dnsapi/dns_edgedns.sh

   1 #!/usr/bin/env sh
   2
   3 # Akamai Edge DNS v2  API
   4 # User must provide Open Edgegrid API credentials to the EdgeDNS installation. The remote user in EdgeDNS must have CRUD access to
   5 # Edge DNS Zones and Recordsets, e.g. DNS—Zone Record Management authorization
   6
   7 # Report bugs to https://control.akamai.com/apps/support-ui/#/contact-support
   8
   9 # Values to export:
  10 # --EITHER--
  11 # *** NOT IMPLEMENTED YET ***
  12 # specify Edgegrid credentials file and section
  13 # AKAMAI_EDGERC=<full file path>
  14 # AKAMAI_EDGERC_SECTION="default"
  15 ## --OR--
  16 # specify indiviual credentials
  17 # export AKAMAI_HOST = <host>
  18 # export AKAMAI_ACCESS_TOKEN = <access token>
  19 # export AKAMAI_CLIENT_TOKEN = <client token>
  20 # export AKAMAI_CLIENT_SECRET = <client secret>
  21
  22 ACME_EDGEDNS_VERSION="0.1.0"
  23
  24 ########  Public functions #####################
  25
  26 # Usage: dns_edgedns_add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
  27 # Used to add txt record
  28 #
  29 dns_edgedns_add() {
  30   fulldomain=$1
  31   txtvalue=$2
  32
  33   _debug "ENTERING DNS_EDGEDNS_ADD"
  34
  35   _debug2 "fulldomain" "$fulldomain"
  36   _debug2 "txtvalue" "$txtvalue"
  37
  38   if ! _EDGEDNS_credentials; then
  39     _err "$@"
  40     return 1
  41   fi
  42
  43   if ! _EDGEDNS_getZoneInfo "$fulldomain"; then
  44     _err "Invalid domain"
  45     return 1
  46   fi
  47   _debug2 "Add: zone" "${zone}"
  48   acmeRecordURI=$(printf "%s/%s/names/%s/type/TXT" "${edge_endpoint}" "${zone}" "${fulldomain}")
  49   _debug3 "Add URL" "$acmeRecordURI"
  50   # Get existing TXT record
  51   _edge_result=$(_edgedns_rest GET "$acmeRecordURI")
  52   _api_status="$?"
  53   if [ "$_api_status" -ne 0 ] && [ "$_edge_result" != "404" ]; then
  54     _err "$(printf "Failure accessing Akamai Edge DNS API Server. Error: %s" "$_edge_result")"
  55     return 1
  56   fi
  57   rdata="\"$txtvalue\""
  58   record_op="POST"
  59   if [ "$_api_status" -eq 0 ]; then
  60     # record already exists. Get existing record data and update
  61     record_op="PUT"
  62     rdlist=$(echo -n "$response" | _egrep_o "\"rdata\"\\s*:\\s*\\[\\s*\"[^\"]*\"\\s*]" | cut -d : -f 2 | tr -d "[]\"")
  63     _debug2 "existing TXT found"
  64     _debug2 "record data" "$rdlist"
  65     # value already there?
  66     if _contains "$rdlist" "$txtvalue" ; then
  67       return 0
  68     fi
  69     comma=","
  70     rdata="$rdata$comma\"${txtvalue}\""
  71   fi
  72   _debug2 "new/updated rdata: " "${rdata}"
  73   # Add the txtvalue TXT Record
  74   body="{\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":600, \"rdata\":"[${rdata}]"}"
  75   _debug3 "Add body '${body}'"
  76   _edge_result=$(_edgedns_rest "$record_op" "$acmeRecordURI" "$body")
  77   _api_status="$?"
