Disallow using the same domaine for association and delegation
parent
0e7b829b46
commit
db9254174a
@ -789,11 +789,18 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
|
|||||||
|
|
||||||
// SNI check: validate if this check + HTTPS on delegation is validated
|
// SNI check: validate if this check + HTTPS on delegation is validated
|
||||||
if snicheck1 {
|
if snicheck1 {
|
||||||
if verbose {
|
if std.MyAssociatedDomain() == std.MyDelegatedDomain() {
|
||||||
log.Printf("%s just unlocked HTTPS-SNI challenge\n", std.Login)
|
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSSNI], fmt.Errorf("associated and delegated domains have to be different. Please use eg. adlin.example.com as associated domain and wonderfulwebsite.example.com as delegation. Feel free to choose whatever you want that doesn't already exists in your zone!"))
|
||||||
}
|
if verbose {
|
||||||
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSSNI], ""); err != nil {
|
log.Printf("%s and HTTPS-SNI: %s\n", std.Login, "associated and delegated domains not accessible at the same time through HTTPS")
|
||||||
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
|
}
|
||||||
|
} else {
|
||||||
|
if verbose {
|
||||||
|
log.Printf("%s just unlocked HTTPS-SNI challenge\n", std.Login)
|
||||||
|
}
|
||||||
|
if _, err := std.UnlockChallenge(CheckMap[tunnel_version][HTTPSSNI], ""); err != nil {
|
||||||
|
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
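Review bot: The new guard `std.MyAssociatedDomain() == std.MyDelegatedDomain()` is a byte-for-byte comparison, while DNS names are case-insensitive, so one name written with different letter case would still count as different and unlock HTTPS-SNI. Unless both accessors already return a lowercased FQDN (not visible here), compare with `strings.EqualFold(std.MyAssociatedDomain(), std.MyDelegatedDomain())`. The same applies to the two checks added in `init()`, `*student.DelegatedDomain == cname` and `*student.AssociatedDomain == ns`, where `dns.Fqdn` adds the trailing dot but does not fold case. The body of studentChecker starts and ends outside this hunk.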
@ -47,6 +47,12 @@ func init() {
|
|||||||
return true, nil
|
return true, nil
|
||||||
} else if ue.CNAME != "" {
|
} else if ue.CNAME != "" {
|
||||||
cname := dns.Fqdn(ue.CNAME)
|
cname := dns.Fqdn(ue.CNAME)
|
||||||
|
|
||||||
|
// Ensure delegation and association differs
|
||||||
|
if student.DelegatedDomain != nil && *student.DelegatedDomain == cname {
|
||||||
|
return nil, fmt.Errorf("Le domaine pour l'association CNAME doit être différent du domaine délégué.")
|
||||||
|
}
|
||||||
|
|
||||||
student.AssociatedDomain = &cname
|
student.AssociatedDomain = &cname
|
||||||
|
|
||||||
if _, err := student.Update(); err != nil {
|
if _, err := student.Update(); err != nil {
|
||||||
@ -90,6 +96,11 @@ func init() {
|
|||||||
} else {
|
} else {
|
||||||
ns := dns.Fqdn(ue.NS)
|
ns := dns.Fqdn(ue.NS)
|
||||||
|
|
||||||
|
// Ensure delegation and association differs
|
||||||
|
if student.AssociatedDomain != nil && *student.AssociatedDomain == ns {
|
||||||
|
return nil, fmt.Errorf("Le domaine pour la délégation doit être différent du CNAME associé précédemment.")
|
||||||
|
}
|
||||||
|
|
||||||
// Ensure ns doesn't belong to one of our domain
|
// Ensure ns doesn't belong to one of our domain
|
||||||
for _, ddomain := range adlin.DelegatedDomainSuffixes {
|
for _, ddomain := range adlin.DelegatedDomainSuffixes {
|
||||||
if strings.HasSuffix(ns, ddomain) {
|
if strings.HasSuffix(ns, ddomain) {
|
||||||
|
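Review bot: The comment `// Ensure delegation and association differs` on both new guards does not say why the names must differ or what is compared. Each guard checks the submitted name against the value already stored for the other field, and is skipped when that field is nil. I would write `// Reject a CNAME equal to the stored delegated domain: the HTTPS-SNI check needs two distinct names.` in the first hunk and the mirrored sentence for `ns` in the second. Both errors are also built with `fmt.Errorf` from a constant string with no format verb, where `errors.New` would be the plainer form, assuming `errors` is or can be imported in this file. The enclosing function registered in `init()` starts and ends outside both hunks.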