vbrandl/bind9-api
1
0
Fork 0
mirror of https://github.com/vbrandl/bind9-api.git synced 2024-11-22 04:43:49 +01:00
Code Issues Releases Wiki Activity

Merge branch 'release/0.1.0'

Browse Source
This commit is contained in:
Valentin Brandl 2018-07-15 19:31:01 +02:00
commit 99fd52adc3
Signed by: vbrandl
GPG Key ID: CAD4DA1A789125F9
23 changed files with 5694 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
/target
**/*.rs.bk

19
.travis.yml Normal file
View File

@ -0,0 +1,19 @@
sudo: required
services:
- docker
script:
- docker run --rm -it -v "$(pwd)":/home/rust/src ekidd/rust-musl-builder sh -c 'sudo chown -R rust . && cargo test && cargo build --release'
before_deploy:
- ./ci/before_deploy.sh
deploy:
provider: releases
api_key:
secure: "GHjOIiBMx3/0hqRsg4fAaNKeTbcgmS55AvzHGQUB8ZYIxbhRysIGk6ovdBS5RHE9t6uPlp3zdZ8Iw9s63zTH+z/l+eLA+9quT+Ls9g6/MKpTfmLgu+Fg5ilJllEzDG1MBEbneoU38hpBECJuoUX78JN8ss7Xu61vgXf/5R2lBtoxwqMLwUse0vbHnR8NQNsBKrOC1XETWRXTBnC1X2dJ4JbI5FprihHtxmkh4mC+gJRm/1RIO+oegRnR5H8d/w3A9cou750neR9rESh6NBZBgjLR+odwE+nZRJXqoYfhExKAa9MAK1HAj0f9IXGw4tRApUF4fU0dKHa5E4I2MjNJoLw88lG6Rt/+897LJrGN+Csf65vmvLANlKlhdme/+nyG0vOcTuuv5tTl/2DaytShw2Jjp7eT4iHVyS0/nuk2Z80nZyhlBoDyg2VwBfMoMYslphqbV3PVBnsnTp7LOBb7m6WpHZIB/QsXVUMhIoQGE7kgZxSA+TfiX5BGO7fYihFqdoqB4ddEm63ciJVE3ZQv2wYgHIuStoY7wu8nPzK4X0h5r84BaGGnuiL1nyKe3NgTHdU59LHLbM66//M0rJzxqjV7SjnQag/F8G/EbD0aq6CF4fXOUvIf+vXBVOPR45QTayjdbljm5GLPoGqHNyaaULsh5O2W4onn40PcaXKOkSs="
file_glob: true
file:
- deploy/*
skip_cleanup: true
on:
tags: true

2248
Cargo.lock generated Normal file
View File

File diff suppressed because it is too large Load Diff

6
Cargo.toml Normal file
View File

@ -0,0 +1,6 @@
[workspace]
members = [ "server", "client", "data", "crypto" ]
[profile.release]
lto = true

201
LICENSE-APACHE Normal file
View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

21
LICENSE-MIT Normal file
View File

@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) 2018 Valentin Brandl
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

120
README.md Normal file
View File

@ -0,0 +1,120 @@
# BIND9 API
This is an attempt to implement an API to create, update or delete DNS records
on a BIND9 DNS server.
## Server
The server will wait for incoming requests and uses the `nsupdate` command to
perform operations on the BIND9 nameserver. For the server to work, a DNS key is
needed to perform the updates.
```
$ dnssec-keygen -r /dev/urandom -a HMAC-SHA256 -b 256 -n HOST dnskey
```
Copy the `Key` section of the resulting `Kdnskey*.private` file into a file that
looks like this:
```
key "dns-key" {
algorithm hmac-sha256;
secret "<your secret>";
}
```
And extend the zone section of the zones you'd like to modify in your
`named.conf.local`
```
zone "example.com" {
type master;
file "/var/lib/bind/db.example.com";
...
allow-update { key "dns-key"; };
...
}
```
Now you can start the server:
```
$ ./bind9-api -k <path to dnskey> -t <your api token>
```
By default, the server will bind to `0.0.0.0:8000`. The host and port to bind
to, can be changed using the `-h` and `-p` flags respectively. For production
use, you should bind to a private IP address (LAN or VLAN) or to `127.0.0.1` and
put the server behind a reverse proxy that offers TLS.
## Client
The client is used to perform changes to the DNS zone from any server. My use
case is to perform LetsEncrypt DNS challenges. The client will look for a
configuration file in `/etc/bind9apiclient.toml` which looks like this:
```
# API server host
host = "http://127.0.0.1:8080"
# API secret
secret = "topsecret"
```
The client can perform two operations: Creating/updating and deleting DNS
records. The client is invoked like this
```
$ ./bind9-api-client -d foo.example.com -r TXT update -v foobar
$ ./bind9-api-client -d foo.example.com -r TXT delete
```
## API Description
```
POST /record
X-Api-Token: <api-token>
{
"name": "foo.example.com",
"value": "127.0.0.1",
"record": "A",
"ttl": 1337
}
```
```
DELETE /record
X-Api-Token: <api-token>
{
"name": "foo.example.com",
"record": "A"
}
```
The API token is a SHA256 HMAC over the request body using a pre-shared secret.
### Security Considerations
The current API design does not migrate replay attacks. An attacker that is able
to intercept a request to the API can resend the same request again to execute
the same operation. To prevent these kinds of attacks, you should use a reverse
proxy and encrypt the connections using TLS. Future versions of the server might
provide TLS functionality by itself.
## Usage with LetsEncrypt
In `letsencrypt/`, two example scripts can be found to use the client as a
certbot hook for DNS challenges. It assumes that the client is located somewhere
in `$PATH` and that the configurations file exists.
## License
This project is licensed under either of
* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or
http://www.apache.org/licenses/LICENSE-2.0)
* MIT license ([LICENSE-MIT](LICENSE-MIT) or
http://opensource.org/licenses/MIT)
at your option.

