You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

262 lines
6.6 KiB

3 years ago
  1. #!/usr/bin/env sh
  2. # Mythic Beasts is a long-standing UK service provider using standards-based OAuth2 authentication
  3. # To test: ./acme.sh --dns dns_mythic_beasts --test --debug 1 --output-insecure --issue --domain domain.com
  4. # Cannot retest once cert is issued
  5. # OAuth2 tokens only valid for 300 seconds so we do not store
  6. # NOTE: This will remove all TXT records matching the fulldomain, not just the added ones (_acme-challenge.www.domain.com)
  7. # Test OAuth2 credentials
  8. #MB_AK="aaaaaaaaaaaaaaaa"
  9. #MB_AS="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
  10. # URLs
  11. MB_API='https://api.mythic-beasts.com/dns/v2/zones'
  12. MB_AUTH='https://auth.mythic-beasts.com/login'
  13. ######## Public functions #####################
  14. #Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
  15. dns_mythic_beasts_add() {
  16. fulldomain=$1
  17. txtvalue=$2
  18. _info "MYTHIC BEASTS Adding record $fulldomain = $txtvalue"
  19. if ! _initAuth; then
  20. return 1
  21. fi
  22. if ! _get_root "$fulldomain"; then
  23. return 1
  24. fi
  25. # method path body_data
  26. if _mb_rest POST "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
  27. if _contains "$response" "1 records added"; then
  28. _info "Added, verifying..."
  29. # Max 120 seconds to publish
  30. for i in $(seq 1 6); do
  31. # Retry on error
  32. if ! _mb_rest GET "$_domain/records/$_sub_domain/TXT?verify"; then
  33. _sleep 20
  34. else
  35. _info "Record published!"
  36. return 0
  37. fi
  38. done
  39. else
  40. _err "\n$response"
  41. fi
  42. fi
  43. _err "Add txt record error."
  44. return 1
  45. }
  46. #Usage: rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
  47. dns_mythic_beasts_rm() {
  48. fulldomain=$1
  49. txtvalue=$2
  50. _info "MYTHIC BEASTS Removing record $fulldomain = $txtvalue"
  51. if ! _initAuth; then
  52. return 1
  53. fi
  54. if ! _get_root "$fulldomain"; then
  55. return 1
  56. fi
  57. # method path body_data
  58. if _mb_rest DELETE "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
  59. _info "Record removed"
  60. return 0
  61. fi
  62. _err "Remove txt record error."
  63. return 1
  64. }
  65. #################### Private functions below ##################################
  66. #Possible formats:
  67. # _acme-challenge.www.example.com
  68. # _acme-challenge.example.com
  69. # _acme-challenge.example.co.uk
  70. # _acme-challenge.www.example.co.uk
  71. # _acme-challenge.sub1.sub2.www.example.co.uk
  72. # sub1.sub2.example.co.uk
  73. # example.com
  74. # example.co.uk
  75. #returns
  76. # _sub_domain=_acme-challenge.www
  77. # _domain=domain.com
  78. _get_root() {
  79. domain=$1
  80. i=1
  81. p=1
  82. _debug "Detect the root zone"
  83. while true; do
  84. h=$(printf "%s" "$domain" | cut -d . -f $i-100)
  85. if [ -z "$h" ]; then
  86. _err "Domain exhausted"
  87. return 1
  88. fi
  89. # Use the status errors to find the domain, continue on 403 Access denied
  90. # method path body_data
  91. _mb_rest GET "$h/records"
  92. ret="$?"
