forked from TrueCloudLab/lego
a1585a7b9a
* refactor: create log.Infof and log.Warnf * refactor: review DNS providers. - use one `http.Client` by provider instead of one client by request - use the same receiver name `d` for all `DNSProvider` - use `http.MethodXXX` * refactor: logger init.
349 lines
7.4 KiB
Go
349 lines
7.4 KiB
Go
// Package pdns implements a DNS provider for solving the DNS-01
|
|
// challenge using PowerDNS nameserver.
|
|
package pdns
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/xenolf/lego/acme"
|
|
"github.com/xenolf/lego/log"
|
|
"github.com/xenolf/lego/platform/config/env"
|
|
)
|
|
|
|
// DNSProvider is an implementation of the acme.ChallengeProvider interface
|
|
type DNSProvider struct {
|
|
apiKey string
|
|
host *url.URL
|
|
apiVersion int
|
|
client *http.Client
|
|
}
|
|
|
|
// NewDNSProvider returns a DNSProvider instance configured for pdns.
|
|
// Credentials must be passed in the environment variable:
|
|
// PDNS_API_URL and PDNS_API_KEY.
|
|
func NewDNSProvider() (*DNSProvider, error) {
|
|
values, err := env.Get("PDNS_API_KEY", "PDNS_API_URL")
|
|
if err != nil {
|
|
return nil, fmt.Errorf("PDNS: %v", err)
|
|
}
|
|
|
|
hostURL, err := url.Parse(values["PDNS_API_URL"])
|
|
if err != nil {
|
|
return nil, fmt.Errorf("PDNS: %v", err)
|
|
}
|
|
|
|
return NewDNSProviderCredentials(hostURL, values["PDNS_API_KEY"])
|
|
}
|
|
|
|
// NewDNSProviderCredentials uses the supplied credentials to return a
|
|
// DNSProvider instance configured for pdns.
|
|
func NewDNSProviderCredentials(host *url.URL, key string) (*DNSProvider, error) {
|
|
if key == "" {
|
|
return nil, fmt.Errorf("PDNS API key missing")
|
|
}
|
|
|
|
if host == nil || host.Host == "" {
|
|
return nil, fmt.Errorf("PDNS API URL missing")
|
|
}
|
|
|
|
d := &DNSProvider{
|
|
host: host,
|
|
apiKey: key,
|
|
client: &http.Client{Timeout: 30 * time.Second},
|
|
}
|
|
|
|
apiVersion, err := d.getAPIVersion()
|
|
if err != nil {
|
|
log.Warnf("PDNS: failed to get API version %v", err)
|
|
}
|
|
d.apiVersion = apiVersion
|
|
|
|
return d, nil
|
|
}
|
|
|
|
// Timeout returns the timeout and interval to use when checking for DNS
|
|
// propagation. Adjusting here to cope with spikes in propagation times.
|
|
func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
|
|
return 120 * time.Second, 2 * time.Second
|
|
}
|
|
|
|
// Present creates a TXT record to fulfil the dns-01 challenge
|
|
func (d *DNSProvider) Present(domain, token, keyAuth string) error {
|
|
fqdn, value, _ := acme.DNS01Record(domain, keyAuth)
|
|
zone, err := d.getHostedZone(fqdn)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
name := fqdn
|
|
|
|
// pre-v1 API wants non-fqdn
|
|
if d.apiVersion == 0 {
|
|
name = acme.UnFqdn(fqdn)
|
|
}
|
|
|
|
rec := pdnsRecord{
|
|
Content: "\"" + value + "\"",
|
|
Disabled: false,
|
|
|
|
// pre-v1 API
|
|
Type: "TXT",
|
|
Name: name,
|
|
TTL: 120,
|
|
}
|
|
|
|
rrsets := rrSets{
|
|
RRSets: []rrSet{
|
|
{
|
|
Name: name,
|
|
ChangeType: "REPLACE",
|
|
Type: "TXT",
|
|
Kind: "Master",
|
|
TTL: 120,
|
|
Records: []pdnsRecord{rec},
|
|
},
|
|
},
|
|
}
|
|
|
|
body, err := json.Marshal(rrsets)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = d.makeRequest(http.MethodPatch, zone.URL, bytes.NewReader(body))
|
|
return err
|
|
}
|
|
|
|
// CleanUp removes the TXT record matching the specified parameters
|
|
func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
|
|
fqdn, _, _ := acme.DNS01Record(domain, keyAuth)
|
|
|
|
zone, err := d.getHostedZone(fqdn)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
set, err := d.findTxtRecord(fqdn)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
rrsets := rrSets{
|
|
RRSets: []rrSet{
|
|
{
|
|
Name: set.Name,
|
|
Type: set.Type,
|
|
ChangeType: "DELETE",
|
|
},
|
|
},
|
|
}
|
|
body, err := json.Marshal(rrsets)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = d.makeRequest(http.MethodPatch, zone.URL, bytes.NewReader(body))
|
|
return err
|
|
}
|
|
|
|
func (d *DNSProvider) getHostedZone(fqdn string) (*hostedZone, error) {
|
|
var zone hostedZone
|
|
authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
url := "/servers/localhost/zones"
|
|
