forked from TrueCloudLab/lego
376 lines
8.7 KiB
Go
376 lines
8.7 KiB
Go
// Package otc implements a DNS provider for solving the DNS-01 challenge
|
|
// using Open Telekom Cloud Managed DNS.
|
|
package otc
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/xenolf/lego/acme"
|
|
)
|
|
|
|
// DNSProvider is an implementation of the acme.ChallengeProvider interface that uses
|
|
// OTC's Managed DNS API to manage TXT records for a domain.
|
|
type DNSProvider struct {
|
|
identityEndpoint string
|
|
otcBaseURL string
|
|
domainName string
|
|
projectName string
|
|
userName string
|
|
password string
|
|
token string
|
|
}
|
|
|
|
// NewDNSProvider returns a DNSProvider instance configured for OTC DNS.
|
|
// Credentials must be passed in the environment variables: OTC_USER_NAME,
|
|
// OTC_DOMAIN_NAME, OTC_PASSWORD OTC_PROJECT_NAME and OTC_IDENTITY_ENDPOINT.
|
|
func NewDNSProvider() (*DNSProvider, error) {
|
|
domainName := os.Getenv("OTC_DOMAIN_NAME")
|
|
userName := os.Getenv("OTC_USER_NAME")
|
|
password := os.Getenv("OTC_PASSWORD")
|
|
projectName := os.Getenv("OTC_PROJECT_NAME")
|
|
identityEndpoint := os.Getenv("OTC_IDENTITY_ENDPOINT")
|
|
return NewDNSProviderCredentials(domainName, userName, password, projectName, identityEndpoint)
|
|
}
|
|
|
|
// NewDNSProviderCredentials uses the supplied credentials to return a
|
|
// DNSProvider instance configured for OTC DNS.
|
|
func NewDNSProviderCredentials(domainName, userName, password, projectName, identityEndpoint string) (*DNSProvider, error) {
|
|
if domainName == "" || userName == "" || password == "" || projectName == "" {
|
|
return nil, fmt.Errorf("OTC credentials missing")
|
|
}
|
|
|
|
if identityEndpoint == "" {
|
|
identityEndpoint = "https://iam.eu-de.otc.t-systems.com:443/v3/auth/tokens"
|
|
}
|
|
|
|
return &DNSProvider{
|
|
identityEndpoint: identityEndpoint,
|
|
domainName: domainName,
|
|
userName: userName,
|
|
password: password,
|
|
projectName: projectName,
|
|
}, nil
|
|
}
|
|
|
|
// SendRequest send request
|
|
func (d *DNSProvider) SendRequest(method, resource string, payload interface{}) (io.Reader, error) {
|
|
url := fmt.Sprintf("%s/%s", d.otcBaseURL, resource)
|
|
|
|
body, err := json.Marshal(payload)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
req, err := http.NewRequest(method, url, bytes.NewReader(body))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
req.Header.Set("Content-Type", "application/json")
|
|
if len(d.token) > 0 {
|
|
req.Header.Set("X-Auth-Token", d.token)
|
|
}
|
|
|
|
// Workaround for keep alive bug in otc api
|
|
tr := http.DefaultTransport.(*http.Transport)
|
|
tr.DisableKeepAlives = true
|
|
|
|
client := &http.Client{
|
|
Timeout: 10 * time.Second,
|
|
Transport: tr,
|
|
}
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode >= 400 {
|
|
return nil, fmt.Errorf("OTC API request %s failed with HTTP status code %d", url, resp.StatusCode)
|
|
}
|
|
|
|
body1, err := ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return bytes.NewReader(body1), nil
|
|
}
|
|
|
|
func (d *DNSProvider) loginRequest() error {
|
|
type nameResponse struct {
|
|
Name string `json:"name"`
|
|
}
|
|
|
|
type userResponse struct {
|
|
Name string `json:"name"`
|
|
Password string `json:"password"`
|
|
Domain nameResponse `json:"domain"`
|
|
}
|
|
|
|
type passwordResponse struct {
|
|
User userResponse `json:"user"`
|
|
}
|
|
type identityResponse struct {
|
|
Methods []string `json:"methods"`
|
|
Password passwordResponse `json:"password"`
|
|
}
|
|
|
|
type scopeResponse struct {
|
|
Project nameResponse `json:"project"`
|
|
}
|
|
|
|
type authResponse struct {
|
|
Identity identityResponse `json:"identity"`
|
|
Scope scopeResponse `json:"scope"`
|
|
}
|
|
|
|
type loginResponse struct {
|
|
Auth authResponse `json:"auth"`
|
|
}
|
|
|
|
userResp := userResponse{
|
|
Name: d.userName,
|
|
Password: d.password,
|
|
Domain: nameResponse{
|
|
Name: d.domainName,
|
|
},
|
|
}
|
|
|
|
loginResp := loginResponse{
|
|
Auth: authResponse{
|
|
Identity: identityResponse{
|
|
Methods: []string{"password"},
|
|
Password: passwordResponse{
|
|
User: userResp,
|
|
},
|
|
},
|
|
Scope: scopeResponse{
|
|
Project: nameResponse{
|
|
Name: d.projectName,
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
body, err := json.Marshal(loginResp)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
req, err := http.NewRequest("POST", d.identityEndpoint, bytes.NewReader(body))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
req.Header.Set("Content-Type", "application/json")
|
|
|
|
client := &http.Client{Timeout: 10 * time.Second}
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode >= 400 {
|
|
return fmt.Errorf("OTC API request failed with HTTP status code %d", resp.StatusCode)
|
|
}
|
|
|
|
d.token = resp.Header.Get("X-Subject-Token")
|
|
|
|
if d.token == "" {
|
|
return fmt.Errorf("unable to get auth token")
|
|
}
|
|
|
|
type endpointResponse struct {
|
|
Token struct {
|
|
Catalog []struct {
|
|
Type string `json:"type"`
|
|
Endpoints []struct {
|
|
URL string `json:"url"`
|
|
} `json:"endpoints"`
|
|
} `json:"catalog"`
|
|
} `json:"token"`
|
|
}
|
|
var endpointResp endpointResponse
|
|
|
|
err = json.NewDecoder(resp.Body).Decode(&endpointResp)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
for _, v := range endpointResp.Token.Catalog {
|
|
if v.Type == "dns" {
|
|
for _, endpoint := range v.Endpoints {
|
|
d.otcBaseURL = fmt.Sprintf("%s/v2", endpoint.URL)
|
|
continue
|
|
}
|
|
}
|
|
}
|
|
|
|
if d.otcBaseURL == "" {
|
|
return fmt.Errorf("unable to get dns endpoint")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Starts a new OTC API Session. Authenticates using userName, password
|
|
// and receives a token to be used in for subsequent requests.
