[mirror_acme.sh.git] / dnsapi / dns_mythic_beasts.sh

#!/usr/bin/env sh
# Mythic Beasts is a long-standing UK service provider using standards-based OAuth2 authentication
# To test: ./acme.sh --dns dns_mythic_beasts --test --debug 1 --output-insecure --issue --domain domain.com
# Cannot retest once cert is issued
# OAuth2 tokens only valid for 300 seconds so we do not store
# NOTE: This will remove all TXT records matching the fulldomain, not just the added ones (_acme-challenge.www.domain.com)

# Test OAuth2 credentials
#MB_AK="aaaaaaaaaaaaaaaa"
#MB_AS="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"

# URLs
MB_API='https://api.mythic-beasts.com/dns/v2/zones'
MB_AUTH='https://auth.mythic-beasts.com/login'

########  Public functions #####################

#Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_mythic_beasts_add() {
  fulldomain=$1
  txtvalue=$2

  _info "MYTHIC BEASTS Adding record $fulldomain = $txtvalue"
  if ! _initAuth; then
    return 1
  fi

  if ! _get_root "$fulldomain"; then
    return 1
  fi

  # method path body_data
  if _mb_rest POST "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then

    if _contains "$response" "1 records added"; then
      _info "Added, verifying..."
      # Max 120 seconds to publish
      for i in $(seq 1 6); do
        # Retry on error
        if ! _mb_rest GET "$_domain/records/$_sub_domain/TXT?verify"; then
          _sleep 20
        else
          _info "Record published!"
          return 0
        fi
      done

    else
      _err "\n$response"
    fi

  fi
  _err "Add txt record error."
  return 1
}

#Usage: rm  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_mythic_beasts_rm() {
  fulldomain=$1
  txtvalue=$2

  _info "MYTHIC BEASTS Removing record $fulldomain = $txtvalue"
  if ! _initAuth; then
    return 1
  fi

  if ! _get_root "$fulldomain"; then
    return 1
  fi

  # method path body_data
  if _mb_rest DELETE "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
    _info "Record removed"
    return 0
  fi
  _err "Remove txt record error."
  return 1
}

####################  Private functions below ##################################

#Possible formats:
# _acme-challenge.www.example.com
# _acme-challenge.example.com
# _acme-challenge.example.co.uk
# _acme-challenge.www.example.co.uk
# _acme-challenge.sub1.sub2.www.example.co.uk
# sub1.sub2.example.co.uk
# example.com
# example.co.uk
#returns
# _sub_domain=_acme-challenge.www
# _domain=domain.com
_get_root() {
  domain=$1
  i=1
  p=1

  _debug "Detect the root zone"
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    if [ -z "$h" ]; then
      _err "Domain exhausted"
      return 1
    fi

    # Use the status errors to find the domain, continue on 403 Access denied
    # method path body_data
    _mb_rest GET "$h/records"
    ret="$?"
    if [ "$ret" -eq 0 ]; then
      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
      _domain="$h"
      _debug _sub_domain "$_sub_domain"
      _debug _domain "$_domain"
      return 0
    elif [ "$ret" -eq 1 ]; then
      return 1
    fi

    p=$i
    i=$(_math "$i" + 1)

    if [ "$i" -gt 50 ]; then
      break
    fi
  done
  _err "Domain too long"
  return 1
}

_initAuth() {
  MB_AK="${MB_AK:-$(_readaccountconf_mutable MB_AK)}"
  MB_AS="${MB_AS:-$(_readaccountconf_mutable MB_AS)}"

  if [ -z "$MB_AK" ] || [ -z "$MB_AS" ]; then
    MB_AK=""
    MB_AS=""
    _err "Please specify an OAuth2 Key & Secret"
    return 1
  fi

  _saveaccountconf_mutable MB_AK "$MB_AK"
  _saveaccountconf_mutable MB_AS "$MB_AS"

  if ! _oauth2; then
    return 1
  fi

  _info "Checking authentication"
  _secure_debug access_token "$MB_TK"
  _sleep 1

  # GET a list of zones
  # method path body_data
  if ! _mb_rest GET ""; then
    _err "The token is invalid"
    return 1
  fi
  _info "Token OK"
  return 0
}

