louis/ovh-dane-companion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added 211 record for 311+211, but flush and reset TLSA is a bit bruteforce-y

Browse Source 
Signed-off-by: Louis Vallat <louis@louis-vallat.xyz>
This commit is contained in:
Louis Vallat 2022-02-15 08:39:39 +01:00
parent 366f7d4361
commit 20ed493e31
No known key found for this signature in database
GPG Key ID: 0C87282F76E61283
4 changed files with 30 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@ -10,6 +10,8 @@ FROM debian:stable-slim
RUN apt update && apt install -y ca-certificates openssl && rm -rf /var/lib/apt/lists/* RUN apt update && apt install -y ca-certificates openssl && rm -rf /var/lib/apt/lists/*
ADD https://letsencrypt.org/certs/isrgrootx1.pem /root/issuer.pem
COPY --from=builder /root/target/release/tlsa /root/tlsa COPY --from=builder /root/target/release/tlsa /root/tlsa
CMD ["/root/tlsa"] CMD ["/root/tlsa"]

15
src/main.rs
View File

@ -2,7 +2,7 @@ use hyper_tls::HttpsConnector;
use hyper::{Client, client::HttpConnector}; use hyper::{Client, client::HttpConnector};
use walkdir::WalkDir; use walkdir::WalkDir;
use crate::{ use crate::{
utils::{OVHClient, get_delta, get_subdomain_zone_domain_from_pem, compute_certificate}, utils::{OVHClient, get_delta, get_subdomain_zone_domain_from_pem, compute_certificate, get_hash_from_cert},
records::{get_all_records_from_zone, flush_tlsa_record_for_subdomain}}; records::{get_all_records_from_zone, flush_tlsa_record_for_subdomain}};
use publicsuffix::List; use publicsuffix::List;
use notify::{Watcher, RecursiveMode, RawEvent, raw_watcher, Op}; use notify::{Watcher, RecursiveMode, RawEvent, raw_watcher, Op};
@ -12,7 +12,7 @@ mod utils;
mod records; mod records;
async fn scan_and_update_whole_folder(base_cert_dir: &str, list: &List, async fn scan_and_update_whole_folder(base_cert_dir: &str, list: &List,
ovh_client: &OVHClient, ovh_client: &OVHClient, issuer_hash: &str,
client: &Client<HttpsConnector<HttpConnector>>) { client: &Client<HttpsConnector<HttpConnector>>) {
let interesting_records = vec!["A", "AAAA", "MX", "CNAME"]; let interesting_records = vec!["A", "AAAA", "MX", "CNAME"];
for entry in WalkDir::new(base_cert_dir).into_iter().filter_map(|e| e.ok()) { for entry in WalkDir::new(base_cert_dir).into_iter().filter_map(|e| e.ok()) {
@ -30,14 +30,14 @@ async fn scan_and_update_whole_folder(base_cert_dir: &str, list: &List,
println!(); println!();
continue; continue;
} }
compute_certificate(ovh_client, client, &entry.path(), base_cert_dir, list).await; compute_certificate(ovh_client, client, &entry.path(), base_cert_dir, issuer_hash, list).await;
println!(); println!();
} }
} }
async fn watch_folder(base_cert_dir: &str, ovh_client: &OVHClient, list: &List, async fn watch_folder(base_cert_dir: &str, ovh_client: &OVHClient, list: &List,
client: &Client<HttpsConnector<HttpConnector>>, client: &Client<HttpsConnector<HttpConnector>>,
rx: &Receiver<RawEvent>) { rx: &Receiver<RawEvent>, issuer_hash: &str) {
loop { loop {
match rx.recv() { match rx.recv() {
Ok(RawEvent{path: Some(path), op: Ok(op), cookie: _c}) => { Ok(RawEvent{path: Some(path), op: Ok(op), cookie: _c}) => {
@ -45,7 +45,7 @@ async fn watch_folder(base_cert_dir: &str, ovh_client: &OVHClient, list: &List,
|| (op != Op::CLOSE_WRITE && op != Op::REMOVE) { continue; } || (op != Op::CLOSE_WRITE && op != Op::REMOVE) { continue; }
if op == Op::CLOSE_WRITE { if op == Op::CLOSE_WRITE {
println!("Certificate '{}' modified or created. Updating.", path.display()); println!("Certificate '{}' modified or created. Updating.", path.display());
compute_certificate(ovh_client, client, &path.as_path(), base_cert_dir, list).await; compute_certificate(ovh_client, client, &path.as_path(), base_cert_dir, issuer_hash, list).await;
} }
if op == Op::REMOVE { if op == Op::REMOVE {
println!("Certificate '{}' deleted. Flushing.", path.display()); println!("Certificate '{}' deleted. Flushing.", path.display());
@ -69,6 +69,7 @@ async fn main() {
let list = List::fetch().unwrap(); let list = List::fetch().unwrap();
let base_cert_dir = "/etc/nginx/certs/"; let base_cert_dir = "/etc/nginx/certs/";
let issuer_hash = get_hash_from_cert("./issuer.pem");
let mut ovh_client = OVHClient { let mut ovh_client = OVHClient {
app_key: env::var("OVH_APP_KEY") app_key: env::var("OVH_APP_KEY")
.expect("Missing key value 'OVH_APP_KEY'."), .expect("Missing key value 'OVH_APP_KEY'."),
@ -89,9 +90,9 @@ async fn main() {
println!("Starting initialization procedure."); println!("Starting initialization procedure.");
scan_and_update_whole_folder(base_cert_dir, &list, &ovh_client, scan_and_update_whole_folder(base_cert_dir, &list, &ovh_client,
&client).await; issuer_hash.as_str(), &client).await;
println!("Initializing sequence finished. Entering sentinel mode."); println!("Initializing sequence finished. Entering sentinel mode.");
watch_folder(base_cert_dir, &ovh_client, &list, &client, &rx).await; watch_folder(base_cert_dir, &ovh_client, &list, &client, &rx, issuer_hash.as_str()).await;
} }

