fix: Fix username extraction
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful

This commit is contained in:
PapaTutuWawa 2024-01-06 20:29:18 +01:00
parent c0b87be246
commit 412e5d2fac

View File

@ -2,6 +2,7 @@ package server
import ( import (
"crypto/tls" "crypto/tls"
"errors"
"strings" "strings"
"sync" "sync"
@ -63,31 +64,38 @@ func getDomainKey(domain, pagesDomain string) string {
return domain return domain
} }
func usernameFromDomain(domain string) string {
return strings.Split(domain, ".")[0]
}
func getUsername(sni, pagesDomain string) (string, error) {
if !strings.HasSuffix(sni, pagesDomain) {
log.Debugf("'%s' is not a subdomain of '%s'", sni, pagesDomain)
// Note: We do not check err here because err != nil
// always implies that cname == "", which does not have
// pagesDomain as a suffix.
query, err := dns.LookupCNAME(sni)
if !strings.HasSuffix(query, pagesDomain) {
log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", sni, query, err)
return "", errors.New("CNAME does not resolve to subdomain of pages domain")
}
return usernameFromDomain(query), nil
}
return usernameFromDomain(sni), nil
}
func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *repo.GiteaClient) *tls.Config { func MakeTlsConfig(pagesDomain, cachePath string, cache *certificates.CertificatesCache, acmeClient *lego.Client, giteaClient *repo.GiteaClient) *tls.Config {
return &tls.Config{ return &tls.Config{
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
// Validate that we should even care about this domain // Validate that we should even care about this domain
isPagesDomain := info.ServerName == pagesDomain isPagesDomain := info.ServerName == pagesDomain
cname := "" username, err := getUsername(info.ServerName, pagesDomain)
if !strings.HasSuffix(info.ServerName, pagesDomain) { if err != nil {
// Note: We do not check err here because err != nil log.Warnf("Failed to get username for %s: %v", info.ServerName, err)
// always implies that cname == "", which does not have return cache.FallbackCertificate.TlsCertificate, nil
// pagesDomain as a suffix.
cname, err := dns.LookupCNAME(info.ServerName)
if !strings.HasSuffix(cname, pagesDomain) {
log.Warnf("Got ServerName for Domain %s that we're not responsible for. CNAME '%s', err: %v", info.ServerName, cname, err)
return cache.FallbackCertificate.TlsCertificate, nil
}
}
// Figure out a username for later username checks
username := ""
if cname == "" {
// domain ends on pagesDomain
username = strings.Split(info.ServerName, ".")[0]
} else {
// cname ends on pagesDomain
username = strings.Split(cname, ".")[0]
} }
// Find the correct certificate // Find the correct certificate