diff --git a/cli.go b/cli.go index ae8354b5..2518d2e8 100644 --- a/cli.go +++ b/cli.go @@ -221,6 +221,7 @@ Here is an example bash command using the CloudFlare DNS provider: fmt.Fprintln(w, "\tovh:\tOVH_ENDPOINT, OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY") fmt.Fprintln(w, "\tpdns:\tPDNS_API_KEY, PDNS_API_URL") fmt.Fprintln(w, "\tdnspod:\tDNSPOD_API_KEY") + fmt.Fprintln(w, "\totc:\tOTC_USER_NAME, OTC_PASSWORD, OTC_PROJECT_NAME, OTC_DOMAIN_NAME, OTC_IDENTITY_ENDPOINT") w.Flush() fmt.Println(` diff --git a/providers/dns/dns_providers.go b/providers/dns/dns_providers.go index af6c02cc..94c8879b 100644 --- a/providers/dns/dns_providers.go +++ b/providers/dns/dns_providers.go @@ -19,6 +19,7 @@ import ( "github.com/xenolf/lego/providers/dns/linode" "github.com/xenolf/lego/providers/dns/namecheap" "github.com/xenolf/lego/providers/dns/ns1" + "github.com/xenolf/lego/providers/dns/otc" "github.com/xenolf/lego/providers/dns/ovh" "github.com/xenolf/lego/providers/dns/pdns" "github.com/xenolf/lego/providers/dns/rackspace" @@ -73,6 +74,8 @@ func NewDNSChallengeProviderByName(name string) (acme.ChallengeProvider, error) provider, err = pdns.NewDNSProvider() case "ns1": provider, err = ns1.NewDNSProvider() + case "otc": + provider, err = otc.NewDNSProvider() default: err = fmt.Errorf("Unrecognised DNS provider: %s", name) } diff --git a/providers/dns/otc/mock.go b/providers/dns/otc/mock.go new file mode 100644 index 00000000..0f2acb4b --- /dev/null +++ b/providers/dns/otc/mock.go @@ -0,0 +1,152 @@ +package otc + +import ( + "fmt" + "github.com/stretchr/testify/assert" + "io/ioutil" + "net/http" + "net/http/httptest" + "testing" +) + +var fakeOTCUserName = "test" +var fakeOTCPassword = "test" +var fakeOTCDomainName = "test" +var fakeOTCProjectName = "test" +var fakeOTCToken = "62244bc21da68d03ebac94e6636ff01f" + +type DNSMock struct { + t *testing.T + Server *httptest.Server + Mux *http.ServeMux +} + +func NewDNSMock(t *testing.T) *DNSMock { + return &DNSMock{ + t: t, + } +} + +// Setup creates the mock server +func (m *DNSMock) Setup() { + m.Mux = http.NewServeMux() + m.Server = httptest.NewServer(m.Mux) +} + +// ShutdownServer creates the mock server +func (m *DNSMock) ShutdownServer() { + m.Server.Close() +} + +func (m *DNSMock) HandleAuthSuccessfully() { + m.Mux.HandleFunc("/v3/auth/token", func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("X-Subject-Token", fakeOTCToken) + + fmt.Fprintf(w, `{ + "token": { + "catalog": [ + { + "type": "dns", + "id": "56cd81db1f8445d98652479afe07c5ba", + "name": "", + "endpoints": [ + { + "url": "%s", + "region": "eu-de", + "region_id": "eu-de", + "interface": "public", + "id": "0047a06690484d86afe04877074efddf" + } + ] + } + ] + }}`, m.Server.URL) + }) +} + +func (m *DNSMock) HandleListZonesSuccessfully() { + m.Mux.HandleFunc("/v2/zones", func(w http.ResponseWriter, r *http.Request) { + fmt.Fprintf(w, `{ + "zones":[{ + "id":"123123" + }]} + `) + + assert.Equal(m.t, r.Method, "GET") + assert.Equal(m.t, r.URL.Path, "/v2/zones") + assert.Equal(m.t, r.URL.RawQuery, "name=example.com.") + assert.Equal(m.t, r.Header.Get("Content-Type"), "application/json") + }) +} + +func (m *DNSMock) HandleListZonesEmpty() { + m.Mux.HandleFunc("/v2/zones", func(w http.ResponseWriter, r *http.Request) { + fmt.Fprintf(w, `{ + "zones":[ + ]} + `) + + assert.Equal(m.t, r.Method, "GET") + assert.Equal(m.t, r.URL.Path, "/v2/zones") + assert.Equal(m.t, r.URL.RawQuery, "name=example.com.") + assert.Equal(m.t, r.Header.Get("Content-Type"), "application/json") + }) +} + +func (m *DNSMock) HandleDeleteRecordsetsSuccessfully() { + m.Mux.HandleFunc("/v2/zones/123123/recordsets/321321", func(w http.ResponseWriter, r *http.Request) { + fmt.Fprintf(w, `{ + "zones":[{ + "id":"123123" + }]} + `) + + assert.Equal(m.t, r.Method, "DELETE") + assert.Equal(m.t, r.URL.Path, "/v2/zones/123123/recordsets/321321") + assert.Equal(m.t, r.Header.Get("Content-Type"), "application/json") + }) +} + +func (m *DNSMock) HandleListRecordsetsEmpty() { + m.Mux.HandleFunc("/v2/zones/123123/recordsets", func(w http.ResponseWriter, r *http.Request) { + fmt.Fprintf(w, `{ + "recordsets":[ + ]} + `) + + assert.Equal(m.t, r.URL.Path, "/v2/zones/123123/recordsets") + assert.Equal(m.t, r.URL.RawQuery, "type=TXT&name=_acme-challenge.example.com.") + }) +} +func (m *DNSMock) HandleListRecordsetsSuccessfully() { + m.Mux.HandleFunc("/v2/zones/123123/recordsets", func(w http.ResponseWriter, r *http.Request) { + if r.Method == "GET" { + fmt.Fprintf(w, `{ + "recordsets":[{ + "id":"321321" + }]} + `) + + assert.Equal(m.t, r.URL.Path, "/v2/zones/123123/recordsets") + assert.Equal(m.t, r.URL.RawQuery, "type=TXT&name=_acme-challenge.example.com.") + + } else if r.Method == "POST" { + body, err := ioutil.ReadAll(r.Body) + + assert.Nil(m.t, err) + exceptedString := "{\"name\":\"_acme-challenge.example.com.\",\"description\":\"Added TXT record for ACME dns-01 challenge using lego client\",\"type\":\"TXT\",\"ttl\":300,\"records\":[\"\\\"w6uP8Tcg6K2QR905Rms8iXTlksL6OD1KOWBxTK7wxPI\\\"\"]}" + assert.Equal(m.t, string(body), exceptedString) + + fmt.Fprintf(w, `{ + "recordsets":[{ + "id":"321321" + }]} + `) + + } else { + m.t.Errorf("Expected method to be 'GET' or 'POST' but got '%s'", r.Method) + } + + assert.Equal(m.t, r.Header.Get("Content-Type"), "application/json") + }) +} diff --git a/providers/dns/otc/otc.go b/providers/dns/otc/otc.go new file mode 100644 index 00000000..86bcaa9b --- /dev/null +++ b/providers/dns/otc/otc.go @@ -0,0 +1,388 @@ +// Package otc implements a DNS provider for solving the DNS-01 challenge +// using Open Telekom Cloud Managed DNS. +package otc + +import ( + "bytes" + "encoding/json" + "fmt" + "io" + "io/ioutil" + "net/http" + "os" + "time" + + "github.com/xenolf/lego/acme" +) + +// DNSProvider is an implementation of the acme.ChallengeProvider interface that uses +// OTC's Managed DNS API to manage TXT records for a domain. +type DNSProvider struct { + identityEndpoint string + otcBaseURL string + domainName string + projectName string + userName string + password string + token string +} + +// NewDNSProvider returns a DNSProvider instance configured for OTC DNS. +// Credentials must be passed in the environment variables: OTC_USER_NAME, +// OTC_DOMAIN_NAME, OTC_PASSWORD OTC_PROJECT_NAME and OTC_IDENTITY_ENDPOINT. +func NewDNSProvider() (*DNSProvider, error) { + domainName := os.Getenv("OTC_DOMAIN_NAME") + userName := os.Getenv("OTC_USER_NAME") + password := os.Getenv("OTC_PASSWORD") + projectName := os.Getenv("OTC_PROJECT_NAME") + identityEndpoint := os.Getenv("OTC_IDENTITY_ENDPOINT") + return NewDNSProviderCredentials(domainName, userName, password, projectName, identityEndpoint) +} + +// NewDNSProviderCredentials uses the supplied credentials to return a +// DNSProvider instance configured for OTC DNS. +func NewDNSProviderCredentials(domainName, userName, password, projectName, identityEndpoint string) (*DNSProvider, error) { + if domainName == "" || userName == "" || password == "" || projectName == "" { + return nil, fmt.Errorf("OTC credentials missing") + } + + if identityEndpoint == "" { + identityEndpoint = "https://iam.eu-de.otc.t-systems.com:443/v3/auth/tokens" + } + + return &DNSProvider{ + identityEndpoint: identityEndpoint, + domainName: domainName, + userName: userName, + password: password, + projectName: projectName, + }, nil +} + +func (d *DNSProvider) SendRequest(method, resource string, payload interface{}) (io.Reader, error) { + url := fmt.Sprintf("%s/%s", d.otcBaseURL, resource) + + body, err := json.Marshal(payload) + if err != nil { + return nil, err + } + + req, err := http.NewRequest(method, url, bytes.NewReader(body)) + if err != nil { + return nil, err + } + req.Header.Set("Content-Type", "application/json") + if len(d.token) > 0 { + req.Header.Set("X-Auth-Token", d.token) + } + + // Workaround for keep alive bug in otc api + tr := http.DefaultTransport.(*http.Transport) + tr.DisableKeepAlives = true + + client := &http.Client{ + Timeout: time.Duration(10 * time.Second), + Transport: tr, + } + resp, err := client.Do(req) + if err != nil { + return nil, err + } + defer resp.Body.Close() + + if resp.StatusCode >= 400 { + return nil, fmt.Errorf("OTC API request %s failed with HTTP status code %d", url, resp.StatusCode) + } + + body1, err := ioutil.ReadAll(resp.Body) + if err != nil { + return nil, err + } + + return bytes.NewReader(body1), nil +} + +func (d *DNSProvider) loginRequest() error { + type nameResponse struct { + Name string `json:"name"` + } + + type userResponse struct { + Name string `json:"name"` + Password string `json:"password"` + Domain nameResponse `json:"domain"` + } + + type passwordResponse struct { + User userResponse `json:"user"` + } + type identityResponse struct { + Methods []string `json:"methods"` + Password passwordResponse `json:"password"` + } + + type scopeResponse struct { + Project nameResponse `json:"project"` + } + + type authResponse struct { + Identity identityResponse `json:"identity"` + Scope scopeResponse `json:"scope"` + } + + type loginResponse struct { + Auth authResponse `json:"auth"` + } + + userResp := userResponse{ + Name: d.userName, + Password: d.password, + Domain: nameResponse{ + Name: d.domainName, + }, + } + + loginResp := loginResponse{ + Auth: authResponse{ + Identity: identityResponse{ + Methods: []string{"password"}, + Password: passwordResponse{ + User: userResp, + }, + }, + Scope: scopeResponse{ + Project: nameResponse{ + Name: d.projectName, + }, + }, + }, + } + + body, err := json.Marshal(loginResp) + if err != nil { + return err + } + req, err := http.NewRequest("POST", d.identityEndpoint, bytes.NewReader(body)) + if err != nil { + return err + } + req.Header.Set("Content-Type", "application/json") + + client := &http.Client{Timeout: time.Duration(10 * time.Second)} + resp, err := client.Do(req) + if err != nil { + return err + } + defer resp.Body.Close() + + if resp.StatusCode >= 400 { + return fmt.Errorf("OTC API request failed with HTTP status code %d", resp.StatusCode) + } + + d.token = resp.Header.Get("X-Subject-Token") + + if d.token == "" { + return fmt.Errorf("unable to get auth token") + } + + type endpointResponse struct { + Token struct { + Catalog []struct { + Type string `json:"type"` + Endpoints []struct { + URL string `json:"url"` + } `json:"endpoints"` + } `json:"catalog"` + } `json:"token"` + } + var endpointResp endpointResponse + + err = json.NewDecoder(resp.Body).Decode(&endpointResp) + if err != nil { + return err + } + + for _, v := range endpointResp.Token.Catalog { + if v.Type == "dns" { + for _, endpoint := range v.Endpoints { + d.otcBaseURL = fmt.Sprintf("%s/v2", endpoint.URL) + continue + } + } + } + + if d.otcBaseURL == "" { + return fmt.Errorf("unable to get dns