You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

327 lines
9.7 KiB

  1. #!/usr/bin/env sh
  2. ########
  3. # Custom cyon.ch DNS API for use with [acme.sh](https://github.com/Neilpang/acme.sh)
  4. #
  5. # Usage: acme.sh --issue --dns dns_cyon -d www.domain.com
  6. #
  7. # Dependencies:
  8. # -------------
  9. # - oathtool (When using 2 Factor Authentication)
  10. #
  11. # Issues:
  12. # -------
  13. # Any issues / questions / suggestions can be posted here:
  14. # https://github.com/noplanman/cyon-api/issues
  15. #
  16. # Author: Armando Lüscher <armando@noplanman.ch>
  17. ########
  18. dns_cyon_add() {
  19. _cyon_load_credentials \
  20. && _cyon_load_parameters "$@" \
  21. && _cyon_print_header "add" \
  22. && _cyon_login \
  23. && _cyon_change_domain_env \
  24. && _cyon_add_txt \
  25. && _cyon_logout
  26. }
  27. dns_cyon_rm() {
  28. _cyon_load_credentials \
  29. && _cyon_load_parameters "$@" \
  30. && _cyon_print_header "delete" \
  31. && _cyon_login \
  32. && _cyon_change_domain_env \
  33. && _cyon_delete_txt \
  34. && _cyon_logout
  35. }
  36. #########################
  37. ### PRIVATE FUNCTIONS ###
  38. #########################
  39. _cyon_load_credentials() {
  40. # Convert loaded password to/from base64 as needed.
  41. if [ "${CY_Password_B64}" ]; then
  42. CY_Password="$(printf "%s" "${CY_Password_B64}" | _dbase64 "multiline")"
  43. elif [ "${CY_Password}" ]; then
  44. CY_Password_B64="$(printf "%s" "${CY_Password}" | _base64)"
  45. fi
  46. if [ -z "${CY_Username}" ] || [ -z "${CY_Password}" ]; then
  47. # Dummy entries to satify script checker.
  48. CY_Username=""
  49. CY_Password=""
  50. CY_OTP_Secret=""
  51. _err ""
  52. _err "You haven't set your cyon.ch login credentials yet."
  53. _err "Please set the required cyon environment variables."
  54. _err ""
  55. return 1
  56. fi
  57. # Save the login credentials to the account.conf file.
  58. _debug "Save credentials to account.conf"
  59. _saveaccountconf CY_Username "${CY_Username}"
  60. _saveaccountconf CY_Password_B64 "$CY_Password_B64"
  61. if [ ! -z "${CY_OTP_Secret}" ]; then
  62. _saveaccountconf CY_OTP_Secret "$CY_OTP_Secret"
  63. else
  64. _clearaccountconf CY_OTP_Secret
  65. fi
  66. }
  67. _cyon_is_idn() {
  68. _idn_temp="$(printf "%s" "${1}" | tr -d "0-9a-zA-Z.,-_")"
  69. _idn_temp2="$(printf "%s" "${1}" | grep -o "xn--")"
  70. [ "$_idn_temp" ] || [ "$_idn_temp2" ]
  71. }
  72. _cyon_load_parameters() {
  73. # Read the required parameters to add the TXT entry.
  74. fulldomain="$(printf "%s" "${1}" | tr "A-Z" "a-z")"
  75. fulldomain_idn="${fulldomain}"
  76. # Special case for IDNs, as cyon needs a domain environment change,
  77. # which uses the "pretty" instead of the punycode version.
  78. if _cyon_is_idn "${fulldomain}"; then
  79. if ! _exists idn; then
  80. _err "Please install idn to process IDN names."
  81. _err ""
  82. return 1
  83. fi
  84. fulldomain="$(idn -u "${fulldomain}")"
  85. fulldomain_idn="$(idn -a "${fulldomain}")"
  86. fi
  87. _debug fulldomain "${fulldomain}"
  88. _debug fulldomain_idn "${fulldomain_idn}"
  89. txtvalue="${2}"
  90. _debug txtvalue "${txtvalue}"
  91. # This header is required for curl calls.
