Add support for new Gandi Beta Platform: LiveDNS (#365)
* Add 'dns-01' in CLI usage's solver list * Add Gandi Beta LiveDNS provider * gandiv5: rename provider and enhance error messages * gandiv5: clean old behavior comments * gandiv5: clean old behavior comments
This commit is contained in:
parent
6bddbfd17a
commit
e2b4c3a54f
4 changed files with 366 additions and 2 deletions
3
cli.go
3
cli.go
|
@ -140,7 +140,7 @@ func main() {
|
|||
},
|
||||
cli.StringSliceFlag{
|
||||
Name: "exclude, x",
|
||||
Usage: "Explicitly disallow solvers by name from being used. Solvers: \"http-01\", \"tls-sni-01\".",
|
||||
Usage: "Explicitly disallow solvers by name from being used. Solvers: \"http-01\", \"tls-sni-01\", \"dns-01\",.",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "webroot",
|
||||
|
@ -209,6 +209,7 @@ Here is an example bash command using the CloudFlare DNS provider:
|
|||
fmt.Fprintln(w, "\tdnsmadeeasy:\tDNSMADEEASY_API_KEY, DNSMADEEASY_API_SECRET")
|
||||
fmt.Fprintln(w, "\texoscale:\tEXOSCALE_API_KEY, EXOSCALE_API_SECRET, EXOSCALE_ENDPOINT")
|
||||
fmt.Fprintln(w, "\tgandi:\tGANDI_API_KEY")
|
||||
fmt.Fprintln(w, "\tgandiv5:\tGANDIV5_API_KEY")
|
||||
fmt.Fprintln(w, "\tgcloud:\tGCE_PROJECT, GCE_SERVICE_ACCOUNT_FILE")
|
||||
fmt.Fprintln(w, "\tlinode:\tLINODE_API_KEY")
|
||||
fmt.Fprintln(w, "\tmanual:\tnone")
|
||||
|
|
|
@ -15,8 +15,9 @@ import (
|
|||
"github.com/xenolf/lego/providers/dns/dyn"
|
||||
"github.com/xenolf/lego/providers/dns/exoscale"
|
||||
"github.com/xenolf/lego/providers/dns/gandi"
|
||||
"github.com/xenolf/lego/providers/dns/godaddy"
|
||||
"github.com/xenolf/lego/providers/dns/gandiv5"
|
||||
"github.com/xenolf/lego/providers/dns/googlecloud"
|
||||
"github.com/xenolf/lego/providers/dns/godaddy"
|
||||
"github.com/xenolf/lego/providers/dns/linode"
|
||||
"github.com/xenolf/lego/providers/dns/namecheap"
|
||||
"github.com/xenolf/lego/providers/dns/ns1"
|
||||
|
@ -53,6 +54,8 @@ func NewDNSChallengeProviderByName(name string) (acme.ChallengeProvider, error)
|
|||
provider, err = exoscale.NewDNSProvider()
|
||||
case "gandi":
|
||||
provider, err = gandi.NewDNSProvider()
|
||||
case "gandiv5":
|
||||
provider, err = gandiv5.NewDNSProvider()
|
||||
case "gcloud":
|
||||
provider, err = googlecloud.NewDNSProvider()
|
||||
case "godaddy":
|
||||
|
|
203
providers/dns/gandiv5/gandiv5.go
Normal file
203
providers/dns/gandiv5/gandiv5.go
Normal file
|
@ -0,0 +1,203 @@
|
|||
// Package gandiv5 implements a DNS provider for solving the DNS-01
|
||||
// challenge using Gandi LiveDNS api.
|
||||
package gandiv5
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/xenolf/lego/acme"
|
||||
)
|
||||
|
||||
// Gandi API reference: http://doc.livedns.gandi.net/
|
||||
|
||||
var (
|
||||
// endpoint is the Gandi API endpoint used by Present and
|
||||
// CleanUp. It is overridden during tests.
|
||||
endpoint = "https://dns.api.gandi.net/api/v5"
|
||||
// findZoneByFqdn determines the DNS zone of an fqdn. It is overridden
|
||||
// during tests.
