restrict access to a preconfigured domain list

42b32088 · Gaël Berthaud-Müller · 401cf87f · 42b32088 · 42b32088
Commit 42b32088 authored Mar 19, 2022 by Gaël Berthaud-Müller
--- a/internal/api/js/join_server.go
+++ b/internal/api/js/join_server.go
@@ -26,6 +26,7 @@ var (
 	tlsKey  string
 	enableDane bool
 	resolvConf string
+	allowedDomains []string
 )

 // Setup configures the package.
@@ -36,6 +37,7 @@ func Setup(conf config.Config) error {
 	tlsKey = conf.JoinServer.TLSKey
 	enableDane = conf.JoinServer.EnableDane
 	resolvConf = conf.JoinServer.ResolvConf
+	allowedDomains = conf.JoinServer.AllowedDomains

 	log.WithFields(log.Fields{
 		"bind":     bind,
@@ -65,7 +67,15 @@ func Setup(conf config.Config) error {

 	if enableDane {
 		go func() {
-			err := dance.HttpServeAndListen(bind, tlsCert, tlsKey, resolvConf, handler)
+			danceConfig := dance.Config {
+				CertFile: tlsCert,
+				KeyFile: tlsKey,
+				ResolverConf: resolvConf,
+			}
+			if len(allowedDomains) > 0 {
+				danceConfig.AuthorizationCallback = dance.GetDomainAllowListCallback(allowedDomains)
+			}
+			err := dance.HttpServeAndListen(bind, &danceConfig, handler)
 			log.WithError(err).Fatal("api/js: join-server api error")
 		}()


--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -96,6 +96,7 @@ type Config struct {
 		TLSCert string `mapstructure:"tls_cert"`
 		TLSKey  string `mapstructure:"tls_key"`
 		EnableDane bool `mapstructure:"enable_dane"`
+		AllowedDomains []string `mapstructure:"allowed_client_domains"`
 		ResolvConf string `mapstructure:"resolv_conf"`

 		KEK struct {