checker: deep redesign

2021-03-05 15:14:45 +01:00 · 2021-03-05 15:14:45 +01:00 · 853477e54a
commit 853477e54a
parent 4a27c9367e
4 changed files with 132 additions and 38 deletions
--- a/checker/checker.go
+++ b/checker/checker.go
@ -7,6 +7,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"strings"
 	"time"

 	"github.com/miekg/dns"
@ -102,21 +103,30 @@ func check_dns(domain, ip string) (aaaa net.IP, err error) {

 // PORT 80

-func check_http(ip string) (err error) {
+func check_http(ip, dn string) (err error) {
 	client := &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 	}

+	req, errr := http.NewRequest("GET", fmt.Sprintf("http://[%s]/", ip), nil)
+	if errr != nil {
+		return errr
+	}
+
+	if dn != "" {
+		req.Header.Add("Host", strings.TrimSuffix(dn, "."))
+	}
+
 	var resp *http.Response
-	resp, err = client.Get(fmt.Sprintf("http://[%s]/", ip))
+	resp, err = client.Do(req)
 	if err != nil {
 		return
 	}
 	defer resp.Body.Close()

-	if resp.StatusCode >= 400 {
+	if dn != "" && resp.StatusCode >= 400 {
 		return fmt.Errorf("Bad status, got: %d (%s)", resp.StatusCode, resp.Status)
 	}

@ -128,12 +138,25 @@ func check_http(ip string) (err error) {

 func check_https(domain, ip string) (err error) {
 	var resp *http.Response
-	resp, err = http.Get(fmt.Sprintf("https://%s/", domain))
+	resp, err = http.Get(fmt.Sprintf("https://%s/", strings.TrimSuffix(domain, ".")))
 	if err != nil {
 		return
 	}
 	defer resp.Body.Close()

+	if resp.StatusCode >= 300 && resp.StatusCode < 400 {
+		loc := resp.Header.Get("Location")
+		if loc != "" && strings.HasSuffix(dns.Fqdn(loc), domain) {
+			if dns.Fqdn(loc) == domain {
+				return fmt.Errorf("Redirection loop %s redirect to %s", domain, loc)
+			} else if err = check_https(dns.Fqdn(loc), ip); err != nil {
+				return fmt.Errorf("Error after following redirection to %s: %w", loc, err)
+			} else {
+				return
+			}
+		}
+	}
+
 	if resp.StatusCode >= 300 {
 		return fmt.Errorf("Bad status, got: %d (%s)", resp.StatusCode, resp.Status)
 	}
@ -212,26 +235,25 @@ func studentsChecker() {
 					if verbose {
 						log.Printf("%s just unlocked DNS challenge\n", std.Login)
 					}
-					if _, err := std.UnlockNewChallenge(100*(tunnel_version-1)+2, ""); err != nil {
-						if _, err := std.UpdateUnlockedChallenge(100*(tunnel_version-1)+2, ""); err != nil {
-							log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
-						}
+					if _, err := std.UnlockChallenge(100*(tunnel_version-1)+3, ""); err != nil {
+						log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
 					}

 					// Check HTTP with DNS
 					if addr == nil {
 						log.Printf("%s and HTTP (with DNS ip=%s): skipped due to empty response\n", std.Login, addr.String())
-					} else if err := check_http(addr.String()); err == nil {
+					} else if err := check_http(addr.String(), std.MyDelegatedDomain()); err == nil {
 						if verbose {
 							log.Printf("%s just unlocked HTTP challenge\n", std.Login)
 						}
-						if _, err := std.UnlockNewChallenge(100*(tunnel_version-1)+0, ""); err != nil {
-							if _, err := std.UpdateUnlockedChallenge(100*(tunnel_version-1)+0, ""); err != nil {
-								log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
-							}
+						if _, err := std.UnlockChallenge(100*(tunnel_version-1)+4, ""); err != nil {
+							log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+						}
+					} else {
+						std.RegisterChallengeError(100*(tunnel_version-1)+4, err)
+						if verbose {
+							log.Printf("%s and HTTP (with DNS ip=%s): %s\n", std.Login, addr.String(), err)
 						}
-					} else if verbose {
-						log.Printf("%s and HTTP (with DNS ip=%s): %s\n", std.Login, addr.String(), err)
 					}

