437 lines
12 KiB
Python
437 lines
12 KiB
Python
import json
|
|
import sys
|
|
import time
|
|
|
|
import lemur.common.utils as utils
|
|
import lemur.dns_providers.util as dnsutil
|
|
import requests
|
|
from flask import current_app
|
|
from lemur.extensions import metrics, sentry
|
|
|
|
REQUIRED_VARIABLES = [
|
|
"ACME_POWERDNS_APIKEYNAME",
|
|
"ACME_POWERDNS_APIKEY",
|
|
"ACME_POWERDNS_DOMAIN",
|
|
]
|
|
|
|
|
|
class Zone:
|
|
"""
|
|
This class implements a PowerDNS zone in JSON.
|
|
"""
|
|
|
|
def __init__(self, _data):
|
|
self._data = _data
|
|
|
|
@property
|
|
def id(self):
|
|
""" Zone id, has a trailing "." at the end, which we manually remove. """
|
|
return self._data["id"][:-1]
|
|
|
|
@property
|
|
def name(self):
|
|
""" Zone name, has a trailing "." at the end, which we manually remove. """
|
|
return self._data["name"][:-1]
|
|
|
|
@property
|
|
def kind(self):
|
|
""" Indicates whether the zone is setup as a PRIMARY or SECONDARY """
|
|
return self._data["kind"]
|
|
|
|
|
|
class Record:
|
|
"""
|
|
This class implements a PowerDNS record.
|
|
"""
|
|
|
|
def __init__(self, _data):
|
|
self._data = _data
|
|
|
|
@property
|
|
def name(self):
|
|
return self._data["name"]
|
|
|
|
@property
|
|
def type(self):
|
|
return self._data["type"]
|
|
|
|
@property
|
|
def ttl(self):
|
|
return self._data["ttl"]
|
|
|
|
@property
|
|
def content(self):
|
|
return self._data["content"]
|
|
|
|
@property
|
|
def disabled(self):
|
|
return self._data["disabled"]
|
|
|
|
|
|
def get_zones(account_number):
|
|
"""
|
|
Retrieve authoritative zones from the PowerDNS API and return a list of zones
|
|
|
|
:param account_number:
|
|
:raise: Exception
|
|
:return: list of Zone Objects
|
|
"""
|
|
_check_conf()
|
|
server_id = current_app.config.get("ACME_POWERDNS_SERVERID", "localhost")
|
|
path = f"/api/v1/servers/{server_id}/zones"
|
|
zones = []
|
|
function = sys._getframe().f_code.co_name
|
|
log_data = {
|
|
"function": function
|
|
}
|
|
try:
|
|
records = _get(path)
|
|
log_data["message"] = "Retrieved Zones Successfully"
|
|
current_app.logger.debug(log_data)
|
|
|
|
except Exception as e:
|
|
sentry.captureException()
|
|
log_data["message"] = "Failed to Retrieve Zone Data"
|
|
current_app.logger.debug(log_data)
|
|
raise
|
|
|
|
for record in records:
|
|
zone = Zone(record)
|
|
if zone.kind == 'Master':
|
|
zones.append(zone.name)
|
|
return zones
|
|
|
|
|
|
def create_txt_record(domain, token, account_number):
|
|
"""
|
|
Create a TXT record for the given domain and token and return a change_id tuple
|
|
|
|
:param domain: FQDN
|
|
:param token: challenge value
|
|
:param account_number:
|
|
:return: tuple of domain/token
|
|
"""
|
|
_check_conf()
|
|
|
|
function = sys._getframe().f_code.co_name
|
|
log_data = {
|
|
"function": function,
|
|
"fqdn": domain,
|
|
"token": token,
|
|
}
|
|
|
|
# Create new record
|
|
domain_id = domain + "."
|
|
records = [Record({'name': domain_id, 'content': f"\"{token}\"", 'disabled': False})]
|
|
|
|
# Get current records
|
|
cur_records = _get_txt_records(domain)
|
|
for record in cur_records:
|
|
if record.content != token:
|
|
records.append(record)
|
|
|
|
try:
|
|
_patch_txt_records(domain, account_number, records)
|
|
log_data["message"] = "TXT record(s) successfully created"
|
|
current_app.logger.debug(log_data)
|
|
except Exception as e:
|
|
sentry.captureException()
|
|
log_data["Exception"] = e
|
|
log_data["message"] = "Unable to create TXT record(s)"
|
|
current_app.logger.debug(log_data)
|
|
|
|
change_id = (domain, token)
|
|
return change_id
|
|
|
|
|
|
def wait_for_dns_change(change_id, account_number=None):
|
|
"""
|
|
Checks the authoritative DNS Server to see if changes have propagated.
