1
0
mirror of https://github.com/vbrandl/bind9-api.git synced 2024-11-23 12:23:27 +01:00

Initial commit

This commit is contained in:
Valentin Brandl 2018-07-08 01:08:56 +02:00
parent c47130259c
commit 1c6b369753
Signed by: vbrandl
GPG Key ID: CAD4DA1A789125F9
20 changed files with 4919 additions and 0 deletions

3
.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
/target
**/*.rs.bk

17
.travis.yml Normal file
View File

@ -0,0 +1,17 @@
sudo: required
services:
- docker
script:
- docker run --rm -it -v "$(pwd)":/home/rust/src ekidd/rust-musl-builder cargo build --release
before_deploy:
- ./ci/before_deploy.sh
deploy:
provider: releases
file_glob: true
file:
- deploy/*
skip_cleanup: true
on:
tags: true

2248
Cargo.lock generated Normal file

File diff suppressed because it is too large Load Diff

3
Cargo.toml Normal file
View File

@ -0,0 +1,3 @@
[workspace]
members = [ "server", "client", "data", "crypto" ]

109
README.md Normal file
View File

@ -0,0 +1,109 @@
# BIND9 API
This is an attempt to implement an API to create, update or delete DNS records
on a BIND9 DNS server.
## Server
The server will wait for incoming requests and uses the `nsupdate` command to
perform operations on the BIND9 nameserver. For the server to work, a DNS key is
needed to perform the updates.
```
$ dnssec-keygen -r /dev/urandom -a HMAC-SHA256 -b 256 -n HOST dnskey
```
Copy the `Key` section of the resulting `Kdnskey*.private` file into a file that
looks like this:
```
key "dns-key" {
algorithm hmac-sha256;
secret "<your secret>";
}
```
And extend the zone section of the zones you'd like to modify in your
`named.conf.local`
```
zone "example.com" {
type master;
file "/var/lib/bind/db.example.com";
...
allow-update { key "dns-key"; };
...
}
```
Now you can start the server:
```
$ ./bind9-api -k <path to dnskey> -t <your api token>
```
By default, the server will bind to `0.0.0.0:8000`. The host and port to bind
to, can be changed using the `-h` and `-p` flags respectively. For production
use, you should bind to a private IP address (LAN or VLAN) or to `127.0.0.1` and
put the server behind a reverse proxy that offers TLS.
## Client
The client is used to perform changes to the DNS zone from any server. My use
case is to perform LetsEncrypt DNS challenges. The client will look for a
configuration file in `/etc/bind9apiclient.toml` which looks like this:
```
# API server host
host = "http://127.0.0.1:8080"
# API secret
secret = "topsecret"
```
The client can perform two operations: Creating/updating and deleting DNS
records. The client is invoked like this
```
$ ./bind9-api-client -d foo.example.com -r TXT update -v foobar
$ ./bind9-api-client -d foo.example.com -r TXT delete
```
## API Description
```
POST /record
X-Api-Token: <api-token>
{
"name": "foo.example.com",
"value": "127.0.0.1",
"record": "A",
"ttl": 1337
}
```
```
DELETE /record
X-Api-Token: <api-token>
{
"name": "foo.example.com",
"record": "A"
}
```
The API token is a SHA256 HMAC over the request body using a pre-shared secret.
### Security Considerations
The current API design does not migrate replay attacks. An attacker that is able
to intercept a request to the API can resend the same request again to execute
the same operation. To prevent these kinds of attacks, you should use a reverse
proxy and encrypt the connections using TLS. Future versions of the server might
provide TLS functionality by itself.
## Usage with LetsEncrypt
In `letsencrypt/`, two example scripts can be found to use the client as a
certbot hook for DNS challenges. It assumes that the client is located somewhere
in `$PATH` and that the configurations file exists.

15
ci/before_deploy.sh Executable file
View File

@ -0,0 +1,15 @@
#!/usr/bin/env bash
set -ex
main() {
local src=$(pwd) \
stage=$src/deploy
mkdir -p $deploy
test -f Cargo.lock || cargo generate-lockfile
cp target/x86_64-unknown-linux-musl/release/bind9-api $stage/bind9-api-${TRAVIS-TAG:1}-x86_64-musl
cp target/x86_64-unknown-linux-musl/release/bind9-api-client $stage/bind9-api-client-${TRAVIS-TAG:1}-x86_64-musl
}