15
ci/before_deploy.sh Executable file
View File

@ -0,0 +1,15 @@
#!/usr/bin/env bash
set -ex
main() {
local src=$(pwd) \
stage=$src/deploy
mkdir -p $deploy
test -f Cargo.lock || cargo generate-lockfile
cp target/x86_64-unknown-linux-musl/release/bind9-api $stage/bind9-api-${TRAVIS-TAG:1}-x86_64-musl
cp target/x86_64-unknown-linux-musl/release/bind9-api-client $stage/bind9-api-client-${TRAVIS-TAG:1}-x86_64-musl
}

194
client/Cargo.lock generated Normal file
View File

@ -0,0 +1,194 @@
[[package]]
name = "ansi_term"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "atty"
version = "0.2.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
"termion 1.5.1 (registry+https://github.com/rust-lang/crates.io-index)",
"winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "bind9-api-client"
version = "0.1.0"
dependencies = [
"clap 2.32.0 (registry+https://github.com/rust-lang/crates.io-index)",
"serde 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)",
"serde_derive 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)",
"toml 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "bitflags"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "clap"
version = "2.32.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
"atty 0.2.10 (registry+https://github.com/rust-lang/crates.io-index)",
"bitflags 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
"strsim 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)",
"textwrap 0.10.0 (registry+https://github.com/rust-lang/crates.io-index)",
"unicode-width 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
"vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "libc"
version = "0.2.42"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "proc-macro2"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "quote"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "redox_syscall"
version = "0.1.40"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "redox_termios"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"redox_syscall 0.1.40 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "serde"
version = "1.0.69"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "serde_derive"
version = "1.0.69"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
"quote 0.6.3 (registry+https://github.com/rust-lang/crates.io-index)",
"syn 0.14.4 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "strsim"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "syn"
version = "0.14.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)",
"quote 0.6.3 (registry+https://github.com/rust-lang/crates.io-index)",
"unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "termion"
version = "1.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)",
"redox_syscall 0.1.40 (registry+https://github.com/rust-lang/crates.io-index)",
"redox_termios 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "textwrap"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"unicode-width 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "toml"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"serde 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "unicode-width"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "unicode-xid"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "vec_map"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "winapi"
version = "0.3.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
"winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[metadata]
"checksum ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
"checksum atty 0.2.10 (registry+https://github.com/rust-lang/crates.io-index)" = "2fc4a1aa4c24c0718a250f0681885c1af91419d242f29eb8f2ab28502d80dbd1"
"checksum bitflags 1.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "d0c54bb8f454c567f21197eefcdbf5679d0bd99f2ddbe52e84c77061952e6789"
"checksum clap 2.32.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b957d88f4b6a63b9d70d5f454ac8011819c6efa7727858f458ab71c756ce2d3e"
"checksum libc 0.2.42 (registry+https://github.com/rust-lang/crates.io-index)" = "b685088df2b950fccadf07a7187c8ef846a959c142338a48f9dc0b94517eb5f1"
"checksum proc-macro2 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)" = "effdb53b25cdad54f8f48843d67398f7ef2e14f12c1b4cb4effc549a6462a4d6"
"checksum quote 0.6.3 (registry+https://github.com/rust-lang/crates.io-index)" = "e44651a0dc4cdd99f71c83b561e221f714912d11af1a4dff0631f923d53af035"
"checksum redox_syscall 0.1.40 (registry+https://github.com/rust-lang/crates.io-index)" = "c214e91d3ecf43e9a4e41e578973adeb14b474f2bee858742d127af75a0112b1"
"checksum redox_termios 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "7e891cfe48e9100a70a3b6eb652fef28920c117d366339687bd5576160db0f76"
"checksum serde 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)" = "210e5a3b159c566d7527e9b22e44be73f2e0fcc330bb78fef4dbccb56d2e74c8"
"checksum serde_derive 1.0.69 (registry+https://github.com/rust-lang/crates.io-index)" = "dd724d68017ae3a7e63600ee4b2fdb3cad2158ffd1821d44aff4580f63e2b593"
"checksum strsim 0.7.0 (registry+https://github.com/rust-lang/crates.io-index)" = "bb4f380125926a99e52bc279241539c018323fab05ad6368b56f93d9369ff550"
"checksum syn 0.14.4 (registry+https://github.com/rust-lang/crates.io-index)" = "2beff8ebc3658f07512a413866875adddd20f4fd47b2a4e6c9da65cd281baaea"
"checksum termion 1.5.1 (registry+https://github.com/rust-lang/crates.io-index)" = "689a3bdfaab439fd92bc87df5c4c78417d3cbe537487274e9b0b2dce76e92096"
"checksum textwrap 0.10.0 (registry+https://github.com/rust-lang/crates.io-index)" = "307686869c93e71f94da64286f9a9524c0f308a9e1c87a583de8e9c9039ad3f6"
"checksum toml 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)" = "a0263c6c02c4db6c8f7681f9fd35e90de799ebd4cfdeab77a38f4ff6b3d8c0d9"
"checksum unicode-width 0.1.5 (registry+https://github.com/rust-lang/crates.io-index)" = "882386231c45df4700b275c7ff55b6f3698780a650026380e72dabe76fa46526"
"checksum unicode-xid 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc"
"checksum vec_map 0.8.1 (registry+https://github.com/rust-lang/crates.io-index)" = "05c78687fb1a80548ae3250346c3db86a80a7cdd77bda190189f2d0a0987c81a"
"checksum winapi 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)" = "773ef9dcc5f24b7d850d0ff101e542ff24c3b090a9768e03ff889fdef41f00fd"
"checksum winapi-i686-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
"checksum winapi-x86_64-pc-windows-gnu 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"

