created CLI options for testin ACME over dns. Examle: acme dnstest -d _acme-chall.foo.com -t token1

This commit is contained in:
csine-nflx 2020-01-28 19:13:28 -08:00
parent c465062673
commit b91899fe99
6 changed files with 254 additions and 122 deletions

0
__init__.py Normal file
View File

View File

View File

@ -0,0 +1,92 @@
import time
import json
from flask_script import Manager
from flask import current_app
from lemur.extensions import sentry
from lemur.extensions import metrics
from lemur.constants import SUCCESS_METRIC_STATUS
from lemur.plugins.lemur_acme.plugin import AcmeHandler
manager = Manager(
usage="This provides ability to test ACME issuance"
)
@manager.option(
"-d",
"--domain",
dest="domain",
required=True,
help="Name of the Domain to store to (ex. \"_acme-chall.test.com\".",
)
@manager.option(
"-t",
"--token",
dest="token",
required=True,
help="Value of the Token to store in DNS as content.",
)
def dnstest(domain, token):
"""
Attempts to create, verify, and delete DNS TXT records with an autodetected provider.
"""
print("[+] Starting ACME Tests.")
change_id = (domain, token)
acme_handler = AcmeHandler()
acme_handler.autodetect_dns_providers(domain)
if not acme_handler.dns_providers_for_domain[domain]:
metrics.send(
"get_authorizations_no_dns_provider_for_domain", "counter", 1
)
raise Exception(f"No DNS providers found for domain: {format(domain)}.")
# Create TXT Records
for dns_provider in acme_handler.dns_providers_for_domain[domain]:
dns_provider_plugin = acme_handler.get_dns_provider(dns_provider.provider_type)
dns_provider_options = json.loads(dns_provider.credentials)
account_number = dns_provider_options.get("account_id")
print(f"[+] Creating TXT Record in `{dns_provider.name}` provider")
change_id = dns_provider_plugin.create_txt_record(domain, token, account_number)
print("[+] Verifying TXT Record has propagated to DNS.")
print("[+] Waiting 60 second before continuing...")
time.sleep(10)
# Verify TXT Records
for dns_provider in acme_handler.dns_providers_for_domain[domain]:
dns_provider_plugin = acme_handler.get_dns_provider(dns_provider.provider_type)
dns_provider_options = json.loads(dns_provider.credentials)
account_number = dns_provider_options.get("account_id")
try:
dns_provider_plugin.wait_for_dns_change(change_id, account_number)
print(f"[+] Verfied TXT Record in `{dns_provider.name}` provider")
except Exception:
metrics.send("complete_dns_challenge_error", "counter", 1)
sentry.captureException()
current_app.logger.debug(
f"Unable to resolve DNS challenge for change_id: {change_id}, account_id: "
f"{account_number}",
exc_info=True,
)
print(f"[+] Unable to Verify TXT Record in `{dns_provider.name}` provider")
time.sleep(10)
# Delete TXT Records
for dns_provider in acme_handler.dns_providers_for_domain[domain]:
dns_provider_plugin = acme_handler.get_dns_provider(dns_provider.provider_type)
dns_provider_options = json.loads(dns_provider.credentials)
account_number = dns_provider_options.get("account_id")
# TODO(csine@: Add Exception Handling
dns_provider_plugin.delete_txt_record(change_id, account_number, domain, token)
print(f"[+] Deleted TXT Record in `{dns_provider.name}` provider")
status = SUCCESS_METRIC_STATUS
metrics.send("dnstest", "counter", 1, metric_tags={"status": status})
print("[+] Done with ACME Tests.")

