[mirror_acme.sh.git] / dnsapi / dns_yc.sh

#!/usr/bin/env sh

#YC_Zone_ID="" # DNS Zone ID
#YC_Folder_ID="" # YC Folder ID
#YC_SA_ID="" # Service Account ID
#YC_SA_Key_ID="" # Service Account IAM Key ID
#YC_SA_Key_File_Path="/path/to/private.key" # Path to private.key use instead of YC_SA_Key_File_PEM_b64
#YC_SA_Key_File_PEM_b64="" # Base64 content of private.key use instead of YC_SA_Key_File_Path
YC_Api="https://dns.api.cloud.yandex.net/dns/v1"

########  Public functions #####################

#Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_yc_add() {
  fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name
  txtvalue=$2

  YC_SA_Key_File_PEM_b64="${YC_SA_Key_File_PEM_b64:-$(_readaccountconf_mutable YC_SA_Key_File_PEM_b64)}"
  YC_SA_Key_File_Path="${YC_SA_Key_File_Path:-$(_readaccountconf_mutable YC_SA_Key_File_Path)}"

  if [ "$YC_SA_Key_File_PEM_b64" ]; then
    echo "$YC_SA_Key_File_PEM_b64" | _dbase64 >private.key
    YC_SA_Key_File="private.key"
    _savedomainconf YC_SA_Key_File_PEM_b64 "$YC_SA_Key_File_PEM_b64"
  else
    YC_SA_Key_File="$YC_SA_Key_File_Path"
    _savedomainconf YC_SA_Key_File_Path "$YC_SA_Key_File_Path"
  fi

  YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}"
  YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}"
  YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}"
  YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}"

  if [ "$YC_SA_ID" ] && [ "$YC_SA_Key_ID" ] && [ "$YC_SA_Key_File" ]; then
    if [ -f "$YC_SA_Key_File" ]; then
      if _isRSA "$YC_SA_Key_File" >/dev/null 2>&1; then
        if [ "$YC_Zone_ID" ]; then
          _savedomainconf YC_Zone_ID "$YC_Zone_ID"
          _savedomainconf YC_SA_ID "$YC_SA_ID"
          _savedomainconf YC_SA_Key_ID "$YC_SA_Key_ID"
        elif [ "$YC_Folder_ID" ]; then
          _savedomainconf YC_Folder_ID "$YC_Folder_ID"
          _saveaccountconf_mutable YC_SA_ID "$YC_SA_ID"
          _saveaccountconf_mutable YC_SA_Key_ID "$YC_SA_Key_ID"
          _clearaccountconf_mutable YC_Zone_ID
          _clearaccountconf YC_Zone_ID
        else
          _err "You didn't specify a Yandex Cloud Zone ID or Folder ID yet."
          return 1
        fi
      else
        _err "YC_SA_Key_File not a RSA file(_isRSA function return false)."
        return 1
      fi
    else
      _err "YC_SA_Key_File not found in path $YC_SA_Key_File."
      return 1
    fi
  else
    _clearaccountconf YC_Zone_ID
    _clearaccountconf YC_Folder_ID
    _clearaccountconf YC_SA_ID
    _clearaccountconf YC_SA_Key_ID
    _clearaccountconf YC_SA_Key_File_PEM_b64
    _clearaccountconf YC_SA_Key_File_Path
    _err "You didn't specify a YC_SA_ID or YC_SA_Key_ID or YC_SA_Key_File."
    return 1
  fi

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _domain_id "$_domain_id"
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"

  _debug "Getting txt records"
  if ! _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then
    _err "Error: $response"
    return 1
  fi

  _info "Adding record"
  if _yc_rest POST "zones/$_domain_id:upsertRecordSets" "{\"merges\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":[\"$txtvalue\"]}]}"; then
    if _contains "$response" "\"done\": true"; then
      _info "Added, OK"
      return 0
    else
      _err "Add txt record error."
      return 1
    fi
  fi
  _err "Add txt record error."
  return 1

}

#fulldomain txtvalue
dns_yc_rm() {
  fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name
  txtvalue=$2

  YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}"
  YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}"
  YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}"
  YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}"

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _domain_id "$_domain_id"
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"