 					// Check HTTPs with DNS
@ -241,27 +263,54 @@ func studentsChecker() {
 						if verbose {
 							log.Printf("%s just unlocked HTTPS challenge\n", std.Login)
 						}
-						if _, err := std.UnlockNewChallenge(100*(tunnel_version-1)+1, ""); err != nil {
-							if _, err := std.UpdateUnlockedChallenge(100*(tunnel_version-1)+1, ""); err != nil {
-								log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
-							}
+						if _, err := std.UnlockChallenge(100*(tunnel_version-1)+5, ""); err != nil {
+							log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+						}
+					} else {
+						std.RegisterChallengeError(100*(tunnel_version-1)+5, err)
+						if verbose {
+							log.Printf("%s and HTTPS (with DNS ip=%s): %s\n", std.Login, addr.String(), err)
 						}
-					} else if verbose {
-						log.Printf("%s and HTTPS (with DNS ip=%s): %s\n", std.Login, addr.String(), err)
 					}
 				} else {
-					// Check HTTP without DNS
-					if err := check_http(stdIP); err == nil {
+					if errreg := std.RegisterChallengeError(100*(tunnel_version-1)+3, err); errreg != nil {
+						log.Printf("Unable to register challenge error for %s: %s\n", std.Login, errreg)
+					}
+					if verbose {
+						log.Printf("%s and DNS: %s\n", std.Login, err)
+					}
+				}
+
+				// Check HTTP without DNS
+				if err := check_http(stdIP, ""); err == nil {
+					if verbose {
+						log.Printf("%s just unlocked HTTP IP (without DNS) challenge\n", std.Login)
+					}
+					if _, err := std.UnlockChallenge(100*(tunnel_version-1)+0, ""); err != nil {
+						log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+					}
+				} else {
+					std.RegisterChallengeError(100*(tunnel_version-1)+0, err)
+					if verbose {
+						log.Printf("%s and HTTP IP (without DNS): %s\n", std.Login, err)
+					}
+				}
+
+				// Check DNS for association
+				if addr, err := check_dns(std.MyAssociatedDomain(), DEFAULT_RESOLVER); err == nil {
+					// Check HTTP on delegated domain
+					if err := check_http(addr.String(), std.MyAssociatedDomain()); err == nil {
 						if verbose {
-							log.Printf("%s just unlocked HTTP challenge\n", std.Login)
+							log.Printf("%s just unlocked HTTP (without DNS) challenge\n", std.Login)
 						}
-						if _, err := std.UnlockNewChallenge(100*(tunnel_version-1)+0, ""); err != nil {
-							if _, err := std.UpdateUnlockedChallenge(100*(tunnel_version-1)+0, ""); err != nil {
-								log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
-							}
+						if _, err := std.UnlockChallenge(100*(tunnel_version-1)+1, ""); err != nil {
+							log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+						}
+					} else {
+						std.RegisterChallengeError(100*(tunnel_version-1)+1, err)
+						if verbose {
+							log.Printf("%s and HTTP (without DNS): %s\n", std.Login, err)
 						}
-					} else if verbose {
-						log.Printf("%s and HTTP (without DNS): %s\n", std.Login, err)
 					}

 					// Check HTTPs without DNS
@ -269,13 +318,14 @@ func studentsChecker() {
 						if verbose {
 							log.Printf("%s just unlocked HTTPS challenge\n", std.Login)
 						}
-						if _, err := std.UnlockNewChallenge(100*(tunnel_version-1)+1, ""); err != nil {
-							if _, err := std.UpdateUnlockedChallenge(100*(tunnel_version-1)+1, ""); err != nil {
-								log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
-							}
+						if _, err := std.UnlockChallenge(100*(tunnel_version-1)+2, ""); err != nil {
+							log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+						}
+					} else {
+						std.RegisterChallengeError(100*(tunnel_version-1)+2, err)
+						if verbose {
+							log.Printf("%s and HTTPS (without DNS): %s\n", std.Login, err)
 						}
-					} else if verbose {
-						log.Printf("%s and HTTPS (without DNS): %s\n", std.Login, err)
 					}
 				}