21
client/Cargo.toml Normal file
View File

@ -0,0 +1,21 @@
[package]
name = "bind9-api-client"
version = "0.1.0"
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
description = "Client for the BIND9 API"
license = "MIT/Apache-2.0"
[dependencies]
clap = "2.32.0"
crypto = { path = "../crypto" }
data = { path = "../data" }
failure = "0.1.1"
hyper = "0.11"
log = "0.4.3"
openssl-probe = "0.1.2"
pretty_env_logger = "0.2.3"
reqwest = "0.8.6"
serde = "1.0.69"
serde_derive = "1.0.69"
serde_json = "1.0.22"
toml = "0.4.6"

57
client/src/cli.rs Normal file
View File

@ -0,0 +1,57 @@
// Copyright (c) 2018 Brandl, Valentin <mail+rust@vbrandl.net>
// Author: Brandl, Valentin <mail+rust@vbrandl.net>
//
// Licensed unter the Apache License, Version 2.0 or the MIT license, at your
// option.
//
// ********************************************************************************
//
// Permission is hereby granted, free of charge, to any person obtaining a copy of
// this software and associated documentation files (the "Software"), to deal in
// the Software without restriction, including without limitation the rights to
// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
// the Software, and to permit persons to whom the Software is furnished to do so,
// subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all
// copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// ********************************************************************************
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
pub fn parse_cli() -> ::clap::ArgMatches<'static> {
clap_app!(bind9_api_client =>
(version: crate_version!())
(author: crate_authors!())
(about: crate_description!())
(@arg CONFIG: -c --config +takes_value "Path to config file (Defaults to /etc/bind9apiclient.toml)")
(@arg DOMAIN: -d --domain +takes_value +required "Domain to create")
(@arg RECORD: -r --record +takes_value "The record type (Defaults to TXT)")
(@subcommand update =>
(about: "Creates a new record")
(@arg VALUE: -v --value +takes_value +required "Value to write in the record")
(@arg TTL: -t --ttl + takes_value "TTL of the record (Defaults to 8640)")
)
(@subcommand delete =>
(about: "Deletes a record")
)
).get_matches()
}