  78   if [ "$_api_status" -eq 0 ]; then
  79     _log "$(printf "Text value %s added to recordset %s" "${txtvalue}" "${fulldomain}")"
  80     return 0
  81   else
  82     _err "$(printf "error adding TXT record for validation. Error: %s" "$_edge_result")"
  83     return 1
  84   fi
  85 }
  86
  87 # Usage: dns_edgedns_rm   _acme-challenge.www.domain.com
  88 # Used to delete txt record
  89 #
  90 dns_edgedns_rm() {
  91   fulldomain=$1
  92 }
  93
  94 ####################  Private functions below ##################################
  95
  96 _EDGEDNS_credentials() {
  97   _debug "GettingEdge DNS credentials"
  98   _log $(printf "ACME DNSAPI Edge DNS version %s" ${ACME_EDGEDNS_VERSION})
  99   args_missing=0
 100   if [ -z "${AKAMAI_ACCESS_TOKEN}" ]; then
 101     AKAMAI_ACCESS_TOKEN=""
 102     AKAMAI_CLIENT_TOKEN=""
 103     AKAMAI_HOST=""
 104     AKAMAI_CLIENT_SECRET=""
 105     _err "AKAMAI_ACCESS_TOKEN is missing"
 106     args_missing=1
 107   fi
 108   if [ -z "$AKAMAI_CLIENT_TOKEN" ]; then
 109     AKAMAI_ACCESS_TOKEN=""
 110     AKAMAI_CLIENT_TOKEN=""
 111     AKAMAI_HOST=""
 112     AKAMAI_CLIENT_SECRET=""
 113     _err "AKAMAI_CLIENT_TOKEN is missing"
 114     args_missing=1
 115   fi
 116   if [ -z "${AKAMAI_HOST}" ]; then
 117     AKAMAI_ACCESS_TOKEN=""
 118     AKAMAI_CLIENT_TOKEN=""
 119     AKAMAI_HOST=""
 120     AKAMAI_CLIENT_SECRET=""
 121     _err "AKAMAI_HOST is missing"
 122     args_missing=1
 123   fi
 124   if [ -z "${AKAMAI_CLIENT_SECRET}" ]; then
 125     AKAMAI_ACCESS_TOKEN=""
 126     AKAMAI_CLIENT_TOKEN=""
 127     AKAMAI_HOST=""
 128     AKAMAI_CLIENT_SECRET=""
 129     _err "AKAMAI_CLIENT_SECRET is missing"
 130     args_missing=1
 131   fi
 132
 133   if [ "${args_missing}" = 1 ]; then
 134     _err "You have not properly specified the EdgeDNS Open Edgegrid API credentials. Please try again."
 135     return 1
 136   else
 137     _saveaccountconf_mutable AKAMAI_ACCESS_TOKEN "${AKAMAI_ACCESS_TOKEN}"
 138     _saveaccountconf_mutable AKAMAI_CLIENT_TOKEN "${AKAMAI_CLIENT_TOKEN}"
 139     _saveaccountconf_mutable AKAMAI_HOST "${AKAMAI_HOST}"
 140     _saveaccountconf_mutable AKAMAI_CLIENT_SECRET "${AKAMAI_CLIENT_SECRET}"
 141     # Set whether curl should use secure or insecure mode
 142   fi
 143   export HTTPS_INSECURE=0     # All Edgegrid API calls are secure
 144   edge_endpoint=$(printf "https://%s/config-dns/v2/zones" "${AKAMAI_HOST}")
 145   _debug3 "Edge API Endpoint:" "${edge_endpoint}"
 146
 147 }
 148
 149 _EDGEDNS_getZoneInfo() {
 150   _debug "Getting Zoneinfo"
 151   zoneEnd=false
 152   curZone=$1
 153   while [ -n "${zoneEnd}" ]; do
 154     # we can strip the first part of the fulldomain, since its just the _acme-challenge string
 155     curZone="${curZone#*.}"
 156     # suffix . needed for zone -> domain.tld.
 157     # create zone get url
 158     get_zone_url=$(printf "%s/%s" "${edge_endpoint}" "${curZone}")
 159     _debug3 "Zone Get: " "${get_zone_url}"
 160     curResult=$(_edgedns_rest GET "$get_zone_url")
 161     retVal=$?
 162     if [ $retVal -ne 0 ]; then
 163       if ["$curResult" != "404" ]; then
 164         _err "$(printf "Managed zone validation failed. Error response: %s" "$retVal")"
 165         return 1
 166       fi
 167     fi
 168
 169     if _contains "${curResult}" "\"zone\":" ; then
 170       _debug2 "Zone data" "${curResult}"
 171       zone=$(echo -n "${curResult}" | _egrep_o "\"zone\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"")
 172       _debug2 "Zone" "${zone}"
 173       zoneFound=""
 174       zoneEnd=""
 175       return 0
 176     fi
 177
 178     if [ "${curZone#*.}" != "$curZone" ]; then
 179       _debug2 $(printf "%s still contains a '.' - so we can check next higher level" "$curZone")
 180     else
 181       zoneEnd=true
 182       _err "Couldn't retrieve zone data."
 183       return 1
 184     fi
 185   done
 186   _err "Failed to  retrieve zone data."