  92. _H1="X-Requested-With: XMLHttpRequest"
  93. export _H1
  94. }
  95. _cyon_print_header() {
  96. if [ "${1}" = "add" ]; then
  97. _info ""
  98. _info "+---------------------------------------------+"
  99. _info "| Adding DNS TXT entry to your cyon.ch domain |"
  100. _info "+---------------------------------------------+"
  101. _info ""
  102. _info " * Full Domain: ${fulldomain}"
  103. _info " * TXT Value: ${txtvalue}"
  104. _info ""
  105. elif [ "${1}" = "delete" ]; then
  106. _info ""
  107. _info "+-------------------------------------------------+"
  108. _info "| Deleting DNS TXT entry from your cyon.ch domain |"
  109. _info "+-------------------------------------------------+"
  110. _info ""
  111. _info " * Full Domain: ${fulldomain}"
  112. _info ""
  113. fi
  114. }
  115. _cyon_get_cookie_header() {
  116. printf "Cookie: %s" "$(grep "cyon=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'cyon=[^;]*;' | tr -d ';')"
  117. }
  118. _cyon_login() {
  119. _info " - Logging in..."
  120. username_encoded="$(printf "%s" "${CY_Username}" | _url_encode)"
  121. password_encoded="$(printf "%s" "${CY_Password}" | _url_encode)"
  122. login_url="https://my.cyon.ch/auth/index/dologin-async"
  123. login_data="$(printf "%s" "username=${username_encoded}&password=${password_encoded}&pathname=%2F")"
  124. login_response="$(_post "$login_data" "$login_url")"
  125. _debug login_response "${login_response}"
  126. # Bail if login fails.
  127. if [ "$(printf "%s" "${login_response}" | _cyon_get_response_success)" != "success" ]; then
  128. _err " $(printf "%s" "${login_response}" | _cyon_get_response_message)"
  129. _err ""
  130. return 1
  131. fi
  132. _info " success"
  133. # NECESSARY!! Load the main page after login, to get the new cookie.
  134. _H2="$(_cyon_get_cookie_header)"
  135. export _H2
  136. _get "https://my.cyon.ch/" >/dev/null
  137. # todo: instead of just checking if the env variable is defined, check if we actually need to do a 2FA auth request.
  138. # 2FA authentication with OTP?
  139. if [ ! -z "${CY_OTP_Secret}" ]; then
  140. _info " - Authorising with OTP code..."
  141. if ! _exists oathtool; then
  142. _err "Please install oathtool to use 2 Factor Authentication."
  143. _err ""
  144. return 1
  145. fi
  146. # Get OTP code with the defined secret.
  147. otp_code="$(oathtool --base32 --totp "${CY_OTP_Secret}" 2>/dev/null)"
  148. login_otp_url="https://my.cyon.ch/auth/multi-factor/domultifactorauth-async"
  149. login_otp_data="totpcode=${otp_code}&pathname=%2F&rememberme=0"
  150. login_otp_response="$(_post "$login_otp_data" "$login_otp_url")"
  151. _debug login_otp_response "${login_otp_response}"
  152. # Bail if OTP authentication fails.
  153. if [ "$(printf "%s" "${login_otp_response}" | _cyon_get_response_success)" != "success" ]; then
  154. _err " $(printf "%s" "${login_otp_response}" | _cyon_get_response_message)"
  155. _err ""
  156. return 1
  157. fi
  158. _info " success"
  159. fi
  160. _info ""
  161. }
  162. _cyon_logout() {
  163. _info " - Logging out..."
  164. _get "https://my.cyon.ch/auth/index/dologout" >/dev/null
  165. _info " success"
  166. _info ""
  167. }
  168. _cyon_change_domain_env() {
  169. _info " - Changing domain environment..."
  170. # Get the "example.com" part of the full domain name.
  171. domain_env="$(printf "%s" "${fulldomain}" | sed -E -e 's/.*\.(.*\..*)$/\1/')"
  172. _debug "Changing domain environment to ${domain_env}"
  173. gloo_item_key="$(_get "https://my.cyon.ch/domain/" | tr '\n' ' ' | sed -E -e "s/.*data-domain=\"${domain_env}\"[^<]*data-itemkey=\"([^\"]*).*/\1/")"
  174. _debug gloo_item_key "${gloo_item_key}"
  175. domain_env_url="https://my.cyon.ch/user/environment/setdomain/d/${domain_env}/gik/${gloo_item_key}"
  176. domain_env_response="$(_get "${domain_env_url}")"
  177. _debug domain_env_response "${domain_env_response}"
  178. if ! _cyon_check_if_2fa_missed "${domain_env_response}"; then return 1; fi
  179. domain_env_success="$(printf "%s" "${domain_env_response}" | _egrep_o '"authenticated":\w*' | cut -d : -f 2)"
  180. # Bail if domain environment change fails.
