Disallow using the same domain for association and delegation

This commit is contained in:
nemunaire 2022-03-29 12:56:35 +02:00
parent 0e7b829b46
commit db9254174a
2 changed files with 23 additions and 5 deletions


@ -789,6 +789,12 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
// SNI check: validate if this check + HTTPS on delegation is validated // SNI check: validate if this check + HTTPS on delegation is validated
if snicheck1 { if snicheck1 {
if std.MyAssociatedDomain() == std.MyDelegatedDomain() {
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSSNI], fmt.Errorf("associated and delegated domains have to be different. Please use eg. adlin.example.com as associated domain and wonderfulwebsite.example.com as delegation. Feel free to choose whatever you want that doesn't already exists in your zone!"))
if verbose {
log.Printf("%s and HTTPS-SNI: %s\n", std.Login, "associated and delegated domains not accessible at the same time through HTTPS")
}
} else {
if verbose { if verbose {
log.Printf("%s just unlocked HTTPS-SNI challenge\n", std.Login) log.Printf("%s just unlocked HTTPS-SNI challenge\n", std.Login)
} }
@ -796,6 +802,7 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error()) log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
} }
} }
}
} else { } else {
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonAssociatedDomain], err) std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonAssociatedDomain], err)
if verbose { if verbose {
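Review bot: The new test on line 16, `std.MyAssociatedDomain() == std.MyDelegatedDomain()`, is a byte-for-byte comparison while DNS names are case-insensitive, so `Example.com.` and `example.com.` count as different and the restriction can be sidestepped by changing the case of one entry; the same holds for `*student.DelegatedDomain == cname` and `*student.AssociatedDomain == ns` in the registration handler of the second file. Unless the accessors already normalise case (not visible here), compare with `strings.EqualFold(std.MyAssociatedDomain(), std.MyDelegatedDomain())` and likewise in the other two checks (`strings` is already imported in the handler file; the checker file may need it). The user-facing message on line 17 also reads `doesn't already exists`, which should be `doesn't already exist`. studentChecker starts and ends outside this hunk.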


@ -47,6 +47,12 @@ func init() {
return true, nil return true, nil
} else if ue.CNAME != "" { } else if ue.CNAME != "" {
cname := dns.Fqdn(ue.CNAME) cname := dns.Fqdn(ue.CNAME)
// Ensure delegation and association differs
if student.DelegatedDomain != nil && *student.DelegatedDomain == cname {
return nil, fmt.Errorf("Le domaine pour l'association CNAME doit être différent du domaine délégué.")
}
student.AssociatedDomain = &cname student.AssociatedDomain = &cname
if _, err := student.Update(); err != nil { if _, err := student.Update(); err != nil {
@ -90,6 +96,11 @@ func init() {
} else { } else {
ns := dns.Fqdn(ue.NS) ns := dns.Fqdn(ue.NS)
// Ensure delegation and association differs
if student.AssociatedDomain != nil && *student.AssociatedDomain == ns {
return nil, fmt.Errorf("Le domaine pour la délégation doit être différent du CNAME associé précédemment.")
}
// Ensure ns doesn't belong to one of our domain // Ensure ns doesn't belong to one of our domain
for _, ddomain := range adlin.DelegatedDomainSuffixes { for _, ddomain := range adlin.DelegatedDomainSuffixes {
if strings.HasSuffix(ns, ddomain) { if strings.HasSuffix(ns, ddomain) {