# Github appears to use an outbound proxy for requests which means subsequent requests may not have the same
# source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail
# authentication. This is a work around using an undocumented MB API to obtain a token not tied to an
# IP just for the github tests.
_oauth2() {
  if [ "$GITHUB_ACTIONS" = "true" ]; then
    _oauth2_github
  else
    _oauth2_std
  fi
  return $?
}

_oauth2_std() {
  # HTTP Basic Authentication
  _H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" | _base64)"
  _H2="Accepts: application/json"
  export _H1 _H2
  body="grant_type=client_credentials"

  _info "Getting OAuth2 token..."
  # body  url [needbase64] [POST|PUT|DELETE] [ContentType]
  response="$(_post "$body" "$MB_AUTH" "" "POST" "application/x-www-form-urlencoded")"
  if _contains "$response" "\"token_type\":\"bearer\""; then
    MB_TK="$(echo "$response" | _egrep_o "access_token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
    if [ -z "$MB_TK" ]; then
      _err "Unable to get access_token"
      _err "\n$response"
      return 1
    fi
  else
    _err "OAuth2 token_type not Bearer"
    _err "\n$response"
    return 1
  fi
  _debug2 response "$response"
  return 0
}

_oauth2_github() {
  _H1="Accepts: application/json"
  export _H1
  body="{\"login\":{\"handle\":\"$MB_AK\",\"pass\":\"$MB_AS\",\"floating\":1}}"

  _info "Getting Floating token..."
  # body  url [needbase64] [POST|PUT|DELETE] [ContentType]
  response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")"
  MB_TK="$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
  if [ -z "$MB_TK" ]; then
    _err "Unable to get token"
    _err "\n$response"
    return 1
  fi
  _debug2 response "$response"
  return 0
}

# method path body_data
_mb_rest() {
  # URL encoded body for single API operations
  m="$1"
  ep="$2"
  data="$3"

  if [ -z "$ep" ]; then
    _mb_url="$MB_API"
  else
    _mb_url="$MB_API/$ep"
  fi

  _H1="Authorization: Bearer $MB_TK"
  _H2="Accepts: application/json"
  export _H1 _H2
  if [ "$data" ] || [ "$m" = "POST" ] || [ "$m" = "PUT" ] || [ "$m" = "DELETE" ]; then
    # body  url [needbase64] [POST|PUT|DELETE] [ContentType]
    response="$(_post "data=$data" "$_mb_url" "" "$m" "application/x-www-form-urlencoded")"
  else
    response="$(_get "$_mb_url")"
  fi

  if [ "$?" != "0" ]; then
    _err "Request error"
    return 1
  fi

  header="$(cat "$HTTP_HEADER")"
  status="$(echo "$header" | _egrep_o "^HTTP[^ ]* .*$" | cut -d " " -f 2-100 | tr -d "\f\n")"
  code="$(echo "$status" | _egrep_o "^[0-9]*")"
  if [ "$code" -ge 400 ] || _contains "$response" "\"error\"" || _contains "$response" "invalid_client"; then
    _err "error $status"
    _err "\n$response"
    _debug "\n$header"
    return 2
  fi