 187   return 2
 188 }
 189
 190 _edgedns_headers=""
 191
 192 _edgedns_rest() {
 193   _debug "Handling API Request"
 194   m=$1
 195   # Assume endpoint is complete path, including query args if applicable
 196   ep=$2
 197   body_data=$3
 198   _edgedns_content_type=""
 199   _request_url_path="$ep"
 200   _request_body="$body_data"
 201   _request_method="$m"
 202   _edgedns_headers=""
 203   tab=""
 204   _edgedns_headers="${_edgedns_headers}${tab}Host: ${AKAMAI_HOST}"
 205   tab="\t"
 206   # Set in acme.sh _post/_get
 207   #_edgedns_headers="${_edgedns_headers}${tab}User-Agent:ACME DNSAPI Edge DNS version ${ACME_EDGEDNS_VERSION}"
 208   _edgedns_headers="${_edgedns_headers}${tab}Accept: application/json"
 209   if [ "$m" != "GET" ] && [ "$m" != "DELETE" ] ; then
 210     _edgedns_content_type="application/json;charset=UTF-8"
 211     _utf8_body_data="$(echo -n "$ _request_body" | iconv -t utf-8)"
 212     _utf8_body_len="$(echo -n "$_utf8_body_data"  | awk '{print length}')"
 213     _edgedns_headers="${_edgedns_headers}${tab}Content-Length: ${_utf8_body_len}"
 214   fi
 215   _made_auth_header=$(_edgedns_make_auth_header)
 216   _edgedns_headers="${_edgedns_headers}${tab}Authorization: ${_made_auth_header}"
 217   _secure_debug2 "Made Auth Header" "${_made_auth_header}"
 218   hdr_indx=1
 219   work_header="${_edgedns_headers}${tab}"
 220   _debug3 "work_header" "${work_header}"
 221   while [ "${work_header}" ]; do
 222     entry="${work_header%%\\t*}"; work_header="${work_header#*\\t}"
 223     export "$(printf "_H%s=%s" "${hdr_indx}" "${entry}")"
 224     _debug2 "Request Header " "${entry}"
 225     hdr_indx=$(( hdr_indx + 1 ))
 226   done
 227
 228   # clear headers from previous request to avoid getting wrong http code on timeouts
 229   :>"$HTTP_HEADER"
 230   _debug "$ep"
 231   if [ "$m" != "GET" ]; then
 232     _debug "Method data" "$data"
 233     # body  url [needbase64] [POST|PUT|DELETE] [ContentType]
 234     response="$(_post "$_utf8_body_data" "$ep" false "$m")"
 235   else
 236     response="$(_get "$ep")"
 237   fi
 238
 239   _ret="$?"
 240   _debug "response" "$response"
 241   _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
 242   _debug2 "http response code" "$_code"
 243
 244   if [ "$_code" = "200" ] || [ "$_code" = "201" ]; then
 245     # All good
 246     response="$(echo "$response" | _normalizeJson)"
 247     echo -n "${response}"
 248     return 0
 249   fi
 250
 251   if [ "$_code" = "204" ]; then
 252     # Success, no body
 253     echo -n ""
 254     return 0
 255   fi
 256
 257   if [ "$_code" = "400" ]; then
 258     _err "Bad request presented"
 259     _log "$(printf "Headers: %s" "$_edgedns_headers")"
 260     _log "$(printf "Method: %s" "$_request_method")"
 261     _log "$(printf "URL: %s" "$ep")"
 262     _log "$(printf "Data: %s" "$data")"
 263   fi
 264
 265   if [ "$_code" = "403" ]; then
 266     _err "access denied make sure your Edgegrid cedentials are correct."
