1f349/orchid
4
0
Fork 0
mirror of https://github.com/1f349/orchid.git synced 2024-11-09 23:02:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use access token permissions to find owned domains

Browse Source
This commit is contained in:
Melon 2023-07-12 20:55:53 +01:00
parent 4188dccd1d
commit a0dc818f5f
Signed by: melon
GPG Key ID: 6C9D970C50D26A25
2 changed files with 8 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
servers/api.go
View File

@ -5,9 +5,9 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"github.com/MrMelon54/mjwt" "github.com/MrMelon54/mjwt"
"github.com/MrMelon54/mjwt/claims"
oUtils "github.com/MrMelon54/orchid/utils" oUtils "github.com/MrMelon54/orchid/utils"
vUtils "github.com/MrMelon54/violet/utils" vUtils "github.com/MrMelon54/violet/utils"
"github.com/golang-jwt/jwt/v4"
"github.com/julienschmidt/httprouter" "github.com/julienschmidt/httprouter"
"net/http" "net/http"
"strconv" "strconv"
@ -53,8 +53,8 @@ func NewApiServer(listen string, db *sql.DB, signer mjwt.Verifier, domains oUtil
})) }))
// Endpoint for adding/removing domains to/from a certificate // Endpoint for adding/removing domains to/from a certificate
manageGet, managePutDelete := certDomainManageGET(db, signer), certDomainManagePUTandDELETE(db, signer, domains) managePutDelete := certDomainManagePUTandDELETE(db, signer, domains)
r.GET("/cert/:id/domains", manageGet) r.GET("/cert/:id/domains", certDomainManageGET(db, signer))
r.PUT("/cert/:id/domains", managePutDelete) r.PUT("/cert/:id/domains", managePutDelete)
r.DELETE("/cert/:id/domains", managePutDelete) r.DELETE("/cert/:id/domains", managePutDelete)
@ -164,15 +164,13 @@ func safeTransaction(rw http.ResponseWriter, db *sql.DB, cb func(rw http.Respons
return nil return nil
} }
// validateDomainAudienceClaims validates if the audience claims contain the // validateDomainOwnershipClaims validates if the claims contain the
// `owns=<fqdn>` field with the matching top level domain // `owns=<fqdn>` field with the matching top level domain
func validateDomainAudienceClaims(a string, aud jwt.ClaimStrings) bool { func validateDomainOwnershipClaims(a string, perms *claims.PermStorage) bool {
if fqdn, ok := vUtils.GetTopFqdn(a); ok { if fqdn, ok := vUtils.GetTopFqdn(a); ok {
for _, i := range aud { if perms.Has("owns=" + fqdn) {
if i == "owns="+fqdn {
return true return true
} }
} }
}
return false return false
} }

7
servers/certDomainManage.go
View File

@ -46,11 +46,6 @@ func certDomainManagePUTandDELETE(db *sql.DB, signer mjwt.Verifier, domains util
// check request type // check request type
isAdd := req.Method == http.MethodPut isAdd := req.Method == http.MethodPut
if len(b.Audience) == 0 {
apiError(rw, http.StatusForbidden, "Missing audience tag, to specify owned domains")
return
}
// read domains from request body // read domains from request body
var d []string var d []string
if json.NewDecoder(req.Body).Decode(&d) != nil { if json.NewDecoder(req.Body).Decode(&d) != nil {
@ -60,7 +55,7 @@ func certDomainManagePUTandDELETE(db *sql.DB, signer mjwt.Verifier, domains util
// validate all domains // validate all domains
for _, i := range d { for _, i := range d {
if !validateDomainAudienceClaims(i, b.Audience) { if !validateDomainOwnershipClaims(i, b.Claims.Perms) {
apiError(rw, http.StatusBadRequest, "Token cannot modify a specified domain") apiError(rw, http.StatusBadRequest, "Token cannot modify a specified domain")
return return
} }