lego/providers/dns/route53/route53.go

// Package route53 implements a DNS provider for solving the DNS-01 challenge using route53 DNS.
package route53

import (
	"fmt"
	"strings"
	"time"

	"github.com/mitchellh/goamz/aws"
	"github.com/mitchellh/goamz/route53"
	"github.com/xenolf/lego/acme"
)

// DNSProvider is an implementation of the acme.ChallengeProvider interface
type DNSProvider struct {
	client *route53.Route53
}

// NewDNSProvider returns a DNSProvider instance with a configured route53 client.
// Authentication is either done using the passed credentials or - when empty - falling back to
// the customary AWS credential mechanisms, including the file referenced by $AWS_CREDENTIAL_FILE
// (defaulting to $HOME/.aws/credentials) optionally scoped to $AWS_PROFILE, credentials
// supplied by the environment variables AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY [ + AWS_SECURITY_TOKEN ],
// and finally credentials available via the EC2 instance metadata service.
func NewDNSProvider(awsAccessKey, awsSecretKey, awsRegionName string) (*DNSProvider, error) {
	region, ok := aws.Regions[awsRegionName]
	if !ok {
		return nil, fmt.Errorf("Invalid AWS region name %s", awsRegionName)
	}

	// use aws.GetAuth, which tries really hard to find credentails:
	//   - uses awsAccessKey and awsSecretKey, if provided
	//   - uses AWS_PROFILE / AWS_CREDENTIAL_FILE, if provided
	//   - uses AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY and optionally AWS_SECURITY_TOKEN, if provided
	//   - uses EC2 instance metadata credentials (http://169.254.169.254/latest/meta-data/…), if available
	//  ...and otherwise returns an error
	auth, err := aws.GetAuth(awsAccessKey, awsSecretKey)
	if err != nil {
		return nil, err
	}

	client := route53.New(auth, region)
	return &DNSProvider{client: client}, nil
}

// Present creates a TXT record using the specified parameters
func (r *DNSProvider) Present(domain, token, keyAuth string) error {
	fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
	value = `"` + value + `"`
	return r.changeRecord("UPSERT", fqdn, value, ttl)
}

// CleanUp removes the TXT record matching the specified parameters
func (r *DNSProvider) CleanUp(domain, token, keyAuth string) error {
	fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
	value = `"` + value + `"`
	return r.changeRecord("DELETE", fqdn, value, ttl)
}

func (r *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {
	hostedZoneID, err := r.getHostedZoneID(fqdn)
	if err != nil {
		return err
	}
	recordSet := newTXTRecordSet(fqdn, value, ttl)
	update := route53.Change{Action: action, Record: recordSet}
	changes := []route53.Change{update}
	req := route53.ChangeResourceRecordSetsRequest{Comment: "Created by Lego", Changes: changes}
	resp, err := r.client.ChangeResourceRecordSets(hostedZoneID, &req)
	if err != nil {
		return err
	}

	return acme.WaitFor(90, 5, func() (bool, error) {
		status, err := r.client.GetChange(resp.ChangeInfo.ID)
		if err != nil {
			return false, err
		}
		if status == "INSYNC" {
			return true, nil
		}
		return false, nil
	})
}

func (r *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
	zones := []route53.HostedZone{}
	zoneResp, err := r.client.ListHostedZones("", 0)
	if err != nil {
		return "", err
	}
	zones = append(zones, zoneResp.HostedZones...)

	for zoneResp.IsTruncated {
		resp, err := r.client.ListHostedZones(zoneResp.Marker, 0)
		if err != nil {
			if rateExceeded(err) {
				time.Sleep(time.Second)
				continue
			}
			return "", err
		}
		zoneResp = resp
		zones = append(zones, zoneResp.HostedZones...)
	}

	var hostedZone route53.HostedZone
	for _, zone := range zones {
		if strings.HasSuffix(fqdn, zone.Name) {
			if len(zone.Name) > len(hostedZone.Name) {
				hostedZone = zone
			}
		}
	}
	if hostedZone.ID == "" {
		return "", fmt.Errorf("No Route53 hosted zone found for domain %s", fqdn)
	}

	return hostedZone.ID, nil
}

func newTXTRecordSet(fqdn, value string, ttl int) route53.ResourceRecordSet {
	return route53.ResourceRecordSet{
		Name:    fqdn,
		Type:    "TXT",
		Records: []string{value},
		TTL:     ttl,
	}

