add ecs ram role support

4 years ago · d3ed8bea26
1 changed files with 74 additions and 18 deletions
--- a/dnsapi/dns_ali.sh
+++ b/dnsapi/dns_ali.sh
@ -1,27 +1,34 @@
-#!/usr/bin/env sh
+#!/usr/local/bin/bash

 Ali_API="https://alidns.aliyuncs.com/"

-#Ali_Key="LTqIA87hOKdjevsf5"
-#Ali_Secret="0p5EYueFNq501xnCPzKNbx6K51qPH2"
+#ALICLOUD_ACCESS_KEY="LTqIA87hOKdjevsf5"
+#ALICLOUD_SECRET_KEY="0p5EYueFNq501xnCPzKNbx6K51qPH2"

-#Usage: dns_ali_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+#Usage: dns_ali_add   $(_ali_urlencode "_acme-challenge.www.domain.com") "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_ali_add() {
  fulldomain=$1
  txtvalue=$2

-  Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}"
-  Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}"
-  if [ -z "$Ali_Key" ] || [ -z "$Ali_Secret" ]; then
-    Ali_Key=""
-    Ali_Secret=""
+  ALICLOUD_ACCESS_KEY="${ALICLOUD_ACCESS_KEY:-$(_readaccountconf_mutable ALICLOUD_ACCESS_KEY)}"
+  ALICLOUD_SECRET_KEY="${ALICLOUD_SECRET_KEY:-$(_readaccountconf_mutable ALICLOUD_SECRET_KEY)}"
+
+  if [ -z "$ALICLOUD_ACCESS_KEY" ] || [ -z "$ALICLOUD_SECRET_KEY" ]; then
+    _use_instance_role
+  fi
+
+  if [ -z "$ALICLOUD_ACCESS_KEY" ] || [ -z "$ALICLOUD_SECRET_KEY" ]; then
+    ALICLOUD_ACCESS_KEY=""
+    ALICLOUD_SECRET_KEY=""
    _err "You don't specify aliyun api key and secret yet."
    return 1
  fi

  #save the api key and secret to the account conf file.
-  _saveaccountconf_mutable Ali_Key "$Ali_Key"
-  _saveaccountconf_mutable Ali_Secret "$Ali_Secret"
+  if [ -z "$_using_role" ]; then
+    _saveaccountconf_mutable ALICLOUD_ACCESS_KEY "$ALICLOUD_ACCESS_KEY"
+    _saveaccountconf_mutable ALICLOUD_SECRET_KEY "$ALICLOUD_SECRET_KEY"
+  fi

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
@ -35,8 +42,8 @@ dns_ali_add() {
 dns_ali_rm() {
  fulldomain=$1
  txtvalue=$2
-  Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}"
-  Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}"
+  ALICLOUD_ACCESS_KEY="${ALICLOUD_ACCESS_KEY:-$(_readaccountconf_mutable ALICLOUD_ACCESS_KEY)}"
+  ALICLOUD_SECRET_KEY="${ALICLOUD_SECRET_KEY:-$(_readaccountconf_mutable ALICLOUD_SECRET_KEY)}"

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
@ -77,8 +84,45 @@ _get_root() {
  return 1
 }

