You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

270 lines
6.8 KiB

1 month ago
1 month ago
3 years ago
  1. #!/usr/bin/env sh
  2. # shellcheck disable=SC2034
  3. dns_mythic_beasts_info='Mythic-Beasts.com
  4. Site: Mythic-Beasts.com
  5. Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_mythic_beasts
  6. Options:
  7. MB_AK API Key
  8. MB_AS API Secret
  9. Issues: github.com/acmesh-official/acme.sh/issues/3848
  10. '
  11. # Mythic Beasts is a long-standing UK service provider using standards-based OAuth2 authentication
  12. # To test: ./acme.sh --dns dns_mythic_beasts --test --debug 1 --output-insecure --issue --domain domain.com
  13. # Cannot retest once cert is issued
  14. # OAuth2 tokens only valid for 300 seconds so we do not store
  15. # NOTE: This will remove all TXT records matching the fulldomain, not just the added ones (_acme-challenge.www.domain.com)
  16. # Test OAuth2 credentials
  17. #MB_AK="aaaaaaaaaaaaaaaa"
  18. #MB_AS="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
  19. # URLs
  20. MB_API='https://api.mythic-beasts.com/dns/v2/zones'
  21. MB_AUTH='https://auth.mythic-beasts.com/login'
  22. ######## Public functions #####################
  23. #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
  24. dns_mythic_beasts_add() {
  25. fulldomain=$1
  26. txtvalue=$2
  27. _info "MYTHIC BEASTS Adding record $fulldomain = $txtvalue"
  28. if ! _initAuth; then
  29. return 1
  30. fi
  31. if ! _get_root "$fulldomain"; then
  32. return 1
  33. fi
  34. # method path body_data
  35. if _mb_rest POST "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
  36. if _contains "$response" "1 records added"; then
  37. _info "Added, verifying..."
  38. # Max 120 seconds to publish
  39. for i in $(seq 1 6); do
  40. # Retry on error
  41. if ! _mb_rest GET "$_domain/records/$_sub_domain/TXT?verify"; then
  42. _sleep 20
  43. else
  44. _info "Record published!"
  45. return 0
  46. fi
  47. done
  48. else
  49. _err "\n$response"
  50. fi
  51. fi
  52. _err "Add txt record error."
  53. return 1
  54. }
  55. #Usage: rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
  56. dns_mythic_beasts_rm() {
  57. fulldomain=$1
  58. txtvalue=$2
  59. _info "MYTHIC BEASTS Removing record $fulldomain = $txtvalue"
  60. if ! _initAuth; then
  61. return 1
  62. fi
  63. if ! _get_root "$fulldomain"; then
  64. return 1
  65. fi
  66. # method path body_data
  67. if _mb_rest DELETE "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
  68. _info "Record removed"
  69. return 0
  70. fi
  71. _err "Remove txt record error."
  72. return 1
  73. }
  74. #################### Private functions below ##################################
  75. #Possible formats:
  76. # _acme-challenge.www.example.com
  77. # _acme-challenge.example.com
  78. # _acme-challenge.example.co.uk
  79. # _acme-challenge.www.example.co.uk
  80. # _acme-challenge.sub1.sub2.www.example.co.uk
  81. # sub1.sub2.example.co.uk
  82. # example.com
  83. # example.co.uk
  84. #returns
  85. # _sub_domain=_acme-challenge.www
  86. # _domain=domain.com
  87. _get_root() {
  88. domain=$1
  89. i=1
  90. p=1
  91. _debug "Detect the root zone"
  92. while true; do
  93. h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
  94. if [ -z "$h" ]; then
  95. _err "Domain exhausted"
  96. return 1
  97. fi
  98. # Use the status errors to find the domain, continue on 403 Access denied
  99. # method path body_data
  100. _mb_rest GET "$h/records"
  101. ret="$?"
