mirror of
https://github.com/vbrandl/bind9-api.git
synced 2024-11-23 10:03:27 +01:00
Initial commit
This commit is contained in:
parent
c47130259c
commit
1c6b369753
3
.gitignore
vendored
Normal file
3
.gitignore
vendored
Normal file
@ -0,0 +1,3 @@
|
||||
|
||||
/target
|
||||
**/*.rs.bk
|
17
.travis.yml
Normal file
17
.travis.yml
Normal file
@ -0,0 +1,17 @@
|
||||
sudo: required
|
||||
services:
|
||||
- docker
|
||||
script:
|
||||
- docker run --rm -it -v "$(pwd)":/home/rust/src ekidd/rust-musl-builder cargo build --release
|
||||
|
||||
before_deploy:
|
||||
- ./ci/before_deploy.sh
|
||||
|
||||
deploy:
|
||||
provider: releases
|
||||
file_glob: true
|
||||
file:
|
||||
- deploy/*
|
||||
skip_cleanup: true
|
||||
on:
|
||||
tags: true
|
2248
Cargo.lock
generated
Normal file
2248
Cargo.lock
generated
Normal file
File diff suppressed because it is too large
Load Diff
3
Cargo.toml
Normal file
3
Cargo.toml
Normal file
@ -0,0 +1,3 @@
|
||||
[workspace]
|
||||
|
||||
members = [ "server", "client", "data", "crypto" ]
|
109
README.md
Normal file
109
README.md
Normal file
@ -0,0 +1,109 @@
|
||||
# BIND9 API
|
||||
|
||||
This is an attempt to implement an API to create, update or delete DNS records
|
||||
on a BIND9 DNS server.
|
||||
|
||||
## Server
|
||||
|
||||
The server will wait for incoming requests and uses the `nsupdate` command to
|
||||
perform operations on the BIND9 nameserver. For the server to work, a DNS key is
|
||||
needed to perform the updates.
|
||||
|
||||
```
|
||||
$ dnssec-keygen -r /dev/urandom -a HMAC-SHA256 -b 256 -n HOST dnskey
|
||||
```
|
||||
|
||||
Copy the `Key` section of the resulting `Kdnskey*.private` file into a file that
|
||||
looks like this:
|
||||
|
||||
```
|
||||
key "dns-key" {
|
||||
algorithm hmac-sha256;
|
||||
secret "<your secret>";
|
||||
}
|
||||
```
|
||||
|
||||
And extend the zone section of the zones you'd like to modify in your
|
||||
`named.conf.local`
|
||||
|
||||
```
|
||||
zone "example.com" {
|
||||
type master;
|
||||
file "/var/lib/bind/db.example.com";
|
||||
...
|
||||
allow-update { key "dns-key"; };
|
||||
...
|
||||
}
|
||||
```
|
||||
|
||||
Now you can start the server:
|
||||
|
||||
```
|
||||
$ ./bind9-api -k <path to dnskey> -t <your api token>
|
||||
```
|
||||
|
||||
By default, the server will bind to `0.0.0.0:8000`. The host and port to bind
|
||||
to, can be changed using the `-h` and `-p` flags respectively. For production
|
||||
use, you should bind to a private IP address (LAN or VLAN) or to `127.0.0.1` and
|
||||
put the server behind a reverse proxy that offers TLS.
|
||||
|
||||
## Client
|
||||
|
||||
The client is used to perform changes to the DNS zone from any server. My use
|
||||
case is to perform LetsEncrypt DNS challenges. The client will look for a
|
||||
configuration file in `/etc/bind9apiclient.toml` which looks like this:
|
||||
|
||||
```
|
||||
# API server host
|
||||
host = "http://127.0.0.1:8080"
|
||||
# API secret
|
||||
secret = "topsecret"
|
||||
```
|
||||
|
||||
The client can perform two operations: Creating/updating and deleting DNS
|
||||
records. The client is invoked like this
|
||||
|
||||
```
|
||||
$ ./bind9-api-client -d foo.example.com -r TXT update -v foobar
|
||||
$ ./bind9-api-client -d foo.example.com -r TXT delete
|
||||
```
|
||||
|
||||
## API Description
|
||||
|
||||
```
|
||||
POST /record
|
||||
X-Api-Token: <api-token>
|
||||
|
||||
{
|
||||
"name": "foo.example.com",
|
||||
"value": "127.0.0.1",
|
||||
"record": "A",
|
||||
"ttl": 1337
|
||||
}
|
||||
```
|
||||
|
||||
```
|
||||
DELETE /record
|
||||
X-Api-Token: <api-token>
|
||||
|
||||
{
|
||||
"name": "foo.example.com",
|
||||
"record": "A"
|
||||
}
|
||||
```
|
||||
|
||||
The API token is a SHA256 HMAC over the request body using a pre-shared secret.