157
client/src/main.rs Normal file
View File

@ -0,0 +1,157 @@
// Copyright (c) 2018 Brandl, Valentin <mail+rust@vbrandl.net>
// Author: Brandl, Valentin <mail+rust@vbrandl.net>
//
// Licensed unter the Apache License, Version 2.0 or the MIT license, at your
// option.
//
// ********************************************************************************
//
// Permission is hereby granted, free of charge, to any person obtaining a copy of
// this software and associated documentation files (the "Software"), to deal in
// the Software without restriction, including without limitation the rights to
// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
// the Software, and to permit persons to whom the Software is furnished to do so,
// subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all
// copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// ********************************************************************************
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#[macro_use]
extern crate clap;
extern crate crypto;
extern crate data;
extern crate failure;
#[macro_use]
extern crate hyper;
#[macro_use]
extern crate log;
extern crate openssl_probe;
extern crate pretty_env_logger;
extern crate reqwest;
extern crate serde;
extern crate toml;
#[macro_use]
extern crate serde_derive;
extern crate serde_json;
mod cli;
use failure::Error;
use data::{ApiError, Delete, Record, Update};
use std::borrow::Cow;
type Result<T> = std::result::Result<T, Error>;
header! { (XApiToken, data::TOKEN_HEADER) => [String] }
#[derive(Eq, PartialEq, Clone, Copy)]
enum Method {
POST,
DELETE,
}
#[derive(Deserialize)]
struct Config<'a> {
#[serde(borrow)]
host: Cow<'a, str>,
#[serde(borrow)]
secret: Cow<'a, str>,
}
fn delete(config: &Config, record: Record, domain: &str) -> Result<()> {
let delete = Delete::new(domain.to_owned(), record);
let res = call_api(config, delete, Method::DELETE)?;
if res.status().is_success() {
Ok(())
} else {
Err(ApiError::RequestError.into())
}
}
fn update(config: &Config, record: Record, domain: &str, value: &str, ttl: u32) -> Result<()> {
let update = Update::new(domain.to_owned(), value.to_owned(), record, ttl);
let res = call_api(config, update, Method::POST)?;
if res.status().is_success() {
Ok(())
} else {
Err(ApiError::RequestError.into())
}
}
fn call_api<D: serde::Serialize>(
config: &Config,
data: D,
method: Method,
) -> Result<reqwest::Response> {
let data_s = serde_json::to_string(&data)?;
info!("body: {}", data_s);
let signature = crypto::sign(config.secret.as_bytes(), data_s.as_bytes());
let signature = crypto::bytes_to_hex_str(&signature)?;
let client = reqwest::Client::new();
let url = format!("{}/record", config.host);
Ok(if method == Method::POST {
client.post(&url)
} else {
client.delete(&url)
}.header(XApiToken(signature))
.json(&data)
.send()?)
}
fn main() -> Result<()> {
openssl_probe::init_ssl_cert_env_vars();
std::env::set_var("RUST_LOG", "info");
pretty_env_logger::init();
let matches = cli::parse_cli();
let record: Record = matches
.value_of("RECORD")
.unwrap_or("TXT")
.parse()
.expect("Invalid record type");
let domain = matches.value_of("DOMAIN").unwrap();
let config_path = matches
.value_of("CONFIG")
.unwrap_or("/etc/bind9apiclient.toml");
let config = std::fs::read_to_string(config_path).expect("Cannot read config file");
let config: Config = toml::from_str(&config).expect("Cannot parse config file");
if let Some(matches) = matches.subcommand_matches("update") {
let ttl = matches
.value_of("TTL")
.unwrap_or("8640")
.parse()
.expect("Cannot parse TTL");
update(
&config,
record,
domain,
matches.value_of("VALUE").unwrap(),
ttl,
)?;
} else if matches.subcommand_matches("delete").is_some() {
delete(&config, record, domain)?;
}
Ok(())
}

13
crypto/Cargo.toml Normal file
View File

@ -0,0 +1,13 @@
[package]
name = "crypto"
version = "0.1.0"
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
license = "MIT/Apache-2.0"
[dependencies]
failure = "0.1.1"
hex = "0.3.2"
ring = "0.12.1"
[dev-dependencies]
proptest = "0.8.1"

102
crypto/src/lib.rs Normal file
View File

@ -0,0 +1,102 @@
// Copyright (c) 2018 Brandl, Valentin <mail+rust@vbrandl.net>
// Author: Brandl, Valentin <mail+rust@vbrandl.net>
//
// Licensed unter the Apache License, Version 2.0 or the MIT license, at your
// option.
//
// ********************************************************************************
//
// Permission is hereby granted, free of charge, to any person obtaining a copy of
// this software and associated documentation files (the "Software"), to deal in
// the Software without restriction, including without limitation the rights to
// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
// the Software, and to permit persons to whom the Software is furnished to do so,
// subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all
// copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// ********************************************************************************
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#![deny(missing_docs)]
//! Helper crate for cryptographic operations.
extern crate failure;
extern crate hex;
extern crate ring;
#[cfg(test)]
#[macro_use]
extern crate proptest;
use failure::Error;
use hex::{FromHex, ToHex};
use ring::{digest, hmac};
type Result<T> = std::result::Result<T, Error>;
/// Converts a byte slice to a lowercase hex string.
pub fn bytes_to_hex_str(bytes: &[u8]) -> Result<String> {
let mut output = String::new();
bytes.write_hex(&mut output)?;
Ok(output)
}
/// Converts a hey string to a vec of bytes.
pub fn hex_str_to_bytes(hex_str: &str) -> Result<Vec<u8>> {
Ok(Vec::from_hex(hex_str)?)
}
/// Verifies a HMAC SHA256 signature.
pub fn verify_signature(key: &[u8], msg: &[u8], signature: &[u8]) -> bool {
let key = hmac::VerificationKey::new(&digest::SHA256, key);
hmac::verify(&key, msg, signature)
.map(|_| true)
.unwrap_or(false)
}
/// Creates a HMAC SHA256 signature.
pub fn sign(key: &[u8], msg: &[u8]) -> Vec<u8> {
let key = hmac::SigningKey::new(&digest::SHA256, key);
let signature = hmac::sign(&key, msg);
signature.as_ref().into_iter().cloned().collect()
}
#[cfg(test)]
mod tests {
use super::*;
proptest! {
#[test]
fn sign_verify(key: Vec<u8>, msg: Vec<u8>) {
let sig = sign(&key, &msg);
assert!(verify_signature(&key, &msg, &sig));
}
}
proptest! {
#[test]
fn to_from_hex(data: Vec<u8>) {
assert_eq!(hex_str_to_bytes(&bytes_to_hex_str(&data).unwrap()).unwrap(), data);
}
}
}

