From 4e9af51629cf15c56e0d0058ffda6b6075952ede Mon Sep 17 00:00:00 2001 From: splashx Date: Fri, 14 Sep 2018 23:19:47 +0200 Subject: [PATCH] fix rfc2136 provider missing port error, plumb dnsNameserver01 Signed-off-by: splashx --- pkg/issuer/acme/dns/dns.go | 3 +- pkg/issuer/acme/dns/rfc2136/BUILD.bazel | 1 + pkg/issuer/acme/dns/rfc2136/rfc2136.go | 31 ++++++++----- pkg/issuer/acme/dns/rfc2136/rfc2136_test.go | 49 ++++++++++++++------- pkg/issuer/acme/dns/util_test.go | 4 +- 5 files changed, 57 insertions(+), 31 deletions(-) diff --git a/pkg/issuer/acme/dns/dns.go b/pkg/issuer/acme/dns/dns.go index ce1129c1b..a9ebd5914 100644 --- a/pkg/issuer/acme/dns/dns.go +++ b/pkg/issuer/acme/dns/dns.go @@ -57,7 +57,7 @@ type dnsProviderConstructors struct { route53 func(accessKey, secretKey, hostedZoneID, region string, ambient bool, dns01Nameservers []string) (*route53.DNSProvider, error) azureDNS func(clientID, clientSecret, subscriptionID, tenentID, resourceGroupName, hostedZoneName string, dns01Nameservers []string) (*azuredns.DNSProvider, error) acmeDNS func(host string, accountJson []byte, dns01Nameservers []string) (*acmedns.DNSProvider, error) - rfc2136 func(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string) (*rfc2136.DNSProvider, error) + rfc2136 func(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string, dns01Nameservers []string) (*rfc2136.DNSProvider, error) } // Solver is a solver for the acme dns01 challenge. @@ -301,6 +301,7 @@ func (s *Solver) solverForIssuerProvider(issuer v1alpha1.GenericIssuer, provider string(providerConfig.RFC2136.TSIGAlgorithm), providerConfig.RFC2136.TSIGKeyName, secret, + s.DNS01Nameservers, ) if err != nil { return nil, fmt.Errorf("error instantiating rfc2136 challenge solver: %s", err.Error()) diff --git a/pkg/issuer/acme/dns/rfc2136/BUILD.bazel b/pkg/issuer/acme/dns/rfc2136/BUILD.bazel index 70138a362..8a46986b5 100644 --- a/pkg/issuer/acme/dns/rfc2136/BUILD.bazel +++ b/pkg/issuer/acme/dns/rfc2136/BUILD.bazel @@ -16,6 +16,7 @@ go_test( srcs = ["rfc2136_test.go"], embed = [":go_default_library"], deps = [ + "//pkg/issuer/acme/dns/util:go_default_library", "//vendor/github.com/miekg/dns:go_default_library", "//vendor/github.com/stretchr/testify/assert:go_default_library", ], diff --git a/pkg/issuer/acme/dns/rfc2136/rfc2136.go b/pkg/issuer/acme/dns/rfc2136/rfc2136.go index 2e883f20e..aa18a0531 100644 --- a/pkg/issuer/acme/dns/rfc2136/rfc2136.go +++ b/pkg/issuer/acme/dns/rfc2136/rfc2136.go @@ -34,6 +34,8 @@ import ( "github.com/miekg/dns" ) +var defaultPort = "53" + var supportedAlgorithms = map[string]string{ "HMACMD5": dns.HmacMD5, "HMACSHA1": dns.HmacSHA1, @@ -70,7 +72,7 @@ func ValidNameserver(nameserver string) (string, error) { // nameserver.com: "nameserver.com" "" // nameserver.com:53 "nameserver.com" 53 // :53 "" 53 - host, port, err := net.SplitHostPort(nameserver) + host, port, err := net.SplitHostPort(strings.TrimSpace(nameserver)) if err != nil { if strings.Contains(err.Error(), "missing port") { @@ -79,7 +81,7 @@ func ValidNameserver(nameserver string) (string, error) { } if port == "" { - port = "53" + port = defaultPort } if host != "" { @@ -89,16 +91,20 @@ func ValidNameserver(nameserver string) (string, error) { } else { return "", fmt.Errorf("RFC2136 nameserver has no IP Address defined, %v", nameserver) } + + nameserver = host + ":" + port + return nameserver, nil } // DNSProvider is an implementation of the acme.ChallengeProvider interface that // uses dynamic DNS updates (RFC 2136) to create TXT records on a nameserver. type DNSProvider struct { - nameserver string - tsigAlgorithm string - tsigKeyName string - tsigSecret string + nameserver string + tsigAlgorithm string + tsigKeyName string + tsigSecret string + dns01Nameservers []string } // NewDNSProvider returns a DNSProvider instance configured for rfc2136 @@ -109,19 +115,19 @@ type DNSProvider struct { // RFC2136_TSIG_KEY: Name of the secret key as defined in DNS server configuration. // RFC2136_TSIG_SECRET: Secret key payload. // To disable TSIG authentication, leave the RFC2136_TSIG* variables unset. -func NewDNSProvider() (*DNSProvider, error) { +func NewDNSProvider(dns01Nameservers []string) (*DNSProvider, error) { nameserver := os.Getenv("RFC2136_NAMESERVER") tsigAlgorithm := os.Getenv("RFC2136_TSIG_ALGORITHM") tsigKeyName := os.Getenv("RFC2136_TSIG_KEY_NAME") tsigSecret := os.Getenv("RFC2136_TSIG_SECRET") - return NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret) + return NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret, dns01Nameservers) } // NewDNSProviderCredentials uses the supplied credentials to return a // DNSProvider instance configured for rfc2136 dynamic update. To disable TSIG // authentication, leave the TSIG parameters as empty strings. // nameserver must be a network address in the form "IP" or "IP:port". -func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string) (*DNSProvider, error) { +func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string, dns01Nameservers []string) (*DNSProvider, error) { d := &DNSProvider{} @@ -148,6 +154,7 @@ func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecre } d.tsigAlgorithm = tsigAlgorithm + d.dns01Nameservers = dns01Nameservers return d, nil } @@ -159,7 +166,7 @@ func (r *DNSProvider) Timeout() (timeout, interval time.Duration) { // Present creates a TXT record using the specified parameters func (r *DNSProvider) Present(domain, token, keyAuth string) error { - fqdn, value, ttl, err := util.DNS01Record(domain, keyAuth, strings.Fields(r.nameserver)) + fqdn, value, ttl, err := util.DNS01Record(domain, keyAuth, r.dns01Nameservers) if err != nil { return err } @@ -168,7 +175,7 @@ func (r *DNSProvider) Present(domain, token, keyAuth string) error { // CleanUp removes the TXT record matching the specified parameters func (r *DNSProvider) CleanUp(domain, token, keyAuth string) error { - fqdn, value, ttl, err := util.DNS01Record(domain, keyAuth, strings.Fields(r.nameserver)) + fqdn, value, ttl, err := util.DNS01Record(domain, keyAuth, r.dns01Nameservers) if err != nil { return err } @@ -177,7 +184,7 @@ func (r *DNSProvider) CleanUp(domain, token, keyAuth string) error { func (r *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error { // Find the zone for the given fqdn - zone, err := util.FindZoneByFqdn(fqdn, []string{r.nameserver}) + zone, err := util.FindZoneByFqdn(fqdn, r.dns01Nameservers) if err != nil { return err } diff --git a/pkg/issuer/acme/dns/rfc2136/rfc2136_test.go b/pkg/issuer/acme/dns/rfc2136/rfc2136_test.go index 2c299a92f..d83db976a 100644 --- a/pkg/issuer/acme/dns/rfc2136/rfc2136_test.go +++ b/pkg/issuer/acme/dns/rfc2136/rfc2136_test.go @@ -29,6 +29,7 @@ import ( "testing" "time" + "github.com/jetstack/cert-manager/pkg/issuer/acme/dns/util" "github.com/miekg/dns" "github.com/stretchr/testify/assert" ) @@ -80,7 +81,7 @@ func TestRFC2136ServerSuccess(t *testing.T) { } defer server.Shutdown() - provider, err := NewDNSProviderCredentials(addrstr, "", "", "") + provider, err := NewDNSProviderCredentials(addrstr, "", "", "", util.RecursiveNameservers) if err != nil { t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err) } @@ -99,7 +100,7 @@ func TestRFC2136ServerError(t *testing.T) { } defer server.Shutdown() - provider, err := NewDNSProviderCredentials(addrstr, "", "", "") + provider, err := NewDNSProviderCredentials(addrstr, "", "", "", util.RecursiveNameservers) if err != nil { t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err) } @@ -120,7 +121,7 @@ func TestRFC2136TsigClient(t *testing.T) { } defer server.Shutdown() - provider, err := NewDNSProviderCredentials(addrstr, "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + provider, err := NewDNSProviderCredentials(addrstr, "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) if err != nil { t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err) } @@ -130,63 +131,79 @@ func TestRFC2136TsigClient(t *testing.T) { } func TestRFC2136InvalidNameserverFQDN(t *testing.T) { - _, err := NewDNSProviderCredentials("nameserver.com", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + _, err := NewDNSProviderCredentials("nameserver.com", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.Error(t, err) } func TestRFC2136InvalidNameserverFQDNWithPort(t *testing.T) { - _, err := NewDNSProviderCredentials("nameserver.com:53", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + _, err := NewDNSProviderCredentials("nameserver.com:53", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.Error(t, err) } func TestRFC2136InvalidNameserverFQDNWithPort2(t *testing.T) { - _, err := NewDNSProviderCredentials("nameserver.com:", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + _, err := NewDNSProviderCredentials("nameserver.com:", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.Error(t, err) } func TestRFC2136NamserverWithoutPort(t *testing.T) { - _, err := NewDNSProviderCredentials("127.0.0.1", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + nameserver := "127.0.0.1" + dnsProvider, err := NewDNSProviderCredentials(nameserver, "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.NoError(t, err) + + if dnsProvider.nameserver != nameserver+":"+defaultPort { + t.Errorf("dnsProvider.namserver to be %v:%v, but it is %v", nameserver, defaultPort, dnsProvider.nameserver) + } + } func TestRFC2136NamserverWithoutPort2(t *testing.T) { - _, err := NewDNSProviderCredentials("127.0.0.1:", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + nameserver := "127.0.0.1:" + dnsProvider, err := NewDNSProviderCredentials(nameserver, "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.NoError(t, err) + + if dnsProvider.nameserver != nameserver+defaultPort { + t.Errorf("dnsProvider.namserver to be %v%v, but it is %v", nameserver, defaultPort, dnsProvider.nameserver) + } } func TestRFC2136NamserverWithPort(t *testing.T) { - _, err := NewDNSProviderCredentials("127.0.0.1:53", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + nameserver := "127.0.0.1:12345" + dnsProvider, err := NewDNSProviderCredentials(nameserver, "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.NoError(t, err) + + if dnsProvider.nameserver != nameserver { + t.Errorf("dnsProvider.namserver to be %v, but it is %v", nameserver, dnsProvider.nameserver) + } } func TestRFC2136NamserverWithPortNoIP(t *testing.T) { - _, err := NewDNSProviderCredentials(":53", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + _, err := NewDNSProviderCredentials(":53", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.Error(t, err) } func TestRFC2136NamserverEmpty(t *testing.T) { - _, err := NewDNSProviderCredentials("", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + _, err := NewDNSProviderCredentials("", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.Error(t, err) } func TestRFC2136NamserverIPInvalid(t *testing.T) { - _, err := NewDNSProviderCredentials("900.65.3.64", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + _, err := NewDNSProviderCredentials("900.65.3.64", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.Error(t, err) } func TestRFC2136NamserverIPInvalid2(t *testing.T) { - _, err := NewDNSProviderCredentials(":", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + _, err := NewDNSProviderCredentials(":", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.Error(t, err) } func TestRFC2136DefaultTSIGAlgorithm(t *testing.T) { - provider, err := NewDNSProviderCredentials("127.0.0.1:0", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + provider, err := NewDNSProviderCredentials("127.0.0.1:0", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) if err != nil { assert.Equal(t, provider.tsigAlgorithm, dns.HmacMD5, "Default TSIG must match") } } func TestRFC2136InvalidTSIGAlgorithm(t *testing.T) { - _, err := NewDNSProviderCredentials("127.0.0.1:0", "HAMMOCK", rfc2136TestTsigKeyName, rfc2136TestTsigSecret) + _, err := NewDNSProviderCredentials("127.0.0.1:0", "HAMMOCK", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers) assert.Error(t, err) } @@ -212,7 +229,7 @@ func TestRFC2136ValidUpdatePacket(t *testing.T) { t.Fatalf("Error packing expect msg: %v", err) } - provider, err := NewDNSProviderCredentials(addrstr, "", "", "") + provider, err := NewDNSProviderCredentials(addrstr, "", "", "", util.RecursiveNameservers) if err != nil { t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err) } diff --git a/pkg/issuer/acme/dns/util_test.go b/pkg/issuer/acme/dns/util_test.go index b449e6ec9..b9786f498 100644 --- a/pkg/issuer/acme/dns/util_test.go +++ b/pkg/issuer/acme/dns/util_test.go @@ -160,8 +160,8 @@ func newFakeDNSProviders() *fakeDNSProviders { f.call("acmedns", host, accountJson, dns01Nameservers) return nil, nil }, - rfc2136: func(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string) (*rfc2136.DNSProvider, error) { - f.call("rfc2136", nameserver, tsigAlgorithm, tsigKeyName, tsigSecret) + rfc2136: func(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string, dns01Nameservers []string) (*rfc2136.DNSProvider, error) { + f.call("rfc2136", nameserver, tsigAlgorithm, tsigKeyName, tsigSecret, util.RecursiveNameservers) return nil, nil }, }