Infra
/
lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #3303 from Netflix/cname_metrics 

CNAME Delegation Cleanup
This commit is contained in:
Hossein Shafagh 2020-12-14 09:01:06 -08:00 committed by GitHub
parent 90531e79f0 4ac432ce87
commit 0504919835
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lemur/plugins/lemur_acme/acme_handlers.py
View File

@ -36,12 +36,13 @@ from retrying import retry
class AuthorizationRecord(object): class AuthorizationRecord(object):
def __init__(self, domain, target_domain, authz, dns_challenge, change_id): def __init__(self, domain, target_domain, authz, dns_challenge, change_id, cname_delegation):
self.domain = domain self.domain = domain
self.target_domain = target_domain self.target_domain = target_domain
self.authz = authz self.authz = authz
self.dns_challenge = dns_challenge self.dns_challenge = dns_challenge
self.change_id = change_id self.change_id = change_id
self.cname_delegation = cname_delegation
class AcmeHandler(object): class AcmeHandler(object):
@ -305,6 +306,7 @@ class AcmeDnsHandler(AcmeHandler):
current_app.logger.debug(f"Starting DNS challenge for {domain} using target domain {target_domain}.") current_app.logger.debug(f"Starting DNS challenge for {domain} using target domain {target_domain}.")
change_ids = [] change_ids = []
cname_delegation = domain != target_domain
dns_challenges = self.get_dns_challenges(domain, order.authorizations) dns_challenges = self.get_dns_challenges(domain, order.authorizations)
host_to_validate, _ = self.strip_wildcard(target_domain) host_to_validate, _ = self.strip_wildcard(target_domain)
host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options) host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options)
@ -315,9 +317,7 @@ class AcmeDnsHandler(AcmeHandler):
raise Exception("Unable to determine DNS challenges from authorizations") raise Exception("Unable to determine DNS challenges from authorizations")
for dns_challenge in dns_challenges: for dns_challenge in dns_challenges:
if not cname_delegation:
# Only prepend '_acme-challenge' if not using CNAME redirection
if domain == target_domain:
host_to_validate = dns_challenge.validation_domain_name(host_to_validate) host_to_validate = dns_challenge.validation_domain_name(host_to_validate)
change_id = dns_provider.create_txt_record( change_id = dns_provider.create_txt_record(
@ -328,7 +328,7 @@ class AcmeDnsHandler(AcmeHandler):
change_ids.append(change_id) change_ids.append(change_id)
return AuthorizationRecord( return AuthorizationRecord(
domain, target_domain, order.authorizations, dns_challenges, change_ids domain, target_domain, order.authorizations, dns_challenges, change_ids, cname_delegation
) )
def complete_dns_challenge(self, acme_client, authz_record): def complete_dns_challenge(self, acme_client, authz_record):
@ -395,6 +395,9 @@ class AcmeDnsHandler(AcmeHandler):
if cname_result: if cname_result:
target_domain = cname_result target_domain = cname_result
self.autodetect_dns_providers(target_domain) self.autodetect_dns_providers(target_domain)
metrics.send(
"get_authorizations_cname_delegation_for_domain", "counter", 1, metric_tags={"domain": domain}
)
if not self.dns_providers_for_domain.get(target_domain): if not self.dns_providers_for_domain.get(target_domain):
metrics.send( metrics.send(
@ -455,7 +458,7 @@ class AcmeDnsHandler(AcmeHandler):
account_number = dns_provider_options.get("account_id") account_number = dns_provider_options.get("account_id")
host_to_validate, _ = self.strip_wildcard(authz_record.target_domain) host_to_validate, _ = self.strip_wildcard(authz_record.target_domain)
host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options) host_to_validate = self.maybe_add_extension(host_to_validate, dns_provider_options)
if authz_record.domain == authz_record.target_domain: if not authz_record.cname_delegation:
host_to_validate = challenges.DNS01().validation_domain_name(host_to_validate) host_to_validate = challenges.DNS01().validation_domain_name(host_to_validate)
dns_provider_plugin.delete_txt_record( dns_provider_plugin.delete_txt_record(
authz_record.change_id, authz_record.change_id,
@ -492,7 +495,7 @@ class AcmeDnsHandler(AcmeHandler):
dns_provider_plugin = self.get_dns_provider(dns_provider.provider_type) dns_provider_plugin = self.get_dns_provider(dns_provider.provider_type)
for dns_challenge in dns_challenges: for dns_challenge in dns_challenges:
if authz_record.domain == authz_record.target_domain: if not authz_record.cname_delegation:
host_to_validate = dns_challenge.validation_domain_name(host_to_validate) host_to_validate = dns_challenge.validation_domain_name(host_to_validate)
try: try:
dns_provider_plugin.delete_txt_record( dns_provider_plugin.delete_txt_record(

2
lemur/plugins/lemur_acme/tests/test_acme_handler.py
View File

@ -30,7 +30,7 @@ class TestAcmeHandler(unittest.TestCase):
self.assertEqual(expected, result) self.assertEqual(expected, result)
def test_authz_record(self): def test_authz_record(self):
a = acme_handlers.AuthorizationRecord("domain", "host", "authz", "challenge", "id") a = acme_handlers.AuthorizationRecord("domain", "host", "authz", "challenge", "id", "cname_delegation")
self.assertEqual(type(a), acme_handlers.AuthorizationRecord) self.assertEqual(type(a), acme_handlers.AuthorizationRecord)
def test_setup_acme_client_fail(self): def test_setup_acme_client_fail(self):