3 # Akamai Edge DNS v2 API
4 # User must provide Open Edgegrid API credentials to the EdgeDNS installation. The remote user in EdgeDNS must have CRUD access to
5 # Edge DNS Zones and Recordsets, e.g. DNS—Zone Record Management authorization
7 # Report bugs to https://control.akamai.com/apps/support-ui/#/contact-support
11 # *** NOT IMPLEMENTED YET ***
12 # specify Edgegrid credentials file and section
13 # AKAMAI_EDGERC=<full file path>
14 # AKAMAI_EDGERC_SECTION="default"
16 # specify indiviual credentials
17 # export AKAMAI_HOST = <host>
18 # export AKAMAI_ACCESS_TOKEN = <access token>
19 # export AKAMAI_CLIENT_TOKEN = <client token>
20 # export AKAMAI_CLIENT_SECRET = <client secret>
22 ACME_EDGEDNS_VERSION
="0.1.0"
24 ######## Public functions #####################
26 # Usage: dns_edgedns_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
27 # Used to add txt record
33 _debug
"ENTERING DNS_EDGEDNS_ADD"
35 _debug2
"fulldomain" "$fulldomain"
36 _debug2
"txtvalue" "$txtvalue"
38 if ! _EDGEDNS_credentials
; then
43 if ! _EDGEDNS_getZoneInfo
"$fulldomain"; then
47 _debug2
"Add: zone" "${zone}"
48 acmeRecordURI
=$
(printf "%s/%s/names/%s/type/TXT" "${edge_endpoint}" "${zone}" "${fulldomain}")
49 _debug3
"Add URL" "$acmeRecordURI"
50 # Get existing TXT record
51 _edge_result
=$
(_edgedns_rest GET
"$acmeRecordURI")
53 if [ "$_api_status" -ne 0 ] && [ "$_edge_result" != "404" ]; then
54 _err
"$(printf "Failure accessing Akamai Edge DNS API Server. Error
: %s
" "$_edge_result")"
59 if [ "$_api_status" -eq 0 ]; then
60 # record already exists. Get existing record data and update
62 rdlist
=$
(echo -n "$response" | _egrep_o
"\"rdata\"\\s*:\\s*\\[\\s*\"[^\"]*\"\\s*]" | cut
-d : -f 2 |
tr -d "[]\"")
63 _debug2
"existing TXT found"
64 _debug2
"record data" "$rdlist"
65 # value already there?
66 if _contains
"$rdlist" "$txtvalue" ; then
70 rdata
="$rdata$comma\"${txtvalue}\""
72 _debug2
"new/updated rdata: " "${rdata}"
73 # Add the txtvalue TXT Record
74 body
="{\"name\":\"$fulldomain\",\"type\":\"TXT\",\"ttl\":600, \"rdata\":"[${rdata}]"}"
75 _debug3
"Add body '${body}'"
76 _edge_result
=$
(_edgedns_rest
"$record_op" "$acmeRecordURI" "$body")
78 if [ "$_api_status" -eq 0 ]; then
79 _log
"$(printf "Text value
%s added to recordset
%s
" "${txtvalue}" "${fulldomain}")"
82 _err
"$(printf "error adding TXT record
for validation. Error
: %s
" "$_edge_result")"
87 # Usage: dns_edgedns_rm _acme-challenge.www.domain.com
88 # Used to delete txt record
94 #################### Private functions below ##################################