194
client/Cargo.lock generated Normal file
View File

@ -0,0 +1,194 @@
[[package]]
name = "ansi_term"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "atty"
version = "0.2.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
"termion 1.5.1 (registry+https://github.com/rust-lang/crates.io-index)",
"winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "bind9-api-client"
version = "0.1.0"
dependencies = [
"clap 2.32.0 (registry+https://github.com/rust-lang/crates.io-index)",
"serde 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)",
"serde_derive 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)",
"toml 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "bitflags"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "clap"
version = "2.32.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
"atty 0.2.10 (registry+https://github.com/rust-lang/crates.io-index)",
"bitflags 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
"strsim 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)",
"textwrap 0.10.0 (registry+https://github.com/rust-lang/crates.io-index)",
"unicode-width 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
"vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "libc"
version = "0.2.42"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "proc-macro2"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "quote"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "redox_syscall"
version = "0.1.40"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "redox_termios"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"redox_syscall 0.1.40 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "serde"
version = "1.0.69"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "serde_derive"
version = "1.0.69"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
"quote 0.6.3 (registry+https://github.com/rust-lang/crates.io-index)",
"syn 0.14.4 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "strsim"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "syn"
version = "0.14.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
"quote 0.6.3 (registry+https://github.com/rust-lang/crates.io-index)",
"unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "termion"
version = "1.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
"redox_syscall 0.1.40 (registry+https://github.com/rust-lang/crates.io-index)",
"redox_termios 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "textwrap"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"unicode-width 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "toml"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"serde 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "unicode-width"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "unicode-xid"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "vec_map"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "winapi"
version = "0.3.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
"winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[metadata]
"checksum ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
"checksum atty 0.2.10 (registry+https://github.com/rust-lang/crates.io-index)" = "2fc4a1aa4c24c0718a250f0681885c1af91419d242f29eb8f2ab28502d80dbd1"
"checksum bitflags 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "d0c54bb8f454c567f21197eefcdbf5679d0bd99f2ddbe52e84c77061952e6789"
"checksum clap 2.32.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b957d88f4b6a63b9d70d5f454ac8011819c6efa7727858f458ab71c756ce2d3e"
"checksum libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)" = "b685088df2b950fccadf07a7187c8ef846a959c142338a48f9dc0b94517eb5f1"
"checksum proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)" = "effdb53b25cdad54f8f48843d67398f7ef2e14f12c1b4cb4effc549a6462a4d6"
"checksum quote 0.6.3 (registry+https://github.com/rust-lang/crates.io-index)" = "e44651a0dc4cdd99f71c83b561e221f714912d11af1a4dff0631f923d53af035"
"checksum redox_syscall 0.1.40 (registry+https://github.com/rust-lang/crates.io-index)" = "c214e91d3ecf43e9a4e41e578973adeb14b474f2bee858742d127af75a0112b1"
"checksum redox_termios 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "7e891cfe48e9100a70a3b6eb652fef28920c117d366339687bd5576160db0f76"
"checksum serde 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)" = "210e5a3b159c566d7527e9b22e44be73f2e0fcc330bb78fef4dbccb56d2e74c8"
"checksum serde_derive 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)" = "dd724d68017ae3a7e63600ee4b2fdb3cad2158ffd1821d44aff4580f63e2b593"
"checksum strsim 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)" = "bb4f380125926a99e52bc279241539c018323fab05ad6368b56f93d9369ff550"
"checksum syn 0.14.4 (registry+https://github.com/rust-lang/crates.io-index)" = "2beff8ebc3658f07512a413866875adddd20f4fd47b2a4e6c9da65cd281baaea"
"checksum termion 1.5.1 (registry+https://github.com/rust-lang/crates.io-index)" = "689a3bdfaab439fd92bc87df5c4c78417d3cbe537487274e9b0b2dce76e92096"
"checksum textwrap 0.10.0 (registry+https://github.com/rust-lang/crates.io-index)" = "307686869c93e71f94da64286f9a9524c0f308a9e1c87a583de8e9c9039ad3f6"
"checksum toml 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)" = "a0263c6c02c4db6c8f7681f9fd35e90de799ebd4cfdeab77a38f4ff6b3d8c0d9"
"checksum unicode-width 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "882386231c45df4700b275c7ff55b6f3698780a650026380e72dabe76fa46526"
"checksum unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
"checksum vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)" = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
"checksum winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)" = "773ef9dcc5f24b7d850d0ff101e542ff24c3b090a9768e03ff889fdef41f00fd"
"checksum winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
"checksum winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"

