hendrik-hog/certbot-dns-corenetworks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Initial Version of plugin

Browse Source
This commit is contained in:
Matthias Bilger
2019-08-15 18:46:50 +02:00
commit 0b76e29b65
7 changed files with 700 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
certbot_dns_ispconfig/__init__.py Normal file
View File

@@ -0,0 +1,86 @@
"""
The `~certbot_dns_ispconfig.dns_ispconfig` plugin automates the process of
completing a ``dns-01`` challenge (`~acme.challenges.DNS01`) by creating, and
subsequently removing, TXT records using the ISPConfig REST API.
Named Arguments
---------------
======================================== =====================================
``--dns-ispconfig-credentials`` ISPConfig Remote API credentials_
INI file. (Required)
``--dns-ispconfig-propagation-seconds`` The number of seconds to wait for DNS
to propagate before asking the ACME
server to verify the DNS record.
(Default: 120)
======================================== =====================================
Credentials
-----------
Use of this plugin requires a configuration file containing ISPConfig Remote API
credentials, obtained from your DNSimple
`System > Remote Users`.
.. code-block:: ini
:name: credentials.ini
:caption: Example credentials file:
# ISPCONFIG API credentials used by Certbot
dns_ispconfig_username = myispremoteuser
dns_ispconfig_password = mysecretpassword
dns_ispconfig_endpoint = https://localhost:8080
The path to this file can be provided interactively or using the
``--dns-ispconfig-credentials`` command-line argument. Certbot records the path
to this file for use during renewal, but does not store the file's contents.
.. caution::
You should protect these API credentials as you would a password. Users who
can read this file can use these credentials to issue arbitrary API calls on
your behalf. Users who can cause Certbot to run using these credentials can
complete a ``dns-01`` challenge to acquire new certificates or revoke
existing certificates for associated domains, even if those domains aren't
being managed by this server.
Certbot will emit a warning if it detects that the credentials file can be
accessed by other users on your system. The warning reads "Unsafe permissions
on credentials configuration file", followed by the path to the credentials
file. This warning will be emitted each time Certbot uses the credentials file,
including for renewal, and cannot be silenced except by addressing the issue
(e.g., by using a command like ``chmod 600`` to restrict access to the file).
Examples
--------
.. code-block:: bash
:caption: To acquire a certificate for ``example.com``
certbot certonly \\
--dns-ispconfig \\
--dns-ispconfig-credentials ~/.secrets/certbot/ispconfig.ini \\
-d example.com
.. code-block:: bash
:caption: To acquire a single certificate for both ``example.com`` and
``www.example.com``
certbot certonly \\
--dns-ispconfig \\
--dns-ispconfig-credentials ~/.secrets/certbot/ispconfig.ini \\
-d example.com \\
-d www.example.com
.. code-block:: bash
:caption: To acquire a certificate for ``example.com``, waiting 240 seconds
for DNS propagation
certbot certonly \\
--dns-ispconfig \\
--dns-ispconfig-credentials ~/.secrets/certbot/ispconfig.ini \\
--dns-ispconfig-propagation-seconds 240 \\
-d example.com
"""

220
certbot_dns_ispconfig/dns_ispconfig.py Normal file
View File

@@ -0,0 +1,220 @@
"""DNS Authenticator for ISPConfig."""
import json
import logging
import requests
import zope.interface
from certbot import errors
from certbot import interfaces
from certbot.plugins import dns_common
logger = logging.getLogger(__name__)
@zope.interface.implementer(interfaces.IAuthenticator)
@zope.interface.provider(interfaces.IPluginFactory)
class Authenticator(dns_common.DNSAuthenticator):
"""DNS Authenticator for ISPConfig
This Authenticator uses the ISPConfig Remote REST API to fulfill a dns-01 challenge.
