limit generating non-wildcard cert to user and org that exists

This commit is contained in:
Jean-Marie 'Histausse' Mineau 2024-02-17 02:27:14 +01:00
parent 83b1c4f9e4
commit 62bff5d1b7
No known key found for this signature in database
GPG Key ID: B66AEEDA9B645AD2
4 changed files with 49 additions and 2 deletions


@ -34,6 +34,7 @@ func TLSConfig(mainDomainSuffix string,
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache cache.ICache, keyCache, challengeCache, dnsLookupCache, canonicalDomainCache cache.ICache,
certDB database.CertDB, certDB database.CertDB,
noDNS01 bool, noDNS01 bool,
rawDomain string,
) *tls.Config { ) *tls.Config {
return &tls.Config{ return &tls.Config{
// check DNS name & get certificate from Let's Encrypt // check DNS name & get certificate from Let's Encrypt
@ -68,8 +69,17 @@ func TLSConfig(mainDomainSuffix string,
if strings.HasSuffix(domain, mainDomainSuffix) || strings.EqualFold(domain, mainDomainSuffix[1:]) { if strings.HasSuffix(domain, mainDomainSuffix) || strings.EqualFold(domain, mainDomainSuffix[1:]) {
if noDNS01 { if noDNS01 {
//TODO check if the domain is served to avoid DOSing ourseflve // Limit the domains allowed to request a certificate to pages-server domains
mayObtainCert = true // and domains for an existing user of org
if !strings.EqualFold(domain, mainDomainSuffix[1:]) && !strings.EqualFold(domain, rawDomain) {
targetOwner := strings.TrimSuffix(domain, mainDomainSuffix)
owner_exist, err := giteaClient.GiteaCheckIfOwnerExists(targetOwner)
mayObtainCert = owner_exist
if err != nil {
log.Error().Err(err).Msgf("Failed to check '%s' existance on the forge: %s", targetOwner, err)
mayObtainCert = false
}
}
} else { } else {
// deliver default certificate for the main domain (*.codeberg.page) // deliver default certificate for the main domain (*.codeberg.page)
domain = mainDomainSuffix domain = mainDomainSuffix
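Review bot: `owner_exist` on the `GiteaCheckIfOwnerExists` call line breaks Go naming (MixedCaps, no underscores), and the log call beneath it prints the error twice, once via `.Err(err)` and again via the trailing `%s`. `ownerExists, err := giteaClient.GiteaCheckIfOwnerExists(targetOwner)` together with `log.Error().Err(err).Msgf("failed to check existence of owner '%s' on the forge", targetOwner)` reads cleaner and also fixes the "existance" misspelling in the message. Setting `mayObtainCert = false` on error keeps the check fail-closed, which is the right default for a path that decides whether a Let's Encrypt request is issued; a short comment saying so, `// fail closed: an unreachable forge must not let arbitrary subdomains trigger certificate requests`, would make that intent explicit. TLSConfig itself begins and ends outside this hunk.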


@ -26,6 +26,9 @@ const (
// TODO: move as option into cache interface // TODO: move as option into cache interface
fileCacheTimeout = 5 * time.Minute fileCacheTimeout = 5 * time.Minute
// ownerExistanceCacheTimeout specifies the timeout for the existance of a repo/org
ownerExistanceCacheTimeout = 5 * time.Minute
// fileCacheSizeLimit limits the maximum file size that will be cached, and is set to 1 MB by default. // fileCacheSizeLimit limits the maximum file size that will be cached, and is set to 1 MB by default.
fileCacheSizeLimit = int64(1000 * 1000) fileCacheSizeLimit = int64(1000 * 1000)
) )
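Review bot: The comment on the new constant describes it as the timeout for the "existance of a repo/org", but the value is used to cache the result of a user-or-organisation lookup, not a repository check, and both the comment and the identifier misspell "existence". `// ownerExistenceCacheTimeout specifies how long a user/org existence lookup result is cached` with the constant renamed to `ownerExistenceCacheTimeout` would be accurate; the same spelling applies to the `ownerExistance` cache-key prefix added in the next file.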


@ -28,6 +28,7 @@ const (
branchTimestampCacheKeyPrefix = "branchTime" branchTimestampCacheKeyPrefix = "branchTime"
defaultBranchCacheKeyPrefix = "defaultBranch" defaultBranchCacheKeyPrefix = "defaultBranch"
rawContentCacheKeyPrefix = "rawContent" rawContentCacheKeyPrefix = "rawContent"
ownerExistance = "ownerExist"
// pages server // pages server
PagesCacheIndicatorHeader = "X-Pages-Cache" PagesCacheIndicatorHeader = "X-Pages-Cache"
@ -263,6 +264,38 @@ func (client *Client) GiteaGetRepoDefaultBranch(repoOwner, repoName string) (str
return branch, nil return branch, nil
} }
func (client *Client) GiteaCheckIfOwnerExists(owner string) (bool, error) {
cacheKey := fmt.Sprintf("%s/%s", ownerExistance, owner)
if exist, ok := client.responseCache.Get(cacheKey); ok && exist != nil {
return exist.(bool), nil
}
_, resp, err := client.sdkClient.GetUserInfo(owner)
if resp.StatusCode == http.StatusOK && err == nil {
if err := client.responseCache.Set(cacheKey, true, ownerExistanceCacheTimeout); err != nil {
log.Error().Err(err).Msg("[cache] error on cache write")
}
return true, nil
} else if resp.StatusCode != http.StatusNotFound {
return false, err
}
_, resp, err = client.sdkClient.GetOrg(owner)
if resp.StatusCode == http.StatusOK && err == nil {
if err := client.responseCache.Set(cacheKey, true, ownerExistanceCacheTimeout); err != nil {
log.Error().Err(err).Msg("[cache] error on cache write")
}
return true, nil
} else if resp.StatusCode != http.StatusNotFound {
return false, err
}
if err := client.responseCache.Set(cacheKey, false, ownerExistanceCacheTimeout); err != nil {
log.Error().Err(err).Msg("[cache] error on cache write")
}
return false, nil
}
func (client *Client) getMimeTypeByExtension(resource string) string { func (client *Client) getMimeTypeByExtension(resource string) string {
mimeType := mime.TypeByExtension(path.Ext(resource)) mimeType := mime.TypeByExtension(path.Ext(resource))
mimeTypeSplit := strings.SplitN(mimeType, ";", 2) mimeTypeSplit := strings.SplitN(mimeType, ";", 2)
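Review bot: `resp.StatusCode` is dereferenced after both `GetUserInfo` and `GetOrg` before `err` is examined; if the SDK returns a nil response on a transport-level failure, as it appears to for connection errors, this panics inside the TLS certificate callback rather than returning the error. Guard each call with `if err != nil && resp == nil { return false, err }` ahead of the status comparison. The exported method also lacks a doc comment; `// GiteaCheckIfOwnerExists reports whether owner is an existing user or organisation on the forge, caching both positive and negative results for ownerExistanceCacheTimeout.` would cover it. The unchecked `exist.(bool)` on the cache-hit path would likewise panic if the key ever held another type; `if b, isBool := exist.(bool); isBool { return b, nil }` keeps the fast path without that risk.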


@ -111,6 +111,7 @@ func Serve(ctx *cli.Context) error {
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache, keyCache, challengeCache, dnsLookupCache, canonicalDomainCache,
certDB, certDB,
cfg.ACME.NoDNS01, cfg.ACME.NoDNS01,
cfg.Server.RawDomain,
)) ))
interval := 12 * time.Hour interval := 12 * time.Hour