18
client/Cargo.toml Normal file
View File

@ -0,0 +1,18 @@
[package]
name = "bind9-api-client"
version = "0.1.0"
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
[dependencies]
clap = "2.32.0"
crypto = { path = "../crypto" }
data = { path = "../data" }
failure = "0.1.1"
log = "0.4.3"
openssl-probe = "0.1.2"
pretty_env_logger = "0.2.3"
reqwest = "0.8.6"
serde = "1.0.69"
serde_derive = "1.0.69"
serde_json = "1.0.22"
toml = "0.4.6"

18
client/src/cli.rs Normal file
View File

@ -0,0 +1,18 @@
pub fn parse_cli() -> ::clap::ArgMatches<'static> {
clap_app!(bind9_api_client =>
(version: crate_version!())
(author: crate_authors!())
(about: crate_description!())
(@arg CONFIG: -c --config +takes_value "Path to config file (Defaults to /etc/bind9apiclient.toml)")
(@arg DOMAIN: -d --domain +takes_value +required "Domain to create")
(@arg RECORD: -r --record +takes_value "The record type (Defaults to TXT)")
(@subcommand update =>
(about: "Creates a new record")
(@arg VALUE: -v --value +takes_value +required "Value to write in the record")
(@arg TTL: -t --ttl + takes_value "TTL of the record (Defaults to 8640)")
)
(@subcommand delete =>
(about: "Deletes a record")
)
).get_matches()
}

114
client/src/main.rs Normal file
View File

@ -0,0 +1,114 @@
#[macro_use]
extern crate clap;
extern crate crypto;
extern crate data;
extern crate failure;
#[macro_use]
extern crate log;
extern crate openssl_probe;
extern crate pretty_env_logger;
extern crate reqwest;
extern crate serde;
extern crate toml;
#[macro_use]
extern crate serde_derive;
extern crate serde_json;
mod cli;
use failure::Error;
use data::{ApiError, Delete, Record, Update};
use std::borrow::Cow;
type Result<T> = std::result::Result<T, Error>;
#[derive(Eq, PartialEq, Clone, Copy)]
enum Method {
POST,
DELETE,
}
#[derive(Deserialize)]
struct Config<'a> {
#[serde(borrow)]
host: Cow<'a, str>,
#[serde(borrow)]
secret: Cow<'a, str>,
}
fn delete(config: &Config, record: Record, domain: &str) -> Result<()> {
let delete = Delete::new(domain.to_owned(), record);
let res = call_api(config, delete, Method::DELETE)?;
if res.status().is_success() {
Ok(())
} else {
Err(ApiError::RequestError.into())
}
}
fn update(config: &Config, record: Record, domain: &str, value: &str, ttl: u32) -> Result<()> {
let update = Update::new(domain.to_owned(), value.to_owned(), record, ttl);
let res = call_api(config, update, Method::POST)?;
if res.status().is_success() {
Ok(())
} else {
Err(ApiError::RequestError.into())
}
}
fn call_api<D: serde::Serialize>(
config: &Config,
data: D,
method: Method,
) -> Result<reqwest::Response> {
let data_s = serde_json::to_string(&data)?;
info!("body: {}", data_s);
let signature = crypto::sign(config.secret.as_bytes(), data_s.as_bytes());
let signature = crypto::bytes_to_hex_str(&signature)?;
let client = reqwest::Client::new();
let url = format!("{}/record", config.host);
Ok(if method == Method::POST {
client.post(&url)
} else {
client.delete(&url)
}.header(data::XApiToken(signature))
.json(&data)
.send()?)
}
fn main() -> Result<()> {
openssl_probe::init_ssl_cert_env_vars();
std::env::set_var("RUST_LOG", "info");
pretty_env_logger::init();
let matches = cli::parse_cli();
let record: Record = matches
.value_of("RECORD")
.unwrap_or("TXT")
.parse()
.expect("Invalid record type");
let domain = matches.value_of("DOMAIN").unwrap();
let config_path = matches
.value_of("CONFIG")
.unwrap_or("/etc/bind9apiclient.toml");
let config = std::fs::read_to_string(config_path).expect("Cannot read config file");
let config: Config = toml::from_str(&config).expect("Cannot parse config file");
if let Some(matches) = matches.subcommand_matches("update") {
let ttl = matches
.value_of("TTL")
.unwrap_or("8640")
.parse()
.expect("Cannot parse TTL");
update(
&config,
record,
domain,
matches.value_of("VALUE").unwrap(),
ttl,
)?;
} else if matches.subcommand_matches("delete").is_some() {
delete(&config, record, domain)?;
}
Ok(())
}

