Currently, creating vhosts with custom domains requires manual verification on an individual basis as it's not currently possible to verify a particular user's ownership of a domain name.
**A few ideas for domain verification**:
- Verify using CNAME/TXT DNS record
- File upload/host a file at the desired domain/subdomain.
For verifying ownership of an entire domain, it should be sufficient to prove verification for the root of the domain. Verification through CNAME/TXT is probably the best.
For verifying a subdomain (where the user doesn't own the entire domain, e.g. third level domains), file upload is likely the only option.
**Other Considerations**
- How long should verification last? Should it be checked periodically? Every 3 months?? And every time a verification is requested (through Pyceo)?
- If multiple users use subdomains from the same domain, how would verification work? If they verify subdomains, there shouldn't be a problem. But if one verifies the entire domain, should that user be the only person able to control vhosts from that domain?
- Pyceo is currently stateless...
Reference: https://docs.cloud.csclub.uwaterloo.ca/vhosts/
n4chung
changed title from Automate custom domain VHOST support in CSC Cloud to [Feature Request] Automate custom domain VHOST support in CSC Cloud 4 months ago
To automatically verify vhosts for custom domain names, we need to automatically verify a user's ownership of a domain/subdomain name. If ownership could be proven, then a VHOST record should be created for the user.
**Verification Methods**:
METHOD \#1 (DNS TXT verification):
1. `ceo cloud vhosts code`: A unique checksum (SHA256 perhaps?) is generated for a particular user who wishes to prove their ownership of a domain.
2. A `TXT` needs to be created at the ROOT of a domain name based on the **unique checksum** (e.g. `csc-verification`).
3. `ceo cloud vhosts add <custom domain/subdomain> <forwarded ip>` Whenever a vhost is created (that requires verification), CEO would query the TXT record before creating the TXT record.
METHOD \#2 (File based verification):
tbd...
Checks need to be added here:
https://git.csclub.uwaterloo.ca/public/pyceo/src/commit/779e35a08e0d724ffacb7864e0cb490464bc892e/ceod/model/VHostManager.py#L93
You could use a long enough uuid when wanting a random string.
For file-based verification, user can upload a file containing a random string, then the ceo can download the file and verify.
Tests need to be added here:
https://git.csclub.uwaterloo.ca/public/pyceo/src/commit/779e35a08e0d724ffacb7864e0cb490464bc892e/tests/ceod/api/test_cloud.py#L90
@y3285wan Yup. For the UUID, it needs to be associated with a particular user. Perhaps it could be generated from the **CSC username**.
For file-based verification, the same UUID (unique to the user) could be used as well.
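
One way the DNS TXT check from METHOD #1 could work while Pyceo stays stateless, as an added example that is not Pyceo's code or any participant's proposal: the token is an HMAC over the username and domain, so the server can recompute it at check time and one user cannot compute another user's token from the username alone. The `csc-verification=<token>` value format, the secret, and all function names are assumptions; the TXT strings are passed in rather than resolved, so the block runs offline.

```python
import hashlib
import hmac

# Assumption: the TXT value has the form "csc-verification=<token>"; the thread
# only suggests "csc-verification" as a name.
TXT_PREFIX = "csc-verification="


def normalize_domain(domain: str) -> str:
    """Lowercase and drop the trailing dot so 'Example.COM.' == 'example.com'."""
    return domain.strip().rstrip(".").lower()


def verification_token(secret: bytes, username: str, domain: str) -> str:
    """Derive the token for (username, domain) with HMAC-SHA256.

    Deterministic, so a stateless server can recompute it at check time, and
    keyed, so the token cannot be derived from public inputs alone.
    """
    # NUL separator keeps ("ab", "c.example") distinct from ("a", "bc.example").
    msg = username.encode() + b"\x00" + normalize_domain(domain).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def txt_proves_ownership(txt_values, secret, username, domain) -> bool:
    """Return True if any TXT string at the domain root carries the user's token."""
    expected = verification_token(secret, username, domain)
    for value in txt_values:
        value = value.strip().strip('"')
        if not value.startswith(TXT_PREFIX):
            continue  # unrelated record such as SPF
        candidate = value[len(TXT_PREFIX):]
        # Constant-time comparison of the presented and expected tokens.
        if hmac.compare_digest(candidate.encode(), expected.encode()):
            return True
    return False


# Constructed sample data: a hypothetical secret, user and TXT answer set.
SECRET = b"constructed-demo-secret"
alice_token = verification_token(SECRET, "alice", "example.com")
SAMPLE_TXT = ["v=spf1 -all", TXT_PREFIX + alice_token]

if __name__ == "__main__":
    print(txt_proves_ownership(SAMPLE_TXT, SECRET, "alice", "Example.COM."))
    print(txt_proves_ownership(SAMPLE_TXT, SECRET, "bob", "example.com"))
```

Because the token binds both the user and the domain, a record published for one user's claim does not verify a different user's request for the same domain.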