forked from TrueCloudLab/lego
Add DigitalOcean DNS provider
Also a few vet/lint fixes and improved some error messages
This commit is contained in:
parent
50031525c9
commit
b42b256d5c
6 changed files with 261 additions and 7 deletions
136
acme/dns_challenge_digitalocean.go
Normal file
136
acme/dns_challenge_digitalocean.go
Normal file
|
@ -0,0 +1,136 @@
|
||||||
|
package acme
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
// DNSProviderDigitalOcean is an implementation of the DNSProvider interface
|
||||||
|
// that uses DigitalOcean's REST API to manage TXT records for a domain.
|
||||||
|
type DNSProviderDigitalOcean struct {
|
||||||
|
apiAuthToken string
|
||||||
|
recordIDs map[string]int
|
||||||
|
recordIDsMu sync.Mutex
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewDNSProviderDigitalOcean returns a new DNSProviderDigitalOcean instance.
|
||||||
|
// apiAuthToken is the personal access token created in the DigitalOcean account
|
||||||
|
// control panel, and it will be sent in bearer authorization headers.
|
||||||
|
func NewDNSProviderDigitalOcean(apiAuthToken string) (*DNSProviderDigitalOcean, error) {
|
||||||
|
return &DNSProviderDigitalOcean{
|
||||||
|
apiAuthToken: apiAuthToken,
|
||||||
|
recordIDs: make(map[string]int),
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Present creates a TXT record using the specified parameters
|
||||||
|
func (d *DNSProviderDigitalOcean) Present(domain, token, keyAuth string) error {
|
||||||
|
// txtRecordRequest represents the request body to DO's API to make a TXT record
|
||||||
|
type txtRecordRequest struct {
|
||||||
|
RecordType string `json:"type"`
|
||||||
|
Name string `json:"name"`
|
||||||
|
Data string `json:"data"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// txtRecordResponse represents a response from DO's API after making a TXT record
|
||||||
|
type txtRecordResponse struct {
|
||||||
|
DomainRecord struct {
|
||||||
|
ID int `json:"id"`
|
||||||
|
Type string `json:"type"`
|
||||||
|
Name string `json:"name"`
|
||||||
|
Data string `json:"data"`
|
||||||
|
} `json:"domain_record"`
|
||||||
|
}
|
||||||
|
|
||||||
|
fqdn, value, _ := DNS01Record(domain, keyAuth)
|
||||||
|
|
||||||
|
reqURL := fmt.Sprintf("%s/v2/domains/%s/records", digitalOceanBaseURL, domain)
|
||||||
|
reqData := txtRecordRequest{RecordType: "TXT", Name: fqdn, Data: value}
|
||||||
|
body, err := json.Marshal(reqData)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
req, err := http.NewRequest("POST", reqURL, bytes.NewReader(body))
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
req.Header.Set("Content-Type", "application/json")
|
||||||
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", d.apiAuthToken))
|
||||||
|
|
||||||
|
var client http.Client
|
||||||
|
resp, err := client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode >= 400 {
|
||||||
|
var errInfo digitalOceanAPIError
|
||||||
|
json.NewDecoder(resp.Body).Decode(&errInfo)
|
||||||
|
return fmt.Errorf("HTTP %d: %s: %s", resp.StatusCode, errInfo.ID, errInfo.Message)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Everything looks good; but we'll need the ID later to delete the record
|
||||||
|
var respData txtRecordResponse
|
||||||
|
err = json.NewDecoder(resp.Body).Decode(&respData)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
d.recordIDsMu.Lock()
|
||||||
|
d.recordIDs[fqdn] = respData.DomainRecord.ID
|
||||||
|
d.recordIDsMu.Unlock()
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// CleanUp removes the TXT record matching the specified parameters
|
||||||
|
func (d *DNSProviderDigitalOcean) CleanUp(domain, token, keyAuth string) error {
|
||||||
|
fqdn, _, _ := DNS01Record(domain, keyAuth)
|
||||||
|
|
||||||
|
// get the record's unique ID from when we created it
|
||||||
|
d.recordIDsMu.Lock()
|
||||||
|
recordID, ok := d.recordIDs[fqdn]
|
||||||
|
d.recordIDsMu.Unlock()
|
||||||
|
if !ok {
|
||||||
|
return fmt.Errorf("unknown record ID for '%s'", fqdn)
|
||||||
|
}
|
||||||
|
|
||||||
|
reqURL := fmt.Sprintf("%s/v2/domains/%s/records/%d", digitalOceanBaseURL, domain, recordID)
|
||||||
|
req, err := http.NewRequest("DELETE", reqURL, nil)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
req.Header.Set("Content-Type", "application/json")
|
||||||
