ACME DNS challenges

2018-10-10 16:28:04 +02:00 · 2018-10-10 16:28:04 +02:00 · 5bdf8a5ea3
commit 5bdf8a5ea3
parent 7a2592b2fa
127 changed files with 24386 additions and 739 deletions
--- a/vendor/github.com/xenolf/lego/providers/dns/cloudflare/client.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/cloudflare/client.go
@ -1,212 +0,0 @@
-package cloudflare
-
-import (
-	"bytes"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
-
-	"github.com/xenolf/lego/acme"
-)
-
-// defaultBaseURL represents the API endpoint to call.
-const defaultBaseURL = "https://api.cloudflare.com/client/v4"
-
-// APIError contains error details for failed requests
-type APIError struct {
-	Code       int        `json:"code,omitempty"`
-	Message    string     `json:"message,omitempty"`
-	ErrorChain []APIError `json:"error_chain,omitempty"`
-}
-
-// APIResponse represents a response from Cloudflare API
-type APIResponse struct {
-	Success bool            `json:"success"`
-	Errors  []*APIError     `json:"errors"`
-	Result  json.RawMessage `json:"result"`
-}
-
-// TxtRecord represents a Cloudflare DNS record
-type TxtRecord struct {
-	Name    string `json:"name"`
-	Type    string `json:"type"`
-	Content string `json:"content"`
-	ID      string `json:"id,omitempty"`
-	TTL     int    `json:"ttl,omitempty"`
-	ZoneID  string `json:"zone_id,omitempty"`
-}
-
-// HostedZone represents a Cloudflare DNS zone
-type HostedZone struct {
-	ID   string `json:"id"`
-	Name string `json:"name"`
-}
-
-// Client Cloudflare API client
-type Client struct {
-	authEmail  string
-	authKey    string
-	BaseURL    string
-	HTTPClient *http.Client
-}
-
-// NewClient create a Cloudflare API client
-func NewClient(authEmail string, authKey string) (*Client, error) {
-	if authEmail == "" {
-		return nil, errors.New("cloudflare: some credentials information are missing: email")
-	}
-
-	if authKey == "" {
-		return nil, errors.New("cloudflare: some credentials information are missing: key")
-	}
-
-	return &Client{
-		authEmail:  authEmail,
-		authKey:    authKey,
-		BaseURL:    defaultBaseURL,
-		HTTPClient: http.DefaultClient,
-	}, nil
-}
-
-// GetHostedZoneID get hosted zone
-func (c *Client) GetHostedZoneID(fqdn string) (string, error) {
-	authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
-	if err != nil {
-		return "", err
-	}
-
-	result, err := c.doRequest(http.MethodGet, "/zones?name="+acme.UnFqdn(authZone), nil)
-	if err != nil {
-		return "", err
-	}
-
-	var hostedZone []HostedZone
-	err = json.Unmarshal(result, &hostedZone)
-	if err != nil {
-		return "", fmt.Errorf("cloudflare: HostedZone unmarshaling error: %v", err)
-	}
-
-	count := len(hostedZone)
-	if count == 0 {
-		return "", fmt.Errorf("cloudflare: zone %s not found for domain %s", authZone, fqdn)
-	} else if count > 1 {
-		return "", fmt.Errorf("cloudflare: zone %s cannot be find for domain %s: too many hostedZone: %v", authZone, fqdn, hostedZone)
-	}
-
-	return hostedZone[0].ID, nil
-}
-
-// FindTxtRecord Find a TXT record
-func (c *Client) FindTxtRecord(zoneID, fqdn string) (*TxtRecord, error) {
-	result, err := c.doRequest(
-		http.MethodGet,
-		fmt.Sprintf("/zones/%s/dns_records?per_page=1000&type=TXT&name=%s", zoneID, acme.UnFqdn(fqdn)),
-		nil,
-	)
-	if err != nil {
-		return nil, err
-	}
-
-	var records []TxtRecord
-	err = json.Unmarshal(result, &records)
-	if err != nil {
-		return nil, fmt.Errorf("cloudflare: record unmarshaling error: %v", err)
-	}
-
-	for _, rec := range records {
-		fmt.Println(rec.Name, acme.UnFqdn(fqdn))
-		if rec.Name == acme.UnFqdn(fqdn) {
-			return &rec, nil
-		}
-	}
-
-	return nil, fmt.Errorf("cloudflare: no existing record found for %s", fqdn)
-}
-
-// AddTxtRecord add a TXT record
-func (c *Client) AddTxtRecord(fqdn string, record TxtRecord) error {
-	zoneID, err := c.GetHostedZoneID(fqdn)
-	if err != nil {
-		return err
-	}
-
-	body, err := json.Marshal(record)
-	if err != nil {
-		return fmt.Errorf("cloudflare: record marshaling error: %v", err)
-	}
-
-	_, err = c.doRequest(http.MethodPost, fmt.Sprintf("/zones/%s/dns_records", zoneID), bytes.NewReader(body))
-	return err
-}
-
-// RemoveTxtRecord Remove a TXT record
-func (c *Client) RemoveTxtRecord(fqdn string) error {
-	zoneID, err := c.GetHostedZoneID(fqdn)
-	if err != nil {
-		return err
-	}
-
-	record, err := c.FindTxtRecord(zoneID, fqdn)
-	if err != nil {
-		return err
-	}
-
-	_, err = c.doRequest(http.MethodDelete, fmt.Sprintf("/zones/%s/dns_records/%s", record.ZoneID, record.ID), nil)
-	return err
-}
-
-func (c *Client) doRequest(method, uri string, body io.Reader) (json.RawMessage, error) {
-	req, err := http.NewRequest(method, fmt.Sprintf("%s%s", c.BaseURL, uri), body)
-	if err != nil {
-		return nil, err
-	}
-
-	req.Header.Set("X-Auth-Email", c.authEmail)
-	req.Header.Set("X-Auth-Key", c.authKey)
-
-	resp, err := c.HTTPClient.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("cloudflare: error querying API: %v", err)
-	}
-
-	defer resp.Body.Close()
-
-	content, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("cloudflare: %s", toUnreadableBodyMessage(req, content))
-	}
-
-	var r APIResponse
-	err = json.Unmarshal(content, &r)
-	if err != nil {
-		return nil, fmt.Errorf("cloudflare: APIResponse unmarshaling error: %v: %s", err, toUnreadableBodyMessage(req, content))
-	}
-
-	if !r.Success {
-		if len(r.Errors) > 0 {
-			return nil, fmt.Errorf("cloudflare: error \n%s", toError(r))
-		}
-
-		return nil, fmt.Errorf("cloudflare: %s", toUnreadableBodyMessage(req, content))
-	}
-
-	return r.Result, nil
-}
-
-func toUnreadableBodyMessage(req *http.Request, rawBody []byte) string {
-	return fmt.Sprintf("the request %s sent a response with a body which is an invalid format: %q", req.URL, string(rawBody))
-}
-
-func toError(r APIResponse) error {
-	errStr := ""
-	for _, apiErr := range r.Errors {
-		errStr += fmt.Sprintf("\t Error: %d: %s", apiErr.Code, apiErr.Message)
-		for _, chainErr := range apiErr.ErrorChain {
-			errStr += fmt.Sprintf("<- %d: %s", chainErr.Code, chainErr.Message)
-		}
-	}
-	return fmt.Errorf("cloudflare: error \n%s", errStr)
-}
--- a/vendor/github.com/xenolf/lego/providers/dns/cloudflare/cloudflare.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/cloudflare/cloudflare.go
@ -8,12 +8,18 @@ import (
 	"net/http"
 	"time"

