enhance: validate certificate content before save

2025-05-11 18:35:51 +02:00 · 2024-01-28 14:00:47 +08:00 · 2024-01-28 14:00:47 +08:00 · 8581bdd3c6
commit 8581bdd3c6
parent d67b8428e4
7 changed files with 286 additions and 149 deletions
--- a/api/certificate/certificate.go
+++ b/api/certificate/certificate.go
@ -1,174 +1,174 @@
 package certificate

 import (
-	"github.com/0xJacky/Nginx-UI/api"
-	"github.com/0xJacky/Nginx-UI/api/cosy"
-	"github.com/0xJacky/Nginx-UI/internal/cert"
-	"github.com/0xJacky/Nginx-UI/model"
-	"github.com/0xJacky/Nginx-UI/query"
-	"github.com/gin-gonic/gin"
-	"github.com/spf13/cast"
-	"net/http"
-	"os"
+    "github.com/0xJacky/Nginx-UI/api"
+    "github.com/0xJacky/Nginx-UI/api/cosy"
+    "github.com/0xJacky/Nginx-UI/internal/cert"
+    "github.com/0xJacky/Nginx-UI/model"
+    "github.com/0xJacky/Nginx-UI/query"
+    "github.com/gin-gonic/gin"
+    "github.com/spf13/cast"
+    "net/http"
+    "os"
 )

 type APICertificate struct {
-	*model.Cert
-	SSLCertificate    string     `json:"ssl_certificate,omitempty"`
-	SSLCertificateKey string     `json:"ssl_certificate_key,omitempty"`
-	CertificateInfo   *cert.Info `json:"certificate_info,omitempty"`
+    *model.Cert
+    SSLCertificate    string     `json:"ssl_certificate,omitempty"`
+    SSLCertificateKey string     `json:"ssl_certificate_key,omitempty"`
+    CertificateInfo   *cert.Info `json:"certificate_info,omitempty"`
 }

 func Transformer(certModel *model.Cert) (certificate *APICertificate) {
-	var sslCertificationBytes, sslCertificationKeyBytes []byte
-	var certificateInfo *cert.Info
-	if certModel.SSLCertificatePath != "" {
-		if _, err := os.Stat(certModel.SSLCertificatePath); err == nil {
-			sslCertificationBytes, _ = os.ReadFile(certModel.SSLCertificatePath)
-		}
+    var sslCertificationBytes, sslCertificationKeyBytes []byte
+    var certificateInfo *cert.Info
+    if certModel.SSLCertificatePath != "" {
+        if _, err := os.Stat(certModel.SSLCertificatePath); err == nil {
+            sslCertificationBytes, _ = os.ReadFile(certModel.SSLCertificatePath)
+            if !cert.IsPublicKey(string(sslCertificationBytes)) {
+                sslCertificationBytes = []byte{}
+            }
+        }

-		certificateInfo, _ = cert.GetCertInfo(certModel.SSLCertificatePath)
-	}
+        certificateInfo, _ = cert.GetCertInfo(certModel.SSLCertificatePath)
+    }

-	if certModel.SSLCertificateKeyPath != "" {
-		if _, err := os.Stat(certModel.SSLCertificateKeyPath); err == nil {
-			sslCertificationKeyBytes, _ = os.ReadFile(certModel.SSLCertificateKeyPath)
-		}
-	}
+    if certModel.SSLCertificateKeyPath != "" {
+        if _, err := os.Stat(certModel.SSLCertificateKeyPath); err == nil {
+            sslCertificationKeyBytes, _ = os.ReadFile(certModel.SSLCertificateKeyPath)
+            if !cert.IsPrivateKey(string(sslCertificationKeyBytes)) {
+                sslCertificationKeyBytes = []byte{}
+            }
+        }
+    }

