From 412e5d2fac5b56389f2fb4a4facd80a2a8dd603f Mon Sep 17 00:00:00 2001
From: "Alexander \"PapaTutuWawa"
Date: Sat, 6 Jan 2024 20:29:18 +0100
Subject: [PATCH] fix: Fix username extraction

---
 internal/server/tls.go | 48 ++++++++++++++++++++++++------------------
 1 file changed, 28 insertions(+), 20 deletions(-)

diff --git a/internal/server/tls.go b/internal/server/tls.go
index 0691d0a..7474563 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"crypto/tls"
+	"errors"
 	"strings"
 	"sync"
@@ -63,31 +64,38 @@ func getDomainKey(domain, pagesDomain string) string {
 	return domain
 }
 
+func usernameFromDomain(domain string) string {
+	return strings.Split(domain, ".")[0]
+}
+
+func getUsername(sni, pagesDomain string) (string, error) {
+	if !strings.HasSuffix(sni, pagesDomain) {
+		log.Debugf("'%s' is not a subdomain of '%s'", sni, pagesDomain)
+
+		// Note: We do not check err here because err != nil
+		// always implies that cname == "", which does not have
+		// pagesDomain as a suffix.
+		query, err := dns.LookupCNAME(sni)
+		if !strings.HasSuffix(query, pagesDomain) {
+			log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", sni, query, err)
+			return "", errors.New("CNAME does not resolve to subdomain of pages domain")
+		}
+
+		return usernameFromDomain(query), nil
+	}
+
+	return usernameFromDomain(sni), nil
+}
+
 func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *repo.GiteaClient) *tls.Config {
 	return &tls.Config{
 		GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
 			// Validate that we should even care about this domain
 			isPagesDomain := info.ServerName == pagesDomain
-			cname := ""
-			if !strings.HasSuffix(info.ServerName, pagesDomain) {
-				// Note: We do not check err here because err != nil
-				// always implies that cname == "", which does not have
-				// pagesDomain as a suffix.
-				cname, err := dns.LookupCNAME(info.ServerName)
-				if !strings.HasSuffix(cname, pagesDomain) {
-					log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", info.ServerName, cname, err)
-					return cache.FallbackCertificate.TlsCertificate, nil
-				}
-			}
-
-			// Figure out a username for later username checks
-			username := ""
-			if cname == "" {
-				// domain ends on pagesDomain
-				username = strings.Split(info.ServerName, ".")[0]
-			} else {
-				// cname ends on pagesDomain
-				username = strings.Split(cname, ".")[0]
+			username, err := getUsername(info.ServerName, pagesDomain)
+			if err != nil {
+				log.Warnf("Failed to get username for %s: %v", info.ServerName, err)
+				return cache.FallbackCertificate.TlsCertificate, nil
 			}
 
 			// Find the correct certificate
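Review bot: The suffix check in getUsername has no label boundary: with pagesDomain `pages.example.com` (constructed), an SNI of `evilpages.example.com` satisfies `strings.HasSuffix(sni, pagesDomain)` and is handed straight to usernameFromDomain, and the CNAME check on query has the same gap. Since the caller already treats the exact match separately via isPagesDomain, anchor both checks on a dot, `if sni != pagesDomain && !strings.HasSuffix(sni, "."+pagesDomain) {` and `if !strings.HasSuffix(query, "."+pagesDomain) {`; if the project's dns.LookupCNAME returns a fully qualified name with a trailing dot, trim it before the comparison (not visible here). The SNI is client-controlled input, so the new log.Debugf and log.Warnf lines should format it with `%q` instead of `'%s'` so control characters cannot corrupt the log. The Warnf inside getUsername and the Warnf at the call site also report the same failure twice; carrying query and err in the returned error and logging once in GetCertificate would be cleaner. The GetCertificate closure and MakeTlsConfig continue past the end of the hunk.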