10
data/Cargo.toml Normal file
View File

@ -0,0 +1,10 @@
[package]
name = "data"
version = "0.1.0"
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
license = "MIT/Apache-2.0"
[dependencies]
failure = "0.1.1"
serde = "1.0.69"
serde_derive = "1.0.69"

384
data/src/lib.rs Normal file
View File

@ -0,0 +1,384 @@
// Copyright (c) 2018 Brandl, Valentin <mail+rust@vbrandl.net>
// Author: Brandl, Valentin <mail+rust@vbrandl.net>
//
// Licensed unter the Apache License, Version 2.0 or the MIT license, at your
// option.
//
// ********************************************************************************
//
// Permission is hereby granted, free of charge, to any person obtaining a copy of
// this software and associated documentation files (the "Software"), to deal in
// the Software without restriction, including without limitation the rights to
// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
// the Software, and to permit persons to whom the Software is furnished to do so,
// subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all
// copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// ********************************************************************************
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#![deny(missing_docs)]
//! This crate provides definitions for shared types between the client and the server
#[macro_use]
extern crate failure;
#[macro_use]
extern crate serde_derive;
/// The name of the API token header: `X-Api-Token`
pub const TOKEN_HEADER: &str = "X-Api-Token";
/// Enumeration of DNS record types
#[derive(Eq, PartialEq, Deserialize, Serialize, Debug, Clone, Copy)]
pub enum Record {
/// A record
A,
/// AAAA record
AAAA,
/// AFSDB record
AFSDB,
/// APL record
APL,
/// CAA record
CAA,
/// CDNSKEY record
CDNSKEY,
/// CDS record
CDS,
/// CERT record
CERT,
/// CNAME record
CNAME,
/// DHCID record
DHCID,
/// DLV record
DLV,
/// DNAME record
DNAME,
/// DNSKEY record
DNSKEY,
/// DS record
DS,
/// HIP record
HIP,
/// IPSECKEY record
IPSECKEY,
/// KEY record
KEY,
/// KX record
KX,
/// LOC record
LOC,
/// MX record
MX,
/// NAPTR record
NAPTR,
/// NS record
NS,
/// NSEC record
NSEC,
/// NSEC3 record
NSEC3,
/// NSEC3PARAM record
NSEC3PARAM,
/// OPENPGPKEY record
OPENPGPKEY,
/// PTR record
PTR,
/// RRSIG record
RRSIG,
/// RP record
RP,
/// SIG record
SIG,
/// SOA record
SOA,
/// SRV record
SRV,
/// SSHFP record
SSHFP,
/// TA record
TA,
/// TKEY record
TKEY,
/// TLSA record
TLSA,
/// TSIG record
TSIG,
/// TXT record
TXT,
/// URI record
URI,
/// ALIAS record
ALIAS,
}
/// Error types that the API can yield
#[derive(Debug, Fail)]
pub enum ApiError {
/// Error while parsing a DNS record
#[fail(display = "Parse record error")]
ParseRecord,
/// Error while handling a request
#[fail(display = "API Error")]
RequestError,
}
impl std::str::FromStr for Record {
type Err = ApiError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
match s {
"A" | "a" => Ok(Record::A),
"AAAA" | "aaaa" => Ok(Record::AAAA),
"AFSDB" | "afsdb" => Ok(Record::AFSDB),
"APL" | "apl" => Ok(Record::APL),
"CAA" | "caa" => Ok(Record::CAA),
"CDNSKEY" | "cdnskey" => Ok(Record::CDNSKEY),
"CDS" | "cds" => Ok(Record::CDS),
"CERT" | "cert" => Ok(Record::CERT),
"CNAME" | "cname" => Ok(Record::CNAME),
"DHCID" | "dhcid" => Ok(Record::DHCID),
"DLV" | "dlv" => Ok(Record::DLV),
"DNAME" | "dname" => Ok(Record::DNAME),
"DNSKEY" | "dnskey" => Ok(Record::DNSKEY),
"DS" | "ds" => Ok(Record::DS),
"HIP" | "hip" => Ok(Record::HIP),
"IPSECKEY" | "ipseckey" => Ok(Record::IPSECKEY),
"KEY" | "key" => Ok(Record::KEY),
"KX" | "kx" => Ok(Record::KX),
"LOC" | "loc" => Ok(Record::LOC),
"MX" | "mx" => Ok(Record::MX),
"NAPTR" | "naptr" => Ok(Record::NAPTR),
"NS" | "ns" => Ok(Record::NS),
"NSEC" | "nsec" => Ok(Record::NSEC),
"NSEC3" | "nsec3" => Ok(Record::NSEC3),
"NSEC3PARAM" | "nsec3param" => Ok(Record::NSEC3PARAM),
"OPENPGPKEY" | "openpgpkey" => Ok(Record::OPENPGPKEY),
"PTR" | "ptr" => Ok(Record::PTR),
"RRSIG" | "rrsig" => Ok(Record::RRSIG),
"RP" | "rp" => Ok(Record::RP),
"SIG" | "sig" => Ok(Record::SIG),
"SOA" | "soa" => Ok(Record::SOA),
"SRV" | "srv" => Ok(Record::SRV),
"SSHFP" | "sshfp" => Ok(Record::SSHFP),
"TA" | "ta" => Ok(Record::TA),
"TKEY" | "tkey" => Ok(Record::TKEY),
"TLSA" | "tlsa" => Ok(Record::TLSA),
"TSIG" | "tsig" => Ok(Record::TSIG),
"TXT" | "txt" => Ok(Record::TXT),
"URI" | "uri" => Ok(Record::URI),
"ALIAS" | "alias" => Ok(Record::ALIAS),
_ => Err(ApiError::ParseRecord),
}
}
}
impl std::fmt::Display for Record {
fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
write!(
f,
"{}",
match *self {
Record::A => "A",
Record::AAAA => "AAAA",
Record::AFSDB => "AFSDB",
Record::APL => "APL",
Record::CAA => "CAA",
Record::CDNSKEY => "CDNSKEY",
