acme-dns/acmetxt.go

package main

import (
	"encoding/json"
	"net"

	"github.com/google/uuid"
	log "github.com/sirupsen/logrus"
)

// ACMETxt is the default structure for the user controlled record
type ACMETxt struct {
	Username uuid.UUID
	Password string
	ACMETxtPost
	AllowFrom cidrslice
}

// ACMETxtPost holds the DNS part of the ACMETxt struct
type ACMETxtPost struct {
	Subdomain string `json:"subdomain"`
	Value     string `json:"txt"`
}

// cidrslice is a list of allowed cidr ranges
type cidrslice []string

func (c *cidrslice) JSON() string {
	ret, _ := json.Marshal(c.ValidEntries())
	return string(ret)
}

func (c *cidrslice) isValid() error {
	for _, v := range *c {
		_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))
		if err != nil {
			return err
		}
	}
	return nil
}

func (c *cidrslice) ValidEntries() []string {
	valid := []string{}
	for _, v := range *c {
		_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))
		if err == nil {
			valid = append(valid, sanitizeIPv6addr(v))
		}
	}
	return valid
}

// Check if IP belongs to an allowed net
func (a ACMETxt) allowedFrom(ip string) bool {
	remoteIP := net.ParseIP(ip)
	// Range not limited
	if len(a.AllowFrom.ValidEntries()) == 0 {
		return true
	}
	log.WithFields(log.Fields{"ip": remoteIP}).Debug("Checking if update is permitted from IP")
	for _, v := range a.AllowFrom.ValidEntries() {
		_, vnet, _ := net.ParseCIDR(v)
		if vnet.Contains(remoteIP) {
			return true
		}
	}
	return false
}

// Go through list (most likely from headers) to check for the IP.
// Reason for this is that some setups use reverse proxy in front of acme-dns
func (a ACMETxt) allowedFromList(ips []string) bool {
	if len(ips) == 0 {
		// If no IP provided, check if no whitelist present (everyone has access)
		return a.allowedFrom("")
	}
	for _, v := range ips {
		if a.allowedFrom(v) {
			return true
		}
	}
	return false
}

func newACMETxt() ACMETxt {
	var a = ACMETxt{}
	password := generatePassword(40)
	a.Username = uuid.New()
	a.Password = password
	a.Subdomain = uuid.New().String()
	return a
}
DB code for CIDR handling 2016-12-01 05:03:08 +07:00			`package main`

			`import (`
			`"encoding/json"`
			`"net"`

Update dependencies and replace uuid library (#100) 2018-08-10 20:51:32 +07:00			`"github.com/google/uuid"`
Log IP address that we're matching against allowFrom values stored in the DB (#46) * Add logging for IP matching * Fix typo 2018-03-01 21:53:38 +07:00			`log "github.com/sirupsen/logrus"`
DB code for CIDR handling 2016-12-01 05:03:08 +07:00			`)`

			`// ACMETxt is the default structure for the user controlled record`
			`type ACMETxt struct {`
			`Username uuid.UUID`
			`Password string`
			`ACMETxtPost`
Support for multiple TXT records per subdomain (#29) * Support for multiple TXT records per subdomain and database upgrade functionality * Linter fixes * Make sure the database upgrade routine works for PostgreSQL * Move subdomain query outside of the upgrade transaction 2018-01-22 14:53:07 +07:00			`AllowFrom cidrslice`
DB code for CIDR handling 2016-12-01 05:03:08 +07:00			`}`

			`// ACMETxtPost holds the DNS part of the ACMETxt struct`
			`type ACMETxtPost struct {`
			Subdomain string `json:"subdomain"`
			Value string `json:"txt"`
			`}`

			`// cidrslice is a list of allowed cidr ranges`
			`type cidrslice []string`

			`func (c *cidrslice) JSON() string {`
			`ret, _ := json.Marshal(c.ValidEntries())`
			`return string(ret)`
			`}`

