From afca8ac7ba82763c52d4a8d674bfa5699e4aa600 Mon Sep 17 00:00:00 2001
From: Mathieu Ancelin
Date: Wed, 11 Dec 2024 17:30:09 +0100
Subject: [PATCH] fix #2051
---
 otoroshi/app/gateway/handlers.scala | 2 +-
 otoroshi/app/next/plugins/otoroshi.scala | 9 ++++---
 otoroshi/app/ssl/ocsp.scala | 32 +++++++++++++-----------
 3 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/otoroshi/app/gateway/handlers.scala b/otoroshi/app/gateway/handlers.scala
index f9f806f77..c47aab148 100644
--- a/otoroshi/app/gateway/handlers.scala
+++ b/otoroshi/app/gateway/handlers.scala
@@ -720,7 +720,7 @@ class GatewayRequestHandler(
 def aia(id: String) = actionBuilder.async { req =>
- env.ocspResponder.aia(id, req)
+ env.ocspResponder.aia(id, req, Seq.empty)
 }
 def letsEncrypt() =
diff --git a/otoroshi/app/next/plugins/otoroshi.scala b/otoroshi/app/next/plugins/otoroshi.scala
index 2ee13b8d0..6a09c3b42 100644
--- a/otoroshi/app/next/plugins/otoroshi.scala
+++ b/otoroshi/app/next/plugins/otoroshi.scala
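Review bot: The legacy gateway handler `aia` now always passes `Seq.empty` as the allow-list, so this endpoint keeps serving every exposed certificate chained to the Otoroshi root CA no matter what restriction is configured on the AIA plugin. If this handler and the plugin route are both reachable on a deployment, a `certIds` restriction set on the plugin is bypassable through this path. Either source an allow-list from global configuration here as well, or make the intent explicit with a comment such as `// legacy endpoint: no allow-list, every exposed root-CA-issued certificate is served` so the difference between the two endpoints is documented.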
@@ -551,19 +551,20 @@ class OtoroshiAIAEndpoint extends NgBackendCall {
 override def core: Boolean = true
 override def name: String = "Otoroshi AIA endpoint"
 override def description: Option[String] = "This plugin provide an endpoint to return Otoroshi Authority Information Access for your certificates".some
- override def defaultConfigObject: Option[NgPluginConfig] = None
+ override def defaultConfigObject: Option[NgPluginConfig] = PossibleCerts.default.some
 override def useDelegates: Boolean = false
 override def noJsForm: Boolean = true
- override def configFlow: Seq[String] = Seq.empty
- override def configSchema: Option[JsObject] = None
+ override def configFlow: Seq[String] = PossibleCerts.configFlow
+ override def configSchema: Option[JsObject] = PossibleCerts.configSchema
 override def callBackend(ctx: NgbBackendCallContext, delegates: () => Future[Either[NgProxyEngineError, BackendCallResponse]])(implicit env: Env, ec: ExecutionContext, mat: Materializer): Future[Either[NgProxyEngineError, BackendCallResponse]] = {
+ val config = ctx.cachedConfig(internalName)(PossibleCerts.format).getOrElse(PossibleCerts.default)
 ctx.attrs.get(otoroshi.next.plugins.Keys.MatchedRouteKey) match {
 case None => Left(NgProxyEngineError.NgResultProxyEngineError(Results.InternalServerError(Json.obj("error" -> "matched route not found")))).vfuture
 case Some(matchedRoute) => {
 matchedRoute.pathParams.get("id").orElse(matchedRoute.pathParams.get("cert_id")) match {
 case None => Right(BackendCallResponse(NgPluginHttpResponse.fromResult(BadRequest(Json.obj("error" -> "cert id not available"))), None)).vfuture
- case Some(id) => env.ocspResponder.aia(id, ctx.rawRequest).map { res =>
+ case Some(id) => env.ocspResponder.aia(id, ctx.rawRequest, config.certIds).map { res =>
 Right(BackendCallResponse(NgPluginHttpResponse.fromResult(res), None))
 }
 }
diff --git a/otoroshi/app/ssl/ocsp.scala b/otoroshi/app/ssl/ocsp.scala
index d3f95227f..ae8d1a6bc 100644
--- a/otoroshi/app/ssl/ocsp.scala
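Review bot: `ctx.cachedConfig(internalName)(PossibleCerts.format).getOrElse(PossibleCerts.default)` treats a plugin config that fails to parse exactly like an absent one, so a malformed `certIds` allow-list silently falls back to the default; if `PossibleCerts.default` is an empty list (its definition is not in this diff), that fallback turns an operator's restrictive setting back into the unrestricted behaviour of the old code. For a setting whose only purpose is to narrow what is served, a parse failure should be surfaced rather than widened: log it, or return an error result instead of calling `aia` with the default. At minimum a comment such as `// NOTE: unparsable config falls back to the default allow-list — confirm the default is not "serve everything"` should mark the decision. `callBackend`'s body continues past the end of the hunk.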
+++ b/otoroshi/app/ssl/ocsp.scala
@@ -107,23 +107,27 @@ class OcspResponder(env: Env, implicit val ec: ExecutionContext) {
 val nextUpdateOffset: Int = env.configuration.getOptionalWithFileSupport[Int]("app.ocsp.caching.seconds").getOrElse(3600)
- def aia(id: String, req: RequestHeader)(implicit ec: ExecutionContext): Future[Result] = {
+ def aia(id: String, req: RequestHeader, possibleCerts: Seq[String])(implicit ec: ExecutionContext): Future[Result] = {
 import scala.util._
- // DynamicSSLEngineProvider.certificates.values.find(c => c.certificate.get.getSerialNumber.toString == id && c.exposed && CertParentHelper.fromOtoroshiRootCa(c.certificate.get)) match {
- DynamicSSLEngineProvider.certificates.values.find { c =>
- Try {
- c.certificate.get.getSerialNumber.toString == id && c.exposed && CertParentHelper.fromOtoroshiRootCa(
- c.certificate.get
- )
+ if (possibleCerts.isEmpty || (possibleCerts.nonEmpty && possibleCerts.contains(id))) {
+ // DynamicSSLEngineProvider.certificates.values.find(c => c.certificate.get.getSerialNumber.toString == id && c.exposed && CertParentHelper.fromOtoroshiRootCa(c.certificate.get)) match {
+ DynamicSSLEngineProvider.certificates.values.find { c =>
+ Try {
+ c.certificate.get.getSerialNumber.toString == id && c.exposed && CertParentHelper.fromOtoroshiRootCa(
+ c.certificate.get
+ )
+ } match {
+ case Failure(e) =>
+ e.printStackTrace()
+ false
+ case Success(v) => v
+ }
 } match {
- case Failure(e) =>
- e.printStackTrace()
- false
- case Success(v) => v
+ case None => Results.NotFound("").as("application/pkix-cert").future
+ case Some(cert) => Results.Ok(cert.certificate.get.asPem).as("application/pkix-cert").future
 }
- } match {
- case None => Results.NotFound("").as("application/pkix-cert").future
- case Some(cert) => Results.Ok(cert.certificate.get.asPem).as("application/pkix-cert").future
+ } else {
+ Results.NotFound("").as("application/pkix-cert").future
 }
 }
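Review bot: `possibleCerts.contains(id)` checks the allow-list against the raw path parameter, which the lookup just below interprets as a certificate serial number (`c.certificate.get.getSerialNumber.toString == id`); if `certIds` holds Otoroshi certificate ids rather than serials — the parameter name suggests it might — a configured allow-list can never match and every request returns 404, which fails closed but makes the feature unusable. If they are Otoroshi ids, the membership test belongs inside the `find` predicate against the matched certificate's own identifier rather than against `id`. The `possibleCerts.nonEmpty &&` term is redundant (it is implied once the `isEmpty` alternative is false) and the guard reads better as `if (possibleCerts.isEmpty || possibleCerts.contains(id)) {`. The fail-open meaning of an empty list deserves a comment on that line: `// empty allow-list = serve every exposed certificate issued by the Otoroshi root CA (previous behaviour)`.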