|
|
func (d *DNSProvider) login() error {
|
|
return d.loginRequest()
|
|
}
|
|
|
|
func (d *DNSProvider) getZoneID(zone string) (string, error) {
|
|
type zoneItem struct {
|
|
ID string `json:"id"`
|
|
}
|
|
|
|
type zonesResponse struct {
|
|
Zones []zoneItem `json:"zones"`
|
|
}
|
|
|
|
resource := fmt.Sprintf("zones?name=%s", zone)
|
|
resp, err := d.SendRequest("GET", resource, nil)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
var zonesRes zonesResponse
|
|
err = json.NewDecoder(resp).Decode(&zonesRes)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
if len(zonesRes.Zones) < 1 {
|
|
return "", fmt.Errorf("zone %s not found", zone)
|
|
}
|
|
|
|
if len(zonesRes.Zones) > 1 {
|
|
return "", fmt.Errorf("to many zones found")
|
|
}
|
|
|
|
if zonesRes.Zones[0].ID == "" {
|
|
return "", fmt.Errorf("id not found")
|
|
}
|
|
|
|
return zonesRes.Zones[0].ID, nil
|
|
}
|
|
|
|
func (d *DNSProvider) getRecordSetID(zoneID string, fqdn string) (string, error) {
|
|
type recordSet struct {
|
|
ID string `json:"id"`
|
|
}
|
|
|
|
type recordSetsResponse struct {
|
|
RecordSets []recordSet `json:"recordsets"`
|
|
}
|
|
|
|
resource := fmt.Sprintf("zones/%s/recordsets?type=TXT&name=%s", zoneID, fqdn)
|
|
resp, err := d.SendRequest("GET", resource, nil)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
var recordSetsRes recordSetsResponse
|
|
err = json.NewDecoder(resp).Decode(&recordSetsRes)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
if len(recordSetsRes.RecordSets) < 1 {
|
|
return "", fmt.Errorf("record not found")
|
|
}
|
|
|
|
if len(recordSetsRes.RecordSets) > 1 {
|
|
return "", fmt.Errorf("to many records found")
|
|
}
|
|
|
|
if recordSetsRes.RecordSets[0].ID == "" {
|
|
return "", fmt.Errorf("id not found")
|
|
}
|
|
|
|
return recordSetsRes.RecordSets[0].ID, nil
|
|
}
|
|
|
|
func (d *DNSProvider) deleteRecordSet(zoneID, recordID string) error {
|
|
resource := fmt.Sprintf("zones/%s/recordsets/%s", zoneID, recordID)
|
|
|
|
_, err := d.SendRequest("DELETE", resource, nil)
|
|
return err
|
|
}
|
|
|
|
// Present creates a TXT record using the specified parameters
|
|
func (d *DNSProvider) Present(domain, token, keyAuth string) error {
|
|
fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)
|
|
|
|
if ttl < 300 {
|
|
ttl = 300 // 300 is otc minimum value for ttl
|
|
}
|
|
|
|
authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = d.login()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
zoneID, err := d.getZoneID(authZone)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to get zone: %s", err)
|
|
}
|
|
|
|
resource := fmt.Sprintf("zones/%s/recordsets", zoneID)
|
|
|
|
type recordset struct {
|
|
Name string `json:"name"`
|
|
Description string `json:"description"`
|
|
Type string `json:"type"`
|
|
TTL int `json:"ttl"`
|
|
Records []string `json:"records"`
|
|
}
|
|
|
|
r1 := &recordset{
|
|
Name: fqdn,
|
|
Description: "Added TXT record for ACME dns-01 challenge using lego client",
|
|
Type: "TXT",
|
|
TTL: ttl,
|
|
Records: []string{fmt.Sprintf("\"%s\"", value)},
|
|
}
|
|
_, err = d.SendRequest("POST", resource, r1)
|
|
return err
|
|
}
|
|
|
|
// CleanUp removes the TXT record matching the specified parameters
|
|
func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
|
|
fqdn, _, _ := acme.DNS01Record(domain, keyAuth)
|
|
|
|
authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = d.login()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
zoneID, err := d.getZoneID(authZone)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
recordID, err := d.getRecordSetID(zoneID, fqdn)
|
|
if err != nil {
|
|
return fmt.Errorf("unable go get record %s for zone %s: %s", fqdn, domain, err)
|
|
}
|
|
|
|
return d.deleteRecordSet(zoneID, recordID)
|
|
}
|