/
rfc2136.go
156 lines (129 loc) · 4.75 KB
/
rfc2136.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
/*
Copyright 2020 The cert-manager Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package rfc2136 implements a DNS provider for solving the DNS-01 challenge
// using the rfc2136 dynamic update.
// This code was adapted from lego:
// https://github.com/xenolf/lego
package rfc2136
import (
"fmt"
"strings"
"time"
"github.com/miekg/dns"
"github.com/jetstack/cert-manager/internal/apis/certmanager/validation/util"
logf "github.com/jetstack/cert-manager/pkg/logs"
)
// This list must be kept in sync with pkg/apis/certmanager/validation/issuer.go
var supportedAlgorithms = map[string]string{
"HMACMD5": dns.HmacMD5,
"HMACSHA1": dns.HmacSHA1,
"HMACSHA256": dns.HmacSHA256,
"HMACSHA512": dns.HmacSHA512,
}
// DNSProvider is an implementation of the acme.ChallengeProvider interface that
// uses dynamic DNS updates (RFC 2136) to create TXT records on a nameserver.
type DNSProvider struct {
nameserver string
tsigAlgorithm string
tsigKeyName string
tsigSecret string
}
// NewDNSProviderCredentials uses the supplied credentials to return a
// DNSProvider instance configured for rfc2136 dynamic update. To disable TSIG
// authentication, leave the TSIG parameters as empty strings.
// nameserver must be a network address in the form "IP" or "IP:port".
func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string) (*DNSProvider, error) {
logf.Log.V(logf.DebugLevel).Info("Creating RFC2136 Provider")
d := &DNSProvider{}
if validNameserver, err := util.ValidNameserver(nameserver); err != nil {
return nil, err
} else {
d.nameserver = validNameserver
}
if len(tsigKeyName) > 0 && len(tsigSecret) > 0 {
d.tsigKeyName = tsigKeyName
d.tsigSecret = tsigSecret
}
if tsigAlgorithm == "" {
tsigAlgorithm = dns.HmacMD5
} else {
if value, ok := supportedAlgorithms[strings.ToUpper(tsigAlgorithm)]; ok {
tsigAlgorithm = value
} else {
return nil, fmt.Errorf("algorithm '%v' is not supported", tsigAlgorithm)
}
}
d.tsigAlgorithm = tsigAlgorithm
logf.V(logf.DebugLevel).Infof("DNSProvider nameserver: %s\n", d.nameserver)
logf.V(logf.DebugLevel).Infof(" tsigAlgorithm: %s\n", d.tsigAlgorithm)
logf.V(logf.DebugLevel).Infof(" tsigKeyName: %s\n", d.tsigKeyName)
keyLen := len(d.tsigSecret)
mask := make([]rune, keyLen/2)
for i := range mask {
mask[i] = '*'
}
masked := d.tsigSecret[0:keyLen/4] + string(mask) + d.tsigSecret[keyLen/4*3:keyLen]
logf.V(logf.DebugLevel).Infof(" tsigSecret: %s\n", masked)
return d, nil
}
// Present creates a TXT record using the specified parameters
func (r *DNSProvider) Present(_, fqdn, zone, value string) error {
return r.changeRecord("INSERT", fqdn, zone, value, 60)
}
// CleanUp removes the TXT record matching the specified parameters
func (r *DNSProvider) CleanUp(_, fqdn, zone, value string) error {
return r.changeRecord("REMOVE", fqdn, zone, value, 60)
}
func (r *DNSProvider) changeRecord(action, fqdn, zone, value string, ttl int) error {
// Create RR
rr := new(dns.TXT)
rr.Hdr = dns.RR_Header{Name: fqdn, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: uint32(ttl)}
rr.Txt = []string{value}
rrs := []dns.RR{rr}
// Create dynamic update packet
m := new(dns.Msg)
m.SetUpdate(zone)
switch action {
case "INSERT":
m.Insert(rrs)
case "REMOVE":
m.Remove(rrs)
default:
return fmt.Errorf("unexpected action: %s", action)
}
// Setup client
c := new(dns.Client)
c.SingleInflight = true
// TSIG authentication / msg signing
if len(r.tsigKeyName) > 0 && len(r.tsigSecret) > 0 {
m.SetTsig(dns.Fqdn(r.tsigKeyName), r.tsigAlgorithm, 300, time.Now().Unix())
c.TsigSecret = map[string]string{dns.Fqdn(r.tsigKeyName): r.tsigSecret}
}
// Send the query
reply, _, err := c.Exchange(m, r.nameserver)
if err != nil {
return fmt.Errorf("DNS update failed: %v", err)
}
if reply != nil && reply.Rcode != dns.RcodeSuccess {
return fmt.Errorf("DNS update failed. Server replied: %s", dns.RcodeToString[reply.Rcode])
}
return nil
}
// Nameserver returns the nameserver configured for this provider when it was created
func (r *DNSProvider) Nameserver() string {
return r.nameserver
}
// TSIGAlgorithm returns the TSIG algorithm configured for this provider when it was created
func (r *DNSProvider) TSIGAlgorithm() string {
return r.tsigAlgorithm
}