 267   fi
 268
 269   echo "$_code"
 270   return 1
 271 }
 272
 273 _edgedns_eg_timestamp() {
 274   _eg_timestamp=$(date -u "+%Y%m%dT%H:%M:%S+0000")
 275 }
 276
 277 _edgedns_new_nonce() {
 278   _nonce=$(uuidgen -r)
 279 }
 280
 281 _edgedns_make_auth_header() {
 282   _debug "Constructing Auth Header"
 283   _edgedns_eg_timestamp
 284   _edgedns_new_nonce
 285   # "Unsigned authorization header: 'EG1-HMAC-SHA256 client_token=block;access_token=block;timestamp=20200806T14:16:33+0000;nonce=72cde72c-82d9-4721-9854-2ba057929d67;'"
 286   _auth_header="$(printf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "${AKAMAI_CLIENT_TOKEN}" "${AKAMAI_ACCESS_TOKEN}" "${_eg_timestamp}" "${_nonce}")"
 287   _secure_debug2 "Unsigned Auth Header: " "$_auth_header"
 288
 289   _sig="$(_edgedns_sign_request)"
 290   _signed_auth_header="$(printf "%ssignature=%s" "${_auth_header}" "${_sig}")"
 291   _secure_debug2 "Signed Auth Header: " "${_signed_auth_header}"
 292   echo -n "${_signed_auth_header}"
 293 }
 294
 295 _edgedns_sign_request() {
 296   _debug2 "Signing http request"
 297   _signed_data=$(_edgedns_make_data_to_sign "${_auth_header}")
 298   _secure_debug2 "Returned signed data" "$_signed_data"
 299   _key=$(_edgedns_make_signing_key "${_eg_timestamp}")
 300   _signed_req=$(_edgedns_base64_hmac_sha256 "$_signed_data" "$_key")
 301   _secure_debug2 "Signed Request" "${_signed_req}"
 302   echo -n "${_signed_req}"
 303 }
 304
 305 _edgedns_make_signing_key() {
 306   _debug2 "Creating sigining key"
 307   ts=$1
 308   _signing_key=$(_edgedns_base64_hmac_sha256 "$ts" "${AKAMAI_CLIENT_SECRET}")
 309   _secure_debug2 "Signing Key" "${_signing_key}"
 310   echo -n "${_signing_key}"
 311
 312 }
 313
 314 _edgedns_make_data_to_sign() {
 315   _debug2 "Processing data to sign"
 316   hdr=$1
 317   _secure_debug2 "hdr" "$hdr"
 318   content_hash=$(_edgedns_make_content_hash)
 319   path="$(echo -n "${_request_url_path}" |sed 's/https\?:\/\///')"
 320   path="${path#*$AKAMAI_HOST}"
 321   _debug "hier path" "${path}"
 322   # dont expose headers to sign so use MT string
 323   data="$(printf "%s\thttps\t%s\t%s\t%s\t%s\t%s" "${_request_method}" "${AKAMAI_HOST}" "${path}" "" "${content_hash}" "$hdr")"
 324   _secure_debug2 "Data to Sign" "${data}"
 325   echo -n "${data}"
 326 }
 327
 328 _edgedns_make_content_hash() {
 329   _debug2 "Generating content hash"
 330   prep_body=""
 331   _hash=""
 332   _debug2 "Request method" "${_request_method}"
 333   if [ "${_request_method}" != "POST" ] || [ -z "${_request_body}" ]; then
 334     echo -n "${prep_body}"
 335     return 0
 336   fi
 337   prep_body="$(echo -n "${_request_body}")"
 338   _debug2 "Req body" "${prep_body}"
 339   _hash=$(_edgedns_base64_sha256 "${prep_body}")
 340   _debug2 "Content hash" "${_hash}"
 341   echo -n "${_hash}"
 342 }
 343
 344 _edgedns_base64_hmac_sha256() {
 345   _debug2 "Generating hmac"
 346   data=$1
 347   key=$2
 348   encoded_data="$(echo -n "${data}" | iconv -t utf-8)"
 349   encoded_key="$(echo -n "${key}" | iconv -t utf-8)"
 350   _secure_debug2 "encoded data" "${encoded_data}"
 351   _secure_debug2 "encoded key" "${encoded_key}"
 352   #key_hex="$(_durl_replace_base64 "$key" | _dbase64 | _hex_dump | tr -d ' ')"
 353   #data_sig="$(printf "%s" "$encoded_data" | _hmac sha256 "${key_hex}" | _base64 | _url_replace)"
 354
 355   data_sig="$(echo -n "$encoded_data" | ${ACME_OPENSSL_BIN:-openssl} dgst -sha256 -hmac $encoded_key -binary | _base64)"
 356   _secure_debug2 "data_sig:" "${data_sig}"
 357   out="$(echo -n "${data_sig}" | iconv -f utf-8)"
 358   _secure_debug2 "hmac" "${out}"
 359   echo -n "${out}"
 360 }
 361
 362 _edgedns_base64_sha256() {
 363   _debug2 "Creating sha256 digest"
 364   trg=$1
 365   utf8_str="$(echo -n "${trg}" | iconv -t utf-8)"
 366   _secure_debug2 "digest data" "$trg"
 367   _secure_debug2 "encoded digest data" "${utf8_str}"
 368   digest="$(echo -n "${trg}" | ${ACME_OPENSSL_BIN:-openssl} dgst -sha256 -binary | _base64)"
 369   out="$(echo -n "${digest}" | iconv -f utf-8)"
 370   _secure_debug2 "digest decode" "${out}"
 371   echo -n "${out}"
 372 }
 373
 374 #_edgedns_parse_edgerc() {
 375 #  filepath=$1
 376 #  section=$2
 377 #}
 378
 379