limit generating non-wildcard cert to user and org that exists
This commit is contained in:
parent
83b1c4f9e4
commit
62bff5d1b7
4 changed files with 49 additions and 2 deletions
|
@ -34,6 +34,7 @@ func TLSConfig(mainDomainSuffix string,
|
||||||
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache cache.ICache,
|
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache cache.ICache,
|
||||||
certDB database.CertDB,
|
certDB database.CertDB,
|
||||||
noDNS01 bool,
|
noDNS01 bool,
|
||||||
|
rawDomain string,
|
||||||
) *tls.Config {
|
) *tls.Config {
|
||||||
return &tls.Config{
|
return &tls.Config{
|
||||||
// check DNS name & get certificate from Let's Encrypt
|
// check DNS name & get certificate from Let's Encrypt
|
||||||
|
@ -68,8 +69,17 @@ func TLSConfig(mainDomainSuffix string,
|
||||||
|
|
||||||
if strings.HasSuffix(domain, mainDomainSuffix) || strings.EqualFold(domain, mainDomainSuffix[1:]) {
|
if strings.HasSuffix(domain, mainDomainSuffix) || strings.EqualFold(domain, mainDomainSuffix[1:]) {
|
||||||
if noDNS01 {
|
if noDNS01 {
|
||||||
//TODO check if the domain is served to avoid DOSing ourseflve
|
// Limit the domains allowed to request a certificate to pages-server domains
|
||||||
mayObtainCert = true
|
// and domains for an existing user of org
|
||||||
|
if !strings.EqualFold(domain, mainDomainSuffix[1:]) && !strings.EqualFold(domain, rawDomain) {
|
||||||
|
targetOwner := strings.TrimSuffix(domain, mainDomainSuffix)
|
||||||
|
owner_exist, err := giteaClient.GiteaCheckIfOwnerExists(targetOwner)
|
||||||
|
mayObtainCert = owner_exist
|
||||||
|
if err != nil {
|
||||||
|
log.Error().Err(err).Msgf("Failed to check '%s' existance on the forge: %s", targetOwner, err)
|
||||||
|
mayObtainCert = false
|
||||||
|
}
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
// deliver default certificate for the main domain (*.codeberg.page)
|
// deliver default certificate for the main domain (*.codeberg.page)
|
||||||
domain = mainDomainSuffix
|
domain = mainDomainSuffix
|
||||||
|
|
|
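Review bot: The removed `mayObtainCert = true` has no replacement for the two exempted names: when `domain` equals the bare main domain or `rawDomain`, the new inner `if` is skipped and `mayObtainCert` keeps whatever value it had before the hunk, so if it is declared zero-initialised above (not visible here) those two hosts can no longer obtain a certificate in `noDNS01` mode. Setting `mayObtainCert = true` before the inner `if` restores the previous behaviour for them while the owner lookup still narrows it for everything else. Two smaller points in the same lines: `owner_exist` should follow Go naming (`ownerExists`), and the log call already attaches the error through `.Err(err)`, so the trailing `%s` in `Msgf("Failed to check '%s' existance on the forge: %s", ...)` repeats it — `Msgf("checking existence of %q on the forge", targetOwner)` is enough. The enclosing GetCertificate closure and `TLSConfig` both start and end outside this hunk.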
@ -26,6 +26,9 @@ const (
|
||||||
// TODO: move as option into cache interface
|
// TODO: move as option into cache interface
|
||||||
fileCacheTimeout = 5 * time.Minute
|
fileCacheTimeout = 5 * time.Minute
|
||||||
|
|
||||||
|
// ownerExistanceCacheTimeout specifies the timeout for the existance of a repo/org
|
||||||
|
ownerExistanceCacheTimeout = 5 * time.Minute
|
||||||
|
|
||||||
// fileCacheSizeLimit limits the maximum file size that will be cached, and is set to 1 MB by default.
|
// fileCacheSizeLimit limits the maximum file size that will be cached, and is set to 1 MB by default.
|
||||||
fileCacheSizeLimit = int64(1000 * 1000)
|
fileCacheSizeLimit = int64(1000 * 1000)
|
||||||
)
|
)
|
||||||
|
|
|
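Review bot: The doc comment on `ownerExistanceCacheTimeout` says it covers "the existance of a repo/org", but the only use in this commit caches the result of a user/org lookup (`GiteaCheckIfOwnerExists`), not a repository check, and both positive and negative answers are stored for this duration. Suggested wording: `// ownerExistanceCacheTimeout is how long a cached user/org existence lookup (positive or negative) stays valid.` The identifier itself carries the "existance" misspelling; if it is renamed, the two call sites in the client method need the same change.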
@ -28,6 +28,7 @@ const (
|
||||||
branchTimestampCacheKeyPrefix = "branchTime"
|
branchTimestampCacheKeyPrefix = "branchTime"
|
||||||
defaultBranchCacheKeyPrefix = "defaultBranch"
|
defaultBranchCacheKeyPrefix = "defaultBranch"
|
||||||
rawContentCacheKeyPrefix = "rawContent"
|
rawContentCacheKeyPrefix = "rawContent"
|
||||||
|
ownerExistance = "ownerExist"
|
||||||
|
|
||||||
// pages server
|
// pages server
|
||||||
PagesCacheIndicatorHeader = "X-Pages-Cache"
|
PagesCacheIndicatorHeader = "X-Pages-Cache"
|
||||||
|
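Review bot: The new constant breaks the naming pattern of its neighbours: every other entry in this block is a `*CacheKeyPrefix` (`branchTimestampCacheKeyPrefix`, `defaultBranchCacheKeyPrefix`, `rawContentCacheKeyPrefix`), while this one is just `ownerExistance`, which reads like a value rather than a key prefix. `ownerExistenceCacheKeyPrefix = "ownerExist"` would match the block and fix the spelling; the single use in `GiteaCheckIfOwnerExists` (`fmt.Sprintf("%s/%s", ownerExistance, owner)`) would need the same rename.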
@ -263,6 +264,38 @@ func (client *Client) GiteaGetRepoDefaultBranch(repoOwner, repoName string) (str
|
||||||
return branch, nil
|
return branch, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (client *Client) GiteaCheckIfOwnerExists(owner string) (bool, error) {
|
||||||
|
cacheKey := fmt.Sprintf("%s/%s", ownerExistance, owner)
|
||||||
|
|
||||||
|
if exist, ok := client.responseCache.Get(cacheKey); ok && exist != nil {
|
||||||
|
return exist.(bool), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
_, resp, err := client.sdkClient.GetUserInfo(owner)
|
||||||
|
if resp.StatusCode == http.StatusOK && err == nil {
|
||||||
|
if err := client.responseCache.Set(cacheKey, true, ownerExistanceCacheTimeout); err != nil {
|
||||||
|
log.Error().Err(err).Msg("[cache] error on cache write")
|
||||||
|
}
|
||||||
|
return true, nil
|
||||||
|
} else if resp.StatusCode != http.StatusNotFound {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
_, resp, err = client.sdkClient.GetOrg(owner)
|
||||||
|
if resp.StatusCode == http.StatusOK && err == nil {
|
||||||
|
if err := client.responseCache.Set(cacheKey, true, ownerExistanceCacheTimeout); err != nil {
|
||||||
|
log.Error().Err(err).Msg("[cache] error on cache write")
|
||||||
|
}
|
||||||
|
return true, nil
|
||||||
|
} else if resp.StatusCode != http.StatusNotFound {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
if err := client.responseCache.Set(cacheKey, false, ownerExistanceCacheTimeout); err != nil {
|
||||||
|
log.Error().Err(err).Msg("[cache] error on cache write")
|
||||||
|
}
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
func (client *Client) getMimeTypeByExtension(resource string) string {
|
func (client *Client) getMimeTypeByExtension(resource string) string {
|
||||||
mimeType := mime.TypeByExtension(path.Ext(resource))
|
mimeType := mime.TypeByExtension(path.Ext(resource))
|
||||||
mimeTypeSplit := strings.SplitN(mimeType, ";", 2)
|
mimeTypeSplit := strings.SplitN(mimeType, ";", 2)
|
||||||
|
|
|
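Review bot: Both status checks dereference `resp` before looking at `err` — `if resp.StatusCode == http.StatusOK && err == nil` after `GetUserInfo` and again after `GetOrg` — so if the SDK returns a nil `*Response` when the HTTP request itself fails (unreachable forge, timeout), this method panics instead of returning the error, and it is called from the TLS certificate callback. Reorder and guard each pair: `if err == nil && resp != nil && resp.StatusCode == http.StatusOK {` and `} else if resp == nil || resp.StatusCode != http.StatusNotFound {`, for both the user and the org lookup. The exported method also lacks a doc comment; something like `// GiteaCheckIfOwnerExists reports whether owner is an existing user or organisation on the forge, caching both outcomes for ownerExistanceCacheTimeout.` would cover it. The three identical cache-write blocks could be folded into one small helper to keep the method readable.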
@ -111,6 +111,7 @@ func Serve(ctx *cli.Context) error {
|
||||||
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache,
|
keyCache, challengeCache, dnsLookupCache, canonicalDomainCache,
|
||||||
certDB,
|
certDB,
|
||||||
cfg.ACME.NoDNS01,
|
cfg.ACME.NoDNS01,
|
||||||
|
cfg.Server.RawDomain,
|
||||||
))
|
))
|
||||||
|
|
||||||
interval := 12 * time.Hour
|
interval := 12 * time.Hour
|
||||||
|
|