lego/providers/dns/ovh/ovh.go
2024-07-21 15:06:01 +02:00

256 lines
7.4 KiB
Go

// Package ovh implements a DNS provider for solving the DNS-01 challenge using OVH DNS.
package ovh
import (
"errors"
"fmt"
"net/http"
"sync"
"time"
"github.com/go-acme/lego/v4/challenge/dns01"
"github.com/go-acme/lego/v4/platform/config/env"
"github.com/ovh/go-ovh/ovh"
)
// OVH API reference: https://eu.api.ovh.com/
// Create a Token: https://eu.api.ovh.com/createToken/
// Create a OAuth2 client: https://eu.api.ovh.com/console/?section=%2Fme&branch=v1#post-/me/api/oauth2/client
// Environment variables names.
const (
envNamespace = "OVH_"
EnvEndpoint = envNamespace + "ENDPOINT"
EnvTTL = envNamespace + "TTL"
EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
EnvPollingInterval = envNamespace + "POLLING_INTERVAL"
EnvHTTPTimeout = envNamespace + "HTTP_TIMEOUT"
)
// Authenticate using application key.
const (
EnvApplicationKey = envNamespace + "APPLICATION_KEY"
EnvApplicationSecret = envNamespace + "APPLICATION_SECRET"
EnvConsumerKey = envNamespace + "CONSUMER_KEY"
)
// Authenticate using OAuth2 client.
const (
EnvClientID = envNamespace + "CLIENT_ID"
EnvClientSecret = envNamespace + "CLIENT_SECRET"
)
// Record a DNS record.
type Record struct {
ID int64 `json:"id,omitempty"`
FieldType string `json:"fieldType,omitempty"`
SubDomain string `json:"subDomain,omitempty"`
Target string `json:"target,omitempty"`
TTL int `json:"ttl,omitempty"`
Zone string `json:"zone,omitempty"`
}
// OAuth2Config the OAuth2 specific configuration.
type OAuth2Config struct {
ClientID string
ClientSecret string
}
// Config is used to configure the creation of the DNSProvider.
type Config struct {
APIEndpoint string
ApplicationKey string
ApplicationSecret string
ConsumerKey string
OAuth2Config *OAuth2Config
PropagationTimeout time.Duration
PollingInterval time.Duration
TTL int
HTTPClient *http.Client
}
func (c *Config) hasAppKeyAuth() bool {
return c.ApplicationKey != "" || c.ApplicationSecret != "" || c.ConsumerKey != ""
}
// NewDefaultConfig returns a default configuration for the DNSProvider.
func NewDefaultConfig() *Config {
return &Config{
TTL: env.GetOrDefaultInt(EnvTTL, dns01.DefaultTTL),
PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, dns01.DefaultPropagationTimeout),
PollingInterval: env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
HTTPClient: &http.Client{
Timeout: env.GetOrDefaultSecond(EnvHTTPTimeout, ovh.DefaultTimeout),
},
}
}
// DNSProvider implements the challenge.Provider interface.
type DNSProvider struct {
config *Config
client *ovh.Client
recordIDs map[string]int64
recordIDsMu sync.Mutex
}
// NewDNSProvider returns a DNSProvider instance configured for OVH
// Credentials must be passed in the environment variables:
// OVH_ENDPOINT (must be either "ovh-eu" or "ovh-ca"), OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY.
func NewDNSProvider() (*DNSProvider, error) {
config := NewDefaultConfig()
// https://github.com/ovh/go-ovh/blob/6817886d12a8c5650794b28da635af9fcdfd1162/ovh/configuration.go#L105
config.APIEndpoint = env.GetOrDefaultString(EnvEndpoint, "ovh-eu")
config.ApplicationKey = env.GetOrFile(EnvApplicationKey)
config.ApplicationSecret = env.GetOrFile(EnvApplicationSecret)
config.ConsumerKey = env.GetOrFile(EnvConsumerKey)
clientID := env.GetOrFile(EnvClientID)
clientSecret := env.GetOrFile(EnvClientSecret)
if clientID != "" || clientSecret != "" {
config.OAuth2Config = &OAuth2Config{
ClientID: clientID,
ClientSecret: clientSecret,
}
}
return NewDNSProviderConfig(config)
}
// NewDNSProviderConfig return a DNSProvider instance configured for OVH.