|
||||
|
||||
### Security Considerations
|
||||
|
||||
The current API design does not migrate replay attacks. An attacker that is able
|
||||
to intercept a request to the API can resend the same request again to execute
|
||||
the same operation. To prevent these kinds of attacks, you should use a reverse
|
||||
proxy and encrypt the connections using TLS. Future versions of the server might
|
||||
provide TLS functionality by itself.
|
||||
|
||||
## Usage with LetsEncrypt
|
||||
|
||||
In `letsencrypt/`, two example scripts can be found to use the client as a
|
||||
certbot hook for DNS challenges. It assumes that the client is located somewhere
|
||||
in `$PATH` and that the configurations file exists.
|
15
ci/before_deploy.sh
Executable file
15
ci/before_deploy.sh
Executable file
@ -0,0 +1,15 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -ex
|
||||
|
||||
main() {
|
||||
local src=$(pwd) \
|
||||
stage=$src/deploy
|
||||
|
||||
mkdir -p $deploy
|
||||
|
||||
test -f Cargo.lock || cargo generate-lockfile
|
||||
|
||||
cp target/x86_64-unknown-linux-musl/release/bind9-api $stage/bind9-api-${TRAVIS-TAG:1}-x86_64-musl
|
||||
cp target/x86_64-unknown-linux-musl/release/bind9-api-client $stage/bind9-api-client-${TRAVIS-TAG:1}-x86_64-musl
|
||||
}
|
194
client/Cargo.lock
generated
Normal file
194
client/Cargo.lock
generated
Normal file
@ -0,0 +1,194 @@
|
||||
[[package]]
|
||||
name = "ansi_term"
|
||||
version = "0.11.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "atty"
|
||||
version = "0.2.10"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"termion 1.5.1 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "bind9-api-client"
|
||||
version = "0.1.0"
|
||||
dependencies = [
|
||||
"clap 2.32.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"serde 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"serde_derive 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"toml 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "bitflags"
|
||||
version = "1.0.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
|
||||
[[package]]
|
||||
name = "clap"
|
||||
version = "2.32.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"atty 0.2.10 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"bitflags 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"strsim 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"textwrap 0.10.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"unicode-width 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "libc"
|
||||
version = "0.2.42"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
|
||||
[[package]]
|
||||
name = "proc-macro2"
|
||||
version = "0.4.6"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "quote"
|
||||
version = "0.6.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "redox_syscall"
|
||||
version = "0.1.40"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
|
||||
[[package]]
|
||||
name = "redox_termios"
|
||||
version = "0.1.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"redox_syscall 0.1.40 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde"
|
||||
version = "1.0.69"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
|
||||
[[package]]
|
||||
name = "serde_derive"
|
||||
version = "1.0.69"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"quote 0.6.3 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"syn 0.14.4 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "strsim"
|
||||
version = "0.7.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
|
||||
[[package]]
|
||||
name = "syn"
|
||||
version = "0.14.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"quote 0.6.3 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "termion"
|
||||
version = "1.5.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"redox_syscall 0.1.40 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"redox_termios 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "textwrap"
|
||||
version = "0.10.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"unicode-width 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "toml"
|
||||
version = "0.4.6"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"serde 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "unicode-width"
|
||||
version = "0.1.5"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
|
||||
[[package]]
|
||||
name = "unicode-xid"
|
||||
version = "0.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
|
||||
[[package]]
|
||||
name = "vec_map"
|
||||
version = "0.8.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
|
||||
[[package]]
|
||||
name = "winapi"
|
||||
version = "0.3.5"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
dependencies = [
|
||||
"winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
"winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "winapi-i686-pc-windows-gnu"
|
||||
version = "0.4.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
|
||||
[[package]]
|
||||
name = "winapi-x86_64-pc-windows-gnu"
|
||||
version = "0.4.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
|
||||
[metadata]
|
||||
"checksum ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
|
||||
"checksum atty 0.2.10 (registry+https://github.com/rust-lang/crates.io-index)" = "2fc4a1aa4c24c0718a250f0681885c1af91419d242f29eb8f2ab28502d80dbd1"
|
||||
"checksum bitflags 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "d0c54bb8f454c567f21197eefcdbf5679d0bd99f2ddbe52e84c77061952e6789"
|
||||
"checksum clap 2.32.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b957d88f4b6a63b9d70d5f454ac8011819c6efa7727858f458ab71c756ce2d3e"
|
||||
"checksum libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)" = "b685088df2b950fccadf07a7187c8ef846a959c142338a48f9dc0b94517eb5f1"
|
||||
"checksum proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)" = "effdb53b25cdad54f8f48843d67398f7ef2e14f12c1b4cb4effc549a6462a4d6"
|
||||
"checksum quote 0.6.3 (registry+https://github.com/rust-lang/crates.io-index)" = "e44651a0dc4cdd99f71c83b561e221f714912d11af1a4dff0631f923d53af035"
|
||||
"checksum redox_syscall 0.1.40 (registry+https://github.com/rust-lang/crates.io-index)" = "c214e91d3ecf43e9a4e41e578973adeb14b474f2bee858742d127af75a0112b1"
|
||||
"checksum redox_termios 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "7e891cfe48e9100a70a3b6eb652fef28920c117d366339687bd5576160db0f76"
|
||||
"checksum serde 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)" = "210e5a3b159c566d7527e9b22e44be73f2e0fcc330bb78fef4dbccb56d2e74c8"
|
||||
"checksum serde_derive 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)" = "dd724d68017ae3a7e63600ee4b2fdb3cad2158ffd1821d44aff4580f63e2b593"
|
||||
"checksum strsim 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)" = "bb4f380125926a99e52bc279241539c018323fab05ad6368b56f93d9369ff550"
|
||||
"checksum syn 0.14.4 (registry+https://github.com/rust-lang/crates.io-index)" = "2beff8ebc3658f07512a413866875adddd20f4fd47b2a4e6c9da65cd281baaea"
|
||||
"checksum termion 1.5.1 (registry+https://github.com/rust-lang/crates.io-index)" = "689a3bdfaab439fd92bc87df5c4c78417d3cbe537487274e9b0b2dce76e92096"
|
||||
"checksum textwrap 0.10.0 (registry+https://github.com/rust-lang/crates.io-index)" = "307686869c93e71f94da64286f9a9524c0f308a9e1c87a583de8e9c9039ad3f6"
|
||||
"checksum toml 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)" = "a0263c6c02c4db6c8f7681f9fd35e90de799ebd4cfdeab77a38f4ff6b3d8c0d9"
|
||||
"checksum unicode-width 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "882386231c45df4700b275c7ff55b6f3698780a650026380e72dabe76fa46526"
|
||||
"checksum unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
|
||||
"checksum vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)" = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
|
||||
"checksum winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)" = "773ef9dcc5f24b7d850d0ff101e542ff24c3b090a9768e03ff889fdef41f00fd"
|
||||
"checksum winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
|
||||
"checksum winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
|
18
client/Cargo.toml
Normal file
18
client/Cargo.toml
Normal file
@ -0,0 +1,18 @@
|
||||
[package]
|
||||
name = "bind9-api-client"
|
||||
version = "0.1.0"
|
||||
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
|
||||
|
||||
[dependencies]
|
||||
clap = "2.32.0"
|
||||
crypto = { path = "../crypto" }
|
||||
data = { path = "../data" }
|
||||
failure = "0.1.1"
|
||||
log = "0.4.3"
|
||||
openssl-probe = "0.1.2"
|
||||
pretty_env_logger = "0.2.3"
|
||||
reqwest = "0.8.6"
|
||||
serde = "1.0.69"
|
||||
serde_derive = "1.0.69"
|
||||
serde_json = "1.0.22"
|
||||
toml = "0.4.6"
|
18
client/src/cli.rs
Normal file
18
client/src/cli.rs
Normal file
@ -0,0 +1,18 @@
|
||||
pub fn parse_cli() -> ::clap::ArgMatches<'static> {
|
||||
clap_app!(bind9_api_client =>
|
||||
(version: crate_version!())
|
||||
(author: crate_authors!())
|
||||
(about: crate_description!())
|
||||
(@arg CONFIG: -c --config +takes_value "Path to config file (Defaults to /etc/bind9apiclient.toml)")
|
||||
(@arg DOMAIN: -d --domain +takes_value +required "Domain to create")
|
||||
(@arg RECORD: -r --record +takes_value "The record type (Defaults to TXT)")
|
||||
(@subcommand update =>
|
||||
(about: "Creates a new record")
|
||||
(@arg VALUE: -v --value +takes_value +required "Value to write in the record")
|
||||
(@arg TTL: -t --ttl + takes_value "TTL of the record (Defaults to 8640)")