Fail closed with malformed allowfrom data in register endpoint (#148) * Prepare readme for release * Fail closed with malformed allowfrom data in register endpoint 2019-02-22 21:53:11 +07:00			`func (c *cidrslice) isValid() error {`
			`for _, v := range *c {`
			`_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))`
			`if err != nil {`
			`return err`
			`}`
			`}`
			`return nil`
			`}`

DB code for CIDR handling 2016-12-01 05:03:08 +07:00			`func (c *cidrslice) ValidEntries() []string {`
			`valid := []string{}`
			`for _, v := range *c {`
Properly parse r.RemoteAddr (#50) * Properly parse r.RemoteAddr * Add tests, and fix net.ParseCIDR issues with IPv6 addresses enclosed in brackets 2018-03-15 05:23:55 +07:00			`_, _, err := net.ParseCIDR(sanitizeIPv6addr(v))`
DB code for CIDR handling 2016-12-01 05:03:08 +07:00			`if err == nil {`
Properly parse r.RemoteAddr (#50) * Properly parse r.RemoteAddr * Add tests, and fix net.ParseCIDR issues with IPv6 addresses enclosed in brackets 2018-03-15 05:23:55 +07:00			`valid = append(valid, sanitizeIPv6addr(v))`
DB code for CIDR handling 2016-12-01 05:03:08 +07:00			`}`
			`}`
			`return valid`
			`}`

Removed register GET request in favor of POST, and did required HTTP api changes 2016-12-02 20:42:10 +07:00			`// Check if IP belongs to an allowed net`
			`func (a ACMETxt) allowedFrom(ip string) bool {`
			`remoteIP := net.ParseIP(ip)`
			`// Range not limited`
			`if len(a.AllowFrom.ValidEntries()) == 0 {`
			`return true`
			`}`
Log IP address that we're matching against allowFrom values stored in the DB (#46) * Add logging for IP matching * Fix typo 2018-03-01 21:53:38 +07:00			`log.WithFields(log.Fields{"ip": remoteIP}).Debug("Checking if update is permitted from IP")`
Removed register GET request in favor of POST, and did required HTTP api changes 2016-12-02 20:42:10 +07:00			`for _, v := range a.AllowFrom.ValidEntries() {`
			`_, vnet, _ := net.ParseCIDR(v)`
			`if vnet.Contains(remoteIP) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

Added config option to check for a header value for clinet IP 2016-12-02 22:04:16 +07:00			`// Go through list (most likely from headers) to check for the IP.`
			`// Reason for this is that some setups use reverse proxy in front of acme-dns`
			`func (a ACMETxt) allowedFromList(ips []string) bool {`
Get rid of Iris and use julienschmidt/httprouter instead (#20) * Replace iris with httprouter * Linter fixes * Finalize iris removal * Vendor dependencies for reproducable builds * Api tests are back 2017-11-15 04:54:29 +07:00			`if len(ips) == 0 {`
			`// If no IP provided, check if no whitelist present (everyone has access)`
			`return a.allowedFrom("")`
			`}`
Added config option to check for a header value for clinet IP 2016-12-02 22:04:16 +07:00			`for _, v := range ips {`
			`if a.allowedFrom(v) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

DB code for CIDR handling 2016-12-01 05:03:08 +07:00			`func newACMETxt() ACMETxt {`
			`var a = ACMETxt{}`
			`password := generatePassword(40)`
Update dependencies and replace uuid library (#100) 2018-08-10 20:51:32 +07:00			`a.Username = uuid.New()`
DB code for CIDR handling 2016-12-01 05:03:08 +07:00			`a.Password = password`
Update dependencies and replace uuid library (#100) 2018-08-10 20:51:32 +07:00			`a.Subdomain = uuid.New().String()`
DB code for CIDR handling 2016-12-01 05:03:08 +07:00			`return a`
			`}`