12
crypto/Cargo.toml Normal file
View File

@ -0,0 +1,12 @@
[package]
name = "crypto"
version = "0.1.0"
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
[dependencies]
failure = "0.1.1"
hex = "0.3.2"
ring = "0.12.1"
[dev-dependencies]
proptest = "0.8.1"

56
crypto/src/lib.rs Normal file
View File

@ -0,0 +1,56 @@
extern crate failure;
extern crate hex;
extern crate ring;
#[cfg(test)]
#[macro_use]
extern crate proptest;
use failure::Error;
use hex::{FromHex, ToHex};
use ring::{digest, hmac};
type Result<T> = std::result::Result<T, Error>;
pub fn bytes_to_hex_str(bytes: &[u8]) -> Result<String> {
let mut output = String::new();
bytes.write_hex(&mut output)?;
Ok(output)
}
pub fn hex_str_to_bytes(hex_str: &str) -> Result<Vec<u8>> {
Ok(Vec::from_hex(hex_str)?)
}
pub fn verify_signature(key: &[u8], msg: &[u8], signature: &[u8]) -> bool {
let key = hmac::VerificationKey::new(&digest::SHA256, key);
hmac::verify(&key, msg, signature)
.map(|_| true)
.unwrap_or(false)
}
pub fn sign(key: &[u8], msg: &[u8]) -> Vec<u8> {
let key = hmac::SigningKey::new(&digest::SHA256, key);
let signature = hmac::sign(&key, msg);
signature.as_ref().into_iter().cloned().collect()
}
#[cfg(test)]
mod tests {
use super::*;
proptest! {
#[test]
fn sign_verify(key: Vec<u8>, msg: Vec<u8>) {
let sig = sign(&key, &msg);
assert!(verify_signature(&key, &msg, &sig));
}
}
proptest! {
#[test]
fn to_from_hex(data: Vec<u8>) {
assert_eq!(hex_str_to_bytes(&bytes_to_hex_str(&data).unwrap()).unwrap(), data);
}
}
}

10
data/Cargo.toml Normal file
View File

@ -0,0 +1,10 @@
[package]
name = "data"
version = "0.1.0"
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
[dependencies]
failure = "0.1.1"
hyper = "0.11"
serde = "1.0.69"
serde_derive = "1.0.69"

146
data/src/lib.rs Normal file
View File

@ -0,0 +1,146 @@
#[macro_use]
extern crate failure;
#[macro_use]
extern crate hyper;
#[macro_use]
extern crate serde_derive;
pub const TOKEN_HEADER: &str = "X-Api-Token";
header! { (XApiToken, TOKEN_HEADER) => [String] }
#[derive(Eq, PartialEq, Deserialize, Serialize, Debug, Clone, Copy)]
pub enum Record {
A,
AAAA,
PTR,
TXT,
}
#[derive(Debug, Fail)]
pub enum ApiError {
#[fail(display = "Parse record error")]
ParseRecord,
#[fail(display = "API Error")]
RequestError,
}
impl std::str::FromStr for Record {
type Err = ApiError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
match s {
"A" | "a" => Ok(Record::A),
"AAAA" | "aaaa" => Ok(Record::AAAA),
"TXT" | "txt" => Ok(Record::TXT),
"PTR" | "ptr" => Ok(Record::PTR),
_ => Err(ApiError::ParseRecord),
}
}
}
impl std::fmt::Display for Record {
fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
write!(
f,
"{}",
match *self {
Record::A => "A",
Record::AAAA => "AAAA",
Record::PTR => "PTR",
Record::TXT => "TXT",
}
)
}
}
#[derive(Deserialize, Serialize)]
pub struct Update {
name: String,
value: String,
record: Record,
ttl: u32,
}
impl Update {
pub fn new(name: String, value: String, record: Record, ttl: u32) -> Self {
Self {
name,
value,
record,
ttl: ttl,
}
}
#[inline]
pub fn name(&self) -> &str {
&self.name
}
#[inline]
pub fn value(&self) -> &str {
&self.value
}
#[inline]
pub fn record(&self) -> Record {
self.record
}
#[inline]
pub fn ttl(&self) -> u32 {
self.ttl
}
}
#[derive(Deserialize, Serialize)]
pub struct Delete {
name: String,
record: Record,
}
impl Delete {
pub fn new(name: String, record: Record) -> Self {
Self { name, record }
}
#[inline]
pub fn name(&self) -> &str {
&self.name
}
#[inline]
pub fn record(&self) -> Record {
self.record
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn parse_record() {
assert_eq!("a".parse::<Record>().unwrap(), Record::A);
assert_eq!("A".parse::<Record>().unwrap(), Record::A);
assert_eq!("aaaa".parse::<Record>().unwrap(), Record::AAAA);
assert_eq!("AAAA".parse::<Record>().unwrap(), Record::AAAA);
assert_eq!("txt".parse::<Record>().unwrap(), Record::TXT);
assert_eq!("TXT".parse::<Record>().unwrap(), Record::TXT);
assert_eq!("PTR".parse::<Record>().unwrap(), Record::PTR);
assert_eq!("ptr".parse::<Record>().unwrap(), Record::PTR);
assert!(!"aAaA".parse::<Record>().is_ok());
}
#[test]
fn record_to_str_and_parse_equals_input() {
assert!(validate_record_parsing(Record::A));
assert!(validate_record_parsing(Record::AAAA));
assert!(validate_record_parsing(Record::PTR));
assert!(validate_record_parsing(Record::TXT));
}
fn validate_record_parsing(record: Record) -> bool {
format!("{}", record).parse::<Record>().unwrap() == record
}
}