|
||||
)
|
||||
(@subcommand delete =>
|
||||
(about: "Deletes a record")
|
||||
)
|
||||
).get_matches()
|
||||
}
|
114
client/src/main.rs
Normal file
114
client/src/main.rs
Normal file
@ -0,0 +1,114 @@
|
||||
#[macro_use]
|
||||
extern crate clap;
|
||||
extern crate crypto;
|
||||
extern crate data;
|
||||
extern crate failure;
|
||||
#[macro_use]
|
||||
extern crate log;
|
||||
extern crate openssl_probe;
|
||||
extern crate pretty_env_logger;
|
||||
extern crate reqwest;
|
||||
extern crate serde;
|
||||
extern crate toml;
|
||||
#[macro_use]
|
||||
extern crate serde_derive;
|
||||
extern crate serde_json;
|
||||
|
||||
mod cli;
|
||||
|
||||
use failure::Error;
|
||||
|
||||
use data::{ApiError, Delete, Record, Update};
|
||||
|
||||
use std::borrow::Cow;
|
||||
|
||||
type Result<T> = std::result::Result<T, Error>;
|
||||
|
||||
#[derive(Eq, PartialEq, Clone, Copy)]
|
||||
enum Method {
|
||||
POST,
|
||||
DELETE,
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
struct Config<'a> {
|
||||
#[serde(borrow)]
|
||||
host: Cow<'a, str>,
|
||||
#[serde(borrow)]
|
||||
secret: Cow<'a, str>,
|
||||
}
|
||||
|
||||
fn delete(config: &Config, record: Record, domain: &str) -> Result<()> {
|
||||
let delete = Delete::new(domain.to_owned(), record);
|
||||
let res = call_api(config, delete, Method::DELETE)?;
|
||||
if res.status().is_success() {
|
||||
Ok(())
|
||||
} else {
|
||||
Err(ApiError::RequestError.into())
|
||||
}
|
||||
}
|
||||
|
||||
fn update(config: &Config, record: Record, domain: &str, value: &str, ttl: u32) -> Result<()> {
|
||||
let update = Update::new(domain.to_owned(), value.to_owned(), record, ttl);
|
||||
let res = call_api(config, update, Method::POST)?;
|
||||
if res.status().is_success() {
|
||||
Ok(())
|
||||
} else {
|
||||
Err(ApiError::RequestError.into())
|
||||
}
|
||||
}
|
||||
|
||||
fn call_api<D: serde::Serialize>(
|
||||
config: &Config,
|
||||
data: D,
|
||||
method: Method,
|
||||
) -> Result<reqwest::Response> {
|
||||
let data_s = serde_json::to_string(&data)?;
|
||||
info!("body: {}", data_s);
|
||||
let signature = crypto::sign(config.secret.as_bytes(), data_s.as_bytes());
|
||||
let signature = crypto::bytes_to_hex_str(&signature)?;
|
||||
let client = reqwest::Client::new();
|
||||
let url = format!("{}/record", config.host);
|
||||
Ok(if method == Method::POST {
|
||||
client.post(&url)
|
||||
} else {
|
||||
client.delete(&url)
|
||||
}.header(data::XApiToken(signature))
|
||||
.json(&data)
|
||||
.send()?)
|
||||
}
|
||||
|
||||
fn main() -> Result<()> {
|
||||
openssl_probe::init_ssl_cert_env_vars();
|
||||
std::env::set_var("RUST_LOG", "info");
|
||||
pretty_env_logger::init();
|
||||
let matches = cli::parse_cli();
|
||||
let record: Record = matches
|
||||
.value_of("RECORD")
|
||||
.unwrap_or("TXT")
|
||||
.parse()
|
||||
.expect("Invalid record type");
|
||||
let domain = matches.value_of("DOMAIN").unwrap();
|
||||
let config_path = matches
|
||||
.value_of("CONFIG")
|
||||
.unwrap_or("/etc/bind9apiclient.toml");
|
||||
let config = std::fs::read_to_string(config_path).expect("Cannot read config file");
|
||||
let config: Config = toml::from_str(&config).expect("Cannot parse config file");
|
||||
if let Some(matches) = matches.subcommand_matches("update") {
|
||||
let ttl = matches
|
||||
.value_of("TTL")
|
||||
.unwrap_or("8640")
|
||||
.parse()
|
||||
.expect("Cannot parse TTL");
|
||||
update(
|
||||
&config,
|
||||
record,
|
||||
domain,
|
||||
matches.value_of("VALUE").unwrap(),
|
||||
ttl,
|
||||
)?;
|
||||
} else if matches.subcommand_matches("delete").is_some() {
|
||||
delete(&config, record, domain)?;
|
||||
}
|
||||
Ok(())
|
||||
}
|
12
crypto/Cargo.toml
Normal file
12
crypto/Cargo.toml
Normal file
@ -0,0 +1,12 @@
|
||||
[package]
|
||||
name = "crypto"
|
||||
version = "0.1.0"
|
||||
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
|
||||
|
||||
[dependencies]
|
||||
failure = "0.1.1"
|
||||
hex = "0.3.2"
|
||||
ring = "0.12.1"
|
||||
|
||||
[dev-dependencies]
|
||||
proptest = "0.8.1"
|
56
crypto/src/lib.rs
Normal file
56
crypto/src/lib.rs
Normal file
@ -0,0 +1,56 @@
|
||||
extern crate failure;
|
||||
extern crate hex;
|
||||
extern crate ring;
|
||||
|
||||
#[cfg(test)]
|
||||
#[macro_use]
|
||||
extern crate proptest;
|
||||
|
||||
use failure::Error;
|
||||
use hex::{FromHex, ToHex};
|
||||
use ring::{digest, hmac};
|
||||
|
||||
type Result<T> = std::result::Result<T, Error>;
|
||||
|
||||
pub fn bytes_to_hex_str(bytes: &[u8]) -> Result<String> {
|
||||
let mut output = String::new();
|
||||
bytes.write_hex(&mut output)?;
|
||||
Ok(output)
|
||||
}
|
||||
|
||||
pub fn hex_str_to_bytes(hex_str: &str) -> Result<Vec<u8>> {
|
||||
Ok(Vec::from_hex(hex_str)?)