103
lemur/dns_providers/util.py Normal file
View File

@ -0,0 +1,103 @@
import sys
import dns
import dns.exception
import dns.name
import dns.query
import dns.resolver
import re
from flask import current_app
from lemur.extensions import metrics, sentry
class DNSError(Exception):
"""Base class for DNS Exceptions."""
pass
class BadDomainError(DNSError):
"""Error for when a Bad Domain Name is given."""
def __init__(self, message):
self.message = message
class DNSResolveError(DNSError):
"""Error for DNS Resolution Errors."""
def __init__(self, message):
self.message = message
def is_valid_domain(domain):
"""Checks if a domain is syntactically valid and returns a bool"""
if len(domain) > 253:
return False
if domain[-1] == ".":
domain = domain[:-1]
fqdn_re = re.compile("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)", re.IGNORECASE)
return all(fqdn_re.match(d) for d in domain.split("."))
def get_authoritative_nameserver(domain):
"""Get the authoritative nameservers for the given domain"""
if not is_valid_domain(domain):
raise BadDomainError(f"{domain} is not a valid FQDN")
n = dns.name.from_text(domain)
depth = 2
default = dns.resolver.get_default_resolver()
nameserver = default.nameservers[0]
last = False
while not last:
s = n.split(depth)
last = s[0].to_unicode() == u"@"
sub = s[1]
query = dns.message.make_query(sub, dns.rdatatype.NS)
response = dns.query.udp(query, nameserver)
rcode = response.rcode()
if rcode != dns.rcode.NOERROR:
function = sys._getframe().f_code.co_name
metrics.send(f"{function}.error", "counter", 1)
if rcode == dns.rcode.NXDOMAIN:
raise DNSResolveError(f"{sub} does not exist.")
else:
raise DNSResolveError(f"Error: {dns.rcode.to_text(rcode)}")
if len(response.authority) > 0:
rrset = response.authority[0]
else:
rrset = response.answer[0]
rr = rrset[0]
if rr.rdtype != dns.rdatatype.SOA:
authority = rr.target
nameserver = default.query(authority).rrset[0].to_text()
depth += 1
return nameserver
def get_dns_records(domain, rdtype, nameserver):
"""Retrieves the DNS records matching the name and type and returns a list of records"""
# if not nameserver:
# nameserver = get_authoritative_nameserver(domain)[0]
records = []
try:
dns_resolver = dns.resolver.Resolver()
dns_resolver.nameservers = [nameserver]
dns_response = dns_resolver.query(domain, rdtype)
for rdata in dns_response:
for record in rdata.strings:
records.append(record.decode("utf-8"))
except dns.exception.DNSException:
function = sys._getframe().f_code.co_name
metrics.send(f"{function}.fail", "counter", 1)
return records

View File

@ -17,6 +17,7 @@ from flask_migrate import Migrate, MigrateCommand, stamp
from flask_script.commands import ShowUrls, Clean, Server
from lemur.dns_providers.cli import manager as dns_provider_manager
from lemur.acme_providers.cli import manager as acme_manager
from lemur.sources.cli import manager as source_manager
from lemur.policies.cli import manager as policy_manager
from lemur.reporting.cli import manager as report_manager
@ -584,6 +585,7 @@ def main():
manager.add_command("policy", policy_manager)
manager.add_command("pending_certs", pending_certificate_manager)
manager.add_command("dns_providers", dns_provider_manager)
manager.add_command("acme", acme_manager)
manager.run()