}

// Route53 API has pretty strict rate limits (5req/s globally per account)
// Hence we check if we are being throttled to maybe retry the request
func rateExceeded(err error) bool {
	if strings.Contains(err.Error(), "Throttling") {
		return true
	}
	return false
}
Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 02:46:09 +00:00			`// Package route53 implements a DNS provider for solving the DNS-01 challenge using route53 DNS.`
Move providers out of ACME package. 2016-02-29 02:48:41 +00:00			`package route53`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00
			`import (`
			`"fmt"`
			`"strings"`
Fetch remaining zones when response is truncated. Route53 API won’t return more than 100 zones per request. 2016-01-22 17:50:18 +00:00			`"time"`
Change maximum zone number requested from Route53 to Math.MaxInt32 from MaxInt64. Fixes #79. 2016-01-22 17:18:53 +00:00
			`"github.com/mitchellh/goamz/aws"`
			`"github.com/mitchellh/goamz/route53"`
Move providers out of ACME package. 2016-02-29 02:48:41 +00:00			`"github.com/xenolf/lego/acme"`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`)`

Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 02:46:09 +00:00			`// DNSProvider is an implementation of the acme.ChallengeProvider interface`
			`type DNSProvider struct {`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`client *route53.Route53`
			`}`

Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 02:46:09 +00:00			`// NewDNSProvider returns a DNSProvider instance with a configured route53 client.`
Add support for additional AWS authentication sources AWS client tools commonly support passing credentials via `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY`, but supporting only this is insufficient. For example, access key IDs provided by STS require passing in `AWS_SECURITY_TOKEN` as a third value, and EC2 instances are often provided dynamic credentials at runtime via the EC2 metadata service. This changeset makes `lego` attempt to find credentials in the same way that the `aws` CLI tool attempts to find credentials. The result is even less auth code than before because `goamz` provides all this with `aws.GetAuth()`. 2016-02-07 00:38:40 +00:00			`// Authentication is either done using the passed credentials or - when empty - falling back to`
Fix a couple of misspelled words and lint errors. 2016-02-15 02:59:43 +00:00			`// the customary AWS credential mechanisms, including the file referenced by $AWS_CREDENTIAL_FILE`
Add support for additional AWS authentication sources AWS client tools commonly support passing credentials via `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY`, but supporting only this is insufficient. For example, access key IDs provided by STS require passing in `AWS_SECURITY_TOKEN` as a third value, and EC2 instances are often provided dynamic credentials at runtime via the EC2 metadata service. This changeset makes `lego` attempt to find credentials in the same way that the `aws` CLI tool attempts to find credentials. The result is even less auth code than before because `goamz` provides all this with `aws.GetAuth()`. 2016-02-07 00:38:40 +00:00			`// (defaulting to $HOME/.aws/credentials) optionally scoped to $AWS_PROFILE, credentials`
			`// supplied by the environment variables AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY [ + AWS_SECURITY_TOKEN ],`
			`// and finally credentials available via the EC2 instance metadata service.`
Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 02:46:09 +00:00			`func NewDNSProvider(awsAccessKey, awsSecretKey, awsRegionName string) (*DNSProvider, error) {`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`region, ok := aws.Regions[awsRegionName]`
			`if !ok {`
			`return nil, fmt.Errorf("Invalid AWS region name %s", awsRegionName)`
			`}`