"""
description = ('Obtain certificates using a DNS TXT record (if you are using ISPConfig for DNS).')
ttl = 60
def __init__(self, *args, **kwargs):
super(Authenticator, self).__init__(*args, **kwargs)
self.credentials = None
@classmethod
def add_parser_arguments(cls, add): # pylint: disable=arguments-differ
super(Authenticator, cls).add_parser_arguments(add, default_propagation_seconds=120)
add('credentials', help='ISPConfig credentials INI file.')
def more_info(self): # pylint: disable=missing-docstring,no-self-use
return 'This plugin configures a DNS TXT record to respond to a dns-01 challenge using ' + \
'the ISPConfig Remote REST API.'
def _setup_credentials(self):
self.credentials = self._configure_credentials(
'credentials',
'ISPConfig credentials INI file',
{
'endpoint': 'URL of the ISPConfig Remote API.',
'username': 'Username for ISPConfig Remote API.',
'password': 'Password for ISPConfig Remote API.'
}
)
def _perform(self, domain, validation_name, validation):
self._get_ispconfig_client().add_txt_record(domain, validation_name, validation, self.ttl)
def _cleanup(self, domain, validation_name, validation):
self._get_ispconfig_client().del_txt_record(domain, validation_name, validation, self.ttl)
def _get_ispconfig_client(self):
return _ISPConfigClient(self.credentials.conf('endpoint'), self.credentials.conf('username'), self.credentials.conf('password'))
class _ISPConfigClient(object):
"""
Encapsulates all communication with the ISPConfig Remote REST API.
"""
def __init__(self, endpoint, username, password):
self.endpoint = endpoint
self.username = username
self.password = password
self.session = requests.Session()
self.session_id = None
def _login(self):
if self.session_id is not None:
return
logindata = {'username': self.username, 'password':self.password}
self.session_id = self._api_request('login', logindata)
def _api_request(self, action, data):
if self.session_id is not None:
data['session_id'] = self.session_id
resp = self.session.get(
self._get_url(action),
json=data
)
if resp.status_code != 200:
raise errors.PluginError('HTTP Error during login {0}'.format(resp.status_code))
try:
result = resp.json()
except:
raise errors.PluginError('API response with non JSON: {0}'.format(resp.text))
if (result['code'] == 'ok'):
return result['response']
elif (result['code'] == 'remote_fault'):
raise errors.PluginError('API response with an error: {0}'.format(result['message']))
else:
raise errors.PluginError('API response unknown {0}'.format(resp.text))
def _get_url(self, action):
return '{0}?{1}'.format(self.endpoint, action)
def _get_server_id(self, zone_id):
zone = self._api_request('dns_zone_get', {'primary_id': zone_id})
return zone['server_id']
def add_txt_record(self, domain, record_name, record_content, record_ttl):
"""
Add a TXT record using the supplied information.
:param str domain: The domain to use to look up the managed zone.
:param str record_name: The record name (typically beginning with '_acme-challenge.').
:param str record_content: The record content (typically the challenge validation).
:param int record_ttl: The record TTL (number of seconds that the record may be cached).
:raises certbot.errors.PluginError: if an error occurs communicating with the ISPConfig API
"""
self._login()
zone_id = self._find_managed_zone_id(domain)
if zone_id is None:
raise errors.PluginError("Domain not known")
record = self.get_existing_txt(zone_id, record_name)
if record is not None:
if record['data'] == record_content:
print('already there, id {0}'.format(record['id']))
return
else:
self._update_txt_record(zone_id, record['id'], record_name, record_content, record_ttl)
else:
self._insert_txt_record(zone_id, record_name, record_content, record_ttl)
def del_txt_record(self, domain, record_name, record_content, record_ttl):
"""
Delete a TXT record using the supplied information.
:param str domain: The domain to use to look up the managed zone.
:param str record_name: The record name (typically beginning with '_acme-challenge.').
:param str record_content: The record content (typically the challenge validation).
:param int record_ttl: The record TTL (number of seconds that the record may be cached).