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", d.apiAuthToken))
|
||||||
|
|
||||||
|
var client http.Client
|
||||||
|
resp, err := client.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
if resp.StatusCode >= 400 {
|
||||||
|
var errInfo digitalOceanAPIError
|
||||||
|
json.NewDecoder(resp.Body).Decode(&errInfo)
|
||||||
|
return fmt.Errorf("HTTP %d: %s: %s", resp.StatusCode, errInfo.ID, errInfo.Message)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Delete record ID from map
|
||||||
|
d.recordIDsMu.Lock()
|
||||||
|
delete(d.recordIDs, fqdn)
|
||||||
|
d.recordIDsMu.Unlock()
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
type digitalOceanAPIError struct {
|
||||||
|
ID string `json:"id"`
|
||||||
|
Message string `json:"message"`
|
||||||
|
}
|
||||||
|
|
||||||
|
var digitalOceanBaseURL = "https://api.digitalocean.com"
|
117
acme/dns_challenge_digitalocean_test.go
Normal file
117
acme/dns_challenge_digitalocean_test.go
Normal file
|
@ -0,0 +1,117 @@
|
||||||
|
package acme
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
|
"net/http"
|
||||||
|
"net/http/httptest"
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
var fakeDigitalOceanAuth = "asdf1234"
|
||||||
|
|
||||||
|
func TestDigitalOceanPresent(t *testing.T) {
|
||||||
|
var requestReceived bool
|
||||||
|
|
||||||
|
mock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
requestReceived = true
|
||||||
|
|
||||||
|
if got, want := r.Method, "POST"; got != want {
|
||||||
|
t.Errorf("Expected method to be '%s' but got '%s'", want, got)
|
||||||
|
}
|
||||||
|
if got, want := r.URL.Path, "/v2/domains/example.com/records"; got != want {
|
||||||
|
t.Errorf("Expected path to be '%s' but got '%s'", want, got)
|
||||||
|
}
|
||||||
|
if got, want := r.Header.Get("Content-Type"), "application/json"; got != want {
|
||||||
|
t.Errorf("Expected Content-Type to be '%s' but got '%s'", want, got)
|
||||||
|
}
|
||||||
|
if got, want := r.Header.Get("Authorization"), "Bearer asdf1234"; got != want {
|
||||||
|
t.Errorf("Expected Authorization to be '%s' but got '%s'", want, got)
|
||||||
|
}
|
||||||
|
|
||||||
|
reqBody, err := ioutil.ReadAll(r.Body)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Error reading request body: %v", err)
|
||||||
|
}
|
||||||
|
if got, want := string(reqBody), `{"type":"TXT","name":"_acme-challenge.example.com.","data":"w6uP8Tcg6K2QR905Rms8iXTlksL6OD1KOWBxTK7wxPI"}`; got != want {
|
||||||
|
t.Errorf("Expected body data to be: `%s` but got `%s`", want, got)
|
||||||
|
}
|
||||||
|
|
||||||
|
w.WriteHeader(http.StatusCreated)
|
||||||
|
fmt.Fprintf(w, `{
|
||||||
|
"domain_record": {
|
||||||
|
"id": 1234567,
|
||||||
|
"type": "TXT",
|
||||||
|
"name": "_acme-challenge",
|
||||||
|
"data": "w6uP8Tcg6K2QR905Rms8iXTlksL6OD1KOWBxTK7wxPI",
|
||||||
|
"priority": null,
|
||||||
|
"port": null,
|
||||||
|
"weight": null
|
||||||
|
}
|
||||||
|
}`)
|
||||||
|
}))
|
||||||
|
defer mock.Close()
|
||||||
|
digitalOceanBaseURL = mock.URL
|
||||||
|
|
||||||
|
doprov, err := NewDNSProviderDigitalOcean(fakeDigitalOceanAuth)
|
||||||
|
if doprov == nil {
|
||||||
|
t.Fatal("Expected non-nil DigitalOcean provider, but was nil")
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Expected no error creating provider, but got: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
err = doprov.Present("example.com", "", "foobar")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Expected no error creating TXT record, but got: %v", err)
|
||||||
|
}
|
||||||
|
if !requestReceived {
|
||||||
|
t.Error("Expected request to be received by mock backend, but it wasn't")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestDigitalOceanCleanUp(t *testing.T) {
|
||||||
|
var requestReceived bool
|
||||||
|
|
||||||
|
mock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
requestReceived = true
|
||||||
|
|
||||||
|
if got, want := r.Method, "DELETE"; got != want {
|
||||||
|
t.Errorf("Expected method to be '%s' but got '%s'", want, got)
|
||||||
|
}
|
||||||
|
if got, want := r.URL.Path, "/v2/domains/example.com/records/1234567"; got != want {
|
||||||
|
t.Errorf("Expected path to be '%s' but got '%s'", want, got)
|
||||||
|
}
|
||||||
|
// NOTE: Even though the body is empty, DigitalOcean API docs still show setting this Content-Type...