  _debug2 response "$response"
  return 0
}
Commit	Line	Data
4dd709b5	1	#!/usr/bin/env sh
	2	# Mythic Beasts is a long-standing UK service provider using standards-based OAuth2 authentication
	3	# To test: ./acme.sh --dns dns_mythic_beasts --test --debug 1 --output-insecure --issue --domain domain.com
	4	# Cannot retest once cert is issued
	5	# OAuth2 tokens only valid for 300 seconds so we do not store
	6	# NOTE: This will remove all TXT records matching the fulldomain, not just the added ones (_acme-challenge.www.domain.com)
	7
	8	# Test OAuth2 credentials
	9	#MB_AK="aaaaaaaaaaaaaaaa"
	10	#MB_AS="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
	11
	12	# URLs
	13	MB_API='https://api.mythic-beasts.com/dns/v2/zones'
	14	MB_AUTH='https://auth.mythic-beasts.com/login'
	15
	16	######## Public functions #####################
	17
	18	#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
	19	dns_mythic_beasts_add() {
	20	fulldomain=$1
	21	txtvalue=$2
	22
	23	_info "MYTHIC BEASTS Adding record $fulldomain = $txtvalue"
	24	if ! _initAuth; then
	25	return 1
	26	fi
	27
	28	if ! _get_root "$fulldomain"; then
	29	return 1
	30	fi
	31
	32	# method path body_data
	33	if _mb_rest POST "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
	34
	35	if _contains "$response" "1 records added"; then
	36	_info "Added, verifying..."
	37	# Max 120 seconds to publish
	38	for i in $(seq 1 6); do
	39	# Retry on error
	40	if ! _mb_rest GET "$_domain/records/$_sub_domain/TXT?verify"; then
	41	_sleep 20
	42	else
	43	_info "Record published!"
	44	return 0
	45	fi
	46	done
	47
	48	else
	49	_err "\n$response"
	50	fi
	51
	52	fi
	53	_err "Add txt record error."
	54	return 1
	55	}
	56
	57	#Usage: rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
	58	dns_mythic_beasts_rm() {
	59	fulldomain=$1
	60	txtvalue=$2
	61
	62	_info "MYTHIC BEASTS Removing record $fulldomain = $txtvalue"
	63	if ! _initAuth; then
	64	return 1
65	fi
66
67	if ! _get_root "$fulldomain"; then
68	return 1
69	fi
70
71	# method path body_data
72	if _mb_rest DELETE "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
73	_info "Record removed"
74	return 0
75	fi
76	_err "Remove txt record error."
77	return 1
78	}
79
80	#################### Private functions below ##################################
81
82	#Possible formats:
83	# _acme-challenge.www.example.com
84	# _acme-challenge.example.com
85	# _acme-challenge.example.co.uk
86	# _acme-challenge.www.example.co.uk
87	# _acme-challenge.sub1.sub2.www.example.co.uk
88	# sub1.sub2.example.co.uk
89	# example.com
90	# example.co.uk
91	#returns
92	# _sub_domain=_acme-challenge.www
93	# _domain=domain.com
94	_get_root() {
95	domain=$1
96	i=1
97	p=1
98
99	_debug "Detect the root zone"
100	while true; do
101	h=$(printf "%s" "$domain" \| cut -d . -f $i-100)
102	if [ -z "$h" ]; then
103	_err "Domain exhausted"
104	return 1
105	fi
106
107	# Use the status errors to find the domain, continue on 403 Access denied
108	# method path body_data
109	_mb_rest GET "$h/records"
110	ret="$?"
111	if [ "$ret" -eq 0 ]; then
112	_sub_domain=$(printf "%s" "$domain" \| cut -d . -f 1-$p)
113	_domain="$h"
114	_debug _sub_domain "$_sub_domain"
115	_debug _domain "$_domain"
116	return 0
117	elif [ "$ret" -eq 1 ]; then
118	return 1
119	fi
120
121	p=$i
122	i=$(_math "$i" + 1)
123
124	if [ "$i" -gt 50 ]; then
125	break
126	fi
127	done
128	_err "Domain too long"
129	return 1
130	}
131
132	_initAuth() {
133	MB_AK="${MB_AK:-$(_readaccountconf_mutable MB_AK)}"
134	MB_AS="${MB_AS:-$(_readaccountconf_mutable MB_AS)}"
135
136	if [ -z "$MB_AK" ] \|\| [ -z "$MB_AS" ]; then
137	MB_AK=""
138	MB_AS=""
139	_err "Please specify an OAuth2 Key & Secret"
140	return 1
141	fi
142