:raises certbot.errors.PluginError: if an error occurs communicating with the ISPConfig API
"""
self._login()
zone_id = self._find_managed_zone_id(domain)
if zone_id is None:
raise errors.PluginError("Domain not known")
record = self.get_existing_txt(zone_id, record_name)
if record is not None:
if record['data'] == record_content:
self._delete_txt_record(record['id'])
def _prepare_rr_data(self, zone_id, record_name, record_content, record_ttl):
server_id = self._get_server_id(zone_id)
data = {
'client_id': None,
'rr_type': 'TXT',
'params':{
'server_id': server_id,
'name': record_name,
'active': 'Y',
'type': 'TXT',
'data': record_content,
'zone': zone_id,
'ttl': record_ttl,
'update_serial':False,
},
}
return data
def _insert_txt_record(self, zone_id, record_name, record_content, record_ttl):
data = self._prepare_rr_data(zone_id, record_name, record_content, record_ttl)
result = self._api_request('dns_txt_add', data)
def _update_txt_record(self, zone_id, primary_id, record_name, record_content, record_ttl):
data = self._prepare_rr_data(zone_id, record_name, record_content, record_ttl)
data['primary_id'] = primary_id
result = self._api_request('dns_txt_update', data)
def _delete_txt_record(self, primary_id):
data = { 'primary_id': primary_id }
result = self._api_request('dns_txt_delete', data)
def _find_managed_zone_id(self, domain):
"""
Find the managed zone for a given domain.
:param str domain: The domain for which to find the managed zone.
:returns: The ID of the managed zone, if found.
:rtype: str
:raises certbot.errors.PluginError: if the managed zone cannot be found.
"""
zone_dns_name_guesses = dns_common.base_domain_name_guesses(domain)
for zone_name in zone_dns_name_guesses:
#get the zone id
try:
zone_id = self._api_request('dns_zone_get_id', {'origin': zone_name})
return zone_id
except errors.PluginError as e:
pass
return None
def get_existing_txt(self, zone_id, record_name):
"""
Get existing TXT records from the RRset for the record name.
If an error occurs while requesting the record set, it is suppressed
and None is returned.
:param str zone_id: The ID of the managed zone.
:param str record_name: The record name (typically beginning with '_acme-challenge.').
:returns: TXT record value or None
:rtype: `string` or `None`
"""
self._login()
read_zone_data = {'zone_id': zone_id}
zone_data = self._api_request('dns_rr_get_all_by_zone', read_zone_data)
for entry in zone_data:
if entry['name'] == record_name and entry['type'] == 'TXT':
return entry
return None

137
certbot_dns_ispconfig/dns_ispconfig_test.py Normal file
View File

@@ -0,0 +1,137 @@
"""Tests for certbot_dns_ispconfig.dns_ispconfig."""
import unittest
import mock
import json
import requests_mock
from certbot import errors
from certbot.compat import os
from certbot.errors import PluginError
from certbot.plugins import dns_test_common
from certbot.plugins.dns_test_common import DOMAIN
from certbot.tests import util as test_util
FAKE_USER = "remoteuser"
FAKE_PW = "password"
FAKE_ENDPOINT = 'mock://endpoint'
class AuthenticatorTest(test_util.TempDirTestCase, dns_test_common.BaseAuthenticatorTest):
def setUp(self):
super(AuthenticatorTest, self).setUp()
from certbot_dns_ispconfig.dns_ispconfig import Authenticator
path = os.path.join(self.tempdir, 'file.ini')
dns_test_common.write({
"ispconfig_username": FAKE_USER,
"ispconfig_password": FAKE_PW,
"ispconfig_endpoint": FAKE_ENDPOINT,
}, path)
super(AuthenticatorTest, self).setUp()
self.config = mock.MagicMock(ispconfig_credentials=path,
ispconfig_propagation_seconds=0) # don't wait during tests
self.auth = Authenticator(self.config, "ispconfig")
self.mock_client = mock.MagicMock()