  93. if [ "$ret" -eq 0 ]; then
  94. _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
  95. _domain="$h"
  96. _debug _sub_domain "$_sub_domain"
  97. _debug _domain "$_domain"
  98. return 0
  99. elif [ "$ret" -eq 1 ]; then
  100. return 1
  101. fi
  102. p=$i
  103. i=$(_math "$i" + 1)
  104. if [ "$i" -gt 50 ]; then
  105. break
  106. fi
  107. done
  108. _err "Domain too long"
  109. return 1
  110. }
  111. _initAuth() {
  112. MB_AK="${MB_AK:-$(_readaccountconf_mutable MB_AK)}"
  113. MB_AS="${MB_AS:-$(_readaccountconf_mutable MB_AS)}"
  114. if [ -z "$MB_AK" ] || [ -z "$MB_AS" ]; then
  115. MB_AK=""
  116. MB_AS=""
  117. _err "Please specify an OAuth2 Key & Secret"
  118. return 1
  119. fi
  120. _saveaccountconf_mutable MB_AK "$MB_AK"
  121. _saveaccountconf_mutable MB_AS "$MB_AS"
  122. if ! _oauth2; then
  123. return 1
  124. fi
  125. _info "Checking authentication"
  126. _secure_debug access_token "$MB_TK"
  127. _sleep 1
  128. # GET a list of zones
  129. # method path body_data
  130. if ! _mb_rest GET ""; then
  131. _err "The token is invalid"
  132. return 1
  133. fi
  134. _info "Token OK"
  135. return 0
  136. }
  137. # Github appears to use an outbound proxy for requests which means subsequent requests may not have the same
  138. # source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail
  139. # authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an
  140. # IP just for the github tests.
  141. _oauth2() {
  142. _info "DOMAIN: $TEST_DNS"
  143. if [ "$TEST_DNS" != "dns_mythic_beasts" ]; then
  144. _oauth2_std
  145. else
  146. _oauth2_github
  147. fi
  148. return $?
  149. }
  150. _oauth2_std() {
  151. # HTTP Basic Authentication
  152. _H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" | _base64)"
  153. _H2="Accepts: application/json"
  154. export _H1 _H2
  155. body="grant_type=client_credentials"
  156. _info "Getting OAuth2 token..."
  157. # body url [needbase64] [POST|PUT|DELETE] [ContentType]
  158. response="$(_post "$body" "$MB_AUTH" "" "POST" "application/x-www-form-urlencoded")"
  159. if _contains "$response" "\"token_type\":\"bearer\""; then
  160. MB_TK="$(echo "$response" | _egrep_o "access_token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
  161. if [ -z "$MB_TK" ]; then
  162. _err "Unable to get access_token"
  163. _err "\n$response"
  164. return 1
  165. fi
  166. else
  167. _err "OAuth2 token_type not Bearer"
  168. _err "\n$response"
  169. return 1
  170. fi
  171. _debug2 response "$response"
  172. return 0
  173. }
  174. _oauth2_github() {
  175. _H1="Accepts: application/json"
  176. export _H1
  177. body="{\"login\":{\"handle\":$MB_AK,\"pass\":$MB_AS,\"floating\":1}}"
  178. _info "Getting Floating token..."
  179. # body url [needbase64] [POST|PUT|DELETE] [ContentType]
  180. response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")"
  181. MB_TK="$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
  182. if [ -z "$MB_TK" ]; then
  183. _err "Unable to get token"
  184. _err "\n$response"
  185. return 1
  186. fi
  187. _debug2 response "$response"
  188. return 0
  189. }
  190. # method path body_data
  191. _mb_rest() {
  192. # URL encoded body for single API operations
  193. m="$1"
  194. ep="$2"
  195. data="$3"
  196. if [ -z "$ep" ]; then
  197. _mb_url="$MB_API"
  198. else
  199. _mb_url="$MB_API/$ep"
  200. fi
  201. _H1="Authorization: Bearer $MB_TK"
  202. _H2="Accepts: application/json"
  203. export _H1 _H2
  204. if [ "$data" ] || [ "$m" = "POST" ] || [ "$m" = "PUT" ] || [ "$m" = "DELETE" ]; then
  205. # body url [needbase64] [POST|PUT|DELETE] [ContentType]
  206. response="$(_post "data=$data" "$_mb_url" "" "$m" "application/x-www-form-urlencoded")"
  207. else
  208. response="$(_get "$_mb_url")"
  209. fi
  210. if [ "$?" != "0" ]; then
  211. _err "Request error"
  212. return 1
  213. fi
  214. header="$(cat "$HTTP_HEADER")"
  215. status="$(echo "$header" | _egrep_o "^HTTP[^ ]* .*$" | cut -d " " -f 2-100 | tr -d "\f\n")"
  216. code="$(echo "$status" | _egrep_o "^[0-9]*")"
  217. if [ "$code" -ge 400 ] || _contains "$response" "\"error\"" || _contains "$response" "invalid_client"; then
  218. _err "error $status"
  219. _err "\n$response"
  220. _debug "\n$header"
  221. return 2
  222. fi
  223. _debug2 response "$response"
  224. return 0
  225. }