|
||||
}
|
||||
|
||||
pub fn verify_signature(key: &[u8], msg: &[u8], signature: &[u8]) -> bool {
|
||||
let key = hmac::VerificationKey::new(&digest::SHA256, key);
|
||||
hmac::verify(&key, msg, signature)
|
||||
.map(|_| true)
|
||||
.unwrap_or(false)
|
||||
}
|
||||
|
||||
pub fn sign(key: &[u8], msg: &[u8]) -> Vec<u8> {
|
||||
let key = hmac::SigningKey::new(&digest::SHA256, key);
|
||||
let signature = hmac::sign(&key, msg);
|
||||
signature.as_ref().into_iter().cloned().collect()
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
|
||||
proptest! {
|
||||
#[test]
|
||||
fn sign_verify(key: Vec<u8>, msg: Vec<u8>) {
|
||||
let sig = sign(&key, &msg);
|
||||
assert!(verify_signature(&key, &msg, &sig));
|
||||
}
|
||||
}
|
||||
|
||||
proptest! {
|
||||
#[test]
|
||||
fn to_from_hex(data: Vec<u8>) {
|
||||
assert_eq!(hex_str_to_bytes(&bytes_to_hex_str(&data).unwrap()).unwrap(), data);
|
||||
}
|
||||
}
|
||||
}
|
10
data/Cargo.toml
Normal file
10
data/Cargo.toml
Normal file
@ -0,0 +1,10 @@
|
||||
[package]
|
||||
name = "data"
|
||||
version = "0.1.0"
|
||||
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
|
||||
|
||||
[dependencies]
|
||||
failure = "0.1.1"
|
||||
hyper = "0.11"
|
||||
serde = "1.0.69"
|
||||
serde_derive = "1.0.69"
|
146
data/src/lib.rs
Normal file
146
data/src/lib.rs
Normal file
@ -0,0 +1,146 @@
|
||||
#[macro_use]
|
||||
extern crate failure;
|
||||
#[macro_use]
|
||||
extern crate hyper;
|
||||
#[macro_use]
|
||||
extern crate serde_derive;
|
||||
|
||||
pub const TOKEN_HEADER: &str = "X-Api-Token";
|
||||
|
||||
header! { (XApiToken, TOKEN_HEADER) => [String] }
|
||||
|
||||
#[derive(Eq, PartialEq, Deserialize, Serialize, Debug, Clone, Copy)]
|
||||
pub enum Record {
|
||||
A,
|
||||
AAAA,
|
||||
PTR,
|
||||
TXT,
|
||||
}
|
||||
|
||||
#[derive(Debug, Fail)]
|
||||
pub enum ApiError {
|
||||
#[fail(display = "Parse record error")]
|
||||
ParseRecord,
|
||||
#[fail(display = "API Error")]
|
||||
RequestError,
|
||||
}
|
||||
|
||||
impl std::str::FromStr for Record {
|
||||
type Err = ApiError;
|
||||
|
||||
fn from_str(s: &str) -> Result<Self, Self::Err> {
|
||||
match s {
|
||||
"A" | "a" => Ok(Record::A),
|
||||
"AAAA" | "aaaa" => Ok(Record::AAAA),
|
||||
"TXT" | "txt" => Ok(Record::TXT),
|
||||
"PTR" | "ptr" => Ok(Record::PTR),
|
||||
_ => Err(ApiError::ParseRecord),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl std::fmt::Display for Record {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
|
||||
write!(
|
||||
f,
|
||||
"{}",
|
||||
match *self {
|
||||
Record::A => "A",
|
||||
Record::AAAA => "AAAA",
|
||||
Record::PTR => "PTR",
|
||||
Record::TXT => "TXT",
|
||||
}
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Serialize)]
|
||||
pub struct Update {
|
||||
name: String,
|
||||
value: String,
|
||||
record: Record,
|
||||
ttl: u32,
|
||||
}
|
||||
|
||||
impl Update {
|
||||
pub fn new(name: String, value: String, record: Record, ttl: u32) -> Self {
|
||||
Self {
|
||||
name,
|
||||
value,
|
||||
record,
|
||||
ttl: ttl,
|
||||
}
|
||||
}
|
||||
|
||||
#[inline]
|
||||
pub fn name(&self) -> &str {
|
||||
&self.name
|
||||
}
|
||||
|
||||
#[inline]
|
||||
pub fn value(&self) -> &str {
|
||||
&self.value
|
||||
}
|
||||
|
||||
#[inline]
|
||||
pub fn record(&self) -> Record {
|
||||
self.record
|
||||
}
|
||||
|
||||
#[inline]
|
||||
