Add DigitalOcean DNS provider

Also a few vet/lint fixes and improved some error messages
This commit is contained in:
Matthew Holt 2016-01-26 17:57:55 -07:00
parent 50031525c9
commit b42b256d5c
6 changed files with 261 additions and 7 deletions

View file

@ -0,0 +1,136 @@
package acme
import (
"bytes"
"encoding/json"
"fmt"
"net/http"
"sync"
)
// DNSProviderDigitalOcean is an implementation of the DNSProvider interface
// that uses DigitalOcean's REST API to manage TXT records for a domain.
type DNSProviderDigitalOcean struct {
apiAuthToken string
recordIDs map[string]int
recordIDsMu sync.Mutex
}
// NewDNSProviderDigitalOcean returns a new DNSProviderDigitalOcean instance.
// apiAuthToken is the personal access token created in the DigitalOcean account
// control panel, and it will be sent in bearer authorization headers.
func NewDNSProviderDigitalOcean(apiAuthToken string) (*DNSProviderDigitalOcean, error) {
return &DNSProviderDigitalOcean{
apiAuthToken: apiAuthToken,
recordIDs: make(map[string]int),
}, nil
}
// Present creates a TXT record using the specified parameters
func (d *DNSProviderDigitalOcean) Present(domain, token, keyAuth string) error {
// txtRecordRequest represents the request body to DO's API to make a TXT record
type txtRecordRequest struct {
RecordType string `json:"type"`
Name string `json:"name"`
Data string `json:"data"`
}
// txtRecordResponse represents a response from DO's API after making a TXT record
type txtRecordResponse struct {
DomainRecord struct {
ID int `json:"id"`
Type string `json:"type"`
Name string `json:"name"`
Data string `json:"data"`
} `json:"domain_record"`
}
fqdn, value, _ := DNS01Record(domain, keyAuth)
reqURL := fmt.Sprintf("%s/v2/domains/%s/records", digitalOceanBaseURL, domain)
reqData := txtRecordRequest{RecordType: "TXT", Name: fqdn, Data: value}
body, err := json.Marshal(reqData)
if err != nil {
return err
}
req, err := http.NewRequest("POST", reqURL, bytes.NewReader(body))
if err != nil {
return err
}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", d.apiAuthToken))
var client http.Client
resp, err := client.Do(req)
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode >= 400 {
var errInfo digitalOceanAPIError
json.NewDecoder(resp.Body).Decode(&errInfo)
return fmt.Errorf("HTTP %d: %s: %s", resp.StatusCode, errInfo.ID, errInfo.Message)
}
// Everything looks good; but we'll need the ID later to delete the record
var respData txtRecordResponse
err = json.NewDecoder(resp.Body).Decode(&respData)
if err != nil {
return err
}
d.recordIDsMu.Lock()
d.recordIDs[fqdn] = respData.DomainRecord.ID
d.recordIDsMu.Unlock()
return nil
}
// CleanUp removes the TXT record matching the specified parameters
func (d *DNSProviderDigitalOcean) CleanUp(domain, token, keyAuth string) error {
fqdn, _, _ := DNS01Record(domain, keyAuth)
// get the record's unique ID from when we created it
d.recordIDsMu.Lock()
recordID, ok := d.recordIDs[fqdn]
d.recordIDsMu.Unlock()
if !ok {
return fmt.Errorf("unknown record ID for '%s'", fqdn)
}
reqURL := fmt.Sprintf("%s/v2/domains/%s/records/%d", digitalOceanBaseURL, domain, recordID)
req, err := http.NewRequest("DELETE", reqURL, nil)
if err != nil {
return err
}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", d.apiAuthToken))
var client http.Client
resp, err := client.Do(req)
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode >= 400 {
var errInfo digitalOceanAPIError
json.NewDecoder(resp.Body).Decode(&errInfo)
return fmt.Errorf("HTTP %d: %s: %s", resp.StatusCode, errInfo.ID, errInfo.Message)
}
// Delete record ID from map
d.recordIDsMu.Lock()
delete(d.recordIDs, fqdn)
d.recordIDsMu.Unlock()
return nil
}
type digitalOceanAPIError struct {
ID string `json:"id"`
Message string `json:"message"`
}
var digitalOceanBaseURL = "https://api.digitalocean.com"

