From 65dd0d51ca3452980e6762882456573556f40a14 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Fri, 29 Apr 2022 22:34:12 +0200
Subject: [PATCH] checker: Test SNAT configuration on HTTPonIP
---
 checker/checker.go | 96 ++++++++++++++++++++++++++++++++++++++--------
 libadlin/tunnel.go | 4 ++
 2 files changed, 83 insertions(+), 17 deletions(-)
diff --git a/checker/checker.go b/checker/checker.go
index eea975c..fb02729 100644
--- a/checker/checker.go
+++ b/checker/checker.go
@@ -658,11 +658,31 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
 if glueErr != nil {
 std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr))
 } else if err := check_http(addr.String(), std.MyDelegatedDomain()); err == nil {
- if verbose {
- log.Printf("%s just unlocked HTTP challenge\n", std.Login)
- }
- if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonDelegatedDomain], ""); err != nil {
- log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ if tunnel_version == 3 {
+ // Try port 80 on miniflux => should not respond if SNAT is correctly configured
+ minifluxIP := tun.GetServerIP(6)
+ if err := check_http(minifluxIP, std.MyDelegatedDomain()); err == nil {
+ if verbose {
+ log.Printf("%s and HTTP (with DNS ip=%s): %s\n", std.Login, addr.String(), "Bad SNAT config")
+ }
+ if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], fmt.Errorf("Your SNAT on IPv6 is badly configured. See HTTP IP result.")); errreg != nil {
+ log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
+ }
+ } else {
+ if verbose {
+ log.Printf("%s just unlocked HTTP challenge\n", std.Login)
+ }
+ if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonDelegatedDomain], ""); err != nil {
+ log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ }
+ }
+ } else {
+ if verbose {
+ log.Printf("%s just unlocked HTTP challenge\n", std.Login)
+ }
+ if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonDelegatedDomain], ""); err != nil {
+ log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ }
 }
 } else {
 std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], err)
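Review bot: The unlock sequence (`if verbose { log.Printf("%s just unlocked HTTP challenge\n", std.Login) }` followed by the `std.UnlockChallenge(...)` call) is now copied verbatim into both the inner else-branch of `if tunnel_version == 3` and the outer else-branch, and the HTTPS hunk and the HTTP-on-IP hunk repeat the same pattern, so a future change to the unlock path has to be made six times. Running the SNAT probe only for `tunnel_version == 3`, recording its outcome in a local flag and keeping a single unlock path removes the duplication without changing behaviour, as sketched below. The literal `6` handed to `tun.GetServerIP` also appears in all three hunks; a named constant next to the other server identifiers (e.g. `minifluxHostSuffix`) would document which host is being probed, and since GetServerIP builds the address by appending that hex digit to the student prefix string, the constant is also the natural place to note that assumption. studentChecker starts and ends outside the hunk.
```go
} else if err := check_http(addr.String(), std.MyDelegatedDomain()); err == nil {
	snatLeak := false
	if tunnel_version == 3 {
		// Try port 80 on miniflux => should not respond if SNAT is correctly configured
		minifluxIP := tun.GetServerIP(6)
		if err := check_http(minifluxIP, std.MyDelegatedDomain()); err == nil {
			snatLeak = true
			if verbose {
				log.Printf("%s and HTTP (with DNS ip=%s): %s\n", std.Login, addr.String(), "Bad SNAT config")
			}
			if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonDelegatedDomain], fmt.Errorf("Your SNAT on IPv6 is badly configured. See HTTP IP result.")); errreg != nil {
				log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
			}
		}
	}
	if !snatLeak {
		// Single unlock path: tunnel_version 3 with a clean probe, or any older version.
		if verbose {
			log.Printf("%s just unlocked HTTP challenge\n", std.Login)
		}
		if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonDelegatedDomain], ""); err != nil {
			log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
		}
	}
```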
@@ -675,13 +695,35 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
 if glueErr != nil {
 std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonDelegatedDomain], fmt.Errorf("Unable to perform the test due to GLUE problem: %w", glueErr))
 } else if err := check_https(std.MyDelegatedDomain(), addr.String()); err == nil {
- snicheck1 = true
- snicheck1_tested = true
- if verbose {
- log.Printf("%s just unlocked HTTPS challenge\n", std.Login)
- }
- if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSonDelegatedDomain], ""); err != nil {
- log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ if tunnel_version == 3 {
+ // Try port 443 on miniflux => should not respond if SNAT is correctly configured
+ minifluxIP := tun.GetServerIP(6)
+ if err := check_https(std.MyDelegatedDomain(), minifluxIP); err == nil {
+ if verbose {
+ log.Printf("%s and HTTPS (with DNS ip=%s): %s\n", std.Login, addr.String(), "Bad SNAT config")
+ }
+ if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonDelegatedDomain], fmt.Errorf("Your SNAT on IPv6 is badly configured. You should not have SNAT on 443 port.")); errreg != nil {
+ log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
+ }
+ } else {
+ snicheck1 = true
+ snicheck1_tested = true
+ if verbose {
+ log.Printf("%s just unlocked HTTPS challenge\n", std.Login)
+ }
+ if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSonDelegatedDomain], ""); err != nil {
+ log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ }
+ }
+ } else {
+ snicheck1 = true
+ snicheck1_tested = true
+ if verbose {
+ log.Printf("%s just unlocked HTTPS challenge\n", std.Login)
+ }
+ if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSonDelegatedDomain], ""); err != nil {
+ log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ }
 }
 } else {
 snicheck1_tested = true
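Review bot: In the bad-SNAT branch of the HTTPS check (the success path of `check_https(std.MyDelegatedDomain(), minifluxIP)`) neither `snicheck1` nor `snicheck1_tested` is set, while every other outcome of the outer `check_https` marks the test as run (the inner else-branch, the outer else-branch and the trailing `} else { snicheck1_tested = true` context all do). If the SNI follow-up that consumes these flags, outside the hunk, treats a false `snicheck1_tested` as "not run", a student with a leaky SNAT gets a different SNI verdict from one whose HTTPS check simply failed, which looks unintended. Adding `snicheck1_tested = true` at the top of the bad-SNAT branch, leaving `snicheck1` false, keeps the bookkeeping consistent with the existing failure path. This hunk also repeats the duplicated unlock sequence raised on the first hunk. studentChecker starts and ends outside the hunk.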
@@ -752,11 +794,31 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
 // Check HTTP without DNS
 if err := check_http(stdIP, ""); err == nil {
- if verbose {
- log.Printf("%s just unlocked HTTP IP (without DNS) challenge\n", std.Login)
- }
- if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonIP], ""); err != nil {
- log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ if tunnel_version == 3 {
+ // Try port 80 on miniflux => should not respond if SNAT is correctly configured
+ minifluxIP := tun.GetServerIP(6)
+ if err := check_http(minifluxIP, ""); err == nil {
+ if verbose {
+ log.Printf("%s and HTTP IP (without DNS): %s\n", std.Login, "Bad SNAT config")
+ }
+ if errreg := std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonIP], fmt.Errorf("Your SNAT on IPv6 is too large: it seems that all requests to port 80 behind the router are redirected to web host. Eg. [news]:80 should not respond, however it responds with contents.")); errreg != nil {
+ log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
+ }
+ } else {
+ if verbose {
+ log.Printf("%s just unlocked HTTP IP (without DNS) challenge\n", std.Login)
+ }
+ if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonIP], ""); err != nil {
+ log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ }
+ }
+ } else {
+ if verbose {
+ log.Printf("%s just unlocked HTTP IP (without DNS) challenge\n", std.Login)
+ }
+ if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPonIP], ""); err != nil {
+ log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ }
 }
 } else {
 std.RegisterChallengeError(CheckMap[tunnel_version][HTTPonIP], err)
diff --git a/libadlin/tunnel.go b/libadlin/tunnel.go
index 264c602..7cbabe2 100644
--- a/libadlin/tunnel.go
+++ b/libadlin/tunnel.go
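Review bot: The negative probe `check_http(minifluxIP, "")` reuses the helper of the positive check, so for a correctly configured student the packets to the miniflux host are presumably filtered rather than refused and the call only returns once check_http's own timeout (not visible in the hunk) expires; together with the matching probes in the two earlier hunks, every tunnel_version 3 student can now add three such waits to a checker pass, which deserves to be documented or bounded. A comment above the call such as `// Negative probe: a filtered port makes this wait for the full check_http timeout` and, if the helper allows it, a shorter deadline dedicated to the negative probes would make that cost explicit. The HTTP-with-DNS message in the first hunk only says "See HTTP IP result.", so the message registered here is the one that actually explains the misconfiguration; if the HTTP-on-IP check can be skipped for a student (the surrounding code is outside the hunk), that reference points at nothing and the first message should be made self-contained. studentChecker starts and ends outside the hunk.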
@@ -132,6 +132,10 @@ func (tt *TunnelToken) GetStudentIP() string {
 }
 }
+func (tt *TunnelToken) GetServerIP(suffix int) string {
+ return fmt.Sprintf("%s%x", StudentIP(tt.IdStudent).String(), suffix)
+}
+
 func (tt *TunnelToken) GenKeySign() []byte {
 stdprivkey := ed25519.NewKeyFromSeed(tt.token[:ed25519.SeedSize])