created CLI options for testin ACME over dns. Examle: acme dnstest -d _acme-chall.foo.com -t token1
This commit is contained in:
parent
c465062673
commit
b91899fe99
0
__init__.py
Normal file
0
__init__.py
Normal file
0
lemur/acme_providers/__init__.py
Normal file
0
lemur/acme_providers/__init__.py
Normal file
92
lemur/acme_providers/cli.py
Normal file
92
lemur/acme_providers/cli.py
Normal file
@ -0,0 +1,92 @@
|
||||
import time
|
||||
import json
|
||||
|
||||
from flask_script import Manager
|
||||
from flask import current_app
|
||||
|
||||
from lemur.extensions import sentry
|
||||
from lemur.extensions import metrics
|
||||
from lemur.constants import SUCCESS_METRIC_STATUS
|
||||
from lemur.plugins.lemur_acme.plugin import AcmeHandler
|
||||
|
||||
manager = Manager(
|
||||
usage="This provides ability to test ACME issuance"
|
||||
)
|
||||
|
||||
|
||||
@manager.option(
|
||||
"-d",
|
||||
"--domain",
|
||||
dest="domain",
|
||||
required=True,
|
||||
help="Name of the Domain to store to (ex. \"_acme-chall.test.com\".",
|
||||
)
|
||||
@manager.option(
|
||||
"-t",
|
||||
"--token",
|
||||
dest="token",
|
||||
required=True,
|
||||
help="Value of the Token to store in DNS as content.",
|
||||
)
|
||||
def dnstest(domain, token):
|
||||
"""
|
||||
Attempts to create, verify, and delete DNS TXT records with an autodetected provider.
|
||||
"""
|
||||
print("[+] Starting ACME Tests.")
|
||||
change_id = (domain, token)
|
||||
|
||||
acme_handler = AcmeHandler()
|
||||
acme_handler.autodetect_dns_providers(domain)
|
||||
if not acme_handler.dns_providers_for_domain[domain]:
|
||||
metrics.send(
|
||||
"get_authorizations_no_dns_provider_for_domain", "counter", 1
|
||||
)
|
||||
raise Exception(f"No DNS providers found for domain: {format(domain)}.")
|
||||
|
||||
# Create TXT Records
|
||||
for dns_provider in acme_handler.dns_providers_for_domain[domain]:
|
||||
dns_provider_plugin = acme_handler.get_dns_provider(dns_provider.provider_type)
|
||||
dns_provider_options = json.loads(dns_provider.credentials)
|
||||
account_number = dns_provider_options.get("account_id")
|
||||
|
||||
print(f"[+] Creating TXT Record in `{dns_provider.name}` provider")
|
||||
change_id = dns_provider_plugin.create_txt_record(domain, token, account_number)
|
||||
|
||||
print("[+] Verifying TXT Record has propagated to DNS.")
|
||||
print("[+] Waiting 60 second before continuing...")
|
||||
time.sleep(10)
|
||||
|
||||
# Verify TXT Records
|
||||
for dns_provider in acme_handler.dns_providers_for_domain[domain]:
|
||||
dns_provider_plugin = acme_handler.get_dns_provider(dns_provider.provider_type)
|
||||
dns_provider_options = json.loads(dns_provider.credentials)
|
||||
account_number = dns_provider_options.get("account_id")
|
||||
|
||||
try:
|
||||
dns_provider_plugin.wait_for_dns_change(change_id, account_number)
|
||||
print(f"[+] Verfied TXT Record in `{dns_provider.name}` provider")
|
||||
except Exception:
|
||||
metrics.send("complete_dns_challenge_error", "counter", 1)
|
||||
sentry.captureException()
|
||||
current_app.logger.debug(
|
||||
f"Unable to resolve DNS challenge for change_id: {change_id}, account_id: "
|
||||
f"{account_number}",
|
||||
exc_info=True,
|
||||
)
|
||||
print(f"[+] Unable to Verify TXT Record in `{dns_provider.name}` provider")
|
||||
|
||||
time.sleep(10)
|
||||
|
||||
# Delete TXT Records
|
||||
for dns_provider in acme_handler.dns_providers_for_domain[domain]:
|
||||
dns_provider_plugin = acme_handler.get_dns_provider(dns_provider.provider_type)
|
||||
dns_provider_options = json.loads(dns_provider.credentials)
|
||||
account_number = dns_provider_options.get("account_id")
|
||||
|
||||
# TODO(csine@: Add Exception Handling
|
||||
dns_provider_plugin.delete_txt_record(change_id, account_number, domain, token)
|
||||
print(f"[+] Deleted TXT Record in `{dns_provider.name}` provider")
|
||||
|
||||
status = SUCCESS_METRIC_STATUS
|
||||
metrics.send("dnstest", "counter", 1, metric_tags={"status": status})
|
||||
print("[+] Done with ACME Tests.")
