You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

414 lines
16 KiB

3 months ago
3 months ago
4 months ago
3 months ago
3 months ago
4 months ago
3 months ago
4 months ago
4 months ago
3 months ago
4 months ago
4 months ago
3 months ago
4 months ago
4 months ago
3 months ago
3 months ago
4 months ago
3 months ago
7 years ago
7 years ago
7 years ago
3 months ago
4 months ago
3 months ago
3 months ago
4 months ago
3 months ago
4 months ago
4 months ago
3 months ago
4 months ago
4 months ago
3 months ago
4 months ago
3 months ago
3 months ago
4 months ago
7 years ago
7 years ago
4 years ago
7 years ago
3 months ago
7 years ago
7 years ago
3 months ago
3 months ago
  1. #!/usr/bin/env sh
  2. # shellcheck disable=SC2034
  3. dns_azure_info='Azure
  4. Site: Azure.microsoft.com
  5. Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_azure
  6. Options:
  7. AZUREDNS_SUBSCRIPTIONID Subscription ID
  8. AZUREDNS_TENANTID Tenant ID
  9. AZUREDNS_APPID App ID. App ID of the service principal
  10. AZUREDNS_CLIENTSECRET Client Secret. Secret from creating the service principal
  11. AZUREDNS_MANAGEDIDENTITY Use Managed Identity. Use Managed Identity assigned to a resource instead of a service principal. "true"/"false"
  12. AZUREDNS_BEARERTOKEN Optional Bearer Token. Used instead of service principal credentials or managed identity
  13. '
  14. ######## Public functions #####################
  15. # Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
  16. # Used to add txt record
  17. #
  18. # Ref: https://docs.microsoft.com/en-us/rest/api/dns/recordsets/createorupdate
  19. #
  20. dns_azure_add() {
  21. fulldomain=$1
  22. txtvalue=$2
  23. AZUREDNS_SUBSCRIPTIONID="${AZUREDNS_SUBSCRIPTIONID:-$(_readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID)}"
  24. if [ -z "$AZUREDNS_SUBSCRIPTIONID" ]; then
  25. AZUREDNS_SUBSCRIPTIONID=""
  26. AZUREDNS_TENANTID=""
  27. AZUREDNS_APPID=""
  28. AZUREDNS_CLIENTSECRET=""
  29. AZUREDNS_BEARERTOKEN=""
  30. _err "You didn't specify the Azure Subscription ID"
  31. return 1
  32. fi
  33. #save subscription id to account conf file.
  34. _saveaccountconf_mutable AZUREDNS_SUBSCRIPTIONID "$AZUREDNS_SUBSCRIPTIONID"
  35. AZUREDNS_MANAGEDIDENTITY="${AZUREDNS_MANAGEDIDENTITY:-$(_readaccountconf_mutable AZUREDNS_MANAGEDIDENTITY)}"
  36. if [ "$AZUREDNS_MANAGEDIDENTITY" = true ]; then
  37. _info "Using Azure managed identity"
  38. #save managed identity as preferred authentication method, clear service principal credentials from conf file.