96 _EDGEDNS_credentials
() {
97 _debug
"GettingEdge DNS credentials"
98 _log $
(printf "ACME DNSAPI Edge DNS version %s" ${ACME_EDGEDNS_VERSION})
100 if [ -z "${AKAMAI_ACCESS_TOKEN}" ]; then
101 AKAMAI_ACCESS_TOKEN
=""
102 AKAMAI_CLIENT_TOKEN
=""
104 AKAMAI_CLIENT_SECRET
=""
105 _err
"AKAMAI_ACCESS_TOKEN is missing"
108 if [ -z "$AKAMAI_CLIENT_TOKEN" ]; then
109 AKAMAI_ACCESS_TOKEN
=""
110 AKAMAI_CLIENT_TOKEN
=""
112 AKAMAI_CLIENT_SECRET
=""
113 _err
"AKAMAI_CLIENT_TOKEN is missing"
116 if [ -z "${AKAMAI_HOST}" ]; then
117 AKAMAI_ACCESS_TOKEN
=""
118 AKAMAI_CLIENT_TOKEN
=""
120 AKAMAI_CLIENT_SECRET
=""
121 _err
"AKAMAI_HOST is missing"
124 if [ -z "${AKAMAI_CLIENT_SECRET}" ]; then
125 AKAMAI_ACCESS_TOKEN
=""
126 AKAMAI_CLIENT_TOKEN
=""
128 AKAMAI_CLIENT_SECRET
=""
129 _err
"AKAMAI_CLIENT_SECRET is missing"
133 if [ "${args_missing}" = 1 ]; then
134 _err
"You have not properly specified the EdgeDNS Open Edgegrid API credentials. Please try again."
137 _saveaccountconf_mutable AKAMAI_ACCESS_TOKEN
"${AKAMAI_ACCESS_TOKEN}"
138 _saveaccountconf_mutable AKAMAI_CLIENT_TOKEN
"${AKAMAI_CLIENT_TOKEN}"
139 _saveaccountconf_mutable AKAMAI_HOST
"${AKAMAI_HOST}"
140 _saveaccountconf_mutable AKAMAI_CLIENT_SECRET
"${AKAMAI_CLIENT_SECRET}"
141 # Set whether curl should use secure or insecure mode
143 export HTTPS_INSECURE
=0 # All Edgegrid API calls are secure
144 edge_endpoint
=$
(printf "https://%s/config-dns/v2/zones" "${AKAMAI_HOST}")
145 _debug3
"Edge API Endpoint:" "${edge_endpoint}"
149 _EDGEDNS_getZoneInfo
() {
150 _debug
"Getting Zoneinfo"
153 while [ -n "${zoneEnd}" ]; do
154 # we can strip the first part of the fulldomain, since its just the _acme-challenge string
155 curZone
="${curZone#*.}"
156 # suffix . needed for zone -> domain.tld.
157 # create zone get url
158 get_zone_url
=$
(printf "%s/%s" "${edge_endpoint}" "${curZone}")
159 _debug3
"Zone Get: " "${get_zone_url}"
160 curResult
=$
(_edgedns_rest GET
"$get_zone_url")
162 if [ $retVal -ne 0 ]; then
163 if ["$curResult" != "404" ]; then
164 _err
"$(printf "Managed zone validation failed. Error response
: %s
" "$retVal")"
169 if _contains
"${curResult}" "\"zone\":" ; then
170 _debug2
"Zone data" "${curResult}"
171 zone
=$
(echo -n "${curResult}" | _egrep_o
"\"zone\"\\s*:\\s*\"[^\"]*\"" | _head_n
1 | cut
-d : -f 2 |
tr -d "\"")
172 _debug2
"Zone" "${zone}"
178 if [ "${curZone#*.}" != "$curZone" ]; then
179 _debug2 $
(printf "%s still contains a '.' - so we can check next higher level" "$curZone")
182 _err
"Couldn't retrieve zone data."
186 _err
"Failed to retrieve zone data."
