fixing get_dns_challenge() logic so duplicate domains (such as wildcard and not wildcard) do not match the wrong authorziations

2020-03-13 00:03:31 -07:00 · 2020-03-13 00:03:31 -07:00 · 921d52b360
parent 027580cade
commit 921d52b360
1 changed files with 20 additions and 10 deletions
--- a/lemur/plugins/lemur_acme/plugin.py
+++ b/lemur/plugins/lemur_acme/plugin.py
@ -54,18 +54,30 @@ class AcmeHandler(object):
            current_app.logger.error(f"Unable to fetch DNS Providers: {e}")
            self.all_dns_providers = []

-    def find_dns_challenge(self, host, authorizations):
+    def get_dns_challenges(self, host, authorizations):
+        """Get final domain to validate and dns challenges for it"""
+
+        domain_to_validate, is_wildcard = self.strip_wildcard(host)
        dns_challenges = []
        for authz in authorizations:
-            if not authz.body.identifier.value.lower() == host.lower():
+            if not authz.body.identifier.value.lower() == domain_to_validate.lower():
+                continue
+            if is_wildcard and not authz.body.wildcard:
+                continue
+            if not is_wildcard and authz.body.wildcard:
                continue
            for combo in authz.body.challenges:
                if isinstance(combo.chall, challenges.DNS01):
                    dns_challenges.append(combo)
-        return dns_challenges

-    def maybe_remove_wildcard(self, host):
-        return host.replace("*.", "")
+        return domain_to_validate, dns_challenges
+
+    def strip_wildcard(self, host):
+        """Removes the leading *. and returns Host and whether it was removed or not (True/False)"""
+        prefix = "*."
+        if host.startswith(prefix):
+            return host[len(prefix):], True
+        return host, False

    def maybe_add_extension(self, host, dns_provider_options):
        if dns_provider_options and dns_provider_options.get(
@ -86,9 +98,7 @@ class AcmeHandler(object):
        current_app.logger.debug("Starting DNS challenge for {0}".format(host))

        change_ids = []
-
-        host_to_validate = self.maybe_remove_wildcard(host)
-        dns_challenges = self.find_dns_challenge(host_to_validate, order.authorizations)
+        host_to_validate, dns_challenges = self.get_dns_challenges(host, order.authorizations)
        host_to_validate = self.maybe_add_extension(
            host_to_validate, dns_provider_options
        )
@ -325,7 +335,7 @@ class AcmeHandler(object):
                    )
                    dns_provider_options = json.loads(dns_provider.credentials)
                    account_number = dns_provider_options.get("account_id")
-                    host_to_validate = self.maybe_remove_wildcard(authz_record.host)
+                    host_to_validate, _ = self.strip_wildcard(authz_record.host)
                    host_to_validate = self.maybe_add_extension(
                        host_to_validate, dns_provider_options
                    )
@ -357,7 +367,7 @@ class AcmeHandler(object):
                dns_provider_options = json.loads(dns_provider.credentials)
                account_number = dns_provider_options.get("account_id")
                dns_challenges = authz_record.dns_challenge
-                host_to_validate = self.maybe_remove_wildcard(authz_record.host)
+                host_to_validate, _ = self.strip_wildcard(authz_record.host)
                host_to_validate = self.maybe_add_extension(
                    host_to_validate, dns_provider_options
                )