forked from TrueCloudLab/lego
Azure DNS Provider (#307)
This is a first attempt at a working Azure DNS challenge provider. Fixes #180
This commit is contained in:
parent
72914df00f
commit
85200a157c
4 changed files with 235 additions and 0 deletions
1
cli.go
1
cli.go
|
@ -201,6 +201,7 @@ Here is an example bash command using the CloudFlare DNS provider:
|
||||||
w := tabwriter.NewWriter(os.Stdout, 0, 8, 1, '\t', 0)
|
w := tabwriter.NewWriter(os.Stdout, 0, 8, 1, '\t', 0)
|
||||||
fmt.Fprintln(w, "Valid providers and their associated credential environment variables:")
|
fmt.Fprintln(w, "Valid providers and their associated credential environment variables:")
|
||||||
fmt.Fprintln(w)
|
fmt.Fprintln(w)
|
||||||
|
fmt.Fprintln(w, "\tazure:\tAZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_RESROUCE_GROUP")
|
||||||
fmt.Fprintln(w, "\tauroradns:\tAURORA_USER_ID, AURORA_KEY, AURORA_ENDPOINT")
|
fmt.Fprintln(w, "\tauroradns:\tAURORA_USER_ID, AURORA_KEY, AURORA_ENDPOINT")
|
||||||
fmt.Fprintln(w, "\tcloudflare:\tCLOUDFLARE_EMAIL, CLOUDFLARE_API_KEY")
|
fmt.Fprintln(w, "\tcloudflare:\tCLOUDFLARE_EMAIL, CLOUDFLARE_API_KEY")
|
||||||
fmt.Fprintln(w, "\tdigitalocean:\tDO_AUTH_TOKEN")
|
fmt.Fprintln(w, "\tdigitalocean:\tDO_AUTH_TOKEN")
|
||||||
|
|
|
@ -15,6 +15,7 @@ import (
|
||||||
|
|
||||||
"github.com/urfave/cli"
|
"github.com/urfave/cli"
|
||||||
"github.com/xenolf/lego/acme"
|
"github.com/xenolf/lego/acme"
|
||||||
|
"github.com/xenolf/lego/providers/dns/azure"
|
||||||
"github.com/xenolf/lego/providers/dns/auroradns"
|
"github.com/xenolf/lego/providers/dns/auroradns"
|
||||||
"github.com/xenolf/lego/providers/dns/cloudflare"
|
"github.com/xenolf/lego/providers/dns/cloudflare"
|
||||||
"github.com/xenolf/lego/providers/dns/digitalocean"
|
"github.com/xenolf/lego/providers/dns/digitalocean"
|
||||||
|
@ -132,6 +133,8 @@ func setup(c *cli.Context) (*Configuration, *Account, *acme.Client) {
|
||||||
var err error
|
var err error
|
||||||
var provider acme.ChallengeProvider
|
var provider acme.ChallengeProvider
|
||||||
switch c.GlobalString("dns") {
|
switch c.GlobalString("dns") {
|
||||||
|
case "azure":
|
||||||
|
provider, err = azure.NewDNSProvider()
|
||||||
case "auroradns":
|
case "auroradns":
|
||||||
provider, err = auroradns.NewDNSProvider()
|
provider, err = auroradns.NewDNSProvider()
|
||||||
case "cloudflare":
|
case "cloudflare":
|
||||||
|
|
142
providers/dns/azure/azure.go
Normal file
142
providers/dns/azure/azure.go
Normal file
|
@ -0,0 +1,142 @@
|
||||||
|
// Package azure implements a DNS provider for solving the DNS-01
|
||||||
|
// challenge using azure DNS.
|
||||||
|
// Azure doesn't like trailing dots on domain names, most of the acme code does.
|
||||||
|
package azure
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/Azure/azure-sdk-for-go/arm/dns"
|
||||||
|
|
||||||
|
"github.com/Azure/go-autorest/autorest/azure"
|
||||||
|
"github.com/Azure/go-autorest/autorest/to"
|
||||||
|
"github.com/xenolf/lego/acme"
|
||||||
|
"strings"
|
||||||
|
)
|
||||||
|
|
||||||
|
// DNSProvider is an implementation of the acme.ChallengeProvider interface
|
||||||
|
type DNSProvider struct {
|
||||||
|
clientId string
|
||||||
|
clientSecret string
|
||||||
|
subscriptionId string
|
||||||
|
tenantId string
|
||||||
|
resourceGroup string
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewDNSProvider returns a DNSProvider instance configured for azure.
