Fix unique dyn situation where zone does not match tld, and there's a deeper zone

lemur/plugins/lemur_acme/dyn.py

@@ -5,11 +5,10 @@ import dns.exception
 import dns.name
 import dns.query
 import dns.resolver
-from dyn.tm.errors import DynectCreateError
+from dyn.tm.errors import DynectCreateError, DynectGetError
 from dyn.tm.session import DynectSession
-from dyn.tm.zones import Node, Zone
+from dyn.tm.zones import Node, Zone, get_all_zones
 from flask import current_app
-from tld import get_tld
 
 
 def get_dynect_session():
@@ -51,19 +50,43 @@ def wait_for_dns_change(change_id, account_number=None):
     return
 
 
+def get_zone_name(domain):
+    zones = get_all_zones()
+
+    zone_name = ""
+
+    for z in zones:
+        if domain.endswith(z.name):
+            # Find the most specific zone possible for the domain
+            # Ex: If fqdn is a.b.c.com, there is a zone for c.com,
+            # and a zone for b.c.com, we want to use b.c.com.
+            if z.name.count(".") > zone_name.count("."):
+                zone_name = z.name
+    if not zone_name:
+        raise Exception("No Dyn zone found for domain: {}".format(domain))
+    return zone_name
+
+
 def create_txt_record(domain, token, account_number):
     get_dynect_session()
-    zone_name = get_tld('http://' + domain)
+    zone_name = get_zone_name(domain)
     zone_parts = len(zone_name.split('.'))
     node_name = '.'.join(domain.split('.')[:-zone_parts])
     fqdn = "{0}.{1}".format(node_name, zone_name)
     zone = Zone(zone_name)
     try:
+        # Delete all stale ACME TXT records
+        delete_acme_txt_records(domain)
+    except DynectGetError as e:
+        if (
+                "No such zone." in e.message or
+                "Host is not in this zone" in e.message or
+                "Host not found in this zone" in e.message
+        ):
+            current_app.logger.debug("Unable to delete ACME TXT records. They probably don't exist yet: {}".format(e))
+        else:
+            raise
     zone.add_record(node_name, record_type='TXT', txtdata="\"{}\"".format(token), ttl=5)
-    except DynectCreateError:
-        delete_txt_record(None, None, domain, token)
-        zone.add_record(node_name, record_type='TXT', txtdata="\"{}\"".format(token), ttl=5)
-    node = zone.get_node(node_name)
     zone.publish()
     current_app.logger.debug("TXT record created: {0}".format(fqdn))
     change_id = (fqdn, token)
@@ -76,7 +99,7 @@ def delete_txt_record(change_id, account_number, domain, token):
         current_app.logger.debug("delete_txt_record: No domain passed")
         return
 
-    zone_name = get_tld('http://' + domain)
+    zone_name = get_zone_name(domain)
     zone_parts = len(zone_name.split('.'))
     node_name = '.'.join(domain.split('.')[:-zone_parts])
     fqdn = "{0}.{1}".format(node_name, zone_name)
@@ -92,7 +115,35 @@ def delete_txt_record(change_id, account_number, domain, token):
     zone.publish()
 
 
+def delete_acme_txt_records(domain):
+    get_dynect_session()
+    if not domain:
+        current_app.logger.debug("delete_acme_txt_records: No domain passed")
+        return
+    acme_challenge_string = "_acme-challenge"
+    if not domain.startswith(acme_challenge_string):
+        current_app.logger.debug(
+            "delete_acme_txt_records: Domain {} doesn't start with string {}. "
+            "Cowardly refusing to delete TXT records".format(domain, acme_challenge_string))
+        return
+
+    zone_name = get_zone_name(domain)
+    zone_parts = len(zone_name.split('.'))
+    node_name = '.'.join(domain.split('.')[:-zone_parts])
+    fqdn = "{0}.{1}".format(node_name, zone_name)
+
+    zone = Zone(zone_name)
+    node = Node(zone_name, fqdn)
+
+    all_txt_records = node.get_all_records_by_type('TXT')
+    for txt_record in all_txt_records:
+        current_app.logger.debug("Deleting TXT record name: {0}".format(fqdn))
+        txt_record.delete()
+    zone.publish()
+
+
 def get_authoritative_nameserver(domain):
+    if current_app.config.get('ACME_DYN_GET_AUTHORATATIVE_NAMESERVER'):
         n = dns.name.from_text(domain)
 
         depth = 2
@@ -129,3 +180,5 @@ def get_authoritative_nameserver(domain):
             depth += 1
 
         return nameserver
+    else:
+        return "8.8.8.8"

requirements-dev.txt

@@ -11,20 +11,20 @@ cfgv==1.1.0               # via pre-commit
 chardet==3.0.4            # via requests
 flake8==3.5.0
 identify==1.1.0           # via pre-commit
-idna==2.6                 # via requests
+idna==2.7                 # via requests
 invoke==1.0.0
 mccabe==0.6.1             # via flake8
-nodeenv==1.3.0
+nodeenv==1.3.1
 pkginfo==1.4.2            # via twine
 pre-commit==1.10.2
 pycodestyle==2.3.1        # via flake8
 pyflakes==1.6.0           # via flake8
 pyyaml==3.12              # via aspy.yaml, pre-commit
 requests-toolbelt==0.8.0  # via twine
-requests==2.18.4          # via requests-toolbelt, twine
+requests==2.19.0          # via requests-toolbelt, twine
 six==1.11.0               # via cfgv, pre-commit
 toml==0.9.4               # via pre-commit
 tqdm==4.23.4              # via twine
 twine==1.11.0
-urllib3==1.22             # via requests
+urllib3==1.23             # via requests
 virtualenv==16.0.0        # via pre-commit