result, err := d.makeRequest(http.MethodGet, url, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var zones []hostedZone
|
|
err = json.Unmarshal(result, &zones)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
url = ""
|
|
for _, zone := range zones {
|
|
if acme.UnFqdn(zone.Name) == acme.UnFqdn(authZone) {
|
|
url = zone.URL
|
|
}
|
|
}
|
|
|
|
result, err = d.makeRequest(http.MethodGet, url, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
err = json.Unmarshal(result, &zone)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// convert pre-v1 API result
|
|
if len(zone.Records) > 0 {
|
|
zone.RRSets = []rrSet{}
|
|
for _, record := range zone.Records {
|
|
set := rrSet{
|
|
Name: record.Name,
|
|
Type: record.Type,
|
|
Records: []pdnsRecord{record},
|
|
}
|
|
zone.RRSets = append(zone.RRSets, set)
|
|
}
|
|
}
|
|
|
|
return &zone, nil
|
|
}
|
|
|
|
func (d *DNSProvider) findTxtRecord(fqdn string) (*rrSet, error) {
|
|
zone, err := d.getHostedZone(fqdn)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
_, err = d.makeRequest(http.MethodGet, zone.URL, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
for _, set := range zone.RRSets {
|
|
if (set.Name == acme.UnFqdn(fqdn) || set.Name == fqdn) && set.Type == "TXT" {
|
|
return &set, nil
|
|
}
|
|
}
|
|
|
|
return nil, fmt.Errorf("no existing record found for %s", fqdn)
|
|
}
|
|
|
|
func (d *DNSProvider) getAPIVersion() (int, error) {
|
|
type APIVersion struct {
|
|
URL string `json:"url"`
|
|
Version int `json:"version"`
|
|
}
|
|
|
|
result, err := d.makeRequest(http.MethodGet, "/api", nil)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
var versions []APIVersion
|
|
err = json.Unmarshal(result, &versions)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
latestVersion := 0
|
|
for _, v := range versions {
|
|
if v.Version > latestVersion {
|
|
latestVersion = v.Version
|
|
}
|
|
}
|
|
|
|
return latestVersion, err
|
|
}
|
|
|
|
func (d *DNSProvider) makeRequest(method, uri string, body io.Reader) (json.RawMessage, error) {
|
|
type APIError struct {
|
|
Error string `json:"error"`
|
|
}
|
|
|
|
var path = ""
|
|
if d.host.Path != "/" {
|
|
path = d.host.Path
|
|
}
|
|
|
|
if !strings.HasPrefix(uri, "/") {
|
|
uri = "/" + uri
|
|
}
|
|
|
|
if d.apiVersion > 0 && !strings.HasPrefix(uri, "/api/v") {
|
|
uri = "/api/v" + strconv.Itoa(d.apiVersion) + uri
|
|
}
|
|
|
|
url := d.host.Scheme + "://" + d.host.Host + path + uri
|
|
req, err := http.NewRequest(method, url, body)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
req.Header.Set("X-API-Key", d.apiKey)
|
|
|
|
resp, err := d.client.Do(req)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error talking to PDNS API -> %v", err)
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode != http.StatusUnprocessableEntity && (resp.StatusCode < 200 || resp.StatusCode >= 300) {
|
|
return nil, fmt.Errorf("unexpected HTTP status code %d when fetching '%s'", resp.StatusCode, url)
|
|
}
|
|
|
|
var msg json.RawMessage
|
|
err = json.NewDecoder(resp.Body).Decode(&msg)
|
|
switch {
|
|
case err == io.EOF:
|
|
// empty body
|
|
return nil, nil
|
|
case err != nil:
|
|
// other error
|
|
return nil, err
|
|
}
|
|
|
|
// check for PowerDNS error message
|
|
if len(msg) > 0 && msg[0] == '{' {
|
|
var apiError APIError
|
|
err = json.Unmarshal(msg, &apiError)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if apiError.Error != "" {
|
|
return nil, fmt.Errorf("error talking to PDNS API -> %v", apiError.Error)
|
|
}
|
|
}
|
|
return msg, nil
|
|
}
|
|
|
|
type pdnsRecord struct {
|
|
Content string `json:"content"`
|
|
Disabled bool `json:"disabled"`
|
|
|
|
// pre-v1 API
|
|
Name string `json:"name"`
|
|
Type string `json:"type"`
|
|
TTL int `json:"ttl,omitempty"`
|
|
}
|
|
|
|
type hostedZone struct {
|
|
ID string `json:"id"`
|
|
Name string `json:"name"`
|
|
URL string `json:"url"`
|
|
RRSets []rrSet `json:"rrsets"`
|
|
|
|
// pre-v1 API
|
|
Records []pdnsRecord `json:"records"`
|
|
}
|
|
|
|
type rrSet struct {
|
|
Name string `json:"name"`
|
|
Type string `json:"type"`
|
|
Kind string `json:"kind"`
|
|
ChangeType string `json:"changetype"`
|
|
Records []pdnsRecord `json:"records"`
|
|
TTL int `json:"ttl,omitempty"`
|
|
}
|
|
|
|
type rrSets struct {
|
|
RRSets []rrSet `json:"rrsets"`
|
|
}
|