-	return &APICertificate{
-		Cert:              certModel,
-		SSLCertificate:    string(sslCertificationBytes),
-		SSLCertificateKey: string(sslCertificationKeyBytes),
-		CertificateInfo:   certificateInfo,
-	}
+    return &APICertificate{
+        Cert:              certModel,
+        SSLCertificate:    string(sslCertificationBytes),
+        SSLCertificateKey: string(sslCertificationKeyBytes),
+        CertificateInfo:   certificateInfo,
+    }
 }

 func GetCertList(c *gin.Context) {
-	cosy.Core[model.Cert](c).SetFussy("name", "domain").SetTransformer(func(m *model.Cert) any {
+    cosy.Core[model.Cert](c).SetFussy("name", "domain").SetTransformer(func(m *model.Cert) any {

-		info, _ := cert.GetCertInfo(m.SSLCertificatePath)
+        info, _ := cert.GetCertInfo(m.SSLCertificatePath)

-		return APICertificate{
-			Cert:            m,
-			CertificateInfo: info,
-		}
-	}).PagingList()
+        return APICertificate{
+            Cert:            m,
+            CertificateInfo: info,
+        }
+    }).PagingList()
 }

 func GetCert(c *gin.Context) {
-	q := query.Cert
+    q := query.Cert

-	certModel, err := q.FirstByID(cast.ToInt(c.Param("id")))
+    certModel, err := q.FirstByID(cast.ToInt(c.Param("id")))

-	if err != nil {
-		api.ErrHandler(c, err)
-		return
-	}
+    if err != nil {
+        api.ErrHandler(c, err)
+        return
+    }

-	c.JSON(http.StatusOK, Transformer(certModel))
+    c.JSON(http.StatusOK, Transformer(certModel))
+}
+
+type certJson struct {
+    Name                  string `json:"name"`
+    SSLCertificatePath    string `json:"ssl_certificate_path" binding:"publickey_path"`
+    SSLCertificateKeyPath string `json:"ssl_certificate_key_path" binding:"privatekey_path"`
+    SSLCertificate        string `json:"ssl_certificate" binding:"omitempty,publickey"`
+    SSLCertificateKey     string `json:"ssl_certificate_key" binding:"omitempty,privatekey"`
+    ChallengeMethod       string `json:"challenge_method"`
+    DnsCredentialID       int    `json:"dns_credential_id"`
 }

 func AddCert(c *gin.Context) {
-	var json struct {
-		Name                  string `json:"name"`
-		SSLCertificatePath    string `json:"ssl_certificate_path" binding:"required"`
-		SSLCertificateKeyPath string `json:"ssl_certificate_key_path" binding:"required"`
-		SSLCertificate        string `json:"ssl_certificate"`
-		SSLCertificateKey     string `json:"ssl_certificate_key"`
-		ChallengeMethod       string `json:"challenge_method"`
-		DnsCredentialID       int    `json:"dns_credential_id"`
-	}
-	if !api.BindAndValid(c, &json) {
-		return
-	}
-	certModel := &model.Cert{
-		Name:                  json.Name,
-		SSLCertificatePath:    json.SSLCertificatePath,
-		SSLCertificateKeyPath: json.SSLCertificateKeyPath,
-		ChallengeMethod:       json.ChallengeMethod,
-		DnsCredentialID:       json.DnsCredentialID,
-	}
+    var json certJson
+    if !api.BindAndValid(c, &json) {
+        return
+    }
+    certModel := &model.Cert{
+        Name:                  json.Name,
+        SSLCertificatePath:    json.SSLCertificatePath,
+        SSLCertificateKeyPath: json.SSLCertificateKeyPath,
+        ChallengeMethod:       json.ChallengeMethod,
+        DnsCredentialID:       json.DnsCredentialID,
+    }

-	err := certModel.Insert()
+    err := certModel.Insert()

-	if err != nil {
-		api.ErrHandler(c, err)
-		return
-	}
+    if err != nil {
+        api.ErrHandler(c, err)
+        return
+    }

