From 1c193cd59d4720266c6032d355d134d74faf98f0 Mon Sep 17 00:00:00 2001 From: Miraty Date: Tue, 13 Dec 2022 16:52:10 +0100 Subject: [PATCH] Add reg/transfer.php --- config.ini | 4 +++- fn/dns.php | 9 ++++---- pages.php | 4 ++++ pages/auth/register.php | 4 ++-- pages/ns/zone-add.php | 6 +++--- pages/reg/register.php | 4 ++-- pages/reg/transfer.php | 46 +++++++++++++++++++++++++++++++++++++++++ 7 files changed, 64 insertions(+), 13 deletions(-) create mode 100644 pages/reg/transfer.php diff --git a/config.ini b/config.ini index be01278..ce84e74 100644 --- a/config.ini +++ b/config.ini @@ -7,19 +7,21 @@ public_domains[] = "niver.test" [dns] knotc_path = "/usr/sbin/knotc" +kdig_path = "/usr/bin/kdig" [reg] enabled = true registry = "niver.test." registry_file = "/srv/niver/reg/niver.test.zone" ttl = 86400 +; A local address to query the registry nameserver +address = "[::1]:42053" [ns] enabled = true knot_zones_path = "/srv/niver/ns" servers[] = "ns1.niver.test." servers[] = "ns2.niver.test." -kdig_path = "/usr/bin/kdig" kzonecheck_path = "/usr/bin/kzonecheck" ; @ must be replaced by a dot public_soa_email = "hostmaster.niver.invalid." diff --git a/fn/dns.php b/fn/dns.php index c05debd..962961e 100644 --- a/fn/dns.php +++ b/fn/dns.php @@ -20,8 +20,8 @@ function knotcConfExec($cmds) { } } -function knotcZoneExec($zone, $cmd) { - $action = checkAction($_POST['action']); +function knotcZoneExec($zone, $cmd, $action = NULL) { + $action = checkAction($action ?? $_POST['action']); exec(CONF['dns']['knotc_path'] . ' zone-begin ' . $zone, $output['begin'], $code['begin']); if ($code['begin'] !== 0) 
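Review bot: Moving `kdig_path` from `[ns]` to `[dns]` silently breaks existing deployments: a config.ini that still carries it under `[ns]` leaves `CONF['dns']['kdig_path']` undefined, and the kdig calls in zone-add.php and transfer.php then run with no program path, so the failure only shows up as every verification being rejected. Call this out in the commit message, or have the config loader (not visible here) accept the old key for one release. The new `address` is spliced verbatim into a kdig command line by transfer.php, so its comment should say what it really is: `; Registry nameserver passed to kdig as @server (host:port); used unescaped in a shell command, keep it operator-controlled`.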
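Review bot: The new `$action` parameter of `knotcZoneExec` changes the function from a form-only handler to a general helper, but nothing documents the contract or the fallback order, and `NULL` is written uppercase where PHP style is `null`. A docblock above the signature would carry it: `/** Run $cmd against $zone inside a knotc zone-begin/zone-commit transaction. $action must be a value checkAction() accepts; when omitted it is read from $_POST['action'], so callers outside a form handler must pass it explicitly. */`. Note that when both are absent the fallback still indexes `$_POST['action']` directly and warns on a missing key; `$action ?? $_POST['action'] ?? null` would leave the decision to `checkAction`, whose behaviour on `null` is outside this hunk. The rest of the function body is outside the hunk as well.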
@@ -48,9 +48,8 @@ function checkIpFormat($ip) { output(403, 'IP address malformed.'); } -function checkAbsoluteDomainFormat($domain) { - // If the domain must end with a dot - if (!filter_var($domain, FILTER_VALIDATE_DOMAIN) OR !preg_match('/^([a-z0-9_-]{1,63}\.){2,127}$/D', $domain)) +function checkAbsoluteDomainFormat($domain) { // If the domain must end with a dot + if (!filter_var($domain, FILTER_VALIDATE_DOMAIN) OR preg_match('/^([a-z0-9_-]{1,63}\.){2,127}$/D', $domain) !== 1) output(403, 'Domain malformed.'); } diff --git a/pages.php b/pages.php index 25369bc..60c8489 100644 --- a/pages.php +++ b/pages.php @@ -65,6 +65,10 @@ define('PAGES', [ 'title' => 'Enregistrements DS', 'description' => 'Déléguer la confiance DNSSEC', ], + 'transfer' => [ + 'title' => 'Recevoir un transfert de domaine', + 'description' => 'Transférer un domaine vers ce compte', + ], 'glue' => [ 'title' => 'Glue Records', 'description' => 'Avancé : Indiquer l\'IP d\'un serveur de noms dont l\'adresse dépend de la zone qu\'il sert', diff --git a/pages/auth/register.php b/pages/auth/register.php index e1f0c2d..be9063d 100644 --- a/pages/auth/register.php +++ b/pages/auth/register.php @@ -63,7 +63,7 @@ if (processForm(false)) {
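Review bot: Switching to `preg_match(...) !== 1` is the right fix — a PCRE failure that returns `false` now rejects the domain instead of letting it through — but the explanation was lost when the old comment was folded onto the signature line, where it now reads as a fragment. Replace it with a docblock above the function: `/** Abort with 403 unless $domain is an absolute name: 2–127 labels of [a-z0-9_-], each 1–63 chars, ending with a dot. A PCRE error (false) counts as malformed. Values passing this check are concatenated unescaped into kdig/knotc command lines (see zone-add.php), so the character class is also the shell safety boundary — do not loosen it. */`. One caveat worth a line in that comment: the class is lowercase-only, and kdig prints names as the server returns them, so a parent NS target containing uppercase letters would be rejected here; lowercase the input first if that ever matters.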

Une clé de passe sécurisée est trop compliquée à deviner pour une attaque qui testerait automatiquement plein de clés de passe tout en connaissant d'autres informations et secrets sur vous.

Minimum 8 caractères si elle contient minuscule, majuscule et chiffre, ou minimum 10 caractères sinon.

-
- + +
diff --git a/pages/ns/zone-add.php b/pages/ns/zone-add.php index 2f25954..98a697b 100644 --- a/pages/ns/zone-add.php +++ b/pages/ns/zone-add.php @@ -6,14 +6,14 @@ if (processForm()) { if (query('select', 'zones', ['zone' => $_POST['domain']], 'zone') !== []) output(403, 'Cette zone existe déjà sur ce service.'); - exec(CONF['ns']['kdig_path'] . ' ' . ltrim(strstr($_POST['domain'], '.'), '.') . ' NS +short', $parentAuthoritatives); + exec(CONF['dns']['kdig_path'] . ' ' . ltrim(strstr($_POST['domain'], '.'), '.') . ' NS +short', $parentAuthoritatives); if ($parentAuthoritatives === []) output(403, 'Serveurs de noms de la zone parente introuvables'); foreach ($parentAuthoritatives as $parentAuthoritative) checkAbsoluteDomainFormat($parentAuthoritative); - exec(CONF['ns']['kdig_path'] . ' ' . $_POST['domain'] . ' NS @' . $parentAuthoritatives[0] . ' +noidn', $results); - if (preg_match('/^' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?[0-9a-f]{8})-(?[0-9a-f]{32})\._domain-verification\.' . preg_quote(SERVER_NAME, '/') . '$/Dm', implode(LF, $results), $matches) !== 1) + exec(CONF['dns']['kdig_path'] . ' ' . $_POST['domain'] . ' NS @' . $parentAuthoritatives[0] . ' +noidn', $results); + if (preg_match('/^' . preg_quote($_POST['domain'], '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?[0-9a-f]{8})-(?[0-9a-f]{32})\._domain-verification\.' . preg_quote(SERVER_NAME, '/') . '\.$/Dm', implode(LF, $results), $matches) !== 1) output(403, 'Enregistrement d\'authentification introuvable'); checkAuthToken($matches['salt'], $matches['hash']); diff --git a/pages/reg/register.php b/pages/reg/register.php index dacacf4..12955ed 100644 --- a/pages/reg/register.php +++ b/pages/reg/register.php @@ -32,7 +32,7 @@ if (processForm()) {
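Review bot: Both kdig invocations still build the shell command by string concatenation: `$_POST['domain']` goes in raw on the first and second `exec`, and `$parentAuthoritatives[0]` on the second. The parent names are covered by `checkAbsoluteDomainFormat` just above, and `$_POST['domain']` is presumably validated before line 6 (outside this hunk), but wrapping each operand is cheap defence in depth: `exec(CONF['dns']['kdig_path'] . ' ' . escapeshellarg($_POST['domain']) . ' NS ' . escapeshellarg('@' . $parentAuthoritatives[0]) . ' +noidn', $results);`. The added `\.` before `$` is correct since kdig prints absolute owner and target names, so the previous pattern could have matched a truncated target. Only `$parentAuthoritatives[0]` is ever queried, so an unreachable first parent server makes every zone creation fail even when the other parents answer; this is worth a comment or a fallback loop. The `processForm()` block begins outside the hunk.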

- . + .
- +
diff --git a/pages/reg/transfer.php b/pages/reg/transfer.php new file mode 100644 index 0000000..2289612 --- /dev/null +++ b/pages/reg/transfer.php @@ -0,0 +1,46 @@ + $_SESSION['id'], 'domain' => $domain], 'domain') !== []) + output(403, 'Le compte présent possède déjà ce domaine.'); + + exec(CONF['dns']['kdig_path'] . ' ' . $domain . ' NS @' . CONF['reg']['address'] . ' +noidn', $results); + if (preg_match('/^' . preg_quote($domain, '/') . '[\t ]+[0-9]{1,8}[\t ]+IN[\t ]+NS[\t ]+(?[0-9a-f]{8})-(?[0-9a-f]{32})\._transfer-verification\.' . preg_quote(SERVER_NAME, '/') . '\.$/Dm', implode(LF, $results), $matches) !== 1) + output(403, 'Enregistrement d\'authentification introuvable'); + + checkAuthToken($matches['salt'], $matches['hash']); + + $stmt = DB->prepare('UPDATE registry SET username = :username WHERE domain = :domain'); + $stmt->bindValue(':username', $_SESSION['id']); + $stmt->bindValue(':domain', $domain); + $stmt->execute(); + + knotcZoneExec(CONF['reg']['registry'], [ + $domain, + 'NS', + $matches['salt'] . '-' . $matches['hash'] . '._transfer-verification.' . SERVER_NAME . '.' + ], 'delete'); + + output(200, 'Le domaine a été transféré vers le compte présent, l\'enregistrement d\'authentification a été automatiquement retiré.'); +} + +$proof = getAuthToken(); + +?> + +

+ Pour prouver que vous êtes autorisé à recevoir le domaine par san possessaire actuele, ledit domaine doit posséder un égal à ._transfer-verification.. lors du traitement de ce formulaire. Cet enregistrement sera automatiquement retiré une fois validé. +

+ +
+ +
+ . +
+ +
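Review bot: The `UPDATE registry SET username = :username WHERE domain = :domain` result is never checked, so a domain that carries the verification NS record in the registry zone but has no matching row in `registry` is reported as transferred, and its verification record is still deleted by the following `knotcZoneExec`; add `if ($stmt->rowCount() !== 1) output(500, 'Le domaine n\'a pas pu être transféré.');` between `execute()` and the knotc call. The kdig command concatenates `$domain` and `CONF['reg']['address']` without `escapeshellarg`; how `$domain` is derived is not visible here (the file head was lost in extraction), so if it is not already passed through `checkAbsoluteDomainFormat`, that check belongs before the `exec`. The previous owner is overwritten without being recorded anywhere, which leaves nothing for incident response if a transfer is later disputed — read the old `username` first and log it together with `$_SESSION['id']` and `$domain`. Finally, the DB update and the zone edit are not atomic: if knotc fails after the update, the domain has changed hands while the verification record remains, so either perform the zone delete first or document that the record must then be cleaned up by hand.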