Merge remote-tracking branch 'upstream/dev' into dev

4 years ago · 768e00ff1a
5 changed files with 351 additions and 8 deletions
--- a/acme.sh
+++ b/acme.sh
@ -1722,6 +1722,14 @@ _mktemp() {
  _err "Can not create temp file."
 }

+#clear all the https envs to cause _inithttp() to run next time.
+_resethttp() {
+  __HTTP_INITIALIZED=""
+  _ACME_CURL=""
+  _ACME_WGET=""
+  ACME_HTTP_NO_REDIRECTS=""
+}
+
 _inithttp() {

  if [ -z "$HTTP_HEADER" ] || ! touch "$HTTP_HEADER"; then
@ -1737,7 +1745,10 @@ _inithttp() {
  fi

  if [ -z "$_ACME_CURL" ] && _exists "curl"; then
-    _ACME_CURL="curl -L --silent --dump-header $HTTP_HEADER "
+    _ACME_CURL="curl --silent --dump-header $HTTP_HEADER "
+    if [ -z "$ACME_HTTP_NO_REDIRECTS" ]; then
+      _ACME_CURL="$_ACME_CURL -L "
+    fi
    if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
      _CURL_DUMP="$(_mktemp)"
      _ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
@ -1756,6 +1767,9 @@ _inithttp() {

  if [ -z "$_ACME_WGET" ] && _exists "wget"; then
    _ACME_WGET="wget -q"
+    if [ "$ACME_HTTP_NO_REDIRECTS" ]; then
+      _ACME_WGET="$_ACME_WGET --max-redirect 0 "
+    fi
    if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
      _ACME_WGET="$_ACME_WGET -d "
    fi
@ -6649,8 +6663,8 @@ _checkSudo() {
      return 0
    fi
    if [ -n "$SUDO_COMMAND" ]; then
-      #it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`
-      _endswith "$SUDO_COMMAND" /bin/su || grep "^$SUDO_COMMAND\$" /etc/shells >/dev/null 2>&1
+      #it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`, or `sudo su acmeuser1`
+      _endswith "$SUDO_COMMAND" /bin/su || _contains "$SUDO_COMMAND" "/bin/su " || grep "^$SUDO_COMMAND\$" /etc/shells >/dev/null 2>&1
      return $?
    fi
    #otherwise
--- a/deploy/cleverreach.sh
+++ b/deploy/cleverreach.sh
@ -0,0 +1,70 @@
+#!/usr/bin/env sh
+# Here is the script to deploy the cert to your CleverReach Account using the CleverReach REST API.
+# Your OAuth needs the right scope, please contact CleverReach support for that.
+#
+# Written by Jan-Philipp Benecke <github@bnck.me>
+# Public domain, 2020
+#
+# Following environment variables must be set:
+#
+#export DEPLOY_CLEVERREACH_CLIENT_ID=myid
+#export DEPLOY_CLEVERREACH_CLIENT_SECRET=mysecret
+
+cleverreach_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  _getdeployconf DEPLOY_CLEVERREACH_CLIENT_ID
+  _getdeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET
+
+  if [ -z "${DEPLOY_CLEVERREACH_CLIENT_ID}" ]; then
+    _err "CleverReach Client ID is not found, please define DEPLOY_CLEVERREACH_CLIENT_ID."
+    return 1
+  fi
+  if [ -z "${DEPLOY_CLEVERREACH_CLIENT_SECRET}" ]; then
+    _err "CleverReach client secret is not found, please define DEPLOY_CLEVERREACH_CLIENT_SECRET."
+    return 1
+  fi
+
+  _savedeployconf DEPLOY_CLEVERREACH_CLIENT_ID "${DEPLOY_CLEVERREACH_CLIENT_ID}"
+  _savedeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET "${DEPLOY_CLEVERREACH_CLIENT_SECRET}"
+
+  _info "Obtaining a CleverReach access token"
+
+  _data="{\"grant_type\": \"client_credentials\", \"client_id\": \"${DEPLOY_CLEVERREACH_CLIENT_ID}\", \"client_secret\": \"${DEPLOY_CLEVERREACH_CLIENT_SECRET}\"}"
+  _auth_result="$(_post "$_data" "https://rest.cleverreach.com/oauth/token.php" "" "POST" "application/json")"
+
+  _debug _data "$_data"
+  _debug _auth_result "$_auth_result"
+
+  _regex=".*\"access_token\":\"\([-._0-9A-Za-z]*\)\".*$"
+  _debug _regex "$_regex"
+  _access_token=$(echo "$_auth_result" | _json_decode | sed -n "s/$_regex/\1/p")
+
+  _info "Uploading certificate and key to CleverReach"
+
+  _certData="{\"cert\":\"$(_json_encode <"$_cfullchain")\", \"key\":\"$(_json_encode <"$_ckey")\"}"
+  export _H1="Authorization: Bearer ${_access_token}"
+  _add_cert_result="$(_post "$_certData" "https://rest.cleverreach.com/v3/ssl" "" "POST" "application/json")"
+
+  _debug "Destroying token at CleverReach"
+  _post "" "https://rest.cleverreach.com/v3/oauth/token.json" "" "DELETE" "application/json"
+
+  if ! echo "$_add_cert_result" | grep '"error":' >/dev/null; then
+    _info "Uploaded certificate successfully"
+    return 0
+  else
+    _debug _add_cert_result "$_add_cert_result"
+    _err "Unable to update certificate"
+    return 1
+  fi
+}
--- a/deploy/fritzbox.sh
+++ b/deploy/fritzbox.sh
@ -28,11 +28,13 @@ fritzbox_deploy() {
  _debug _cfullchain "$_cfullchain"