|
103
lemur/dns_providers/util.py
Normal file
103
lemur/dns_providers/util.py
Normal file
@ -0,0 +1,103 @@
|
||||
import sys
|
||||
import dns
|
||||
import dns.exception
|
||||
import dns.name
|
||||
import dns.query
|
||||
import dns.resolver
|
||||
import re
|
||||
|
||||
from flask import current_app
|
||||
from lemur.extensions import metrics, sentry
|
||||
|
||||
|
||||
class DNSError(Exception):
|
||||
"""Base class for DNS Exceptions."""
|
||||
pass
|
||||
|
||||
|
||||
class BadDomainError(DNSError):
|
||||
"""Error for when a Bad Domain Name is given."""
|
||||
|
||||
def __init__(self, message):
|
||||
self.message = message
|
||||
|
||||
|
||||
class DNSResolveError(DNSError):
|
||||
"""Error for DNS Resolution Errors."""
|
||||
|
||||
def __init__(self, message):
|
||||
self.message = message
|
||||
|
||||
|
||||
def is_valid_domain(domain):
|
||||
"""Checks if a domain is syntactically valid and returns a bool"""
|
||||
if len(domain) > 253:
|
||||
return False
|
||||
if domain[-1] == ".":
|
||||
domain = domain[:-1]
|
||||
fqdn_re = re.compile("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)", re.IGNORECASE)
|
||||
return all(fqdn_re.match(d) for d in domain.split("."))
|
||||
|
||||
|
||||
def get_authoritative_nameserver(domain):
|
||||
"""Get the authoritative nameservers for the given domain"""
|
||||
if not is_valid_domain(domain):
|
||||
raise BadDomainError(f"{domain} is not a valid FQDN")
|
||||
|
||||
n = dns.name.from_text(domain)
|
||||
|
||||
depth = 2
|
||||
default = dns.resolver.get_default_resolver()
|
||||
nameserver = default.nameservers[0]
|
||||
|
||||
last = False
|
||||
while not last:
|
||||
s = n.split(depth)
|
||||
|
||||
last = s[0].to_unicode() == u"@"
|
||||
sub = s[1]
|
||||
|
||||
query = dns.message.make_query(sub, dns.rdatatype.NS)
|
||||
response = dns.query.udp(query, nameserver)
|
||||
|
||||
rcode = response.rcode()
|
||||
if rcode != dns.rcode.NOERROR:
|
||||
function = sys._getframe().f_code.co_name
|
||||
metrics.send(f"{function}.error", "counter", 1)
|
||||
if rcode == dns.rcode.NXDOMAIN:
|
||||
raise DNSResolveError(f"{sub} does not exist.")