|
|
|
|
:param change_id: tuple of domain/token
|
|
:param account_number:
|
|
:return:
|
|
"""
|
|
_check_conf()
|
|
domain, token = change_id
|
|
number_of_attempts = current_app.config.get("ACME_POWERDNS_RETRIES", 3)
|
|
zone_name = _get_zone_name(domain, account_number)
|
|
nameserver = dnsutil.get_authoritative_nameserver(zone_name)
|
|
record_found = False
|
|
for attempts in range(0, number_of_attempts):
|
|
txt_records = dnsutil.get_dns_records(domain, "TXT", nameserver)
|
|
for txt_record in txt_records:
|
|
if txt_record == token:
|
|
record_found = True
|
|
break
|
|
if record_found:
|
|
break
|
|
time.sleep(10)
|
|
|
|
function = sys._getframe().f_code.co_name
|
|
log_data = {
|
|
"function": function,
|
|
"fqdn": domain,
|
|
"status": record_found,
|
|
"message": "Record status on PowerDNS authoritative server"
|
|
}
|
|
current_app.logger.debug(log_data)
|
|
|
|
if record_found:
|
|
metrics.send(f"{function}.success", "counter", 1, metric_tags={"fqdn": domain, "txt_record": token})
|
|
else:
|
|
metrics.send(f"{function}.fail", "counter", 1, metric_tags={"fqdn": domain, "txt_record": token})
|
|
|
|
|
|
def delete_txt_record(change_id, account_number, domain, token):
|
|
"""
|
|
Delete the TXT record for the given domain and token
|
|
|
|
:param change_id: tuple of domain/token
|
|
:param account_number:
|
|
:param domain: FQDN
|
|
:param token: challenge to delete
|
|
:return:
|
|
"""
|
|
_check_conf()
|
|
|
|
function = sys._getframe().f_code.co_name
|
|
log_data = {
|
|
"function": function,
|
|
"fqdn": domain,
|
|
"token": token,
|
|
}
|
|
|
|
"""
|
|
Get existing TXT records matching the domain from DNS
|
|
The token to be deleted should already exist
|
|
There may be other records with different tokens as well
|
|
"""
|
|
cur_records = _get_txt_records(domain)
|
|
found = False
|
|
new_records = []
|
|
for record in cur_records:
|
|
if record.content == f"\"{token}\"":
|
|
found = True
|
|
else:
|
|
new_records.append(record)
|
|
|
|
# Since the matching token is not in DNS, there is nothing to delete
|
|
if not found:
|
|
log_data["message"] = "Unable to delete TXT record: Token not found in existing TXT records"
|
|
current_app.logger.debug(log_data)
|
|
return
|
|
|
|
# The record to delete has been found AND there are other tokens set on the same domain
|
|
# Since we only want to delete one token value from the RRSet, we need to use the Patch command to
|
|
# overwrite the current RRSet with the existing records.
|
|
elif new_records:
|
|
try:
|
|
_patch_txt_records(domain, account_number, new_records)
|
|
log_data["message"] = "TXT record successfully deleted"
|
|
current_app.logger.debug(log_data)
|
|
except Exception as e:
|
|
sentry.captureException()
|
|
log_data["Exception"] = e
|
|
log_data["message"] = "Unable to delete TXT record: patching exception"
|
|
current_app.logger.debug(log_data)
|
|
|
|
# The record to delete has been found AND there are no other token values set on the same domain
|
|
# Use the Delete command to delete the whole RRSet.
|
|
else:
|
|
zone_name = _get_zone_name(domain, account_number)
|
|
server_id = current_app.config.get("ACME_POWERDNS_SERVERID", "localhost")
|
|
zone_id = zone_name + "."
|
|
domain_id = domain + "."