requirements-docs.txt

@@ -4,7 +4,7 @@
 #
 #    pip-compile --no-index --output-file requirements-docs.txt requirements-docs.in
 #
-acme==0.24.0
+acme==0.25.0
 alabaster==0.7.10         # via sphinx
 alembic-autogenerate-enums==0.0.2
 alembic==0.9.9
@@ -15,8 +15,8 @@ asyncpool==1.0
 babel==2.6.0              # via sphinx
 bcrypt==3.1.4
 blinker==1.4
-boto3==1.7.32
+boto3==1.7.36
-botocore==1.10.32
+botocore==1.10.36
 certifi==2018.4.16
 cffi==1.11.5
 click==6.7
@@ -27,7 +27,7 @@ dnspython==1.15.0
 docutils==0.14
 dyn==1.8.1
 flask-bcrypt==0.7.1
-flask-cors==3.0.4
+flask-cors==3.0.6
 flask-mail==0.9.1
 flask-migrate==2.1.1
 flask-principal==0.4.0
@@ -37,7 +37,7 @@ flask-sqlalchemy==2.3.2
 flask==0.12
 future==0.16.0
 gunicorn==19.8.1
-idna==2.6
+idna==2.7
 imagesize==1.0.0          # via sphinx
 inflection==0.3.1
 itsdangerous==0.24
@@ -54,7 +54,7 @@ mock==2.0.0
 ndg-httpsclient==0.5.0
 packaging==17.1           # via sphinx
 paramiko==2.4.1
-pbr==4.0.3
+pbr==4.0.4
 pem==17.1.0
 psycopg2==2.7.4
 pyasn1-modules==0.2.1
@@ -65,12 +65,13 @@ pyjwt==1.6.4
 pynacl==1.2.1
 pyopenssl==17.2.0
 pyparsing==2.2.0          # via packaging
-pyrfc3339==1.0
+pyrfc3339==1.1
 python-dateutil==2.7.3
 python-editor==1.0.3
 pytz==2018.4
 pyyaml==3.12
 raven[flask]==6.9.0
+requests-toolbelt==0.8.0
 requests[security]==2.11.1
 retrying==1.3.3
 s3transfer==0.1.13

requirements-tests.txt

@@ -8,9 +8,9 @@ asn1crypto==0.24.0        # via cryptography
 atomicwrites==1.1.5       # via pytest
 attrs==18.1.0             # via pytest
 aws-xray-sdk==0.95        # via moto
-boto3==1.7.36             # via moto
+boto3==1.7.37             # via moto
 boto==2.48.0              # via moto
-botocore==1.10.36         # via boto3, moto, s3transfer
+botocore==1.10.37         # via boto3, moto, s3transfer
 certifi==2018.4.16        # via requests
 cffi==1.11.5              # via cryptography
 chardet==3.0.4            # via requests
@@ -25,7 +25,7 @@ factory-boy==2.11.1
 faker==0.8.15
 flask==1.0.2              # via pytest-flask
 freezegun==0.3.10
-idna==2.6                 # via cryptography, requests
+idna==2.7                 # via cryptography, requests
 itsdangerous==0.24        # via flask
 jinja2==2.10              # via flask, moto
 jmespath==0.9.3           # via boto3, botocore
@@ -49,12 +49,12 @@ python-dateutil==2.6.1    # via botocore, faker, freezegun, moto
 pytz==2018.4              # via moto
 pyyaml==3.12              # via pyaml
 requests-mock==1.5.0
-requests==2.18.4          # via aws-xray-sdk, docker, moto, requests-mock, responses
+requests==2.19.0          # via aws-xray-sdk, docker, moto, requests-mock, responses
 responses==0.9.0          # via moto
 s3transfer==0.1.13        # via boto3
 six==1.11.0               # via cryptography, docker, docker-pycreds, faker, freezegun, mock, more-itertools, moto, pytest, python-dateutil, requests-mock, responses, websocket-client
 text-unidecode==1.2       # via faker
-urllib3==1.22             # via requests
+urllib3==1.23             # via requests
 websocket-client==0.48.0  # via docker
 werkzeug==0.14.1          # via flask, moto, pytest-flask
 wrapt==1.10.11            # via aws-xray-sdk

requirements.in

@@ -39,5 +39,4 @@ retrying
 six
 SQLAlchemy-Utils
 tabulate
-tld
 xmltodict

requirements.txt

@@ -4,7 +4,7 @@
 #
 #    pip-compile --no-index --output-file requirements.txt requirements.in
 #
-acme==0.25.0
+acme==0.25.1
 alembic-autogenerate-enums==0.0.2
 alembic==0.9.9            # via flask-migrate
 aniso8601==3.0.0          # via flask-restful
@@ -13,8 +13,8 @@ asn1crypto==0.24.0        # via cryptography
 asyncpool==1.0
 bcrypt==3.1.4             # via flask-bcrypt, paramiko
 blinker==1.4              # via flask-mail, flask-principal, raven
-boto3==1.7.36
+boto3==1.7.37
-botocore==1.10.36         # via boto3, s3transfer
+botocore==1.10.37         # via boto3, s3transfer
 certifi==2018.4.16
 cffi==1.11.5              # via bcrypt, cryptography, pynacl
 click==6.7                # via flask
@@ -74,6 +74,5 @@ six==1.11.0
 sqlalchemy-utils==0.33.3
 sqlalchemy==1.2.8         # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils
 tabulate==0.8.2
-tld==0.7.10
 werkzeug==0.14.1          # via flask
 xmltodict==0.11.0