|
||||
findZoneByFqdn = acme.FindZoneByFqdn
|
||||
)
|
||||
|
||||
// inProgressInfo contains information about an in-progress challenge
|
||||
type inProgressInfo struct {
|
||||
fieldName string
|
||||
authZone string
|
||||
}
|
||||
|
||||
// DNSProvider is an implementation of the
|
||||
// acme.ChallengeProviderTimeout interface that uses Gandi's LiveDNS
|
||||
// API to manage TXT records for a domain.
|
||||
type DNSProvider struct {
|
||||
apiKey string
|
||||
inProgressFQDNs map[string]inProgressInfo
|
||||
inProgressMu sync.Mutex
|
||||
}
|
||||
|
||||
// NewDNSProvider returns a DNSProvider instance configured for Gandi.
|
||||
// Credentials must be passed in the environment variable: GANDIV5_API_KEY.
|
||||
func NewDNSProvider() (*DNSProvider, error) {
|
||||
apiKey := os.Getenv("GANDIV5_API_KEY")
|
||||
return NewDNSProviderCredentials(apiKey)
|
||||
}
|
||||
|
||||
// NewDNSProviderCredentials uses the supplied credentials to return a
|
||||
// DNSProvider instance configured for Gandi.
|
||||
func NewDNSProviderCredentials(apiKey string) (*DNSProvider, error) {
|
||||
if apiKey == "" {
|
||||
return nil, fmt.Errorf("Gandi DNS: No Gandi API Key given")
|
||||
}
|
||||
return &DNSProvider{
|
||||
apiKey: apiKey,
|
||||
inProgressFQDNs: make(map[string]inProgressInfo),
|
||||
}, nil
|
||||
}
|
||||
|
||||
// Present creates a TXT record using the specified parameters.
|
||||
func (d *DNSProvider) Present(domain, token, keyAuth string) error {
|
||||
fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
|
||||
if ttl < 300 {
|
||||
ttl = 300 // 300 is gandi minimum value for ttl
|
||||
}
|
||||
// find authZone
|
||||
authZone, err := findZoneByFqdn(fqdn, acme.RecursiveNameservers)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Gandi DNS: findZoneByFqdn failure: %v", err)
|
||||
}
|
||||
// determine name of TXT record
|
||||
if !strings.HasSuffix(
|
||||
strings.ToLower(fqdn), strings.ToLower("."+authZone)) {
|
||||
return fmt.Errorf(
|
||||
"Gandi DNS: unexpected authZone %s for fqdn %s", authZone, fqdn)
|
||||
}
|
||||
name := fqdn[:len(fqdn)-len("."+authZone)]
|
||||
// acquire lock and check there is not a challenge already in
|
||||
// progress for this value of authZone
|
||||
d.inProgressMu.Lock()
|
||||
defer d.inProgressMu.Unlock()
|
||||
// add TXT record into authZone
|
||||
err = d.addTXTRecord(acme.UnFqdn(authZone), name, value, ttl)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// save data necessary for CleanUp
|
||||
d.inProgressFQDNs[fqdn] = inProgressInfo{
|
||||
authZone: authZone,
|
||||
fieldName: name,
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// CleanUp removes the TXT record matching the specified parameters.
|
||||
func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
|
||||
fqdn, _, _ := acme.DNS01Record(domain, keyAuth)
|
||||
// acquire lock and retrieve authZone
|
||||
d.inProgressMu.Lock()
|
||||
defer d.inProgressMu.Unlock()
|
||||
if _, ok := d.inProgressFQDNs[fqdn]; !ok {
|
||||
// if there is no cleanup information then just return
|
||||
return nil
|
||||
}
|
||||
fieldName := d.inProgressFQDNs[fqdn].fieldName
|
||||
authZone := d.inProgressFQDNs[fqdn].authZone
|
||||
delete(d.inProgressFQDNs, fqdn)
|
||||
// delete TXT record from authZone
|
||||
err := d.deleteTXTRecord(acme.UnFqdn(authZone), fieldName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Timeout returns the values (20*time.Minute, 20*time.Second) which
|
||||
// are used by the acme package as timeout and check interval values
|
||||
// when checking for DNS record propagation with Gandi.
