traefik/vendor/github.com/xenolf/lego/providers/dns/otc/otc.go

// Package otc implements a DNS provider for solving the DNS-01 challenge
// using Open Telekom Cloud Managed DNS.
package otc

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"os"
	"time"

	"github.com/xenolf/lego/acme"
)

// DNSProvider is an implementation of the acme.ChallengeProvider interface that uses
// OTC's Managed DNS API to manage TXT records for a domain.
type DNSProvider struct {
	identityEndpoint string
	otcBaseURL       string
	domainName       string
	projectName      string
	userName         string
	password         string
	token            string
}

// NewDNSProvider returns a DNSProvider instance configured for OTC DNS.
// Credentials must be passed in the environment variables: OTC_USER_NAME,
// OTC_DOMAIN_NAME, OTC_PASSWORD OTC_PROJECT_NAME and OTC_IDENTITY_ENDPOINT.
func NewDNSProvider() (*DNSProvider, error) {
	domainName := os.Getenv("OTC_DOMAIN_NAME")
	userName := os.Getenv("OTC_USER_NAME")
	password := os.Getenv("OTC_PASSWORD")
	projectName := os.Getenv("OTC_PROJECT_NAME")
	identityEndpoint := os.Getenv("OTC_IDENTITY_ENDPOINT")
	return NewDNSProviderCredentials(domainName, userName, password, projectName, identityEndpoint)
}

// NewDNSProviderCredentials uses the supplied credentials to return a
// DNSProvider instance configured for OTC DNS.
func NewDNSProviderCredentials(domainName, userName, password, projectName, identityEndpoint string) (*DNSProvider, error) {
	if domainName == "" || userName == "" || password == "" || projectName == "" {
		return nil, fmt.Errorf("OTC credentials missing")
	}

	if identityEndpoint == "" {
		identityEndpoint = "https://iam.eu-de.otc.t-systems.com:443/v3/auth/tokens"
	}

	return &DNSProvider{
		identityEndpoint: identityEndpoint,
		domainName:       domainName,
		userName:         userName,
		password:         password,
		projectName:      projectName,
	}, nil
}

func (d *DNSProvider) SendRequest(method, resource string, payload interface{}) (io.Reader, error) {
	url := fmt.Sprintf("%s/%s", d.otcBaseURL, resource)

	body, err := json.Marshal(payload)
	if err != nil {
		return nil, err
	}

	req, err := http.NewRequest(method, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	if len(d.token) > 0 {
		req.Header.Set("X-Auth-Token", d.token)
	}

	// Workaround for keep alive bug in otc api
	tr := http.DefaultTransport.(*http.Transport)
	tr.DisableKeepAlives = true

	client := &http.Client{
		Timeout:   time.Duration(10 * time.Second),
		Transport: tr,
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	if resp.StatusCode >= 400 {
		return nil, fmt.Errorf("OTC API request %s failed with HTTP status code %d", url, resp.StatusCode)
	}

	body1, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}

	return bytes.NewReader(body1), nil
}

func (d *DNSProvider) loginRequest() error {
	type nameResponse struct {
		Name string `json:"name"`
	}

	type userResponse struct {
		Name     string       `json:"name"`
		Password string       `json:"password"`
		Domain   nameResponse `json:"domain"`
	}

	type passwordResponse struct {
		User userResponse `json:"user"`
	}
	type identityResponse struct {
		Methods  []string         `json:"methods"`
		Password passwordResponse `json:"password"`
	}

	type scopeResponse struct {
		Project nameResponse `json:"project"`
	}

	type authResponse struct {
		Identity identityResponse `json:"identity"`
		Scope    scopeResponse    `json:"scope"`
	}

	type loginResponse struct {
		Auth authResponse `json:"auth"`
	}

	userResp := userResponse{
		Name:     d.userName,
		Password: d.password,
		Domain: nameResponse{
			Name: d.domainName,
		},
	}

	loginResp := loginResponse{
		Auth: authResponse{
			Identity: identityResponse{
				Methods: []string{"password"},
				Password: passwordResponse{
					User: userResp,
				},
			},
			Scope: scopeResponse{
				Project: nameResponse{
					Name: d.projectName,
				},
			},
		},
	}

	body, err := json.Marshal(loginResp)
	if err != nil {
		return err
	}
	req, err := http.NewRequest("POST", d.identityEndpoint, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")

