-
Notifications
You must be signed in to change notification settings - Fork 2k
/
cloudflare.go
335 lines (290 loc) · 9.54 KB
/
cloudflare.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
// +skip_license_check
/*
This file contains portions of code directly taken from the 'xenolf/lego' project.
A copy of the license for this code can be found in the file named LICENSE in
this directory.
*/
// Package cloudflare implements a DNS provider for solving the DNS-01
// challenge using cloudflare DNS.
package cloudflare
import (
"bytes"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"os"
"strings"
"time"
"github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util"
)
// CloudFlareAPIURL represents the API endpoint to call.
// TODO: Unexport?
const CloudFlareAPIURL = "https://api.cloudflare.com/client/v4"
// DNSProviderType is the Mockable Interface
type DNSProviderType interface {
makeRequest(method, uri string, body io.Reader) (json.RawMessage, error)
}
// DNSProvider is an implementation of the acme.ChallengeProvider interface
type DNSProvider struct {
dns01Nameservers []string
authEmail string
authKey string
authToken string
userAgent string
}
// DNSZone is the Zone-Record returned from Cloudflare (we`ll ignore everything we don't need)
// See https://api.cloudflare.com/#zone-properties
type DNSZone struct {
ID string `json:"id"`
Name string `json:"name"`
}
// NewDNSProvider returns a DNSProvider instance configured for cloudflare.
// Credentials must be passed in the environment variables: CLOUDFLARE_EMAIL
// and CLOUDFLARE_API_KEY.
func NewDNSProvider(dns01Nameservers []string, userAgent string) (*DNSProvider, error) {
email := os.Getenv("CLOUDFLARE_EMAIL")
key := os.Getenv("CLOUDFLARE_API_KEY")
return NewDNSProviderCredentials(email, key, "", dns01Nameservers, userAgent)
}
// NewDNSProviderCredentials uses the supplied credentials to return a
// DNSProvider instance configured for cloudflare.
func NewDNSProviderCredentials(email, key, token string, dns01Nameservers []string, userAgent string) (*DNSProvider, error) {
if (email == "" && key != "") || (key == "" && token == "") {
return nil, fmt.Errorf("no Cloudflare credential has been given (can be either an API key or an API token)")
}
if key != "" && token != "" {
return nil, fmt.Errorf("the Cloudflare API key and API token cannot be both present simultaneously")
}
// Cloudflare uses the X-Auth-Key header for its authentication.
// However, if the value of the X-Auth-Key header is invalid, the go
// http library will "helpfully" print out the value to help with
// debugging. To prevent leaking the X-Auth-Key value into the logs, we
// first check that the X-Auth-Key header contains a valid value to
// prevent the Go HTTP library from displaying it.
if !validHeaderFieldValue(key) {
return nil, fmt.Errorf("the Cloudflare API key is invalid (does the API key contain a newline?)")
}
if !validHeaderFieldValue(token) {
return nil, fmt.Errorf("the Cloudflare API token is invalid (does the API token contain a newline?)")
}
return &DNSProvider{
authEmail: email,
authKey: key,
authToken: token,
dns01Nameservers: dns01Nameservers,
userAgent: userAgent,
}, nil
}
// FindNearestZoneForFQDN will try to traverse the official Cloudflare API to find the nearest valid Zone.
// It's a replacement for /pkg/issuer/acme/dns/util/wait.go#FindZoneByFqdn
//
// example.com. ← Zone-Record found for the SLD (in most cases)
// └── foo.example.com. ← Zone-Record could be possibly here, but in this case not.
// └── _acme-challenge.foo.example.com. ← Starting point, the FQDN.
//
// It will try to call the API for each branch (from bottom to top) and see if there's a Zone-Record returned.
// Calling See https://api.cloudflare.com/#zone-list-zones
func FindNearestZoneForFQDN(c DNSProviderType, fqdn string) (DNSZone, error) {
if fqdn == "" {
return DNSZone{}, fmt.Errorf("FindNearestZoneForFQDN: FQDN-Parameter can't be empty, please specify a domain!")
}
mappedFQDN := strings.Split(fqdn, ".")
