Create a usecase from API to extract domain creation on provider

Fixes a security issue where a user can create a domain on a provider while DisableProviders option was set
2025-06-09 10:45:46 +02:00 · 2025-06-09 10:45:46 +02:00 · ce91b49a73
commit ce91b49a73
parent b0e0ab6d9e
5 changed files with 84 additions and 33 deletions
--- a/internal/api/controller/provider.go
+++ b/internal/api/controller/provider.go
@ -246,23 +246,12 @@ func (pc *ProviderController) GetDomainsHostedByProvider(c *gin.Context) {
 //	@Failure		401	{object}	happydns.ErrorResponse	"Authentication failure"
 //	@Failure		404	{object}	happydns.ErrorResponse	"Provider not found"
 //	@Router			/providers/{providerId}/domains/{fqdn} [get]
-func (pc *ProviderController) CreateDomainsOnProvider(c *gin.Context) {
+func (pc *ProviderController) CreateDomainOnProvider(c *gin.Context) {
 	provider := c.MustGet("provider").(*happydns.Provider)
-	p, err := provider.InstantiateProvider()
+	err := pc.providerService.CreateDomainOnProvider(provider, c.Param("fqdn"))
 	if err != nil {
-		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": fmt.Sprintf("Unable to instantiate the provider: %s", err.Error())})
+		middleware.ErrorResponse(c, http.StatusBadRequest, err)
 		return
 	}
 	if !p.CanCreateDomain() {
 		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": "Provider doesn't support domain creation."})
 		return
 	}
 	err = p.CreateDomain(c.Param("fqdn"))
 	if err != nil {
 		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
 		return
 	}
--- a/internal/api/route/provider.go
+++ b/internal/api/route/provider.go
@ -47,5 +47,5 @@ func DeclareProviderRoutes(router *gin.RouterGroup, dependancies happydns.Usecas
 	apiProviderRoutes.PUT("", pc.UpdateProvider)
 	apiProviderRoutes.GET("/domains", pc.GetDomainsHostedByProvider)
-	apiProviderRoutes.POST("/domains/:fqdn", pc.CreateDomainsOnProvider)
+	apiProviderRoutes.POST("/domains/:fqdn", pc.CreateDomainOnProvider)
 }
--- a/internal/usecase/provider/create_domain.go
+++ b/internal/usecase/provider/create_domain.go
@ -0,0 +1,47 @@
 // This file is part of the happyDomain (R) project.
 // Copyright (c) 2020-2025 happyDomain
 // Authors: Pierre-Olivier Mercier, et al.
 //
 // This program is offered under a commercial and under the AGPL license.
 // For commercial licensing, contact us at <contact@happydomain.org>.
 //
 // For AGPL licensing:
 // This program is free software: you can redistribute it and/or modify
 // it under the terms of the GNU Affero General Public License as published by
 // the Free Software Foundation, either version 3 of the License, or
 // (at your option) any later version.
 //
 // This program is distributed in the hope that it will be useful,
 // but WITHOUT ANY WARRANTY; without even the implied warranty of
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 // GNU Affero General Public License for more details.
 //
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <https://www.gnu.org/licenses/>.
