Fix ACME permissions

1 files changed, 28 insertions, 10 deletions

diff --git a/main.go b/main.go
index d883754..269b11e 100644
--- a/main.go
+++ b/main.go
@@ -18,7 +18,7 @@ import (
 )
 
 const (
-        ACME_AUTH_KEY = "ACMEAuthContext"
+        ACME_AUTH_KEY = "ACMEAuthUserID"
         DDNS_AUTH_KEY = "DDNSAuthZone"
 )
 
@@ -51,6 +51,25 @@ type Secrets struct {
         ACME map[string]map[string]int
 }
 
+func (s *Secrets) IsACMEClientAllowed(key, zone string) bool {
+        u, ok := s.ACME[key]
+        if !ok {
+                return false
+        }
+
+        p, ok := u[zone]
+        if ok && p == 1 {
+                return true
+        }
+
+        p, ok = u[strings.TrimRight(zone, ".")]
+        if ok && p == 1 {
+                return true
+        }
+
+        return false
+}
+
 type DDNSUpdateRequest struct {
         Key string `form:"key" binding:"required"`
 }
@@ -134,7 +153,7 @@ func createAcmeChallenge(c *gin.Context) {
                 return
         }
 
-        if v, ok := c.Get(ACME_AUTH_KEY); !ok || v.(map[string]int)[zone.Name] != 1 {
+        if v := c.GetString(ACME_AUTH_KEY); !secrets.IsACMEClientAllowed(v, zone.Name) {
                 c.JSON(http.StatusForbidden, gin.H{
                         "error": "Zone update not allowed",
                 })
@@ -163,8 +182,6 @@ func createAcmeChallenge(c *gin.Context) {
                 Txt:  []string{ch.Challenge},
         }
 
-        log.Printf("%+v %+v '%s'", zone, t, t.Name)
-
         // Cleanup any old challenges before adding a new one
         if err := dc.RemoveAll(zone, t); err != nil {
                 log.Printf("error RemoveAll: %s", err)
@@ -215,7 +232,7 @@ func deleteAcmeChallenge(c *gin.Context) {
                 return
         }
 
-        if v, ok := c.Get(ACME_AUTH_KEY); !ok || v.(map[string]int)[zone.Name] != 1 {
+        if v := c.GetString(ACME_AUTH_KEY); !secrets.IsACMEClientAllowed(v, zone.Name) {
                 c.JSON(http.StatusForbidden, gin.H{
                         "error": "Zone update not allowed",
                 })
@@ -242,8 +259,8 @@ func deleteAcmeChallenge(c *gin.Context) {
 func updateDynamicDNS(c *gin.Context) {
         dc := dns.DNSClient{Server: "172.16.18.52:53"}
 
-        res, ok := c.GetString(DDNS_AUTH_KEY)
-        if !ok {
+        res := c.GetString(DDNS_AUTH_KEY)
+        if res == "" {
                 log.Println("ddns: Unable to get auth key")
                 c.AbortWithStatus(http.StatusForbidden)
                 return
@@ -321,12 +338,11 @@ func acmeAuth(c *gin.Context) {
                 return
         }
 
-        allowed, ok := secrets.ACME[pwd]
-        if !ok {
+        if _, ok := secrets.ACME[pwd]; !ok {
                 c.AbortWithStatus(http.StatusForbidden)
                 return
         } else {
-                c.Set(ACME_AUTH_KEY, allowed)
+                c.Set(ACME_AUTH_KEY, pwd)
         }
 
         c.Next()
@@ -353,6 +369,8 @@ func ddnsAuth(c *gin.Context) {
 }
 
 func main() {
+        gin.SetMode(gin.DebugMode)
+
         router := gin.Default()
 
         router.GET("/reflect-ip", reflectIP)