|
||||||
|
// Credentials must be passed in the environment variables: AZURE_CLIENT_ID,
|
||||||
|
// AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID
|
||||||
|
func NewDNSProvider() (*DNSProvider, error) {
|
||||||
|
clientId := os.Getenv("AZURE_CLIENT_ID")
|
||||||
|
clientSecret := os.Getenv("AZURE_CLIENT_SECRET")
|
||||||
|
subscriptionId := os.Getenv("AZURE_SUBSCRIPTION_ID")
|
||||||
|
tenantId := os.Getenv("AZURE_TENANT_ID")
|
||||||
|
resourceGroup := os.Getenv("AZURE_RESOURCE_GROUP")
|
||||||
|
return NewDNSProviderCredentials(clientId, clientSecret, subscriptionId, tenantId, resourceGroup)
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewDNSProviderCredentials uses the supplied credentials to return a
|
||||||
|
// DNSProvider instance configured for azure.
|
||||||
|
func NewDNSProviderCredentials(clientId, clientSecret, subscriptionId, tenantId, resourceGroup string) (*DNSProvider, error) {
|
||||||
|
if clientId == "" || clientSecret == "" || subscriptionId == "" || tenantId == "" || resourceGroup == "" {
|
||||||
|
return nil, fmt.Errorf("Azure configuration missing")
|
||||||
|
}
|
||||||
|
|
||||||
|
return &DNSProvider{
|
||||||
|
clientId: clientId,
|
||||||
|
clientSecret: clientSecret,
|
||||||
|
subscriptionId: subscriptionId,
|
||||||
|
tenantId: tenantId,
|
||||||
|
resourceGroup: resourceGroup,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Timeout returns the timeout and interval to use when checking for DNS
|
||||||
|
// propagation. Adjusting here to cope with spikes in propagation times.
|
||||||
|
func (c *DNSProvider) Timeout() (timeout, interval time.Duration) {
|
||||||
|
return 120 * time.Second, 2 * time.Second
|
||||||
|
}
|
||||||
|
|
||||||
|
// Present creates a TXT record to fulfil the dns-01 challenge
|
||||||
|
func (c *DNSProvider) Present(domain, token, keyAuth string) error {
|
||||||
|
fqdn, value, _ := acme.DNS01Record(domain, keyAuth)
|
||||||
|
zone, err := c.getHostedZoneID(fqdn)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
rsc := dns.NewRecordSetsClient(c.subscriptionId)
|
||||||
|
rsc.Authorizer, err = c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
|
||||||
|
relative := toRelativeRecord(fqdn, acme.ToFqdn(zone))
|
||||||
|
rec := dns.RecordSet{
|
||||||
|
Name: &relative,
|
||||||
|
Properties: &dns.RecordSetProperties{
|
||||||
|
TTL: to.Int64Ptr(60),
|
||||||
|
TXTRecords: &[]dns.TxtRecord{dns.TxtRecord{Value: &[]string{value}}},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
_, err = rsc.CreateOrUpdate(c.resourceGroup, zone, relative, dns.TXT, rec, "", "")
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Returns the relative record to the domain
|
||||||
|
func toRelativeRecord(domain, zone string) string {
|
||||||
|
return acme.UnFqdn(strings.TrimSuffix(domain, zone))
|
||||||
|
}
|
||||||
|
|
||||||
|
// CleanUp removes the TXT record matching the specified parameters
|
||||||
|
func (c *DNSProvider) CleanUp(domain, token, keyAuth string) error {
|
||||||
|
fqdn, _, _ := acme.DNS01Record(domain, keyAuth)
|
||||||
|
|
||||||
|
zone, err := c.getHostedZoneID(fqdn)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
relative := toRelativeRecord(fqdn, acme.ToFqdn(zone))
|
||||||
|
rsc := dns.NewRecordSetsClient(c.subscriptionId)
|
||||||
|
rsc.Authorizer, err = c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
|
||||||
|
_, err = rsc.Delete(c.resourceGroup, zone, relative, dns.TXT, "", "")
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Checks that azure has a zone for this domain name.
|
||||||
|
func (c *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
|
||||||
|
authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Now we want to to Azure and get the zone.
|
||||||
|
dc := dns.NewZonesClient(c.subscriptionId)
|
||||||
|
dc.Authorizer, err = c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
|
||||||
|
zone, err := dc.Get(c.resourceGroup, acme.UnFqdn(authZone))
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
// zone.Name shouldn't have a trailing dot(.)
