Commit 42b32088 authored by Gaël Berthaud-Müller's avatar Gaël Berthaud-Müller

restrict access to a preconfigured domain list

parent 401cf87f
......@@ -26,6 +26,7 @@ var (
tlsKey string
enableDane bool
resolvConf string
allowedDomains []string
)
// Setup configures the package.
......@@ -36,6 +37,7 @@ func Setup(conf config.Config) error {
tlsKey = conf.JoinServer.TLSKey
enableDane = conf.JoinServer.EnableDane
resolvConf = conf.JoinServer.ResolvConf
allowedDomains = conf.JoinServer.AllowedDomains
log.WithFields(log.Fields{
"bind": bind,
......@@ -65,7 +67,15 @@ func Setup(conf config.Config) error {
if enableDane {
go func() {
err := dance.HttpServeAndListen(bind, tlsCert, tlsKey, resolvConf, handler)
danceConfig := dance.Config {
CertFile: tlsCert,
KeyFile: tlsKey,
ResolverConf: resolvConf,
}
if len(allowedDomains) > 0 {
danceConfig.AuthorizationCallback = dance.GetDomainAllowListCallback(allowedDomains)
}
err := dance.HttpServeAndListen(bind, &danceConfig, handler)
log.WithError(err).Fatal("api/js: join-server api error")
}()
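Review bot: The allow list is wired only inside the `if enableDane` branch and only when `allowedDomains` is non-empty, so with an absent or mistyped `allowed_client_domains` key no `AuthorizationCallback` is set and the server presumably accepts any client domain — the restriction the commit title promises fails open silently. Consider making that explicit at startup: after the assignment in `Setup` add `if len(allowedDomains) == 0 { log.Warn("api/js: allowed_client_domains is empty, client domain restriction disabled") }`, and add `"allowed_domains": allowedDomains` to the `log.WithFields` call in the second hunk so the effective list is visible in logs. Also `dance.Config {` is not gofmt-clean; write `danceConfig := dance.Config{`. The goroutine and the surrounding `if enableDane` block continue past the end of the hunk, so whether the non-DANE path enforces the list at all cannot be seen here.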
......
......@@ -96,6 +96,7 @@ type Config struct {
TLSCert string `mapstructure:"tls_cert"`
TLSKey string `mapstructure:"tls_key"`
EnableDane bool `mapstructure:"enable_dane"`
AllowedDomains []string `mapstructure:"allowed_client_domains"`
ResolvConf string `mapstructure:"resolv_conf"`
KEK struct {
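Review bot: The new `AllowedDomains` field has no doc comment, and its `mapstructure` key `allowed_client_domains` does not match the field name, so a reader of the config struct cannot tell what the option controls or what an empty list means. Given the `len(allowedDomains) > 0` check in the Setup hunk, an empty list appears to apply no restriction; state that where the option is defined, e.g. `// AllowedDomains lists the client domains permitted to use the join-server API (key allowed_client_domains); an empty list applies no restriction.` The enclosing `Config` struct starts before and ends after this hunk.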
......