+	"github.com/cloudflare/cloudflare-go"
 	"github.com/xenolf/lego/acme"
+	"github.com/xenolf/lego/log"
 	"github.com/xenolf/lego/platform/config/env"
 )

 // CloudFlareAPIURL represents the API endpoint to call.
-const CloudFlareAPIURL = defaultBaseURL // Deprecated
+const CloudFlareAPIURL = "https://api.cloudflare.com/client/v4" // Deprecated
+
+const (
+	minTTL = 120
+)

 // Config is used to configure the creation of the DNSProvider
 type Config struct {
@ -28,7 +34,7 @@ type Config struct {
 // NewDefaultConfig returns a default configuration for the DNSProvider
 func NewDefaultConfig() *Config {
 	return &Config{
-		TTL:                env.GetOrDefaultInt("CLOUDFLARE_TTL", 120),
+		TTL:                env.GetOrDefaultInt("CLOUDFLARE_TTL", minTTL),
 		PropagationTimeout: env.GetOrDefaultSecond("CLOUDFLARE_PROPAGATION_TIMEOUT", 2*time.Minute),
 		PollingInterval:    env.GetOrDefaultSecond("CLOUDFLARE_POLLING_INTERVAL", 2*time.Second),
 		HTTPClient: &http.Client{
@ -39,7 +45,7 @@ func NewDefaultConfig() *Config {