Record::CDS => "CDS",
Record::CERT => "CERT",
Record::CNAME => "CNAME",
Record::DHCID => "DHCID",
Record::DLV => "DLV",
Record::DNAME => "DNAME",
Record::DNSKEY => "DNSKEY",
Record::DS => "DS",
Record::HIP => "HIP",
Record::IPSECKEY => "IPSECKEY",
Record::KEY => "KEY",
Record::KX => "KX",
Record::LOC => "LOC",
Record::MX => "MX",
Record::NAPTR => "NAPTR",
Record::NS => "NS",
Record::NSEC => "NSEC",
Record::NSEC3 => "NSEC3",
Record::NSEC3PARAM => "NSEC3PARAM",
Record::OPENPGPKEY => "OPENPGPKEY",
Record::PTR => "PTR",
Record::RRSIG => "RRSIG",
Record::RP => "RP",
Record::SIG => "SIG",
Record::SOA => "SOA",
Record::SRV => "SRV",
Record::SSHFP => "SSHFP",
Record::TA => "TA",
Record::TKEY => "TKEY",
Record::TLSA => "TLSA",
Record::TSIG => "TSIG",
Record::TXT => "TXT",
Record::URI => "URI",
Record::ALIAS => "ALIAS",
}
)
}
}
/// Data for an update request containing the domain name, record type,
/// record value and TTL.
#[derive(Deserialize, Serialize)]
pub struct Update {
name: String,
value: String,
record: Record,
ttl: u32,
}
impl Update {
/// Creates a new Update object.
pub fn new(name: String, value: String, record: Record, ttl: u32) -> Self {
Self {
name,
value,
record,
ttl,
}
}
/// Returns a reference to the name field.
#[inline]
pub fn name(&self) -> &str {
&self.name
}
/// Returns a reference to the value field.
#[inline]
pub fn value(&self) -> &str {
&self.value
}
/// Returns the record field.
#[inline]
pub fn record(&self) -> Record {
self.record
}
/// Returns the TTL.
#[inline]
pub fn ttl(&self) -> u32 {
self.ttl
}
}
/// Data of a delete request, containing the domain name and record type.
#[derive(Deserialize, Serialize)]
pub struct Delete {
name: String,
record: Record,
}
impl Delete {
/// Creates a new Delete object.
pub fn new(name: String, record: Record) -> Self {
Self { name, record }
}
/// Returns a reference to the name field.
#[inline]
pub fn name(&self) -> &str {
&self.name
}
/// Returns the record type.
#[inline]
pub fn record(&self) -> Record {
self.record
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn parse_record() {
assert_eq!("a".parse::<Record>().unwrap(), Record::A);
assert_eq!("A".parse::<Record>().unwrap(), Record::A);
assert_eq!("aaaa".parse::<Record>().unwrap(), Record::AAAA);
assert_eq!("AAAA".parse::<Record>().unwrap(), Record::AAAA);
assert_eq!("txt".parse::<Record>().unwrap(), Record::TXT);
assert_eq!("TXT".parse::<Record>().unwrap(), Record::TXT);
assert_eq!("PTR".parse::<Record>().unwrap(), Record::PTR);
assert_eq!("ptr".parse::<Record>().unwrap(), Record::PTR);
assert!(!"aAaA".parse::<Record>().is_ok());
}
#[test]
fn record_to_str_and_parse_equals_input() {
assert!(validate_record_parsing(Record::A));
assert!(validate_record_parsing(Record::AAAA));
assert!(validate_record_parsing(Record::AFSDB));
assert!(validate_record_parsing(Record::APL));
assert!(validate_record_parsing(Record::CAA));
assert!(validate_record_parsing(Record::CDNSKEY));
assert!(validate_record_parsing(Record::CDS));
assert!(validate_record_parsing(Record::CERT));
assert!(validate_record_parsing(Record::CNAME));
assert!(validate_record_parsing(Record::DHCID));
assert!(validate_record_parsing(Record::DLV));
assert!(validate_record_parsing(Record::DNAME));
assert!(validate_record_parsing(Record::DNSKEY));
assert!(validate_record_parsing(Record::DS));
assert!(validate_record_parsing(Record::HIP));
assert!(validate_record_parsing(Record::IPSECKEY));
assert!(validate_record_parsing(Record::KEY));
assert!(validate_record_parsing(Record::KX));
assert!(validate_record_parsing(Record::LOC));
assert!(validate_record_parsing(Record::MX));
assert!(validate_record_parsing(Record::NAPTR));
assert!(validate_record_parsing(Record::NS));
assert!(validate_record_parsing(Record::NSEC));
assert!(validate_record_parsing(Record::NSEC3));
assert!(validate_record_parsing(Record::NSEC3PARAM));
assert!(validate_record_parsing(Record::OPENPGPKEY));
assert!(validate_record_parsing(Record::PTR));
assert!(validate_record_parsing(Record::RRSIG));
assert!(validate_record_parsing(Record::RP));
assert!(validate_record_parsing(Record::SIG));
assert!(validate_record_parsing(Record::SOA));
assert!(validate_record_parsing(Record::SRV));
assert!(validate_record_parsing(Record::SSHFP));
assert!(validate_record_parsing(Record::TA));
assert!(validate_record_parsing(Record::TKEY));
assert!(validate_record_parsing(Record::TLSA));
assert!(validate_record_parsing(Record::TSIG));
assert!(validate_record_parsing(Record::TXT));
assert!(validate_record_parsing(Record::URI));
assert!(validate_record_parsing(Record::ALIAS));
}
fn validate_record_parsing(record: Record) -> bool {
format!("{}", record).parse::<Record>().unwrap() == record
}
}

