simon/acme-dns
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Removed register GET request in favor of POST, and did required HTTP api changes

Browse Source
This commit is contained in:
Joona Hoikkala 2016-12-02 15:42:10 +02:00
parent c3ac7a211c
commit 5f68d84ca5
No known key found for this signature in database
GPG Key ID: C14AAE0F5ADCB854
4 changed files with 75 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
acmetxt.go
View File

@ -41,6 +41,22 @@ func (c *cidrslice) ValidEntries() []string {
return valid return valid
} }
// Check if IP belongs to an allowed net
func (a ACMETxt) allowedFrom(ip string) bool {
remoteIP := net.ParseIP(ip)
// Range not limited
if len(a.AllowFrom.ValidEntries()) == 0 {
return true
}
for _, v := range a.AllowFrom.ValidEntries() {
_, vnet, _ := net.ParseCIDR(v)
if vnet.Contains(remoteIP) {
return true
}
}
return false
}
func newACMETxt() ACMETxt { func newACMETxt() ACMETxt {
var a = ACMETxt{} var a = ACMETxt{}
password := generatePassword(40) password := generatePassword(40)

17
api.go
View File

@ -23,8 +23,9 @@ func (a authMiddleware) Serve(ctx *iris.Context) {
} else { } else {
if correctPassword(password, au.Password) { if correctPassword(password, au.Password) {
// Password ok // Password ok
if au.allowedFrom(ctx.RequestIP()) {
// Update is allowed from remote addr
if err := ctx.ReadJSON(&postData); err == nil { if err := ctx.ReadJSON(&postData); err == nil {
// Check that the subdomain belongs to the user
if au.Subdomain == postData.Subdomain { if au.Subdomain == postData.Subdomain {
ctx.Next() ctx.Next()
return return
@ -34,6 +35,7 @@ func (a authMiddleware) Serve(ctx *iris.Context) {
ctx.JSON(iris.StatusBadRequest, iris.Map{"error": "bad data"}) ctx.JSON(iris.StatusBadRequest, iris.Map{"error": "bad data"})
return return
} }
}
} else { } else {
// Wrong password // Wrong password
log.WithFields(log.Fields{"username": username}).Warning("Failed password check") log.WithFields(log.Fields{"username": username}).Warning("Failed password check")
@ -44,17 +46,19 @@ func (a authMiddleware) Serve(ctx *iris.Context) {
} }
func webRegisterPost(ctx *iris.Context) { func webRegisterPost(ctx *iris.Context) {
// Create new user
nu, err := DB.Register(cidrslice{})
var regJSON iris.Map var regJSON iris.Map
var regStatus int var regStatus int
cslice := cidrslice{}
_ = ctx.ReadJSON(&cslice)
// Create new user
nu, err := DB.Register(cslice)
if err != nil { if err != nil {
errstr := fmt.Sprintf("%v", err) errstr := fmt.Sprintf("%v", err)
regJSON = iris.Map{"error": errstr} regJSON = iris.Map{"error": errstr}
regStatus = iris.StatusInternalServerError regStatus = iris.StatusInternalServerError
log.WithFields(log.Fields{"error": err.Error()}).Debug("Error in registration") log.WithFields(log.Fields{"error": err.Error()}).Debug("Error in registration")
} else { } else {
regJSON = iris.Map{"username": nu.Username, "password": nu.Password, "fulldomain": nu.Subdomain + "." + DNSConf.General.Domain, "subdomain": nu.Subdomain} regJSON = iris.Map{"username": nu.Username, "password": nu.Password, "fulldomain": nu.Subdomain + "." + DNSConf.General.Domain, "subdomain": nu.Subdomain, "allowfrom": nu.AllowFrom.JSON()}
regStatus = iris.StatusCreated regStatus = iris.StatusCreated
log.WithFields(log.Fields{"user": nu.Username.String()}).Debug("Created new user") log.WithFields(log.Fields{"user": nu.Username.String()}).Debug("Created new user")
@ -62,11 +66,6 @@ func webRegisterPost(ctx *iris.Context) {
ctx.JSON(regStatus, regJSON) ctx.JSON(regStatus, regJSON)
} }
func webRegisterGet(ctx *iris.Context) {
// This is placeholder for now
webRegisterPost(ctx)
}
func webUpdatePost(ctx *iris.Context) { func webUpdatePost(ctx *iris.Context) {
// User auth done in middleware // User auth done in middleware
a := ACMETxt{} a := ACMETxt{}