pub fn ttl(&self) -> u32 {
|
||||
self.ttl
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Serialize)]
|
||||
pub struct Delete {
|
||||
name: String,
|
||||
record: Record,
|
||||
}
|
||||
|
||||
impl Delete {
|
||||
pub fn new(name: String, record: Record) -> Self {
|
||||
Self { name, record }
|
||||
}
|
||||
|
||||
#[inline]
|
||||
pub fn name(&self) -> &str {
|
||||
&self.name
|
||||
}
|
||||
|
||||
#[inline]
|
||||
pub fn record(&self) -> Record {
|
||||
self.record
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
|
||||
#[test]
|
||||
fn parse_record() {
|
||||
assert_eq!("a".parse::<Record>().unwrap(), Record::A);
|
||||
assert_eq!("A".parse::<Record>().unwrap(), Record::A);
|
||||
assert_eq!("aaaa".parse::<Record>().unwrap(), Record::AAAA);
|
||||
assert_eq!("AAAA".parse::<Record>().unwrap(), Record::AAAA);
|
||||
assert_eq!("txt".parse::<Record>().unwrap(), Record::TXT);
|
||||
assert_eq!("TXT".parse::<Record>().unwrap(), Record::TXT);
|
||||
assert_eq!("PTR".parse::<Record>().unwrap(), Record::PTR);
|
||||
assert_eq!("ptr".parse::<Record>().unwrap(), Record::PTR);
|
||||
assert!(!"aAaA".parse::<Record>().is_ok());
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn record_to_str_and_parse_equals_input() {
|
||||
assert!(validate_record_parsing(Record::A));
|
||||
assert!(validate_record_parsing(Record::AAAA));
|
||||
assert!(validate_record_parsing(Record::PTR));
|
||||
assert!(validate_record_parsing(Record::TXT));
|
||||
}
|
||||
|
||||
fn validate_record_parsing(record: Record) -> bool {
|
||||
format!("{}", record).parse::<Record>().unwrap() == record
|
||||
}
|
||||
}
|
3
letsencrypt/certbot-bind9-auth
Normal file
3
letsencrypt/certbot-bind9-auth
Normal file
@ -0,0 +1,3 @@
|
||||
#!/usr/bin/env sh
|
||||
|
||||
bind9-api-client -d "_acme-challenge.$CERTBOT_DOMAIN" -r TXT update -v "$CERTBOT_VALIDATION"
|
3
letsencrypt/certbot-bind9-cleanup
Normal file
3
letsencrypt/certbot-bind9-cleanup
Normal file
@ -0,0 +1,3 @@
|
||||
#!/usr/bin/env sh
|
||||
|
||||
bind9-api-client -d "_acme-challenge.$CERTBOT_DOMAIN" -r TXT delete
|
1741
server/Cargo.lock
generated
Normal file
1741
server/Cargo.lock
generated
Normal file
File diff suppressed because it is too large
Load Diff
18
server/Cargo.toml
Normal file
18
server/Cargo.toml
Normal file
@ -0,0 +1,18 @@
|
||||
[package]
|
||||
name = "bind9-api"
|
||||
version = "0.1.0"
|
||||
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
|
||||
description = "Web API to create, update and remove DNS entries in bind9"
|
||||
|
||||
[dependencies]
|
||||
actix-web = "0.6.14"
|
||||
# actix-web = { git = "https://github.com/actix/actix-web.git" }
|
||||
clap = "2.31.2"
|
||||
crypto = { path = "../crypto" }
|
||||
data = { path = "../data" }
|
||||
failure = "0.1.1"
|
||||
futures = "0.1.21"
|
||||
log = "0.4.3"
|
||||
pretty_env_logger = "0.2.3"
|
||||
serde = "1.0.69"
|
||||
serde_json = "1.0.22"
|
14
server/src/cli.rs
Normal file
14
server/src/cli.rs
Normal file
@ -0,0 +1,14 @@
|
||||
pub fn parse_args() -> ::clap::ArgMatches<'static> {
|
||||
clap_app!(api =>
|
||||
(version: crate_version!())
|
||||
(author: crate_authors!())
|
||||
(about: crate_description!())
|
||||
(@arg TOKEN: -t --token +required +takes_value "Token to authenticate against the API")
|
||||
(@arg CMD: -c --command +takes_value "Nsupdate command (Defaults to nsupdate)")