View File

@ -3,11 +3,7 @@ import requests
import json
import sys
import dns
import dns.exception
import dns.name
import dns.query
import dns.resolver
import lemur.dns_providers.util as dnsutil
from flask import current_app
from lemur.extensions import metrics, sentry
@ -63,8 +59,25 @@ def get_zones(account_number):
server_id = current_app.config.get("ACME_POWERDNS_SERVERID", "")
path = f"/api/v1/servers/{server_id}/zones"
zones = []
for elem in _get(path):
zone = Zone(elem)
try:
records = _get(path)
function = sys._getframe().f_code.co_name
log_data = {
"function": function,
"message": "Retrieved Zones Successfully"
}
current_app.logger.debug(log_data)
except Exception as e:
records = _get(path)
function = sys._getframe().f_code.co_name
log_data = {
"function": function,
"message": "Failed to Retrieve Zone Data"
}
current_app.logger.debug(log_data)
for record in records:
zone = Zone(record)
if zone.kind == 'Master':
zones.append(zone.name)
return zones
@ -80,14 +93,14 @@ def create_txt_record(domain, token, account_number):
payload = {
"rrsets": [
{
"name": f"{domain_id}",
"name": domain_id,
"type": "TXT",
"ttl": "300",
"ttl": 300,
"changetype": "REPLACE",
"records": [
{
"content": f"{token}",
"disabled": "false"
"content": f"\"{token}\"",
"disabled": False
}
],
"comments": []
@ -105,7 +118,7 @@ def create_txt_record(domain, token, account_number):
"message": "TXT record successfully created"
}
current_app.logger.debug(log_data)
except requests.exceptions.RequestException as e:
except Exception as e:
function = sys._getframe().f_code.co_name
log_data = {
"function": function,
@ -122,46 +135,36 @@ def create_txt_record(domain, token, account_number):
def wait_for_dns_change(change_id, account_number=None):
"""
Checks if changes have propagated to DNS
Verifies both the authoritative DNS server and a public DNS server(Google <8.8.8.8> in our case)
Checks the authoritative DNS Server to see if changes have propagated to DNS
Retries and waits until successful.
"""
domain, token = change_id
number_of_attempts = 20
nameserver = _get_authoritative_nameserver(domain)
status = False
zone_name = _get_zone_name(domain, account_number)
nameserver = dnsutil.get_authoritative_nameserver(zone_name)
record_found = False
for attempts in range(0, number_of_attempts):
status = _has_dns_propagated(domain, token, nameserver)
function = sys._getframe().f_code.co_name
log_data = {
"function": function,
"fqdn": domain,
"status": status,
"message": "Record status on UltraDNS authoritative server"
}
current_app.logger.debug(log_data)
if status:
time.sleep(10)
txt_records = dnsutil.get_dns_records(domain, "TXT", nameserver)
for txt_record in txt_records:
if txt_record == token:
record_found = True
break
if record_found:
break
time.sleep(10)
if status:
nameserver = _get_public_authoritative_nameserver()
for attempts in range(0, number_of_attempts):
status = _has_dns_propagated(domain, token, nameserver)
function = sys._getframe().f_code.co_name
log_data = {
"function": function,
"fqdn": domain,
"status": status,
"message": "Record status on Public DNS"
}
current_app.logger.debug(log_data)
if status:
metrics.send(f"{function}.success", "counter", 1)
break
time.sleep(10)
if not status:
function = sys._getframe().f_code.co_name
log_data = {
"function": function,
"fqdn": domain,
"status": record_found,
"message": "Record status on PowerDNS authoritative server"
}
current_app.logger.debug(log_data)
if record_found:
metrics.send(f"{function}.success", "counter", 1, metric_tags={"fqdn": domain, "txt_record": token})
else:
metrics.send(f"{function}.fail", "counter", 1, metric_tags={"fqdn": domain, "txt_record": token})
sentry.captureException(extra={"fqdn": str(domain), "txt_record": str(token)})
@ -176,14 +179,14 @@ def delete_txt_record(change_id, account_number, domain, token):
payload = {
"rrsets": [
{
"name": f"{domain_id}",
"name": domain_id,
"type": "TXT",
"ttl": "300",
"ttl": 300,
"changetype": "DELETE",
"records": [
{
"content": f"{token}",
"disabled": "false"
"content": f"\"{token}\"",
"disabled": False
}
],
"comments": []
@ -201,7 +204,7 @@ def delete_txt_record(change_id, account_number, domain, token):
"message": "TXT record successfully deleted"
}
current_app.logger.debug(log_data)
except requests.exceptions.RequestException as e:
except Exception as e:
function = sys._getframe().f_code.co_name
log_data = {
"function": function,
@ -217,7 +220,8 @@ def _generate_header():
"""Generate a PowerDNS API header and return it as a dictionary"""
api_key_name = current_app.config.get("ACME_POWERDNS_APIKEYNAME", "")
api_key = current_app.config.get("ACME_POWERDNS_APIKEY", "")
return {api_key_name: api_key}
headers = {api_key_name: api_key}
return headers
def _get(path, params=None):
@ -238,8 +242,8 @@ def _patch(path, payload):
base_uri = current_app.config.get("ACME_POWERDNS_DOMAIN", "")
resp = requests.patch(
f"{base_uri}{path}",
headers=_generate_header(),
data=json.dumps(payload)
data=json.dumps(payload),
headers=_generate_header()
)
resp.raise_for_status()
@ -258,72 +262,3 @@ def _get_zone_name(domain, account_number):
raise Exception(f"No PowerDNS zone found for domain: {domain}")
return zone_name
def _get_authoritative_nameserver(domain):
"""Get the authoritative nameserver for the given domain"""
n = dns.name.from_text(domain)
depth = 2
default = dns.resolver.get_default_resolver()
nameserver = default.nameservers[0]
last = False
while not last:
s = n.split(depth)
last = s[0].to_unicode() == u"@"
sub = s[1]
query = dns.message.make_query(sub, dns.rdatatype.NS)
response = dns.query.udp(query, nameserver)
rcode = response.rcode()
if rcode != dns.rcode.NOERROR:
function = sys._getframe().f_code.co_name
metrics.send(f"{function}.error", "counter", 1)
if rcode == dns.rcode.NXDOMAIN:
raise Exception("%s does not exist." % sub)
else:
raise Exception("Error %s" % dns.rcode.to_text(rcode))
if len(response.authority) > 0:
rrset = response.authority[0]
else:
rrset = response.answer[0]
rr = rrset[0]
if rr.rdtype != dns.rdatatype.SOA:
authority = rr.target
nameserver = default.query(authority).rrset[0].to_text()
depth += 1
return nameserver
def _get_public_authoritative_nameserver():
return "8.8.8.8"
def _has_dns_propagated(name, token, domain):
"""Check whether the DNS change has propagated to the public DNS"""
txt_records = []
try:
dns_resolver = dns.resolver.Resolver()
dns_resolver.nameservers = [domain]
dns_response = dns_resolver.query(name, "TXT")
for rdata in dns_response:
for txt_record in rdata.strings:
txt_records.append(txt_record.decode("utf-8"))
except dns.exception.DNSException:
function = sys._getframe().f_code.co_name
metrics.send(f"{function}.fail", "counter", 1)
return False
for txt_record in txt_records:
if txt_record == token:
function = sys._getframe().f_code.co_name
metrics.send(f"{function}.success", "counter", 1)
return True
return False