29
src/records.rs
View File

@ -118,30 +118,23 @@ pub async fn flush_tlsa_record_for_subdomain(ovh_client: &OVHClient,
pub async fn update_tlsa_for_subdomain(ovh_client: &OVHClient, pub async fn update_tlsa_for_subdomain(ovh_client: &OVHClient,
client: &Client<HttpsConnector<HttpConnector>>, client: &Client<HttpsConnector<HttpConnector>>,
zone: &str, subdomain: &str, hash: &str, port: u32, protocol: &str) { zone: &str, subdomain: &str, hash: &str,
let mut tlsa = get_records_from_zone(ovh_client, client, zone, "TLSA", issuer_hash: &str, port: u32, protocol: &str) {
get_tlsa_subdomain(subdomain, port, protocol) flush_tlsa_record_for_subdomain(ovh_client, client, zone, subdomain).await;
.as_str()).await;
if tlsa.is_empty() {
add_record_to_zone(ovh_client, client, zone, &Record { add_record_to_zone(ovh_client, client, zone, &Record {
sub_domain: get_tlsa_subdomain(subdomain, port, protocol), sub_domain: get_tlsa_subdomain(subdomain, port, protocol),
target: format!("3 1 1 {}", hash).to_string(), target: format!("3 1 1 {}", hash).to_string(),
field_type: "TLSA".to_string(), field_type: "TLSA".to_string(),
ttl: 60, ttl: 0,
id: 0
}).await;
add_record_to_zone(ovh_client, client, zone, &Record {
sub_domain: get_tlsa_subdomain(subdomain, port, protocol),
target: format!("2 1 1 {}", issuer_hash).to_string(),
field_type: "TLSA".to_string(),
ttl: 0,
id: 0 id: 0
}).await; }).await;
} else {
let (mut first, others) = tlsa.split_first_mut().unwrap();
let target = format!("3 1 1 {}", hash).to_string();
if first.target != target || first.ttl != 60 {
first.target = target;
first.ttl = 60;
update_record_in_zone(ovh_client, client, zone, first).await;
}
for record in others {
delete_record_from_zone(ovh_client, client, zone, record.id).await;
}
}
refresh_zone(ovh_client, client, zone).await; refresh_zone(ovh_client, client, zone).await;
} }

6
src/utils.rs
View File

@ -79,7 +79,7 @@ pub fn get_tlsa_subdomain(subdomain: &str, port: u32, protocol: &str) -> String
pub async fn compute_certificate(ovh_client: &OVHClient, pub async fn compute_certificate(ovh_client: &OVHClient,
client: &Client<HttpsConnector<HttpConnector>>, client: &Client<HttpsConnector<HttpConnector>>,
path: &Path, base_cert_dir: &str, list: &List) { path: &Path, base_cert_dir: &str, issuer_hash: &str, list: &List) {
let (subdomain, zone, domain) = get_subdomain_zone_domain_from_pem(path, base_cert_dir, list); let (subdomain, zone, domain) = get_subdomain_zone_domain_from_pem(path, base_cert_dir, list);
let (subdomain, zone, domain) = (subdomain.as_str(), zone.as_str(), domain.as_str()); let (subdomain, zone, domain) = (subdomain.as_str(), zone.as_str(), domain.as_str());
let records = get_all_records_from_zone(&ovh_client, &client, zone, subdomain).await; let records = get_all_records_from_zone(&ovh_client, &client, zone, subdomain).await;
@ -88,11 +88,11 @@ pub async fn compute_certificate(ovh_client: &OVHClient,
|| r.field_type == "CNAME") { || r.field_type == "CNAME") {
println!("\tDomain '{}' is associated with website. Updating.", domain); println!("\tDomain '{}' is associated with website. Updating.", domain);
update_tlsa_for_subdomain(&ovh_client, &client, zone, subdomain, update_tlsa_for_subdomain(&ovh_client, &client, zone, subdomain,
hash.as_str(), 443, "tcp").await; hash.as_str(), issuer_hash, 443, "tcp").await;
} }
if records.iter().any(|r| r.field_type == "MX" && r.sub_domain == subdomain) { if records.iter().any(|r| r.field_type == "MX" && r.sub_domain == subdomain) {
println!("\tDomain '{}' is associated with mail. Updating.", domain); println!("\tDomain '{}' is associated with mail. Updating.", domain);
update_tlsa_for_subdomain(&ovh_client, &client, zone, subdomain, update_tlsa_for_subdomain(&ovh_client, &client, zone, subdomain,
hash.as_str(), 25, "tcp").await; hash.as_str(), issuer_hash, 25, "tcp").await;
} }
} }