  _debug "Getting txt records"
  if _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then
    exists_txtvalue=$(echo "$response" | _normalizeJson | _egrep_o "\"data\".*\][^,]*" | _egrep_o "[^:]*$")
    _debug exists_txtvalue "$exists_txtvalue"
  else
    _err "Error: $response"
    return 1
  fi

  if _yc_rest POST "zones/$_domain_id:updateRecordSets" "{\"deletions\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":$exists_txtvalue}]}"; then
    if _contains "$response" "\"done\": true"; then
      _info "Delete, OK"
      return 0
    else
      _err "Delete record error."
      return 1
    fi
  fi
  _err "Delete record error."
  return 1
}

####################  Private functions below ##################################
#_acme-challenge.www.domain.com
#returns
# _sub_domain=_acme-challenge.www
# _domain=domain.com
# _domain_id=sdjkglgdfewsdfg
_get_root() {
  domain=$1
  i=1
  p=1

  # Use Zone ID directly if provided
  if [ "$YC_Zone_ID" ]; then
    if ! _yc_rest GET "zones/$YC_Zone_ID"; then
      return 1
    else
      if echo "$response" | tr -d " " | _egrep_o "\"id\":\"$YC_Zone_ID\"" >/dev/null; then
        _domain=$(echo "$response" | _egrep_o "\"zone\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
        if [ "$_domain" ]; then
          _cutlength=$((${#domain} - ${#_domain}))
          _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength")
          _domain_id=$YC_Zone_ID
          return 0
        else
          return 1
        fi
      else
        return 1
      fi
    fi
  fi

  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    _debug h "$h"
    if [ -z "$h" ]; then
      #not valid
      return 1
    fi
    if [ "$YC_Folder_ID" ]; then
      if ! _yc_rest GET "zones?folderId=$YC_Folder_ID"; then
        return 1
      fi
    else
      echo "You didn't specify a Yandex Cloud Folder ID."
      return 1
    fi
    if _contains "$response" "\"zone\": \"$h\""; then
      _domain_id=$(echo "$response" | _normalizeJson | _egrep_o "[^{]*\"zone\":\"$h\"[^}]*" | _egrep_o "\"id\"[^,]*" | _egrep_o "[^:]*$" | tr -d '"')
      _debug _domain_id "$_domain_id"
      if [ "$_domain_id" ]; then
        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
        _domain=$h
        return 0
      fi
      return 1
    fi
    p=$i
    i=$(_math "$i" + 1)
  done
  return 1
}

_yc_rest() {
  m=$1
  ep="$2"
  data="$3"
  _debug "$ep"

  if [ ! "$YC_Token" ]; then
    _debug "Login"
    _yc_login
  else
    _debug "Token already exists. Skip Login."
  fi

  token_trimmed=$(echo "$YC_Token" | tr -d '"')

  export _H1="Content-Type: application/json"
  export _H2="Authorization: Bearer $token_trimmed"

  if [ "$m" != "GET" ]; then
    _debug data "$data"
    response="$(_post "$data" "$YC_Api/$ep" "" "$m")"
  else
    response="$(_get "$YC_Api/$ep")"
  fi

  if [ "$?" != "0" ]; then
    _err "error $ep"
    return 1
  fi
  _debug2 response "$response"
  return 0
}

_yc_login() {
  header=$(echo "{\"typ\":\"JWT\",\"alg\":\"PS256\",\"kid\":\"$YC_SA_Key_ID\"}" | _normalizeJson | _base64 | _url_replace)
  _debug header "$header"

  _current_timestamp=$(_time)
  _expire_timestamp=$(_math "$_current_timestamp" + 1200) # 20 minutes
  payload=$(echo "{\"iss\":\"$YC_SA_ID\",\"aud\":\"https://iam.api.cloud.yandex.net/iam/v1/tokens\",\"iat\":$_current_timestamp,\"exp\":$_expire_timestamp}" | _normalizeJson | _base64 | _url_replace)
  _debug payload "$payload"

  #signature=$(printf "%s.%s" "$header" "$payload" | ${ACME_OPENSSL_BIN:-openssl} dgst -sign "$YC_SA_Key_File -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _base64 | _url_replace )
  _signature=$(printf "%s.%s" "$header" "$payload" | _sign "$YC_SA_Key_File" "sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _url_replace)
  _debug2 _signature "$_signature"

  rm -rf "$YC_SA_Key_File"

