Disallow using the same domaine for association and delegation
parent
0e7b829b46
commit
db9254174a
@ -789,6 +789,12 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
|
||||
|
||||
// SNI check: validate if this check + HTTPS on delegation is validated
|
||||
if snicheck1 {
|
||||
if std.MyAssociatedDomain() == std.MyDelegatedDomain() {
|
||||
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSSNI], fmt.Errorf("associated and delegated domains have to be different. Please use eg. adlin.example.com as associated domain and wonderfulwebsite.example.com as delegation. Feel free to choose whatever you want that doesn't already exists in your zone!"))
|
||||
if verbose {
|
||||
log.Printf("%s and HTTPS-SNI: %s\n", std.Login, "associated and delegated domains not accessible at the same time through HTTPS")
|
||||
}
|
||||
} else {
|
||||
if verbose {
|
||||
log.Printf("%s just unlocked HTTPS-SNI challenge\n", std.Login)
|
||||
}
|
||||
@ -796,6 +802,7 @@ func studentChecker(std *adlin.Student, also_check_matrix bool, offline bool) {
|
||||
log.Printf("Unable to register challenge for %s: %s\n", std.Login, err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
std.RegisterChallengeError(CheckMap[tunnel_version][HTTPSonAssociatedDomain], err)
|
||||
if verbose {
|
||||
|
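Review bot: The new guard `std.MyAssociatedDomain() == std.MyDelegatedDomain()` is a byte-for-byte string comparison, while DNS names are case-insensitive, so two spellings of one name that differ only in letter case would count as different domains and the HTTPS-SNI challenge could still be validated against a single host. The same applies to the two checks added in the `init()` hunks, `*student.DelegatedDomain == cname` and `*student.AssociatedDomain == ns`, where the only normalisation visible is `dns.Fqdn`. Comparing with `strings.EqualFold(std.MyAssociatedDomain(), std.MyDelegatedDomain())`, and likewise in the two handlers, would close that gap. Whether the accessors already return lower-cased names, and whether `strings` is imported in this file, cannot be seen here; `studentChecker` starts and ends outside the hunk.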
@ -47,6 +47,12 @@ func init() {
|
||||
return true, nil
|
||||
} else if ue.CNAME != "" {
|
||||
cname := dns.Fqdn(ue.CNAME)
|
||||
|
||||
// Ensure delegation and association differs
|
||||
if student.DelegatedDomain != nil && *student.DelegatedDomain == cname {
|
||||
return nil, fmt.Errorf("Le domaine pour l'association CNAME doit être différent du domaine délégué.")
|
||||
}
|
||||
|
||||
student.AssociatedDomain = &cname
|
||||
|
||||
if _, err := student.Update(); err != nil {
|
||||
@ -90,6 +96,11 @@ func init() {
|
||||
} else {
|
||||
ns := dns.Fqdn(ue.NS)
|
||||
|
||||
// Ensure delegation and association differs
|
||||
if student.AssociatedDomain != nil && *student.AssociatedDomain == ns {
|
||||
return nil, fmt.Errorf("Le domaine pour la délégation doit être différent du CNAME associé précédemment.")
|
||||
}
|
||||
|
||||
// Ensure ns doesn't belong to one of our domain
|
||||
for _, ddomain := range adlin.DelegatedDomainSuffixes {
|
||||
if strings.HasSuffix(ns, ddomain) {
|
||||
|
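Review bot: Both `fmt.Errorf` calls added in `init()` pass a fixed string with no format verbs, so `errors.New("Le domaine pour l'association CNAME doit être différent du domaine délégué.")` and its counterpart in the NS branch would state the same thing without going through the formatter, and a later edit that puts a `%` into the text could not be misread as a verb. The long message in the `studentChecker` hunk is in the same situation. The messages are French here and English in the checker, which may be deliberate if they reach different audiences, but is worth confirming. Whether `errors` is already imported in this file is not visible, and both handler bodies start and end outside the hunks.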