  if ! _exists iconv; then
+    if ! _exists uconv; then
      if ! _exists perl; then
-      _err "iconv or perl not found"
+        _err "iconv or uconv or perl not found"
        return 1
      fi
    fi
+  fi

  _fritzbox_username="${DEPLOY_FRITZBOX_USERNAME}"
  _fritzbox_password="${DEPLOY_FRITZBOX_PASSWORD}"
@ -65,6 +67,8 @@ fritzbox_deploy() {
  _fritzbox_challenge="$(_get "${_fritzbox_url}/login_sid.lua" | sed -e 's/^.*<Challenge>//' -e 's/<\/Challenge>.*$//')"
  if _exists iconv; then
    _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | iconv -f ASCII -t UTF16LE | _digest md5 hex)"
+  elif _exists uconv; then
+    _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | uconv -f ASCII -t UTF16LE | _digest md5 hex)"
  else
    _fritzbox_hash="$(printf "%s-%s" "${_fritzbox_challenge}" "${_fritzbox_password}" | perl -p -e 'use Encode qw/encode/; print encode("UTF-16LE","$_"); $_="";' | _digest md5 hex)"
  fi
--- a/dnsapi/dns_desec.sh
+++ b/dnsapi/dns_desec.sh
@ -61,7 +61,7 @@ dns_desec_add() {
  fi
  _debug txtvalues "$txtvalues"
  _info "Adding record"
-  body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":60}]"
+  body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"

  if _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"; then
    if _contains "$response" "$txtvalue"; then
@ -130,7 +130,7 @@ dns_desec_rm() {
  _debug txtvalues "$txtvalues"