	client := &http.Client{Timeout: time.Duration(10 * time.Second)}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()

	if resp.StatusCode >= 400 {
		return fmt.Errorf("OTC API request failed with HTTP status code %d", resp.StatusCode)
	}

	d.token = resp.Header.Get("X-Subject-Token")

	if d.token == "" {
		return fmt.Errorf("unable to get auth token")
	}

	type endpointResponse struct {
		Token struct {
			Catalog []struct {
				Type      string `json:"type"`
				Endpoints []struct {
					URL string `json:"url"`
				} `json:"endpoints"`
			} `json:"catalog"`
		} `json:"token"`
	}
	var endpointResp endpointResponse

	err = json.NewDecoder(resp.Body).Decode(&endpointResp)
	if err != nil {
		return err
	}

	for _, v := range endpointResp.Token.Catalog {
		if v.Type == "dns" {
			for _, endpoint := range v.Endpoints {
				d.otcBaseURL = fmt.Sprintf("%s/v2", endpoint.URL)
				continue
			}
		}
	}

	if d.otcBaseURL == "" {
		return fmt.Errorf("unable to get dns endpoint")
	}

	return nil
}

// Starts a new OTC API Session. Authenticates using userName, password
// and receives a token to be used in for subsequent requests.
func (d *DNSProvider) login() error {
	err := d.loginRequest()
	if err != nil {
		return err
	}

	return nil
}

func (d *DNSProvider) getZoneID(zone string) (string, error) {
	type zoneItem struct {
		ID string `json:"id"`
	}

	type zonesResponse struct {
		Zones []zoneItem `json:"zones"`
	}

	resource := fmt.Sprintf("zones?name=%s", zone)
	resp, err := d.SendRequest("GET", resource, nil)
	if err != nil {
		return "", err
	}

	var zonesRes zonesResponse
	err = json.NewDecoder(resp).Decode(&zonesRes)
	if err != nil {
		return "", err
	}

	if len(zonesRes.Zones) < 1 {
		return "", fmt.Errorf("zone %s not found", zone)
	}

	if len(zonesRes.Zones) > 1 {
		return "", fmt.Errorf("to many zones found")
	}

	if zonesRes.Zones[0].ID == "" {
		return "", fmt.Errorf("id not found")
	}

	return zonesRes.Zones[0].ID, nil
}

func (d *DNSProvider) getRecordSetID(zoneID string, fqdn string) (string, error) {
	type recordSet struct {
		ID string `json:"id"`
	}

	type recordSetsResponse struct {
		RecordSets []recordSet `json:"recordsets"`
	}

	resource := fmt.Sprintf("zones/%s/recordsets?type=TXT&name=%s", zoneID, fqdn)
	resp, err := d.SendRequest("GET", resource, nil)
	if err != nil {
		return "", err
	}

	var recordSetsRes recordSetsResponse
	err = json.NewDecoder(resp).Decode(&recordSetsRes)
	if err != nil {
		return "", err
	}

	if len(recordSetsRes.RecordSets) < 1 {
		return "", fmt.Errorf("record not found")
	}

	if len(recordSetsRes.RecordSets) > 1 {
		return "", fmt.Errorf("to many records found")
	}

	if recordSetsRes.RecordSets[0].ID == "" {
		return "", fmt.Errorf("id not found")
	}

	return recordSetsRes.RecordSets[0].ID, nil
}

func (d *DNSProvider) deleteRecordSet(zoneID, recordID string) error {
	resource := fmt.Sprintf("zones/%s/recordsets/%s", zoneID, recordID)

	_, err := d.SendRequest("DELETE", resource, nil)
	if err != nil {
		return err
	}
	return nil
}

