lego/providers/dns/designate/designate.go

292 lines
8.1 KiB
Go
Raw Normal View History

// Package designate implements a DNS provider for solving the DNS-01 challenge using the Designate DNSaaS for Openstack.
2019-03-11 16:56:48 +00:00
package designate
import (
"errors"
"fmt"
"log"
"os"
2024-02-08 02:16:48 +00:00
"slices"
"sync"
"time"
2020-09-02 01:20:01 +00:00
"github.com/go-acme/lego/v4/challenge/dns01"
"github.com/go-acme/lego/v4/platform/config/env"
"github.com/gophercloud/gophercloud"
"github.com/gophercloud/gophercloud/openstack"
"github.com/gophercloud/gophercloud/openstack/dns/v2/recordsets"
"github.com/gophercloud/gophercloud/openstack/dns/v2/zones"
"github.com/gophercloud/utils/openstack/clientconfig"
)
// Environment variables names.
const (
envNamespace = "DESIGNATE_"
EnvTTL = envNamespace + "TTL"
EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
EnvPollingInterval = envNamespace + "POLLING_INTERVAL"
EnvZoneName = envNamespace + "ZONE_NAME"
envNamespaceClient = "OS_"
EnvAuthURL = envNamespaceClient + "AUTH_URL"
EnvUsername = envNamespaceClient + "USERNAME"
EnvPassword = envNamespaceClient + "PASSWORD"
EnvUserID = envNamespaceClient + "USER_ID"
EnvAppCredID = envNamespaceClient + "APPLICATION_CREDENTIAL_ID"
EnvAppCredName = envNamespaceClient + "APPLICATION_CREDENTIAL_NAME"
EnvAppCredSecret = envNamespaceClient + "APPLICATION_CREDENTIAL_SECRET"
EnvTenantName = envNamespaceClient + "TENANT_NAME"
EnvRegionName = envNamespaceClient + "REGION_NAME"
EnvProjectID = envNamespaceClient + "PROJECT_ID"
EnvCloud = envNamespaceClient + "CLOUD"
)
2020-05-08 17:35:25 +00:00
// Config is used to configure the creation of the DNSProvider.
type Config struct {
PropagationTimeout time.Duration
PollingInterval time.Duration
TTL int
opts gophercloud.AuthOptions
}
2020-05-08 17:35:25 +00:00
// NewDefaultConfig returns a default configuration for the DNSProvider.
func NewDefaultConfig() *Config {
return &Config{
TTL: env.GetOrDefaultInt(EnvTTL, 10),
PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 10*time.Minute),
PollingInterval: env.GetOrDefaultSecond(EnvPollingInterval, 10*time.Second),
}
}
2020-05-08 17:35:25 +00:00
// DNSProvider implements the challenge.Provider interface.
type DNSProvider struct {
config *Config
client *gophercloud.ServiceClient
dnsEntriesMu sync.Mutex
}
// NewDNSProvider returns a DNSProvider instance configured for Designate.
// Credentials must be passed in the environment variables:
// OS_AUTH_URL, OS_USERNAME, OS_PASSWORD, OS_REGION_NAME.
// Or you can specify OS_CLOUD to read the credentials from the according cloud entry.
func NewDNSProvider() (*DNSProvider, error) {
config := NewDefaultConfig()
val, err := env.Get(EnvCloud)
if err == nil {
opts, erro := clientconfig.AuthOptions(&clientconfig.ClientOpts{
Cloud: val[EnvCloud],
})
if erro != nil {
return nil, fmt.Errorf("designate: %w", erro)
}
config.opts = *opts
} else {
opts, err := openstack.AuthOptionsFromEnv()
if err != nil {
return nil, fmt.Errorf("designate: %w", err)
}
config.opts = opts
}
return NewDNSProviderConfig(config)
}
// NewDNSProviderConfig return a DNSProvider instance configured for Designate.
func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
if config == nil {
return nil, errors.New("designate: the configuration of the DNS provider is nil")
}
provider, err := openstack.AuthenticatedClient(config.opts)
if err != nil {
2020-02-27 18:14:46 +00:00
return nil, fmt.Errorf("designate: failed to authenticate: %w", err)
}
dnsClient, err := openstack.NewDNSV2(provider, gophercloud.EndpointOpts{
Region: os.Getenv("OS_REGION_NAME"),
})
if err != nil {
2020-02-27 18:14:46 +00:00
return nil, fmt.Errorf("designate: failed to get DNS provider: %w", err)
}
return &DNSProvider{client: dnsClient, config: config}, nil
}
// Timeout returns the timeout and interval to use when checking for DNS propagation.