193 _debug
"Handling API Request"
195 # Assume endpoint is complete path, including query args if applicable
198 _edgedns_content_type
=""
199 _request_url_path
="$ep"
200 _request_body
="$body_data"
204 _edgedns_headers
="${_edgedns_headers}${tab}Host: ${AKAMAI_HOST}"
206 # Set in acme.sh _post/_get
207 #_edgedns_headers="${_edgedns_headers}${tab}User-Agent:ACME DNSAPI Edge DNS version ${ACME_EDGEDNS_VERSION}"
208 _edgedns_headers
="${_edgedns_headers}${tab}Accept: application/json"
209 if [ "$m" != "GET" ] && [ "$m" != "DELETE" ] ; then
210 _edgedns_content_type
="application/json;charset=UTF-8"
211 _utf8_body_data
="$(echo -n "$ _request_body
" | iconv -t utf-8)"
212 _utf8_body_len
="$(echo -n "$_utf8_body_data" | awk '{print length}')"
213 _edgedns_headers
="${_edgedns_headers}${tab}Content-Length: ${_utf8_body_len}"
215 _made_auth_header
=$
(_edgedns_make_auth_header
)
216 _edgedns_headers
="${_edgedns_headers}${tab}Authorization: ${_made_auth_header}"
217 _secure_debug2
"Made Auth Header" "${_made_auth_header}"
219 work_header
="${_edgedns_headers}${tab}"
220 _debug3
"work_header" "${work_header}"
221 while [ "${work_header}" ]; do
222 entry
="${work_header%%\\t*}"; work_header
="${work_header#*\\t}"
223 export "$(printf "_H
%s
=%s
" "${hdr_indx}" "${entry}")"
224 _debug2
"Request Header " "${entry}"
225 hdr_indx
=$
(( hdr_indx
+ 1 ))
228 # clear headers from previous request to avoid getting wrong http code on timeouts
231 if [ "$m" != "GET" ]; then
232 _debug
"Method data" "$data"
233 # body url [needbase64] [POST|PUT|DELETE] [ContentType]
234 response
="$(_post "$_utf8_body_data" "$ep" false "$m")"
236 response
="$(_get "$ep")"
240 _debug
"response" "$response"
241 _code
="$(grep "^HTTP
" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r
\\n
")"
242 _debug2
"http response code" "$_code"
244 if [ "$_code" = "200" ] ||
[ "$_code" = "201" ]; then
246 response
="$(echo "$response" | _normalizeJson)"
247 echo -n "${response}"
251 if [ "$_code" = "204" ]; then
257 if [ "$_code" = "400" ]; then
258 _err
"Bad request presented"
259 _log
"$(printf "Headers
: %s
" "$_edgedns_headers")"
260 _log
"$(printf "Method
: %s
" "$_request_method")"
261 _log
"$(printf "URL
: %s
" "$ep")"
262 _log
"$(printf "Data
: %s
" "$data")"
265 if [ "$_code" = "403" ]; then
266 _err
"access denied make sure your Edgegrid cedentials are correct."
273 _edgedns_eg_timestamp
() {
274 _eg_timestamp
=$
(date -u "+%Y%m%dT%H:%M:%S+0000")
277 _edgedns_new_nonce
() {
281 _edgedns_make_auth_header
() {
282 _debug
"Constructing Auth Header"
283 _edgedns_eg_timestamp
285 # "Unsigned authorization header: 'EG1-HMAC-SHA256 client_token=block;access_token=block;timestamp=20200806T14:16:33+0000;nonce=72cde72c-82d9-4721-9854-2ba057929d67;'"
286 _auth_header
="$(printf "EG1-HMAC-SHA256 client_token
=%s
;access_token
=%s
;timestamp
=%s
;nonce
=%s
;" "${AKAMAI_CLIENT_TOKEN}" "${AKAMAI_ACCESS_TOKEN}" "${_eg_timestamp}" "${_nonce}")"
287 _secure_debug2