|
||||||
|
if got, want := r.Header.Get("Content-Type"), "application/json"; got != want {
|
||||||
|
t.Errorf("Expected Content-Type to be '%s' but got '%s'", want, got)
|
||||||
|
}
|
||||||
|
if got, want := r.Header.Get("Authorization"), "Bearer asdf1234"; got != want {
|
||||||
|
t.Errorf("Expected Authorization to be '%s' but got '%s'", want, got)
|
||||||
|
}
|
||||||
|
|
||||||
|
w.WriteHeader(http.StatusNoContent)
|
||||||
|
}))
|
||||||
|
defer mock.Close()
|
||||||
|
digitalOceanBaseURL = mock.URL
|
||||||
|
|
||||||
|
doprov, err := NewDNSProviderDigitalOcean(fakeDigitalOceanAuth)
|
||||||
|
if doprov == nil {
|
||||||
|
t.Fatal("Expected non-nil DigitalOcean provider, but was nil")
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Expected no error creating provider, but got: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
doprov.recordIDsMu.Lock()
|
||||||
|
doprov.recordIDs["_acme-challenge.example.com."] = 1234567
|
||||||
|
doprov.recordIDsMu.Unlock()
|
||||||
|
|
||||||
|
err = doprov.CleanUp("example.com", "", "")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Expected no error removing TXT record, but got: %v", err)
|
||||||
|
}
|
||||||
|
if !requestReceived {
|
||||||
|
t.Error("Expected request to be received by mock backend, but it wasn't")
|
||||||
|
}
|
||||||
|
}
|
|
@ -2,12 +2,13 @@ package acme
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"github.com/miekg/dns"
|
|
||||||
"net"
|
"net"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/miekg/dns"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -38,7 +39,7 @@ func TestRFC2136CanaryLocalTestServer(t *testing.T) {
|
||||||
m.SetQuestion("example.com.", dns.TypeTXT)
|
m.SetQuestion("example.com.", dns.TypeTXT)
|
||||||
r, _, err := c.Exchange(m, addrstr)
|
r, _, err := c.Exchange(m, addrstr)
|
||||||
if err != nil || len(r.Extra) == 0 {
|
if err != nil || len(r.Extra) == 0 {
|
||||||
t.Fatalf("Failed to communicate with test server:", err)
|
t.Fatalf("Failed to communicate with test server: %v", err)
|
||||||
}
|
}
|
||||||
txt := r.Extra[0].(*dns.TXT).Txt[0]
|
txt := r.Extra[0].(*dns.TXT).Txt[0]
|
||||||
if txt != "Hello world" {
|
if txt != "Hello world" {
|
||||||
|
|
|
@ -10,7 +10,7 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
)
|
)
|
||||||
|
|
||||||
// UserAgent, if non-empty, will be tacked onto the User-Agent string in requests.
|
// UserAgent (if non-empty) will be tacked onto the User-Agent string in requests.
|
||||||
var UserAgent string
|
var UserAgent string
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
|
|
@ -32,12 +32,12 @@ func (s *httpChallenge) Solve(chlng challenge, domain string) error {
|
||||||
|
|
||||||
err = s.provider.Present(domain, chlng.Token, keyAuth)
|
err = s.provider.Present(domain, chlng.Token, keyAuth)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Error presenting token %s", err)
|
return fmt.Errorf("[%s] error presenting token: %v", domain, err)
|
||||||
}
|
}
|
||||||
defer func() {
|
defer func() {
|
||||||
err := s.provider.CleanUp(domain, chlng.Token, keyAuth)
|
err := s.provider.CleanUp(domain, chlng.Token, keyAuth)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("Error cleaning up %s %v ", domain, err)
|
log.Printf("[%s] error cleaning up: %v", domain, err)
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
|
|
@ -33,12 +33,12 @@ func (t *tlsSNIChallenge) Solve(chlng challenge, domain string) error {
|
||||||
|
|
||||||
err = t.provider.Present(domain, chlng.Token, keyAuth)
|
err = t.provider.Present(domain, chlng.Token, keyAuth)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Error presenting token %s", err)
|
return fmt.Errorf("[%s] error presenting token: %v", domain, err)
|
||||||
}
|
}
|
||||||
defer func() {
|
defer func() {
|
||||||
err := t.provider.CleanUp(domain, chlng.Token, keyAuth)
|
err := t.provider.CleanUp(domain, chlng.Token, keyAuth)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Printf("Error cleaning up %s %v ", domain, err)
|
log.Printf("[%s] error cleaning up: %v", domain, err)
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
return t.validate(t.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth})
|
return t.validate(t.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth})
|
||||||
|
|
Loading…
Reference in a new issue