143	_saveaccountconf_mutable MB_AK "$MB_AK"
144	_saveaccountconf_mutable MB_AS "$MB_AS"
145
146	if ! _oauth2; then
147	return 1
148	fi
149
150	_info "Checking authentication"
151	_secure_debug access_token "$MB_TK"
152	_sleep 1
153
154	# GET a list of zones
155	# method path body_data
156	if ! _mb_rest GET ""; then
157	_err "The token is invalid"
158	return 1
159	fi
160	_info "Token OK"
161	return 0
162	}
163
6a2c9a0d	164	# Github appears to use an outbound proxy for requests which means subsequent requests may not have the same
6a2c9a0d	165	# source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail
2b6aa267	166	# authentication. This is a work around using an undocumented MB API to obtain a token not tied to an
6a2c9a0d	167	# IP just for the github tests.
4dd709b5	168	_oauth2() {
2b6aa267	169	if [ "$GITHUB_ACTIONS" = "true" ]; then
6251652c	170	_oauth2_github
2b6aa267	171	else
2b6aa267	172	_oauth2_std
6a2c9a0d	173	fi
6251652c	174	return $?
6a2c9a0d	175	}
	176
	177	_oauth2_std() {
4dd709b5	178	# HTTP Basic Authentication
	179	_H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" \| _base64)"
	180	_H2="Accepts: application/json"
	181	export _H1 _H2
	182	body="grant_type=client_credentials"
	183
	184	_info "Getting OAuth2 token..."
	185	# body url [needbase64] [POST\|PUT\|DELETE] [ContentType]
	186	response="$(_post "$body" "$MB_AUTH" "" "POST" "application/x-www-form-urlencoded")"
	187	if _contains "$response" "\"token_type\":\"bearer\""; then
	188	MB_TK="$(echo "$response" \| _egrep_o "access_token\":\"[^\"]*\"" \| cut -d : -f 2 \| tr -d '"')"
	189	if [ -z "$MB_TK" ]; then
	190	_err "Unable to get access_token"
	191	_err "\n$response"
	192	return 1
	193	fi
	194	else
	195	_err "OAuth2 token_type not Bearer"
	196	_err "\n$response"
	197	return 1
	198	fi
	199	_debug2 response "$response"
	200	return 0
	201	}
	202
6a2c9a0d	203	_oauth2_github() {
	204	_H1="Accepts: application/json"
	205	export _H1
95f13360	206	body="{\"login\":{\"handle\":\"$MB_AK\",\"pass\":\"$MB_AS\",\"floating\":1}}"
6a2c9a0d	207
	208	_info "Getting Floating token..."
	209	# body url [needbase64] [POST\|PUT\|DELETE] [ContentType]
	210	response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")"
	211	MB_TK="$(echo "$response" \| _egrep_o "\"token\":\"[^\"]*\"" \| cut -d : -f 2 \| tr -d '"')"
	212	if [ -z "$MB_TK" ]; then
56d799f4	213	_err "Unable to get token"
6a2c9a0d	214	_err "\n$response"
	215	return 1
	216	fi
	217	_debug2 response "$response"
	218	return 0
	219	}
	220
4dd709b5	221	# method path body_data
	222	_mb_rest() {
	223	# URL encoded body for single API operations
	224	m="$1"
	225	ep="$2"
	226	data="$3"
	227
	228	if [ -z "$ep" ]; then
	229	_mb_url="$MB_API"
	230	else
	231	_mb_url="$MB_API/$ep"
	232	fi
	233
	234	_H1="Authorization: Bearer $MB_TK"
	235	_H2="Accepts: application/json"
	236	export _H1 _H2
	237	if [ "$data" ] \|\| [ "$m" = "POST" ] \|\| [ "$m" = "PUT" ] \|\| [ "$m" = "DELETE" ]; then
	238	# body url [needbase64] [POST\|PUT\|DELETE] [ContentType]
	239	response="$(_post "data=$data" "$_mb_url" "" "$m" "application/x-www-form-urlencoded")"
	240	else
	241	response="$(_get "$_mb_url")"
	242	fi
	243
	244	if [ "$?" != "0" ]; then
	245	_err "Request error"
	246	return 1
	247	fi
	248
	249	header="$(cat "$HTTP_HEADER")"
	250	status="$(echo "$header" \| _egrep_o "^HTTP[^ ]* .*$" \| cut -d " " -f 2-100 \| tr -d "\f\n")"
	251	code="$(echo "$status" \| _egrep_o "^[0-9]*")"
	252	if [ "$code" -ge 400 ] \|\| _contains "$response" "\"error\"" \|\| _contains "$response" "invalid_client"; then
	253	_err "error $status"
	254	_err "\n$response"
	255	_debug "\n$header"
	256	return 2
	257	fi
	258
	259	_debug2 response "$response"
	260	return 0
	261	}