Require the explicit terms of service agreement

As stated in the RFC 8555, the client should explicitly ask the user for
the terms of service agreement. In the case of ACMEd, the retained
method is to ask for a `tos_agreed` field to be set to true or false in
the configuration. This field has been set in the endpoint object rather
than in the account one because the same account can be used on multiple
endpoints.

acmed/src/acme_proto/account.rs

@@ -37,7 +37,7 @@ impl AccountManager {
             storage::set_account_pub_key(cert, &pub_key)?;
             (priv_key, pub_key)
         };
-        let account = Account::new(&cert.account);
+        let account = Account::new(cert);
         let account = serde_json::to_string(&account)?;
         let data = encode_jwk(&priv_key, account.as_bytes(), &directory.new_account, nonce)?;
         let (acc_rep, account_url, nonce) =

acmed/src/acme_proto/structs/account.rs

@@ -1,4 +1,4 @@
-use crate::config;
+use crate::certificate::Certificate;
 use crate::error::Error;
 use serde::{Deserialize, Serialize};
 use std::str::FromStr;
@@ -12,10 +12,10 @@ pub struct Account {
 }
 
 impl Account {
-    pub fn new(cnf_account: &config::Account) -> Self {
+    pub fn new(cert: &Certificate) -> Self {
         Account {
-            contact: vec![format!("mailto:{}", cnf_account.email)],
-            terms_of_service_agreed: true,
+            contact: vec![format!("mailto:{}", cert.account.email)],
+            terms_of_service_agreed: cert.tos_agreed,
             only_return_existing: false,
         }
     }

acmed/src/certificate.rs

@@ -46,6 +46,7 @@ pub struct Certificate {
     pub algo: Algorithm,
     pub kp_reuse: bool,
     pub remote_url: String,
+    pub tos_agreed: bool,
     pub challenge: Challenge,
     pub challenge_hooks: Vec<Hook>,
     pub post_operation_hooks: Vec<Hook>,

acmed/src/config.rs

@@ -118,10 +118,11 @@ pub struct GlobalOptions {
     pub pk_file_group: Option<String>,
 }
 
-#[derive(Deserialize)]
+#[derive(Clone, Deserialize)]
 pub struct Endpoint {
     pub name: String,
     pub url: String,
+    pub tos_agreed: bool,
 }
 
 #[derive(Deserialize)]
@@ -223,15 +224,25 @@ impl Certificate {
         crt_directory.to_string()
     }
 
-    pub fn get_remote_url(&self, cnf: &Config) -> Result<String, Error> {
+    fn get_endpoint(&self, cnf: &Config) -> Result<Endpoint, Error> {
         for endpoint in cnf.endpoint.iter() {
             if endpoint.name == self.endpoint {
-                return Ok(endpoint.url.to_owned());
+                return Ok(endpoint.clone());
             }
         }
         Err(format!("{}: unknown endpoint.", self.endpoint).into())
     }
 
+    pub fn get_remote_url(&self, cnf: &Config) -> Result<String, Error> {
+        let ep = self.get_endpoint(cnf)?;
+        Ok(ep.url)
+    }
+
+    pub fn get_tos_agreement(&self, cnf: &Config) -> Result<bool, Error> {
+        let ep = self.get_endpoint(cnf)?;
+        Ok(ep.tos_agreed)
+    }
+
     pub fn get_challenge_hooks(&self, cnf: &Config) -> Result<Vec<hooks::Hook>, Error> {
         get_hooks(&self.challenge_hooks, cnf)
     }

acmed/src/main_event_loop.rs

@@ -22,6 +22,7 @@ impl MainEventLoop {
                 algo: crt.get_algorithm()?,
                 kp_reuse: crt.get_kp_reuse(),
                 remote_url: crt.get_remote_url(&cnf)?,
+                tos_agreed: crt.get_tos_agreement(&cnf)?,
                 challenge: crt.get_challenge()?,
                 challenge_hooks: crt.get_challenge_hooks(&cnf)?,
                 post_operation_hooks: crt.get_post_operation_hooks(&cnf)?,