cotugno/AdGuardHome
2
Fork 0
mirror of https://github.com/AdguardTeam/AdGuardHome.git synced 2024-11-16 02:18:28 -07:00
Code Issues Packages Projects Releases Wiki Activity
506d71310c
AdGuardHome/internal/dnsforward/clientid.go
Eugene Burkov 20531de760 Pull request: Pull request: 4884 Update golibs 
Merge in DNS/adguard-home from 4884-upd-golibs to master

Updates #4884.

Squashed commit of the following:

commit 4d076021c2e500a75d0b3662643c0c26fd53f6c3
Merge: d780ad00 91dee098
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Feb 21 16:47:08 2023 +0300

    Merge branch 'master' into 4884-upd-golibs

commit d780ad008b8925a1f499d70f827b79be597c60b5
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Feb 21 14:17:11 2023 +0300

    dnsforward: imp tests

commit ff9963da35d0220af461cdec66a38134f85ec956
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Feb 21 13:50:05 2023 +0300

    all: log changes

commit 5703f7a52a364c2d075ed2d862a38587c2650cae
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Feb 21 13:36:43 2023 +0300

    all: upd golibs and fix breaking changes
2023-02-21 16:52:33 +03:00

188 lines
4.7 KiB
Go
Raw Blame History

package dnsforward
import (
"crypto/tls"
"fmt"
"path"
"strings"
"github.com/AdguardTeam/dnsproxy/proxy"
"github.com/AdguardTeam/golibs/errors"
"github.com/AdguardTeam/golibs/netutil"
"github.com/quic-go/quic-go"
)
// ValidateClientID returns an error if id is not a valid ClientID.
func ValidateClientID(id string) (err error) {
err = netutil.ValidateHostnameLabel(id)
if err != nil {
// Replace the domain name label wrapper with our own.
return fmt.Errorf("invalid clientid %q: %w", id, errors.Unwrap(err))
}
return nil
}
// clientIDFromClientServerName extracts and validates a ClientID. hostSrvName
// is the server name of the host. cliSrvName is the server name as sent by the
// client. When strict is true, and client and host server name don't match,
// clientIDFromClientServerName will return an error.
func clientIDFromClientServerName(
hostSrvName string,
cliSrvName string,
strict bool,
) (clientID string, err error) {
if hostSrvName == cliSrvName {
return "", nil
}
if !netutil.IsImmediateSubdomain(cliSrvName, hostSrvName) {
if !strict {
return "", nil
}
return "", fmt.Errorf(
"client server name %q doesn't match host server name %q",
cliSrvName,
hostSrvName,
)
}
clientID = cliSrvName[:len(cliSrvName)-len(hostSrvName)-1]
err = ValidateClientID(clientID)
if err != nil {
// Don't wrap the error, because it's informative enough as is.
return "", err
}
return strings.ToLower(clientID), nil
}
// clientIDFromDNSContextHTTPS extracts the client's ID from the path of the
// client's DNS-over-HTTPS request.
func clientIDFromDNSContextHTTPS(pctx *proxy.DNSContext) (clientID string, err error) {
r := pctx.HTTPRequest
if r == nil {
return "", fmt.Errorf(
"proxy ctx http request of proto %s is nil",
pctx.Proto,
)
}
origPath := r.URL.Path
parts := strings.Split(path.Clean(origPath), "/")
if parts[0] == "" {
parts = parts[1:]
}
if len(parts) == 0 || parts[0] != "dns-query" {
return "", fmt.Errorf("clientid check: invalid path %q", origPath)
}
switch len(parts) {
case 1:
// Just /dns-query, no ClientID.
return "", nil
case 2:
clientID = parts[1]
default:
return "", fmt.Errorf("clientid check: invalid path %q: extra parts", origPath)
}
err = ValidateClientID(clientID)
if err != nil {
return "", fmt.Errorf("clientid check: %w", err)
}
return strings.ToLower(clientID), nil
}
// tlsConn is a narrow interface for *tls.Conn to simplify testing.
type tlsConn interface {
ConnectionState() (cs tls.ConnectionState)
}
// quicConnection is a narrow interface for quic.Connection to simplify testing.
type quicConnection interface {
ConnectionState() (cs quic.ConnectionState)
}
// clientIDFromDNSContext extracts the client's ID from the server name of the
// client's DoT or DoQ request or the path of the client's DoH. If the protocol
// is not one of these, clientID is an empty string and err is nil.
func (s *Server) clientIDFromDNSContext(pctx *proxy.DNSContext) (clientID string, err error) {
proto := pctx.Proto
if proto == proxy.ProtoHTTPS {
clientID, err = clientIDFromDNSContextHTTPS(pctx)
if err != nil {
return "", fmt.Errorf("checking url: %w", err)
} else if clientID != "" {
return clientID, nil
}
// Go on and check the domain name as well.
} else if proto != proxy.ProtoTLS && proto != proxy.ProtoQUIC {
return "", nil
}
hostSrvName := s.conf.ServerName
if hostSrvName == "" {
return "", nil
}
cliSrvName, err := clientServerName(pctx, proto)
if err != nil {
return "", err
}
clientID, err = clientIDFromClientServerName(
hostSrvName,
cliSrvName,
s.conf.StrictSNICheck,
)
if err != nil {
return "", fmt.Errorf("clientid check: %w", err)
}
return clientID, nil
}
// clientServerName returns the TLS server name based on the protocol. For
// DNS-over-HTTPS requests, it will return the hostname part of the Host header
// if there is one.
func clientServerName(pctx *proxy.DNSContext, proto proxy.Proto) (srvName string, err error) {
switch proto {
case proxy.ProtoHTTPS:
r := pctx.HTTPRequest
if connState := r.TLS; connState != nil {
srvName = connState.ServerName
} else if r.Host != "" {
var host string
host, err = netutil.SplitHost(r.Host)
if err != nil {
return "", fmt.Errorf("parsing host: %w", err)
}
srvName = host
}
case proxy.ProtoQUIC:
qConn := pctx.QUICConnection
conn, ok := qConn.(quicConnection)
if !ok {
return "", fmt.Errorf("pctx conn of proto %s is %T, want quic.Connection", proto, qConn)
}
srvName = conn.ConnectionState().TLS.ServerName
case proxy.ProtoTLS:
conn := pctx.Conn
tc, ok := conn.(tlsConn)
if !ok {
return "", fmt.Errorf("pctx conn of proto %s is %T, want *tls.Conn", proto, conn)
}
srvName = tc.ConnectionState().ServerName
}
return srvName, nil
}
Reference in New Issue View Git Blame Copy Permalink