You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

261 lines
6.6 KiB

3 years ago
  1. #!/usr/bin/env sh
  2. # Mythic Beasts is a long-standing UK service provider using standards-based OAuth2 authentication
  3. # To test: ./acme.sh --dns dns_mythic_beasts --test --debug 1 --output-insecure --issue --domain domain.com
  4. # Cannot retest once cert is issued
  5. # OAuth2 tokens only valid for 300 seconds so we do not store
  6. # NOTE: This will remove all TXT records matching the fulldomain, not just the added ones (_acme-challenge.www.domain.com)
  7. # Test OAuth2 credentials
  8. #MB_AK="aaaaaaaaaaaaaaaa"
  9. #MB_AS="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
  10. # URLs
  11. MB_API='https://api.mythic-beasts.com/dns/v2/zones'
  12. MB_AUTH='https://auth.mythic-beasts.com/login'
  13. ######## Public functions #####################
  14. #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
  15. dns_mythic_beasts_add() {
  16. fulldomain=$1
  17. txtvalue=$2
  18. _info "MYTHIC BEASTS Adding record $fulldomain = $txtvalue"
  19. if ! _initAuth; then
  20. return 1
  21. fi
  22. if ! _get_root "$fulldomain"; then
  23. return 1
  24. fi
  25. # method path body_data
  26. if _mb_rest POST "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
  27. if _contains "$response" "1 records added"; then
  28. _info "Added, verifying..."
  29. # Max 120 seconds to publish
  30. for i in $(seq 1 6); do
  31. # Retry on error
  32. if ! _mb_rest GET "$_domain/records/$_sub_domain/TXT?verify"; then
  33. _sleep 20
  34. else
  35. _info "Record published!"
  36. return 0
  37. fi
  38. done
  39. else
  40. _err "\n$response"
  41. fi
  42. fi
  43. _err "Add txt record error."
  44. return 1
  45. }
  46. #Usage: rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
  47. dns_mythic_beasts_rm() {
  48. fulldomain=$1
  49. txtvalue=$2
  50. _info "MYTHIC BEASTS Removing record $fulldomain = $txtvalue"
  51. if ! _initAuth; then
  52. return 1
  53. fi
  54. if ! _get_root "$fulldomain"; then
  55. return 1
  56. fi
  57. # method path body_data
  58. if _mb_rest DELETE "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
  59. _info "Record removed"
  60. return 0
  61. fi
  62. _err "Remove txt record error."
  63. return 1
  64. }
  65. #################### Private functions below ##################################
  66. #Possible formats:
  67. # _acme-challenge.www.example.com
  68. # _acme-challenge.example.com
  69. # _acme-challenge.example.co.uk
  70. # _acme-challenge.www.example.co.uk
  71. # _acme-challenge.sub1.sub2.www.example.co.uk
  72. # sub1.sub2.example.co.uk
  73. # example.com
  74. # example.co.uk
  75. #returns
  76. # _sub_domain=_acme-challenge.www
  77. # _domain=domain.com
  78. _get_root() {
  79. domain=$1
  80. i=1
  81. p=1
  82. _debug "Detect the root zone"
  83. while true; do
  84. h=$(printf "%s" "$domain" | cut -d . -f $i-100)
  85. if [ -z "$h" ]; then
  86. _err "Domain exhausted"
  87. return 1
  88. fi
  89. # Use the status errors to find the domain, continue on 403 Access denied
  90. # method path body_data
  91. _mb_rest GET "$h/records"
  92. ret="$?"