nextName := util.UnFqdn(fqdn) //remove the trailing dot
var lastErr error
for i := 0; i < len(mappedFQDN)-1; i++ {
var from, to = len(mappedFQDN[i]) + 1, len(nextName)
if from > to {
continue
}
if mappedFQDN[i] == "*" { //skip wildcard sub-domain-entries
nextName = string([]rune(nextName)[from:to])
continue
}
lastErr = nil
result, err := c.makeRequest("GET", "/zones?name="+nextName, nil)
if err != nil {
lastErr = err
continue
}
var zones []DNSZone
err = json.Unmarshal(result, &zones)
if err != nil {
return DNSZone{}, err
}
if len(zones) > 0 {
return zones[0], nil //we're returning the first zone found, might need to test that further
}
nextName = string([]rune(nextName)[from:to])
}
if lastErr != nil {
return DNSZone{}, fmt.Errorf("while attempting to find Zones for domain %s\n%s", fqdn, lastErr)
}
return DNSZone{}, fmt.Errorf("Found no Zones for domain %s (neither in the sub-domain nor in the SLD) please make sure your domain-entries in the config are correct and the API key is correctly setup with Zone.read rights.", fqdn)
}
// Present creates a TXT record to fulfil the dns-01 challenge
func (c *DNSProvider) Present(domain, fqdn, value string) error {
zoneID, err := c.getHostedZoneID(fqdn)
if err != nil {
return err
}
record, err := c.findTxtRecord(fqdn)
if err != nil && err != errNoExistingRecord {
// this is a real error
return err
}
if record != nil {
if record.Content == value {
// the record is already set to the desired value
return nil
}
_, err = c.makeRequest("DELETE", fmt.Sprintf("/zones/%s/dns_records/%s", record.ZoneID, record.ID), nil)
if err != nil {
return err
}
}
rec := cloudFlareRecord{
Type: "TXT",
Name: util.UnFqdn(fqdn),
Content: value,
TTL: 120,
}
body, err := json.Marshal(rec)
if err != nil {
return err
}
_, err = c.makeRequest("POST", fmt.Sprintf("/zones/%s/dns_records", zoneID), bytes.NewReader(body))
if err != nil {
return err
}
return nil
}
// CleanUp removes the TXT record matching the specified parameters
func (c *DNSProvider) CleanUp(domain, fqdn, value string) error {
record, err := c.findTxtRecord(fqdn)
// Nothing to cleanup
if err == errNoExistingRecord {
return nil
}
if err != nil {
return err
}
_, err = c.makeRequest("DELETE", fmt.Sprintf("/zones/%s/dns_records/%s", record.ZoneID, record.ID), nil)
if err != nil {
return err
}
return nil
}
func (c *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
hostedZone, err := FindNearestZoneForFQDN(c, fqdn)
if err != nil {
return "", err
}
return hostedZone.ID, nil
}
var errNoExistingRecord = errors.New("No existing record found")
func (c *DNSProvider) findTxtRecord(fqdn string) (*cloudFlareRecord, error) {
zoneID, err := c.getHostedZoneID(fqdn)
if err != nil {
return nil, err
}
result, err := c.makeRequest(
"GET",
fmt.Sprintf("/zones/%s/dns_records?per_page=100&type=TXT&name=%s", zoneID, util.UnFqdn(fqdn)),
nil,
)
if err != nil {
return nil, err
}
var records []cloudFlareRecord
err = json.Unmarshal(result, &records)
if err != nil {
return nil, err
}
for _, rec := range records {
if rec.Name == util.UnFqdn(fqdn) {
return &rec, nil
}
}
return nil, errNoExistingRecord
}
func (c *DNSProvider) makeRequest(method, uri string, body io.Reader) (json.RawMessage, error) {
// APIError contains error details for failed requests
type APIError struct {
Code int `json:"code,omitempty"`
Message string `json:"message,omitempty"`
ErrorChain []APIError `json:"error_chain,omitempty"`
}
// APIResponse represents a response from CloudFlare API
type APIResponse struct {
Success bool `json:"success"`
Errors []*APIError `json:"errors"`
Result json.RawMessage `json:"result"`
}
req, err := http.NewRequest(method, fmt.Sprintf("%s%s", CloudFlareAPIURL, uri), body)
if err != nil {
return nil, err
}
if c.authEmail != "" {
req.Header.Set("X-Auth-Email", c.authEmail)
}
if c.authToken != "" {
req.Header.Set("Authorization", "Bearer "+c.authToken)
} else {
req.Header.Set("X-Auth-Key", c.authKey)
}
req.Header.Set("User-Agent", c.userAgent)
client := http.Client{
Timeout: 30 * time.Second,
}
resp, err := client.Do(req)
if err != nil {
return nil, fmt.Errorf("while querying the Cloudflare API for %s %q: %v", method, uri, err)
}
defer resp.Body.Close()
var r APIResponse
err = json.NewDecoder(resp.Body).Decode(&r)
if err != nil {
return nil, err
}
if !r.Success {
if len(r.Errors) > 0 {
errStr := ""
for _, apiErr := range r.Errors {
errStr += fmt.Sprintf("\t Error: %d: %s", apiErr.Code, apiErr.Message)
for _, chainErr := range apiErr.ErrorChain {
errStr += fmt.Sprintf("<- %d: %s", chainErr.Code, chainErr.Message)
}
}
return nil, fmt.Errorf("while querying the Cloudflare API for %s %q \n%s", method, uri, errStr)
}
return nil, fmt.Errorf("while querying the Cloudflare API for %s %q", method, uri)
}
return r.Result, nil
}
// cloudFlareRecord represents a CloudFlare DNS record
type cloudFlareRecord struct {
Name string `json:"name"`
Type string `json:"type"`
Content string `json:"content"`
ID string `json:"id,omitempty"`
TTL int `json:"ttl,omitempty"`
ZoneID string `json:"zone_id,omitempty"`
}
// following functions are copy-pasted from go's internal
// http server
func validHeaderFieldValue(v string) bool {
for i := 0; i < len(v); i++ {
b := v[i]
if isCTL(b) && !isLWS(b) {
return false
}
}
return true
}
func isCTL(b byte) bool {
const del = 0x7f // a CTL
return b < ' ' || b == del
}
func isLWS(b byte) bool { return b == ' ' || b == '\t' }