checker-dane/checker/interactive.go

//go:build standalone

package checker

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"

	"github.com/miekg/dns"

	sdk "git.happydns.org/checker-sdk-go/checker"
	tls "git.happydns.org/checker-tls/checker"
)

// resolverEnvVar names the environment variable that points at the
// DNSSEC-validating resolver this checker queries. The operator MUST point
// this at a trusted, validating resolver (typically 127.0.0.1:53 backed by
// Unbound, BIND, or Knot Resolver). DANE without DNSSEC validation is a
// downgrade primitive: an on-path attacker can forge TLSA responses. To
// fail loudly rather than silently insecure, lookupTLSA returns an error
// when no validating resolver is configured.
const resolverEnvVar = "DANE_CHECKER_RESOLVER"

// dnsClientTimeout bounds each TLSA exchange so a black-holing resolver
// cannot tie up server goroutines indefinitely on the public listener.
const dnsClientTimeout = 5 * time.Second

// tlsaLookup fetches TLSA records for owner via the system resolver and
// reports whether the resolver cryptographically validated the answer
// (AD bit set). It is a package variable so tests can swap it for a
// fixture. The context bounds the underlying DNS exchange so a slow or
// hung resolver cannot outlive the originating HTTP request on the
// public listener.
var tlsaLookup = lookupTLSA

// RenderForm lets a human run this checker standalone. The form only
// collects the endpoint coordinates; the expected TLSA records are read
// from DNS by ParseForm and the live certificate is fetched in-process by
// the SDK running checker-tls as a sibling (see RelatedProviders).
func (p *daneProvider) RenderForm() []sdk.CheckerOptionField {
	return []sdk.CheckerOptionField{
		{Id: OptionDomain, Type: "string", Label: "Domain", Placeholder: "example.com", Required: true},
		{Id: "port", Type: "uint", Label: "Port", Default: float64(443), Required: true},
		{Id: "proto", Type: "string", Label: "Protocol", Choices: []string{"tcp", "udp"}, Default: "tcp"},
		{
			Id:          "starttls",
			Type:        "string",
			Label:       "STARTTLS override",
			Description: "Leave empty to auto-derive from port (25→smtp, 587→submission, 143→imap, …).",
		},
		{
			Id:          OptionProbeTimeoutMs,
			Type:        "uint",
			Label:       "Probe timeout (ms)",
			Default:     float64(tls.DefaultProbeTimeoutMs),
			Description: "Forwarded to checker-tls for the live probe.",
		},
	}
}

// ParseForm turns the submitted endpoint into the same CheckerOptions
// shape happyDomain would feed Collect. The TLSA RRset expected by
// Collect is resolved live from DNS at _<port>._<proto>.<domain>; if
// nothing is published there, no validation is possible and the form is
// re-rendered with the error.
func (p *daneProvider) ParseForm(r *http.Request) (sdk.CheckerOptions, error) {
	domain := strings.TrimSuffix(strings.TrimSpace(r.FormValue(OptionDomain)), ".")
	if domain == "" {
		return nil, errors.New("domain is required")
	}
	portStr := strings.TrimSpace(r.FormValue("port"))
	if portStr == "" {
		return nil, errors.New("port is required")
	}
	port64, err := strconv.ParseUint(portStr, 10, 16)
	if err != nil || port64 == 0 {
		return nil, fmt.Errorf("invalid port %q: must be 1-65535", portStr)
	}
	port := uint16(port64)
	proto := strings.TrimSpace(r.FormValue("proto"))
	if proto == "" {
		proto = "tcp"
	}
	if proto != "tcp" && proto != "udp" {
		return nil, fmt.Errorf("invalid protocol %q: must be tcp or udp", proto)
	}

	owner := tlsaOwnerName(port, proto, domain)
	records, validated, err := tlsaLookup(r.Context(), owner)
	if err != nil {
		return nil, fmt.Errorf("TLSA lookup for %s: %w", owner, err)
	}
	if len(records) == 0 {
		return nil, fmt.Errorf("no TLSA records found at %s", owner)
	}

	tlsaEntries := make([]map[string]any, 0, len(records))
	for _, t := range records {
		tlsaEntries = append(tlsaEntries, map[string]any{
			"Hdr":          map[string]any{"Name": owner},
			"Usage":        t.Usage,
			"Selector":     t.Selector,
			"MatchingType": t.MatchingType,
			"Certificate":  strings.ToLower(t.Certificate),
		})
	}
	body, err := json.Marshal(map[string]any{"tlsa": tlsaEntries})
	if err != nil {
		return nil, fmt.Errorf("marshal TLSAs service: %w", err)
	}

