2016-11-02 16:33:57 +02:00
|
|
|
// Package azure implements a DNS provider for solving the DNS-01
|
|
|
|
// challenge using azure DNS.
|
|
|
|
// Azure doesn't like trailing dots on domain names, most of the acme code does.
|
|
|
|
package azure
|
|
|
|
|
|
|
|
import (
|
2018-02-14 22:28:02 +02:00
|
|
|
"context"
|
2018-06-11 17:32:50 +02:00
|
|
|
"errors"
|
2016-11-02 16:33:57 +02:00
|
|
|
"fmt"
|
2018-10-23 10:03:31 +02:00
|
|
|
"io/ioutil"
|
2018-09-15 19:07:24 +02:00
|
|
|
"net/http"
|
2018-05-30 19:53:04 +02:00
|
|
|
"strings"
|
2016-11-02 16:33:57 +02:00
|
|
|
"time"
|
|
|
|
|
2018-02-14 22:28:02 +02:00
|
|
|
"github.com/Azure/azure-sdk-for-go/services/dns/mgmt/2017-09-01/dns"
|
2017-05-03 16:53:59 +02:00
|
|
|
"github.com/Azure/go-autorest/autorest"
|
|
|
|
"github.com/Azure/go-autorest/autorest/adal"
|
2016-11-02 16:33:57 +02:00
|
|
|
"github.com/Azure/go-autorest/autorest/azure"
|
2018-10-23 10:03:31 +02:00
|
|
|
"github.com/Azure/go-autorest/autorest/azure/auth"
|
2016-11-02 16:33:57 +02:00
|
|
|
"github.com/Azure/go-autorest/autorest/to"
|
|
|
|
"github.com/xenolf/lego/acme"
|
2018-06-11 17:32:50 +02:00
|
|
|
"github.com/xenolf/lego/platform/config/env"
|
2016-11-02 16:33:57 +02:00
|
|
|
)
|
|
|
|
|
2018-10-23 10:03:31 +02:00
|
|
|
const defaultMetadataEndpoint = "http://169.254.169.254"
|
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
// Config is used to configure the creation of the DNSProvider
|
|
|
|
type Config struct {
|
2018-10-23 10:03:31 +02:00
|
|
|
// optional if using instance metadata service
|
|
|
|
ClientID string
|
|
|
|
ClientSecret string
|
|
|
|
TenantID string
|
|
|
|
|
|
|
|
SubscriptionID string
|
|
|
|
ResourceGroup string
|
|
|
|
|
|
|
|
MetadataEndpoint string
|
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
PropagationTimeout time.Duration
|
|
|
|
PollingInterval time.Duration
|
|
|
|
TTL int
|
|
|
|
HTTPClient *http.Client
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewDefaultConfig returns a default configuration for the DNSProvider
|
|
|
|
func NewDefaultConfig() *Config {
|
|
|
|
return &Config{
|
|
|
|
TTL: env.GetOrDefaultInt("AZURE_TTL", 60),
|
|
|
|
PropagationTimeout: env.GetOrDefaultSecond("AZURE_PROPAGATION_TIMEOUT", 2*time.Minute),
|
|
|
|
PollingInterval: env.GetOrDefaultSecond("AZURE_POLLING_INTERVAL", 2*time.Second),
|
2018-10-23 10:03:31 +02:00
|
|
|
MetadataEndpoint: env.GetOrFile("AZURE_METADATA_ENDPOINT"),
|
2018-09-15 19:07:24 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-11-02 16:33:57 +02:00
|
|
|
// DNSProvider is an implementation of the acme.ChallengeProvider interface
|
|
|
|
type DNSProvider struct {
|
2018-10-23 10:03:31 +02:00
|
|
|
config *Config
|
|
|
|
authorizer autorest.Authorizer
|
2016-11-02 16:33:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewDNSProvider returns a DNSProvider instance configured for azure.
|
2018-10-23 10:03:31 +02:00
|
|
|
// Credentials can be passed in the environment variables:
|
|
|
|
// AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_RESOURCE_GROUP
|
|
|
|
// If the credentials are _not_ set via the environment,
|
|
|
|
// then it will attempt to get a bearer token via the instance metadata service.
|
|
|
|
// see: https://github.com/Azure/go-autorest/blob/v10.14.0/autorest/azure/auth/auth.go#L38-L42
|
2016-11-02 16:33:57 +02:00
|
|
|
func NewDNSProvider() (*DNSProvider, error) {
|
2018-09-15 19:07:24 +02:00
|
|
|
config := NewDefaultConfig()
|
2018-10-23 10:03:31 +02:00
|
|
|
config.SubscriptionID = env.GetOrFile("AZURE_SUBSCRIPTION_ID")
|
|
|
|
config.ResourceGroup = env.GetOrFile("AZURE_RESOURCE_GROUP")
|
2018-09-15 19:07:24 +02:00
|
|
|
|
|
|
|
return NewDNSProviderConfig(config)
|
2016-11-02 16:33:57 +02:00
|
|
|
}
|
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
// NewDNSProviderCredentials uses the supplied credentials
|
|
|
|
// to return a DNSProvider instance configured for azure.