|
||||||
|
return to.String(zone.Name), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewServicePrincipalTokenFromCredentials creates a new ServicePrincipalToken using values of the
|
||||||
|
// passed credentials map.
|
||||||
|
func (c *DNSProvider) newServicePrincipalTokenFromCredentials(scope string) (*azure.ServicePrincipalToken, error) {
|
||||||
|
oauthConfig, err := azure.PublicCloud.OAuthConfigForTenant(c.tenantId)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
return azure.NewServicePrincipalToken(*oauthConfig, c.clientId, c.clientSecret, scope)
|
||||||
|
}
|
89
providers/dns/azure/azure_test.go
Normal file
89
providers/dns/azure/azure_test.go
Normal file
|
@ -0,0 +1,89 @@
|
||||||
|
package azure
|
||||||
|
|
||||||
|
import (
|
||||||
|
"os"
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
azureLiveTest bool
|
||||||
|
azureClientID string
|
||||||
|
azureClientSecret string
|
||||||
|
azureSubscriptionID string
|
||||||
|
azureTenantID string
|
||||||
|
azureResourceGroup string
|
||||||
|
azureDomain string
|
||||||
|
)
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
azureClientID = os.Getenv("AZURE_CLIENT_ID")
|
||||||
|
azureClientSecret = os.Getenv("AZURE_CLIENT_SECRET")
|
||||||
|
azureSubscriptionID = os.Getenv("AZURE_SUBSCRIPTION_ID")
|
||||||
|
azureTenantID = os.Getenv("AZURE_TENANT_ID")
|
||||||
|
azureResourceGroup = os.Getenv("AZURE_RESOURCE_GROUP")
|
||||||
|
azureDomain = os.Getenv("AZURE_DOMAIN")
|
||||||
|
if len(azureClientID) > 0 && len(azureClientSecret) > 0 {
|
||||||
|
azureLiveTest = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func restoreAzureEnv() {
|
||||||
|
os.Setenv("AZURE_CLIENT_ID", azureClientID)
|
||||||
|
os.Setenv("AZURE_SUBSCRIPTION_ID", azureSubscriptionID)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestNewDNSProviderValid(t *testing.T) {
|
||||||
|
if !azureLiveTest {
|
||||||
|
t.Skip("skipping live test (requires credentials)")
|
||||||
|
}
|
||||||
|
os.Setenv("AZURE_CLIENT_ID", "")
|
||||||
|
_, err := NewDNSProviderCredentials(azureClientID, azureClientSecret, azureSubscriptionID, azureTenantID, azureResourceGroup)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
restoreAzureEnv()
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestNewDNSProviderValidEnv(t *testing.T) {
|
||||||
|
if !azureLiveTest {
|
||||||
|
t.Skip("skipping live test (requires credentials)")
|
||||||
|
}
|
||||||
|
os.Setenv("AZURE_CLIENT_ID", "other")
|
||||||
|
_, err := NewDNSProvider()
|
||||||
|
assert.NoError(t, err)
|
||||||
|
restoreAzureEnv()
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestNewDNSProviderMissingCredErr(t *testing.T) {
|
||||||
|
os.Setenv("AZURE_SUBSCRIPTION_ID", "")
|
||||||
|
_, err := NewDNSProvider()
|
||||||
|
assert.EqualError(t, err, "Azure configuration missing")
|
||||||
|
restoreAzureEnv()
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestLiveAzurePresent(t *testing.T) {
|
||||||
|
if !azureLiveTest {
|
||||||
|
t.Skip("skipping live test")
|
||||||
|
}
|
||||||
|
|
||||||
|
provider, err := NewDNSProviderCredentials(azureClientID, azureClientSecret, azureSubscriptionID, azureTenantID, azureResourceGroup)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
err = provider.Present(azureDomain, "", "123d==")
|
||||||
|
assert.NoError(t, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestLiveAzureCleanUp(t *testing.T) {
|
||||||
|
if !azureLiveTest {
|
||||||
|
t.Skip("skipping live test")
|
||||||
|
}
|
||||||
|
|
||||||
|
provider, err := NewDNSProviderCredentials(azureClientID, azureClientSecret, azureSubscriptionID, azureTenantID, azureResourceGroup)
|
||||||
|
time.Sleep(time.Second * 1)
|
||||||
|
|
||||||
|
assert.NoError(t, err)
|
||||||
|
|
||||||
|
err = provider.CleanUp(azureDomain, "", "123d==")
|
||||||
|
assert.NoError(t, err)
|
||||||
|
}
|
Loading…
Reference in a new issue