// Present creates a TXT record using the specified parameters
func (d *DNSProvider) Present(domain, token, keyAuth string) error {
	fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)

	if ttl < 300 {
		ttl = 300 // 300 is otc minimum value for ttl
	}

	authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
	if err != nil {
		return err
	}

	err = d.login()
	if err != nil {
		return err
	}

	zoneID, err := d.getZoneID(authZone)
	if err != nil {
		return fmt.Errorf("unable to get zone: %s", err)
	}

	resource := fmt.Sprintf("zones/%s/recordsets", zoneID)

	type recordset struct {
		Name        string   `json:"name"`
		Description string   `json:"description"`
		Type        string   `json:"type"`
		Ttl         int      `json:"ttl"`
		Records     []string `json:"records"`
	}

	r1 := &recordset{
		Name:        fqdn,
		Description: "Added TXT record for ACME dns-01 challenge using lego client",
		Type:        "TXT",
		Ttl:         300,
		Records:     []string{fmt.Sprintf("\"%s\"", value)},
	}
	_, err = d.SendRequest("POST", resource, r1)

	if err != nil {
		return err
	}

	return nil
}

// CleanUp removes the TXT record matching the specified parameters
func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
	fqdn, _, _ := acme.DNS01Record(domain, keyAuth)

	authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)
	if err != nil {
		return err
	}

	err = d.login()
	if err != nil {
		return err
	}

	zoneID, err := d.getZoneID(authZone)

	if err != nil {
		return err
	}

	recordID, err := d.getRecordSetID(zoneID, fqdn)
	if err != nil {
		return fmt.Errorf("unable go get record %s for zone %s: %s", fqdn, domain, err)
	}
	return d.deleteRecordSet(zoneID, recordID)
}
Update github.com/xenolf/lego to 0.4.1 2017-10-31 09:42:03 +00:00			`// Package otc implements a DNS provider for solving the DNS-01 challenge`
			`// using Open Telekom Cloud Managed DNS.`
			`package otc`

			`import (`
			`"bytes"`
			`"encoding/json"`
			`"fmt"`
			`"io"`
			`"io/ioutil"`
			`"net/http"`
			`"os"`
			`"time"`

			`"github.com/xenolf/lego/acme"`
			`)`

			`// DNSProvider is an implementation of the acme.ChallengeProvider interface that uses`
			`// OTC's Managed DNS API to manage TXT records for a domain.`
			`type DNSProvider struct {`
			`identityEndpoint string`
			`otcBaseURL string`
			`domainName string`
			`projectName string`
			`userName string`
			`password string`
			`token string`
			`}`

			`// NewDNSProvider returns a DNSProvider instance configured for OTC DNS.`
			`// Credentials must be passed in the environment variables: OTC_USER_NAME,`
			`// OTC_DOMAIN_NAME, OTC_PASSWORD OTC_PROJECT_NAME and OTC_IDENTITY_ENDPOINT.`
			`func NewDNSProvider() (*DNSProvider, error) {`
			`domainName := os.Getenv("OTC_DOMAIN_NAME")`
			`userName := os.Getenv("OTC_USER_NAME")`
			`password := os.Getenv("OTC_PASSWORD")`
			`projectName := os.Getenv("OTC_PROJECT_NAME")`
			`identityEndpoint := os.Getenv("OTC_IDENTITY_ENDPOINT")`
			`return NewDNSProviderCredentials(domainName, userName, password, projectName, identityEndpoint)`
			`}`

			`// NewDNSProviderCredentials uses the supplied credentials to return a`
			`// DNSProvider instance configured for OTC DNS.`
			`func NewDNSProviderCredentials(domainName, userName, password, projectName, identityEndpoint string) (*DNSProvider, error) {`
			`if domainName == "" \|\| userName == "" \|\| password == "" \|\| projectName == "" {`
			`return nil, fmt.Errorf("OTC credentials missing")`
			`}`

			`if identityEndpoint == "" {`
			`identityEndpoint = "https://iam.eu-de.otc.t-systems.com:443/v3/auth/tokens"`
			`}`

			`return &DNSProvider{`
			`identityEndpoint: identityEndpoint,`
			`domainName: domainName,`
			`userName: userName,`
			`password: password,`
			`projectName: projectName,`
			`}, nil`
			`}`

			`func (d *DNSProvider) SendRequest(method, resource string, payload interface{}) (io.Reader, error) {`
			`url := fmt.Sprintf("%s/%s", d.otcBaseURL, resource)`

			`body, err := json.Marshal(payload)`
			`if err != nil {`
			`return nil, err`
			`}`

			`req, err := http.NewRequest(method, url, bytes.NewReader(body))`
			`if err != nil {`
			`return nil, err`
			`}`
			`req.Header.Set("Content-Type", "application/json")`
			`if len(d.token) > 0 {`
			`req.Header.Set("X-Auth-Token", d.token)`
			`}`