endpoint") + } + + return nil +} + +// Starts a new OTC API Session. Authenticates using userName, password +// and receives a token to be used in for subsequent requests. +func (d *DNSProvider) login() error { + err := d.loginRequest() + if err != nil { + return err + } + + return nil +} + +func (d *DNSProvider) getZoneID(zone string) (string, error) { + type zoneItem struct { + ID string `json:"id"` + } + + type zonesResponse struct { + Zones []zoneItem `json:"zones"` + } + + resource := fmt.Sprintf("zones?name=%s", zone) + resp, err := d.SendRequest("GET", resource, nil) + if err != nil { + return "", err + } + + var zonesRes zonesResponse + err = json.NewDecoder(resp).Decode(&zonesRes) + if err != nil { + return "", err + } + + if len(zonesRes.Zones) < 1 { + return "", fmt.Errorf("zone %s not found", zone) + } + + if len(zonesRes.Zones) > 1 { + return "", fmt.Errorf("to many zones found") + } + + if zonesRes.Zones[0].ID == "" { + return "", fmt.Errorf("id not found") + } + + return zonesRes.Zones[0].ID, nil +} + +func (d *DNSProvider) getRecordSetID(zoneID string, fqdn string) (string, error) { + type recordSet struct { + ID string `json:"id"` + } + + type recordSetsResponse struct { + RecordSets []recordSet `json:"recordsets"` + } + + resource := fmt.Sprintf("zones/%s/recordsets?type=TXT&name=%s", zoneID, fqdn) + resp, err := d.SendRequest("GET", resource, nil) + if err != nil { + return "", err + } + + var recordSetsRes recordSetsResponse + err = json.NewDecoder(resp).Decode(&recordSetsRes) + if err != nil { + return "", err + } + + if len(recordSetsRes.RecordSets) < 1 { + return "", fmt.Errorf("record not found") + } + + if len(recordSetsRes.RecordSets) > 1 { + return "", fmt.Errorf("to many records found") + } + + if recordSetsRes.RecordSets[0].ID == "" { + return "", fmt.Errorf("id not found") + } + + return recordSetsRes.RecordSets[0].ID, nil +} + +func (d *DNSProvider) deleteRecordSet(zoneID, recordID string) error { + resource := fmt.Sprintf("zones/%s/recordsets/%s", zoneID, recordID) + + _, err := d.SendRequest("DELETE", resource, nil) + if err != nil { + return err + } + return nil +} + +// Present creates a TXT record using the specified parameters +func (d *DNSProvider) Present(domain, token, keyAuth string) error { + fqdn, value, ttl := acme.DNS01Record(domain, keyAuth) + + if ttl < 300 { + ttl = 300 // 300 is otc minimum value for ttl + } + + authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers) + if err != nil { + return err + } + + err = d.login() + if err != nil { + return err + } + + zoneID, err := d.getZoneID(authZone) + if err != nil { + return fmt.Errorf("unable to get zone: %s", err) + } + + resource := fmt.Sprintf("zones/%s/recordsets", zoneID) + + type recordset struct { + Name string `json:"name"` + Description string `json:"description"` + Type string `json:"type"` + Ttl int `json:"ttl"` + Records []string `json:"records"` + } + + r1 := &recordset{ + Name: fqdn, + Description: "Added TXT record for ACME dns-01 challenge using lego client", + Type: "TXT", + Ttl: 300, + Records: []string{fmt.Sprintf("\"%s\"", value)}, + } + _, err = d.SendRequest("POST", resource, r1) + + if err != nil { + return err + } + + return nil +} + +// CleanUp removes the TXT record matching the specified parameters +func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error { + fqdn, _, _ := acme.DNS01Record(domain, keyAuth) + + authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers) + if err != nil { + return err + } + + err = d.login() + if err != nil { + return err + } + + zoneID, err := d.getZoneID(authZone) + + if