]>
Commit | Line | Data |
---|---|---|
ec53b27d VS |
1 | #!/usr/bin/env sh |
2 | ||
3 | #YC_Zone_ID="" # DNS Zone ID | |
4 | #YC_Folder_ID="" # YC Folder ID | |
5 | #YC_SA_ID="" # Service Account ID | |
6 | #YC_SA_Key_ID="" # Service Account IAM Key ID | |
90623142 VS |
7 | #YC_SA_Key_File_Path="/path/to/private.key" # Path to private.key use instead of YC_SA_Key_File_PEM_b64 |
8 | #YC_SA_Key_File_PEM_b64="" # Base64 content of private.key use instead of YC_SA_Key_File_Path | |
ec53b27d VS |
9 | YC_Api="https://dns.api.cloud.yandex.net/dns/v1" |
10 | ||
11 | ######## Public functions ##################### | |
12 | ||
13 | #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" | |
14 | dns_yc_add() { | |
15 | fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name | |
16 | txtvalue=$2 | |
17 | ||
90623142 VS |
18 | YC_SA_Key_File_PEM_b64="${YC_SA_Key_File_PEM_b64:-$(_readaccountconf_mutable YC_SA_Key_File_PEM_b64)}" |
19 | YC_SA_Key_File_Path="${YC_SA_Key_File_Path:-$(_readaccountconf_mutable YC_SA_Key_File_Path)}" | |
20 | ||
21 | if [ "$YC_SA_Key_File_PEM_b64" ]; then | |
4e5d4b96 | 22 | echo "$YC_SA_Key_File_PEM_b64" | _dbase64 >private.key |
90623142 VS |
23 | YC_SA_Key_File="private.key" |
24 | _savedomainconf YC_SA_Key_File_PEM_b64 "$YC_SA_Key_File_PEM_b64" | |
ec53b27d | 25 | else |
90623142 VS |
26 | YC_SA_Key_File="$YC_SA_Key_File_Path" |
27 | _savedomainconf YC_SA_Key_File_Path "$YC_SA_Key_File_Path" | |
ec53b27d VS |
28 | fi |
29 | ||
30 | YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}" | |
31 | YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}" | |
32 | YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}" | |
33 | YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}" | |
90623142 | 34 | |
ec53b27d VS |
35 | if [ "$YC_SA_ID" ] && [ "$YC_SA_Key_ID" ] && [ "$YC_SA_Key_File" ]; then |
36 | if [ -f "$YC_SA_Key_File" ]; then | |
37 | if _isRSA "$YC_SA_Key_File" >/dev/null 2>&1; then | |
38 | if [ "$YC_Zone_ID" ]; then | |
39 | _savedomainconf YC_Zone_ID "$YC_Zone_ID" | |
40 | _savedomainconf YC_SA_ID "$YC_SA_ID" | |
41 | _savedomainconf YC_SA_Key_ID "$YC_SA_Key_ID" | |
ec53b27d VS |
42 | elif [ "$YC_Folder_ID" ]; then |
43 | _savedomainconf YC_Folder_ID "$YC_Folder_ID" | |
44 | _saveaccountconf_mutable YC_SA_ID "$YC_SA_ID" | |
45 | _saveaccountconf_mutable YC_SA_Key_ID "$YC_SA_Key_ID" | |
ec53b27d VS |
46 | _clearaccountconf_mutable YC_Zone_ID |
47 | _clearaccountconf YC_Zone_ID | |
48 | else | |
49 | _err "You didn't specify a Yandex Cloud Zone ID or Folder ID yet." | |
50 | return 1 | |
51 | fi | |
52 | else | |
53 | _err "YC_SA_Key_File not a RSA file(_isRSA function return false)." | |
54 | return 1 | |
55 | fi | |
56 | else | |
57 | _err "YC_SA_Key_File not found in path $YC_SA_Key_File." | |
58 | return 1 | |
59 | fi | |
60 | else | |
61 | _clearaccountconf YC_Zone_ID | |
62 | _clearaccountconf YC_Folder_ID | |
63 | _clearaccountconf YC_SA_ID | |
64 | _clearaccountconf YC_SA_Key_ID | |
90623142 VS |
65 | _clearaccountconf YC_SA_Key_File_PEM_b64 |
66 | _clearaccountconf YC_SA_Key_File_Path | |
ec53b27d VS |
67 | _err "You didn't specify a YC_SA_ID or YC_SA_Key_ID or YC_SA_Key_File." |
68 | return 1 | |
69 | fi | |
70 | ||
71 | _debug "First detect the root zone" | |
72 | if ! _get_root "$fulldomain"; then | |
73 | _err "invalid domain" | |
74 | return 1 | |
75 | fi | |
76 | _debug _domain_id "$_domain_id" | |