54
api_test.go
View File

@ -26,7 +26,6 @@ func setupIris(t *testing.T, debug bool, noauth bool) *httpexpect.Expect {
} }
DNSConf = dnscfg DNSConf = dnscfg
var ForceAuth = authMiddleware{} var ForceAuth = authMiddleware{}
iris.Get("/register", webRegisterGet)
iris.Post("/register", webRegisterPost) iris.Post("/register", webRegisterPost)
if noauth { if noauth {
iris.Post("/update", webUpdatePost) iris.Post("/update", webUpdatePost)
@ -40,14 +39,6 @@ func setupIris(t *testing.T, debug bool, noauth bool) *httpexpect.Expect {
func TestApiRegister(t *testing.T) { func TestApiRegister(t *testing.T) {
e := setupIris(t, false, false) e := setupIris(t, false, false)
e.GET("/register").Expect().
Status(iris.StatusCreated).
JSON().Object().
ContainsKey("fulldomain").
ContainsKey("subdomain").
ContainsKey("username").
ContainsKey("password").
NotContainsKey("error")
e.POST("/register").Expect(). e.POST("/register").Expect().
Status(iris.StatusCreated). Status(iris.StatusCreated).
JSON().Object(). JSON().Object().
@ -56,6 +47,27 @@ func TestApiRegister(t *testing.T) {
ContainsKey("username"). ContainsKey("username").
ContainsKey("password"). ContainsKey("password").
NotContainsKey("error") NotContainsKey("error")
allowfrom := []interface{}{
"123.123.123.123/32",
"1010.10.10.10/24",
"invalid",
}
response := e.POST("/register").
WithJSON(allowfrom).
Expect().
Status(iris.StatusCreated).
JSON().Object().
ContainsKey("fulldomain").
ContainsKey("subdomain").
ContainsKey("username").
ContainsKey("password").
ContainsKey("allowfrom").
NotContainsKey("error")
response.Value("allowfrom").String().Equal("[\"123.123.123.123/32\"]")
} }
func TestApiRegisterWithMockDB(t *testing.T) { func TestApiRegisterWithMockDB(t *testing.T) {
@ -66,7 +78,7 @@ func TestApiRegisterWithMockDB(t *testing.T) {
defer db.Close() defer db.Close()
mock.ExpectBegin() mock.ExpectBegin()
mock.ExpectPrepare("INSERT INTO records").WillReturnError(errors.New("error")) mock.ExpectPrepare("INSERT INTO records").WillReturnError(errors.New("error"))
e.GET("/register").Expect(). e.POST("/register").Expect().
Status(iris.StatusInternalServerError). Status(iris.StatusInternalServerError).
JSON().Object(). JSON().Object().
ContainsKey("error") ContainsKey("error")
@ -146,10 +158,30 @@ func TestApiManyUpdateWithCredentials(t *testing.T) {
"txt": ""} "txt": ""}
e := setupIris(t, false, false) e := setupIris(t, false, false)
// User without defined CIDR masks
newUser, err := DB.Register(cidrslice{}) newUser, err := DB.Register(cidrslice{})
if err != nil { if err != nil {
t.Errorf("Could not create new user, got error [%v]", err) t.Errorf("Could not create new user, got error [%v]", err)
} }
// User with defined allow from - CIDR masks, all invalid
// (httpexpect doesn't provide a way to mock remote ip)
newUserWithCIDR, err := DB.Register(cidrslice{"192.168.1.1/32", "invalid"})
if err != nil {
t.Errorf("Could not create new user with CIDR, got error [%v]", err)
}
// Another user with valid CIDR mask to match the httpexpect default
newUserWithValidCIDR, err := DB.Register(cidrslice{"0.0.0.0/32", "invalid"})
if err != nil {
t.Errorf("Could not create new user with a valid CIDR, got error [%v]", err)
}
/* newUserWithValidCIDR, err := DB.Register(cidrslice{"192.168.1.1/32", "invalid"})
if err != nil {
t.Errorf("Could not create new user with CIDR, got error [%v]", err)
}
*/
for _, test := range []struct { for _, test := range []struct {
user string user string
pass string pass string
@ -164,6 +196,8 @@ func TestApiManyUpdateWithCredentials(t *testing.T) {
{newUser.Username.String(), newUser.Password, newUser.Subdomain, "tooshortfortxt", 400}, {newUser.Username.String(), newUser.Password, newUser.Subdomain, "tooshortfortxt", 400},
{newUser.Username.String(), newUser.Password, newUser.Subdomain, 1234567890, 400}, {newUser.Username.String(), newUser.Password, newUser.Subdomain, 1234567890, 400},
{newUser.Username.String(), newUser.Password, newUser.Subdomain, validTxtData, 200}, {newUser.Username.String(), newUser.Password, newUser.Subdomain, validTxtData, 200},
{newUserWithCIDR.Username.String(), newUserWithCIDR.Password, newUserWithCIDR.Subdomain, validTxtData, 401},
{newUserWithValidCIDR.Username.String(), newUserWithValidCIDR.Password, newUserWithValidCIDR.Subdomain, validTxtData, 200},
{newUser.Username.String(), "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", newUser.Subdomain, validTxtData, 401}, {newUser.Username.String(), "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", newUser.Subdomain, validTxtData, 401},
} { } {
updateJSON = map[string]interface{}{ updateJSON = map[string]interface{}{

1
main.go
View File

@ -49,7 +49,6 @@ func startHTTPAPI() {
}) })
api.Use(crs) api.Use(crs)
var ForceAuth = authMiddleware{} var ForceAuth = authMiddleware{}
api.Get("/register", webRegisterGet)
api.Post("/register", webRegisterPost) api.Post("/register", webRegisterPost)
api.Post("/update", ForceAuth.Serve, webUpdatePost) api.Post("/update", ForceAuth.Serve, webUpdatePost)
switch DNSConf.API.TLS { switch DNSConf.API.TLS {