  39. _saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "$AZUREDNS_MANAGEDIDENTITY"
  40. _saveaccountconf_mutable AZUREDNS_TENANTID ""
  41. _saveaccountconf_mutable AZUREDNS_APPID ""
  42. _saveaccountconf_mutable AZUREDNS_CLIENTSECRET ""
  43. _saveaccountconf_mutable AZUREDNS_BEARERTOKEN ""
  44. else
  45. _info "You didn't ask to use Azure managed identity, checking service principal credentials or provided bearer token"
  46. AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}"
  47. AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}"
  48. AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}"
  49. AZUREDNS_BEARERTOKEN="${AZUREDNS_BEARERTOKEN:-$(_readaccountconf_mutable AZUREDNS_BEARERTOKEN)}"
  50. if [ -z "$AZUREDNS_BEARERTOKEN" ]; then
  51. if [ -z "$AZUREDNS_TENANTID" ]; then
  52. AZUREDNS_SUBSCRIPTIONID=""
  53. AZUREDNS_TENANTID=""
  54. AZUREDNS_APPID=""
  55. AZUREDNS_CLIENTSECRET=""
  56. AZUREDNS_BEARERTOKEN=""
  57. _err "You didn't specify the Azure Tenant ID "
  58. return 1
  59. fi
  60. if [ -z "$AZUREDNS_APPID" ]; then
  61. AZUREDNS_SUBSCRIPTIONID=""
  62. AZUREDNS_TENANTID=""
  63. AZUREDNS_APPID=""
  64. AZUREDNS_CLIENTSECRET=""
  65. AZUREDNS_BEARERTOKEN=""
  66. _err "You didn't specify the Azure App ID"
  67. return 1
  68. fi
  69. if [ -z "$AZUREDNS_CLIENTSECRET" ]; then
  70. AZUREDNS_SUBSCRIPTIONID=""
  71. AZUREDNS_TENANTID=""
  72. AZUREDNS_APPID=""
  73. AZUREDNS_CLIENTSECRET=""
  74. AZUREDNS_BEARERTOKEN=""
  75. _err "You didn't specify the Azure Client Secret"
  76. return 1
  77. fi
  78. else
  79. _info "Using provided bearer token"
  80. fi
  81. #save account details to account conf file, don't opt in for azure manages identity check.
  82. _saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "false"
  83. _saveaccountconf_mutable AZUREDNS_TENANTID "$AZUREDNS_TENANTID"
  84. _saveaccountconf_mutable AZUREDNS_APPID "$AZUREDNS_APPID"
  85. _saveaccountconf_mutable AZUREDNS_CLIENTSECRET "$AZUREDNS_CLIENTSECRET"
  86. _saveaccountconf_mutable AZUREDNS_BEARERTOKEN "$AZUREDNS_BEARERTOKEN"
  87. fi
  88. if [ -z "$AZUREDNS_BEARERTOKEN" ]; then
  89. accesstoken=$(_azure_getaccess_token "$AZUREDNS_MANAGEDIDENTITY" "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET")
  90. else
  91. accesstoken=$(echo "$AZUREDNS_BEARERTOKEN" | sed "s/Bearer //g")
  92. fi
  93. if ! _get_root "$fulldomain" "$AZUREDNS_SUBSCRIPTIONID" "$accesstoken"; then
  94. _err "invalid domain"
  95. return 1
  96. fi
  97. _debug _domain_id "$_domain_id"
  98. _debug _sub_domain "$_sub_domain"
  99. _debug _domain "$_domain"
  100. acmeRecordURI="https://management.azure.com$(printf '%s' "$_domain_id" | sed 's/\\//g')/TXT/$_sub_domain?api-version=2017-09-01"
  101. _debug "$acmeRecordURI"
  102. # Get existing TXT record
  103. _azure_rest GET "$acmeRecordURI" "" "$accesstoken"
  104. values="{\"value\":[\"$txtvalue\"]}"
  105. timestamp="$(_time)"
  106. if [ "$_code" = "200" ]; then
  107. vlist="$(echo "$response" | _egrep_o "\"value\"\\s*:\\s*\\[\\s*\"[^\"]*\"\\s*]" | cut -d : -f 2 | tr -d "[]\"")"
  108. _debug "existing TXT found"
  109. _debug "$vlist"
  110. existingts="$(echo "$response" | _egrep_o "\"acmetscheck\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"")"
  111. if [ -z "$existingts" ]; then
  112. # the record was not created by acme.sh. Copy the exisiting entires
  113. existingts=$timestamp
  114. fi
  115. _diff="$(_math "$timestamp - $existingts")"
