Enforce more constraints on hostname,port combo provided by client.

davidv1992 · rnijveld · commit 86f169aad189 · 2025-12-19T14:57:36.000Z
This provides new checks for uniqueness, and not being unwanted names
like localhost, .local domains or the pool domain.
diff --git a/nts-pool-management/migrations/20251217083055_timesource_unique.down.sql b/nts-pool-management/migrations/20251217083055_timesource_unique.down.sql
@@ -0,0 +1,4 @@
+-- Add down migration script here
+DROP INDEX time_sources_hostname_port_unique;
+ALTER TABLE time_sources ALTER COLUMN port DROP NOT NULL;
+ALTER TABLE time_sources ALTER COLUMN port DROP DEFAULT;
diff --git a/nts-pool-management/migrations/20251217083055_timesource_unique.up.sql b/nts-pool-management/migrations/20251217083055_timesource_unique.up.sql
@@ -0,0 +1,5 @@
+-- Add up migration script here
+UPDATE time_sources SET port=4460 WHERE port IS NULL;
+ALTER TABLE time_sources ALTER COLUMN port SET DEFAULT 4460;
+ALTER TABLE time_sources ALTER COLUMN port SET NOT NULL;
+CREATE UNIQUE INDEX time_sources_hostname_port_unique ON time_sources (hostname, port) WHERE NOT deleted;
diff --git a/nts-pool-management/src/models/time_source.rs b/nts-pool-management/src/models/time_source.rs
@@ -9,6 +9,7 @@ use sha3::Digest;
 
 use crate::{
     DbConnLike,
+    context::AppContext,
     error::AppError,
     models::{
         monitor::MonitorId,
@@ -46,7 +47,7 @@ pub struct TimeSource {
 #[derive(Debug, Deserialize, Clone, PartialEq, Eq)]
 pub struct NewTimeSource {
     pub hostname: String,
-    pub port: Option<Port>,
+    pub port: Port,
 }
 
 #[derive(Debug, Deserialize, Clone)]
@@ -60,39 +61,47 @@ pub struct UpdateTimeSourceForm {
     pub weight: i32,
 }
 
-impl TryFrom<NewTimeSourceForm> for NewTimeSource {
-    type Error = AppError;
+const DEFAULT_NTSKE_PORT: u16 = 4460;
 
-    fn try_from(form: NewTimeSourceForm) -> Result<Self, Self::Error> {
-        let port = if form.port.is_empty() {
-            None
+impl NewTimeSourceForm {
+    pub fn into_new_source(self, context: &AppContext) -> Result<NewTimeSource, AppError> {
+        let port = if self.port.is_empty() {
+            DEFAULT_NTSKE_PORT
+                .try_into()
+                .wrap_err("Internal app error, 4460 not a valid port")?
         } else {
-            Some(
-                form.port
-                    .parse::<u16>()
-                    .wrap_err("Could not parse into port number")?
-                    .try_into()
-                    .wrap_err("Could not parse into port number")?,
-            )
+            self.port
+                .parse::<u16>()
+                .wrap_err("Could not parse into port number")?
+                .try_into()
+                .wrap_err("Could not parse into port number")?
         };
 
-        // Check domain name is reasonable (cf. RFC 1035)
-        if form.hostname.is_empty()
-            || !form
-                .hostname
-                .chars()
-                .all(|c| matches!(c, '0'..='9' | '.' | '-' | 'a'..='z' | 'A'..='Z'))
-        {
-            return Err(eyre::eyre!("Invalid domain name").into());
-        }
+        check_hostname_reasonable(&self.hostname, context)?;
 
-        Ok(Self {
-            hostname: form.hostname,
+        Ok(NewTimeSource {
+            hostname: self.hostname,
             port,
         })
     }
 }
 
+fn check_hostname_reasonable(hostname: &str, context: &AppContext) -> Result<(), AppError> {
+    if hostname.is_empty()
+        || !hostname
+            .chars()
+            .all(|c| matches!(c, '0'..='9' | '.' | '-' | 'a'..='z' | 'A'..='Z'))
+        || hostname.ends_with(".local")
+        || hostname.ends_with(".")
+        || hostname.ends_with("localhost")
+        || hostname.ends_with(&context.ke_domain)
+    {
+        return Err(eyre::eyre!("Invalid domain name").into());
+    }
+
+    Ok(())
+}
+
 pub async fn infer_regions(
     hostname: impl AsRef<str>,
     geodb: &maxminddb::Reader<impl AsRef<[u8]>>,
@@ -466,131 +475,208 @@ mod tests {
     #[test]
     fn test_time_source_form_valid_without_port_1() {
         assert_eq!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "test".into(),
                 port: "".into()
-            })
+            }
+            .into_new_source(&AppContext::default())
             .unwrap(),
             NewTimeSource {
                 hostname: "test".into(),
-                port: None
+                port: 4460.try_into().unwrap()
             }
         );
     }
 
     #[test]
     fn test_time_source_form_valid_without_port_2() {
         assert_eq!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "ExAmPlE.com".into(),
                 port: "".into()
-            })
+            }
+            .into_new_source(&AppContext::default())
             .unwrap(),
             NewTimeSource {
                 hostname: "ExAmPlE.com".into(),
-                port: None
+                port: 4460.try_into().unwrap(),
             }
         );
     }
 