 package provider
 import (
 	"fmt"
 	"git.happydns.org/happyDomain/model"
 )
 type CreateDomainOnProviderUsecase struct{}
 func NewCreateDomainOnProviderUsecase() *CreateDomainOnProviderUsecase {
 	return &CreateDomainOnProviderUsecase{}
 }
 func (uc *CreateDomainOnProviderUsecase) Create(provider *happydns.Provider, fqdn string) error {
 	p, err := provider.InstantiateProvider()
 	if err != nil {
 		return fmt.Errorf("unable to instantiate the provider: %w", err)
 	}
 	if !p.CanCreateDomain() {
 		return fmt.Errorf("the provider doesn't support domain creation")
 	}
 	return p.CreateDomain(fqdn)
 }
--- a/internal/usecase/provider/factory.go
+++ b/internal/usecase/provider/factory.go
@ -26,15 +26,16 @@ import (
 )
 type Service struct {
-	CreateProviderUC    *CreateProviderUsecase
+	CreateProviderUC         *CreateProviderUsecase
-	DeleteProviderUC    *DeleteProviderUsecase
+	CreateDomainOnProviderUC *CreateDomainOnProviderUsecase
-	UpdateProviderUC    *UpdateProviderUsecase
+	DeleteProviderUC         *DeleteProviderUsecase
-	ListHostedDomainsUC *ListHostedDomainsUsecase
+	UpdateProviderUC         *UpdateProviderUsecase
-	GetProviderUC       *GetProviderUsecase
+	ListHostedDomainsUC      *ListHostedDomainsUsecase
-	ListProvidersUC     *ListProvidersUsecase
+	GetProviderUC            *GetProviderUsecase
-	RetrieveZoneUC      *ZoneRetrieverUsecase
+	ListProvidersUC          *ListProvidersUsecase
-	ZoneCorrectionsUC   *ZoneCorrectorUsecase
+	RetrieveZoneUC           *ZoneRetrieverUsecase
-	DomainExistenceUC   *DomainExistenceUsecase
+	ZoneCorrectionsUC        *ZoneCorrectorUsecase
 	DomainExistenceUC        *DomainExistenceUsecase
 }
 func NewProviderUsecases(store ProviderStorage) *Service {
@ -42,15 +43,16 @@ func NewProviderUsecases(store ProviderStorage) *Service {
 	validator := &DefaultProviderValidator{}
 	return &Service{
-		CreateProviderUC:    NewCreateProviderUsecase(store, validator),
+		CreateProviderUC:         NewCreateProviderUsecase(store, validator),
-		DeleteProviderUC:    NewDeleteProviderUsecase(store),
+		CreateDomainOnProviderUC: NewCreateDomainOnProviderUsecase(),
-		UpdateProviderUC:    NewUpdateProviderUsecase(store, getProvider, validator),
+		DeleteProviderUC:         NewDeleteProviderUsecase(store),
-		ListHostedDomainsUC: NewListHostedDomainsUsecase(),
+		UpdateProviderUC:         NewUpdateProviderUsecase(store, getProvider, validator),
-		GetProviderUC:       getProvider,
+		ListHostedDomainsUC:      NewListHostedDomainsUsecase(),
-		ListProvidersUC:     NewListProvidersUsecase(store),
+		GetProviderUC:            getProvider,
-		RetrieveZoneUC:      NewZoneRetrieverUsecase(),
+		ListProvidersUC:          NewListProvidersUsecase(store),
-		ZoneCorrectionsUC:   NewZoneCorrectorUsecase(),
+		RetrieveZoneUC:           NewZoneRetrieverUsecase(),
-		DomainExistenceUC:   NewDomainExistenceUsecase(),
+		ZoneCorrectionsUC:        NewZoneCorrectorUsecase(),
 		DomainExistenceUC:        NewDomainExistenceUsecase(),
 	}
 }
@ -58,6 +60,10 @@ func (s *Service) CreateProvider(user *happydns.User, msg *happydns.ProviderMess
 	return s.CreateProviderUC.Create(user, msg)
 }
 func (s *Service) CreateDomainOnProvider(provider *happydns.Provider, fqdn string) error {
 	return s.CreateDomainOnProviderUC.Create(provider, fqdn)
 }
 func (s *Service) DeleteProvider(user *happydns.User, providerID happydns.Identifier) error {
 	return s.DeleteProviderUC.Delete(user, providerID)
 }
@ -119,6 +125,14 @@ func (s *RestrictedService) CreateProvider(user *happydns.User, msg *happydns.Pr
 	return s.Service.CreateProvider(user, msg)
 }
 func (s *RestrictedService) CreateDomainOnProvider(provider *happydns.Provider, fqdn string) error {
 	if s.config.DisableProviders {
 		return happydns.ForbiddenError{Msg: "cannot create domain on provider as DisableProviders parameter is set."}
 	}
 	return s.Service.CreateDomainOnProvider(provider, fqdn)
 }
 func (s *RestrictedService) DeleteProvider(user *happydns.User, providerID happydns.Identifier) error {
 	if s.config.DisableProviders {
 		return happydns.ForbiddenError{Msg: "cannot delete provider as DisableProviders parameter is set."}
--- a/model/provider.go
+++ b/model/provider.go
@ -124,6 +124,7 @@ func (p *Provider) Meta() *ProviderMeta {
 type ProviderUsecase interface {
 	CreateProvider(*User, *ProviderMessage) (*Provider, error)
 	CreateDomainOnProvider(*Provider, string) error
 	DeleteProvider(*User, Identifier) error
 	GetUserProvider(*User, Identifier) (*Provider, error)
 	GetUserProviderMeta(*User, Identifier) (*ProviderMeta, error)