2018-05-04 15:00:43 -07:00
|
|
|
import time
|
|
|
|
|
|
2018-05-29 10:18:16 -07:00
|
|
|
import dns
|
2018-05-07 09:58:24 -07:00
|
|
|
import dns.exception
|
2018-05-29 10:18:16 -07:00
|
|
|
import dns.name
|
|
|
|
|
import dns.query
|
|
|
|
|
import dns.resolver
|
2019-04-25 13:50:41 -07:00
|
|
|
from dyn.tm.errors import DynectCreateError, DynectDeleteError, DynectGetError, DynectUpdateError
|
2018-05-04 15:00:43 -07:00
|
|
|
from dyn.tm.session import DynectSession
|
2018-06-13 14:08:39 -07:00
|
|
|
from dyn.tm.zones import Node, Zone, get_all_zones
|
2018-05-04 15:00:43 -07:00
|
|
|
from flask import current_app
|
|
|
|
|
|
2019-04-24 15:26:23 -07:00
|
|
|
from lemur.extensions import metrics, sentry
|
|
|
|
|
|
2018-05-04 15:00:43 -07:00
|
|
|
|
2018-05-08 11:03:17 -07:00
|
|
|
def get_dynect_session():
|
2019-04-24 15:26:23 -07:00
|
|
|
try:
|
|
|
|
|
dynect_session = DynectSession(
|
|
|
|
|
current_app.config.get('ACME_DYN_CUSTOMER_NAME', ''),
|
|
|
|
|
current_app.config.get('ACME_DYN_USERNAME', ''),
|
|
|
|
|
current_app.config.get('ACME_DYN_PASSWORD', ''),
|
|
|
|
|
)
|
|
|
|
|
except Exception as e:
|
|
|
|
|
sentry.captureException()
|
|
|
|
|
metrics.send('get_dynect_session_fail', 'counter', 1)
|
|
|
|
|
current_app.logger.debug("Unable to establish connection to Dyn", exc_info=True)
|
|
|
|
|
raise
|
2018-05-08 11:03:17 -07:00
|
|
|
return dynect_session
|
2018-05-04 15:00:43 -07:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def _has_dns_propagated(name, token):
|
|
|
|
|
txt_records = []
|
|
|
|
|
try:
|
|
|
|
|
dns_resolver = dns.resolver.Resolver()
|
2018-05-29 10:18:16 -07:00
|
|
|
dns_resolver.nameservers = [get_authoritative_nameserver(name)]
|
2018-05-04 15:00:43 -07:00
|
|
|
dns_response = dns_resolver.query(name, 'TXT')
|
|
|
|
|
for rdata in dns_response:
|
|
|
|
|
for txt_record in rdata.strings:
|
|
|
|
|
txt_records.append(txt_record.decode("utf-8"))
|
|
|
|
|
except dns.exception.DNSException:
|
2019-04-24 15:26:23 -07:00
|
|
|
metrics.send('has_dns_propagated_fail', 'counter', 1)
|
2018-05-04 15:00:43 -07:00
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
for txt_record in txt_records:
|
|
|
|
|
if txt_record == token:
|
2019-04-24 15:26:23 -07:00
|
|
|
metrics.send('has_dns_propagated_success', 'counter', 1)
|
2018-05-04 15:00:43 -07:00
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def wait_for_dns_change(change_id, account_number=None):
|
|
|
|
|
fqdn, token = change_id
|
2019-04-25 13:50:41 -07:00
|
|
|
number_of_attempts = 20
|
2018-06-13 15:14:48 -07:00
|
|
|
for attempts in range(0, number_of_attempts):
|
2018-05-04 15:00:43 -07:00
|
|
|
status = _has_dns_propagated(fqdn, token)
|
|
|
|
|
current_app.logger.debug("Record status for fqdn: {}: {}".format(fqdn, status))
|
|
|
|
|
if status:
|
2019-04-24 15:26:23 -07:00
|
|
|
metrics.send('wait_for_dns_change_success', 'counter', 1)
|
2018-05-04 15:00:43 -07:00
|
|
|
break
|
2019-04-25 13:50:41 -07:00
|
|
|
time.sleep(10)
|
2018-06-13 15:14:48 -07:00
|
|
|
if not status:
|
2018-08-13 14:22:59 -07:00
|
|
|
# TODO: Delete associated DNS text record here
|
2019-04-24 15:26:23 -07:00
|
|
|
metrics.send('wait_for_dns_change_fail', 'counter', 1)
|
2019-04-25 13:50:41 -07:00
|
|
|
sentry.captureException(
|
|
|
|
|
extra={
|
|
|
|
|