  _info "Deleting record"
-  body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":60}]"
+  body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
  _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"
  if [ "$_code" = "200" ]; then
    _info "Deleted, OK"
--- a/dnsapi/dns_huaweicloud.sh
+++ b/dnsapi/dns_huaweicloud.sh
@ -0,0 +1,255 @@
+#!/usr/bin/env sh
+
+# HUAWEICLOUD_Username
+# HUAWEICLOUD_Password
+# HUAWEICLOUD_ProjectID
+
+iam_api="https://iam.myhuaweicloud.com"
+dns_api="https://dns.ap-southeast-1.myhuaweicloud.com"
+
+########  Public functions #####################
+
+# Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to add txt record
+#
+# Ref: https://support.huaweicloud.com/intl/zh-cn/api-dns/zh-cn_topic_0132421999.html
+#
+
+dns_huaweicloud_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}"
+  HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}"
+  HUAWEICLOUD_ProjectID="${HUAWEICLOUD_ProjectID:-$(_readaccountconf_mutable HUAWEICLOUD_ProjectID)}"
+
+  # Check information
+  if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_ProjectID}" ]; then
+    _err "Not enough information provided to dns_huaweicloud!"
+    return 1
+  fi
+
+  token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_ProjectID}")"
+  _debug2 "${token}"
+  zoneid="$(_get_zoneid "${token}" "${fulldomain}")"
+  _debug "${zoneid}"
+
+  _debug "Adding Record"
+  _add_record "${token}" "${fulldomain}" "${txtvalue}"
+  ret="$?"
+  if [ "${ret}" != "0" ]; then
+    _err "dns_huaweicloud: Error adding record."
+    return 1
+  fi
+
+  # Do saving work if all succeeded
+  _saveaccountconf_mutable HUAWEICLOUD_Username "${HUAWEICLOUD_Username}"
+  _saveaccountconf_mutable HUAWEICLOUD_Password "${HUAWEICLOUD_Password}"
+  _saveaccountconf_mutable HUAWEICLOUD_ProjectID "${HUAWEICLOUD_ProjectID}"
+  return 0
+}
+
+# Usage: fulldomain txtvalue
+# Used to remove the txt record after validation
+#
+# Ref: https://support.huaweicloud.com/intl/zh-cn/api-dns/dns_api_64005.html
+#
+
+dns_huaweicloud_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}"
+  HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}"
+  HUAWEICLOUD_ProjectID="${HUAWEICLOUD_ProjectID:-$(_readaccountconf_mutable HUAWEICLOUD_ProjectID)}"
+
+  # Check information
+  if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_ProjectID}" ]; then
+    _err "Not enough information provided to dns_huaweicloud!"
+    return 1
+  fi
+
+  token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_ProjectID}")"
+  _debug2 "${token}"
+  zoneid="$(_get_zoneid "${token}" "${fulldomain}")"
+  _debug "${zoneid}"
+  record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")"
+  _debug "Record Set ID is: ${record_id}"
+
+  # Remove all records
+  # Therotically HuaweiCloud does not allow more than one record set
+  # But remove them recurringly to increase robusty
+  while [ "${record_id}" != "0" ]; do
+    _debug "Removing Record"
+    _rm_record "${token}" "${zoneid}" "${record_id}"
+    record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")"
+  done
+  return 0
+}
+
+###################  Private functions below ##################################
+
+# _get_zoneid
+#
+# _token=$1
+# _domain_string=$2
+#
+# printf "%s" "${_zoneid}"
+_get_zoneid() {
+  _token=$1
+  _domain_string=$2
+  export _H1="X-Auth-Token: ${_token}"
+
+  i=1
+  while true; do
+    h=$(printf "%s" "${_domain_string}" | cut -d . -f $i-100)
+    if [ -z "$h" ]; then
+      #not valid
+      return 1
+    fi
+    _debug "$h"
+    response=$(_get "${dns_api}/v2/zones?name=${h}")
+
+    if _contains "${response}" "id"; then
+      _debug "Get Zone ID Success."
+      _zoneid=$(echo "${response}" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ")
+      printf "%s" "${_zoneid}"
+      return 0
+    fi
+
+    i=$(_math "$i" + 1)
+  done
+  return 1
+}
+
+_get_recordset_id() {
+  _token=$1
+  _domain=$2
+  _zoneid=$3
+  export _H1="X-Auth-Token: ${_token}"
+
+  response=$(_get "${dns_api}/v2/zones/${_zoneid}/recordsets?name=${_domain}")
+  if _contains "${response}" "id"; then
+    _id="$(echo "${response}" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ")"
+    printf "%s" "${_id}"
+    return 0
+  fi
+  printf "%s" "0"
+  return 1
+}
+
+_add_record() {
+  _token=$1
+  _domain=$2
+  _txtvalue=$3
+
+  # Get Existing Records
+  export _H1="X-Auth-Token: ${_token}"
+  response=$(_get "${dns_api}/v2/zones/${zoneid}/recordsets?name=${_domain}")
+
+  _debug2 "${response}"
+  _exist_record=$(echo "${response}" | _egrep_o '"records":[^]]*' | sed 's/\"records\"\:\[//g')
+  _debug "${_exist_record}"
+
+  # Check if record exist
+  # Generate body data
+  if [ -z "${_exist_record}" ]; then
+    _post_body="{
+      \"name\": \"${_domain}.\",
+      \"description\": \"ACME Challenge\",
+      \"type\": \"TXT\",
+      \"ttl\": 1,
+      \"records\": [
+        \"\\\"${_txtvalue}\\\"\"
+      ]
+    }"
+  else
+    _post_body="{
+      \"name\": \"${_domain}.\",
+      \"description\": \"ACME Challenge\",
+      \"type\": \"TXT\",
+      \"ttl\": 1,
+      \"records\": [
+        ${_exist_record},
+        \"\\\"${_txtvalue}\\\"\"
+      ]
+    }"
+  fi
+
+  _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")"
+  _debug "Record Set ID is: ${_record_id}"
+
+  # Remove all records
+  while [ "${_record_id}" != "0" ]; do
+    _debug "Removing Record"
+    _rm_record "${_token}" "${zoneid}" "${_record_id}"
+    _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")"
+  done
+
+  # Add brand new records with all old and new records
+  export _H2="Content-Type: application/json"
+  export _H1="X-Auth-Token: ${_token}"
+
+  _debug2 "${_post_body}"
+  _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null
+  _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
+  if [ "$_code" != "202" ]; then
+    _err "dns_huaweicloud: http code ${_code}"
+    return 1
+  fi
+  return 0
+}
+
+# _rm_record $token $zoneid $recordid
+# assume ${dns_api} exist
+# no output
+# return 0
+_rm_record() {
+  _token=$1
+  _zone_id=$2
+  _record_id=$3
+
+  export _H2="Content-Type: application/json"
+  export _H1="X-Auth-Token: ${_token}"
+
+  _post "" "${dns_api}/v2/zones/${_zone_id}/recordsets/${_record_id}" false "DELETE" >/dev/null
+  return $?
+}
+
+_get_token() {
+  _username=$1
+  _password=$2
+  _project=$3
+
+  _debug "Getting Token"
+  body="{
+    \"auth\": {
+      \"identity\": {
+        \"methods\": [
+          \"password\"
+        ],
+        \"password\": {
+          \"user\": {
+            \"name\": \"${_username}\",
+            \"password\": \"${_password}\",
+            \"domain\": {
+              \"name\": \"${_username}\"
+            }
+          }
+        }
+      },
+      \"scope\": {
+        \"project\": {
+          \"id\": \"${_project}\"
+        }
+      }
+    }
+  }"
+  export _H1="Content-Type: application/json;charset=utf8"
+  _post "${body}" "${iam_api}/v3/auth/tokens" >/dev/null
+  _code=$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")
+  _token=$(grep "^X-Subject-Token" "$HTTP_HEADER" | cut -d " " -f 2-)
+  _debug2 "${_code}"
+  printf "%s" "${_token}"
+  return 0
+}