|
|
path = f"/api/v1/servers/{server_id}/zones/{zone_id}"
|
|
payload = {
|
|
"rrsets": [
|
|
{
|
|
"name": domain_id,
|
|
"type": "TXT",
|
|
"ttl": 300,
|
|
"changetype": "DELETE",
|
|
"records": [
|
|
{
|
|
"content": f"\"{token}\"",
|
|
"disabled": False
|
|
}
|
|
],
|
|
"comments": []
|
|
}
|
|
]
|
|
}
|
|
function = sys._getframe().f_code.co_name
|
|
log_data = {
|
|
"function": function,
|
|
"fqdn": domain,
|
|
"token": token
|
|
}
|
|
try:
|
|
_patch(path, payload)
|
|
log_data["message"] = "TXT record successfully deleted"
|
|
current_app.logger.debug(log_data)
|
|
except Exception as e:
|
|
sentry.captureException()
|
|
log_data["Exception"] = e
|
|
log_data["message"] = "Unable to delete TXT record"
|
|
current_app.logger.debug(log_data)
|
|
|
|
|
|
def _check_conf():
|
|
"""
|
|
Verifies required configuration variables are set
|
|
|
|
:return:
|
|
"""
|
|
utils.validate_conf(current_app, REQUIRED_VARIABLES)
|
|
|
|
|
|
def _generate_header():
|
|
"""
|
|
Generate a PowerDNS API header and return it as a dictionary
|
|
|
|
:return: Dict of header parameters
|
|
"""
|
|
api_key_name = current_app.config.get("ACME_POWERDNS_APIKEYNAME")
|
|
api_key = current_app.config.get("ACME_POWERDNS_APIKEY")
|
|
headers = {api_key_name: api_key}
|
|
return headers
|
|
|
|
|
|
def _get_zone_name(domain, account_number):
|
|
"""
|
|
Get most specific matching zone for the given domain and return as a String
|
|
|
|
:param domain: FQDN
|
|
:param account_number:
|
|
:return: FQDN of domain
|
|
"""
|
|
zones = get_zones(account_number)
|
|
zone_name = ""
|
|
for z in zones:
|
|
if domain.endswith(z):
|
|
if z.count(".") > zone_name.count("."):
|
|
zone_name = z
|
|
if not zone_name:
|
|
function = sys._getframe().f_code.co_name
|
|
log_data = {
|
|
"function": function,
|
|
"fqdn": domain,
|
|
"message": "No PowerDNS zone name found.",
|
|
}
|
|
metrics.send(f"{function}.fail", "counter", 1)
|
|
return zone_name
|
|
|
|
|
|
def _get_txt_records(domain):
|
|
"""
|
|
Retrieve TXT records for a given domain and return list of Record Objects
|
|
|
|
:param domain: FQDN
|
|
:return: list of Record objects
|
|
"""
|
|
server_id = current_app.config.get("ACME_POWERDNS_SERVERID", "localhost")
|
|
|
|
path = f"/api/v1/servers/{server_id}/search-data?q={domain}&max=100&object_type=record"
|
|
function = sys._getframe().f_code.co_name
|
|
log_data = {
|
|
"function": function
|
|
}
|
|
try:
|
|
records = _get(path)
|
|
log_data["message"] = "Retrieved TXT Records Successfully"
|
|
current_app.logger.debug(log_data)
|
|
|
|
except Exception as e:
|
|
sentry.captureException()
|
|
log_data["Exception"] = e
|
|
log_data["message"] = "Failed to Retrieve TXT Records"
|
|
current_app.logger.debug(log_data)
|
|
return []
|
|
|
|
txt_records = []
|
|
for record in records:
|
|
cur_record = Record(record)
|
|
txt_records.append(cur_record)
|
|
return txt_records
|
|
|
|
|
|
def _get(path, params=None):
|
|
"""
|
|
Execute a GET request on the given URL (base_uri + path) and return response as JSON object
|
|
|
|
:param path: Relative URL path
|
|
:param params: additional parameters
|
|
:return: json response
|
|
"""
|
|
base_uri = current_app.config.get("ACME_POWERDNS_DOMAIN")
|
|
verify_value = current_app.config.get("ACME_POWERDNS_VERIFY", True)
|
|
resp = requests.get(
|
|
f"{base_uri}{path}",
|
|
headers=_generate_header(),
|
|
params=params,
|
|
verify=verify_value
|
|
)
|
|
resp.raise_for_status()
|
|
return resp.json()
|
|
|
|
|
|
def _patch_txt_records(domain, account_number, records):
|
|
"""
|
|
Send Patch request to PowerDNS Server
|
|
|
|
:param domain: FQDN
|
|
:param account_number:
|
|
:param records: List of Record objects
|
|
:return:
|
|
"""
|
|
domain_id = domain + "."
|
|
|
|
# Create records
|
|
txt_records = []
|
|
for record in records:
|
|
txt_records.append(
|
|
{'content': record.content, 'disabled': record.disabled}
|
|
)
|
|
|
|
# Create RRSet
|
|
payload = {
|
|
"rrsets": [
|
|
{
|
|
"name": domain_id,
|
|
"type": "TXT",
|
|
"ttl": 300,
|
|
"changetype": "REPLACE",
|
|
"records": txt_records,
|
|
"comments": []
|
|
}
|
|
]
|
|
}
|
|
|
|
# Create Txt Records
|
|
server_id = current_app.config.get("ACME_POWERDNS_SERVERID", "localhost")
|
|
zone_name = _get_zone_name(domain, account_number)
|
|
zone_id = zone_name + "."
|
|
path = f"/api/v1/servers/{server_id}/zones/{zone_id}"
|
|
_patch(path, payload)
|
|
|
|
|
|
def _patch(path, payload):
|
|
"""
|
|
Execute a Patch request on the given URL (base_uri + path) with given payload
|
|
|
|
:param path:
|
|
:param payload:
|
|
:return:
|
|
"""
|
|
base_uri = current_app.config.get("ACME_POWERDNS_DOMAIN")
|
|
verify_value = current_app.config.get("ACME_POWERDNS_VERIFY", True)
|
|
resp = requests.patch(
|
|
f"{base_uri}{path}",
|
|
data=json.dumps(payload),
|
|
headers=_generate_header(),
|
|
verify=verify_value
|
|
)
|
|
resp.raise_for_status()
|