  _jwt=$(printf "{\"jwt\": \"%s.%s.%s\"}" "$header" "$payload" "$_signature")
  _debug2 _jwt "$_jwt"

  export _H1="Content-Type: application/json"
  _iam_response="$(_post "$_jwt" "https://iam.api.cloud.yandex.net/iam/v1/tokens" "" "POST")"
  _debug3 _iam_response "$(echo "$_iam_response" | _normalizeJson)"

  YC_Token="$(echo "$_iam_response" | _normalizeJson | _egrep_o "\"iamToken\"[^,]*" | _egrep_o "[^:]*$" | tr -d '"')"
  _debug3 YC_Token

  return 0
}
Commit	Line	Data
ec53b27d VS	1	#!/usr/bin/env sh
	2
	3	#YC_Zone_ID="" # DNS Zone ID
	4	#YC_Folder_ID="" # YC Folder ID
	5	#YC_SA_ID="" # Service Account ID
	6	#YC_SA_Key_ID="" # Service Account IAM Key ID
90623142 VS	7	#YC_SA_Key_File_Path="/path/to/private.key" # Path to private.key use instead of YC_SA_Key_File_PEM_b64
90623142 VS	8	#YC_SA_Key_File_PEM_b64="" # Base64 content of private.key use instead of YC_SA_Key_File_Path
ec53b27d VS	9	YC_Api="https://dns.api.cloud.yandex.net/dns/v1"
	10
	11	######## Public functions #####################
	12
	13	#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
	14	dns_yc_add() {
	15	fulldomain="$(echo "$1". \| _lower_case)" # Add dot at end of domain name
	16	txtvalue=$2
	17
90623142 VS	18	YC_SA_Key_File_PEM_b64="${YC_SA_Key_File_PEM_b64:-$(_readaccountconf_mutable YC_SA_Key_File_PEM_b64)}"
	19	YC_SA_Key_File_Path="${YC_SA_Key_File_Path:-$(_readaccountconf_mutable YC_SA_Key_File_Path)}"
	20
	21	if [ "$YC_SA_Key_File_PEM_b64" ]; then
4e5d4b96	22	echo "$YC_SA_Key_File_PEM_b64" \| _dbase64 >private.key
90623142 VS	23	YC_SA_Key_File="private.key"
90623142 VS	24	_savedomainconf YC_SA_Key_File_PEM_b64 "$YC_SA_Key_File_PEM_b64"
ec53b27d	25	else
90623142 VS	26	YC_SA_Key_File="$YC_SA_Key_File_Path"
90623142 VS	27	_savedomainconf YC_SA_Key_File_Path "$YC_SA_Key_File_Path"
ec53b27d VS	28	fi
	29
	30	YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}"
	31	YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}"
	32	YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}"
	33	YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}"
90623142	34
ec53b27d VS	35	if [ "$YC_SA_ID" ] && [ "$YC_SA_Key_ID" ] && [ "$YC_SA_Key_File" ]; then
	36	if [ -f "$YC_SA_Key_File" ]; then
	37	if _isRSA "$YC_SA_Key_File" >/dev/null 2>&1; then
	38	if [ "$YC_Zone_ID" ]; then
	39	_savedomainconf YC_Zone_ID "$YC_Zone_ID"
	40	_savedomainconf YC_SA_ID "$YC_SA_ID"
	41	_savedomainconf YC_SA_Key_ID "$YC_SA_Key_ID"
ec53b27d VS	42	elif [ "$YC_Folder_ID" ]; then
	43	_savedomainconf YC_Folder_ID "$YC_Folder_ID"
	44	_saveaccountconf_mutable YC_SA_ID "$YC_SA_ID"
	45	_saveaccountconf_mutable YC_SA_Key_ID "$YC_SA_Key_ID"
ec53b27d VS	46	_clearaccountconf_mutable YC_Zone_ID
	47	_clearaccountconf YC_Zone_ID
	48	else
	49	_err "You didn't specify a Yandex Cloud Zone ID or Folder ID yet."
	50	return 1
	51	fi
	52	else
	53	_err "YC_SA_Key_File not a RSA file(_isRSA function return false)."
	54	return 1
	55	fi
	56	else
	57	_err "YC_SA_Key_File not found in path $YC_SA_Key_File."
	58	return 1
	59	fi
	60	else
	61	_clearaccountconf YC_Zone_ID
	62	_clearaccountconf YC_Folder_ID
	63	_clearaccountconf YC_SA_ID
	64	_clearaccountconf YC_SA_Key_ID