"fqdn": fqdn, "txt_record": token}
|
|
|
|
|
)
|
|
|
|
|
metrics.send('wait_for_dns_change_error', 'counter', 1,
|
|
|
|
|
metric_tags={'fqdn': fqdn, 'txt_record': token})
|
2018-06-13 15:14:48 -07:00
|
|
|
raise Exception("Unable to query DNS token for fqdn {}.".format(fqdn))
|
2018-05-04 15:00:43 -07:00
|
|
|
return
|
|
|
|
|
|
|
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
def get_zone_name(domain):
|
|
|
|
|
zones = get_all_zones()
|
|
|
|
|
|
|
|
|
|
zone_name = ""
|
|
|
|
|
|
|
|
|
|
for z in zones:
|
|
|
|
|
if domain.endswith(z.name):
|
|
|
|
|
# Find the most specific zone possible for the domain
|
|
|
|
|
# Ex: If fqdn is a.b.c.com, there is a zone for c.com,
|
|
|
|
|
# and a zone for b.c.com, we want to use b.c.com.
|
|
|
|
|
if z.name.count(".") > zone_name.count("."):
|
|
|
|
|
zone_name = z.name
|
|
|
|
|
if not zone_name:
|
2019-04-24 15:26:23 -07:00
|
|
|
metrics.send('dyn_no_zone_name', 'counter', 1)
|
2018-06-13 14:08:39 -07:00
|
|
|
raise Exception("No Dyn zone found for domain: {}".format(domain))
|
|
|
|
|
return zone_name
|
|
|
|
|
|
|
|
|
|
|
2018-08-13 14:22:59 -07:00
|
|
|
def get_zones(account_number):
|
|
|
|
|
get_dynect_session()
|
|
|
|
|
zones = get_all_zones()
|
|
|
|
|
zone_list = []
|
|
|
|
|
for zone in zones:
|
|
|
|
|
zone_list.append(zone.name)
|
|
|
|
|
return zone_list
|
|
|
|
|
|
|
|
|
|
|
2018-05-04 15:00:43 -07:00
|
|
|
def create_txt_record(domain, token, account_number):
|
2018-05-08 11:03:17 -07:00
|
|
|
get_dynect_session()
|
2018-06-13 14:08:39 -07:00
|
|
|
zone_name = get_zone_name(domain)
|
2018-05-04 15:00:43 -07:00
|
|
|
zone_parts = len(zone_name.split('.'))
|
|
|
|
|
node_name = '.'.join(domain.split('.')[:-zone_parts])
|
|
|
|
|
fqdn = "{0}.{1}".format(node_name, zone_name)
|
|
|
|
|
zone = Zone(zone_name)
|
2018-08-13 14:22:59 -07:00
|
|
|
|
2018-05-08 14:54:10 -07:00
|
|
|
try:
|
2018-08-13 14:22:59 -07:00
|
|
|
zone.add_record(node_name, record_type='TXT', txtdata="\"{}\"".format(token), ttl=5)
|
|
|
|
|
zone.publish()
|
|
|
|
|
current_app.logger.debug("TXT record created: {0}, token: {1}".format(fqdn, token))
|
2019-04-25 13:50:41 -07:00
|
|
|
except (DynectCreateError, DynectUpdateError) as e:
|
2018-08-13 14:22:59 -07:00
|
|
|
if "Cannot duplicate existing record data" in e.message:
|
|
|
|
|
current_app.logger.debug(
|
|
|
|
|
"Unable to add record. Domain: {}. Token: {}. "
|
|
|
|
|
"Record already exists: {}".format(domain, token, e), exc_info=True
|
|
|
|
|
)
|
2018-06-13 14:08:39 -07:00
|
|
|
else:
|
2019-04-24 15:26:23 -07:00
|
|
|
metrics.send('create_txt_record_error', 'counter', 1)
|
|
|
|
|
sentry.captureException()
|
2018-06-13 14:08:39 -07:00
|
|
|
raise
|
2018-08-13 14:22:59 -07:00
|
|
|
|
2018-05-04 15:00:43 -07:00
|
|
|
change_id = (fqdn, token)
|
|
|
|
|
return change_id
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def delete_txt_record(change_id, account_number, domain, token):
|
2018-05-08 11:03:17 -07:00
|
|
|
get_dynect_session()
|
2018-05-04 15:00:43 -07:00
|
|
|
if not domain:
|
|
|
|
|
current_app.logger.debug("delete_txt_record: No domain passed")
|
|
|
|
|
return
|
|
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
zone_name = get_zone_name(domain)
|
2018-05-04 15:00:43 -07:00
|
|
|
zone_parts = len(zone_name.split('.'))