  116. _debug "existing txt age: $_diff"
  117. # only use recently added records and discard if older than 2 hours because they are probably orphaned
  118. if [ "$_diff" -lt 7200 ]; then
  119. _debug "existing txt value: $vlist"
  120. for v in $vlist; do
  121. values="$values ,{\"value\":[\"$v\"]}"
  122. done
  123. fi
  124. fi
  125. # Add the txtvalue TXT Record
  126. body="{\"properties\":{\"metadata\":{\"acmetscheck\":\"$timestamp\"},\"TTL\":10, \"TXTRecords\":[$values]}}"
  127. _azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken"
  128. if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then
  129. _info "validation value added"
  130. return 0
  131. else
  132. _err "error adding validation value ($_code)"
  133. return 1
  134. fi
  135. }
  136. # Usage: fulldomain txtvalue
  137. # Used to remove the txt record after validation
  138. #
  139. # Ref: https://docs.microsoft.com/en-us/rest/api/dns/recordsets/delete
  140. #
  141. dns_azure_rm() {
  142. fulldomain=$1
  143. txtvalue=$2
  144. AZUREDNS_SUBSCRIPTIONID="${AZUREDNS_SUBSCRIPTIONID:-$(_readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID)}"
  145. if [ -z "$AZUREDNS_SUBSCRIPTIONID" ]; then
  146. AZUREDNS_SUBSCRIPTIONID=""
  147. AZUREDNS_TENANTID=""
  148. AZUREDNS_APPID=""
  149. AZUREDNS_CLIENTSECRET=""
  150. AZUREDNS_BEARERTOKEN=""
  151. _err "You didn't specify the Azure Subscription ID "
  152. return 1
  153. fi
  154. AZUREDNS_MANAGEDIDENTITY="${AZUREDNS_MANAGEDIDENTITY:-$(_readaccountconf_mutable AZUREDNS_MANAGEDIDENTITY)}"
  155. if [ "$AZUREDNS_MANAGEDIDENTITY" = true ]; then
  156. _info "Using Azure managed identity"
  157. else
  158. _info "You didn't ask to use Azure managed identity, checking service principal credentials or provided bearer token"
  159. AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}"
  160. AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}"
  161. AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}"
  162. AZUREDNS_BEARERTOKEN="${AZUREDNS_BEARERTOKEN:-$(_readaccountconf_mutable AZUREDNS_BEARERTOKEN)}"
  163. if [ -z "$AZUREDNS_BEARERTOKEN" ]; then
  164. if [ -z "$AZUREDNS_TENANTID" ]; then
  165. AZUREDNS_SUBSCRIPTIONID=""
  166. AZUREDNS_TENANTID=""
  167. AZUREDNS_APPID=""
  168. AZUREDNS_CLIENTSECRET=""
  169. AZUREDNS_BEARERTOKEN=""
  170. _err "You didn't specify the Azure Tenant ID "
  171. return 1
  172. fi
  173. if [ -z "$AZUREDNS_APPID" ]; then
  174. AZUREDNS_SUBSCRIPTIONID=""
  175. AZUREDNS_TENANTID=""
  176. AZUREDNS_APPID=""
  177. AZUREDNS_CLIENTSECRET=""
  178. AZUREDNS_BEARERTOKEN=""
  179. _err "You didn't specify the Azure App ID"
  180. return 1
  181. fi
  182. if [ -z "$AZUREDNS_CLIENTSECRET" ]; then
  183. AZUREDNS_SUBSCRIPTIONID=""
  184. AZUREDNS_TENANTID=""
  185. AZUREDNS_APPID=""
  186. AZUREDNS_CLIENTSECRET=""
  187. AZUREDNS_BEARERTOKEN=""
  188. _err "You didn't specify the Azure Client Secret"
  189. return 1
  190. fi
  191. else
  192. _info "Using provided bearer token"
  193. fi
  194. fi
  195. if [ -z "$AZUREDNS_BEARERTOKEN" ]; then
  196. accesstoken=$(_azure_getaccess_token "$AZUREDNS_MANAGEDIDENTITY" "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET")
  197. else
  198. accesstoken=$(echo "$AZUREDNS_BEARERTOKEN" | sed "s/Bearer //g")
  199. fi
  200. if ! _get_root "$fulldomain" "$AZUREDNS_SUBSCRIPTIONID" "$accesstoken"; then
  201. _err "invalid domain"
  202. return 1
  203. fi
  204. _debug _domain_id "$_domain_id"
