token-validator: Don't use hardcoded tsig anymore

2021-02-13 18:31:52 +01:00 · 2021-02-13 18:31:52 +01:00 · 331192ccbe
commit 331192ccbe
parent 8a3160da10
2 changed files with 34 additions and 21 deletions
--- a/token-validator/domain.go
+++ b/token-validator/domain.go
@ -15,12 +15,12 @@ import (
 	"git.nemunai.re/lectures/adlin/libadlin"
 )
-const (
+var (
 	ControlSocket = "[2a01:e0a:2b:2250::b]:53"
 	tsigName      = "ddns."
 	tsigSecret    = ""
 )
 var tsigSecret = map[string]string{"ddns.": "so6ZGir4GPAqINNh9U5c3A=="}
 func init() {
 	router.GET("/api/adomains/", apiAuthHandler(func(student adlin.Student, ps httprouter.Params, body []byte) (interface{}, error) {
 		return student.GetAssociatedDomains(), nil
@ -139,9 +139,9 @@ func parseZoneRead(globalDomain string, domain string) (rr []Entry, err error) {
 	t := new(dns.Transfer)
 	m := new(dns.Msg)
-	t.TsigSecret = tsigSecret
+	t.TsigSecret = map[string]string{tsigName: tsigSecret}
 	m.SetAxfr(globalDomain)
-	m.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+	m.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
 	c, err := t.In(m, ControlSocket)
 	if err != nil {
@ -227,8 +227,8 @@ func delAssociatedDomains(student adlin.Student, dn string) (err error) {
 	m1.Remove(rrs)
 	c := new(dns.Client)
-	c.TsigSecret = tsigSecret
+	c.TsigSecret = map[string]string{tsigName: tsigSecret}
-	m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+	m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
 	_, _, err = c.Exchange(m1, ControlSocket)
 	if err != nil {
@ -267,8 +267,8 @@ func AddAssociatedDomains(student adlin.Student, aaaa net.IP) (err error) {
 	m2.Insert([]dns.RR{rrAAAA})
 	c := new(dns.Client)
-	c.TsigSecret = tsigSecret
+	c.TsigSecret = map[string]string{tsigName: tsigSecret}
-	m2.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+	m2.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
 	_, _, err = c.Exchange(m2, ControlSocket)
 	return
@ -314,8 +314,8 @@ func AddNSDelegatedDomain(student adlin.Student, dn string, ttl uint32, ns strin
 		m1.Insert([]dns.RR{rrNS})
 		c := new(dns.Client)
-		c.TsigSecret = tsigSecret
+		c.TsigSecret = map[string]string{tsigName: tsigSecret}
-		m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+		m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
 		_, _, err = c.Exchange(m1, ControlSocket)
 	}
@ -342,8 +342,8 @@ func UpdateNSDelegatedDomain(student adlin.Student, dn string, ttl uint32, oldns
 		m1.Insert([]dns.RR{rrNS})
 		c := new(dns.Client)
-		c.TsigSecret = tsigSecret
+		c.TsigSecret = map[string]string{tsigName: tsigSecret}
-		m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+		m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
 		_, _, err = c.Exchange(m1, ControlSocket)
 	}
@ -379,8 +379,8 @@ func AddGLUEDelegatedDomain(student adlin.Student, dn string, ttl uint32, aaaa s
 	m1.Insert([]dns.RR{rr})
 	c := new(dns.Client)
-	c.TsigSecret = tsigSecret
+	c.TsigSecret = map[string]string{tsigName: tsigSecret}
-	m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+	m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
 	_, _, err = c.Exchange(m1, ControlSocket)
@ -422,8 +422,8 @@ func UpdateGLUEDelegatedDomain(student adlin.Student, dn string, ttl uint32, old
 	m1.Insert([]dns.RR{rr})
 	c := new(dns.Client)
-	c.TsigSecret = tsigSecret
+	c.TsigSecret = map[string]string{tsigName: tsigSecret}
-	m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+	m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
 	_, _, err = c.Exchange(m1, ControlSocket)
 	return
@ -472,8 +472,8 @@ func AddDSDelegatedDomain(student adlin.Student, dn string, ttl uint32, rdata st
 	m1.Insert([]dns.RR{ds})
 	c := new(dns.Client)
-	c.TsigSecret = tsigSecret
+	c.TsigSecret = map[string]string{tsigName: tsigSecret}
-	m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+	m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
 	_, _, err = c.Exchange(m1, ControlSocket)
 	return
@ -506,8 +506,8 @@ func DeleteRRDelegatedDomain(student adlin.Student, dn string, rr string, values
 	m1.Remove([]dns.RR{rrr})
 	c := new(dns.Client)
-	c.TsigSecret = tsigSecret
+	c.TsigSecret = map[string]string{tsigName: tsigSecret}
-	m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+	m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
 	_, _, err = c.Exchange(m1, ControlSocket)
--- a/token-validator/main.go
+++ b/token-validator/main.go
@ -59,12 +59,25 @@ func StripPrefix(prefix string, h http.Handler) http.Handler {
 }
 func main() {
 	if v, exists := os.LookupEnv("ADLIN_NS_HOST"); exists {
 		ControlSocket = v
 	}
 	if v, exists := os.LookupEnv("ADLIN_TSIG_NAME"); exists {
 		tsigName = v
 	}
 	if v, exists := os.LookupEnv("ADLIN_TSIG_SECRET"); exists {
 		tsigSecret = v
 	}
 	var bind = flag.String("bind", ":8081", "Bind port/socket")
 	var dsn = flag.String("dsn", adlin.DSNGenerator(), "DSN to connect to the MySQL server")
 	flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
 	flag.StringVar(&adlin.SharedSecret, "sharedsecret", "adelina", "secret used to communicate with remote validator")
 	flag.StringVar(&AuthorizedKeysLocation, "authorizedkeyslocation", AuthorizedKeysLocation, "File for allowing user to SSH to the machine")
 	flag.StringVar(&SshPiperLocation, "sshPiperLocation", SshPiperLocation, "Directory containing directories for sshpiperd")
 	flag.StringVar(&ControlSocket, "ns-host", ControlSocket, "Host:port of the nameserver to use")
 	flag.StringVar(&tsigName, "tsig-name", tsigName, "TSIG name to use to contact NS")
 	flag.StringVar(&tsigSecret, "tsig-secret", tsigSecret, "TSIG secret to use to contact NS")
 	var dummyauth = flag.Bool("dummyauth", false, "don't perform password check")
 	flag.Parse()