77 | _debug _sub_domain "$_sub_domain" | |
78 | _debug _domain "$_domain" | |
79 | ||
80 | _debug "Getting txt records" | |
81 | if ! _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then | |
82 | _err "Error: $response" | |
83 | return 1 | |
84 | fi | |
85 | ||
86 | _info "Adding record" | |
87 | if _yc_rest POST "zones/$_domain_id:upsertRecordSets" "{\"merges\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":[\"$txtvalue\"]}]}"; then | |
88 | if _contains "$response" "\"done\": true"; then | |
89 | _info "Added, OK" | |
90 | return 0 | |
91 | else | |
92 | _err "Add txt record error." | |
93 | return 1 | |
94 | fi | |
95 | fi | |
96 | _err "Add txt record error." | |
97 | return 1 | |
98 | ||
99 | } | |
100 | ||
101 | #fulldomain txtvalue | |
102 | dns_yc_rm() { | |
103 | fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name | |
104 | txtvalue=$2 | |
105 | ||
106 | YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}" | |
107 | YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}" | |
108 | YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}" | |
109 | YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}" | |
ec53b27d VS |
110 | |
111 | _debug "First detect the root zone" | |
112 | if ! _get_root "$fulldomain"; then | |
113 | _err "invalid domain" | |
114 | return 1 | |
115 | fi | |
116 | _debug _domain_id "$_domain_id" | |
117 | _debug _sub_domain "$_sub_domain" | |
118 | _debug _domain "$_domain" | |
119 | ||
120 | _debug "Getting txt records" | |
121 | if _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then | |
122 | exists_txtvalue=$(echo "$response" | _normalizeJson | _egrep_o "\"data\".*\][^,]*" | _egrep_o "[^:]*$") | |
123 | _debug exists_txtvalue "$exists_txtvalue" | |
124 | else | |
125 | _err "Error: $response" | |
126 | return 1 | |
127 | fi | |
128 | ||
129 | if _yc_rest POST "zones/$_domain_id:updateRecordSets" "{\"deletions\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":$exists_txtvalue}]}"; then | |
130 | if _contains "$response" "\"done\": true"; then | |
131 | _info "Delete, OK" | |
132 | return 0 | |
133 | else | |
134 | _err "Delete record error." | |
135 | return 1 | |
136 | fi | |
137 | fi | |
138 | _err "Delete record error." | |
139 | return 1 | |
140 | } | |
141 | ||
142 | #################### Private functions below ################################## | |
143 | #_acme-challenge.www.domain.com | |
144 | #returns | |
145 | # _sub_domain=_acme-challenge.www | |
146 | # _domain=domain.com | |
147 | # _domain_id=sdjkglgdfewsdfg | |
148 | _get_root() { | |
149 | domain=$1 | |
150 | i=1 | |
151 | p=1 | |
152 | ||
153 | # Use Zone ID directly if provided | |
154 | if [ "$YC_Zone_ID" ]; then | |
155 | if ! _yc_rest GET "zones/$YC_Zone_ID"; then | |
156 | return 1 | |
157 | else | |
4e5d4b96 | 158 | if echo "$response" | tr -d " " | _egrep_o "\"id\":\"$YC_Zone_ID\"" >/dev/null; then |
ec53b27d VS |
159 | _domain=$(echo "$response" | _egrep_o "\"zone\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ") |
160 | if [ "$_domain" ]; then | |
161 | _cutlength=$((${#domain} - ${#_domain})) | |
162 | _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength") | |
163 | _domain_id=$YC_Zone_ID | |
164 | return 0 | |
165 | else | |
166 | return 1 | |
167 | fi | |
168 | else | |
169 | return 1 | |
170 | fi | |
171 | fi | |
172 | fi | |
173 | ||
174 | while true; do | |
175 | h=$(printf "%s" "$domain" | cut -d . -f $i-100) | |