  102. if [ "$ret" -eq 0 ]; then
  103. _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
  104. _domain="$h"
  105. _debug _sub_domain "$_sub_domain"
  106. _debug _domain "$_domain"
  107. return 0
  108. elif [ "$ret" -eq 1 ]; then
  109. return 1
  110. fi
  111. p=$i
  112. i=$(_math "$i" + 1)
  113. if [ "$i" -gt 50 ]; then
  114. break
  115. fi
  116. done
  117. _err "Domain too long"
  118. return 1
  119. }
  120. _initAuth() {
  121. MB_AK="${MB_AK:-$(_readaccountconf_mutable MB_AK)}"
  122. MB_AS="${MB_AS:-$(_readaccountconf_mutable MB_AS)}"
  123. if [ -z "$MB_AK" ] || [ -z "$MB_AS" ]; then
  124. MB_AK=""
  125. MB_AS=""
  126. _err "Please specify an OAuth2 Key & Secret"
  127. return 1
  128. fi
  129. _saveaccountconf_mutable MB_AK "$MB_AK"
  130. _saveaccountconf_mutable MB_AS "$MB_AS"
  131. if ! _oauth2; then
  132. return 1
  133. fi
  134. _info "Checking authentication"
  135. _secure_debug access_token "$MB_TK"
  136. _sleep 1
  137. # GET a list of zones
  138. # method path body_data
  139. if ! _mb_rest GET ""; then
  140. _err "The token is invalid"
  141. return 1
  142. fi
  143. _info "Token OK"
  144. return 0
  145. }
  146. # Github appears to use an outbound proxy for requests which means subsequent requests may not have the same
  147. # source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail
  148. # authentication. This is a work around using an undocumented MB API to obtain a token not tied to an
  149. # IP just for the github tests.
  150. _oauth2() {
  151. if [ "$GITHUB_ACTIONS" = "true" ]; then
  152. _oauth2_github
  153. else
  154. _oauth2_std
  155. fi
  156. return $?
  157. }
  158. _oauth2_std() {
  159. # HTTP Basic Authentication
  160. _H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" | _base64)"
  161. _H2="Accepts: application/json"
  162. export _H1 _H2
  163. body="grant_type=client_credentials"
  164. _info "Getting OAuth2 token..."
  165. # body url [needbase64] [POST|PUT|DELETE] [ContentType]
  166. response="$(_post "$body" "$MB_AUTH" "" "POST" "application/x-www-form-urlencoded")"
  167. if _contains "$response" "\"token_type\":\"bearer\""; then
  168. MB_TK="$(echo "$response" | _egrep_o "access_token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
  169. if [ -z "$MB_TK" ]; then
  170. _err "Unable to get access_token"
  171. _err "\n$response"
  172. return 1
  173. fi
  174. else
  175. _err "OAuth2 token_type not Bearer"
  176. _err "\n$response"
  177. return 1
  178. fi
  179. _debug2 response "$response"
  180. return 0
  181. }
  182. _oauth2_github() {
  183. _H1="Accepts: application/json"
  184. export _H1
  185. body="{\"login\":{\"handle\":\"$MB_AK\",\"pass\":\"$MB_AS\",\"floating\":1}}"
  186. _info "Getting Floating token..."
  187. # body url [needbase64] [POST|PUT|DELETE] [ContentType]
  188. response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")"
  189. MB_TK="$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
  190. if [ -z "$MB_TK" ]; then
  191. _err "Unable to get token"
  192. _err "\n$response"
  193. return 1
  194. fi
  195. _debug2 response "$response"
  196. return 0
  197. }
  198. # method path body_data
  199. _mb_rest() {
  200. # URL encoded body for single API operations
  201. m="$1"
  202. ep="$2"
  203. data="$3"
  204. if [ -z "$ep" ]; then
  205. _mb_url="$MB_API"
  206. else
  207. _mb_url="$MB_API/$ep"
  208. fi
  209. _H1="Authorization: Bearer $MB_TK"
  210. _H2="Accepts: application/json"
  211. export _H1 _H2
  212. if [ "$data" ] || [ "$m" = "POST" ] || [ "$m" = "PUT" ] || [ "$m" = "DELETE" ]; then
  213. # body url [needbase64] [POST|PUT|DELETE] [ContentType]
  214. response="$(_post "data=$data" "$_mb_url" "" "$m" "application/x-www-form-urlencoded")"
  215. else
  216. response="$(_get "$_mb_url")"
  217. fi
  218. if [ "$?" != "0" ]; then
  219. _err "Request error"
  220. return 1
  221. fi
  222. header="$(cat "$HTTP_HEADER")"
  223. status="$(echo "$header" | _egrep_o "^HTTP[^ ]* .*$" | cut -d " " -f 2-100 | tr -d "\f\n")"
  224. code="$(echo "$status" | _egrep_o "^[0-9]*")"
  225. if [ "$code" -ge 400 ] || _contains "$response" "\"error\"" || _contains "$response" "invalid_client"; then
  226. _err "error $status"
  227. _err "\n$response"
  228. _debug "\n$header"
  229. return 2
  230. fi
  231. _debug2 response "$response"
  232. return 0
  233. }