			`// Workaround for keep alive bug in otc api`
			`tr := http.DefaultTransport.(*http.Transport)`
			`tr.DisableKeepAlives = true`

			`client := &http.Client{`
			`Timeout: time.Duration(10 * time.Second),`
			`Transport: tr,`
			`}`
			`resp, err := client.Do(req)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer resp.Body.Close()`

			`if resp.StatusCode >= 400 {`
			`return nil, fmt.Errorf("OTC API request %s failed with HTTP status code %d", url, resp.StatusCode)`
			`}`

			`body1, err := ioutil.ReadAll(resp.Body)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return bytes.NewReader(body1), nil`
			`}`

			`func (d *DNSProvider) loginRequest() error {`
			`type nameResponse struct {`
			Name string `json:"name"`
			`}`

			`type userResponse struct {`
			Name string `json:"name"`
			Password string `json:"password"`
			Domain nameResponse `json:"domain"`
			`}`

			`type passwordResponse struct {`
			User userResponse `json:"user"`
			`}`
			`type identityResponse struct {`
			Methods []string `json:"methods"`
			Password passwordResponse `json:"password"`
			`}`

			`type scopeResponse struct {`
			Project nameResponse `json:"project"`
			`}`

			`type authResponse struct {`
			Identity identityResponse `json:"identity"`
			Scope scopeResponse `json:"scope"`
			`}`

			`type loginResponse struct {`
			Auth authResponse `json:"auth"`
			`}`

			`userResp := userResponse{`
			`Name: d.userName,`
			`Password: d.password,`
			`Domain: nameResponse{`
			`Name: d.domainName,`
			`},`
			`}`

			`loginResp := loginResponse{`
			`Auth: authResponse{`
			`Identity: identityResponse{`
			`Methods: []string{"password"},`
			`Password: passwordResponse{`
			`User: userResp,`
			`},`
			`},`
			`Scope: scopeResponse{`
			`Project: nameResponse{`
			`Name: d.projectName,`
			`},`
			`},`
			`},`
			`}`

			`body, err := json.Marshal(loginResp)`
			`if err != nil {`
			`return err`
			`}`
			`req, err := http.NewRequest("POST", d.identityEndpoint, bytes.NewReader(body))`
			`if err != nil {`
			`return err`
			`}`
			`req.Header.Set("Content-Type", "application/json")`

			`client := &http.Client{Timeout: time.Duration(10 * time.Second)}`
			`resp, err := client.Do(req)`
			`if err != nil {`
			`return err`
			`}`
			`defer resp.Body.Close()`

			`if resp.StatusCode >= 400 {`
			`return fmt.Errorf("OTC API request failed with HTTP status code %d", resp.StatusCode)`
			`}`

			`d.token = resp.Header.Get("X-Subject-Token")`

			`if d.token == "" {`
			`return fmt.Errorf("unable to get auth token")`
			`}`

			`type endpointResponse struct {`
			`Token struct {`
			`Catalog []struct {`
			Type string `json:"type"`
			`Endpoints []struct {`
			URL string `json:"url"`
			} `json:"endpoints"`
			} `json:"catalog"`
			} `json:"token"`
			`}`
			`var endpointResp endpointResponse`

			`err = json.NewDecoder(resp.Body).Decode(&endpointResp)`
			`if err != nil {`
			`return err`
			`}`

			`for _, v := range endpointResp.Token.Catalog {`
			`if v.Type == "dns" {`
			`for _, endpoint := range v.Endpoints {`
			`d.otcBaseURL = fmt.Sprintf("%s/v2", endpoint.URL)`
			`continue`
			`}`
			`}`
			`}`

			`if d.otcBaseURL == "" {`
			`return fmt.Errorf("unable to get dns endpoint")`
			`}`

			`return nil`
			`}`

			`// Starts a new OTC API Session. Authenticates using userName, password`
			`// and receives a token to be used in for subsequent requests.`
			`func (d *DNSProvider) login() error {`
			`err := d.loginRequest()`
			`if err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

			`func (d *DNSProvider) getZoneID(zone string) (string, error) {`
			`type zoneItem struct {`
			ID string `json:"id"`
			`}`

