fix: Fix username extraction

internal/server/tls.go

@@ -2,6 +2,7 @@ package server
 
 import (
 	"crypto/tls"
+	"errors"
 	"strings"
 	"sync"
 
@@ -63,31 +64,38 @@ func getDomainKey(domain, pagesDomain string) string {
 	return domain
 }
 
+func usernameFromDomain(domain string) string {
+	return strings.Split(domain, ".")[0]
+}
+
+func getUsername(sni, pagesDomain string) (string, error) {
+	if !strings.HasSuffix(sni, pagesDomain) {
+		log.Debugf("'%s' is not a subdomain of '%s'", sni, pagesDomain)
+
+		// Note: We do not check err here because err != nil
+		// always implies that cname == "", which does not have
+		// pagesDomain as a suffix.
+		query, err := dns.LookupCNAME(sni)
+		if !strings.HasSuffix(query, pagesDomain) {
+			log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", sni, query, err)
+			return "", errors.New("CNAME does not resolve to subdomain of pages domain")
+		}
+
+		return usernameFromDomain(query), nil
+	}
+
+	return usernameFromDomain(sni), nil
+}
+
 func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *repo.GiteaClient) *tls.Config {
 	return &tls.Config{
 		GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
 			// Validate that we should even care about this domain
 			isPagesDomain := info.ServerName == pagesDomain
-			cname := ""
+			username, err := getUsername(info.ServerName, pagesDomain)
-			if !strings.HasSuffix(info.ServerName, pagesDomain) {
+			if err != nil {
-				// Note: We do not check err here because err != nil
+				log.Warnf("Failed to get username for %s: %v", info.ServerName, err)
-				// always implies that cname == "", which does not have
+				return cache.FallbackCertificate.TlsCertificate, nil
-				// pagesDomain as a suffix.
-				cname, err := dns.LookupCNAME(info.ServerName)
-				if !strings.HasSuffix(cname, pagesDomain) {
-					log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", info.ServerName, cname, err)
-					return cache.FallbackCertificate.TlsCertificate, nil
-				}
-			}
-
-			// Figure out a username for later username checks
-			username := ""
-			if cname == "" {
-				// domain ends on pagesDomain
-				username = strings.Split(info.ServerName, ".")[0]
-			} else {
-				// cname ends on pagesDomain
-				username = strings.Split(cname, ".")[0]
 			}
 
 			// Find the correct certificate