From 58b757cd76acf841d84a7251e33fd60745d9e103 Mon Sep 17 00:00:00 2001 From: Fernandez Ludovic Date: Thu, 8 Nov 2018 18:51:13 +0100 Subject: [PATCH 1/4] feat: add provider httpreq. --- cli.go | 2 + providers/dns/httpreq/httpreq.go | 193 +++++++++++++++++ providers/dns/httpreq/httpreq_test.go | 286 ++++++++++++++++++++++++++ providers/dns/httpreq/readme.md | 33 +++ 4 files changed, 514 insertions(+) create mode 100644 providers/dns/httpreq/httpreq.go create mode 100644 providers/dns/httpreq/httpreq_test.go create mode 100644 providers/dns/httpreq/readme.md diff --git a/cli.go b/cli.go index c39aa762..319d9a7e 100644 --- a/cli.go +++ b/cli.go @@ -226,6 +226,7 @@ Here is an example bash command using the CloudFlare DNS provider: fmt.Fprintln(w, "\tglesys:\tGLESYS_API_USER, GLESYS_API_KEY") fmt.Fprintln(w, "\tgodaddy:\tGODADDY_API_KEY, GODADDY_API_SECRET") fmt.Fprintln(w, "\thostingde:\tHOSTINGDE_API_KEY, HOSTINGDE_ZONE_NAME") + fmt.Fprintln(w, "\thttpreq:\tHTTPREQ_ENDPOINT, HTTPREQ_MODE, HTTPREQ_USERNAME, HTTPREQ_PASSWORD") fmt.Fprintln(w, "\tiij:\tIIJ_API_ACCESS_KEY, IIJ_API_SECRET_KEY, IIJ_DO_SERVICE_CODE") fmt.Fprintln(w, "\tinwx:\tINWX_USERNAME, INWX_PASSWORD") fmt.Fprintln(w, "\tlightsail:\tAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, DNS_ZONE") @@ -275,6 +276,7 @@ Here is an example bash command using the CloudFlare DNS provider: fmt.Fprintln(w, "\tglesys:\tGLESYS_POLLING_INTERVAL, GLESYS_PROPAGATION_TIMEOUT, GLESYS_TTL, GLESYS_HTTP_TIMEOUT") fmt.Fprintln(w, "\tgodaddy:\tGODADDY_POLLING_INTERVAL, GODADDY_PROPAGATION_TIMEOUT, GODADDY_TTL, GODADDY_HTTP_TIMEOUT") fmt.Fprintln(w, "\thostingde:\tHOSTINGDE_POLLING_INTERVAL, HOSTINGDE_PROPAGATION_TIMEOUT, HOSTINGDE_TTL, HOSTINGDE_HTTP_TIMEOUT") + fmt.Fprintln(w, "\thttpreq:\t,HTTPREQ_POLLING_INTERVAL, HTTPREQ_PROPAGATION_TIMEOUT, HTTPREQ_HTTP_TIMEOUT") fmt.Fprintln(w, "\tiij:\tIIJ_POLLING_INTERVAL, IIJ_PROPAGATION_TIMEOUT, IIJ_TTL") fmt.Fprintln(w, "\tinwx:\tINWX_POLLING_INTERVAL, INWX_PROPAGATION_TIMEOUT, INWX_TTL, INWX_SANDBOX") fmt.Fprintln(w, "\tlightsail:\tLIGHTSAIL_POLLING_INTERVAL, LIGHTSAIL_PROPAGATION_TIMEOUT") diff --git a/providers/dns/httpreq/httpreq.go b/providers/dns/httpreq/httpreq.go new file mode 100644 index 00000000..cf957d41 --- /dev/null +++ b/providers/dns/httpreq/httpreq.go @@ -0,0 +1,193 @@ +// Package httpreq implements a DNS provider for solving the DNS-01 challenge through a HTTP server. +package httpreq + +import ( + "bytes" + "encoding/json" + "errors" + "fmt" + "io/ioutil" + "net/http" + "net/url" + "os" + "time" + + "github.com/xenolf/lego/acme" + "github.com/xenolf/lego/platform/config/env" +) + +type message struct { + FQDN string `json:"fqdn"` + Value string `json:"value"` +} + +type messageRaw struct { + Domain string `json:"domain"` + Token string `json:"token"` + KeyAuth string `json:"keyAuth"` +} + +// Config is used to configure the creation of the DNSProvider +type Config struct { + Endpoint *url.URL + Mode string + Username string + Password string + PropagationTimeout time.Duration + PollingInterval time.Duration + HTTPClient *http.Client +} + +// NewDefaultConfig returns a default configuration for the DNSProvider +func NewDefaultConfig() *Config { + return &Config{ + PropagationTimeout: env.GetOrDefaultSecond("HTTPREQ_PROPAGATION_TIMEOUT", acme.DefaultPropagationTimeout), + PollingInterval: env.GetOrDefaultSecond("HTTPREQ_POLLING_INTERVAL", acme.DefaultPollingInterval), + HTTPClient: &http.Client{ + Timeout: env.GetOrDefaultSecond("HTTPREQ_HTTP_TIMEOUT", 30*time.Second), + }, + } +} + +// DNSProvider describes a provider for acme-proxy +type DNSProvider struct { + config *Config +} + +// NewDNSProvider returns a DNSProvider instance. +func NewDNSProvider() (*DNSProvider, error) { + values, err := env.Get("HTTPREQ_ENDPOINT") + if err != nil { + return nil, fmt.Errorf("httpreq: %v", err) + } + + endpoint, err := url.Parse(values["HTTPREQ_ENDPOINT"]) + if err != nil { + return nil, fmt.Errorf("httpreq: %v", err) + } + + config := NewDefaultConfig() + config.Mode = os.Getenv("HTTPREQ_MODE") + config.Username = os.Getenv("HTTPREQ_USERNAME") + config.Password = os.Getenv("HTTPREQ_PASSWORD") + config.Endpoint = endpoint + return NewDNSProviderConfig(config) +} + +// NewDNSProviderConfig return a DNSProvider . +func NewDNSProviderConfig(config *Config) (*DNSProvider, error) { + if config == nil { + return nil, errors.New("httpreq: the configuration of the DNS provider is nil") + } + + if config.Endpoint == nil { + return nil, errors.New("httpreq: the endpoint is missing") + } + + return &DNSProvider{config: config}, nil +} + +// Timeout returns the timeout and interval to use when checking for DNS propagation. +// Adjusting here to cope with spikes in propagation times. +func (d *DNSProvider) Timeout() (timeout, interval time.Duration) { + return d.config.PropagationTimeout, d.config.PollingInterval +} + +// Present creates a TXT record to fulfill the dns-01 challenge +func (d *DNSProvider) Present(domain, token, keyAuth string) error { + if d.config.Mode == "RAW" { + msg := &messageRaw{ + Domain: domain, + Token: token, + KeyAuth: keyAuth, + } + + err := d.doPost("/present", msg) + if err != nil { + return fmt.Errorf("httpreq: %v", err) + } + return nil + } + + fqdn, value, _ := acme.DNS01Record(domain, keyAuth) + msg := &message{ + FQDN: fqdn, + Value: value, + } + + err := d.doPost("/present", msg) + if err != nil { + return fmt.Errorf("httpreq: %v", err) + } + return nil +} + +// CleanUp removes the TXT record matching the specified parameters +func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error { + if d.config.Mode == "RAW" { + msg := &messageRaw{ + Domain: domain, + Token: token, + KeyAuth: keyAuth, + } + + err := d.doPost("/cleanup", msg) + if err != nil { + return fmt.Errorf("httpreq: %v", err) + } + return nil + } + + fqdn, value, _ := acme.DNS01Record(domain, keyAuth) + msg := &message{ + FQDN: fqdn, + Value: value, + } + + err := d.doPost("/cleanup", msg) + if err != nil { + return fmt.Errorf("httpreq: %v", err) + } + return nil +} + +func (d *DNSProvider) doPost(uri string, msg interface{}) error { + reqBody := &bytes.Buffer{} + err := json.NewEncoder(reqBody).Encode(msg) + if err != nil { + return err + } + + endpoint, err := d.config.Endpoint.Parse(uri) + if err != nil { + return err + } + + req, err := http.NewRequest(http.MethodPost, endpoint.String(), reqBody) + if err != nil { + return err + } + + req.Header.Set("Content-Type", "application/json") + + if len(d.config.Username) > 0 && len(d.config.Password) > 0 { + req.SetBasicAuth(d.config.Username, d.config.Password) + } + + resp, err := d.config.HTTPClient.Do(req) + if err != nil { + return err + } + defer resp.Body.Close() + + if resp.StatusCode >= http.StatusBadRequest { + body, err := ioutil.ReadAll(resp.Body) + if err != nil { + return fmt.Errorf("%d: failed to read