  181. if [ "${domain_env_success}" != "true" ]; then
  182. _err " $(printf "%s" "${domain_env_response}" | _cyon_get_response_message)"
  183. _err ""
  184. return 1
  185. fi
  186. _info " success"
  187. _info ""
  188. }
  189. _cyon_add_txt() {
  190. _info " - Adding DNS TXT entry..."
  191. add_txt_url="https://my.cyon.ch/domain/dnseditor/add-record-async"
  192. add_txt_data="zone=${fulldomain_idn}.&ttl=900&type=TXT&value=${txtvalue}"
  193. add_txt_response="$(_post "$add_txt_data" "$add_txt_url")"
  194. _debug add_txt_response "${add_txt_response}"
  195. if ! _cyon_check_if_2fa_missed "${add_txt_response}"; then return 1; fi
  196. add_txt_message="$(printf "%s" "${add_txt_response}" | _cyon_get_response_message)"
  197. add_txt_status="$(printf "%s" "${add_txt_response}" | _cyon_get_response_status)"
  198. # Bail if adding TXT entry fails.
  199. if [ "${add_txt_status}" != "true" ]; then
  200. _err " ${add_txt_message}"
  201. _err ""
  202. return 1
  203. fi
  204. _info " success (TXT|${fulldomain_idn}.|${txtvalue})"
  205. _info ""
  206. }
  207. _cyon_delete_txt() {
  208. _info " - Deleting DNS TXT entry..."
  209. list_txt_url="https://my.cyon.ch/domain/dnseditor/list-async"
  210. list_txt_response="$(_get "${list_txt_url}" | sed -e 's/data-hash/\\ndata-hash/g')"
  211. _debug list_txt_response "${list_txt_response}"
  212. if ! _cyon_check_if_2fa_missed "${list_txt_response}"; then return 1; fi
  213. # Find and delete all acme challenge entries for the $fulldomain.
  214. _dns_entries="$(printf "%b\n" "${list_txt_response}" | sed -n 's/data-hash=\\"\([^"]*\)\\" data-identifier=\\"\([^"]*\)\\".*/\1 \2/p')"
  215. printf "%s" "${_dns_entries}" | while read -r _hash _identifier; do
  216. dns_type="$(printf "%s" "$_identifier" | cut -d'|' -f1)"
  217. dns_domain="$(printf "%s" "$_identifier" | cut -d'|' -f2)"
  218. if [ "${dns_type}" != "TXT" ] || [ "${dns_domain}" != "${fulldomain_idn}." ]; then
  219. continue
  220. fi
  221. hash_encoded="$(printf "%s" "${_hash}" | _url_encode)"
  222. identifier_encoded="$(printf "%s" "${_identifier}" | _url_encode)"
  223. delete_txt_url="https://my.cyon.ch/domain/dnseditor/delete-record-async"
  224. delete_txt_data="$(printf "%s" "hash=${hash_encoded}&identifier=${identifier_encoded}")"
  225. delete_txt_response="$(_post "$delete_txt_data" "$delete_txt_url")"
  226. _debug delete_txt_response "${delete_txt_response}"
  227. if ! _cyon_check_if_2fa_missed "${delete_txt_response}"; then return 1; fi
  228. delete_txt_message="$(printf "%s" "${delete_txt_response}" | _cyon_get_response_message)"
  229. delete_txt_status="$(printf "%s" "${delete_txt_response}" | _cyon_get_response_status)"
  230. # Skip if deleting TXT entry fails.
  231. if [ "${delete_txt_status}" != "true" ]; then
  232. _err " ${delete_txt_message} (${_identifier})"
  233. else
  234. _info " success (${_identifier})"
  235. fi
  236. done
  237. _info " done"
  238. _info ""
  239. }
  240. _cyon_get_response_message() {
  241. _egrep_o '"message":"[^"]*"' | cut -d : -f 2 | tr -d '"'
  242. }
  243. _cyon_get_response_status() {
  244. _egrep_o '"status":\w*' | cut -d : -f 2
  245. }
  246. _cyon_get_response_success() {
  247. _egrep_o '"onSuccess":"[^"]*"' | cut -d : -f 2 | tr -d '"'
  248. }
  249. _cyon_check_if_2fa_missed() {
  250. # Did we miss the 2FA?
  251. if test "${1#*multi_factor_form}" != "${1}"; then
  252. _err " Missed OTP authentication!"
  253. _err ""
  254. return 1
  255. fi
  256. }