// Adjusting here to cope with spikes in propagation times.
func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
return d.config.PropagationTimeout, d.config.PollingInterval
}
2020-05-08 17:35:25 +00:00
// Present creates a TXT record to fulfill the dns-01 challenge.
func (d *DNSProvider) Present(domain, token, keyAuth string) error {
info := dns01.GetChallengeInfo(domain, keyAuth)
zone, err := getAuthZone(info.EffectiveFQDN)
if err != nil {
return fmt.Errorf("designate: %w", err)
}
zoneID, err := d.getZoneID(zone)
if err != nil {
2023-05-05 07:49:38 +00:00
return fmt.Errorf("designate: couldn't get zone ID in Present: %w", err)
}
// use mutex to prevent race condition between creating the record and verifying it
d.dnsEntriesMu.Lock()
defer d.dnsEntriesMu.Unlock()
existingRecord, err := d.getRecord(zoneID, info.EffectiveFQDN)
if err != nil {
2020-02-27 18:14:46 +00:00
return fmt.Errorf("designate: %w", err)
}
if existingRecord != nil {
2024-02-08 02:16:48 +00:00
if slices.Contains(existingRecord.Records, info.Value) {
log.Printf("designate: the record already exists: %s", info.Value)
return nil
}
return d.updateRecord(existingRecord, info.Value)
}
err = d.createRecord(zoneID, info.EffectiveFQDN, info.Value)
if err != nil {
2020-02-27 18:14:46 +00:00
return fmt.Errorf("designate: %w", err)
}
return nil
}
2020-05-08 17:35:25 +00:00
// CleanUp removes the TXT record matching the specified parameters.
func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
info := dns01.GetChallengeInfo(domain, keyAuth)
zone, err := getAuthZone(info.EffectiveFQDN)
if err != nil {
return fmt.Errorf("designate: %w", err)
}
zoneID, err := d.getZoneID(zone)
if err != nil {
2020-02-27 18:14:46 +00:00
return fmt.Errorf("designate: couldn't get zone ID in CleanUp: %w", err)
}
// use mutex to prevent race condition between getting the record and deleting it
d.dnsEntriesMu.Lock()
defer d.dnsEntriesMu.Unlock()
record, err := d.getRecord(zoneID, info.EffectiveFQDN)
if err != nil {
2020-02-27 18:14:46 +00:00
return fmt.Errorf("designate: couldn't get Record ID in CleanUp: %w", err)
}
if record == nil {
// Record is already deleted
return nil
}
err = recordsets.Delete(d.client, zoneID, record.ID).ExtractErr()
if err != nil {
return fmt.Errorf("designate: error for %s in CleanUp: %w", info.EffectiveFQDN, err)
}
return nil
}
func (d *DNSProvider) createRecord(zoneID, fqdn, value string) error {
createOpts := recordsets.CreateOpts{
Name: fqdn,
Type: "TXT",
TTL: d.config.TTL,
Description: "ACME verification record",
Records: []string{value},
}
actual, err := recordsets.Create(d.client, zoneID, createOpts).Extract()
if err != nil {
2020-02-27 18:14:46 +00:00
return fmt.Errorf("error for %s in Present while creating record: %w", fqdn, err)
}
if actual.Name != fqdn || actual.TTL != d.config.TTL {
2020-02-27 18:14:46 +00:00
return errors.New("the created record doesn't match what we wanted to create")
}
return nil
}
func (d *DNSProvider) updateRecord(record *recordsets.RecordSet, value string) error {
2024-02-08 02:16:48 +00:00
if slices.Contains(record.Records, value) {
log.Printf("skip: the record already exists: %s", value)
return nil
}
values := append([]string{value}, record.Records...)
updateOpts := recordsets.UpdateOpts{
Description: &record.Description,
TTL: &record.TTL,
Records: values,
}
result := recordsets.Update(d.client, record.ZoneID, record.ID, updateOpts)
return result.Err
}
func (d *DNSProvider) getZoneID(wanted string) (string, error) {
allPages, err := zones.List(d.client, nil).AllPages()
if err != nil {
return "", err
}
allZones, err := zones.ExtractZones(allPages)
if err != nil {
return "", err
}
for _, zone := range allZones {
if zone.Name == wanted {
return zone.ID, nil
}
}
return "", fmt.Errorf("zone id not found for %s", wanted)
}
2020-07-09 23:48:18 +00:00
func (d *DNSProvider) getRecord(zoneID, wanted string) (*recordsets.RecordSet, error) {
allPages, err := recordsets.ListByZone(d.client, zoneID, nil).AllPages()
if err != nil {
return nil, err
}
allRecords, err := recordsets.ExtractRecordSets(allPages)
if err != nil {
return nil, err
}
for _, record := range allRecords {
if record.Name == wanted && record.Type == "TXT" {
return &record, nil
}
}
return nil, nil
}
func getAuthZone(fqdn string) (string, error) {
authZone := env.GetOrFile(EnvZoneName)
if authZone != "" {
return authZone, nil
}
authZone, err := dns01.FindZoneByFqdn(fqdn)
if err != nil {
return "", fmt.Errorf("could not find zone: %w", err)
}
return authZone, nil
}