Skip to content

[SE-2869] Forbid registering domains/subdomains which would trick our DNS settings

Boros Gábor requested to merge gabor/forbid-used-domain-registration into master

This PR implements a domain/subdomain validation for custom and managed past/archived/active instances. The implementation uses three approaches to validate the domain:

  1. If the domain starts with a reserved word (preview/studio/ecommerence/discovery), the validation will fail
  2. If the subdomain starts with a reserved word (preview/studio/ecommerence/discovery), the validation will fail
  3. If the domain is a subdomain of an existing instance's domain, the registration will fail
  4. If the subdomain is already in our DNS settings (like haproxy.net.opencraft.com or ldp.opencraft.hosting), the validation will fail

Dependencies: None

Screenshots:

Requiring ack from the user before submission Screenshot 2020-09-18 at 13 35 12

(1) Domain starts with a reserved word Screenshot 2020-09-16 at 22 16 32

(2) Subdomain starts with a reserved word Screenshot 2020-09-16 at 22 14 34 Screenshot 2020-09-16 at 22 14 44 Screenshot 2020-09-16 at 22 14 52

(3) Subdomain of an existing instance's domain Screenshot 2020-09-16 at 22 11 03 Screenshot 2020-09-16 at 22 11 40

(4) Subdomain is already in our DNS settings Screenshot 2020-09-17 at 8 22 47 Screenshot 2020-09-17 at 8 22 55

Merge deadline: None

Testing instructions:

  1. Start the backend service
  2. Start the frontend by executing REACT_APP_INTERNAL_DOMAIN_NAME=".<YOUR_DOMAIN>" npm start where YOUR_DOMAIN is equal to the DEFAULT_INSTANCE_BASE_DOMAIN and be aware of the . at the beginning.
  3. Navigate to http://localhost:3000/registration/domain
  4. Try any of the scenarios shown on the screenshots above (please note that the DEFAULT_INSTANCE_BASE_DOMAIN defaults to plebia.net where only some DNS records are set)

Author notes and concerns:

  • BetaTestApplication's BASE_DOMAIN is set to the DEFAULT_INSTANCE_BASE_DOMAIN as it seems that's the correct approach, since setting opencraft.hosting domain for every beta test app does not make sense if someone sets DEFAULT_INSTANCE_BASE_DOMAIN to something else (like plebia.net) and has no control over opencraft.hosting domain's DNS records.
  • The scenario discussed in test_external_domain_forbidden_domain_not_causing_issue does not exists for subdomains
  • In case we cannot access the DEFAULT_INSTANCE_BASE_DOMAIN DNS records, we won't allow registering users with the given subdomain to make sure we are not overriding possibly existing DNS records because of a network glitch or similar.
  • Watch out for betatestapplication 0018 migration! (that's only a help text and validator error code change though)
  • The domain accept text is required for subdomains as well on the registration page when not registering with custom domain (this could make sense in some cases)
  • The js/ts client is updated (npm run update-api-client), hence some changes which may not be related completely to this change
  • There is a really-really small chance that we will raise an error for the user if an OC member manually registers a subdomain on Gandi but that's not in the cache (since we have no callback from Gandi to OCIM)

Merge request reports