90623142 VS	65	_clearaccountconf YC_SA_Key_File_PEM_b64
90623142 VS	66	_clearaccountconf YC_SA_Key_File_Path
ec53b27d VS	67	_err "You didn't specify a YC_SA_ID or YC_SA_Key_ID or YC_SA_Key_File."
	68	return 1
	69	fi
	70
	71	_debug "First detect the root zone"
	72	if ! _get_root "$fulldomain"; then
	73	_err "invalid domain"
	74	return 1
	75	fi
	76	_debug _domain_id "$_domain_id"
	77	_debug _sub_domain "$_sub_domain"
	78	_debug _domain "$_domain"
	79
	80	_debug "Getting txt records"
	81	if ! _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then
	82	_err "Error: $response"
	83	return 1
	84	fi
	85
	86	_info "Adding record"
	87	if _yc_rest POST "zones/$_domain_id:upsertRecordSets" "{\"merges\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":[\"$txtvalue\"]}]}"; then
	88	if _contains "$response" "\"done\": true"; then
	89	_info "Added, OK"
	90	return 0
	91	else
	92	_err "Add txt record error."
	93	return 1
	94	fi
	95	fi
	96	_err "Add txt record error."
	97	return 1
	98
	99	}
	100
	101	#fulldomain txtvalue
	102	dns_yc_rm() {
	103	fulldomain="$(echo "$1". \| _lower_case)" # Add dot at end of domain name
	104	txtvalue=$2
	105
	106	YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}"
	107	YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}"
	108	YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}"
	109	YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}"
ec53b27d VS	110
	111	_debug "First detect the root zone"
	112	if ! _get_root "$fulldomain"; then
	113	_err "invalid domain"
	114	return 1
	115	fi
	116	_debug _domain_id "$_domain_id"
	117	_debug _sub_domain "$_sub_domain"
	118	_debug _domain "$_domain"
	119
	120	_debug "Getting txt records"
	121	if _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then
	122	exists_txtvalue=$(echo "$response" \| _normalizeJson \| _egrep_o "\"data\".\][^,]" \| _egrep_o "[^:]*$")
	123	_debug exists_txtvalue "$exists_txtvalue"
	124	else
	125	_err "Error: $response"
	126	return 1
	127	fi
	128
	129	if _yc_rest POST "zones/$_domain_id:updateRecordSets" "{\"deletions\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":$exists_txtvalue}]}"; then
	130	if _contains "$response" "\"done\": true"; then
	131	_info "Delete, OK"
	132	return 0
	133	else
	134	_err "Delete record error."
	135	return 1
	136	fi
	137	fi
	138	_err "Delete record error."
	139	return 1
	140	}
	141
	142	#################### Private functions below ##################################
	143	#_acme-challenge.www.domain.com
	144	#returns
	145	# _sub_domain=_acme-challenge.www
	146	# _domain=domain.com
	147	# _domain_id=sdjkglgdfewsdfg
	148	_get_root() {
	149	domain=$1
	150	i=1
	151	p=1
	152
	153	# Use Zone ID directly if provided
	154	if [ "$YC_Zone_ID" ]; then
	155	if ! _yc_rest GET "zones/$YC_Zone_ID"; then
	156	return 1
	157	else
4e5d4b96	158	if echo "$response" \| tr -d " " \| _egrep_o "\"id\":\"$YC_Zone_ID\"" >/dev/null; then
ec53b27d VS	159	_domain=$(echo "$response" \| _egrep_o "\"zone\": \"[^\"]\"" \| cut -d : -f 2 \| tr -d \" \| _head_n 1 \| tr -d " ")
	160	if [ "$_domain" ]; then
	161	_cutlength=$((${#domain} - ${#_domain}))
	162	_sub_domain=$(printf "%s" "$domain" \| cut -c "1-$_cutlength")