+_use_instance_role() {
+  _url="http://100.100.100.200/latest/meta-data/ram/security-credentials/"
+  _debug "_url" "$_url"
+  if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then
+    _debug "Unable to fetch IAM role from instance metadata"
+    return 1
+  fi
+  _ali_instance_role=$(_get "$_url" "" 1)
+  _debug "_ali_instance_role" "_ali_instance_role"
+
+  _ali_creds="$(
+    _get "$_url$_ali_instance_role" "" 1 |
+      _normalizeJson |
+      tr '{,}' '\n' |
+      while read -r _line; do
+        _key="$(echo "${_line%%:*}" | tr -d '"')"
+        _value="${_line#*:}"
+        _debug3 "_key" "$_key"
+        _secure_debug3 "_value" "$_value"
+        case "$_key" in
+        AccessKeyId) echo "ALICLOUD_ACCESS_KEY=$_value" ;;
+        AccessKeySecret) echo "ALICLOUD_SECRET_KEY=$_value" ;;
+        SecurityToken) echo "ALICLOUD_SECURITY_TOKEN=$_value" ;;
+        esac
+      done |
+      paste -sd' ' -
+  )"
+  _secure_debug "_ali_creds" "$_ali_creds"
+
+  if [ -z "$_ali_creds" ]; then
+    return 1
+  fi
+
+  eval "$_ali_creds"
+  _using_role=true
+}
+
 _ali_rest() {
-  signature=$(printf "%s" "GET&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$Ali_Secret&" | _hex_dump | tr -d " ")" | _base64)
+  signature=$(printf "%s" "GET&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$ALICLOUD_SECRET_KEY&" | _hex_dump | tr -d " ")" | _base64)
  signature=$(_ali_urlencode "$signature")
  url="$Ali_API?$query&Signature=$signature"

@ -124,11 +168,14 @@ _check_exist_query() {
  _qdomain="$1"
  _qsubdomain="$2"
  query=''
-  query=$query'AccessKeyId='$Ali_Key
+  query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY
  query=$query'&Action=DescribeDomainRecords'
  query=$query'&DomainName='$_qdomain
  query=$query'&Format=json'
  query=$query'&RRKeyWord='$_qsubdomain
+  if [ -n "$ALICLOUD_SECURITY_TOKEN" ]; then
+    query=$query'&SecurityToken='$(_ali_urlencode "$ALICLOUD_SECURITY_TOKEN")
+  fi
  query=$query'&SignatureMethod=HMAC-SHA1'
  query=$query"&SignatureNonce=$(_ali_nonce)"
  query=$query'&SignatureVersion=1.0'
@ -139,11 +186,14 @@ _check_exist_query() {

 _add_record_query() {
  query=''
-  query=$query'AccessKeyId='$Ali_Key
+  query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY
  query=$query'&Action=AddDomainRecord'
  query=$query'&DomainName='$1
  query=$query'&Format=json'
  query=$query'&RR='$2
+  if [ -n "$ALICLOUD_SECURITY_TOKEN" ]; then
+    query=$query'&SecurityToken='$(_ali_urlencode "$ALICLOUD_SECURITY_TOKEN")
+  fi
  query=$query'&SignatureMethod=HMAC-SHA1'
  query=$query"&SignatureNonce=$(_ali_nonce)"
  query=$query'&SignatureVersion=1.0'
@ -155,10 +205,13 @@ _add_record_query() {

 _delete_record_query() {
  query=''
-  query=$query'AccessKeyId='$Ali_Key
+  query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY
  query=$query'&Action=DeleteDomainRecord'
  query=$query'&Format=json'
  query=$query'&RecordId='$1
+  if [ -n "$ALICLOUD_SECURITY_TOKEN" ]; then
+    query=$query'&SecurityToken='$(_ali_urlencode "$ALICLOUD_SECURITY_TOKEN")
+  fi
  query=$query'&SignatureMethod=HMAC-SHA1'
  query=$query"&SignatureNonce=$(_ali_nonce)"
  query=$query'&SignatureVersion=1.0'
@ -168,10 +221,13 @@ _delete_record_query() {

 _describe_records_query() {
  query=''
-  query=$query'AccessKeyId='$Ali_Key
+  query=$query'AccessKeyId='$ALICLOUD_ACCESS_KEY
  query=$query'&Action=DescribeDomainRecords'
  query=$query'&DomainName='$1
  query=$query'&Format=json'
+  if [ -n "$ALICLOUD_SECURITY_TOKEN" ]; then
+    query=$query'&SecurityToken='$(_ali_urlencode "$ALICLOUD_SECURITY_TOKEN")
+  fi
  query=$query'&SignatureMethod=HMAC-SHA1'
  query=$query"&SignatureNonce=$(_ali_nonce)"
  query=$query'&SignatureVersion=1.0'