|
||||
else:
|
||||
raise DNSResolveError(f"Error: {dns.rcode.to_text(rcode)}")
|
||||
|
||||
if len(response.authority) > 0:
|
||||
rrset = response.authority[0]
|
||||
else:
|
||||
rrset = response.answer[0]
|
||||
|
||||
rr = rrset[0]
|
||||
if rr.rdtype != dns.rdatatype.SOA:
|
||||
authority = rr.target
|
||||
nameserver = default.query(authority).rrset[0].to_text()
|
||||
|
||||
depth += 1
|
||||
|
||||
return nameserver
|
||||
|
||||
|
||||
def get_dns_records(domain, rdtype, nameserver):
|
||||
"""Retrieves the DNS records matching the name and type and returns a list of records"""
|
||||
# if not nameserver:
|
||||
# nameserver = get_authoritative_nameserver(domain)[0]
|
||||
|
||||
records = []
|
||||
try:
|
||||
dns_resolver = dns.resolver.Resolver()
|
||||
dns_resolver.nameservers = [nameserver]
|
||||
dns_response = dns_resolver.query(domain, rdtype)
|
||||
for rdata in dns_response:
|
||||
for record in rdata.strings:
|
||||
records.append(record.decode("utf-8"))
|
||||
except dns.exception.DNSException:
|
||||
function = sys._getframe().f_code.co_name
|
||||
metrics.send(f"{function}.fail", "counter", 1)
|
||||
return records
|
@ -17,6 +17,7 @@ from flask_migrate import Migrate, MigrateCommand, stamp
|
||||
from flask_script.commands import ShowUrls, Clean, Server
|
||||
|
||||
from lemur.dns_providers.cli import manager as dns_provider_manager
|
||||
from lemur.acme_providers.cli import manager as acme_manager
|
||||
from lemur.sources.cli import manager as source_manager
|
||||
from lemur.policies.cli import manager as policy_manager
|
||||
from lemur.reporting.cli import manager as report_manager
|
||||
@ -584,6 +585,7 @@ def main():
|
||||
manager.add_command("policy", policy_manager)
|
||||
manager.add_command("pending_certs", pending_certificate_manager)
|
||||
manager.add_command("dns_providers", dns_provider_manager)
|
||||
manager.add_command("acme", acme_manager)
|
||||
manager.run()
|
||||
|
||||
|
||||
|
@ -3,11 +3,7 @@ import requests
|
||||
import json
|
||||
import sys
|
||||
|
||||
import dns
|
||||
import dns.exception
|
||||
import dns.name
|
||||
import dns.query
|
||||
import dns.resolver
|
||||
import lemur.dns_providers.util as dnsutil
|
||||
|
||||
from flask import current_app
|
||||
from lemur.extensions import metrics, sentry
|
||||
@ -63,8 +59,25 @@ def get_zones(account_number):
|
||||
server_id = current_app.config.get("ACME_POWERDNS_SERVERID", "")
|
||||
path = f"/api/v1/servers/{server_id}/zones"
|
||||
zones = []
|
||||
for elem in _get(path):
|
||||
zone = Zone(elem)
|
||||
try:
|
||||
records = _get(path)
|
||||
function = sys._getframe().f_code.co_name
|
||||
log_data = {
|
||||
"function": function,
|
||||
"message": "Retrieved Zones Successfully"
|
||||
}
|
||||
current_app.logger.debug(log_data)
|
||||
except Exception as e:
|
||||
records = _get(path)
|
||||
function = sys._getframe().f_code.co_name
|
||||
log_data = {
|
||||
"function": function,
|
||||
"message": "Failed to Retrieve Zone Data"
|
||||
}
|
||||
current_app.logger.debug(log_data)
|
||||
|
||||
for record in records:
|
||||
zone = Zone(record)
|
||||
if zone.kind == 'Master':
|
||||
zones.append(zone.name)
|
||||
return zones
|
||||
@ -80,14 +93,14 @@ def create_txt_record(domain, token, account_number):
|
||||
payload = {
|
||||
"rrsets": [
|
||||
{
|
||||
"name": f"{domain_id}",
|
||||
"name": domain_id,
|
||||
"type": "TXT",
|
||||
"ttl": "300",
|
||||
"ttl": 300,
|
||||
"changetype": "REPLACE",
|
||||
"records": [
|
||||
{
|
||||
"content": f"{token}",
|
||||
"disabled": "false"
|
||||
"content": f"\"{token}\"",
|
||||
"disabled": False
|
||||
}
|
||||
],
|
||||
"comments": []
|
||||
@ -105,7 +118,7 @@ def create_txt_record(domain, token, account_number):
|
||||
"message": "TXT record successfully created"
|
||||
}
|
||||
current_app.logger.debug(log_data)
|
||||
except requests.exceptions.RequestException as e:
|
||||
except Exception as e:
|
||||
function = sys._getframe().f_code.co_name
|
||||
log_data = {
|
||||
"function": function,
|
||||
@ -122,46 +135,36 @@ def create_txt_record(domain, token, account_number):
|
||||
|
||||
def wait_for_dns_change(change_id, account_number=None):
|
||||
"""
|
||||
Checks if changes have propagated to DNS
|
||||
Verifies both the authoritative DNS server and a public DNS server(Google <8.8.8.8> in our case)
|
||||
Checks the authoritative DNS Server to see if changes have propagated to DNS
|
||||
Retries and waits until successful.