	opts := sdk.CheckerOptions{
		OptionDomain: domain,
		OptionService: serviceMessage{
			Type:    serviceType,
			Domain:  domain,
			Service: body,
		},
	}

	if s := strings.TrimSpace(r.FormValue("starttls")); s != "" {
		opts[OptionSTARTTLS] = map[string]string{
			starttlsKey(port, proto): s,
		}
	}
	if v := strings.TrimSpace(r.FormValue(OptionProbeTimeoutMs)); v != "" {
		if n, err := strconv.Atoi(v); err == nil && n > 0 {
			opts[OptionProbeTimeoutMs] = float64(n)
		}
	}
	opts[OptionDNSSECValidated] = validated
	return opts, nil
}

// RelatedProviders declares checker-tls as the sibling the SDK should run
// in-process during the interactive flow. The SDK harvests the discovery
// entries this checker publishes via DiscoverEntries and auto-fills
// checker-tls's OptionEndpoints (the option tagged
// sdk.AutoFillDiscoveryEntries in its definition), so the probe map the
// rule reads via GetRelated is populated with live data.
func (p *daneProvider) RelatedProviders() []sdk.ObservationProvider {
	return []sdk.ObservationProvider{tls.Provider()}
}

// lookupTLSA queries the configured DNSSEC-validating resolver for TLSA
// records at owner. The second return reports whether the resolver
// cryptographically validated the response (AD bit set). Callers must
// treat unvalidated answers as untrusted: a DANE "match" against
// records that lack DNSSEC protection is meaningless because an on-path
// attacker could have injected them. The records are still returned so
// the absence of validation surfaces as a check rule failure rather
// than a hard error that aborts the whole evaluation.
func lookupTLSA(ctx context.Context, owner string) ([]*dns.TLSA, bool, error) {
	resolver, err := interactiveResolver()
	if err != nil {
		return nil, false, err
	}
	msg := new(dns.Msg)
	msg.SetQuestion(dns.Fqdn(owner), dns.TypeTLSA)
	msg.RecursionDesired = true
	// AuthenticDataRequired = true asks the resolver to set AD on validated
	// answers; SetEdns0 with do=true requests DNSSEC RRs.
	msg.AuthenticatedData = true
	msg.SetEdns0(4096, true)

	c := &dns.Client{Timeout: dnsClientTimeout}
	in, _, err := c.ExchangeContext(ctx, msg, resolver)
	if err != nil {
		return nil, false, err
	}
	if in.Rcode != dns.RcodeSuccess && in.Rcode != dns.RcodeNameError {
		return nil, false, fmt.Errorf("rcode %s", dns.RcodeToString[in.Rcode])
	}
	var out []*dns.TLSA
	for _, rr := range in.Answer {
		if t, ok := rr.(*dns.TLSA); ok {
			out = append(out, t)
		}
	}
	return out, in.AuthenticatedData, nil
}

// interactiveResolver returns the address of the trusted, DNSSEC-validating
// resolver this checker should use. It refuses to silently fall back to a
// public plaintext resolver: that path is a downgrade vector and would make
// every "validation" trivially spoofable on a hostile network. The operator
// must opt in by setting DANE_CHECKER_RESOLVER (e.g. "127.0.0.1:53") or
// providing an /etc/resolv.conf entry that explicitly points at a local
// validating resolver.
func interactiveResolver() (string, error) {
	if v := strings.TrimSpace(os.Getenv(resolverEnvVar)); v != "" {
		// Accept either "host" (port defaults to 53) or "host:port".
		if _, _, err := net.SplitHostPort(v); err != nil {
			v = net.JoinHostPort(v, "53")
		}
		return v, nil
	}
	cfg, err := dns.ClientConfigFromFile("/etc/resolv.conf")
	if err != nil || len(cfg.Servers) == 0 {
		return "", fmt.Errorf("no DNSSEC-validating resolver configured: set %s to a trusted validator (e.g. 127.0.0.1:53)", resolverEnvVar)
	}
	return net.JoinHostPort(cfg.Servers[0], cfg.Port), nil
}