Use access token permissions to find owned domains
This commit is contained in:
parent
4188dccd1d
commit
a0dc818f5f
@ -5,9 +5,9 @@ import (
|
|||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/MrMelon54/mjwt"
|
"github.com/MrMelon54/mjwt"
|
||||||
|
"github.com/MrMelon54/mjwt/claims"
|
||||||
oUtils "github.com/MrMelon54/orchid/utils"
|
oUtils "github.com/MrMelon54/orchid/utils"
|
||||||
vUtils "github.com/MrMelon54/violet/utils"
|
vUtils "github.com/MrMelon54/violet/utils"
|
||||||
"github.com/golang-jwt/jwt/v4"
|
|
||||||
"github.com/julienschmidt/httprouter"
|
"github.com/julienschmidt/httprouter"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strconv"
|
"strconv"
|
||||||
@ -53,8 +53,8 @@ func NewApiServer(listen string, db *sql.DB, signer mjwt.Verifier, domains oUtil
|
|||||||
}))
|
}))
|
||||||
|
|
||||||
// Endpoint for adding/removing domains to/from a certificate
|
// Endpoint for adding/removing domains to/from a certificate
|
||||||
manageGet, managePutDelete := certDomainManageGET(db, signer), certDomainManagePUTandDELETE(db, signer, domains)
|
managePutDelete := certDomainManagePUTandDELETE(db, signer, domains)
|
||||||
r.GET("/cert/:id/domains", manageGet)
|
r.GET("/cert/:id/domains", certDomainManageGET(db, signer))
|
||||||
r.PUT("/cert/:id/domains", managePutDelete)
|
r.PUT("/cert/:id/domains", managePutDelete)
|
||||||
r.DELETE("/cert/:id/domains", managePutDelete)
|
r.DELETE("/cert/:id/domains", managePutDelete)
|
||||||
|
|
||||||
@ -164,14 +164,12 @@ func safeTransaction(rw http.ResponseWriter, db *sql.DB, cb func(rw http.Respons
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// validateDomainAudienceClaims validates if the audience claims contain the
|
// validateDomainOwnershipClaims validates if the claims contain the
|
||||||
// `owns=<fqdn>` field with the matching top level domain
|
// `owns=<fqdn>` field with the matching top level domain
|
||||||
func validateDomainAudienceClaims(a string, aud jwt.ClaimStrings) bool {
|
func validateDomainOwnershipClaims(a string, perms *claims.PermStorage) bool {
|
||||||
if fqdn, ok := vUtils.GetTopFqdn(a); ok {
|
if fqdn, ok := vUtils.GetTopFqdn(a); ok {
|
||||||
for _, i := range aud {
|
if perms.Has("owns=" + fqdn) {
|
||||||
if i == "owns="+fqdn {
|
return true
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return false
|
return false
|
||||||
|
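Review bot: validateDomainOwnershipClaims now dereferences `perms` through `perms.Has("owns=" + fqdn)`, but nothing in the hunk guards against a nil `*claims.PermStorage`; the previous `aud jwt.ClaimStrings` argument was a slice, so ranging over a missing claim was a harmless no-op, whereas a token without a permission set may now panic inside the handler unless `PermStorage.Has` tolerates a nil receiver, which is not visible here. A guard at the top of the function keeps the helper total and preserves the old "no claim means not owned" behaviour: `if perms == nil { return false }`. The doc comment should also state what the visible code does with the input, namely that `a` is first reduced by `vUtils.GetTopFqdn` and the permission is matched against that result, so one `owns=<fqdn>` entry on the top-level domain authorises every name that resolves to it; something like `// The permission is matched against the top-level domain returned by vUtils.GetTopFqdn(a), so owns=<tld> covers all names under it.` would capture that for the next reader.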
@ -46,11 +46,6 @@ func certDomainManagePUTandDELETE(db *sql.DB, signer mjwt.Verifier, domains util
|
|||||||
// check request type
|
// check request type
|
||||||
isAdd := req.Method == http.MethodPut
|
isAdd := req.Method == http.MethodPut
|
||||||
|
|
||||||
if len(b.Audience) == 0 {
|
|
||||||
apiError(rw, http.StatusForbidden, "Missing audience tag, to specify owned domains")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// read domains from request body
|
// read domains from request body
|
||||||
var d []string
|
var d []string
|
||||||
if json.NewDecoder(req.Body).Decode(&d) != nil {
|
if json.NewDecoder(req.Body).Decode(&d) != nil {
|
||||||
@ -60,7 +55,7 @@ func certDomainManagePUTandDELETE(db *sql.DB, signer mjwt.Verifier, domains util
|
|||||||
|
|
||||||
// validate all domains
|
// validate all domains
|
||||||
for _, i := range d {
|
for _, i := range d {
|
||||||
if !validateDomainAudienceClaims(i, b.Audience) {
|
if !validateDomainOwnershipClaims(i, b.Claims.Perms) {
|
||||||
apiError(rw, http.StatusBadRequest, "Token cannot modify a specified domain")
|
apiError(rw, http.StatusBadRequest, "Token cannot modify a specified domain")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
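Review bot: Removing the `len(b.Audience) == 0` guard leaves certDomainManagePUTandDELETE with no explicit response for a token that carries no permission set at all; such a request now falls through to the per-domain loop in the second hunk, where the outcome depends on how `validateDomainOwnershipClaims` handles a nil `b.Claims.Perms`, which this diff does not show. Restoring the guard in its new form keeps that failure explicit and local to the handler: `if b.Claims.Perms == nil { apiError(rw, http.StatusForbidden, "Missing permissions, to specify owned domains"); return }`. Separately, a domain the token is not permitted to modify is still reported with `http.StatusBadRequest` on the `apiError` line in the second hunk, while the guard this commit removes used `http.StatusForbidden` for the same class of authorisation failure; `http.StatusForbidden` would be the consistent choice there. The enclosing handler body starts before the first hunk and continues past the second.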