|
||||
(@arg KEYPATH: -k --keypath +required +takes_value "Path to the DNS key")
|
||||
(@arg OKMARK: -m --marker +takes_value "Marker to detect if a operation was successful")
|
||||
(@arg PORT: -p --port +takes_value "Port to listen on (Defaults to 8000)")
|
||||
(@arg HOST: -h --host +takes_value "Host to listen on (Defaults to 0.0.0.0)")
|
||||
(@arg SERVER: -s --server +takes_value "Bind server (Defaults to 127.0.0.1)")
|
||||
).get_matches()
|
||||
}
|
177
server/src/main.rs
Normal file
177
server/src/main.rs
Normal file
@ -0,0 +1,177 @@
|
||||
extern crate actix_web;
|
||||
extern crate crypto;
|
||||
extern crate data;
|
||||
#[macro_use]
|
||||
extern crate clap;
|
||||
#[macro_use]
|
||||
extern crate failure;
|
||||
extern crate futures;
|
||||
#[macro_use]
|
||||
extern crate log;
|
||||
extern crate pretty_env_logger;
|
||||
extern crate serde_json;
|
||||
|
||||
mod cli;
|
||||
|
||||
use actix_web::{
|
||||
error::{self, ErrorInternalServerError, ErrorUnauthorized, JsonPayloadError, ParseError}, http,
|
||||
middleware::Logger, server, App, HttpMessage, HttpRequest, Result,
|
||||
};
|
||||
use data::{Delete, Update};
|
||||
use failure::Error;
|
||||
use futures::future::{err as FutErr, Future};
|
||||
use std::{
|
||||
io::Write, process::{Command, Stdio}, sync::Arc,
|
||||
};
|
||||
|
||||
#[derive(Debug, Fail)]
|
||||
enum ExecuteError {
|
||||
#[fail(display = "Stdin error")]
|
||||
Stdin,
|
||||
}
|
||||
|
||||
struct Config {
|
||||
token: String,
|
||||
command: String,
|
||||
key_path: String,
|
||||
ok_marker: String,
|
||||
server: String,
|
||||
}
|
||||
|
||||
fn execute_nsupdate(input: &str, config: &Config) -> Result<String, Error> {
|
||||
info!("executing update: {}", input);
|
||||
let mut cmd = Command::new(&config.command)
|
||||
.stdin(Stdio::piped())
|
||||
.stdout(Stdio::piped())
|
||||
.args(&["-k", &config.key_path])
|
||||
.spawn()?;
|
||||
{
|
||||
let stdin = cmd.stdin.as_mut().ok_or(ExecuteError::Stdin)?;
|
||||
stdin.write_all(input.as_bytes())?;
|
||||
}
|
||||
let output = cmd.wait_with_output()?.stdout;
|
||||
let output = String::from_utf8(output)?;
|
||||
info!("output: {}", output);
|
||||
Ok(output)
|
||||
}
|
||||
|
||||
fn delete(req: HttpRequest<Arc<Config>>) -> Box<Future<Item = &'static str, Error = error::Error>> {
|
||||
let state = req.state().clone();
|
||||
let sig = extract_signature(&req);
|
||||
if sig.is_err() {
|
||||
return Box::new(FutErr(sig.unwrap_err()));
|
||||
}
|
||||
let sig = sig.unwrap();
|
||||
let secret = state.token.clone();
|
||||
Box::new(req.body().from_err().and_then(move |body| {
|
||||
if crypto::verify_signature(secret.as_bytes(), &body, &sig) {
|
||||
let delete: Delete = serde_json::from_slice(&body)
|
||||
.map_err(|e| ErrorInternalServerError(JsonPayloadError::Deserialize(e)))?;
|
||||
info!("Deleting {} record for {}", delete.record(), delete.name());
|
||||
let stdin = format!(
|
||||
"server {}\nupdate delete {} {}\nsend\n",
|
||||
state.server,
|
||||
delete.name(),
|
||||
delete.record()
|
||||
);
|
||||
Ok(execute_nsupdate(&stdin, &state)
|
||||
.map_err(|_| ErrorInternalServerError("Error executing nsupdate"))
|
||||
.and_then(|s| {
|
||||
if s.contains(&state.ok_marker) {
|
||||
Ok("OK")
|
||||
} else {
|
||||
Err(ErrorInternalServerError("Marker not found"))
|
||||
}
|
||||
})?)
