Webhook challenges

[johanot]

Motivation

This is how I mostly use Faythe today, but I'm tired of maintaining my own fork :)

The change

Extracted the nsupdate exec code and allowed for implementation of other "ChallengeDriver"'s. Then, implemented a webhook challenge driver that sends either a PUT or DELETE-request with payload like:

{
  "records": {
    "_acme-challenge.example.org": {
      "type": "TXT",
      "content": "wGd5vRc5-V6XMgQhjiQ5W5nRk8TldjvK3oJmcx8YZ3Q"
    }
  }
}

Breaking current config

Using the existing nsupdate-driver, configuration has to be changed from:

"zones": {
  "example.com": {
    "server": "ns.example.com",
    "key": "acme.example.com.key"
  }
}

to:

"zones": {
  "example.com": {
    "auth_dns_server": "ns.example.com",
    "challenge_driver": {
      "nsupdate": {
        "server": "ns.example.com",
        "key": "acme.example.com.key"
      }
    }
  }
}

Note that the authoritative dns server is no longer assumed to be the same endpoint to hit with nsupdate.

Future improvements

• Write integration tests for this repo, including a dummy webhook receiver
• Implement authentication, e.g. Bearer token or Client cert auth. In my setup, I run Faythe and my receiver on loopback, but if you use this over the internet, you should definitely not let Faythe modify your DNS-zones anonymously.

[cafkafk]

btw, we have seen this PR and made a story for it internally, we're just hit by a lot of vacation... :p

[johanot]

Forgot/missed this review during my vacation. :P Thanks for it!

I basically agree with everything mentioned. See 46acd6d .. I can prettify the git history if/when you want.

[cafkafk]

Seems tests broke, this should fix it

[johanot]

Rebased with main and refactored to get the vault-test spinning :) The CI should run green now, once it is green-lighted to start running 🤞