     #[test]
     fn test_time_source_form_valid_with_port() {
         assert_eq!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "test".into(),
                 port: "456".into()
-            })
+            }
+            .into_new_source(&AppContext::default())
             .unwrap(),
             NewTimeSource {
                 hostname: "test".into(),
-                port: Some(456.try_into().unwrap())
+                port: 456.try_into().unwrap()
             }
         );
     }
 
     #[test]
     fn test_time_source_form_reject_weird_characters_1() {
         assert!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "js(.com".into(),
                 port: "".into(),
-            })
+            }
+            .into_new_source(&AppContext::default())
             .is_err()
         );
     }
 
     #[test]
     fn test_time_source_form_reject_weird_characters_2() {
         assert!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "jsê.com".into(),
                 port: "".into(),
-            })
+            }
+            .into_new_source(&AppContext::default())
             .is_err()
         );
     }
 
     #[test]
     fn test_time_source_form_reject_weird_characters_3() {
         assert!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "js@.com".into(),
                 port: "".into(),
-            })
+            }
+            .into_new_source(&AppContext::default())
             .is_err()
         );
     }
 
     #[test]
     fn test_time_source_form_reject_port_0() {
         assert!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "example.com".into(),
                 port: "0".into(),
-            })
+            }
+            .into_new_source(&AppContext::default())
             .is_err()
         );
     }
 
     #[test]
     fn test_time_source_form_reject_port_100000() {
         assert!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "example.com".into(),
                 port: "100000".into(),
-            })
+            }
+            .into_new_source(&AppContext::default())
             .is_err()
         );
     }
 
     #[test]
     fn test_time_source_form_reject_non_numeric_port() {
         assert!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "example.com".into(),
                 port: "fe".into(),
-            })
+            }
+            .into_new_source(&AppContext::default())
             .is_err()
         );
     }
 
     #[test]
     fn test_time_source_form_reject_port_with_trailing_garbage() {
         assert!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "example.com".into(),
                 port: "123 abc".into(),
-            })
+            }
+            .into_new_source(&AppContext::default())
             .is_err()
         );
     }
 
     #[test]
     fn test_time_source_form_require_hostname() {
         assert!(
-            NewTimeSource::try_from(NewTimeSourceForm {
+            NewTimeSourceForm {
                 hostname: "".into(),
                 port: "".into(),
+            }
+            .into_new_source(&AppContext::default())
+            .is_err()
+        );
+    }
+
+    #[test]
+    fn test_time_source_form_reject_local() {
+        assert!(
+            NewTimeSourceForm {
+                hostname: "example.local".into(),
+                port: "123".into(),
+            }
+            .into_new_source(&AppContext::default())
+            .is_err()
+        );
+
+        assert!(
+            NewTimeSourceForm {
+                hostname: "localhost".into(),
+                port: "123".into(),
+            }
+            .into_new_source(&AppContext::default())
+            .is_err()
+        );
+
+        assert!(
+            NewTimeSourceForm {
+                hostname: "example.local.".into(),
+                port: "123".into(),
+            }
+            .into_new_source(&AppContext::default())
+            .is_err()
+        );
+
+        assert!(
+            NewTimeSourceForm {
+                hostname: "example.localhost".into(),
+                port: "123".into(),
+            }
+            .into_new_source(&AppContext::default())
+            .is_err()
+        );
+    }
+
+    #[test]
+    fn test_time_source_form_reject_ke_domain() {
+        assert!(
+            NewTimeSourceForm {
+                hostname: "ke.example.org".into(),
+                port: "123".into(),
+            }
+            .into_new_source(&AppContext {
+                ke_domain: "ke.example.org".into(),
+                ..AppContext::default()
+            })
+            .is_err()
+        );
+
+        assert!(
+            NewTimeSourceForm {
+                hostname: "bla.ke.example.org".into(),
+                port: "123".into(),
+            }
+            .into_new_source(&AppContext {
+                ke_domain: "ke.example.org".into(),
+                ..AppContext::default()
             })
             .is_err()
         );
diff --git a/nts-pool-management/src/routes/management.rs b/nts-pool-management/src/routes/management.rs
@@ -208,7 +208,7 @@ pub async fn create_time_source(
     match time_source::create(
         &state.db,
         user.id,
-        new_time_source.clone().try_into()?,
+        new_time_source.clone().into_new_source(&app)?,
         state.config.base_secret_index,
         &geodb,
     )
@@ -224,11 +224,10 @@ pub async fn create_time_source(
             ),
         })
         .into_response()),
-        Err(_) => Ok((
-            cookies.flash_error("Could not add time source".to_string()),
-            Redirect::to(TIME_SOURCES_ENDPOINT),
-        )
-            .into_response()),
+        Err(_) => {
+            cookies.flash_error("Could not add duplicate time source".to_string());
+            Ok((cookies, Redirect::to(TIME_SOURCES_ENDPOINT)).into_response())
+        }
     }
 }
 