response body: %v", resp.StatusCode, err) + } + + return fmt.Errorf("%d: request failed: %v", resp.StatusCode, string(body)) + } + + return nil +} diff --git a/providers/dns/httpreq/httpreq_test.go b/providers/dns/httpreq/httpreq_test.go new file mode 100644 index 00000000..cec1d8f3 --- /dev/null +++ b/providers/dns/httpreq/httpreq_test.go @@ -0,0 +1,286 @@ +package httpreq + +import ( + "encoding/json" + "fmt" + "net/http" + "net/http/httptest" + "net/url" + "testing" + + "github.com/stretchr/testify/require" + "github.com/xenolf/lego/platform/tester" +) + +var envTest = tester.NewEnvTest("HTTPREQ_ENDPOINT", "HTTPREQ_MODE", "HTTPREQ_USERNAME", "HTTPREQ_PASSWORD") + +func TestNewDNSProvider(t *testing.T) { + testCases := []struct { + desc string + envVars map[string]string + expected string + }{ + { + desc: "success", + envVars: map[string]string{ + "HTTPREQ_ENDPOINT": "http://localhost:8090", + }, + }, + { + desc: "invalid URL", + envVars: map[string]string{ + "HTTPREQ_ENDPOINT": ":", + }, + expected: "httpreq: parse :: missing protocol scheme", + }, + { + desc: "missing endpoint", + envVars: map[string]string{ + "HTTPREQ_ENDPOINT": "", + }, + expected: "httpreq: some credentials information are missing: HTTPREQ_ENDPOINT", + }, + } + + for _, test := range testCases { + t.Run(test.desc, func(t *testing.T) { + defer envTest.RestoreEnv() + envTest.ClearEnv() + + envTest.Apply(test.envVars) + + p, err := NewDNSProvider() + + if len(test.expected) == 0 { + require.NoError(t, err) + require.NotNil(t, p) + require.NotNil(t, p.config) + } else { + require.EqualError(t, err, test.expected) + } + }) + } +} + +func TestNewDNSProviderConfig(t *testing.T) { + testCases := []struct { + desc string + endpoint *url.URL + expected string + }{ + { + desc: "success", + endpoint: mustParse("http://localhost:8090"), + }, + { + desc: "missing endpoint", + expected: "httpreq: the endpoint is missing", + }, + } + + for _, test := range testCases { + t.Run(test.desc, func(t *testing.T) { + config := NewDefaultConfig() + config.Endpoint = test.endpoint + + p, err := NewDNSProviderConfig(config) + + if len(test.expected) == 0 { + require.NoError(t, err) + require.NotNil(t, p) + require.NotNil(t, p.config) + } else { + require.EqualError(t, err, test.expected) + } + }) + } +} + +func TestNewDNSProvider_Present(t *testing.T) { + envTest.RestoreEnv() + + testCases := []struct { + desc string + mode string + username string + password string + handler http.HandlerFunc + expectedError string + }{ + { + desc: "success", + handler: successHandler, + }, + { + desc: "error", + handler: http.NotFound, + expectedError: "httpreq: 404: request failed: 404 page not found\n", + }, + { + desc: "success raw mode", + mode: "RAW", + handler: successRawModeHandler, + }, + { + desc: "error raw mode", + mode: "RAW", + handler: http.NotFound, + expectedError: "httpreq: 404: request failed: 404 page not found\n", + }, + { + desc: "basic auth", + username: "bar", + password: "foo", + handler: func(rw http.ResponseWriter, req *http.Request) { + username, password, ok := req.BasicAuth() + if username != "bar" || password != "foo" || !ok { + http.Error(rw, "invalid credentials", http.StatusUnauthorized) + return + } + + fmt.Fprint(rw, "lego") + }, + }, + } + + for _, test := range testCases { + test := test + t.Run(test.desc, func(t *testing.T) { + t.Parallel() + + mux := http.NewServeMux() + mux.HandleFunc("/present", test.handler) + server := httptest.NewServer(mux) + + config := NewDefaultConfig() + config.Endpoint = mustParse(server.URL) + config.Mode = test.mode + config.Username = test.username + config.Password = test.password + + p, err := NewDNSProviderConfig(config) + require.NoError(t, err) + + err = p.Present("domain", "token", "key") + if test.expectedError == "" { + require.NoError(t, err) + } else { + require.EqualError(t, err, test.expectedError) + } + }) + } +} + +func TestNewDNSProvider_Cleanup(t *testing.T) { + envTest.RestoreEnv() + + testCases := []struct { + desc string + mode string + username string + password string + handler http.HandlerFunc + expectedError string + }{ + { + desc: "success", + handler: successHandler, + }, + { + desc: "error", + handler: http.NotFound, + expectedError: "httpreq: 404: request failed: 404 page not found\n", + }, + { + desc: "success raw mode", + mode: "RAW", + handler: successRawModeHandler, + }, + { + desc: "error raw mode", + mode: "RAW", + handler: http.NotFound, + expectedError: "httpreq: 404: request failed: 404 page not found\n", + }, + { + desc: "basic auth", + username: "bar", + password: "foo", + handler: func(rw http.ResponseWriter, req *http.Request) { + username, password, ok := req.BasicAuth() + if username != "bar" || password != "foo" || !ok { + http.Error(rw, "invalid credentials", http.StatusUnauthorized) + return + } + fmt.Fprint(rw, "lego") + }, + }, + } + + for _, test := range testCases { + test := test + t.Run(test.desc, func(t *testing.T) { + t.Parallel() + + mux := http.NewServeMux() + mux.HandleFunc("/cleanup", test.handler) + server := httptest.NewServer(mux) + + config := NewDefaultConfig() + config.Endpoint = mustParse(server.URL) + config.Mode = test.mode + config.Username = test.username + config.Password = test.password + + p, err := NewDNSProviderConfig(config) + require.NoError(t, err) + + err = p.CleanUp("domain", "token", "key") + if test.expectedError == "" { + require.NoError(t, err) + } else { + require.EqualError(t, err, test.expectedError) + } + }) + } +} + +func successHandler(rw http.ResponseWriter, req *http.Request) { + if req.Method != http.MethodPost { + http.Error(rw, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed) + return + } + + msg := &message{} + err := json.NewDecoder(req.Body).Decode(msg) + if err != nil { + http.Error(rw, err.Error(), http.StatusBadRequest) + return + } + + fmt.Fprint(rw, "lego") +} + +func successRawModeHandler(rw http.ResponseWriter, req *http.Request) { + if req.Method != http.MethodPost { + http.Error(rw, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed) + return + } + + msg := &messageRaw{} + err := json.NewDecoder(req.Body).Decode(msg) + if err != nil { + http.Error(rw, err.Error(), http.StatusBadRequest) + return + } + + fmt.Fprint(rw, "lego") +} + +func mustParse(rawURL string) *url.URL { + uri, err := url.Parse(rawURL) + if err != nil { + panic(err) + } + return uri +} diff --git a/providers/dns/httpreq/readme.md b/providers/dns/httpreq/readme.md new file mode 100644 index 00000000..4ee15a20 --- /dev/null +++ b/providers/dns/httpreq/readme.md @@ -0,0 +1,33 @@ +# HTTP request + +The server must provide: +- `POST` `/present` +- `POST` `/client` + +The URL of the server must be define by `HTTPREQ_ENDPOINT`. + +## Mode + +There are 2 modes (`HTTPREQ_MODE`): +- default mode: +```json +{ + "fqdn": "_acme-challenge.domain.", + "value": "LHDhK3oGRvkiefQnx7OOczTY5Tic_xZ6HcMOc_gmtoM" +} +``` + +- `RAW` +```json +{ + "domain": "domain", + "token": "token", + "keyAuth": "key" +} +``` + +## Authentication + +Basic authentication (optional) can be set with some environment variables: +- `HTTPREQ_USERNAME` and `HTTPREQ_PASSWORD` +- both values must be set, otherwise basic authentication is not defined. From bba525fbce4aeb3519b03b49bc2eb5a772772d4d Mon Sep 17 00:00:00 2001 From: Fernandez Ludovic Date: Thu, 8 Nov 2018 23:39:19 +0100 Subject: [PATCH 2/4] doc: fix readme. --- providers/dns/httpreq/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/providers/dns/httpreq/readme.md b/providers/dns/httpreq/readme.md index 4ee15a20..51bc9a0b 100644 --- a/providers/dns/httpreq/readme.md +++ b/providers/dns/httpreq/readme.md @@ -2,7 +2,7 @@ The server must provide: - `POST` `/present` -- `POST` `/client` +- `POST` `/cleanup` The URL of the server must be define by `HTTPREQ_ENDPOINT`. From 265e523138eb6ee14fc0d58b7f22f916498e7391 Mon Sep 17 00:00:00 2001 From: Fernandez Ludovic Date: Fri, 9 Nov 2018 01:32:09 +0100 Subject: [PATCH 3/4] refactor: add realm because it's fun. --- providers/dns/httpreq/httpreq_test.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/providers/dns/httpreq/httpreq_test.go b/providers/dns/httpreq/httpreq_test.go index cec1d8f3..7b64d297 100644 --- a/providers/dns/httpreq/httpreq_test.go +++ b/providers/dns/httpreq/httpreq_test.go @@ -134,7 +134,8 @@ func TestNewDNSProvider_Present(t *testing.T) { handler: func(rw http.ResponseWriter, req *http.Request) { username, password, ok := req.BasicAuth() if username != "bar" || password != "foo" || !ok { - http.Error(rw, "invalid credentials", http.StatusUnauthorized) + rw.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm="%s"`, "Please enter your username and password.")) + http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) return } @@ -209,7 +210,8 @@ func TestNewDNSProvider_Cleanup(t *testing.T) { handler: func(rw http.ResponseWriter, req *http.Request) { username, password, ok := req.BasicAuth() if username != "bar" || password != "foo" || !ok { - http.Error(rw, "invalid credentials", http.StatusUnauthorized) + rw.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm="%s"`, "Please enter your username and password.")) + http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) return } fmt.Fprint(rw, "lego") From eb04d860c4ab3e3a079cad07aaa392c5449b91a4 Mon Sep 17 00:00:00 2001 From: Fernandez Ludovic Date: Fri, 9 Nov 2018 01:53:21 +0100 Subject: [PATCH 4/4] feat: add to list. --- providers/dns/dns_providers.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/providers/dns/dns_providers.go b/providers/dns/dns_providers.go index 7002effb..604137d5 100644 --- a/providers/dns/dns_providers.go +++ b/providers/dns/dns_providers.go @@ -28,6 +28,7 @@ import ( "github.com/xenolf/lego/providers/dns/glesys" "github.com/xenolf/lego/providers/dns/godaddy" "github.com/xenolf/lego/providers/dns/hostingde" + "github.com/xenolf/lego/providers/dns/httpreq" "github.com/xenolf/lego/providers/dns/iij" "github.com/xenolf/lego/providers/dns/inwx" "github.com/xenolf/lego/providers/dns/lightsail" @@ -105,6 +106,8 @@ func NewDNSChallengeProviderByName(name string) (acme.ChallengeProvider, error) return godaddy.NewDNSProvider() case "hostingde": return hostingde.NewDNSProvider() + case "httpreq": + return httpreq.NewDNSProvider() case "iij": return iij.NewDNSProvider() case "inwx":