subsystem (optional).
    ///
    /// Required only for `/serverkeygen` operations that need server-side key
    /// generation and archival. Typically on the same host as the CA but may
    /// be a separate instance. `None` when the key is absent from the config.
    pub kra_url: Option<Url>,

    /// Path to the PEM-encoded agent certificate file.
    ///
    /// This certificate authenticates the client to the Dogtag REST API.
    /// Must be issued by a CA trusted by the Dogtag instance and have
    /// the appropriate agent privileges.
    pub agent_cert_file: String,

    /// Path to the PEM-encoded agent private key file.
    ///
    /// Only the path is held here; the key material itself is read by whatever
    /// builds the TLS client from this config. The file should be readable
    /// solely by the service account that runs the client.
    pub agent_key_file: String,

    /// Path to the PEM-encoded CA certificate file for TLS verification.
    ///
    /// Used to verify the Dogtag server's TLS certificate. This is typically
    /// the root CA certificate that issued the Dogtag instance's server cert.
    /// This is the trust anchor for the connection; it is distinct from the
    /// CA that issued the agent credential above.
    pub ca_cert_file: String,

    /// Default enrollment profile ID.
    ///
    /// Common profiles include:
    /// - `caServerCert` — TLS server certificates
    /// - `caUserCert` — User/client certificates
    /// - `caIPAserviceCert` — FreeIPA service certificates
    /// - `caDualCert` — Dual-key (signing + encryption) certificates
    pub profile_id: String,

    /// HTTP request timeout in seconds.
    ///
    /// Applied to each individual HTTP request to the Dogtag REST API.
    /// Enrollment operations may take longer if the CA profile requires
    /// approval workflows. Defaults to 30 when omitted (see `default_timeout`).
    #[serde(default = "default_timeout")]
    pub timeout_secs: u64,

    /// Maximum number of retry attempts for transient failures.
    ///
    /// Retries are attempted for HTTP 5xx errors and connection failures.
    /// Client errors (4xx) are not retried. Defaults to 3 when omitted
    /// (see `default_retry_max`).
    #[serde(default = "default_retry_max")]
    pub retry_max: u32,

    /// Delay between retry attempts in milliseconds.
    ///
    /// Simple fixed-delay retry. Future versions may support exponential
    /// backoff. Defaults to 1000 when omitted (see `default_retry_delay`).
    #[serde(default = "default_retry_delay")]
    pub retry_delay_ms: u64,
}
/// Serde default for [`DogtagConfig::timeout_secs`]: 30 seconds per HTTP request.
fn default_timeout() -> u64 {
    const DEFAULT_TIMEOUT_SECS: u64 = 30;
    DEFAULT_TIMEOUT_SECS
}
/// Serde default for [`DogtagConfig::retry_max`]: three retry attempts.
fn default_retry_max() -> u32 {
    const DEFAULT_RETRY_MAX: u32 = 3;
    DEFAULT_RETRY_MAX
}
/// Serde default for [`DogtagConfig::retry_delay_ms`]: 1000 ms between retries.
fn default_retry_delay() -> u64 {
    const DEFAULT_RETRY_DELAY_MS: u64 = 1000;
    DEFAULT_RETRY_DELAY_MS
}