|
||||
func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
|
||||
return 20 * time.Minute, 20 * time.Second
|
||||
}
|
||||
|
||||
// types for JSON method calls and parameters
|
||||
|
||||
type addFieldRequest struct {
|
||||
RRSetTTL int `json:"rrset_ttl"`
|
||||
RRSetValues []string `json:"rrset_values"`
|
||||
}
|
||||
|
||||
type deleteFieldRequest struct {
|
||||
Delete bool `json:"delete"`
|
||||
}
|
||||
|
||||
// types for JSON responses
|
||||
|
||||
type responseStruct struct {
|
||||
Message string `json:"message"`
|
||||
}
|
||||
|
||||
// POSTing/Marshalling/Unmarshalling
|
||||
|
||||
func (d *DNSProvider) sendRequest(method string, resource string, payload interface{}) (*responseStruct, error) {
|
||||
url := fmt.Sprintf("%s/%s", endpoint, resource)
|
||||
|
||||
body, err := json.Marshal(payload)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
req, err := http.NewRequest(method, url, bytes.NewReader(body))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
if len(d.apiKey) > 0 {
|
||||
req.Header.Set("X-Api-Key", d.apiKey)
|
||||
}
|
||||
|
||||
client := &http.Client{Timeout: time.Duration(10 * time.Second)}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode >= 400 {
|
||||
return nil, fmt.Errorf("Gandi DNS: request failed with HTTP status code %d", resp.StatusCode)
|
||||
}
|
||||
var response responseStruct
|
||||
err = json.NewDecoder(resp.Body).Decode(&response)
|
||||
if err != nil && method != "DELETE" {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &response, nil
|
||||
}
|
||||
|
||||
// functions to perform API actions
|
||||
|
||||
func (d *DNSProvider) addTXTRecord(domain string, name string, value string, ttl int) error {
|
||||
target := fmt.Sprintf("domains/%s/records/%s/TXT", domain, name)
|
||||
response, err := d.sendRequest("PUT", target, addFieldRequest{
|
||||
RRSetTTL: ttl,
|
||||
RRSetValues: []string{value},
|
||||
})
|
||||
if response != nil {
|
||||
fmt.Printf("Gandi DNS: %s\n", response.Message)
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
func (d *DNSProvider) deleteTXTRecord(domain string, name string) error {
|
||||
target := fmt.Sprintf("domains/%s/records/%s/TXT", domain, name)
|
||||
response, err := d.sendRequest("DELETE", target, deleteFieldRequest{
|
||||
Delete: true,
|
||||
})
|
||||
if response != nil && response.Message == "" {
|
||||
fmt.Printf("Gandi DNS: Zone record deleted\n")
|
||||
}
|
||||
return err
|
||||
}
|
157
providers/dns/gandiv5/gandiv5_test.go
Normal file
157
providers/dns/gandiv5/gandiv5_test.go
Normal file
|
@ -0,0 +1,157 @@
|
|||
package gandiv5
|
||||
|
||||
import (
|
||||
"crypto"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"os"
|
||||
"regexp"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/xenolf/lego/acme"
|
||||
)
|
||||
|
||||
// stagingServer is the Let's Encrypt staging server used by the live test
|
||||
const stagingServer = "https://acme-staging.api.letsencrypt.org/directory"
|
||||
|
||||
// user implements acme.User and is used by the live test
|
||||
type user struct {
|
||||
Email string
|
||||
Registration *acme.RegistrationResource
|
||||
key crypto.PrivateKey
|
||||
}
|
||||
|
||||
func (u *user) GetEmail() string {
|
||||
return u.Email
|
||||
}
|
||||
func (u *user) GetRegistration() *acme.RegistrationResource {
|
||||
return u.Registration
|
||||
}
|
||||
func (u *user) GetPrivateKey() crypto.PrivateKey {
|
||||
return u.key
|
||||
}
|
||||
|
||||
// TestDNSProvider runs Present and CleanUp against a fake Gandi RPC
|
||||
// Server, whose responses are predetermined for particular requests.