	163	_domain_id=$YC_Zone_ID
	164	return 0
	165	else
	166	return 1
	167	fi
	168	else
	169	return 1
	170	fi
	171	fi
	172	fi
	173
	174	while true; do
	175	h=$(printf "%s" "$domain" \| cut -d . -f $i-100)
	176	_debug h "$h"
	177	if [ -z "$h" ]; then
	178	#not valid
	179	return 1
	180	fi
	181	if [ "$YC_Folder_ID" ]; then
	182	if ! _yc_rest GET "zones?folderId=$YC_Folder_ID"; then
	183	return 1
	184	fi
	185	else
	186	echo "You didn't specify a Yandex Cloud Folder ID."
	187	return 1
	188	fi
	189	if _contains "$response" "\"zone\": \"$h\""; then
	190	_domain_id=$(echo "$response" \| _normalizeJson \| _egrep_o "[^{]\"zone\":\"$h\"[^}]" \| _egrep_o "\"id\"[^,]" \| _egrep_o "[^:]$" \| tr -d '"')
	191	_debug _domain_id "$_domain_id"
	192	if [ "$_domain_id" ]; then
	193	_sub_domain=$(printf "%s" "$domain" \| cut -d . -f 1-$p)
	194	_domain=$h
	195	return 0
	196	fi
	197	return 1
	198	fi
	199	p=$i
	200	i=$(_math "$i" + 1)
	201	done
	202	return 1
	203	}
	204
	205	_yc_rest() {
	206	m=$1
	207	ep="$2"
	208	data="$3"
	209	_debug "$ep"
	210
	211	if [ ! "$YC_Token" ]; then
	212	_debug "Login"
	213	_yc_login
	214	else
	215	_debug "Token already exists. Skip Login."
	216	fi
	217
	218	token_trimmed=$(echo "$YC_Token" \| tr -d '"')
	219
	220	export _H1="Content-Type: application/json"
	221	export _H2="Authorization: Bearer $token_trimmed"
	222
223	if [ "$m" != "GET" ]; then
224	_debug data "$data"
225	response="$(_post "$data" "$YC_Api/$ep" "" "$m")"
226	else
227	response="$(_get "$YC_Api/$ep")"
228	fi
229
230	if [ "$?" != "0" ]; then
231	_err "error $ep"
232	return 1
233	fi
234	_debug2 response "$response"
235	return 0
236	}
237
238	_yc_login() {
239	header=$(echo "{\"typ\":\"JWT\",\"alg\":\"PS256\",\"kid\":\"$YC_SA_Key_ID\"}" \| _normalizeJson \| _base64 \| _url_replace)
240	_debug header "$header"
4e5d4b96	241
ec53b27d	242	_current_timestamp=$(_time)
4e5d4b96	243	_expire_timestamp=$(_math "$_current_timestamp" + 1200) # 20 minutes
ec53b27d VS	244	payload=$(echo "{\"iss\":\"$YC_SA_ID\",\"aud\":\"https://iam.api.cloud.yandex.net/iam/v1/tokens\",\"iat\":$_current_timestamp,\"exp\":$_expire_timestamp}" \| _normalizeJson \| _base64 \| _url_replace)
	245	_debug payload "$payload"
	246
	247	#signature=$(printf "%s.%s" "$header" "$payload" \| ${ACME_OPENSSL_BIN:-openssl} dgst -sign "$YC_SA_Key_File -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" \| _base64 \| _url_replace )
	248	_signature=$(printf "%s.%s" "$header" "$payload" \| _sign "$YC_SA_Key_File" "sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" \| _url_replace)
	249	_debug2 _signature "$_signature"
4e5d4b96	250
90623142	251	rm -rf "$YC_SA_Key_File"
ec53b27d VS	252
	253	_jwt=$(printf "{\"jwt\": \"%s.%s.%s\"}" "$header" "$payload" "$_signature")
	254	_debug2 _jwt "$_jwt"
	255
	256	export _H1="Content-Type: application/json"
	257	_iam_response="$(_post "$_jwt" "https://iam.api.cloud.yandex.net/iam/v1/tokens" "" "POST")"
	258	_debug3 _iam_response "$(echo "$_iam_response" \| _normalizeJson)"
	259
	260	YC_Token="$(echo "$_iam_response" \| _normalizeJson \| _egrep_o "\"iamToken\"[^,]" \| _egrep_o "[^:]$" \| tr -d '"')"
	261	_debug3 YC_Token
	262
	263	return 0
	264	}