#!/usr/bin/env sh

# Akamai Edge DNS v2 API
# User must provide Open Edgegrid API credentials to the EdgeDNS installation. The remote user in EdgeDNS must have CRUD access to
# Edge DNS Zones and Recordsets, e.g. DNS—Zone Record Management authorization

# Report bugs to https://control.akamai.com/apps/support-ui/#/contact-support

# Values to export:
# --EITHER--
# *** TBD. NOT IMPLEMENTED YET ***
# specify Edgegrid credentials file and section
# AKAMAI_EDGERC=<full file path>
# AKAMAI_EDGERC_SECTION="default"
## --OR--
# specify individual credentials
# export AKAMAI_HOST=<host>
# export AKAMAI_ACCESS_TOKEN=<access token>
# export AKAMAI_CLIENT_TOKEN=<client token>
# export AKAMAI_CLIENT_SECRET=<client secret>

# Version of this DNS API hook; reported in the log by _EDGEDNS_credentials.
ACME_EDGEDNS_VERSION='0.1.0'

######## Public functions #####################

# Usage: dns_edgedns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
# Used to add txt record
#
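dns_edgedns_add() {
  # Publish an ACME dns-01 challenge value as a TXT record.
  # $1: fully-qualified record name (e.g. _acme-challenge.www.domain.com)
  # $2: challenge token to publish as the TXT value
  # Returns 0 once the value is present in the recordset (created with POST,
  # or merged into an existing recordset with PUT), 1 on any failure.
  fulldomain=$1
  txtvalue=$2
  _debug "ENTERING DNS_EDGEDNS_ADD"
  _debug2 "fulldomain" "$fulldomain"
  _debug2 "txtvalue" "$txtvalue"

  if ! _EDGEDNS_credentials; then
    # _EDGEDNS_credentials has already named the missing variable(s); do not
    # echo this function's own arguments (they include the challenge token).
    _err "Edge DNS credentials are not available"
    return 1
  fi
  # Sets $zone to the managed zone that contains $fulldomain.
  if ! _EDGEDNS_getZoneInfo "$fulldomain"; then
    _err "Invalid domain"
    return 1
  fi

  _debug2 "Add: zone" "$zone"
  acmeRecordURI=$(printf "%s/%s/names/%s/types/TXT" "$edge_endpoint" "$zone" "$fulldomain")
  _debug3 "Add URL" "$acmeRecordURI"
  # Look up the existing TXT recordset; a 404 only means it has to be created.
  _edge_result=$(_edgedns_rest GET "$acmeRecordURI")
  _api_status="$?"
  _debug3 "_edge_result" "$_edge_result"
  if [ "$_api_status" -ne 0 ]; then
    # _edgedns_rest prints "FATAL" when the acme.sh transport itself failed,
    # otherwise the HTTP status code; check this call's result, not the
    # $curResult/$retVal left behind by _EDGEDNS_getZoneInfo.
    if [ "$_edge_result" = "FATAL" ]; then
      _err "$(printf "Fatal error: acme API function call : %s" "$_api_status")"
    fi
    if [ "$_edge_result" != "404" ]; then
      _err "$(printf "Failure accessing Akamai Edge DNS API Server. Error: %s" "$_edge_result")"
      return 1
    fi
  fi
  rdata="\"${txtvalue}\""
  record_op="POST"
  if [ "$_api_status" -eq 0 ]; then
    # Recordset exists: replace it (PUT) with the existing values plus ours.
    record_op="PUT"
    rdlist="${_edge_result#*\"rdata\":[}"
    rdlist="${rdlist%%]*}"
    rdlist=$(echo "$rdlist" | tr -d '"' | tr -d "\\\\")
    _debug3 "existing TXT found"
    _debug3 "record data" "$rdlist"
    # Nothing to do if the value is already published.
    if _contains "$rdlist" "$txtvalue"; then
      return 0
    fi
    # Re-quote each comma-separated existing value and append it to rdata.
    # When no comma is left, %% and # leave rdlist unchanged and the loop ends.
    _txt_val=""
    while [ "$_txt_val" != "$rdlist" ] && [ "${rdlist}" ]; do
      _txt_val="${rdlist%%,*}"
      rdlist="${rdlist#*,}"
      rdata="${rdata},\"${_txt_val}\""
    done
  fi
  # Keep the whole JSON body inside one quoted word so that "[" and "]" and
  # the values are never subject to pathname expansion or word splitting.
  body="{\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":600, \"rdata\":[${rdata}]}"
  _debug3 "Add body '${body}'"
  _edge_result=$(_edgedns_rest "$record_op" "$acmeRecordURI" "$body")
  _api_status="$?"
  if [ "$_api_status" -eq 0 ]; then
    _log "$(printf "Text value %s added to recordset %s" "$txtvalue" "$fulldomain")"
    return 0
  else
    _err "$(printf "error adding TXT record for validation. Error: %s" "$_edge_result")"
    return 1
  fi
}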

# Usage: dns_edgedns_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
# Used to delete txt record
#
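dns_edgedns_rm() {
  # Remove an ACME dns-01 challenge value from a TXT recordset.
  # $1: fully-qualified record name
  # $2: challenge token to remove
  # If other values remain in the recordset it is rewritten (PUT) without
  # ours; if ours was the only value the recordset is deleted. A recordset
  # that no longer exists counts as success so that cleanup is idempotent.
  # Returns 0 on success, 1 on failure.
  fulldomain=$1
  txtvalue=$2
  _debug "ENTERING DNS_EDGEDNS_RM"
  _debug2 "fulldomain" "$fulldomain"
  _debug2 "txtvalue" "$txtvalue"

  if ! _EDGEDNS_credentials; then
    # _EDGEDNS_credentials has already named the missing variable(s); do not
    # echo this function's own arguments (they include the challenge token).
    _err "Edge DNS credentials are not available"
    return 1
  fi
  # Sets $zone to the managed zone that contains $fulldomain.
  if ! _EDGEDNS_getZoneInfo "$fulldomain"; then
    _err "Invalid domain"
    return 1
  fi
  _debug2 "RM: zone" "${zone}"
  acmeRecordURI=$(printf "%s/%s/names/%s/types/TXT" "${edge_endpoint}" "$zone" "$fulldomain")
  _debug3 "RM URL" "$acmeRecordURI"
  # Get existing TXT record
  _edge_result=$(_edgedns_rest GET "$acmeRecordURI")
  _api_status="$?"
  _debug3 "_edge_result" "$_edge_result"
  if [ "$_api_status" -ne 0 ]; then
    # Check this call's result, not the $curResult/$retVal left behind by
    # _EDGEDNS_getZoneInfo.
    if [ "$_edge_result" = "FATAL" ]; then
      _err "$(printf "Fatal error: acme API function call : %s" "$_api_status")"
    fi
    if [ "$_edge_result" != "404" ]; then
      _err "$(printf "Failure accessing Akamai Edge DNS API Server. Error: %s" "$_edge_result")"
      return 1
    fi
    # Nothing left to remove; a DELETE here would only produce an error.
    _log "$(printf "No TXT recordset found for %s, nothing to remove" "$fulldomain")"
    return 0
  fi
  record_op="DELETE"
  body=""
  # Recordset exists: keep every value except ours.
  rdlist="${_edge_result#*\"rdata\":[}"
  rdlist="${rdlist%%]*}"
  rdlist=$(echo "$rdlist" | tr -d '"' | tr -d "\\\\")
  _debug3 "rdlist" "$rdlist"
  if [ -n "$rdlist" ]; then
    record_op="PUT"
    comma=""
    rdata=""
    _txt_val=""
    # When no comma is left, %% and # leave rdlist unchanged and the loop ends.
    while [ "$_txt_val" != "$rdlist" ] && [ "$rdlist" ]; do
      _txt_val="${rdlist%%,*}"
      rdlist="${rdlist#*,}"
      _debug3 "_txt_val" "$_txt_val"
      _debug3 "txtvalue" "$txtvalue"
      # Exact comparison: a substring test would also drop any other value
      # that merely contains our token.
      if [ "$_txt_val" != "$txtvalue" ]; then
        rdata="${rdata}${comma}\"${_txt_val}\""
        comma=","
      fi
    done
    if [ -z "$rdata" ]; then
      # Ours was the only value: remove the whole recordset.
      record_op="DELETE"
    else
      # Recreate the recordset without our value. One quoted word, so "[" and
      # "]" and the values are never subject to pathname expansion.
      body="{\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":600, \"rdata\":[${rdata}]}"
      _debug3 "body" "$body"
    fi
  fi
  _edge_result=$(_edgedns_rest "$record_op" "$acmeRecordURI" "$body")
  _api_status="$?"
  if [ "$_api_status" -eq 0 ]; then
    _log "$(printf "Text value %s removed from recordset %s" "$txtvalue" "$fulldomain")"
    return 0
  else
    _err "$(printf "error removing TXT record for validation. Error: %s" "$_edge_result")"
    return 1
  fi
}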

#################### Private functions below ##################################

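_EDGEDNS_credentials() {
  # Load the four Open Edgegrid credentials, taking each from the environment
  # and falling back to the saved account config, then derive $edge_endpoint.
  # On success the complete set is persisted with _saveaccountconf_mutable and
  # 0 is returned. If any value is missing, all four variables are cleared,
  # every missing one is reported and 1 is returned.
  _debug "GettingEdge DNS credentials"
  _log "$(printf "ACME DNSAPI Edge DNS version %s" "${ACME_EDGEDNS_VERSION}")"

  # Resolve all four before validating, so the environment value of one
  # variable is never discarded because an earlier one was missing.
  AKAMAI_ACCESS_TOKEN="${AKAMAI_ACCESS_TOKEN:-$(_readaccountconf_mutable AKAMAI_ACCESS_TOKEN)}"
  AKAMAI_CLIENT_TOKEN="${AKAMAI_CLIENT_TOKEN:-$(_readaccountconf_mutable AKAMAI_CLIENT_TOKEN)}"
  AKAMAI_HOST="${AKAMAI_HOST:-$(_readaccountconf_mutable AKAMAI_HOST)}"
  AKAMAI_CLIENT_SECRET="${AKAMAI_CLIENT_SECRET:-$(_readaccountconf_mutable AKAMAI_CLIENT_SECRET)}"

  args_missing=0
  if [ -z "$AKAMAI_ACCESS_TOKEN" ]; then
    _err "AKAMAI_ACCESS_TOKEN is missing"
    args_missing=1
  fi
  if [ -z "$AKAMAI_CLIENT_TOKEN" ]; then
    _err "AKAMAI_CLIENT_TOKEN is missing"
    args_missing=1
  fi
  if [ -z "$AKAMAI_HOST" ]; then
    _err "AKAMAI_HOST is missing"
    args_missing=1
  fi
  if [ -z "$AKAMAI_CLIENT_SECRET" ]; then
    _err "AKAMAI_CLIENT_SECRET is missing"
    args_missing=1
  fi

  if [ "$args_missing" = 1 ]; then
    # Clear the whole set once, so a partial set is never left behind for a
    # later call to pick up and nothing incomplete gets persisted.
    AKAMAI_ACCESS_TOKEN=""
    AKAMAI_CLIENT_TOKEN=""
    AKAMAI_HOST=""
    AKAMAI_CLIENT_SECRET=""
    _err "You have not properly specified the EdgeDNS Open Edgegrid API credentials. Please try again."
    return 1
  fi

  _saveaccountconf_mutable AKAMAI_ACCESS_TOKEN "$AKAMAI_ACCESS_TOKEN"
  _saveaccountconf_mutable AKAMAI_CLIENT_TOKEN "$AKAMAI_CLIENT_TOKEN"
  _saveaccountconf_mutable AKAMAI_HOST "$AKAMAI_HOST"
  _saveaccountconf_mutable AKAMAI_CLIENT_SECRET "$AKAMAI_CLIENT_SECRET"
  # Tell acme.sh's curl wrapper to verify certificates: every Edgegrid API
  # call is made over https.
  export HTTPS_INSECURE=0 # All Edgegrid API calls are secure
  edge_endpoint=$(printf "https://%s/config-dns/v2/zones" "$AKAMAI_HOST")
  _debug3 "Edge API Endpoint:" "$edge_endpoint"
}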
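_EDGEDNS_getZoneInfo() {
  # Find the managed zone containing $1 by walking up its labels.
  # $1: fully-qualified record name (its first label is assumed to be the
  #     _acme-challenge prefix and is skipped).
  # Sets $zone and returns 0 on success; returns 1 when no candidate is a
  # managed zone or the API cannot be reached. $curResult and $retVal hold
  # the output and status of the last API call.
  _debug "Getting Zoneinfo"
  curZone=$1
  while true; do
    # Drop the leftmost label: on the first pass that is just the
    # _acme-challenge string, afterwards each pass tries the parent domain.
    curZone="${curZone#*.}"
    get_zone_url=$(printf "%s/%s" "$edge_endpoint" "$curZone")
    _debug3 "Zone Get: " "${get_zone_url}"
    curResult=$(_edgedns_rest GET "$get_zone_url")
    retVal=$?
    if [ "$retVal" -ne 0 ]; then
      if [ "$curResult" = "FATAL" ]; then
        _err "$(printf "Fatal error: acme API function call : %s" "$retVal")"
      fi
      # A 404 only means this candidate is not a managed zone. Anything else
      # is a real failure; $curResult carries the HTTP code or "FATAL", which
      # is what the message should show (not the shell status in $retVal).
      if [ "$curResult" != "404" ]; then
        _err "$(printf "Managed zone validation failed. Error response: %s" "$curResult")"
        return 1
      fi
    fi
    if _contains "$curResult" "\"zone\":"; then
      _debug2 "Zone data" "${curResult}"
      zone=$(echo "${curResult}" | _egrep_o "\"zone\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"")
      _debug3 "Zone" "${zone}"
      return 0
    fi

    # Stop once there is no higher level left to try.
    if [ "${curZone#*.}" = "$curZone" ]; then
      _err "Couldn't retrieve zone data."
      return 1
    fi
    _debug3 "$(printf "%s still contains a '.' - so we can check next higher level" "$curZone")"
  done
}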
# Request headers for the current API call, joined with a literal "\t"
# separator; rebuilt from scratch by _edgedns_rest on every request.
_edgedns_headers=''
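_edgedns_rest() {
  # Issue one signed Edgegrid request through acme.sh's _get/_post.
  # $1: HTTP method (GET, POST, PUT or DELETE)
  # $2: complete request URL, including any query string
  # $3: request body (used for POST/PUT)
  # Prints the normalized JSON response and returns 0 on HTTP 200/201;
  # prints the status code and returns 0 on 204; prints "FATAL" and returns
  # the transport's status when _get/_post fail; otherwise prints the HTTP
  # status code and returns 1.
  _debug "Handling API Request"
  m=$1
  # Assume endpoint is complete path, including query args if applicable
  ep=$2
  body_data=$3
  _edgedns_content_type=""
  # Globals read by _edgedns_make_auth_header and the signing helpers:
  # method, path and body are all part of the signed data.
  _request_url_path="$ep"
  _request_body="$body_data"
  _request_method="$m"
  _edgedns_headers=""
  tab=""
  _edgedns_headers="${_edgedns_headers}${tab}Host: ${AKAMAI_HOST}"
  tab="\t"
  # User-Agent is set by acme.sh's _post/_get, so it is not added here.
  _edgedns_headers="${_edgedns_headers}${tab}Accept: application/json,*/*"
  if [ "$m" != "GET" ] && [ "$m" != "DELETE" ]; then
    _edgedns_content_type="application/json"
    _debug3 "_request_body" "$_request_body"
    # NOTE(review): awk's length counts characters, not bytes; that is the
    # same while bodies are ASCII (record names and base64url tokens) —
    # confirm if non-ASCII values ever appear here.
    _body_len=$(echo "$_request_body" | tr -d "\n\r" | awk '{print length}')
    _edgedns_headers="${_edgedns_headers}${tab}Content-Length: ${_body_len}"
  fi
  # Must run after the request globals above are final: the signature covers
  # method, host, path and (for POST) the body hash.
  _edgedns_make_auth_header
  _edgedns_headers="${_edgedns_headers}${tab}Authorization: ${_signed_auth_header}"
  _secure_debug2 "Made Auth Header" "$_signed_auth_header"
  # A GET builds one header fewer than a POST/PUT, and acme.sh's _get/_post
  # send every _Hn slot that is set (presumably _H1.._H5). Clear the slots
  # first, or a stale header from the previous request — its Authorization
  # value — would be sent alongside the fresh one.
  unset _H1 _H2 _H3 _H4 _H5
  hdr_indx=1
  work_header="${_edgedns_headers}${tab}"
  _debug3 "work_header" "$work_header"
  while [ "$work_header" ]; do
    entry="${work_header%%\\t*}"
    work_header="${work_header#*\\t}"
    export "$(printf "_H%s=%s" "$hdr_indx" "$entry")"
    _debug2 "Request Header " "$entry"
    hdr_indx=$((hdr_indx + 1))
  done

  # clear headers from previous request to avoid getting wrong http code on timeouts
  : >"$HTTP_HEADER"
  _debug2 "$ep"
  if [ "$m" != "GET" ]; then
    # $_request_body is the body that is actually sent (there is no $data).
    _debug3 "Method data" "$_request_body"
    # body url [needbase64] [POST|PUT|DELETE] [ContentType]
    response=$(_post "$_request_body" "$ep" false "$m" "$_edgedns_content_type")
  else
    response=$(_get "$ep")
  fi
  _ret="$?"
  if [ "$_ret" -ne 0 ]; then
    _err "$(printf "acme.sh API function call failed. Error: %s" "$_ret")"
    echo "FATAL"
    return "$_ret"
  fi
  _debug2 "response" "${response}"
  # The last status line in the captured headers is the one that counts when
  # several were recorded.
  _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
  _debug2 "http response code" "$_code"
  if [ "$_code" = "200" ] || [ "$_code" = "201" ]; then
    # All good
    response="$(echo "${response}" | _normalizeJson)"
    echo "$response"
    return 0
  fi

  if [ "$_code" = "204" ]; then
    # Success, no body
    echo "$_code"
    return 0
  fi

  if [ "$_code" = "400" ]; then
    _err "Bad request presented"
    # The header set includes the Authorization value (tokens and signature);
    # keep it behind the secure debug switch instead of the regular log.
    _secure_debug2 "Headers" "$_edgedns_headers"
    _log "$(printf "Method: %s" "$_request_method")"
    _log "$(printf "URL: %s" "$ep")"
    _log "$(printf "Data: %s" "$_request_body")"
  fi

  if [ "$_code" = "403" ]; then
    _err "access denied make sure your Edgegrid cedentials are correct."
  fi

  echo "$_code"
  return 1
}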
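_edgedns_eg_timestamp() {
  # Build the Edgegrid timestamp (YYYYMMDDThh:mm:ss+0000) in $_eg_timestamp.
  # The time of day is read from the Date header of an https response so a
  # skewed local clock does not invalidate the signature; the date part comes
  # from the local clock. Falls back to the local clock for everything when
  # the remote Date header cannot be read.
  # NOTE(review): combining a local date with a remote time of day is wrong
  # around midnight UTC if the two clocks differ — confirm this is acceptable.
  _debug "Generating signature Timestamp"
  _debug3 "Retriving ntp time"
  _timeheaders="$(_get "https://www.ntp.org" "onlyheader")"
  _debug3 "_timeheaders" "$_timeheaders"
  # "Date: Tue, 15 Nov 1994 08:12:31 GMT": after the trim below, the fifth
  # space-separated field is the hh:mm:ss part.
  _ntpdate="$(echo "$_timeheaders" | grep -i "Date:" | _head_n 1 | cut -d ':' -f 2- | tr -d "\r\n")"
  _debug3 "_ntpdate" "$_ntpdate"
  _ntpdate="$(echo "${_ntpdate}" | sed -e 's/^[[:space:]]*//')"
  _debug3 "_NTPDATE" "$_ntpdate"
  _ntptime="$(echo "${_ntpdate}" | _head_n 1 | cut -d " " -f 5 | tr -d "\r\n")"
  _debug3 "_ntptime" "$_ntptime"
  if [ -z "$_ntptime" ]; then
    # Request failed or no Date header: an empty time of day would produce a
    # malformed timestamp and a rejected signature, so use the local clock.
    _debug "Could not read remote Date header, using local clock for timestamp"
    _eg_timestamp="$(date -u "+%Y%m%dT%H:%M:%S+0000")"
  else
    _eg_timestamp=$(date -u "+%Y%m%dT")
    _eg_timestamp="$(printf "%s%s+0000" "$_eg_timestamp" "$_ntptime")"
  fi
  _debug "_eg_timestamp" "$_eg_timestamp"
}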
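_edgedns_new_nonce() {
  # Generate the per-request Edgegrid nonce in $_nonce (32 hex chars).
  # The nonce is not a secret, but it must differ between requests: seeding it
  # from the current second alone made back-to-back calls (the GET followed by
  # the PUT/POST/DELETE) collide, so the process id and a per-process counter
  # are mixed in as well.
  _debug "Generating Nonce"
  _edgedns_nonce_counter=$((${_edgedns_nonce_counter:-0} + 1))
  _nonce=$(echo "EDGEDNS$(_time)$$${_edgedns_nonce_counter}" | _digest sha1 hex | cut -c 1-32)
  _debug3 "_nonce" "$_nonce"
}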
_edgedns_make_auth_header() {
  # Assemble the EG1-HMAC-SHA256 Authorization value in $_signed_auth_header.
  # Relies on $_request_method, $_request_url_path and $_request_body having
  # been set by _edgedns_rest, because they are covered by the signature.
  _debug "Constructing Auth Header"
  _edgedns_new_nonce
  _edgedns_eg_timestamp
  # Unsigned part, e.g. (sample values):
  #   EG1-HMAC-SHA256 client_token=block;access_token=block;timestamp=20200806T14:16:33+0000;nonce=72cde72c-82d9-4721-9854-2ba057929d67;
  _auth_header=$(printf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "$AKAMAI_CLIENT_TOKEN" "$AKAMAI_ACCESS_TOKEN" "$_eg_timestamp" "$_nonce")
  _secure_debug2 "Unsigned Auth Header: " "$_auth_header"

  # _edgedns_sign_request reads $_auth_header and leaves the signature in
  # $_signed_req; it becomes the final "signature=" field.
  _edgedns_sign_request
  _signed_auth_header=$(printf "%ssignature=%s" "$_auth_header" "$_signed_req")
  _secure_debug2 "Signed Auth Header: " "${_signed_auth_header}"
}
_edgedns_sign_request() {
  # Compute the request signature into $_signed_req:
  # base64(HMAC-SHA256(signing_key, data_to_sign)).
  # Reads $_auth_header and $_eg_timestamp, both set by _edgedns_make_auth_header.
  _debug2 "Signing http request"
  # Leaves the tab-separated request summary in $_mdata.
  _edgedns_make_data_to_sign "$_auth_header"
  _secure_debug2 "Returned signed data" "$_mdata"
  # The signing key is derived from the timestamp under the client secret,
  # so it is left in $_signing_key rather than taken from configuration.
  _edgedns_make_signing_key "$_eg_timestamp"
  _edgedns_base64_hmac_sha256 "$_mdata" "$_signing_key"
  _signed_req=$_hmac_out
  _secure_debug2 "Signed Request" "$_signed_req"
}
_edgedns_make_signing_key() {
  # Derive the signing key into $_signing_key:
  # base64(HMAC-SHA256(AKAMAI_CLIENT_SECRET, timestamp)).
  # $1: the Edgegrid timestamp string used for this request
  _debug2 "Creating sigining key"
  ts=$1
  _edgedns_base64_hmac_sha256 "$ts" "$AKAMAI_CLIENT_SECRET"
  _signing_key=$_hmac_out
  _secure_debug2 "Signing Key" "$_signing_key"
}
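_edgedns_make_data_to_sign() {
  # Build the Edgegrid "data to sign" string in $_mdata, tab-separated:
  #   METHOD, "https", host, request path, headers-to-sign (empty),
  #   content hash, unsigned auth header.
  # $1: the unsigned auth header (becomes the last field)
  _debug2 "Processing data to sign"
  hdr=$1
  _secure_debug2 "hdr" "$hdr"
  # Leaves $_hash set ("" unless this is a POST with a body).
  _edgedns_make_content_hash
  # Reduce the full URL to the request path. The scheme is stripped with
  # parameter expansion because sed's "\?" is a GNU extension and not
  # portable; then everything up to and including the host is dropped.
  path="$(echo "$_request_url_path" | tr -d "\n\r")"
  path="${path#http://}"
  path="${path#https://}"
  path=${path#*"$AKAMAI_HOST"}
  _debug "hier path" "$path"
  # dont expose headers to sign so use MT string
  _mdata="$(printf "%s\thttps\t%s\t%s\t%s\t%s\t%s" "$_request_method" "$AKAMAI_HOST" "$path" "" "$_hash" "$hdr")"
  _secure_debug2 "Data to Sign" "$_mdata"
}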
_edgedns_make_content_hash() {
  # Set $_hash to the base64 SHA-256 of $_request_body, or to "" when the
  # request is not a POST or carries no body — only POST bodies are hashed.
  _debug2 "Generating content hash"
  _hash=""
  _debug2 "Request method" "${_request_method}"
  if [ "$_request_method" = "POST" ] && [ -n "$_request_body" ]; then
    _debug2 "Req body" "$_request_body"
    # _edgedns_base64_sha256 leaves its result in $_sha256_out.
    _edgedns_base64_sha256 "$_request_body"
    _hash=$_sha256_out
    _debug2 "Content hash" "$_hash"
  fi
}
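_edgedns_base64_hmac_sha256() {
  # Compute base64(HMAC-SHA256(key, data)) into $_hmac_out.
  # $1: data to authenticate (CR/LF characters are removed before hashing)
  # $2: key, as text
  _debug2 "Generating hmac"
  data=$1
  key=$2
  # printf instead of echo: some /bin/sh echo implementations interpret
  # backslash sequences or a leading "-" in their argument, which would
  # silently change the bytes being signed.
  encoded_data="$(printf "%s" "$data" | iconv -t utf-8)"
  encoded_key="$(printf "%s" "$key" | iconv -t utf-8)"
  _secure_debug2 "encoded data" "$encoded_data"
  _secure_debug2 "encoded key" "$encoded_key"

  # acme.sh's _hmac takes the key as a hex string.
  encoded_key_hex=$(printf "%s" "$encoded_key" | _hex_dump | tr -d ' ')
  data_sig="$(printf "%s" "$encoded_data" | tr -d "\n\r" | _hmac sha256 "$encoded_key_hex" | _base64)"

  _secure_debug2 "data_sig:" "$data_sig"
  _hmac_out="$(printf "%s" "$data_sig" | tr -d "\n\r" | iconv -f utf-8)"
  _secure_debug2 "hmac" "$_hmac_out"
}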
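_edgedns_base64_sha256() {
  # Compute base64(SHA-256($1)) into $_sha256_out, ignoring CR/LF in $1.
  # $1: the data to digest (the request body)
  _debug2 "Creating sha256 digest"
  trg=$1
  _secure_debug2 "digest data" "$trg"
  # printf instead of echo so that backslashes or a leading "-" in the body
  # cannot be reinterpreted by the shell's echo before hashing.
  digest="$(printf "%s" "$trg" | tr -d "\n\r" | _digest "sha256")"
  _sha256_out="$(printf "%s" "$digest" | tr -d "\n\r" | iconv -f utf-8)"
  _secure_debug2 "digest decode" "$_sha256_out"
}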
#_edgedns_parse_edgerc() {
#  filepath=$1
#  section=$2
#}