-	content := &cert.Content{
-		SSLCertificatePath:    json.SSLCertificatePath,
-		SSLCertificateKeyPath: json.SSLCertificateKeyPath,
-		SSLCertificate:        json.SSLCertificate,
-		SSLCertificateKey:     json.SSLCertificateKey,
-	}
+    content := &cert.Content{
+        SSLCertificatePath:    json.SSLCertificatePath,
+        SSLCertificateKeyPath: json.SSLCertificateKeyPath,
+        SSLCertificate:        json.SSLCertificate,
+        SSLCertificateKey:     json.SSLCertificateKey,
+    }

-	err = content.WriteFile()
+    err = content.WriteFile()

-	if err != nil {
-		api.ErrHandler(c, err)
-		return
-	}
+    if err != nil {
+        api.ErrHandler(c, err)
+        return
+    }

-	c.JSON(http.StatusOK, Transformer(certModel))
+    c.JSON(http.StatusOK, Transformer(certModel))
 }

 func ModifyCert(c *gin.Context) {
-	id := cast.ToInt(c.Param("id"))
+    id := cast.ToInt(c.Param("id"))

-	var json struct {
-		Name                  string `json:"name"`
-		SSLCertificatePath    string `json:"ssl_certificate_path" binding:"required"`
-		SSLCertificateKeyPath string `json:"ssl_certificate_key_path" binding:"required"`
-		SSLCertificate        string `json:"ssl_certificate"`
-		SSLCertificateKey     string `json:"ssl_certificate_key"`
-		ChallengeMethod       string `json:"challenge_method"`
-		DnsCredentialID       int    `json:"dns_credential_id"`
-	}
+    var json certJson

-	if !api.BindAndValid(c, &json) {
-		return
-	}
+    if !api.BindAndValid(c, &json) {
+        return
+    }

-	q := query.Cert
+    q := query.Cert

-	certModel, err := q.FirstByID(id)
-	if err != nil {
-		api.ErrHandler(c, err)
-		return
-	}
+    certModel, err := q.FirstByID(id)
+    if err != nil {
+        api.ErrHandler(c, err)
+        return
+    }

-	err = certModel.Updates(&model.Cert{
-		Name:                  json.Name,
-		SSLCertificatePath:    json.SSLCertificatePath,
-		SSLCertificateKeyPath: json.SSLCertificateKeyPath,
-		ChallengeMethod:       json.ChallengeMethod,
-		DnsCredentialID:       json.DnsCredentialID,
-	})
+    err = certModel.Updates(&model.Cert{
+        Name:                  json.Name,
+        SSLCertificatePath:    json.SSLCertificatePath,
+        SSLCertificateKeyPath: json.SSLCertificateKeyPath,
+        ChallengeMethod:       json.ChallengeMethod,
+        DnsCredentialID:       json.DnsCredentialID,
+    })

-	if err != nil {
-		api.ErrHandler(c, err)
-		return
-	}
+    if err != nil {
+        api.ErrHandler(c, err)
+        return
+    }

-	content := &cert.Content{
-		SSLCertificatePath:    json.SSLCertificatePath,
-		SSLCertificateKeyPath: json.SSLCertificateKeyPath,
-		SSLCertificate:        json.SSLCertificate,
-		SSLCertificateKey:     json.SSLCertificateKey,
-	}
+    content := &cert.Content{
+        SSLCertificatePath:    json.SSLCertificatePath,
+        SSLCertificateKeyPath: json.SSLCertificateKeyPath,
+        SSLCertificate:        json.SSLCertificate,
+        SSLCertificateKey:     json.SSLCertificateKey,
+    }

-	err = content.WriteFile()
+    err = content.WriteFile()

-	if err != nil {
-		api.ErrHandler(c, err)
-		return
-	}
+    if err != nil {
+        api.ErrHandler(c, err)
+        return
+    }

-	GetCert(c)
+    GetCert(c)
 }

 func RemoveCert(c *gin.Context) {
-	cosy.Core[model.Cert](c).Destroy()
+    cosy.Core[model.Cert](c).Destroy()
 }