View File

@ -0,0 +1,3 @@
#!/usr/bin/env sh
bind9-api-client -d "_acme-challenge.$CERTBOT_DOMAIN" -r TXT update -v "$CERTBOT_VALIDATION"

View File

@ -0,0 +1,3 @@
#!/usr/bin/env sh
bind9-api-client -d "_acme-challenge.$CERTBOT_DOMAIN" -r TXT delete

1741
server/Cargo.lock generated Normal file

File diff suppressed because it is too large Load Diff

18
server/Cargo.toml Normal file
View File

@ -0,0 +1,18 @@
[package]
name = "bind9-api"
version = "0.1.0"
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
description = "Web API to create, update and remove DNS entries in bind9"
[dependencies]
actix-web = "0.6.14"
# actix-web = { git = "https://github.com/actix/actix-web.git" }
clap = "2.31.2"
crypto = { path = "../crypto" }
data = { path = "../data" }
failure = "0.1.1"
futures = "0.1.21"
log = "0.4.3"
pretty_env_logger = "0.2.3"
serde = "1.0.69"
serde_json = "1.0.22"

14
server/src/cli.rs Normal file
View File

@ -0,0 +1,14 @@
pub fn parse_args() -> ::clap::ArgMatches<'static> {
clap_app!(api =>
(version: crate_version!())
(author: crate_authors!())
(about: crate_description!())
(@arg TOKEN: -t --token +required +takes_value "Token to authenticate against the API")
(@arg CMD: -c --command +takes_value "Nsupdate command (Defaults to nsupdate)")
(@arg KEYPATH: -k --keypath +required +takes_value "Path to the DNS key")
(@arg OKMARK: -m --marker +takes_value "Marker to detect if a operation was successful")
(@arg PORT: -p --port +takes_value "Port to listen on (Defaults to 8000)")
(@arg HOST: -h --host +takes_value "Host to listen on (Defaults to 0.0.0.0)")
(@arg SERVER: -s --server +takes_value "Bind server (Defaults to 127.0.0.1)")
).get_matches()
}