3
letsencrypt/certbot-bind9-auth Normal file
View File

@ -0,0 +1,3 @@
#!/usr/bin/env sh
bind9-api-client -d "_acme-challenge.$CERTBOT_DOMAIN" -r TXT update -v "$CERTBOT_VALIDATION"

3
letsencrypt/certbot-bind9-cleanup Normal file
View File

@ -0,0 +1,3 @@
#!/usr/bin/env sh
bind9-api-client -d "_acme-challenge.$CERTBOT_DOMAIN" -r TXT delete

1741
server/Cargo.lock generated Normal file
View File

File diff suppressed because it is too large Load Diff

18
server/Cargo.toml Normal file
View File

@ -0,0 +1,18 @@
[package]
name = "bind9-api"
version = "0.1.0"
authors = ["Valentin Brandl <vbrandl@riseup.net>"]
description = "Web API to create, update and remove DNS entries in bind9"
license = "MIT/Apache-2.0"
[dependencies]
actix-web = "0.6.14"
clap = "2.31.2"
crypto = { path = "../crypto" }
data = { path = "../data" }
failure = "0.1.1"
futures = "0.1.21"
log = "0.4.3"
pretty_env_logger = "0.2.3"
serde = "1.0.69"
serde_json = "1.0.22"

53
server/src/cli.rs Normal file
View File

@ -0,0 +1,53 @@
// Copyright (c) 2018 Brandl, Valentin <mail+rust@vbrandl.net>
// Author: Brandl, Valentin <mail+rust@vbrandl.net>
//
// Licensed unter the Apache License, Version 2.0 or the MIT license, at your
// option.
//
// ********************************************************************************
//
// Permission is hereby granted, free of charge, to any person obtaining a copy of
// this software and associated documentation files (the "Software"), to deal in
// the Software without restriction, including without limitation the rights to
// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
// the Software, and to permit persons to whom the Software is furnished to do so,
// subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all
// copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// ********************************************************************************
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
pub fn parse_args() -> ::clap::ArgMatches<'static> {
clap_app!(api =>
(version: crate_version!())
(author: crate_authors!())
(about: crate_description!())
(@arg TOKEN: -t --token +required +takes_value "Token to authenticate against the API")
(@arg CMD: -c --command +takes_value "Nsupdate command (Defaults to nsupdate)")
(@arg KEYPATH: -k --keypath +required +takes_value "Path to the DNS key")
(@arg OKMARK: -m --marker +takes_value "Marker to detect if a operation was successful")
(@arg PORT: -p --port +takes_value "Port to listen on (Defaults to 8000)")
(@arg HOST: -h --host +takes_value "Host to listen on (Defaults to 0.0.0.0)")
(@arg SERVER: -s --server +takes_value "Bind server (Defaults to 127.0.0.1)")
).get_matches()
}

