token-validator: Don't use hardcoded tsig anymore
This commit is contained in:
parent
8a3160da10
commit
331192ccbe
@ -15,12 +15,12 @@ import (
|
|||||||
"git.nemunai.re/lectures/adlin/libadlin"
|
"git.nemunai.re/lectures/adlin/libadlin"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
var (
|
||||||
ControlSocket = "[2a01:e0a:2b:2250::b]:53"
|
ControlSocket = "[2a01:e0a:2b:2250::b]:53"
|
||||||
|
tsigName = "ddns."
|
||||||
|
tsigSecret = ""
|
||||||
)
|
)
|
||||||
|
|
||||||
var tsigSecret = map[string]string{"ddns.": "so6ZGir4GPAqINNh9U5c3A=="}
|
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
router.GET("/api/adomains/", apiAuthHandler(func(student adlin.Student, ps httprouter.Params, body []byte) (interface{}, error) {
|
router.GET("/api/adomains/", apiAuthHandler(func(student adlin.Student, ps httprouter.Params, body []byte) (interface{}, error) {
|
||||||
return student.GetAssociatedDomains(), nil
|
return student.GetAssociatedDomains(), nil
|
||||||
@ -139,9 +139,9 @@ func parseZoneRead(globalDomain string, domain string) (rr []Entry, err error) {
|
|||||||
t := new(dns.Transfer)
|
t := new(dns.Transfer)
|
||||||
|
|
||||||
m := new(dns.Msg)
|
m := new(dns.Msg)
|
||||||
t.TsigSecret = tsigSecret
|
t.TsigSecret = map[string]string{tsigName: tsigSecret}
|
||||||
m.SetAxfr(globalDomain)
|
m.SetAxfr(globalDomain)
|
||||||
m.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
|
m.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
|
||||||
|
|
||||||
c, err := t.In(m, ControlSocket)
|
c, err := t.In(m, ControlSocket)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -227,8 +227,8 @@ func delAssociatedDomains(student adlin.Student, dn string) (err error) {
|
|||||||
m1.Remove(rrs)
|
m1.Remove(rrs)
|
||||||
|
|
||||||
c := new(dns.Client)
|
c := new(dns.Client)
|
||||||
c.TsigSecret = tsigSecret
|
c.TsigSecret = map[string]string{tsigName: tsigSecret}
|
||||||
m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
|
m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
|
||||||
|
|
||||||
_, _, err = c.Exchange(m1, ControlSocket)
|
_, _, err = c.Exchange(m1, ControlSocket)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -267,8 +267,8 @@ func AddAssociatedDomains(student adlin.Student, aaaa net.IP) (err error) {
|
|||||||
m2.Insert([]dns.RR{rrAAAA})
|
m2.Insert([]dns.RR{rrAAAA})
|
||||||
|
|
||||||
c := new(dns.Client)
|
c := new(dns.Client)
|
||||||
c.TsigSecret = tsigSecret
|
c.TsigSecret = map[string]string{tsigName: tsigSecret}
|
||||||
m2.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
|
m2.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
|
||||||
|
|
||||||
_, _, err = c.Exchange(m2, ControlSocket)
|
_, _, err = c.Exchange(m2, ControlSocket)
|
||||||
return
|
return
|
||||||
@ -314,8 +314,8 @@ func AddNSDelegatedDomain(student adlin.Student, dn string, ttl uint32, ns strin
|
|||||||
m1.Insert([]dns.RR{rrNS})
|
m1.Insert([]dns.RR{rrNS})
|
||||||
|
|
||||||
c := new(dns.Client)
|
c := new(dns.Client)
|
||||||
c.TsigSecret = tsigSecret
|
c.TsigSecret = map[string]string{tsigName: tsigSecret}
|
||||||
m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
|
m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
|
||||||
|
|
||||||
_, _, err = c.Exchange(m1, ControlSocket)
|
_, _, err = c.Exchange(m1, ControlSocket)
|
||||||
}
|
}
|
||||||
@ -342,8 +342,8 @@ func UpdateNSDelegatedDomain(student adlin.Student, dn string, ttl uint32, oldns
|
|||||||
m1.Insert([]dns.RR{rrNS})
|
m1.Insert([]dns.RR{rrNS})
|
||||||
|
|
||||||
c := new(dns.Client)
|
c := new(dns.Client)
|
||||||
c.TsigSecret = tsigSecret
|
c.TsigSecret = map[string]string{tsigName: tsigSecret}
|
||||||
m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
|
m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
|
||||||
|
|
||||||
_, _, err = c.Exchange(m1, ControlSocket)
|
_, _, err = c.Exchange(m1, ControlSocket)
|
||||||
}
|
}
|
||||||
@ -379,8 +379,8 @@ func AddGLUEDelegatedDomain(student adlin.Student, dn string, ttl uint32, aaaa s
|
|||||||
m1.Insert([]dns.RR{rr})
|
m1.Insert([]dns.RR{rr})
|
||||||
|
|
||||||
c := new(dns.Client)
|
c := new(dns.Client)
|
||||||
c.TsigSecret = tsigSecret
|
c.TsigSecret = map[string]string{tsigName: tsigSecret}
|
||||||
m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
|
m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
|
||||||
|
|
||||||
_, _, err = c.Exchange(m1, ControlSocket)
|
_, _, err = c.Exchange(m1, ControlSocket)
|
||||||
|
|
||||||
@ -422,8 +422,8 @@ func UpdateGLUEDelegatedDomain(student adlin.Student, dn string, ttl uint32, old
|
|||||||
m1.Insert([]dns.RR{rr})
|
m1.Insert([]dns.RR{rr})
|
||||||
|
|
||||||
c := new(dns.Client)
|
c := new(dns.Client)
|
||||||
c.TsigSecret = tsigSecret
|
c.TsigSecret = map[string]string{tsigName: tsigSecret}
|
||||||
m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
|
m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
|
||||||
|
|
||||||
_, _, err = c.Exchange(m1, ControlSocket)
|
_, _, err = c.Exchange(m1, ControlSocket)
|
||||||
return
|
return
|
||||||
@ -472,8 +472,8 @@ func AddDSDelegatedDomain(student adlin.Student, dn string, ttl uint32, rdata st
|
|||||||
m1.Insert([]dns.RR{ds})
|
m1.Insert([]dns.RR{ds})
|
||||||
|
|
||||||
c := new(dns.Client)
|
c := new(dns.Client)
|
||||||
c.TsigSecret = tsigSecret
|
c.TsigSecret = map[string]string{tsigName: tsigSecret}
|
||||||
m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
|
m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
|
||||||
|
|
||||||
_, _, err = c.Exchange(m1, ControlSocket)
|
_, _, err = c.Exchange(m1, ControlSocket)
|
||||||
return
|
return
|
||||||
@ -506,8 +506,8 @@ func DeleteRRDelegatedDomain(student adlin.Student, dn string, rr string, values
|
|||||||
m1.Remove([]dns.RR{rrr})
|
m1.Remove([]dns.RR{rrr})
|
||||||
|
|
||||||
c := new(dns.Client)
|
c := new(dns.Client)
|
||||||
c.TsigSecret = tsigSecret
|
c.TsigSecret = map[string]string{tsigName: tsigSecret}
|
||||||
m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
|
m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
|
||||||
|
|
||||||
_, _, err = c.Exchange(m1, ControlSocket)
|
_, _, err = c.Exchange(m1, ControlSocket)
|
||||||
|
|
||||||
|
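Review bot: Every `c.TsigSecret = map[string]string{tsigName: tsigSecret}` line in this file (parseZoneRead's `t.TsigSecret`, then delAssociatedDomains, AddAssociatedDomains, AddNSDelegatedDomain, UpdateNSDelegatedDomain, AddGLUEDelegatedDomain, UpdateGLUEDelegatedDomain, AddDSDelegatedDomain and DeleteRRDelegatedDomain) now signs with whatever `tsigSecret` holds, and its new default is `""`, so an instance started without ADLIN_TSIG_SECRET/-tsig-secret sends every AXFR and update with an empty HMAC key and only learns of the misconfiguration from the nameserver's rejection; the secret should be checked once at startup rather than discovered per exchange. The nine identical map literals are also a style point: a helper such as `func tsigSecrets() map[string]string { return map[string]string{tsigName: tsigSecret} }` gives one place to build the map and keeps the key under `SetTsig(tsigName, …)` and the map key guaranteed identical. The removed `var tsigSecret = map[string]string{"ddns.": …}` line carried a live key in source; it stays in history after this commit, so the corresponding key on the nameserver should be rotated, which this change does not cover.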
@ -59,12 +59,25 @@ func StripPrefix(prefix string, h http.Handler) http.Handler {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
if v, exists := os.LookupEnv("ADLIN_NS_HOST"); exists {
|
||||||
|
ControlSocket = v
|
||||||
|
}
|
||||||
|
if v, exists := os.LookupEnv("ADLIN_TSIG_NAME"); exists {
|
||||||
|
tsigName = v
|
||||||
|
}
|
||||||
|
if v, exists := os.LookupEnv("ADLIN_TSIG_SECRET"); exists {
|
||||||
|
tsigSecret = v
|
||||||
|
}
|
||||||
|
|
||||||
var bind = flag.String("bind", ":8081", "Bind port/socket")
|
var bind = flag.String("bind", ":8081", "Bind port/socket")
|
||||||
var dsn = flag.String("dsn", adlin.DSNGenerator(), "DSN to connect to the MySQL server")
|
var dsn = flag.String("dsn", adlin.DSNGenerator(), "DSN to connect to the MySQL server")
|
||||||
flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
|
flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
|
||||||
flag.StringVar(&adlin.SharedSecret, "sharedsecret", "adelina", "secret used to communicate with remote validator")
|
flag.StringVar(&adlin.SharedSecret, "sharedsecret", "adelina", "secret used to communicate with remote validator")
|
||||||
flag.StringVar(&AuthorizedKeysLocation, "authorizedkeyslocation", AuthorizedKeysLocation, "File for allowing user to SSH to the machine")
|
flag.StringVar(&AuthorizedKeysLocation, "authorizedkeyslocation", AuthorizedKeysLocation, "File for allowing user to SSH to the machine")
|
||||||
flag.StringVar(&SshPiperLocation, "sshPiperLocation", SshPiperLocation, "Directory containing directories for sshpiperd")
|
flag.StringVar(&SshPiperLocation, "sshPiperLocation", SshPiperLocation, "Directory containing directories for sshpiperd")
|
||||||
|
flag.StringVar(&ControlSocket, "ns-host", ControlSocket, "Host:port of the nameserver to use")
|
||||||
|
flag.StringVar(&tsigName, "tsig-name", tsigName, "TSIG name to use to contact NS")
|
||||||
|
flag.StringVar(&tsigSecret, "tsig-secret", tsigSecret, "TSIG secret to use to contact NS")
|
||||||
var dummyauth = flag.Bool("dummyauth", false, "don't perform password check")
|
var dummyauth = flag.Bool("dummyauth", false, "don't perform password check")
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
|
|
||||||
|
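Review bot: The new configuration is never validated: nothing between the `os.LookupEnv("ADLIN_TSIG_SECRET")` block and `flag.Parse()` fails when `tsigSecret` is still the empty-string default or when `tsigName` lacks the trailing dot the existing defaults (`"ddns."`, `"rndc-key."`) carry, so a misconfigured instance starts cleanly and every DNS update is rejected later by the nameserver. A check after `flag.Parse()` (sketch below) catches both; `log`, `encoding/base64` and the miekg `dns` package would have to be in main.go's import block if they are not already, which this hunk does not show. The `-tsig-secret` flag also exposes the secret in two places: it is visible in the process list to anyone on the host, and because the flag's default is the value already read from the environment, `-help` prints it as `(default "…")`; registering the flag with an empty default into a separate variable and copying it into `tsigSecret` only when non-empty avoids the second leak. main() continues past the end of this hunk.
```go
flag.Parse()

tsigName = dns.Fqdn(tsigName)
if tsigSecret == "" {
	log.Fatal("no TSIG secret configured: set ADLIN_TSIG_SECRET or -tsig-secret")
}
if _, err := base64.StdEncoding.DecodeString(tsigSecret); err != nil {
	log.Fatalf("invalid TSIG secret (expected base64): %v", err)
}
```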