|
|
|
|
// Deprecated
|
2018-05-30 19:53:04 +02:00
|
|
|
func NewDNSProviderCredentials(clientID, clientSecret, subscriptionID, tenantID, resourceGroup string) (*DNSProvider, error) {
|
2018-09-15 19:07:24 +02:00
|
|
|
config := NewDefaultConfig()
|
|
|
|
config.ClientID = clientID
|
|
|
|
config.ClientSecret = clientSecret
|
|
|
|
config.TenantID = tenantID
|
2018-10-23 10:03:31 +02:00
|
|
|
config.SubscriptionID = subscriptionID
|
2018-09-15 19:07:24 +02:00
|
|
|
config.ResourceGroup = resourceGroup
|
|
|
|
|
|
|
|
return NewDNSProviderConfig(config)
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewDNSProviderConfig return a DNSProvider instance configured for Azure.
|
|
|
|
func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
|
|
|
|
if config == nil {
|
|
|
|
return nil, errors.New("azure: the configuration of the DNS provider is nil")
|
2016-11-02 16:33:57 +02:00
|
|
|
}
|
|
|
|
|
2018-10-23 10:03:31 +02:00
|
|
|
if config.HTTPClient == nil {
|
|
|
|
config.HTTPClient = http.DefaultClient
|
|
|
|
}
|
|
|
|
|
|
|
|
authorizer, err := getAuthorizer(config)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if config.SubscriptionID == "" {
|
|
|
|
subsID, err := getMetadata(config, "subscriptionId")
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("azure: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if subsID == "" {
|
|
|
|
return nil, errors.New("azure: SubscriptionID is missing")
|
|
|
|
}
|
|
|
|
config.SubscriptionID = subsID
|
|
|
|
}
|
|
|
|
|
|
|
|
if config.ResourceGroup == "" {
|
|
|
|
resGroup, err := getMetadata(config, "resourceGroupName")
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("azure: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if resGroup == "" {
|
|
|
|
return nil, errors.New("azure: ResourceGroup is missing")
|
|
|
|
}
|
|
|
|
config.ResourceGroup = resGroup
|
2018-09-15 19:07:24 +02:00
|
|
|
}
|
|
|
|
|
2018-10-23 10:03:31 +02:00
|
|
|
return &DNSProvider{config: config, authorizer: authorizer}, nil
|
2016-11-02 16:33:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Timeout returns the timeout and interval to use when checking for DNS
|
|
|
|
// propagation. Adjusting here to cope with spikes in propagation times.
|
2018-06-21 19:06:16 +02:00
|
|
|
func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
|
2018-09-15 19:07:24 +02:00
|
|
|
return d.config.PropagationTimeout, d.config.PollingInterval
|
2016-11-02 16:33:57 +02:00
|
|
|
}
|
|
|
|
|
2018-09-24 21:07:20 +02:00
|
|
|
// Present creates a TXT record to fulfill the dns-01 challenge
|
2018-06-21 19:06:16 +02:00
|
|
|
func (d *DNSProvider) Present(domain, token, keyAuth string) error {
|
2018-09-15 19:07:24 +02:00
|
|
|
ctx := context.Background()
|
2016-11-02 16:33:57 +02:00
|
|
|
fqdn, value, _ := acme.DNS01Record(domain, keyAuth)
|
2018-09-15 19:07:24 +02:00
|
|
|
|
|
|
|
zone, err := d.getHostedZoneID(ctx, fqdn)
|
2016-11-02 16:33:57 +02:00
|
|
|
if err != nil {
|
2018-09-15 19:07:24 +02:00
|
|
|
return fmt.Errorf("azure: %v", err)
|
2016-11-02 16:33:57 +02:00
|
|
|
}
|
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
rsc := dns.NewRecordSetsClient(d.config.SubscriptionID)
|
2018-10-23 10:03:31 +02:00
|
|
|
rsc.Authorizer = d.authorizer
|
2017-05-03 16:53:59 +02:00
|
|
|
|
2016-11-02 16:33:57 +02:00
|
|
|
relative := toRelativeRecord(fqdn, acme.ToFqdn(zone))
|
|
|
|
rec := dns.RecordSet{
|
|
|
|
Name: &relative,
|
2016-12-01 00:05:55 +02:00
|
|
|
RecordSetProperties: &dns.RecordSetProperties{
|
2018-09-15 19:07:24 +02:00
|
|
|
TTL: to.Int64Ptr(int64(d.config.TTL)),
|
2018-05-30 19:53:04 +02:00
|
|
|
TxtRecords: &[]dns.TxtRecord{{Value: &[]string{value}}},
|
2016-11-02 16:33:57 +02:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
_, err = rsc.CreateOrUpdate(ctx, d.config.ResourceGroup, zone, relative, dns.TXT, rec, "", "")
|
2018-09-20 23:18:13 +02:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("azure: %v", err)
|
|
|
|
}
|
|
|
|
return nil
|