Add support for additional AWS authentication sources AWS client tools commonly support passing credentials via `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY`, but supporting only this is insufficient. For example, access key IDs provided by STS require passing in `AWS_SECURITY_TOKEN` as a third value, and EC2 instances are often provided dynamic credentials at runtime via the EC2 metadata service. This changeset makes `lego` attempt to find credentials in the same way that the `aws` CLI tool attempts to find credentials. The result is even less auth code than before because `goamz` provides all this with `aws.GetAuth()`. 2016-02-07 00:38:40 +00:00			`// use aws.GetAuth, which tries really hard to find credentails:`
			`// - uses awsAccessKey and awsSecretKey, if provided`
			`// - uses AWS_PROFILE / AWS_CREDENTIAL_FILE, if provided`
			`// - uses AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY and optionally AWS_SECURITY_TOKEN, if provided`
			`// - uses EC2 instance metadata credentials (http://169.254.169.254/latest/meta-data/…), if available`
			`// ...and otherwise returns an error`
Use http client with timeout of 10s This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning. Fix vet errors and lint warnings Add vet to CI check Only get issuer certificate if it would be used No need to make a GET request if the OCSP server is not specified in leaf certificate Fix CI tests Make tests verbose 2016-02-14 06:24:19 +00:00			`auth, err := aws.GetAuth(awsAccessKey, awsSecretKey)`
			`if err != nil {`
Add support for additional AWS authentication sources AWS client tools commonly support passing credentials via `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY`, but supporting only this is insufficient. For example, access key IDs provided by STS require passing in `AWS_SECURITY_TOKEN` as a third value, and EC2 instances are often provided dynamic credentials at runtime via the EC2 metadata service. This changeset makes `lego` attempt to find credentials in the same way that the `aws` CLI tool attempts to find credentials. The result is even less auth code than before because `goamz` provides all this with `aws.GetAuth()`. 2016-02-07 00:38:40 +00:00			`return nil, err`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`}`
Use http client with timeout of 10s This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning. Fix vet errors and lint warnings Add vet to CI check Only get issuer certificate if it would be used No need to make a GET request if the OCSP server is not specified in leaf certificate Fix CI tests Make tests verbose 2016-02-14 06:24:19 +00:00
			`client := route53.New(auth, region)`
Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 02:46:09 +00:00			`return &DNSProvider{client: client}, nil`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`}`

Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations 2016-01-15 04:06:25 +00:00			`// Present creates a TXT record using the specified parameters`
Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 02:46:09 +00:00			`func (r *DNSProvider) Present(domain, token, keyAuth string) error {`
Move providers out of ACME package. 2016-02-29 02:48:41 +00:00			`fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)`
Fixes issues with the Present() method of Route53 provider: - InvalidTXTRDATA error when creating TXT record (closes #94) - Present() should poll and wait until the status of the record change becomes INSYNC (thanks @oov) Adds a retry/timeout utility function to dns_challenge.go that may be used in other places 2016-02-03 06:04:12 +00:00			value = `"` + value + `"`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`return r.changeRecord("UPSERT", fqdn, value, ttl)`
			`}`

Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations 2016-01-15 04:06:25 +00:00			`// CleanUp removes the TXT record matching the specified parameters`
Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 02:46:09 +00:00			`func (r *DNSProvider) CleanUp(domain, token, keyAuth string) error {`
Move providers out of ACME package. 2016-02-29 02:48:41 +00:00			`fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)`
Fixes issues with the Present() method of Route53 provider: - InvalidTXTRDATA error when creating TXT record (closes #94) - Present() should poll and wait until the status of the record change becomes INSYNC (thanks @oov) Adds a retry/timeout utility function to dns_challenge.go that may be used in other places 2016-02-03 06:04:12 +00:00			value = `"` + value + `"`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`return r.changeRecord("DELETE", fqdn, value, ttl)`
			`}`

Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 02:46:09 +00:00			`func (r *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`hostedZoneID, err := r.getHostedZoneID(fqdn)`
			`if err != nil {`
			`return err`
			`}`
			`recordSet := newTXTRecordSet(fqdn, value, ttl)`
Use http client with timeout of 10s This will prevent indefinitely-hanging requests in case some service or middle box is malfunctioning. Fix vet errors and lint warnings Add vet to CI check Only get issuer certificate if it would be used No need to make a GET request if the OCSP server is not specified in leaf certificate Fix CI tests Make tests verbose 2016-02-14 06:24:19 +00:00			`update := route53.Change{Action: action, Record: recordSet}`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`changes := []route53.Change{update}`
			`req := route53.ChangeResourceRecordSetsRequest{Comment: "Created by Lego", Changes: changes}`
Fixes issues with the Present() method of Route53 provider: - InvalidTXTRDATA error when creating TXT record (closes #94) - Present() should poll and wait until the status of the record change becomes INSYNC (thanks @oov) Adds a retry/timeout utility function to dns_challenge.go that may be used in other places 2016-02-03 06:04:12 +00:00			`resp, err := r.client.ChangeResourceRecordSets(hostedZoneID, &req)`
			`if err != nil {`
			`return err`
			`}`

