From 5e485ea6d987004b85d2bbbfbc021aafa2c1104b Mon Sep 17 00:00:00 2001
From: Mike Crute
Date: Fri, 3 Jan 2020 23:13:36 +0000
Subject: Fix ACME permissions

---
 main.go | 38 ++++++++++++++++++++++++++++----------
 1 file changed, 28 insertions(+), 10 deletions(-)

diff --git a/main.go b/main.go
index d883754..269b11e 100644
--- a/main.go
+++ b/main.go
@@ -18,7 +18,7 @@ import (
 )

 const (
-	ACME_AUTH_KEY = "ACMEAuthContext"
+	ACME_AUTH_KEY = "ACMEAuthUserID"
 	DDNS_AUTH_KEY = "DDNSAuthZone"
 )

@@ -51,6 +51,25 @@ type Secrets struct {
 	ACME map[string]map[string]int
 }

+func (s *Secrets) IsACMEClientAllowed(key, zone string) bool {
+	u, ok := s.ACME[key]
+	if !ok {
+		return false
+	}
+
+	p, ok := u[zone]
+	if ok && p == 1 {
+		return true
+	}
+
+	p, ok = u[strings.TrimRight(zone, ".")]
+	if ok && p == 1 {
+		return true
+	}
+
+	return false
+}
+
 type DDNSUpdateRequest struct {
 	Key string `form:"key" binding:"required"`
 }
@@ -134,7 +153,7 @@ func createAcmeChallenge(c *gin.Context) {
 		return
 	}

-	if v, ok := c.Get(ACME_AUTH_KEY); !ok || v.(map[string]int)[zone.Name] != 1 {
+	if v := c.GetString(ACME_AUTH_KEY); !secrets.IsACMEClientAllowed(v, zone.Name) {
 		c.JSON(http.StatusForbidden, gin.H{
 			"error": "Zone update not allowed",
 		})
@@ -163,8 +182,6 @@ func createAcmeChallenge(c *gin.Context) {
 		Txt: []string{ch.Challenge},
 	}

-	log.Printf("%+v %+v '%s'", zone, t, t.Name)
-
 	// Cleanup any old challenges before adding a new one
 	if err := dc.RemoveAll(zone, t); err != nil {
 		log.Printf("error RemoveAll: %s", err)
@@ -215,7 +232,7 @@ func deleteAcmeChallenge(c *gin.Context) {
 		return
 	}

-	if v, ok := c.Get(ACME_AUTH_KEY); !ok || v.(map[string]int)[zone.Name] != 1 {
+	if v := c.GetString(ACME_AUTH_KEY); !secrets.IsACMEClientAllowed(v, zone.Name) {
 		c.JSON(http.StatusForbidden, gin.H{
 			"error": "Zone update not allowed",
 		})
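Review bot: IsACMEClientAllowed in the Secrets hunk normalizes only the zone it is asked about, not the keys stored in secrets.ACME, so a stored permission with a trailing dot (`example.com.`) matches only a zone name that also carries one while a dotless stored key matches both forms; trimming the stored keys once when Secrets is loaded (outside this patch) would make the check symmetric. A missing map key already yields 0, so the two lookups collapse to `return u[zone] == 1 || u[strings.TrimRight(zone, ".")] == 1` and the reused `p, ok` pair disappears. The exported method also lacks a doc comment; `// IsACMEClientAllowed reports whether the client identified by key may update zone; a trailing dot on zone is ignored.` Whether `strings` is already in main.go's import block is not visible in this patch; if it is not, the hunk does not compile.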
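Review bot: The rewritten guard in createAcmeChallenge no longer distinguishes a missing context value from a denied one: `c.GetString` returns "" when acmeAuth has not set ACME_AUTH_KEY, and the outcome then depends solely on whether secrets.ACME happens to contain an empty-string key. Rejecting the empty identity explicitly keeps the handler closed even if the middleware is not mounted on this route: `if v := c.GetString(ACME_AUTH_KEY); v == "" || !secrets.IsACMEClientAllowed(v, zone.Name) {`. The same guard appears in the deleteAcmeChallenge hunk below and should get the same treatment. Both functions start and end outside their hunks.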
@@ -242,8 +259,8 @@ func deleteAcmeChallenge(c *gin.Context) {
 func updateDynamicDNS(c *gin.Context) {
 	dc := dns.DNSClient{Server: "172.16.18.52:53"}

-	res, ok := c.GetString(DDNS_AUTH_KEY)
-	if !ok {
+	res := c.GetString(DDNS_AUTH_KEY)
+	if res == "" {
 		log.Println("ddns: Unable to get auth key")
 		c.AbortWithStatus(http.StatusForbidden)
 		return
@@ -321,12 +338,11 @@ func acmeAuth(c *gin.Context) {
 		return
 	}

-	allowed, ok := secrets.ACME[pwd]
-	if !ok {
+	if _, ok := secrets.ACME[pwd]; !ok {
 		c.AbortWithStatus(http.StatusForbidden)
 		return
 	} else {
-		c.Set(ACME_AUTH_KEY, allowed)
+		c.Set(ACME_AUTH_KEY, pwd)
 	}

 	c.Next()
@@ -353,6 +369,8 @@ func ddnsAuth(c *gin.Context) {
 }

 func main() {
+	gin.SetMode(gin.DebugMode)
+
 	router := gin.Default()

 	router.GET("/reflect-ip", reflectIP)
--
cgit v1.2.3
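Review bot: The `else` after the terminating `if` in acmeAuth is now unnecessary, since the success path only sets one context key; flattening it keeps the happy path left-aligned: `if _, ok := secrets.ACME[pwd]; !ok { c.AbortWithStatus(http.StatusForbidden); return }` followed by `c.Set(ACME_AUTH_KEY, pwd)` at function level. Note that the value stored under ACME_AUTH_KEY is now the client's shared secret itself rather than the former permissions map, so any logging or dumping of the request context would expose it; a short comment at the `c.Set` line, `// the presented secret doubles as the client identity looked up by IsACMEClientAllowed`, would make that deliberate. acmeAuth starts outside the hunk.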
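Review bot: `gin.SetMode(gin.DebugMode)` at the top of main hard-codes debug mode and overrides the GIN_MODE environment variable, so the deployed binary can no longer be switched to release mode without a rebuild, and debug mode prints every registered route plus extra warnings to the log. The line is unrelated to the ACME permission fix named in the subject and looks like a leftover from local testing. Prefer dropping it and letting GIN_MODE decide, or guarding it behind an explicit flag. main continues past the end of the hunk.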