  205. _debug _sub_domain "$_sub_domain"
  206. _debug _domain "$_domain"
  207. acmeRecordURI="https://management.azure.com$(printf '%s' "$_domain_id" | sed 's/\\//g')/TXT/$_sub_domain?api-version=2017-09-01"
  208. _debug "$acmeRecordURI"
  209. # Get existing TXT record
  210. _azure_rest GET "$acmeRecordURI" "" "$accesstoken"
  211. timestamp="$(_time)"
  212. if [ "$_code" = "200" ]; then
  213. vlist="$(echo "$response" | _egrep_o "\"value\"\\s*:\\s*\\[\\s*\"[^\"]*\"\\s*]" | cut -d : -f 2 | tr -d "[]\"" | grep -v -- "$txtvalue")"
  214. values=""
  215. comma=""
  216. for v in $vlist; do
  217. values="$values$comma{\"value\":[\"$v\"]}"
  218. comma=","
  219. done
  220. if [ -z "$values" ]; then
  221. # No values left remove record
  222. _debug "removing validation record completely $acmeRecordURI"
  223. _azure_rest DELETE "$acmeRecordURI" "" "$accesstoken"
  224. if [ "$_code" = "200" ] || [ "$_code" = '204' ]; then
  225. _info "validation record removed"
  226. else
  227. _err "error removing validation record ($_code)"
  228. return 1
  229. fi
  230. else
  231. # Remove only txtvalue from the TXT Record
  232. body="{\"properties\":{\"metadata\":{\"acmetscheck\":\"$timestamp\"},\"TTL\":10, \"TXTRecords\":[$values]}}"
  233. _azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken"
  234. if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then
  235. _info "validation value removed"
  236. return 0
  237. else
  238. _err "error removing validation value ($_code)"
  239. return 1
  240. fi
  241. fi
  242. fi
  243. }
  244. ################### Private functions below ##################################
  245. _azure_rest() {
  246. m=$1
  247. ep="$2"
  248. data="$3"
  249. accesstoken="$4"
  250. MAX_REQUEST_RETRY_TIMES=5
  251. _request_retry_times=0
  252. while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
  253. _debug3 _request_retry_times "$_request_retry_times"
  254. export _H1="authorization: Bearer $accesstoken"
  255. export _H2="accept: application/json"
  256. export _H3="Content-Type: application/json"
  257. # clear headers from previous request to avoid getting wrong http code on timeouts
  258. : >"$HTTP_HEADER"
  259. _debug "$ep"
  260. if [ "$m" != "GET" ]; then
  261. _secure_debug2 "data $data"
  262. response="$(_post "$data" "$ep" "" "$m")"
  263. else
  264. response="$(_get "$ep")"
  265. fi
  266. _ret="$?"
  267. _secure_debug2 "response $response"
  268. _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
  269. _debug "http response code $_code"
  270. if [ "$_code" = "401" ]; then
  271. # we have an invalid access token set to expired
  272. _saveaccountconf_mutable AZUREDNS_TOKENVALIDTO "0"
  273. _err "access denied make sure your Azure settings are correct. See $WIKI"
  274. return 1
  275. fi
  276. # See https://docs.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines for retryable HTTP codes
  277. if [ "$_ret" != "0" ] || [ -z "$_code" ] || [ "$_code" = "408" ] || [ "$_code" = "500" ] || [ "$_code" = "503" ] || [ "$_code" = "504" ]; then
  278. _request_retry_times="$(_math "$_request_retry_times" + 1)"
  279. _info "REST call error $_code retrying $ep in $_request_retry_times s"
  280. _sleep "$_request_retry_times"
  281. continue
  282. fi
  283. break
  284. done
  285. if [ "$_request_retry_times" = "$MAX_REQUEST_RETRY_TIMES" ]; then
  286. _err "Error Azure REST called was retried $MAX_REQUEST_RETRY_TIMES times."
  287. _err "Calling $ep failed."