|
|
|
|
|
node_name = '.'.join(domain.split('.')[:-zone_parts])
|
|
|
|
|
fqdn = "{0}.{1}".format(node_name, zone_name)
|
|
|
|
|
|
|
|
|
|
zone = Zone(zone_name)
|
|
|
|
|
node = Node(zone_name, fqdn)
|
2018-05-25 11:07:26 -07:00
|
|
|
|
2019-01-17 14:56:04 -08:00
|
|
|
try:
|
|
|
|
|
all_txt_records = node.get_all_records_by_type('TXT')
|
|
|
|
|
except DynectGetError:
|
2019-04-24 15:26:23 -07:00
|
|
|
sentry.captureException()
|
2019-04-25 13:50:41 -07:00
|
|
|
metrics.send('delete_txt_record_geterror', 'counter', 1)
|
2019-01-17 14:56:04 -08:00
|
|
|
# No Text Records remain or host is not in the zone anymore because all records have been deleted.
|
|
|
|
|
return
|
2018-05-04 15:00:43 -07:00
|
|
|
for txt_record in all_txt_records:
|
|
|
|
|
if txt_record.txtdata == ("{}".format(token)):
|
|
|
|
|
current_app.logger.debug("Deleting TXT record name: {0}".format(fqdn))
|
2019-04-25 13:50:41 -07:00
|
|
|
try:
|
|
|
|
|
txt_record.delete()
|
|
|
|
|
except DynectDeleteError:
|
|
|
|
|
sentry.captureException(
|
|
|
|
|
extra={
|
|
|
|
|
"fqdn": fqdn, "zone_name": zone_name, "node_name": node_name,
|
|
|
|
|
"txt_record": txt_record.txtdata}
|
|
|
|
|
)
|
|
|
|
|
metrics.send('delete_txt_record_deleteerror', 'counter', 1,
|
|
|
|
|
metric_tags={'fqdn': fqdn, 'txt_record': txt_record.txtdata})
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
zone.publish()
|
|
|
|
|
except DynectUpdateError:
|
|
|
|
|
sentry.captureException(
|
|
|
|
|
extra={
|
|
|
|
|
"fqdn": fqdn, "zone_name": zone_name, "node_name": node_name,
|
|
|
|
|
"txt_record": txt_record.txtdata}
|
|
|
|
|
)
|
|
|
|
|
metrics.send('delete_txt_record_publish_error', 'counter', 1,
|
|
|
|
|
metric_tags={'fqdn': fqdn, 'txt_record': txt_record.txtdata})
|
2018-05-29 10:18:16 -07:00
|
|
|
|
|
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
def delete_acme_txt_records(domain):
|
|
|
|
|
get_dynect_session()
|
|
|
|
|
if not domain:
|
|
|
|
|
current_app.logger.debug("delete_acme_txt_records: No domain passed")
|
|
|
|
|
return
|
|
|
|
|
acme_challenge_string = "_acme-challenge"
|
|
|
|
|
if not domain.startswith(acme_challenge_string):
|
|
|
|
|
current_app.logger.debug(
|
|
|
|
|
"delete_acme_txt_records: Domain {} doesn't start with string {}. "
|
|
|
|
|
"Cowardly refusing to delete TXT records".format(domain, acme_challenge_string))
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
zone_name = get_zone_name(domain)
|
|
|
|
|
zone_parts = len(zone_name.split('.'))