|
||||
"""
|
||||
domain, token = change_id
|
||||
number_of_attempts = 20
|
||||
|
||||
nameserver = _get_authoritative_nameserver(domain)
|
||||
status = False
|
||||
zone_name = _get_zone_name(domain, account_number)
|
||||
nameserver = dnsutil.get_authoritative_nameserver(zone_name)
|
||||
record_found = False
|
||||
for attempts in range(0, number_of_attempts):
|
||||
status = _has_dns_propagated(domain, token, nameserver)
|
||||
function = sys._getframe().f_code.co_name
|
||||
log_data = {
|
||||
"function": function,
|
||||
"fqdn": domain,
|
||||
"status": status,
|
||||
"message": "Record status on UltraDNS authoritative server"
|
||||
}
|
||||
current_app.logger.debug(log_data)
|
||||
if status:
|
||||
time.sleep(10)
|
||||
txt_records = dnsutil.get_dns_records(domain, "TXT", nameserver)
|
||||
for txt_record in txt_records:
|
||||
if txt_record == token:
|
||||
record_found = True
|
||||
break
|
||||
if record_found:
|
||||
break
|
||||
time.sleep(10)
|
||||
if status:
|
||||
nameserver = _get_public_authoritative_nameserver()
|
||||
for attempts in range(0, number_of_attempts):
|
||||
status = _has_dns_propagated(domain, token, nameserver)
|
||||
function = sys._getframe().f_code.co_name
|
||||
log_data = {
|
||||
"function": function,
|
||||
"fqdn": domain,
|
||||
"status": status,
|
||||
"message": "Record status on Public DNS"
|
||||
}
|
||||
current_app.logger.debug(log_data)
|
||||
if status:
|
||||
metrics.send(f"{function}.success", "counter", 1)
|
||||
break
|
||||
time.sleep(10)
|
||||
if not status:
|
||||
|
||||
function = sys._getframe().f_code.co_name
|
||||
log_data = {
|
||||
"function": function,
|
||||
"fqdn": domain,
|
||||
"status": record_found,
|
||||
"message": "Record status on PowerDNS authoritative server"
|
||||
}
|
||||
current_app.logger.debug(log_data)
|
||||
|
||||
if record_found:
|
||||
metrics.send(f"{function}.success", "counter", 1, metric_tags={"fqdn": domain, "txt_record": token})
|
||||
else:
|
||||
metrics.send(f"{function}.fail", "counter", 1, metric_tags={"fqdn": domain, "txt_record": token})
|
||||
sentry.captureException(extra={"fqdn": str(domain), "txt_record": str(token)})
|
||||
|
||||
@ -176,14 +179,14 @@ def delete_txt_record(change_id, account_number, domain, token):
|
||||
payload = {
|
||||
"rrsets": [
|
||||
{
|
||||
"name": f"{domain_id}",
|
||||
"name": domain_id,
|
||||
"type": "TXT",
|
||||
"ttl": "300",
|
||||
"ttl": 300,
|
||||
"changetype": "DELETE",
|
||||
"records": [
|
||||
{
|
||||
"content": f"{token}",
|
||||
"disabled": "false"
|
||||
"content": f"\"{token}\"",
|
||||
"disabled": False
|
||||
}
|
||||
],
|
||||
"comments": []
|
||||
@ -201,7 +204,7 @@ def delete_txt_record(change_id, account_number, domain, token):
|
||||
"message": "TXT record successfully deleted"
|
||||
}
|
||||
current_app.logger.debug(log_data)
|
||||
except requests.exceptions.RequestException as e:
|
||||
except Exception as e:
|
||||
function = sys._getframe().f_code.co_name
|
||||
log_data = {
|
||||
"function": function,
|
||||
@ -217,7 +220,8 @@ def _generate_header():
|
||||
