Implement endpoints

Author: liujed

client_registry.go

@@ -2,11 +2,37 @@ package caddydns01proxy
 
 import (
 	"fmt"
+	"net/http"
+	"strings"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/liujed/goutil/maps"
+	"github.com/liujed/goutil/optionals"
+	"github.com/smallstep/certificates/policy"
 )
 
+type DenyReason string
+
+const (
+	// Indicates that authorization failed because the user's ID was not found in
+	// the client registry.
+	DenyUnknownUser DenyReason = "unknown user"
+
+	// Indicates that authorization failed because the user is not authorized to
+	// answer challenges for the requested domain.
+	DenyDomainNotAllowed DenyReason = "requested domain denied by policy"
+
+	// Indicates that authorization failed because the user requested an invalid
+	// domain.
+	DenyInvalidDomain DenyReason = "requested domain not valid"
+
+	// Indicates that an error occurred during authorization.
+	DenyError DenyReason = "an error occurred"
+)
+
+// DNS names for answering DNS-01 challenges are expected to have this prefix.
+const challengeDomainPrefix = "_acme-challenge."
+
 // A registry of known users and their corresponding policy configuration.
 type ClientRegistry struct {
 	// Maps each client's user ID to its policy configuration.
@@ -45,3 +71,54 @@ func (c *ClientRegistry) Provision(
 
 	return nil
 }
+
+// Determines whether the current authenticated user is allowed to answer a
+// DNS-01 challenge at the given challenge domain. Returns None on success.
+// Otherwise, returns the reason for denial.
+func (r *ClientRegistry) AuthorizeUserChallengeDomain(
+	req *http.Request,
+	challengeDomain string,
+) (optionals.Optional[DenyReason], error) {
+	// Get the authenticated user ID from the context.
+	repl := req.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
+	userID, exists := repl.GetString("http.auth.user.id")
+	if !exists {
+		// Authentication not configured?
+		return optionals.Some(DenyError),
+			fmt.Errorf("unable to determine user ID (is authentication configured?)")
+	}
+
+	config, exists := r.Clients.Get(userID).Get()
+	if !exists {
+		return optionals.Some(DenyUnknownUser), nil
+	}
+
+	// Deny if the challenge domain doesn't have the expected prefix.
+	if !strings.HasPrefix(challengeDomain, challengeDomainPrefix) {
+		return optionals.Some(DenyInvalidDomain), nil
+	}
+
+	// Strip off the prefix and remove any trailing dot. If the result starts with
+	// a dot, then the requested domain is invalid. Otherwise, check the result
+	// against the domain policy.
+	domain := strings.TrimPrefix(challengeDomain, challengeDomainPrefix)
+	domain = strings.TrimSuffix(domain, ".")
+	if strings.HasPrefix(domain, ".") {
+		return optionals.Some(DenyInvalidDomain), nil
+	}
+	err := config.DomainPolicy.IsDNSAllowed(domain)
+	if err != nil {
+		if npe, ok := err.(*policy.NamePolicyError); ok {
+			switch npe.Reason {
+			case policy.NotAllowed:
+				return optionals.Some(DenyDomainNotAllowed), nil
+			case policy.CannotParseDomain:
+				return optionals.Some(DenyInvalidDomain), nil
+			}
+		}
+		return optionals.Some(DenyError),
+			fmt.Errorf("unable to authorize challenge domain: %w", err)
+	}
+
+	return optionals.None[DenyReason](), nil
+}

dns_config.go

@@ -16,6 +16,10 @@ type DNSConfig struct {
 
 	// The TTL to use for the DNS TXT records when answering challenges.
 	TTL optionals.Optional[caddy.Duration] `json:"ttl"`
+
+	// Custom DNS resolvers to prefer over system/built-in defaults. Often
+	// necessary to configure when using split-horizon DNS.
+	Resolvers []string `json:"resolvers,omitempty"`
 }
 
 var _ caddy.Provisioner = (*Handler)(nil)

go.mod

@@ -5,6 +5,7 @@ go 1.24.3
 require (
 	github.com/caddyserver/caddy/v2 v2.10.0
 	github.com/caddyserver/certmagic v0.23.0
+	github.com/libdns/libdns v1.0.0-beta.1
 	github.com/liujed/goutil v0.0.0
 	github.com/smallstep/certificates v0.26.1
 	github.com/spf13/cobra v1.9.1
@@ -60,7 +61,6 @@ require (
 	github.com/jackc/pgx/v4 v4.18.3 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
-	github.com/libdns/libdns v1.0.0-beta.1 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect

