From db9254174a2fa7b232e4306c265907433be03d04 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Tue, 29 Mar 2022 12:56:35 +0200
Subject: [PATCH] Disallow using the same domaine for association and delegation
---
 checker/checker.go | 17 ++++++++++++-----
 token-validator/domain.go | 11 +++++++++++
 2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/checker/checker.go b/checker/checker.go
index 1817a3d..6ca8968 100644
--- a/checker/checker.go
+++ b/checker/checker.go
@@ -789,11 +789,18 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
 // SNI check: validate if this check + HTTPS on delegation is validated
 if snicheck1 {
- if verbose {
- log.Printf("%s just unlocked HTTPS-SNI challenge\n", std.Login)
- }
- if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSSNI], ""); err != nil {
- log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ if std.MyAssociatedDomain() == std.MyDelegatedDomain() {
+ std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSSNI], fmt.Errorf("associated and delegated domains have to be different. Please use eg. adlin.example.com as associated domain and wonderfulwebsite.example.com as delegation. Feel free to choose whatever you want that doesn't already exists in your zone!"))
+ if verbose {
+ log.Printf("%s and HTTPS-SNI: %s\n", std.Login, "associated and delegated domains not accessible at the same time through HTTPS")
+ }
+ } else {
+ if verbose {
+ log.Printf("%s just unlocked HTTPS-SNI challenge\n", std.Login)
+ }
+ if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSSNI], ""); err != nil {
+ log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
+ }
 }
 }
 }
 } else {
diff --git a/token-validator/domain.go b/token-validator/domain.go
index 81ed821..61cfd0c 100644
--- a/token-validator/domain.go
+++ b/token-validator/domain.go
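Review bot: The added `if std.MyAssociatedDomain() == std.MyDelegatedDomain()` guard is an exact comparison of the two names, but DNS names are case-insensitive, so the same domain spelled with a different letter case (or, if the two accessors do not normalize the trailing dot the same way, with and without it) passes as "different" and the HTTPS-SNI challenge is unlocked anyway. The two hunks of token-validator/domain.go use the same exact-match comparison (`*student.DelegatedDomain == cname` and `*student.AssociatedDomain == ns`); they run the names through `dns.Fqdn`, which settles the trailing dot but not the case. Comparing a folded form in all three places, e.g. `strings.EqualFold(strings.TrimSuffix(a, "."), strings.TrimSuffix(b, "."))` with `a` and `b` the two names, closes that gap (`strings` is already used in domain.go; checker.go's imports are outside the hunk, as is any normalization the accessors may already do). The new `fmt.Errorf` call has no format verbs, like the two added in token-validator/domain.go, so `errors.New` is the idiomatic form; its message also reads `doesn't already exists` where `doesn't already exist` is meant. studentChecker's body starts and ends outside the hunk.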
@@ -47,6 +47,12 @@ func init() {
 return true, nil
 } else if ue.CNAME != "" {
 cname := dns.Fqdn(ue.CNAME)
+
+ // Ensure delegation and association differs
+ if student.DelegatedDomain != nil && *student.DelegatedDomain == cname {
+ return nil, fmt.Errorf("Le domaine pour l'association CNAME doit être différent du domaine délégué.")
+ }
+
 student.AssociatedDomain = &cname
 
 if _, err := student.Update(); err != nil {
@@ -90,6 +96,11 @@ func init() {
 } else {
 ns := dns.Fqdn(ue.NS)
 
+ // Ensure delegation and association differs
+ if student.AssociatedDomain != nil && *student.AssociatedDomain == ns {
+ return nil, fmt.Errorf("Le domaine pour la délégation doit être différent du CNAME associé précédemment.")
+ }
+
 // Ensure ns doesn't belong to one of our domain
 for _, ddomain := range adlin.DelegatedDomainSuffixes {
 if strings.HasSuffix(ns, ddomain) {
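Review bot: The added comment `// Ensure delegation and association differs` says what the check does but not why the request is refused, and the identical comment is repeated above the NS check in the second hunk; the reason the commit title and the checker.go log text point to is that the HTTPS-SNI challenge cannot tell the two names apart when they are the same. A comment such as `// The CNAME association and the NS delegation must name different domains: the HTTPS-SNI challenge cannot distinguish them otherwise` (with the mirrored wording on the NS side in the second hunk) would make that explicit; the verb should also be `differ`. The enclosing function starts and ends outside the hunk.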