"""Generate a PowerDNS API header and return it as a dictionary"""
|
||||
api_key_name = current_app.config.get("ACME_POWERDNS_APIKEYNAME", "")
|
||||
api_key = current_app.config.get("ACME_POWERDNS_APIKEY", "")
|
||||
return {api_key_name: api_key}
|
||||
headers = {api_key_name: api_key}
|
||||
return headers
|
||||
|
||||
|
||||
def _get(path, params=None):
|
||||
@ -238,8 +242,8 @@ def _patch(path, payload):
|
||||
base_uri = current_app.config.get("ACME_POWERDNS_DOMAIN", "")
|
||||
resp = requests.patch(
|
||||
f"{base_uri}{path}",
|
||||
headers=_generate_header(),
|
||||
data=json.dumps(payload)
|
||||
data=json.dumps(payload),
|
||||
headers=_generate_header()
|
||||
)
|
||||
resp.raise_for_status()
|
||||
|
||||
@ -258,72 +262,3 @@ def _get_zone_name(domain, account_number):
|
||||
raise Exception(f"No PowerDNS zone found for domain: {domain}")
|
||||
return zone_name
|
||||
|
||||
|
||||
def _get_authoritative_nameserver(domain):
|
||||
"""Get the authoritative nameserver for the given domain"""
|
||||
n = dns.name.from_text(domain)
|
||||
|
||||
depth = 2
|
||||
default = dns.resolver.get_default_resolver()
|
||||
nameserver = default.nameservers[0]
|
||||
|
||||
last = False
|
||||
while not last:
|
||||
s = n.split(depth)
|
||||
|
||||
last = s[0].to_unicode() == u"@"
|
||||
sub = s[1]
|
||||
|
||||
query = dns.message.make_query(sub, dns.rdatatype.NS)
|
||||
response = dns.query.udp(query, nameserver)
|
||||
|
||||
rcode = response.rcode()
|
||||
if rcode != dns.rcode.NOERROR:
|
||||
function = sys._getframe().f_code.co_name
|
||||
metrics.send(f"{function}.error", "counter", 1)
|
||||
if rcode == dns.rcode.NXDOMAIN:
|
||||
raise Exception("%s does not exist." % sub)
|
||||
else:
|
||||
raise Exception("Error %s" % dns.rcode.to_text(rcode))
|
||||
|
||||
if len(response.authority) > 0:
|
||||
rrset = response.authority[0]
|
||||
else:
|
||||
rrset = response.answer[0]
|
||||
|
||||
rr = rrset[0]
|
||||
if rr.rdtype != dns.rdatatype.SOA:
|
||||
authority = rr.target
|
||||
nameserver = default.query(authority).rrset[0].to_text()
|
||||
|
||||
depth += 1
|
||||
|
||||
return nameserver
|
||||
|
||||
|
||||
def _get_public_authoritative_nameserver():
|
||||
return "8.8.8.8"
|
||||
|
||||
|
||||
def _has_dns_propagated(name, token, domain):
|
||||
"""Check whether the DNS change has propagated to the public DNS"""
|
||||
txt_records = []
|
||||
try:
|
||||
dns_resolver = dns.resolver.Resolver()
|
||||
dns_resolver.nameservers = [domain]
|
||||
dns_response = dns_resolver.query(name, "TXT")
|
||||
for rdata in dns_response:
|
||||
for txt_record in rdata.strings:
|
||||
txt_records.append(txt_record.decode("utf-8"))
|
||||
except dns.exception.DNSException:
|
||||
function = sys._getframe().f_code.co_name
|
||||
metrics.send(f"{function}.fail", "counter", 1)
|
||||
return False
|
||||
|
||||
for txt_record in txt_records:
|
||||
if txt_record == token:
|
||||
function = sys._getframe().f_code.co_name
|
||||
metrics.send(f"{function}.success", "counter", 1)
|
||||
return True
|
||||
|
||||
return False
|
||||
|
Loading…
Reference in New Issue
Block a user