Diffstat (limited to 'main.go')
-rw-r--r-- | main.go | 38 |
1 files changed, 28 insertions, 10 deletions
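--- a/main.go
+++ b/main.go
@@ -18,7 +18,7 @@ import (
 )
 
 const (
-	ACME_AUTH_KEY = "ACMEAuthContext"
+	ACME_AUTH_KEY = "ACMEAuthUserID"
 	DDNS_AUTH_KEY = "DDNSAuthZone"
 )
 
@@ -51,6 +51,25 @@ type Secrets struct {
 	ACME map[string]map[string]int
 }
 
+func (s *Secrets) IsACMEClientAllowed(key, zone string) bool {
+	u, ok := s.ACME[key]
+	if !ok {
+		return false
+	}
+
+	p, ok := u[zone]
+	if ok && p == 1 {
+		return true
+	}
+
+	p, ok = u[strings.TrimRight(zone, ".")]
+	if ok && p == 1 {
+		return true
+	}
+
+	return false
+}
+
 type DDNSUpdateRequest struct {
 	Key string `form:"key" binding:"required"`
 }
@@ -134,7 +153,7 @@ func createAcmeChallenge(c *gin.Context) {
 		return
 	}
 
-	if v, ok := c.Get(ACME_AUTH_KEY); !ok || v.(map[string]int)[zone.Name] != 1 {
+	if v := c.GetString(ACME_AUTH_KEY); !secrets.IsACMEClientAllowed(v, zone.Name) {
 		c.JSON(http.StatusForbidden, gin.H{
 			"error": "Zone update not allowed",
 		})
@@ -163,8 +182,6 @@ func createAcmeChallenge(c *gin.Context) {
 		Txt: []string{ch.Challenge},
 	}
 
-	log.Printf("%+v %+v '%s'", zone, t, t.Name)
-
 	// Cleanup any old challenges before adding a new one
 	if err := dc.RemoveAll(zone, t); err != nil {
 		log.Printf("error RemoveAll: %s", err)
@@ -215,7 +232,7 @@ func deleteAcmeChallenge(c *gin.Context) {
 		return
 	}
 
-	if v, ok := c.Get(ACME_AUTH_KEY); !ok || v.(map[string]int)[zone.Name] != 1 {
+	if v := c.GetString(ACME_AUTH_KEY); !secrets.IsACMEClientAllowed(v, zone.Name) {
 		c.JSON(http.StatusForbidden, gin.H{
 			"error": "Zone update not allowed",
 		})
@@ -242,8 +259,8 @@ func deleteAcmeChallenge(c *gin.Context) {
 func updateDynamicDNS(c *gin.Context) {
 	dc := dns.DNSClient{Server: "172.16.18.52:53"}
 
-	res, ok := c.GetString(DDNS_AUTH_KEY)
-	if !ok {
+	res := c.GetString(DDNS_AUTH_KEY)
+	if res == "" {
 		log.Println("ddns: Unable to get auth key")
 		c.AbortWithStatus(http.StatusForbidden)
 		return
@@ -321,12 +338,11 @@ func acmeAuth(c *gin.Context) {
 		return
 	}
 
-	allowed, ok := secrets.ACME[pwd]
-	if !ok {
+	if _, ok := secrets.ACME[pwd]; !ok {
 		c.AbortWithStatus(http.StatusForbidden)
 		return
 	} else {
-		c.Set(ACME_AUTH_KEY, allowed)
+		c.Set(ACME_AUTH_KEY, pwd)
 	}
 
 	c.Next()
@@ -353,6 +369,8 @@ func ddnsAuth(c *gin.Context) {
 }
 
 func main() {
+	gin.SetMode(gin.DebugMode)
+
 	router := gin.Default()
 
 	router.GET("/reflect-ip", reflectIP)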
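Review bot: `IsACMEClientAllowed` (new lines 54-71) never rejects an empty key, so a handler reached without `acmeAuth` having run gets `""` from `c.GetString(ACME_AUTH_KEY)` and the authorization decision then depends on whether `secrets.ACME` happens to contain an empty-string entry; add `if key == "" { return false }` before the map lookup, mirroring the `res == ""` guard the same commit adds to `updateDynamicDNS`. The value now stored under `ACME_AUTH_KEY` is `pwd` itself, the credential the client presented, even though the constant was renamed to `"ACMEAuthUserID"`, so any later handler or log statement that prints that context value would expose the secret; a doc comment such as `// IsACMEClientAllowed reports whether the client identified by key (the ACME secret matched by acmeAuth) may manage zone; a trailing dot on zone is ignored.` would make this explicit until the map is keyed by an opaque client id. Hardcoding `gin.SetMode(gin.DebugMode)` in `main` (new line 372) overrides whatever GIN_MODE the deployment sets, so release mode can no longer be chosen without a rebuild; consider leaving the mode to the environment. `main` continues past the end of the hunk.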