|
||||
func TestDNSProvider(t *testing.T) {
|
||||
fakeAPIKey := "123412341234123412341234"
|
||||
fakeKeyAuth := "XXXX"
|
||||
provider, err := NewDNSProviderCredentials(fakeAPIKey)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
regexpToken, err := regexp.Compile(`"rrset_values":\[".+"\]`)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
// start fake RPC server
|
||||
fakeServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Header.Get("Content-Type") != "application/json" {
|
||||
t.Fatalf("Content-Type: application/json header not found")
|
||||
}
|
||||
req, err := ioutil.ReadAll(r.Body)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
req = regexpToken.ReplaceAllLiteral(
|
||||
req, []byte(`"rrset_values":["TOKEN"]`))
|
||||
resp, ok := serverResponses[string(req)]
|
||||
if !ok {
|
||||
t.Fatalf("Server response for request not found")
|
||||
}
|
||||
_, err = io.Copy(w, strings.NewReader(resp))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}))
|
||||
defer fakeServer.Close()
|
||||
// define function to override findZoneByFqdn with
|
||||
fakeFindZoneByFqdn := func(fqdn string, nameserver []string) (string, error) {
|
||||
return "example.com.", nil
|
||||
}
|
||||
// override gandi endpoint and findZoneByFqdn function
|
||||
savedEndpoint, savedFindZoneByFqdn := endpoint, findZoneByFqdn
|
||||
defer func() {
|
||||
endpoint, findZoneByFqdn = savedEndpoint, savedFindZoneByFqdn
|
||||
}()
|
||||
endpoint, findZoneByFqdn = fakeServer.URL, fakeFindZoneByFqdn
|
||||
// run Present
|
||||
err = provider.Present("abc.def.example.com", "", fakeKeyAuth)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
// run CleanUp
|
||||
err = provider.CleanUp("abc.def.example.com", "", fakeKeyAuth)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestDNSProviderLive performs a live test to obtain a certificate
|
||||
// using the Let's Encrypt staging server. It runs provided that both
|
||||
// the environment variables GANDIV5_API_KEY and GANDI_TEST_DOMAIN are
|
||||
// set. Otherwise the test is skipped.
|
||||
//
|
||||
// To complete this test, go test must be run with the -timeout=40m
|
||||
// flag, since the default timeout of 10m is insufficient.
|
||||
func TestDNSProviderLive(t *testing.T) {
|
||||
apiKey := os.Getenv("GANDIV5_API_KEY")
|
||||
domain := os.Getenv("GANDI_TEST_DOMAIN")
|
||||
if apiKey == "" || domain == "" {
|
||||
t.Skip("skipping live test")
|
||||
}
|
||||
// create a user.
|
||||
const rsaKeySize = 2048
|
||||
privateKey, err := rsa.GenerateKey(rand.Reader, rsaKeySize)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
myUser := user{
|
||||
Email: "test@example.com",
|
||||
key: privateKey,
|
||||
}
|
||||
// create a client using staging server
|
||||
client, err := acme.NewClient(stagingServer, &myUser, acme.RSA2048)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
provider, err := NewDNSProviderCredentials(apiKey)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
err = client.SetChallengeProvider(acme.DNS01, provider)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
client.ExcludeChallenges([]acme.Challenge{acme.HTTP01, acme.TLSSNI01})
|
||||
// register and agree tos
|
||||
reg, err := client.Register()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
myUser.Registration = reg
|
||||
err = client.AgreeToTOS()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
// complete the challenge
|
||||
bundle := false
|
||||
_, failures := client.ObtainCertificate([]string{domain}, bundle, nil, false)
|
||||
if len(failures) > 0 {
|
||||
t.Fatal(failures)
|
||||
}
|
||||
}
|
||||
|
||||
// serverResponses is the JSON Request->Response map used by the
|
||||
// fake JSON server.
|
||||
var serverResponses = map[string]string{
|
||||
// Present Request->Response (addTXTRecord)
|
||||
`{"rrset_ttl":300,"rrset_values":["TOKEN"]}`: `{"message": "Zone Record Created"}`,
|
||||
// CleanUp Request->Response (deleteTXTRecord)
|
||||
`{"delete":true}`: ``,
|
||||
}
|
Loading…
Reference in a new issue