 // DNSProvider is an implementation of the acme.ChallengeProvider interface
 type DNSProvider struct {
-	client *Client
+	client *cloudflare.API
 	config *Config
 }

@ -47,7 +53,9 @@ type DNSProvider struct {
 // Credentials must be passed in the environment variables:
 // CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY.
 func NewDNSProvider() (*DNSProvider, error) {
-	values, err := env.Get("CLOUDFLARE_EMAIL", "CLOUDFLARE_API_KEY")
+	values, err := env.GetWithFallback(
+		[]string{"CLOUDFLARE_EMAIL", "CF_API_EMAIL"},
+		[]string{"CLOUDFLARE_API_KEY", "CF_API_KEY"})
 	if err != nil {
 		return nil, fmt.Errorf("cloudflare: %v", err)
 	}
@ -76,45 +84,92 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 		return nil, errors.New("cloudflare: the configuration of the DNS provider is nil")
 	}

-	client, err := NewClient(config.AuthEmail, config.AuthKey)
+	if config.TTL < minTTL {
+		return nil, fmt.Errorf("cloudflare: invalid TTL, TTL (%d) must be greater than %d", config.TTL, minTTL)
+	}
+
+	client, err := cloudflare.New(config.AuthKey, config.AuthEmail, cloudflare.HTTPClient(config.HTTPClient))
 	if err != nil {
 		return nil, err
 	}

-	client.HTTPClient = config.HTTPClient
-
 	// TODO: must be remove. keep only for compatibility reason.
 	client.BaseURL = CloudFlareAPIURL

-	return &DNSProvider{
-		client: client,
-		config: config,
-	}, nil
+	return &DNSProvider{client: client, config: config}, nil
 }

-// Timeout returns the timeout and interval to use when checking for DNS
-// propagation. Adjusting here to cope with spikes in propagation times.
+// Timeout returns the timeout and interval to use when checking for DNS propagation.
+// Adjusting here to cope with spikes in propagation times.
 func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
 	return d.config.PropagationTimeout, d.config.PollingInterval
 }

-// Present creates a TXT record to fulfil the dns-01 challenge
+// Present creates a TXT record to fulfill the dns-01 challenge
 func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 	fqdn, value, _ := acme.DNS01Record(domain, keyAuth)

-	rec := TxtRecord{
+	authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
+	if err != nil {
+		return fmt.Errorf("cloudflare: %v", err)
+	}
+
+	zoneID, err := d.client.ZoneIDByName(authZone)
+	if err != nil {
+		return fmt.Errorf("cloudflare: failed to find zone %s: %v", authZone, err)
+	}
+
+	dnsRecord := cloudflare.DNSRecord{
 		Type:    "TXT",
 		Name:    acme.UnFqdn(fqdn),
 		Content: value,
 		TTL:     d.config.TTL,
 	}

-	return d.client.AddTxtRecord(fqdn, rec)
+	response, _ := d.client.CreateDNSRecord(zoneID, dnsRecord)
+	if err != nil {
+		return fmt.Errorf("cloudflare: failed to create TXT record: %v", err)
+	}
+
+	if !response.Success {
+		return fmt.Errorf("cloudflare: failed to create TXT record: %+v %+v", response.Errors, response.Messages)
+	}
+
+	log.Infof("cloudflare: new record for %s, ID %s", domain, response.Result.ID)
+
+	return nil
 }

 // CleanUp removes the TXT record matching the specified parameters
 func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 	fqdn, _, _ := acme.DNS01Record(domain, keyAuth)

-	return d.client.RemoveTxtRecord(fqdn)
+	authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
+	if err != nil {
+		return fmt.Errorf("cloudflare: %v", err)
+	}
+
+	zoneID, err := d.client.ZoneIDByName(authZone)
+	if err != nil {
+		return fmt.Errorf("cloudflare: failed to find zone %s: %v", authZone, err)
+	}
+
+	dnsRecord := cloudflare.DNSRecord{
+		Type: "TXT",
+		Name: acme.UnFqdn(fqdn),
+	}
+
+	records, err := d.client.DNSRecords(zoneID, dnsRecord)
+	if err != nil {
+		return fmt.Errorf("cloudflare: failed to find TXT records: %v", err)
+	}
+
+	for _, record := range records {
+		err = d.client.DeleteDNSRecord(zoneID, record.ID)
+		if err != nil {
+			log.Printf("cloudflare: failed to delete TXT record: %v", err)
+		}
+	}
+
+	return nil
 }