handler.go

@@ -3,13 +3,17 @@ package caddydns01proxy
 import (
 	"fmt"
 	"net/http"
+	"time"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp/caddyauth"
+	"github.com/caddyserver/certmagic"
+	"github.com/libdns/libdns"
 	"github.com/liujed/caddy-dns01proxy/jsonutil"
 	"github.com/liujed/goutil/optionals"
+	"go.uber.org/zap"
 )
 
 func init() {
@@ -32,6 +36,8 @@ type Handler struct {
 	// Identifies the domains at which each client is allowed to answer DNS-01
 	// challenges. Derived from [AccountsRaw].
 	ClientRegistry ClientRegistry `json:"-"`
+
+	logger *zap.Logger
 }
 
 var _ caddy.Module = (*Handler)(nil)
@@ -53,6 +59,8 @@ func (Handler) CaddyModule() caddy.ModuleInfo {
 }
 
 func (h *Handler) Provision(ctx caddy.Context) error {
+	h.logger = ctx.Logger()
+
 	// Provision DNS.
 	err := h.DNS.Provision(ctx)
 	if err != nil {
@@ -152,7 +160,79 @@ func (h *Handler) handleDNSRequest(
 		req *http.Request,
 		reqBody RequestBody,
 	) (httpStatus int, respBody optionals.Optional[ResponseBody], err error) {
-		// TODO
-		return http.StatusInternalServerError, optionals.None[ResponseBody](), nil
+		// Check that the user gave a valid request body.
+		if !reqBody.IsValid() {
+			return http.StatusBadRequest, optionals.None[ResponseBody](), nil
+		}
+
+		// Log the challenge domain that appears in the request.
+		addLogField(req, zap.String("domain", reqBody.ChallengeFQDN))
+
+		// Check that the user is authorized for the challenge domain in the
+		// request.
+		denyReasonOpt, err := h.ClientRegistry.AuthorizeUserChallengeDomain(
+			req,
+			reqBody.ChallengeFQDN,
+		)
+		if err != nil {
+			return 0, optionals.None[ResponseBody](),
+				fmt.Errorf("unable to authorize user for requested domain: %w", err)
+		}
+		if denyReason, denied := denyReasonOpt.Get(); denied {
+			addLogField(req, zap.String(logAuthorizationFailure, string(denyReason)))
+			return http.StatusForbidden, optionals.None[ResponseBody](), nil
+		}
+
+		// Figure out the challenge domain's DNS zone.
+		zone, err := certmagic.FindZoneByFQDN(
+			req.Context(),
+			h.logger,
+			reqBody.ChallengeFQDN,
+			certmagic.RecursiveNameservers(h.DNS.Resolvers),
+		)
+		if err != nil {
+			return 0, optionals.None[ResponseBody](),
+				fmt.Errorf(
+					"unable to find DNS zone for %q: %w",
+					reqBody.ChallengeFQDN,
+					err,
+				)
+		}
+
+		// Build the DNS record to create/delete.
+		ttl := time.Duration(h.DNS.TTL.GetOrDefault(0))
+		if mode == hmCleanup {
+			ttl = 0
+		}
+		records := []libdns.Record{
+			libdns.TXT{
+				Name: libdns.RelativeName(reqBody.ChallengeFQDN, zone),
+				TTL:  ttl,
+				Text: `"` + reqBody.Value + `"`,
+			},
+		}
+
+		switch mode {
+		case hmPresent:
+			// Create the DNS record.
+			_, err = h.DNS.Provider.AppendRecords(req.Context(), zone, records)
+			if err != nil {
+				return 0, optionals.None[ResponseBody](),
+					fmt.Errorf("error creating DNS record: %w", err)
+			}
+			return http.StatusOK, optionals.Some(reqBody), nil
+
+		case hmCleanup:
+			// Delete the DNS record.
+			_, err = h.DNS.Provider.DeleteRecords(req.Context(), zone, records)
+			if err != nil {
+				return 0, optionals.None[ResponseBody](),
+					fmt.Errorf("error deleting DNS record: %w", err)
+			}
+			return http.StatusOK, optionals.Some(reqBody), nil
+		}
+
+		return 0, optionals.None[ResponseBody](),
+			fmt.Errorf("unknown handler mode: %q", mode)
 	}
 }

logging.go

@@ -0,0 +1,19 @@
+package caddydns01proxy
+
+import (
+	"net/http"
+
+	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
+	"go.uber.org/zap"
+)
+
+const (
+	// Log key for reporting why a user failed authorization.
+	logAuthorizationFailure = "deny_reason"
+)
+
+// Adds the given field to the access logs for the given request.
+func addLogField(req *http.Request, field zap.Field) {
+	extra := req.Context().Value(caddyhttp.ExtraLogFieldsCtxKey).(*caddyhttp.ExtraLogFields)
+	extra.Add(field)
+}