177
server/src/main.rs Normal file
View File

@ -0,0 +1,177 @@
extern crate actix_web;
extern crate crypto;
extern crate data;
#[macro_use]
extern crate clap;
#[macro_use]
extern crate failure;
extern crate futures;
#[macro_use]
extern crate log;
extern crate pretty_env_logger;
extern crate serde_json;
mod cli;
use actix_web::{
error::{self, ErrorInternalServerError, ErrorUnauthorized, JsonPayloadError, ParseError}, http,
middleware::Logger, server, App, HttpMessage, HttpRequest, Result,
};
use data::{Delete, Update};
use failure::Error;
use futures::future::{err as FutErr, Future};
use std::{
io::Write, process::{Command, Stdio}, sync::Arc,
};
#[derive(Debug, Fail)]
enum ExecuteError {
#[fail(display = "Stdin error")]
Stdin,
}
struct Config {
token: String,
command: String,
key_path: String,
ok_marker: String,
server: String,
}
fn execute_nsupdate(input: &str, config: &Config) -> Result<String, Error> {
info!("executing update: {}", input);
let mut cmd = Command::new(&config.command)
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.args(&["-k", &config.key_path])
.spawn()?;
{
let stdin = cmd.stdin.as_mut().ok_or(ExecuteError::Stdin)?;
stdin.write_all(input.as_bytes())?;
}
let output = cmd.wait_with_output()?.stdout;
let output = String::from_utf8(output)?;
info!("output: {}", output);
Ok(output)
}
fn delete(req: HttpRequest<Arc<Config>>) -> Box<Future<Item = &'static str, Error = error::Error>> {
let state = req.state().clone();
let sig = extract_signature(&req);
if sig.is_err() {
return Box::new(FutErr(sig.unwrap_err()));
}
let sig = sig.unwrap();
let secret = state.token.clone();
Box::new(req.body().from_err().and_then(move |body| {
if crypto::verify_signature(secret.as_bytes(), &body, &sig) {
let delete: Delete = serde_json::from_slice(&body)
.map_err(|e| ErrorInternalServerError(JsonPayloadError::Deserialize(e)))?;
info!("Deleting {} record for {}", delete.record(), delete.name());
let stdin = format!(
"server {}\nupdate delete {} {}\nsend\n",
state.server,
delete.name(),
delete.record()
);
Ok(execute_nsupdate(&stdin, &state)
.map_err(|_| ErrorInternalServerError("Error executing nsupdate"))
.and_then(|s| {
if s.contains(&state.ok_marker) {
Ok("OK")
} else {
Err(ErrorInternalServerError("Marker not found"))
}
})?)
} else {
Err(ErrorUnauthorized(ParseError::Header))
}
}))
}
fn extract_signature<S>(req: &HttpRequest<S>) -> Result<Vec<u8>> {
Ok(req.headers()
.get(data::TOKEN_HEADER)
.as_ref()
.ok_or_else(|| ErrorUnauthorized(ParseError::Header))?
.to_str()
.map_err(ErrorUnauthorized)
.and_then(|s| {
crypto::hex_str_to_bytes(s).map_err(|_| ErrorUnauthorized(ParseError::Header))
})
.map_err(ErrorUnauthorized)?)
}
fn update(req: HttpRequest<Arc<Config>>) -> Box<Future<Item = &'static str, Error = error::Error>> {
let state = req.state().clone();
let sig = extract_signature(&req);
if sig.is_err() {
return Box::new(FutErr(sig.unwrap_err()));
}
let sig = sig.unwrap();
let secret = state.token.clone();
Box::new(req.body().from_err().and_then(move |body| {
if crypto::verify_signature(secret.as_bytes(), &body, &sig) {
let update: Update = serde_json::from_slice(&body)
.map_err(|e| ErrorInternalServerError(JsonPayloadError::Deserialize(e)))?;
info!(
"Updating {} record for {} with value \"{}\"",
update.record(),
update.name(),
update.value()
);
let stdin = format!(
"server {}\nupdate add {} {} {} {}\nsend\n",
state.server,
update.name(),
update.ttl(),
update.record(),
update.value()
);
Ok(execute_nsupdate(&stdin, &state)
.map_err(|_| ErrorInternalServerError("Error executing nsupdate"))
.and_then(|s| {
if s.contains(&state.ok_marker) {
Ok("OK")
} else {
Err(ErrorInternalServerError("Marker not found"))
}
})?)
} else {
Err(ErrorUnauthorized(ParseError::Header))
}
}))
}
fn main() {
std::env::set_var("RUST_LOG", "info");
pretty_env_logger::init();
let matches = cli::parse_args();
let token = matches.value_of("TOKEN").unwrap().to_owned();
let command = matches.value_of("CMD").unwrap_or("nsupdate").to_owned();
let key_path = matches.value_of("KEYPATH").unwrap().to_owned();
let ok_marker = matches.value_of("OKMARK").unwrap_or("").to_owned();
let server = matches.value_of("SERVER").unwrap_or("127.0.0.1").to_owned();
let config = Arc::new(Config {
token,
command,
key_path,
ok_marker,
server,
});
let port: u16 = matches
.value_of("PORT")
.unwrap_or("8000")
.parse()
.expect("Cannot parse port");
let host = matches.value_of("HOST").unwrap_or("0.0.0.0");
let host = format!("{}:{}", host, port);
server::new(move || {
App::with_state(config.clone())
.middleware(Logger::default())
.route("/record", http::Method::POST, update)
.route("/record", http::Method::DELETE, delete)
}).bind(host)
.unwrap()
.run();
}