2016-11-02 16:33:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// CleanUp removes the TXT record matching the specified parameters
|
2018-06-21 19:06:16 +02:00
|
|
|
func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
|
2018-09-15 19:07:24 +02:00
|
|
|
ctx := context.Background()
|
2016-11-02 16:33:57 +02:00
|
|
|
fqdn, _, _ := acme.DNS01Record(domain, keyAuth)
|
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
zone, err := d.getHostedZoneID(ctx, fqdn)
|
2016-11-02 16:33:57 +02:00
|
|
|
if err != nil {
|
2018-09-15 19:07:24 +02:00
|
|
|
return fmt.Errorf("azure: %v", err)
|
2016-11-02 16:33:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
relative := toRelativeRecord(fqdn, acme.ToFqdn(zone))
|
2018-09-15 19:07:24 +02:00
|
|
|
rsc := dns.NewRecordSetsClient(d.config.SubscriptionID)
|
2018-10-23 10:03:31 +02:00
|
|
|
rsc.Authorizer = d.authorizer
|
2018-05-30 19:53:04 +02:00
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
_, err = rsc.Delete(ctx, d.config.ResourceGroup, zone, relative, dns.TXT, "")
|
2018-09-20 23:18:13 +02:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("azure: %v", err)
|
|
|
|
}
|
|
|
|
return nil
|
2016-11-02 16:33:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Checks that azure has a zone for this domain name.
|
2018-09-15 19:07:24 +02:00
|
|
|
func (d *DNSProvider) getHostedZoneID(ctx context.Context, fqdn string) (string, error) {
|
2016-11-02 16:33:57 +02:00
|
|
|
authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
dc := dns.NewZonesClient(d.config.SubscriptionID)
|
2018-10-23 10:03:31 +02:00
|
|
|
dc.Authorizer = d.authorizer
|
2017-05-03 16:53:59 +02:00
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
zone, err := dc.Get(ctx, d.config.ResourceGroup, acme.UnFqdn(authZone))
|
2016-11-02 16:33:57 +02:00
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
// zone.Name shouldn't have a trailing dot(.)
|
|
|
|
return to.String(zone.Name), nil
|
|
|
|
}
|
|
|
|
|
2018-09-15 19:07:24 +02:00
|
|
|
// Returns the relative record to the domain
|
|
|
|
func toRelativeRecord(domain, zone string) string {
|
|
|
|
return acme.UnFqdn(strings.TrimSuffix(domain, zone))
|
2016-11-02 16:33:57 +02:00
|
|
|
}
|
2018-10-23 10:03:31 +02:00
|
|
|
|
|
|
|
func getAuthorizer(config *Config) (autorest.Authorizer, error) {
|
|
|
|
if config.ClientID != "" && config.ClientSecret != "" && config.TenantID != "" {
|
|
|
|
oauthConfig, err := adal.NewOAuthConfig(azure.PublicCloud.ActiveDirectoryEndpoint, config.TenantID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
spt, err := adal.NewServicePrincipalToken(*oauthConfig, config.ClientID, config.ClientSecret, azure.PublicCloud.ResourceManagerEndpoint)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
spt.SetSender(config.HTTPClient)
|
|
|
|
return autorest.NewBearerAuthorizer(spt), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return auth.NewAuthorizerFromEnvironment()
|
|
|
|
}
|
|
|
|
|
|
|
|
// Fetches metadata from environment or he instance metadata service
|
|
|
|
// borrowed from https://github.com/Microsoft/azureimds/blob/master/imdssample.go
|
|
|
|
func getMetadata(config *Config, field string) (string, error) {
|
|
|
|
metadataEndpoint := config.MetadataEndpoint
|
|
|
|
if len(metadataEndpoint) == 0 {
|
|
|
|
metadataEndpoint = defaultMetadataEndpoint
|
|
|
|
}
|
|
|
|
|
|
|
|
resource := fmt.Sprintf("%s/metadata/instance/compute/%s", metadataEndpoint, field)
|
|
|
|
req, err := http.NewRequest(http.MethodGet, resource, nil)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Header.Add("Metadata", "True")
|
|
|
|
|
|
|
|
q := req.URL.Query()
|
|
|
|
q.Add("format", "text")
|
|
|
|
q.Add("api-version", "2017-12-01")
|
|
|
|
req.URL.RawQuery = q.Encode()
|
|
|
|
|
|
|
|
resp, err := config.HTTPClient.Do(req)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
respBody, err := ioutil.ReadAll(resp.Body)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
return string(respBody[:]), nil
|
|
|
|
}
|