"Unsigned Auth Header: " "$_auth_header"
289 _sig
="$(_edgedns_sign_request)"
290 _signed_auth_header
="$(printf "%ssignature
=%s
" "${_auth_header}" "${_sig}")"
291 _secure_debug2
"Signed Auth Header: " "${_signed_auth_header}"
292 echo -n "${_signed_auth_header}"
295 _edgedns_sign_request
() {
296 _debug2
"Signing http request"
297 _signed_data
=$
(_edgedns_make_data_to_sign
"${_auth_header}")
298 _secure_debug2
"Returned signed data" "$_signed_data"
299 _key
=$
(_edgedns_make_signing_key
"${_eg_timestamp}")
300 _signed_req
=$
(_edgedns_base64_hmac_sha256
"$_signed_data" "$_key")
301 _secure_debug2
"Signed Request" "${_signed_req}"
302 echo -n "${_signed_req}"
305 _edgedns_make_signing_key
() {
306 _debug2
"Creating sigining key"
308 _signing_key
=$
(_edgedns_base64_hmac_sha256
"$ts" "${AKAMAI_CLIENT_SECRET}")
309 _secure_debug2
"Signing Key" "${_signing_key}"
310 echo -n "${_signing_key}"
314 _edgedns_make_data_to_sign
() {
315 _debug2
"Processing data to sign"
317 _secure_debug2
"hdr" "$hdr"
318 content_hash
=$
(_edgedns_make_content_hash
)
319 path
="$(echo -n "${_request_url_path}" |sed 's/https\?:\/\///')"
320 path
="${path#*$AKAMAI_HOST}"
321 _debug
"hier path" "${path}"
322 # dont expose headers to sign so use MT string
323 data
="$(printf "%s
\thttps
\t%s
\t%s
\t%s
\t%s
\t%s
" "${_request_method}" "${AKAMAI_HOST}" "${path}" "" "${content_hash}" "$hdr")"
324 _secure_debug2
"Data to Sign" "${data}"
328 _edgedns_make_content_hash
() {
329 _debug2
"Generating content hash"
332 _debug2
"Request method" "${_request_method}"
333 if [ "${_request_method}" != "POST" ] ||
[ -z "${_request_body}" ]; then
334 echo -n "${prep_body}"
337 prep_body
="$(echo -n "${_request_body}")"
338 _debug2
"Req body" "${prep_body}"
339 _hash
=$
(_edgedns_base64_sha256
"${prep_body}")
340 _debug2
"Content hash" "${_hash}"
344 _edgedns_base64_hmac_sha256
() {
345 _debug2
"Generating hmac"
348 encoded_data
="$(echo -n "${data}" | iconv -t utf-8)"
349 encoded_key
="$(echo -n "${key}" | iconv -t utf-8)"
350 _secure_debug2
"encoded data" "${encoded_data}"
351 _secure_debug2
"encoded key" "${encoded_key}"
352 #key_hex="$(_durl_replace_base64 "$key" | _dbase64 | _hex_dump | tr -d ' ')"
353 #data_sig="$(printf "%s" "$encoded_data" | _hmac sha256 "${key_hex}" | _base64 | _url_replace)"
355 data_sig
="$(echo -n "$encoded_data" | ${ACME_OPENSSL_BIN:-openssl} dgst -sha256 -hmac $encoded_key -binary | _base64)"
356 _secure_debug2
"data_sig:" "${data_sig}"
357 out
="$(echo -n "${data_sig}" | iconv -f utf-8)"
358 _secure_debug2
"hmac" "${out}"
362 _edgedns_base64_sha256
() {
363 _debug2
"Creating sha256 digest"
365 utf8_str
="$(echo -n "${trg}" | iconv -t utf-8)"
366 _secure_debug2
"digest data" "$trg"
367 _secure_debug2
"encoded digest data" "${utf8_str}"
368 digest
="$(echo -n "${trg}" | ${ACME_OPENSSL_BIN:-openssl} dgst -sha256 -binary | _base64)"
369 out
="$(echo -n "${digest}" | iconv -f utf-8)"
370 _secure_debug2
"digest decode" "${out}"
374 #_edgedns_parse_edgerc() {