func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
if config == nil {
return nil, errors.New("ovh: the configuration of the DNS provider is nil")
}
if config.OAuth2Config != nil && config.hasAppKeyAuth() {
return nil, errors.New("ovh: can't use both authentication systems (ApplicationKey and OAuth2)")
}
client, err := newClient(config)
if err != nil {
return nil, fmt.Errorf("ovh: %w", err)
}
return &DNSProvider{
config: config,
client: client,
recordIDs: make(map[string]int64),
}, nil
}
// Present creates a TXT record to fulfill the dns-01 challenge.
func (d *DNSProvider) Present(domain, token, keyAuth string) error {
info := dns01.GetChallengeInfo(domain, keyAuth)
authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
if err != nil {
return fmt.Errorf("ovh: could not find zone for domain %q: %w", domain, err)
}
authZone = dns01.UnFqdn(authZone)
subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
if err != nil {
return fmt.Errorf("ovh: %w", err)
}
reqURL := fmt.Sprintf("/domain/zone/%s/record", authZone)
reqData := Record{FieldType: "TXT", SubDomain: subDomain, Target: info.Value, TTL: d.config.TTL}
// Create TXT record
var respData Record
err = d.client.Post(reqURL, reqData, &respData)
if err != nil {
return fmt.Errorf("ovh: error when call api to add record (%s): %w", reqURL, err)
}
// Apply the change
reqURL = fmt.Sprintf("/domain/zone/%s/refresh", authZone)
err = d.client.Post(reqURL, nil, nil)
if err != nil {
return fmt.Errorf("ovh: error when call api to refresh zone (%s): %w", reqURL, err)
}
d.recordIDsMu.Lock()
d.recordIDs[token] = respData.ID
d.recordIDsMu.Unlock()
return nil
}
// CleanUp removes the TXT record matching the specified parameters.
func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
info := dns01.GetChallengeInfo(domain, keyAuth)
// get the record's unique ID from when we created it
d.recordIDsMu.Lock()
recordID, ok := d.recordIDs[token]
d.recordIDsMu.Unlock()
if !ok {
return fmt.Errorf("ovh: unknown record ID for '%s'", info.EffectiveFQDN)
}
authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
if err != nil {
return fmt.Errorf("ovh: could not find zone for domain %q: %w", domain, err)
}
authZone = dns01.UnFqdn(authZone)
reqURL := fmt.Sprintf("/domain/zone/%s/record/%d", authZone, recordID)
err = d.client.Delete(reqURL, nil)
if err != nil {
return fmt.Errorf("ovh: error when call OVH api to delete challenge record (%s): %w", reqURL, err)
}
// Apply the change
reqURL = fmt.Sprintf("/domain/zone/%s/refresh", authZone)
err = d.client.Post(reqURL, nil, nil)
if err != nil {
return fmt.Errorf("ovh: error when call api to refresh zone (%s): %w", reqURL, err)
}
// Delete record ID from map
d.recordIDsMu.Lock()
delete(d.recordIDs, token)
d.recordIDsMu.Unlock()
return nil
}
// Timeout returns the timeout and interval to use when checking for DNS propagation.
// Adjusting here to cope with spikes in propagation times.
func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
return d.config.PropagationTimeout, d.config.PollingInterval
}
func newClient(config *Config) (*ovh.Client, error) {
var client *ovh.Client
var err error
switch {
case config.hasAppKeyAuth():
client, err = ovh.NewClient(config.APIEndpoint, config.ApplicationKey, config.ApplicationSecret, config.ConsumerKey)
case config.OAuth2Config != nil:
client, err = ovh.NewOAuth2Client(config.APIEndpoint, config.OAuth2Config.ClientID, config.OAuth2Config.ClientSecret)
default:
client, err = ovh.NewDefaultClient()
}
if err != nil {
return nil, fmt.Errorf("new client: %w", err)
}
client.UserAgent = "go-acme/lego"
return client, nil
}