  288. return 1
  289. fi
  290. response="$(echo "$response" | _normalizeJson)"
  291. return 0
  292. }
  293. ## Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token
  294. _azure_getaccess_token() {
  295. managedIdentity=$1
  296. tenantID=$2
  297. clientID=$3
  298. clientSecret=$4
  299. accesstoken="${AZUREDNS_ACCESSTOKEN:-$(_readaccountconf_mutable AZUREDNS_ACCESSTOKEN)}"
  300. expires_on="${AZUREDNS_TOKENVALIDTO:-$(_readaccountconf_mutable AZUREDNS_TOKENVALIDTO)}"
  301. # can we reuse the bearer token?
  302. if [ -n "$accesstoken" ] && [ -n "$expires_on" ]; then
  303. if [ "$(_time)" -lt "$expires_on" ]; then
  304. # brearer token is still valid - reuse it
  305. _debug "reusing bearer token"
  306. printf "%s" "$accesstoken"
  307. return 0
  308. else
  309. _debug "bearer token expired"
  310. fi
  311. fi
  312. _debug "getting new bearer token"
  313. if [ "$managedIdentity" = true ]; then
  314. # https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
  315. export _H1="Metadata: true"
  316. response="$(_get http://169.254.169.254/metadata/identity/oauth2/token\?api-version=2018-02-01\&resource=https://management.azure.com/)"
  317. response="$(echo "$response" | _normalizeJson)"
  318. accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
  319. expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
  320. else
  321. export _H1="accept: application/json"
  322. export _H2="Content-Type: application/x-www-form-urlencoded"
  323. body="resource=$(printf "%s" 'https://management.core.windows.net/' | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials"
  324. _secure_debug2 "data $body"
  325. response="$(_post "$body" "https://login.microsoftonline.com/$tenantID/oauth2/token" "" "POST")"
  326. _ret="$?"
  327. _secure_debug2 "response $response"
  328. response="$(echo "$response" | _normalizeJson)"
  329. accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
  330. expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
  331. fi
  332. if [ -z "$accesstoken" ]; then
  333. _err "no acccess token received. Check your Azure settings see $WIKI"
  334. return 1
  335. fi
  336. if [ "$_ret" != "0" ]; then
  337. _err "error $response"
  338. return 1
  339. fi
  340. _saveaccountconf_mutable AZUREDNS_ACCESSTOKEN "$accesstoken"
  341. _saveaccountconf_mutable AZUREDNS_TOKENVALIDTO "$expires_on"
  342. printf "%s" "$accesstoken"
  343. return 0
  344. }
  345. _get_root() {
  346. domain=$1
  347. subscriptionId=$2
  348. accesstoken=$3
  349. i=1
  350. p=1
  351. ## Ref: https://docs.microsoft.com/en-us/rest/api/dns/zones/list
  352. ## returns up to 100 zones in one response therefore handling more results is not not implemented
  353. ## (ZoneListResult with continuation token for the next page of results)
  354. ## Per https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#dns-limits you are limited to 100 Zone/subscriptions anyways
  355. ##
  356. _azure_rest GET "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Network/dnszones?\$top=500&api-version=2017-09-01" "" "$accesstoken"
  357. # Find matching domain name in Json response
  358. while true; do
  359. h=$(printf "%s" "$domain" | cut -d . -f $i-100)
  360. _debug2 "Checking domain: $h"
  361. if [ -z "$h" ]; then
  362. #not valid
  363. _err "Invalid domain"
  364. return 1
  365. fi
  366. if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
  367. _domain_id=$(echo "$response" | _egrep_o "\\{\"id\":\"[^\"]*\\/$h\"" | head -n 1 | cut -d : -f 2 | tr -d \")
  368. if [ "$_domain_id" ]; then
  369. if [ "$i" = 1 ]; then
  370. #create the record at the domain apex (@) if only the domain name was provided as --domain-alias
  371. _sub_domain="@"
  372. else
  373. _sub_domain=$(echo "$domain" | cut -d . -f 1-$p)
  374. fi
  375. _domain=$h
  376. return 0
  377. fi
  378. return 1
  379. fi
  380. p=$i
  381. i=$(_math "$i" + 1)
  382. done
  383. return 1
  384. }