feat: Only request certificates for existing users and orgs
This commit is contained in:
@@ -7,7 +7,9 @@ import (
|
||||
|
||||
"git.polynom.me/rio/internal/certificates"
|
||||
"git.polynom.me/rio/internal/dns"
|
||||
"git.polynom.me/rio/internal/repo"
|
||||
|
||||
"code.gitea.io/sdk/gitea"
|
||||
"github.com/go-acme/lego/v4/lego"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
@@ -41,16 +43,16 @@ func unlockDomain(domain string) {
|
||||
delete(workingDomains, domain)
|
||||
}
|
||||
|
||||
func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client) *tls.Config {
|
||||
func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *gitea.Client) *tls.Config {
|
||||
return &tls.Config{
|
||||
InsecureSkipVerify: true,
|
||||
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||
// Validate that we should even care about this domain
|
||||
cname := ""
|
||||
if !strings.HasSuffix(info.ServerName, pagesDomain) {
|
||||
// Note: We do not check err here because err != nil
|
||||
// always implies that cname == "", which does not have
|
||||
// pagesDomain as a suffix.
|
||||
cname, _ := dns.LookupCNAME(info.ServerName)
|
||||
cname, _ = dns.LookupCNAME(info.ServerName)
|
||||
if !strings.HasSuffix(cname, pagesDomain) {
|
||||
log.Warnf("Got ServerName for Domain %s that we're not responsible for", info.ServerName)
|
||||
return cache.FallbackCertificate.TlsCertificate, nil
|
||||
@@ -64,11 +66,31 @@ func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.Certificat
|
||||
domain = "*." + pagesDomain
|
||||
}*/
|
||||
|
||||
// Figure out a username for later username checks
|
||||
username := ""
|
||||
if cname == "" {
|
||||
// domain ends on pagesDomain
|
||||
username = strings.Split(domain, ".")[0]
|
||||
} else {
|
||||
// cname ends on pagesDomain
|
||||
username = strings.Split(cname, ".")[0]
|
||||
}
|
||||
|
||||
// Find the correct certificate
|
||||
cert, found := cache.Certificates[info.ServerName]
|
||||
if found {
|
||||
if cert.IsValid() {
|
||||
return cert.TlsCertificate, nil
|
||||
} else {
|
||||
if !repo.CanRequestCertificate(username, giteaClient) {
|
||||
log.Warnf(
|
||||
"Cannot renew certificate for %s because CanRequestCertificate(%s) returned false",
|
||||
domain,
|
||||
username,
|
||||
)
|
||||
return cert.TlsCertificate, nil
|
||||
}
|
||||
|
||||
// If we're already working on the domain,
|
||||
// return the old certificate
|
||||
if lockIfUnlockedDomain(domain) {
|
||||
@@ -76,7 +98,7 @@ func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.Certificat
|
||||
}
|
||||
defer unlockDomain(domain)
|
||||
|
||||
// Renew
|
||||
// Renew the certificate
|
||||
log.Infof("Certificate for %s expired, renewing", domain)
|
||||
newCert, err := certificates.RenewCertificate(&cert, acmeClient)
|
||||
if err != nil {
|
||||
@@ -89,6 +111,15 @@ func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.Certificat
|
||||
return newCert.TlsCertificate, nil
|
||||
}
|
||||
} else {
|
||||
if !repo.CanRequestCertificate(username, giteaClient) {
|
||||
log.Warnf(
|
||||
"Cannot request certificate for %s because CanRequestCertificate(%s) returned false",
|
||||
domain,
|
||||
username,
|
||||
)
|
||||
return cache.FallbackCertificate.TlsCertificate, nil
|
||||
}
|
||||
|
||||
// Don't request if we're already requesting.
|
||||
if lockIfUnlockedDomain(domain) {
|
||||
return cache.FallbackCertificate.TlsCertificate, nil
|
||||
|
||||
Reference in New Issue
Block a user