|
||||
} else {
|
||||
Err(ErrorUnauthorized(ParseError::Header))
|
||||
}
|
||||
}))
|
||||
}
|
||||
|
||||
fn extract_signature<S>(req: &HttpRequest<S>) -> Result<Vec<u8>> {
|
||||
Ok(req.headers()
|
||||
.get(data::TOKEN_HEADER)
|
||||
.as_ref()
|
||||
.ok_or_else(|| ErrorUnauthorized(ParseError::Header))?
|
||||
.to_str()
|
||||
.map_err(ErrorUnauthorized)
|
||||
.and_then(|s| {
|
||||
crypto::hex_str_to_bytes(s).map_err(|_| ErrorUnauthorized(ParseError::Header))
|
||||
})
|
||||
.map_err(ErrorUnauthorized)?)
|
||||
}
|
||||
|
||||
fn update(req: HttpRequest<Arc<Config>>) -> Box<Future<Item = &'static str, Error = error::Error>> {
|
||||
let state = req.state().clone();
|
||||
let sig = extract_signature(&req);
|
||||
if sig.is_err() {
|
||||
return Box::new(FutErr(sig.unwrap_err()));
|
||||
}
|
||||
let sig = sig.unwrap();
|
||||
let secret = state.token.clone();
|
||||
Box::new(req.body().from_err().and_then(move |body| {
|
||||
if crypto::verify_signature(secret.as_bytes(), &body, &sig) {
|
||||
let update: Update = serde_json::from_slice(&body)
|
||||
.map_err(|e| ErrorInternalServerError(JsonPayloadError::Deserialize(e)))?;
|
||||
info!(
|
||||
"Updating {} record for {} with value \"{}\"",
|
||||
update.record(),
|
||||
update.name(),
|
||||
update.value()
|
||||
);
|
||||
let stdin = format!(
|
||||
"server {}\nupdate add {} {} {} {}\nsend\n",
|
||||
state.server,
|
||||
update.name(),
|
||||
update.ttl(),
|
||||
update.record(),
|
||||
update.value()
|
||||
);
|
||||
Ok(execute_nsupdate(&stdin, &state)
|
||||
.map_err(|_| ErrorInternalServerError("Error executing nsupdate"))
|
||||
.and_then(|s| {
|
||||
if s.contains(&state.ok_marker) {
|
||||
Ok("OK")
|
||||
} else {
|
||||
Err(ErrorInternalServerError("Marker not found"))
|
||||
}
|
||||
})?)
|
||||
} else {
|
||||
Err(ErrorUnauthorized(ParseError::Header))
|
||||
}
|
||||
}))
|
||||
}
|
||||
|
||||
fn main() {
|
||||
std::env::set_var("RUST_LOG", "info");
|
||||
pretty_env_logger::init();
|
||||
let matches = cli::parse_args();
|
||||
let token = matches.value_of("TOKEN").unwrap().to_owned();
|
||||
let command = matches.value_of("CMD").unwrap_or("nsupdate").to_owned();
|
||||
let key_path = matches.value_of("KEYPATH").unwrap().to_owned();
|
||||
let ok_marker = matches.value_of("OKMARK").unwrap_or("").to_owned();
|
||||
let server = matches.value_of("SERVER").unwrap_or("127.0.0.1").to_owned();
|
||||
let config = Arc::new(Config {
|
||||
token,
|
||||
command,
|
||||
key_path,
|
||||
ok_marker,
|
||||
server,
|
||||
});
|
||||
let port: u16 = matches
|
||||
.value_of("PORT")
|
||||
.unwrap_or("8000")
|
||||
.parse()
|
||||
.expect("Cannot parse port");
|
||||
let host = matches.value_of("HOST").unwrap_or("0.0.0.0");
|
||||
let host = format!("{}:{}", host, port);
|
||||
server::new(move || {
|
||||
App::with_state(config.clone())
|
||||
.middleware(Logger::default())
|
||||
.route("/record", http::Method::POST, update)
|
||||
.route("/record", http::Method::DELETE, delete)
|
||||
}).bind(host)
|
||||
.unwrap()
|
||||
.run();
|
||||
}
|
Loading…
Reference in New Issue
Block a user