			`type zonesResponse struct {`
			Zones []zoneItem `json:"zones"`
			`}`

			`resource := fmt.Sprintf("zones?name=%s", zone)`
			`resp, err := d.SendRequest("GET", resource, nil)`
			`if err != nil {`
			`return "", err`
			`}`

			`var zonesRes zonesResponse`
			`err = json.NewDecoder(resp).Decode(&zonesRes)`
			`if err != nil {`
			`return "", err`
			`}`

			`if len(zonesRes.Zones) < 1 {`
			`return "", fmt.Errorf("zone %s not found", zone)`
			`}`

			`if len(zonesRes.Zones) > 1 {`
			`return "", fmt.Errorf("to many zones found")`
			`}`

			`if zonesRes.Zones[0].ID == "" {`
			`return "", fmt.Errorf("id not found")`
			`}`

			`return zonesRes.Zones[0].ID, nil`
			`}`

			`func (d *DNSProvider) getRecordSetID(zoneID string, fqdn string) (string, error) {`
			`type recordSet struct {`
			ID string `json:"id"`
			`}`

			`type recordSetsResponse struct {`
			RecordSets []recordSet `json:"recordsets"`
			`}`

			`resource := fmt.Sprintf("zones/%s/recordsets?type=TXT&name=%s", zoneID, fqdn)`
			`resp, err := d.SendRequest("GET", resource, nil)`
			`if err != nil {`
			`return "", err`
			`}`

			`var recordSetsRes recordSetsResponse`
			`err = json.NewDecoder(resp).Decode(&recordSetsRes)`
			`if err != nil {`
			`return "", err`
			`}`

			`if len(recordSetsRes.RecordSets) < 1 {`
			`return "", fmt.Errorf("record not found")`
			`}`

			`if len(recordSetsRes.RecordSets) > 1 {`
			`return "", fmt.Errorf("to many records found")`
			`}`

			`if recordSetsRes.RecordSets[0].ID == "" {`
			`return "", fmt.Errorf("id not found")`
			`}`

			`return recordSetsRes.RecordSets[0].ID, nil`
			`}`

			`func (d *DNSProvider) deleteRecordSet(zoneID, recordID string) error {`
			`resource := fmt.Sprintf("zones/%s/recordsets/%s", zoneID, recordID)`

			`_, err := d.SendRequest("DELETE", resource, nil)`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`

			`// Present creates a TXT record using the specified parameters`
			`func (d *DNSProvider) Present(domain, token, keyAuth string) error {`
			`fqdn, value, ttl := acme.DNS01Record(domain, keyAuth)`

			`if ttl < 300 {`
			`ttl = 300 // 300 is otc minimum value for ttl`
			`}`

			`authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)`
			`if err != nil {`
			`return err`
			`}`

			`err = d.login()`
			`if err != nil {`
			`return err`
			`}`

			`zoneID, err := d.getZoneID(authZone)`
			`if err != nil {`
			`return fmt.Errorf("unable to get zone: %s", err)`
			`}`

			`resource := fmt.Sprintf("zones/%s/recordsets", zoneID)`

			`type recordset struct {`
			Name string `json:"name"`
			Description string `json:"description"`
			Type string `json:"type"`
			Ttl int `json:"ttl"`
			Records []string `json:"records"`
			`}`

			`r1 := &recordset{`
			`Name: fqdn,`
			`Description: "Added TXT record for ACME dns-01 challenge using lego client",`
			`Type: "TXT",`
			`Ttl: 300,`
			`Records: []string{fmt.Sprintf("\"%s\"", value)},`
			`}`
			`_, err = d.SendRequest("POST", resource, r1)`

			`if err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

			`// CleanUp removes the TXT record matching the specified parameters`
			`func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {`
			`fqdn, _, _ := acme.DNS01Record(domain, keyAuth)`

			`authZone, err := acme.FindZoneByFqdn(fqdn, acme.RecursiveNameservers)`
			`if err != nil {`
			`return err`
			`}`

			`err = d.login()`
			`if err != nil {`
			`return err`
			`}`

			`zoneID, err := d.getZoneID(authZone)`

			`if err != nil {`
			`return err`
			`}`

			`recordID, err := d.getRecordSetID(zoneID, fqdn)`
			`if err != nil {`
			`return fmt.Errorf("unable go get record %s for zone %s: %s", fqdn, domain, err)`
			`}`
			`return d.deleteRecordSet(zoneID, recordID)`
			`}`