  93. if [ "$ret" -eq 0 ]; then
  94. _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
  95. _domain="$h"
  96. _debug _sub_domain "$_sub_domain"
  97. _debug _domain "$_domain"
  98. return 0
  99. elif [ "$ret" -eq 1 ]; then
  100. return 1
  101. fi
  102. p=$i
  103. i=$(_math "$i" + 1)
  104. if [ "$i" -gt 50 ]; then
  105. break
  106. fi
  107. done
  108. _err "Domain too long"
  109. return 1
  110. }
  111. _initAuth() {
  112. MB_AK="${MB_AK:-$(_readaccountconf_mutable MB_AK)}"
  113. MB_AS="${MB_AS:-$(_readaccountconf_mutable MB_AS)}"
  114. if [ -z "$MB_AK" ] || [ -z "$MB_AS" ]; then
  115. MB_AK=""
  116. MB_AS=""
  117. _err "Please specify an OAuth2 Key & Secret"
  118. return 1
  119. fi
  120. _saveaccountconf_mutable MB_AK "$MB_AK"
  121. _saveaccountconf_mutable MB_AS "$MB_AS"
  122. if ! _oauth2; then
  123. return 1
  124. fi
  125. _info "Checking authentication"
  126. _secure_debug access_token "$MB_TK"
  127. _sleep 1
  128. # GET a list of zones
  129. # method path body_data
  130. if ! _mb_rest GET ""; then
  131. _err "The token is invalid"
  132. return 1
  133. fi
  134. _info "Token OK"
  135. return 0
  136. }
  137. # Github appears to use an outbound proxy for requests which means subsequent requests may not have the same
  138. # source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail
  139. # authentication. This is a work around using an undocumented MB API to obtain a token not tied to an
  140. # IP just for the github tests.
  141. _oauth2() {
  142. if [ "$GITHUB_ACTIONS" = "true" ]; then
  143. _oauth2_github
  144. else
  145. _oauth2_std
  146. fi
  147. return $?
  148. }
  149. _oauth2_std() {
  150. # HTTP Basic Authentication
  151. _H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" | _base64)"
  152. _H2="Accepts: application/json"
  153. export _H1 _H2
  154. body="grant_type=client_credentials"
  155. _info "Getting OAuth2 token..."
  156. # body url [needbase64] [POST|PUT|DELETE] [ContentType]
  157. response="$(_post "$body" "$MB_AUTH" "" "POST" "application/x-www-form-urlencoded")"
  158. if _contains "$response" "\"token_type\":\"bearer\""; then
  159. MB_TK="$(echo "$response" | _egrep_o "access_token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
  160. if [ -z "$MB_TK" ]; then
  161. _err "Unable to get access_token"
  162. _err "\n$response"
  163. return 1
  164. fi
  165. else
  166. _err "OAuth2 token_type not Bearer"
  167. _err "\n$response"
  168. return 1
  169. fi
  170. _debug2 response "$response"
  171. return 0
  172. }
  173. _oauth2_github() {
  174. _H1="Accepts: application/json"
  175. export _H1
  176. body="{\"login\":{\"handle\":\"$MB_AK\",\"pass\":\"$MB_AS\",\"floating\":1}}"
  177. _info "Getting Floating token..."
  178. # body url [needbase64] [POST|PUT|DELETE] [ContentType]
  179. response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")"
  180. MB_TK="$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
  181. if [ -z "$MB_TK" ]; then
  182. _err "Unable to get token"
  183. _err "\n$response"
  184. return 1
  185. fi
  186. _debug2 response "$response"
  187. return 0
  188. }
  189. # method path body_data
  190. _mb_rest() {
  191. # URL encoded body for single API operations
  192. m="$1"
  193. ep="$2"
  194. data="$3"
  195. if [ -z "$ep" ]; then
  196. _mb_url="$MB_API"
  197. else
  198. _mb_url="$MB_API/$ep"
  199. fi
  200. _H1="Authorization: Bearer $MB_TK"
  201. _H2="Accepts: application/json"
  202. export _H1 _H2
  203. if [ "$data" ] || [ "$m" = "POST" ] || [ "$m" = "PUT" ] || [ "$m" = "DELETE" ]; then
  204. # body url [needbase64] [POST|PUT|DELETE] [ContentType]
  205. response="$(_post "data=$data" "$_mb_url" "" "$m" "application/x-www-form-urlencoded")"
  206. else
  207. response="$(_get "$_mb_url")"
  208. fi
  209. if [ "$?" != "0" ]; then
  210. _err "Request error"
  211. return 1
  212. fi
  213. header="$(cat "$HTTP_HEADER")"
  214. status="$(echo "$header" | _egrep_o "^HTTP[^ ]* .*$" | cut -d " " -f 2-100 | tr -d "\f\n")"
  215. code="$(echo "$status" | _egrep_o "^[0-9]*")"
  216. if [ "$code" -ge 400 ] || _contains "$response" "\"error\"" || _contains "$response" "invalid_client"; then
  217. _err "error $status"
  218. _err "\n$response"
  219. _debug "\n$header"
  220. return 2
  221. fi
  222. _debug2 response "$response"
  223. return 0
  224. }