From f7b43c585e0fb380e6c7cf6071b83b0d363b4ad1 Mon Sep 17 00:00:00 2001
From: Vladimir Shushlin
Date: Tue, 19 Oct 2021 13:19:34 +0300
Subject: [PATCH] fix: Let's Encrypt integration with /* redirects

Let's Encrypt integration relies on acme challenges being redirected to main GitLab server and served there. We also allow serving ACME challenges from project content just in case users implemented Let's Encrypt integration manually. But when user adds `/* -> redirect_url` to .redirects, it treated as project content and will handles as redirect. Changelog: fixed This commit just stop handling redirects for any LE challenges.
---
 internal/acme/acme.go | 4 ++--
 internal/redirects/redirects.go | 5 +++++
 internal/redirects/redirects_test.go | 8 ++++++++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/internal/acme/acme.go b/internal/acme/acme.go
index 039be32a7..607dcc23c 100644
--- a/internal/acme/acme.go
+++ b/internal/acme/acme.go
@@ -26,7 +26,7 @@ func (m *Middleware) ServeAcmeChallenges(w http.ResponseWriter, r *http.Request,
 return false
 }
- if !isAcmeChallenge(r.URL.Path) {
+ if !IsAcmeChallenge(r.URL.Path) {
 return false
 }
@@ -37,7 +37,7 @@ func (m *Middleware) ServeAcmeChallenges(w http.ResponseWriter, r *http.Request,
 return m.redirectToGitlab(w, r)
 }
-func isAcmeChallenge(path string) bool {
+func IsAcmeChallenge(path string) bool {
 return strings.HasPrefix(filepath.Clean(path), "/.well-known/acme-challenge/")
 }
diff --git a/internal/redirects/redirects.go b/internal/redirects/redirects.go
index 24ce86920..a0d0a7741 100644
--- a/internal/redirects/redirects.go
+++ b/internal/redirects/redirects.go
@@ -14,6 +14,7 @@ import (
 "gitlab.com/gitlab-org/labkit/log"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/acme"
 "gitlab.com/gitlab-org/gitlab-pages/internal/vfs"
 )
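Review bot: `IsAcmeChallenge` is now exported and serves as the shared predicate for two routing decisions, yet it has no doc comment and it normalizes a URL path with `filepath.Clean`, which follows the host OS's path rules rather than URL rules. A comment such as `// IsAcmeChallenge reports whether the cleaned URL path lies under /.well-known/acme-challenge/.` would state the contract, including that `..` segments are resolved before the prefix match. For slash-separated URL paths `path.Clean` is the usual choice; the parameter named `path` would have to be renamed so it does not shadow that package. The `filepath.Clean` call is an unchanged context line, so this may fit better as a follow-up.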
@@ -100,6 +101,10 @@ func (r *Redirects) Status() string {
 // Rewrite takes in a URL and uses the parsed Netlify rules to rewrite
 // the URL to the new location if it matches any rule
 func (r *Redirects) Rewrite(originalURL *url.URL) (*url.URL, int, error) {
+ if acme.IsAcmeChallenge(originalURL.Path) {
+ return nil, 0, ErrNoRedirect
+ }
+
 rule, newPath := r.match(originalURL.Path)
 if rule == nil {
 return nil, 0, ErrNoRedirect
diff --git a/internal/redirects/redirects_test.go b/internal/redirects/redirects_test.go
index 8cad98f8a..a15d8413c 100644
--- a/internal/redirects/redirects_test.go
+++ b/internal/redirects/redirects_test.go
@@ -123,6 +123,14 @@ func TestRedirectsRewrite(t *testing.T) {
 expectedStatus: http.StatusOK,
 expectedErr: "",
 },
+ {
+ name: "does_not_redirect_acme_challenges",
+ url: "/.well-known/acme-challenge/token",
+ rule: "/* /to/path 200",
+ expectedURL: "",
+ expectedStatus: 0,
+ expectedErr: ErrNoRedirect.Error(),
+ },
 }
 for _, tt := range tests {
-- 
GitLab
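Review bot: The early return in `Rewrite` runs before `r.match`, so it suppresses every rule for ACME challenge paths, including an explicit `/.well-known/acme-challenge/*` rule a project may have written on purpose, not only the `/*` splat the commit message describes. If that is intended, the doc comment above `Rewrite` should say so, for example `// Requests for ACME challenges (see acme.IsAcmeChallenge) are never rewritten and always yield ErrNoRedirect.` The exemption is also decided on the cleaned path while `r.match` sees the raw `originalURL.Path`, so a path whose `..` segments clean into the challenge prefix is exempted too; that appears consistent with the middleware but deserves a test. The body of `Rewrite` continues past the end of the hunk.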
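Review bot: The new table entry in `TestRedirectsRewrite` covers only the positive case, so nothing pins down where the exemption stops. A boundary case next to it, such as a request for `/.well-known/acme-challenge` (no trailing segment) or `/.well-known/acme-challenge-other/token` under the same `/* /to/path 200` rule, should assert that the redirect still applies. Without it, a later loosening of the prefix check could silently exempt more paths from a project's redirect rules. The test table and its loop extend beyond the hunk.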