|
|
|
|
|
node_name = '.'.join(domain.split('.')[:-zone_parts])
|
|
|
|
|
fqdn = "{0}.{1}".format(node_name, zone_name)
|
|
|
|
|
|
|
|
|
|
zone = Zone(zone_name)
|
|
|
|
|
node = Node(zone_name, fqdn)
|
|
|
|
|
|
|
|
|
|
all_txt_records = node.get_all_records_by_type('TXT')
|
|
|
|
|
for txt_record in all_txt_records:
|
|
|
|
|
current_app.logger.debug("Deleting TXT record name: {0}".format(fqdn))
|
2019-04-25 13:50:41 -07:00
|
|
|
try:
|
|
|
|
|
txt_record.delete()
|
|
|
|
|
except DynectDeleteError:
|
|
|
|
|
sentry.captureException(
|
|
|
|
|
extra={
|
|
|
|
|
"fqdn": fqdn, "zone_name": zone_name, "node_name": node_name,
|
|
|
|
|
"txt_record": txt_record.txtdata}
|
|
|
|
|
)
|
|
|
|
|
metrics.send('delete_txt_record_deleteerror', 'counter', 1,
|
|
|
|
|
metric_tags={'fqdn': fqdn, 'txt_record': txt_record.txtdata})
|
2018-06-13 14:08:39 -07:00
|
|
|
zone.publish()
|
|
|
|
|
|
|
|
|
|
|
2018-05-29 10:18:16 -07:00
|
|
|
def get_authoritative_nameserver(domain):
|
2018-06-13 14:08:39 -07:00
|
|
|
if current_app.config.get('ACME_DYN_GET_AUTHORATATIVE_NAMESERVER'):
|
|
|
|
|
n = dns.name.from_text(domain)
|
2018-05-29 10:18:16 -07:00
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
depth = 2
|
|
|
|
|
default = dns.resolver.get_default_resolver()
|
|
|
|
|
nameserver = default.nameservers[0]
|
2018-05-29 10:18:16 -07:00
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
last = False
|
|
|
|
|
while not last:
|
|
|
|
|
s = n.split(depth)
|
2018-05-29 10:18:16 -07:00
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
last = s[0].to_unicode() == u'@'
|
|
|
|
|
sub = s[1]
|
2018-05-29 10:18:16 -07:00
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
query = dns.message.make_query(sub, dns.rdatatype.NS)
|
|
|
|
|
response = dns.query.udp(query, nameserver)
|
2018-05-29 10:18:16 -07:00
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
rcode = response.rcode()
|
|
|
|
|
if rcode != dns.rcode.NOERROR:
|
2019-04-24 15:26:23 -07:00
|
|
|
metrics.send('get_authoritative_nameserver_error', 'counter', 1)
|
2018-06-13 14:08:39 -07:00
|
|
|
if rcode == dns.rcode.NXDOMAIN:
|
|
|
|
|
raise Exception('%s does not exist.' % sub)
|
|
|
|
|
else:
|
|
|
|
|
raise Exception('Error %s' % dns.rcode.to_text(rcode))
|
2018-05-29 10:18:16 -07:00
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
if len(response.authority) > 0:
|
|
|
|
|
rrset = response.authority[0]
|
|
|
|
|
else:
|
|
|
|
|
rrset = response.answer[0]
|
2018-05-29 10:18:16 -07:00
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
rr = rrset[0]
|
|
|
|
|
if rr.rdtype != dns.rdatatype.SOA:
|
|
|
|
|
authority = rr.target
|
|
|
|
|
nameserver = default.query(authority).rrset[0].to_text()
|
2018-05-29 10:18:16 -07:00
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
depth += 1
|
2018-05-29 10:18:16 -07:00
|
|
|
|
2018-06-13 14:08:39 -07:00
|
|
|
return nameserver
|
|
|
|
|
else:
|
|
|
|
|
return "8.8.8.8"
|