176 | _debug h "$h" | |
177 | if [ -z "$h" ]; then | |
178 | #not valid | |
179 | return 1 | |
180 | fi | |
181 | if [ "$YC_Folder_ID" ]; then | |
182 | if ! _yc_rest GET "zones?folderId=$YC_Folder_ID"; then | |
183 | return 1 | |
184 | fi | |
185 | else | |
186 | echo "You didn't specify a Yandex Cloud Folder ID." | |
187 | return 1 | |
188 | fi | |
189 | if _contains "$response" "\"zone\": \"$h\""; then | |
190 | _domain_id=$(echo "$response" | _normalizeJson | _egrep_o "[^{]*\"zone\":\"$h\"[^}]*" | _egrep_o "\"id\"[^,]*" | _egrep_o "[^:]*$" | tr -d '"') | |
191 | _debug _domain_id "$_domain_id" | |
192 | if [ "$_domain_id" ]; then | |
193 | _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) | |
194 | _domain=$h | |
195 | return 0 | |
196 | fi | |
197 | return 1 | |
198 | fi | |
199 | p=$i | |
200 | i=$(_math "$i" + 1) | |
201 | done | |
202 | return 1 | |
203 | } | |
204 | ||
205 | _yc_rest() { | |
206 | m=$1 | |
207 | ep="$2" | |
208 | data="$3" | |
209 | _debug "$ep" | |
210 | ||
211 | if [ ! "$YC_Token" ]; then | |
212 | _debug "Login" | |
213 | _yc_login | |
214 | else | |
215 | _debug "Token already exists. Skip Login." | |
216 | fi | |
217 | ||
218 | token_trimmed=$(echo "$YC_Token" | tr -d '"') | |
219 | ||
220 | export _H1="Content-Type: application/json" | |
221 | export _H2="Authorization: Bearer $token_trimmed" | |
222 | ||
223 | if [ "$m" != "GET" ]; then | |
224 | _debug data "$data" | |
225 | response="$(_post "$data" "$YC_Api/$ep" "" "$m")" | |
226 | else | |
227 | response="$(_get "$YC_Api/$ep")" | |
228 | fi | |
229 | ||
230 | if [ "$?" != "0" ]; then | |
231 | _err "error $ep" | |
232 | return 1 | |
233 | fi | |
234 | _debug2 response "$response" | |
235 | return 0 | |
236 | } | |
237 | ||
238 | _yc_login() { | |
239 | header=$(echo "{\"typ\":\"JWT\",\"alg\":\"PS256\",\"kid\":\"$YC_SA_Key_ID\"}" | _normalizeJson | _base64 | _url_replace) | |
240 | _debug header "$header" | |
4e5d4b96 | 241 | |
ec53b27d | 242 | _current_timestamp=$(_time) |
4e5d4b96 | 243 | _expire_timestamp=$(_math "$_current_timestamp" + 1200) # 20 minutes |
ec53b27d VS |
244 | payload=$(echo "{\"iss\":\"$YC_SA_ID\",\"aud\":\"https://iam.api.cloud.yandex.net/iam/v1/tokens\",\"iat\":$_current_timestamp,\"exp\":$_expire_timestamp}" | _normalizeJson | _base64 | _url_replace) |
245 | _debug payload "$payload" | |
246 | ||
247 | #signature=$(printf "%s.%s" "$header" "$payload" | ${ACME_OPENSSL_BIN:-openssl} dgst -sign "$YC_SA_Key_File -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _base64 | _url_replace ) | |
248 | _signature=$(printf "%s.%s" "$header" "$payload" | _sign "$YC_SA_Key_File" "sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _url_replace) | |
249 | _debug2 _signature "$_signature" | |
4e5d4b96 | 250 | |
90623142 | 251 | rm -rf "$YC_SA_Key_File" |
ec53b27d VS |
252 | |
253 | _jwt=$(printf "{\"jwt\": \"%s.%s.%s\"}" "$header" "$payload" "$_signature") | |
254 | _debug2 _jwt "$_jwt" | |
255 | ||
256 | export _H1="Content-Type: application/json" | |
257 | _iam_response="$(_post "$_jwt" "https://iam.api.cloud.yandex.net/iam/v1/tokens" "" "POST")" | |
258 | _debug3 _iam_response "$(echo "$_iam_response" | _normalizeJson)" | |
259 | ||
260 | YC_Token="$(echo "$_iam_response" | _normalizeJson | _egrep_o "\"iamToken\"[^,]*" | _egrep_o "[^:]*$" | tr -d '"')" | |
261 | _debug3 YC_Token | |
262 | ||
263 | return 0 | |
264 | } |