You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

272 lines
6.9 KiB

5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
4 months ago
5 years ago
4 months ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
5 years ago
  1. #!/usr/bin/env sh
  2. # shellcheck disable=SC2034
  3. dns_opnsense_info='OPNsense Server
  4. Site: docs.opnsense.org/development/api.html
  5. Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_opnsense
  6. Options:
  7. OPNs_Host Server Hostname. E.g. "opnsense.example.com"
  8. OPNs_Port Port. Default: "443".
  9. OPNs_Key API Key
  10. OPNs_Token API Token
  11. OPNs_Api_Insecure Insecure TLS. 0: check for cert validity, 1: always accept
  12. Issues: github.com/acmesh-official/acme.sh/issues/2480
  13. '
  14. ######## Public functions #####################
  15. #Usage: add _acme-challenge.www.domain.com "123456789ABCDEF0000000000000000000000000000000000000"
  16. #fulldomain
  17. #txtvalue
  18. OPNs_DefaultPort=443
  19. OPNs_DefaultApi_Insecure=0
  20. dns_opnsense_add() {
  21. fulldomain=$1
  22. txtvalue=$2
  23. _opns_check_auth || return 1
  24. if ! set_record "$fulldomain" "$txtvalue"; then
  25. return 1
  26. fi
  27. return 0
  28. }
  29. #fulldomain
  30. dns_opnsense_rm() {
  31. fulldomain=$1
  32. txtvalue=$2
  33. _opns_check_auth || return 1
  34. if ! rm_record "$fulldomain" "$txtvalue"; then
  35. return 1
  36. fi
  37. return 0
  38. }
  39. set_record() {
  40. fulldomain=$1
  41. new_challenge=$2
  42. _info "Adding record $fulldomain with challenge: $new_challenge"
  43. _debug "Detect root zone"
  44. if ! _get_root "$fulldomain"; then
  45. _err "invalid domain"
  46. return 1
  47. fi
  48. _debug _domain "$_domain"
  49. _debug _host "$_host"
  50. _debug _domainid "$_domainid"
  51. _return_str=""
  52. _record_string=""
  53. _build_record_string "$_domainid" "$_host" "$new_challenge"
  54. _uuid=""
  55. if _existingchallenge "$_domain" "$_host" "$new_challenge"; then
  56. # Update
  57. if _opns_rest "POST" "/record/setRecord/${_uuid}" "$_record_string"; then
  58. _return_str="$response"
  59. else
  60. return 1
  61. fi
  62. else
  63. #create
  64. if _opns_rest "POST" "/record/addRecord" "$_record_string"; then
  65. _return_str="$response"
  66. else
  67. return 1
  68. fi
  69. fi
  70. if echo "$_return_str" | _egrep_o "\"result\":\"saved\"" >/dev/null; then
  71. _opns_rest "POST" "/service/reconfigure" "{}"
  72. _debug "Record created"
  73. else
  74. _err "Error creating record $_record_string"
  75. return 1
  76. fi
  77. return 0
  78. }
  79. rm_record() {
  80. fulldomain=$1
  81. new_challenge="$2"
  82. _info "Remove record $fulldomain with challenge: $new_challenge"
  83. _debug "Detect root zone"
  84. if ! _get_root "$fulldomain"; then
  85. _err "invalid domain"
  86. return 1
  87. fi
  88. _debug _domain "$_domain"
  89. _debug _host "$_host"
  90. _debug _domainid "$_domainid"
  91. _uuid=""
  92. if _existingchallenge "$_domain" "$_host" "$new_challenge"; then
  93. # Delete
  94. if _opns_rest "POST" "/record/delRecord/${_uuid}" "\{\}"; then
  95. if echo "$_return_str" | _egrep_o "\"result\":\"deleted\"" >/dev/null; then
  96. _opns_rest "POST" "/service/reconfigure" "{}"
  97. _debug "Record deleted"
  98. else
  99. _err "Error deleting record $_host from domain $fulldomain"
  100. return 1
  101. fi
  102. else
  103. _err "Error deleting record $_host from domain $fulldomain"
  104. return 1
  105. fi
  106. else
  107. _info "Record not found, nothing to remove"
  108. fi
  109. return 0
  110. }
  111. #################### Private functions below ##################################
  112. #_acme-challenge.www.domain.com
  113. #returns
  114. # _domainid=domid
  115. #_domain=domain.com
  116. _get_root() {
  117. domain=$1
  118. i=2
  119. p=1
  120. if _opns_rest "GET" "/domain/searchPrimaryDomain"; then
  121. _domain_response="$response"
  122. else
  123. return 1
  124. fi
  125. while true; do