Move functions from dns package back into ACME. 2016-03-11 02:20:25 +00:00			`return acme.WaitFor(90, 5, func() (bool, error) {`
Fixes issues with the Present() method of Route53 provider: - InvalidTXTRDATA error when creating TXT record (closes #94) - Present() should poll and wait until the status of the record change becomes INSYNC (thanks @oov) Adds a retry/timeout utility function to dns_challenge.go that may be used in other places 2016-02-03 06:04:12 +00:00			`status, err := r.client.GetChange(resp.ChangeInfo.ID)`
			`if err != nil {`
			`return false, err`
			`}`
			`if status == "INSYNC" {`
			`return true, nil`
			`}`
			`return false, nil`
			`})`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`}`

Rename provider types as provider names are already in the package name. Added package level comments and fixed the name of the interface the providers are importing. 2016-03-11 02:46:09 +00:00			`func (r *DNSProvider) getHostedZoneID(fqdn string) (string, error) {`
Fetch remaining zones when response is truncated. Route53 API won’t return more than 100 zones per request. 2016-01-22 17:50:18 +00:00			`zones := []route53.HostedZone{}`
			`zoneResp, err := r.client.ListHostedZones("", 0)`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`if err != nil {`
			`return "", err`
			`}`
Fetch remaining zones when response is truncated. Route53 API won’t return more than 100 zones per request. 2016-01-22 17:50:18 +00:00			`zones = append(zones, zoneResp.HostedZones...)`

			`for zoneResp.IsTruncated {`
			`resp, err := r.client.ListHostedZones(zoneResp.Marker, 0)`
			`if err != nil {`
			`if rateExceeded(err) {`
			`time.Sleep(time.Second)`
			`continue`
			`}`
			`return "", err`
			`}`
			`zoneResp = resp`
			`zones = append(zones, zoneResp.HostedZones...)`
			`}`

Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`var hostedZone route53.HostedZone`
Fetch remaining zones when response is truncated. Route53 API won’t return more than 100 zones per request. 2016-01-22 17:50:18 +00:00			`for _, zone := range zones {`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`if strings.HasSuffix(fqdn, zone.Name) {`
			`if len(zone.Name) > len(hostedZone.Name) {`
			`hostedZone = zone`
			`}`
			`}`
			`}`
			`if hostedZone.ID == "" {`
Fetch remaining zones when response is truncated. Route53 API won’t return more than 100 zones per request. 2016-01-22 17:50:18 +00:00			`return "", fmt.Errorf("No Route53 hosted zone found for domain %s", fqdn)`
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`}`

			`return hostedZone.ID, nil`
			`}`

			`func newTXTRecordSet(fqdn, value string, ttl int) route53.ResourceRecordSet {`
			`return route53.ResourceRecordSet{`
			`Name: fqdn,`
			`Type: "TXT",`
			`Records: []string{value},`
			`TTL: ttl,`
			`}`
Fixes issues with the Present() method of Route53 provider: - InvalidTXTRDATA error when creating TXT record (closes #94) - Present() should poll and wait until the status of the record change becomes INSYNC (thanks @oov) Adds a retry/timeout utility function to dns_challenge.go that may be used in other places 2016-02-03 06:04:12 +00:00
Modular DNS challenge - Manual provider - Dynamic DNS Update provider (RFC2136) - Route53 provider - CloudFlare provider 2015-12-03 20:01:46 +00:00			`}`
Fetch remaining zones when response is truncated. Route53 API won’t return more than 100 zones per request. 2016-01-22 17:50:18 +00:00
			`// Route53 API has pretty strict rate limits (5req/s globally per account)`
			`// Hence we check if we are being throttled to maybe retry the request`
Refactor challenge providers to new ChallengeProvider interface * new ChallengeProvider with Present and CleanUp methods * new Challenge type describing `http-01`, `tls-sni-01`, `dns-01` * new client.SetChallengeProvider to support custom implementations 2016-01-15 04:06:25 +00:00			`func rateExceeded(err error) bool {`
Fetch remaining zones when response is truncated. Route53 API won’t return more than 100 zones per request. 2016-01-22 17:50:18 +00:00			`if strings.Contains(err.Error(), "Throttling") {`
			`return true`
			`}`
			`return false`
			`}`