Disallow using the same domaine for association and delegation
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/push Build is passing
Details
This commit is contained in:
parent
0e7b829b46
commit
db9254174a
|
|
@ -789,11 +789,18 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
|
|||
|
||||
// SNI check: validate if this check + HTTPS on delegation is validated
|
||||
if snicheck1 {
|
||||
if verbose {
|
||||
log.Printf("%s just unlocked HTTPS-SNI challenge\n", std.Login)
|
||||
}
|
||||
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSSNI], ""); err != nil {
|
||||
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
|
||||
if std.MyAssociatedDomain() == std.MyDelegatedDomain() {
|
||||
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSSNI], fmt.Errorf("associated and delegated domains have to be different. Please use eg. adlin.example.com as associated domain and wonderfulwebsite.example.com as delegation. Feel free to choose whatever you want that doesn't already exists in your zone!"))
|
||||
if verbose {
|
||||
log.Printf("%s and HTTPS-SNI: %s\n", std.Login, "associated and delegated domains not accessible at the same time through HTTPS")
|
||||
}
|
||||
} else {
|
||||
if verbose {
|
||||
log.Printf("%s just unlocked HTTPS-SNI challenge\n", std.Login)
|
||||
}
|
||||
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSSNI], ""); err != nil {
|
||||
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -47,6 +47,12 @@ func init() {
|
|||
return true, nil
|
||||
} else if ue.CNAME != "" {
|
||||
cname := dns.Fqdn(ue.CNAME)
|
||||
|
||||
// Ensure delegation and association differs
|
||||
if student.DelegatedDomain != nil && *student.DelegatedDomain == cname {
|
||||
return nil, fmt.Errorf("Le domaine pour l'association CNAME doit être différent du domaine délégué.")
|
||||
}
|
||||
|
||||
student.AssociatedDomain = &cname
|
||||
|
||||
if _, err := student.Update(); err != nil {
|
||||
|
|
@ -90,6 +96,11 @@ func init() {
|
|||
} else {
|
||||
ns := dns.Fqdn(ue.NS)
|
||||
|
||||
// Ensure delegation and association differs
|
||||
if student.AssociatedDomain != nil && *student.AssociatedDomain == ns {
|
||||
return nil, fmt.Errorf("Le domaine pour la délégation doit être différent du CNAME associé précédemment.")
|
||||
}
|
||||
|
||||
// Ensure ns doesn't belong to one of our domain
|
||||
for _, ddomain := range adlin.DelegatedDomainSuffixes {
|
||||
if strings.HasSuffix(ns, ddomain) {
|
||||
|
|
|
|||
Reference in New Issue