# _get_ispconfig_client | pylint: disable=protected-access
self.auth._get_ispconfig_client = mock.MagicMock(return_value=self.mock_client)
def test_perform(self):
self.auth.perform([self.achall])
expected = [mock.call.add_txt_record(DOMAIN, '_acme-challenge.'+DOMAIN, mock.ANY, mock.ANY)]
self.assertEqual(expected, self.mock_client.mock_calls)
def test_cleanup(self):
# _attempt_cleanup | pylint: disable=protected-access
self.auth._attempt_cleanup = True
self.auth.cleanup([self.achall])
expected = [mock.call.del_txt_record(DOMAIN, '_acme-challenge.'+DOMAIN, mock.ANY, mock.ANY)]
self.assertEqual(expected, self.mock_client.mock_calls)
class ISPConfigClientTest(unittest.TestCase):
record_name = "foo"
record_content = "bar"
record_ttl = 42
def setUp(self):
from certbot_dns_ispconfig.dns_ispconfig import _ISPConfigClient
self.adapter = requests_mock.Adapter()
self.client = _ISPConfigClient(FAKE_ENDPOINT, FAKE_USER, FAKE_PW)
self.client.session.mount('mock', self.adapter)
def _register_response(self, ep_id, response=None, message=None, additional_matcher=None, **kwargs):
resp = {"code":"ok",
"message":message,
"response":response}
if message is not None:
resp['code'] = "remote_failure"
def add_matcher(request):
data = json.loads(request.text)
add_result = True
if additional_matcher is not None:
add_result = additionsal_matcher(request)
return ((('username' in data and data['username'] == FAKE_USER) and
('username' in data and data['password'] == FAKE_PW)) or
data['session_id'] == 'FAKE_SESSION') and add_result
self.adapter.register_uri(
requests_mock.ANY,
'{0}?{1}'.format(FAKE_ENDPOINT, ep_id),
text=json.dumps(resp),
additional_matcher=add_matcher,
**kwargs
)
def test_add_txt_record(self):
if request_mock.__version__ < '1.6.0'
self._register_response('login', response='FAKE_SESSION')
self._register_response('dns_zone_get_id', response=23)
self._register_response('dns_txt_add', response=99)
self._register_response('dns_zone_get', response={'zone_id': 102, 'server_id': 1})
self._register_response('dns_rr_get_all_by_zone', response=[])
self.client.add_txt_record(DOMAIN, self.record_name, self.record_content, self.record_ttl)
def test_add_txt_record_fail_to_find_domain(self):
self._register_response('login', response='FAKE_SESSION')
self._register_response('dns_zone_get_id', message='Not Found')
with self.assertRaises(errors.PluginError) as context:
self.client.add_txt_record(DOMAIN, self.record_name, self.record_content, self.record_ttl)
def test_add_txt_record_fail_to_authenticate(self):
self._register_response('login', message='FAILED')
with self.assertRaises(errors.PluginError) as context:
self.client.add_txt_record(DOMAIN, self.record_name, self.record_content, self.record_ttl)
def test_del_txt_record(self):
self._register_response('login', response='FAKE_SESSION')
self._register_response('dns_zone_get_id', response=23)
self._register_response('dns_rr_get_all_by_zone', response=[])
self._register_response('dns_txt_delete', response='')
self.client.del_txt_record(DOMAIN, self.record_name, self.record_content, self.record_ttl)
def test_del_txt_record_fail_to_find_domain(self):
self._register_response('login', response='FAKE_SESSION')
self._register_response('dns_zone_get_id', message='Not Found')
with self.assertRaises(errors.PluginError) as context:
self.client.del_txt_record(DOMAIN, self.record_name, self.record_content, self.record_ttl)
def test_del_txt_record_fail_to_authenticate(self):
self._register_response('login', message='FAILED')
with self.assertRaises(errors.PluginError) as context:
self.client.del_txt_record(DOMAIN, self.record_name, self.record_content, self.record_ttl)
if __name__ == "__main__":
unittest.main() # pragma: no cover