View file

@ -0,0 +1,117 @@
package acme
import (
"fmt"
"io/ioutil"
"net/http"
"net/http/httptest"
"testing"
)
var fakeDigitalOceanAuth = "asdf1234"
func TestDigitalOceanPresent(t *testing.T) {
var requestReceived bool
mock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
requestReceived = true
if got, want := r.Method, "POST"; got != want {
t.Errorf("Expected method to be '%s' but got '%s'", want, got)
}
if got, want := r.URL.Path, "/v2/domains/example.com/records"; got != want {
t.Errorf("Expected path to be '%s' but got '%s'", want, got)
}
if got, want := r.Header.Get("Content-Type"), "application/json"; got != want {
t.Errorf("Expected Content-Type to be '%s' but got '%s'", want, got)
}
if got, want := r.Header.Get("Authorization"), "Bearer asdf1234"; got != want {
t.Errorf("Expected Authorization to be '%s' but got '%s'", want, got)
}
reqBody, err := ioutil.ReadAll(r.Body)
if err != nil {
t.Fatalf("Error reading request body: %v", err)
}
if got, want := string(reqBody), `{"type":"TXT","name":"_acme-challenge.example.com.","data":"w6uP8Tcg6K2QR905Rms8iXTlksL6OD1KOWBxTK7wxPI"}`; got != want {
t.Errorf("Expected body data to be: `%s` but got `%s`", want, got)
}
w.WriteHeader(http.StatusCreated)
fmt.Fprintf(w, `{
"domain_record": {
"id": 1234567,
"type": "TXT",
"name": "_acme-challenge",
"data": "w6uP8Tcg6K2QR905Rms8iXTlksL6OD1KOWBxTK7wxPI",
"priority": null,
"port": null,
"weight": null
}
}`)
}))
defer mock.Close()
digitalOceanBaseURL = mock.URL
doprov, err := NewDNSProviderDigitalOcean(fakeDigitalOceanAuth)
if doprov == nil {
t.Fatal("Expected non-nil DigitalOcean provider, but was nil")
}
if err != nil {
t.Fatalf("Expected no error creating provider, but got: %v", err)
}
err = doprov.Present("example.com", "", "foobar")
if err != nil {
t.Fatalf("Expected no error creating TXT record, but got: %v", err)
}
if !requestReceived {
t.Error("Expected request to be received by mock backend, but it wasn't")
}
}
func TestDigitalOceanCleanUp(t *testing.T) {
var requestReceived bool
mock := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
requestReceived = true
if got, want := r.Method, "DELETE"; got != want {
t.Errorf("Expected method to be '%s' but got '%s'", want, got)
}
if got, want := r.URL.Path, "/v2/domains/example.com/records/1234567"; got != want {
t.Errorf("Expected path to be '%s' but got '%s'", want, got)
}
// NOTE: Even though the body is empty, DigitalOcean API docs still show setting this Content-Type...
if got, want := r.Header.Get("Content-Type"), "application/json"; got != want {
t.Errorf("Expected Content-Type to be '%s' but got '%s'", want, got)
}
if got, want := r.Header.Get("Authorization"), "Bearer asdf1234"; got != want {
t.Errorf("Expected Authorization to be '%s' but got '%s'", want, got)
}
w.WriteHeader(http.StatusNoContent)
}))
defer mock.Close()
digitalOceanBaseURL = mock.URL
doprov, err := NewDNSProviderDigitalOcean(fakeDigitalOceanAuth)
if doprov == nil {
t.Fatal("Expected non-nil DigitalOcean provider, but was nil")
}
if err != nil {
t.Fatalf("Expected no error creating provider, but got: %v", err)
}
doprov.recordIDsMu.Lock()
doprov.recordIDs["_acme-challenge.example.com."] = 1234567
doprov.recordIDsMu.Unlock()
err = doprov.CleanUp("example.com", "", "")
if err != nil {
t.Fatalf("Expected no error removing TXT record, but got: %v", err)
}
if !requestReceived {
t.Error("Expected request to be received by mock backend, but it wasn't")
}
}

View file

@ -2,12 +2,13 @@ package acme
import ( import (
"bytes" "bytes"
"github.com/miekg/dns"
"net" "net"
"strings" "strings"
"sync" "sync"
"testing" "testing"
"time" "time"
"github.com/miekg/dns"
) )
var ( var (
@ -38,7 +39,7 @@ func TestRFC2136CanaryLocalTestServer(t *testing.T) {
m.SetQuestion("example.com.", dns.TypeTXT) m.SetQuestion("example.com.", dns.TypeTXT)
r, _, err := c.Exchange(m, addrstr) r, _, err := c.Exchange(m, addrstr)
if err != nil || len(r.Extra) == 0 { if err != nil || len(r.Extra) == 0 {
t.Fatalf("Failed to communicate with test server:", err) t.Fatalf("Failed to communicate with test server: %v", err)
} }
txt := r.Extra[0].(*dns.TXT).Txt[0] txt := r.Extra[0].(*dns.TXT).Txt[0]
if txt != "Hello world" { if txt != "Hello world" {

View file

@ -10,7 +10,7 @@ import (
"strings" "strings"
) )
// UserAgent, if non-empty, will be tacked onto the User-Agent string in requests. // UserAgent (if non-empty) will be tacked onto the User-Agent string in requests.
var UserAgent string var UserAgent string
const ( const (

View file

@ -32,12 +32,12 @@ func (s *httpChallenge) Solve(chlng challenge, domain string) error {
err = s.provider.Present(domain, chlng.Token, keyAuth) err = s.provider.Present(domain, chlng.Token, keyAuth)
if err != nil { if err != nil {
return fmt.Errorf("Error presenting token %s", err) return fmt.Errorf("[%s] error presenting token: %v", domain, err)
} }
defer func() { defer func() {
err := s.provider.CleanUp(domain, chlng.Token, keyAuth) err := s.provider.CleanUp(domain, chlng.Token, keyAuth)
if err != nil { if err != nil {
log.Printf("Error cleaning up %s %v ", domain, err) log.Printf("[%s] error cleaning up: %v", domain, err)
} }
}() }()

View file

@ -33,12 +33,12 @@ func (t *tlsSNIChallenge) Solve(chlng challenge, domain string) error {
err = t.provider.Present(domain, chlng.Token, keyAuth) err = t.provider.Present(domain, chlng.Token, keyAuth)
if err != nil { if err != nil {
return fmt.Errorf("Error presenting token %s", err) return fmt.Errorf("[%s] error presenting token: %v", domain, err)
} }
defer func() { defer func() {
err := t.provider.CleanUp(domain, chlng.Token, keyAuth) err := t.provider.CleanUp(domain, chlng.Token, keyAuth)
if err != nil { if err != nil {
log.Printf("Error cleaning up %s %v ", domain, err) log.Printf("[%s] error cleaning up: %v", domain, err)
} }
}() }()
return t.validate(t.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth}) return t.validate(t.jws, domain, chlng.URI, challenge{Resource: "challenge", Type: chlng.Type, Token: chlng.Token, KeyAuthorization: keyAuth})