  126. h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
  127. if [ -z "$h" ]; then
  128. #not valid
  129. return 1
  130. fi
  131. _debug h "$h"
  132. id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
  133. if [ -n "$id" ]; then
  134. _debug id "$id"
  135. _host=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
  136. _domain="${h}"
  137. _domainid="${id}"
  138. return 0
  139. fi
  140. p=$i
  141. i=$(_math $i + 1)
  142. done
  143. _debug "$domain not found"
  144. return 1
  145. }
  146. _opns_rest() {
  147. method=$1
  148. ep=$2
  149. data=$3
  150. #Percent encode user and token
  151. key=$(echo "$OPNs_Key" | tr -d "\n\r" | _url_encode)
  152. token=$(echo "$OPNs_Token" | tr -d "\n\r" | _url_encode)
  153. opnsense_url="https://${key}:${token}@${OPNs_Host}:${OPNs_Port:-$OPNs_DefaultPort}/api/bind${ep}"
  154. export _H1="Content-Type: application/json"
  155. _debug2 "Try to call api: https://${OPNs_Host}:${OPNs_Port:-$OPNs_DefaultPort}/api/bind${ep}"
  156. if [ ! "$method" = "GET" ]; then
  157. _debug data "$data"
  158. export _H1="Content-Type: application/json"
  159. response="$(_post "$data" "$opnsense_url" "" "$method")"
  160. else
  161. export _H1=""
  162. response="$(_get "$opnsense_url")"
  163. fi
  164. if [ "$?" != "0" ]; then
  165. _err "error $ep"
  166. return 1
  167. fi
  168. _debug2 response "$response"
  169. return 0
  170. }
  171. _build_record_string() {
  172. _record_string="{\"record\":{\"enabled\":\"1\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"}}"
  173. }
  174. _existingchallenge() {
  175. if _opns_rest "GET" "/record/searchRecord"; then
  176. _record_response="$response"
  177. else
  178. return 1
  179. fi
  180. _uuid=""
  181. _uuid=$(echo "$_record_response" | _egrep_o "\"uuid\":\"[^\"]*\",\"enabled\":\"[01]\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
  182. if [ -n "$_uuid" ]; then
  183. _debug uuid "$_uuid"
  184. return 0
  185. fi
  186. _debug "${2}.$1{1} record not found"
  187. return 1
  188. }
  189. _opns_check_auth() {
  190. OPNs_Host="${OPNs_Host:-$(_readaccountconf_mutable OPNs_Host)}"
  191. OPNs_Port="${OPNs_Port:-$(_readaccountconf_mutable OPNs_Port)}"
  192. OPNs_Key="${OPNs_Key:-$(_readaccountconf_mutable OPNs_Key)}"
  193. OPNs_Token="${OPNs_Token:-$(_readaccountconf_mutable OPNs_Token)}"
  194. OPNs_Api_Insecure="${OPNs_Api_Insecure:-$(_readaccountconf_mutable OPNs_Api_Insecure)}"
  195. if [ -z "$OPNs_Host" ]; then
  196. _err "You don't specify OPNsense address."
  197. return 1
  198. else
  199. _saveaccountconf_mutable OPNs_Host "$OPNs_Host"
  200. fi
  201. if ! printf '%s' "$OPNs_Port" | grep '^[0-9]*$' >/dev/null; then
  202. _err 'OPNs_Port specified but not numeric value'
  203. return 1
  204. elif [ -z "$OPNs_Port" ]; then
  205. _info "OPNSense port not specified. Defaulting to using port $OPNs_DefaultPort"
  206. else
  207. _saveaccountconf_mutable OPNs_Port "$OPNs_Port"
  208. fi
  209. if ! printf '%s' "$OPNs_Api_Insecure" | grep '^[01]$' >/dev/null; then
  210. _err 'OPNs_Api_Insecure specified but not 0/1 value'
  211. return 1
  212. elif [ -n "$OPNs_Api_Insecure" ]; then
  213. _saveaccountconf_mutable OPNs_Api_Insecure "$OPNs_Api_Insecure"
  214. fi
  215. export HTTPS_INSECURE="${OPNs_Api_Insecure:-$OPNs_DefaultApi_Insecure}"
  216. if [ -z "$OPNs_Key" ]; then
  217. _err "you have not specified your OPNsense api key id."
  218. _err "Please set OPNs_Key and try again."
  219. return 1
  220. else
  221. _saveaccountconf_mutable OPNs_Key "$OPNs_Key"
  222. fi
  223. if [ -z "$OPNs_Token" ]; then
  224. _err "you have not specified your OPNsense token."
  225. _err "Please create OPNs_Token and try again."
  226. return 1
  227. else
  228. _saveaccountconf_mutable OPNs_Token "$OPNs_Token"
  229. fi
  230. if ! _opns_rest "GET" "/general/get"; then
  231. _err "Call to OPNsense API interface failed. Unable to access OPNsense API."
  232. return 1
  233. fi
  234. return 0
  235. }