acme: add RetryAfter field to the Authorization object returned by GetAuthorization.

When using WaitAuthorization is not practical due to its blocking, for example in Kubernetes controllers, the GetAuthorization can be used. This change adds the RetryAfter field to the Authorization object returned by GetAuthorization so it can be used by these implementations that use their own polling mechanism.

The new RetryAfter field is populated by the "Retry-After" header in the HTTP response.

The WaitAuthorization method will never set this new field, since it does not return while the challenges are still pending.

Signed-off-by: Adam Talbot <[email protected]>

Author: Adam Talbot

acme/acme.go

@@ -381,7 +381,7 @@ func (c *Client) authorize(ctx context.Context, typ, val string) (*Authorization
 	if v.Status != StatusPending && v.Status != StatusValid {
 		return nil, fmt.Errorf("acme: unexpected status: %s", v.Status)
 	}
-	return v.authorization(res.Header.Get("Location")), nil
+	return v.authorization(res.Header.Get("Location"), 0), nil
 }
 
 // GetAuthorization retrieves an authorization identified by the given URL.
@@ -402,7 +402,8 @@ func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorizati
 	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
 		return nil, fmt.Errorf("acme: invalid response: %v", err)
 	}
-	return v.authorization(url), nil
+	d := retryAfter(res.Header.Get("Retry-After"))
+	return v.authorization(url, d), nil
 }
 
 // RevokeAuthorization relinquishes an existing authorization identified
@@ -460,7 +461,7 @@ func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorizat
 		case err != nil:
 			// Skip and retry.
 		case raw.Status == StatusValid:
-			return raw.authorization(url), nil
+			return raw.authorization(url, 0), nil
 		case raw.Status == StatusInvalid:
 			return nil, raw.error(url)
 		}

acme/types.go

@@ -426,6 +426,14 @@ type Authorization struct {
 	//
 	// This field is unused in RFC 8555.
 	Combinations [][]int
+
+	// RetryAfter specifies how long the client should wait before polling the
+	// authorization resource again, if indicated by the server.
+	// This corresponds to the optional Retry-After HTTP header included in a
+	// 200 (OK) response when the authorization is still StatusPending.
+	//
+	// See RFC 8555 Section 7.5.1.
+	RetryAfter time.Duration
 }
 
 // AuthzID is an identifier that an account is authorized to represent.
@@ -471,7 +479,7 @@ type wireAuthz struct {
 	Error        *wireError
 }
 
-func (z *wireAuthz) authorization(uri string) *Authorization {
+func (z *wireAuthz) authorization(uri string, retryAfter time.Duration) *Authorization {
 	a := &Authorization{
 		URI:          uri,
 		Status:       z.Status,
@@ -480,6 +488,7 @@ func (z *wireAuthz) authorization(uri string) *Authorization {
 		Wildcard:     z.Wildcard,
 		Challenges:   make([]*Challenge, len(z.Challenges)),
 		Combinations: z.Combinations, // shallow copy
+		RetryAfter:   retryAfter,
 	}
 	for i, v := range z.Challenges {
 		a.Challenges[i] = v.challenge()