From d3ed8bea26f03534d3c6d66ea3e99f81e135aaea Mon Sep 17 00:00:00 2001 From: Yang Liu Date: Mon, 8 Mar 2021 09:56:36 +0800 Subject: [PATCH 1/8] add ecs ram role support --- dnsapi/dns_ali.sh | 92 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 74 insertions(+), 18 deletions(-) diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index c2105672..c4d55cec 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh 
@@ -1,27 +1,34 @@ -#!/usr/bin/env sh +#!/usr/local/bin/bash Ali_API="https://alidns.aliyuncs.com/" -#Ali_Key="LTqIA87hOKdjevsf5" -#Ali_Secret="0p5EYueFNq501xnCPzKNbx6K51qPH2" +#ALICLOUD_ACCESS_KEY="LTqIA87hOKdjevsf5" +#ALICLOUD_SECRET_KEY="0p5EYueFNq501xnCPzKNbx6K51qPH2" -#Usage: dns_ali_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +#Usage: dns_ali_add $(_ali_urlencode "_acme-challenge.www.domain.com") "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_ali_add() { fulldomain=$1 txtvalue=$2 - Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}" - Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}" - if [ -z "$Ali_Key" ] || [ -z "$Ali_Secret" ]; then - Ali_Key="" - Ali_Secret="" + ALICLOUD_ACCESS_KEY="${ALICLOUD_ACCESS_KEY:-$(_readaccountconf_mutable ALICLOUD_ACCESS_KEY)}" + ALICLOUD_SECRET_KEY="${ALICLOUD_SECRET_KEY:-$(_readaccountconf_mutable ALICLOUD_SECRET_KEY)}" + + if [ -z "$ALICLOUD_ACCESS_KEY" ] || [ -z "$ALICLOUD_SECRET_KEY" ]; then + _use_instance_role + fi + + if [ -z "$ALICLOUD_ACCESS_KEY" ] || [ -z "$ALICLOUD_SECRET_KEY" ]; then + ALICLOUD_ACCESS_KEY="" + ALICLOUD_SECRET_KEY="" _err "You don't specify aliyun api key and secret yet." return 1 fi #save the api key and secret to the account conf file. - _saveaccountconf_mutable Ali_Key "$Ali_Key" - _saveaccountconf_mutable Ali_Secret "$Ali_Secret" + if [ -z "$_using_role" ]; then + _saveaccountconf_mutable ALICLOUD_ACCESS_KEY "$ALICLOUD_ACCESS_KEY" + _saveaccountconf_mutable ALICLOUD_SECRET_KEY "$ALICLOUD_SECRET_KEY" + fi _debug "First detect the root zone" if ! _get_root "$fulldomain"; then 
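Review bot: Renaming the stored settings from `Ali_Key`/`Ali_Secret` to `ALICLOUD_ACCESS_KEY`/`ALICLOUD_SECRET_KEY` at the top of dns_ali_add means credentials already saved under the old names are no longer read. An existing install would then fall through to the metadata lookup or to the "You don't specify aliyun api key" error. Keep the old names, or read them as a fallback, e.g. `ALICLOUD_ACCESS_KEY="${ALICLOUD_ACCESS_KEY:-$(_readaccountconf_mutable Ali_Key)}"`. The shebang change to `#!/usr/local/bin/bash` also hard-codes a path that many systems lack, while the rest of the file is written for `#!/usr/bin/env sh`. The comment above the save step should say why it is skipped for role credentials: `# role credentials are short-lived STS values; never persist them`.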
@@ -35,8 +42,8 @@ dns_ali_add() { dns_ali_rm() { fulldomain=$1 txtvalue=$2 - Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}" - Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}" + ALICLOUD_ACCESS_KEY="${ALICLOUD_ACCESS_KEY:-$(_readaccountconf_mutable ALICLOUD_ACCESS_KEY)}" + ALICLOUD_SECRET_KEY="${ALICLOUD_SECRET_KEY:-$(_readaccountconf_mutable ALICLOUD_SECRET_KEY)}" _debug "First detect the root zone" if ! _get_root "$fulldomain"; then @@ -77,8 +84,45 @@ _get_root() { return 1 } +_use_instance_role() { + _url="http://100.100.100.200/latest/meta-data/ram/security-credentials/" + _debug "_url" "$_url" + if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then + _debug "Unable to fetch IAM role from instance metadata" + return 1 + fi + _ali_instance_role=$(_get "$_url" "" 1) + _debug "_ali_instance_role" "_ali_instance_role" + + _ali_creds="$( + _get "$_url$_ali_instance_role" "" 1 | + _normalizeJson | + tr '{,}' '\n' | + while read -r _line; do + _key="$(echo "${_line%%:*}" | tr -d '"')" + _value="${_line#*:}" + _debug3 "_key" "$_key" + _secure_debug3 "_value" "$_value" + case "$_key" in + AccessKeyId) echo "ALICLOUD_ACCESS_KEY=$_value" ;; + AccessKeySecret) echo "ALICLOUD_SECRET_KEY=$_value" ;; + SecurityToken) echo "ALICLOUD_SECURITY_TOKEN=$_value" ;; + esac + done | + paste -sd' ' - + )" + _secure_debug "_ali_creds" "$_ali_creds" + + if [ -z "$_ali_creds" ]; then + return 1 + fi + + eval "$_ali_creds" + _using_role=true +} + _ali_rest() { - signature=$(printf "%s" "GET&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$Ali_Secret&" | _hex_dump | tr -d " ")" | _base64) + signature=$(printf "%s" "GET&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$ALICLOUD_SECRET_KEY&" | _hex_dump | tr -d " ")" | _base64) signature=$(_ali_urlencode "$signature") url="$Ali_API?$query&Signature=$signature" 
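Review bot: dns_ali_rm still takes its keys only from the environment or the account conf, with no fallback to `_use_instance_role`, although dns_ali_add now deliberately skips `_saveaccountconf_mutable` when `_using_role` is set. If removal runs where the variables set during the add step are absent or the temporary token has expired, the delete request would presumably be signed with empty or stale credentials, leaving the challenge TXT record behind. Repeat the fallback here after the two reads: `if [ -z "$ALICLOUD_ACCESS_KEY" ] || [ -z "$ALICLOUD_SECRET_KEY" ]; then _use_instance_role; fi`. The body of dns_ali_rm continues outside the hunk, so any later empty-key check is not visible.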
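Review bot: `eval "$_ali_creds"` in `_use_instance_role` runs text taken from an unauthenticated plain-HTTP response as shell code. The values keep their JSON quoting, so any `$(...)` or backtick inside a field would be expanded by the eval. Assign the three fields directly instead, as in the fence below, and fail if any of them is empty. The field extraction assumes `_normalizeJson` yields `"key":"value"` pairs with no spaces around the colon, which should be confirmed. Separately, `_debug "_ali_instance_role" "_ali_instance_role"` logs the literal name; the second argument should be `"$_ali_instance_role"`.

```shell
  # … unchanged: metadata URL, role-name lookup …
  _ali_resp="$(_get "$_url$_ali_instance_role" "" 1 | _normalizeJson)"
  ALICLOUD_ACCESS_KEY="$(printf "%s" "$_ali_resp" | sed -n 's/.*"AccessKeyId":"\([^"]*\)".*/\1/p')"
  ALICLOUD_SECRET_KEY="$(printf "%s" "$_ali_resp" | sed -n 's/.*"AccessKeySecret":"\([^"]*\)".*/\1/p')"
  ALICLOUD_SECURITY_TOKEN="$(printf "%s" "$_ali_resp" | sed -n 's/.*"SecurityToken":"\([^"]*\)".*/\1/p')"
  _secure_debug "ALICLOUD_ACCESS_KEY" "$ALICLOUD_ACCESS_KEY"

  if [ -z "$ALICLOUD_ACCESS_KEY" ] || [ -z "$ALICLOUD_SECRET_KEY" ] || [ -z "$ALICLOUD_SECURITY_TOKEN" ]; then
    return 1
  fi
  _using_role=true
```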
@@ -124,11 +168,14 @@ _check_exist_query() { _qdomain="$1" _qsubdomain="$2" query='' - query=$query'AccessKeyId='$Ali_Key + query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY query=$query'&Action=DescribeDomainRecords' query=$query'&DomainName='$_qdomain query=$query'&Format=json' query=$query'&RRKeyWord='$_qsubdomain + if [ -n "$ALICLOUD_SECURITY_TOKEN" ]; then + query=$query'&SecurityToken='$(_ali_urlencode "$ALICLOUD_SECURITY_TOKEN") + fi query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' @@ -139,11 +186,14 @@ _check_exist_query() { _add_record_query() { query='' - query=$query'AccessKeyId='$Ali_Key + query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY query=$query'&Action=AddDomainRecord' query=$query'&DomainName='$1 query=$query'&Format=json' query=$query'&RR='$2 + if [ -n "$ALICLOUD_SECURITY_TOKEN" ]; then + query=$query'&SecurityToken='$(_ali_urlencode "$ALICLOUD_SECURITY_TOKEN") + fi query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' @@ -155,10 +205,13 @@ _add_record_query() { _delete_record_query() { query='' - query=$query'AccessKeyId='$Ali_Key + query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY query=$query'&Action=DeleteDomainRecord' query=$query'&Format=json' query=$query'&RecordId='$1 + if [ -n "$ALICLOUD_SECURITY_TOKEN" ]; then + query=$query'&SecurityToken='$(_ali_urlencode "$ALICLOUD_SECURITY_TOKEN") + fi query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' 
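Review bot: `SecurityToken` is appended in `_check_exist_query` whenever `ALICLOUD_SECURITY_TOKEN` is non-empty, regardless of where the access key came from. A token left in the environment by other tooling would therefore be sent alongside a static key pair and the request would likely be rejected. The same block is repeated in `_add_record_query`, `_delete_record_query` and `_describe_records_query`. Either gate it on the role path, `if [ -n "$_using_role" ] && [ -n "$ALICLOUD_SECURITY_TOKEN" ]; then`, or clear the variable in dns_ali_add when static keys are used. The four copies would be easier to keep correct as one small helper. The placement also deserves a comment, since the signature in `_ali_rest` is computed over `$query` as built: `# keep SecurityToken before SignatureMethod: parameters are signed in sorted order`.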
@@ -168,10 +221,13 @@ _delete_record_query() { _describe_records_query() { query='' - query=$query'AccessKeyId='$Ali_Key + query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY query=$query'&Action=DescribeDomainRecords' query=$query'&DomainName='$1 query=$query'&Format=json' + if [ -n "$ALICLOUD_SECURITY_TOKEN" ]; then + query=$query'&SecurityToken='$(_ali_urlencode "$ALICLOUD_SECURITY_TOKEN") + fi query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' From a4411c818408f4e4eececc85b4856db07036fd29 Mon Sep 17 00:00:00 2001 From: Yang Liu Date: Mon, 8 Mar 2021 09:57:02 +0800 Subject: [PATCH 2/8] fix curl -I will send HEAD request --- acme.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acme.sh b/acme.sh index 757ed7a5..bdc1bfcf 100755 --- a/acme.sh +++ b/acme.sh @@ -1942,7 +1942,7 @@ _get() { fi _debug "_CURL" "$_CURL" if [ "$onlyheader" ]; then - $_CURL -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url" + $_CURL -X GET -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url" else $_CURL --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url" fi From 8f0f411c605d152c341c15e88f6b3329b468f2e6 Mon Sep 17 00:00:00 2001 From: Yang Liu Date: Mon, 8 Mar 2021 10:52:31 +0800 Subject: [PATCH 3/8] Update dns_ali.sh --- dnsapi/dns_ali.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index c4d55cec..ede106ba 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh 
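Review bot: Adding `-X GET` to the `onlyheader` branch of `_get` changes the request for every caller that asks for headers only, not just the Alibaba metadata lookup this series needs. curl's `-X` replaces only the method word, so with `-I` it still treats the reply as a HEAD response. The non-curl branch is not visible in this hunk and presumably still sends HEAD, so the two backends would diverge. Leave `_get` as it was and have the caller make an ordinary GET with an empty `onlyheader` argument, `_get "$_url" "" 1`, then inspect the body there.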
@@ -5,7 +5,7 @@ Ali_API="https://alidns.aliyuncs.com/" #ALICLOUD_ACCESS_KEY="LTqIA87hOKdjevsf5" #ALICLOUD_SECRET_KEY="0p5EYueFNq501xnCPzKNbx6K51qPH2" -#Usage: dns_ali_add $(_ali_urlencode "_acme-challenge.www.domain.com") "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +#Usage: dns_ali_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_ali_add() { fulldomain=$1 txtvalue=$2 From 875a4c3e63ce0f5fd1b185ac1008fdf06367b254 Mon Sep 17 00:00:00 2001 From: Yang Liu Date: Mon, 8 Mar 2021 11:00:24 +0800 Subject: [PATCH 4/8] update --- dnsapi/dns_ali.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index ede106ba..0514373a 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh @@ -5,7 +5,7 @@ Ali_API="https://alidns.aliyuncs.com/" #ALICLOUD_ACCESS_KEY="LTqIA87hOKdjevsf5" #ALICLOUD_SECRET_KEY="0p5EYueFNq501xnCPzKNbx6K51qPH2" -#Usage: dns_ali_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +#Usage: dns_ali_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_ali_add() { fulldomain=$1 txtvalue=$2 From 0eb27fac10967ff053360e9be134f9b21357601e Mon Sep 17 00:00:00 2001 From: Yang Liu Date: Mon, 8 Mar 2021 11:37:40 +0800 Subject: [PATCH 5/8] Update dns_ali.sh --- dnsapi/dns_ali.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index 0514373a..ede106ba 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh @@ -5,7 +5,7 @@ Ali_API="https://alidns.aliyuncs.com/" #ALICLOUD_ACCESS_KEY="LTqIA87hOKdjevsf5" #ALICLOUD_SECRET_KEY="0p5EYueFNq501xnCPzKNbx6K51qPH2" -#Usage: dns_ali_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" +#Usage: dns_ali_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_ali_add() { fulldomain=$1 txtvalue=$2 From 7fb77203ad5b9bc149a77ea794dd65ae1af84239 Mon Sep 17 00:00:00 2001 
From: Yang Liu Date: Tue, 9 Mar 2021 18:23:25 +0800 Subject: [PATCH 6/8] fix bash to sh, env var name --- dnsapi/dns_ali.sh | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index ede106ba..68118aee 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh @@ -1,33 +1,33 @@ -#!/usr/local/bin/bash +#!/usr/bin/env sh Ali_API="https://alidns.aliyuncs.com/" -#ALICLOUD_ACCESS_KEY="LTqIA87hOKdjevsf5" -#ALICLOUD_SECRET_KEY="0p5EYueFNq501xnCPzKNbx6K51qPH2" +#Ali_Key="LTqIA87hOKdjevsf5" +#Ali_Secret="0p5EYueFNq501xnCPzKNbx6K51qPH2" #Usage: dns_ali_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_ali_add() { fulldomain=$1 txtvalue=$2 - ALICLOUD_ACCESS_KEY="${ALICLOUD_ACCESS_KEY:-$(_readaccountconf_mutable ALICLOUD_ACCESS_KEY)}" - ALICLOUD_SECRET_KEY="${ALICLOUD_SECRET_KEY:-$(_readaccountconf_mutable ALICLOUD_SECRET_KEY)}" + Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}" + Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}" - if [ -z "$ALICLOUD_ACCESS_KEY" ] || [ -z "$ALICLOUD_SECRET_KEY" ]; then + if [ -z "$Ali_Key" ] || [ -z "$Ali_Secret" ]; then _use_instance_role fi - if [ -z "$ALICLOUD_ACCESS_KEY" ] || [ -z "$ALICLOUD_SECRET_KEY" ]; then - ALICLOUD_ACCESS_KEY="" - ALICLOUD_SECRET_KEY="" + if [ -z "$Ali_Key" ] || [ -z "$Ali_Secret" ]; then + Ali_Key="" + Ali_Secret="" _err "You don't specify aliyun api key and secret yet." return 1 fi #save the api key and secret to the account conf file. if [ -z "$_using_role" ]; then - _saveaccountconf_mutable ALICLOUD_ACCESS_KEY "$ALICLOUD_ACCESS_KEY" - _saveaccountconf_mutable ALICLOUD_SECRET_KEY "$ALICLOUD_SECRET_KEY" + _saveaccountconf_mutable Ali_Key "$Ali_Key" + _saveaccountconf_mutable Ali_Secret "$Ali_Secret" fi _debug "First detect the root zone" 
@@ -42,8 +42,8 @@ dns_ali_add() { dns_ali_rm() { fulldomain=$1 txtvalue=$2 - ALICLOUD_ACCESS_KEY="${ALICLOUD_ACCESS_KEY:-$(_readaccountconf_mutable ALICLOUD_ACCESS_KEY)}" - ALICLOUD_SECRET_KEY="${ALICLOUD_SECRET_KEY:-$(_readaccountconf_mutable ALICLOUD_SECRET_KEY)}" + Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}" + Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}" _debug "First detect the root zone" if ! _get_root "$fulldomain"; then @@ -104,8 +104,8 @@ _use_instance_role() { _debug3 "_key" "$_key" _secure_debug3 "_value" "$_value" case "$_key" in - AccessKeyId) echo "ALICLOUD_ACCESS_KEY=$_value" ;; - AccessKeySecret) echo "ALICLOUD_SECRET_KEY=$_value" ;; + AccessKeyId) echo "Ali_Key=$_value" ;; + AccessKeySecret) echo "Ali_Secret=$_value" ;; SecurityToken) echo "ALICLOUD_SECURITY_TOKEN=$_value" ;; esac done | @@ -122,7 +122,7 @@ _use_instance_role() { } _ali_rest() { - signature=$(printf "%s" "GET&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$ALICLOUD_SECRET_KEY&" | _hex_dump | tr -d " ")" | _base64) + signature=$(printf "%s" "GET&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$Ali_Secret&" | _hex_dump | tr -d " ")" | _base64) signature=$(_ali_urlencode "$signature") url="$Ali_API?$query&Signature=$signature" @@ -168,7 +168,7 @@ _check_exist_query() { _qdomain="$1" _qsubdomain="$2" query='' - query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY + query=$query'AccessKeyId='$Ali_Key query=$query'&Action=DescribeDomainRecords' query=$query'&DomainName='$_qdomain query=$query'&Format=json' @@ -186,7 +186,7 @@ _check_exist_query() { _add_record_query() { query='' - query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY + query=$query'AccessKeyId='$Ali_Key query=$query'&Action=AddDomainRecord' query=$query'&DomainName='$1 query=$query'&Format=json' 
@@ -205,7 +205,7 @@ _add_record_query() { _delete_record_query() { query='' - query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY + query=$query'AccessKeyId='$Ali_Key query=$query'&Action=DeleteDomainRecord' query=$query'&Format=json' query=$query'&RecordId='$1 @@ -221,7 +221,7 @@ _delete_record_query() { _describe_records_query() { query='' - query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY + query=$query'AccessKeyId='$Ali_Key query=$query'&Action=DescribeDomainRecords' query=$query'&DomainName='$1 query=$query'&Format=json' From 2229047afdc91af8d282d2cb4c6a1a72b5db22ba Mon Sep 17 00:00:00 2001 From: Yang Liu Date: Thu, 11 Mar 2021 15:06:28 +0800 Subject: [PATCH 7/8] fix _get --- acme.sh | 2 +- dnsapi/dns_ali.sh | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/acme.sh b/acme.sh index bdc1bfcf..757ed7a5 100755 --- a/acme.sh +++ b/acme.sh @@ -1942,7 +1942,7 @@ _get() { fi _debug "_CURL" "$_CURL" if [ "$onlyheader" ]; then - $_CURL -X GET -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url" + $_CURL -I --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url" else $_CURL --user-agent "$USER_AGENT" -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" "$url" fi diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index 68118aee..936f7c2e 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh @@ -87,8 +87,12 @@ _get_root() { _use_instance_role() { _url="http://100.100.100.200/latest/meta-data/ram/security-credentials/" _debug "_url" "$_url" - if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then - _debug "Unable to fetch IAM role from instance metadata" + + # **Do Not** set the parameter `onlyheadr` for _get, it will + # send a HEAD request instead of GET. And alicloud + # mata url not allow HEAD request. + if _get "$_url" "" 1 | grep '404 - Not Found' > /dev/null; then + _debug "Unable to fetch RAM role from instance metadata" return 1 fi _ali_instance_role=$(_get "$_url" "" 1) 
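Review bot: The new guard in `_use_instance_role` rejects only a body containing `404 - Not Found`. A timeout, an empty reply, a different error page, or an answer from an unrelated host all pass it. 100.100.100.200 lies in the shared 100.64.0.0/10 range, so it is not guaranteed to be the metadata service outside ECS. The second `_get` then takes whatever came back as the role name and appends it to the credentials URL. Fetch once and accept only a non-empty value made of a conservative character set, as in the fence below; adjust the class to what RAM actually permits in role names. The comment typos `onlyheadr` and `mata` should read `onlyheader` and `meta`. The function continues past the end of this hunk.

```shell
  # … unchanged: _url assignment, debug line, comment about HEAD …
  _ali_instance_role=$(_get "$_url" "" 1)
  case "$_ali_instance_role" in
  "" | *[!A-Za-z0-9._-]*)
    # empty reply, error page, or anything that is not a plain role name
    _debug "Unable to fetch RAM role from instance metadata"
    return 1
    ;;
  esac
```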
From 10240eb9f088937e280baa83a1008d102bf6d492 Mon Sep 17 00:00:00 2001 From: Yang Liu Date: Fri, 19 Mar 2021 10:04:45 +0800 Subject: [PATCH 8/8] fix shfmt --- dnsapi/dns_ali.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index 936f7c2e..f1d7bb8d 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh @@ -91,7 +91,7 @@ _use_instance_role() { # **Do Not** set the parameter `onlyheadr` for _get, it will # send a HEAD request instead of GET. And alicloud # mata url not allow HEAD request. - if _get "$_url" "" 1 | grep '404 - Not Found' > /dev/null; then + if _get "$_url" "" 1 | grep '404 - Not Found' >/dev/null; then _debug "Unable to fetch RAM role from instance metadata" return 1 fi