err != nil { + return err + } + + recordID, err := d.getRecordSetID(zoneID, fqdn) + if err != nil { + return fmt.Errorf("unable go get record %s for zone %s: %s", fqdn, domain, err) + } + return d.deleteRecordSet(zoneID, recordID) +} diff --git a/providers/dns/otc/otc_test.go b/providers/dns/otc/otc_test.go new file mode 100644 index 00000000..0c05334a --- /dev/null +++ b/providers/dns/otc/otc_test.go @@ -0,0 +1,112 @@ +package otc + +import ( + "fmt" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/suite" + "os" + "testing" +) + +type OTCDNSTestSuite struct { + suite.Suite + Mock *DNSMock +} + +func (s *OTCDNSTestSuite) TearDownSuite() { + s.Mock.ShutdownServer() +} + +func (s *OTCDNSTestSuite) SetupTest() { + s.Mock = NewDNSMock(s.T()) + s.Mock.Setup() + s.Mock.HandleAuthSuccessfully() + +} + +func TestOTCDNSTestSuite(t *testing.T) { + suite.Run(t, new(OTCDNSTestSuite)) +} + +func (s *OTCDNSTestSuite) createDNSProvider() (*DNSProvider, error) { + url := fmt.Sprintf("%s/v3/auth/token", s.Mock.Server.URL) + return NewDNSProviderCredentials(fakeOTCUserName, fakeOTCPassword, fakeOTCDomainName, fakeOTCProjectName, url) +} + +func (s *OTCDNSTestSuite) TestOTCDNSLoginEnv() { + os.Setenv("OTC_DOMAIN_NAME", "unittest1") + os.Setenv("OTC_USER_NAME", "unittest2") + os.Setenv("OTC_PASSWORD", "unittest3") + os.Setenv("OTC_PROJECT_NAME", "unittest4") + os.Setenv("OTC_IDENTITY_ENDPOINT", "unittest5") + + provider, err := NewDNSProvider() + assert.Nil(s.T(), err) + assert.Equal(s.T(), provider.domainName, "unittest1") + assert.Equal(s.T(), provider.userName, "unittest2") + assert.Equal(s.T(), provider.password, "unittest3") + assert.Equal(s.T(), provider.projectName, "unittest4") + assert.Equal(s.T(), provider.identityEndpoint, "unittest5") + + os.Setenv("OTC_IDENTITY_ENDPOINT", "") + + provider, err = NewDNSProvider() + assert.Nil(s.T(), err) + assert.Equal(s.T(), provider.identityEndpoint, "https://iam.eu-de.otc.t-systems.com:443/v3/auth/tokens") + + os.Clearenv() +} + +func (s *OTCDNSTestSuite) TestOTCDNSLoginEnvEmpty() { + _, err := NewDNSProvider() + assert.Equal(s.T(), "OTC credentials missing", err.Error()) + + os.Clearenv() +} + +func (s *OTCDNSTestSuite) TestOTCDNSLogin() { + otcProvider, err := s.createDNSProvider() + + assert.Nil(s.T(), err) + err = otcProvider.loginRequest() + assert.Nil(s.T(), err) + assert.Equal(s.T(), otcProvider.otcBaseURL, fmt.Sprintf("%s/v2", s.Mock.Server.URL)) + assert.Equal(s.T(), fakeOTCToken, otcProvider.token) +} + +func (s *OTCDNSTestSuite) TestOTCDNSEmptyZone() { + s.Mock.HandleListZonesEmpty() + s.Mock.HandleListRecordsetsSuccessfully() + + otcProvider, _ := s.createDNSProvider() + err := otcProvider.Present("example.com", "", "foobar") + assert.NotNil(s.T(), err) +} + +func (s *OTCDNSTestSuite) TestOTCDNSEmptyRecordset() { + s.Mock.HandleListZonesSuccessfully() + s.Mock.HandleListRecordsetsEmpty() + + otcProvider, _ := s.createDNSProvider() + err := otcProvider.CleanUp("example.com", "", "foobar") + assert.NotNil(s.T(), err) +} + +func (s *OTCDNSTestSuite) TestOTCDNSPresent() { + s.Mock.HandleListZonesSuccessfully() + s.Mock.HandleListRecordsetsSuccessfully() + + otcProvider, _ := s.createDNSProvider() + err := otcProvider.Present("example.com", "", "foobar") + assert.Nil(s.T(), err) +} + +func (s *OTCDNSTestSuite) TestOTCDNSCleanup() { + s.Mock.HandleListZonesSuccessfully() + s.Mock.HandleListRecordsetsSuccessfully() + s.Mock.HandleDeleteRecordsetsSuccessfully() + + otcProvider, _ := s.createDNSProvider() + err := otcProvider.CleanUp("example.com", "", "foobar") + assert.Nil(s.T(), err) +}