158
server/src/main.rs Normal file
View File

@ -0,0 +1,158 @@
// Copyright (c) 2018 Brandl, Valentin <mail+rust@vbrandl.net>
// Author: Brandl, Valentin <mail+rust@vbrandl.net>
//
// Licensed unter the Apache License, Version 2.0 or the MIT license, at your
// option.
//
// ********************************************************************************
//
// Permission is hereby granted, free of charge, to any person obtaining a copy of
// this software and associated documentation files (the "Software"), to deal in
// the Software without restriction, including without limitation the rights to
// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
// the Software, and to permit persons to whom the Software is furnished to do so,
// subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all
// copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// ********************************************************************************
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
extern crate actix_web;
extern crate crypto;
extern crate data;
#[macro_use]
extern crate clap;
#[macro_use]
extern crate failure;
extern crate futures;
#[macro_use]
extern crate log;
extern crate pretty_env_logger;
extern crate serde;
extern crate serde_json;
mod cli;
mod util;
use actix_web::{
error::{self, ErrorInternalServerError}, http, middleware::Logger, server, App, Result, State,
};
use data::{Delete, Update};
use failure::Error;
use std::{
io::Write, process::{Command, Stdio}, sync::Arc,
};
use util::{Config, ExecuteError, Validated};
fn execute_nsupdate(input: &str, config: &Config) -> Result<String, Error> {
info!("executing update: {}", input);
let mut cmd = Command::new(config.command())
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.args(&["-k", config.key_path()])
.spawn()?;
{
let stdin = cmd.stdin.as_mut().ok_or(ExecuteError::Stdin)?;
stdin.write_all(input.as_bytes())?;
}
let output = cmd.wait_with_output()?.stdout;
let output = String::from_utf8(output)?;
info!("output: {}", output);
Ok(output)
}
fn delete(
(delete, state): (Validated<Delete>, State<Arc<Config>>),
) -> Result<&'static str, error::Error> {
info!("Deleting {} record for {}", delete.record(), delete.name());
let stdin = format!(
"server {}\nupdate delete {} {}\nsend\n",
state.server(),
delete.name(),
delete.record()
);
Ok(execute_nsupdate(&stdin, &state)
.map_err(|_| ErrorInternalServerError("Error executing nsupdate"))
.and_then(|s| {
if s.contains(state.ok_marker()) {
Ok("OK")
} else {
Err(ErrorInternalServerError("Marker not found"))
}
})?)
}
fn update(
(update, state): (Validated<Update>, State<Arc<Config>>),
) -> Result<&'static str, error::Error> {
info!(
"Updating {} record for {} with value \"{}\"",
update.record(),
update.name(),
update.value()
);
let stdin = format!(
"server {}\nupdate add {} {} {} {}\nsend\n",
state.server(),
update.name(),
update.ttl(),
update.record(),
update.value()
);
Ok(execute_nsupdate(&stdin, &state)
.map_err(|_| ErrorInternalServerError("Error executing nsupdate"))
.and_then(|s| {
if s.contains(state.ok_marker()) {
Ok("OK")
} else {
Err(ErrorInternalServerError("Marker not found"))
}
})?)
}
fn main() {
std::env::set_var("RUST_LOG", "info");
pretty_env_logger::init();
let matches = cli::parse_args();
let token = matches.value_of("TOKEN").unwrap().to_owned();
let command = matches.value_of("CMD").unwrap_or("nsupdate").to_owned();
let key_path = matches.value_of("KEYPATH").unwrap().to_owned();
let ok_marker = matches.value_of("OKMARK").unwrap_or("").to_owned();
let server = matches.value_of("SERVER").unwrap_or("127.0.0.1").to_owned();
let config = Arc::new(Config::new(token, command, key_path, ok_marker, server));
let port: u16 = matches
.value_of("PORT")
.unwrap_or("8000")
.parse()
.expect("Cannot parse port");
let host = matches.value_of("HOST").unwrap_or("0.0.0.0");
let host = format!("{}:{}", host, port);
server::new(move || {
App::with_state(config.clone())
.middleware(Logger::default())
.route("/record", http::Method::POST, update)
.route("/record", http::Method::DELETE, delete)
}).bind(host)
.unwrap()
.run();
}

147
server/src/util.rs Normal file
View File

@ -0,0 +1,147 @@
// Copyright (c) 2018 Brandl, Valentin <mail+rust@vbrandl.net>
// Author: Brandl, Valentin <mail+rust@vbrandl.net>
//
// Licensed unter the Apache License, Version 2.0 or the MIT license, at your
// option.
//
// ********************************************************************************
//
// Permission is hereby granted, free of charge, to any person obtaining a copy of
// this software and associated documentation files (the "Software"), to deal in
// the Software without restriction, including without limitation the rights to
// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
// the Software, and to permit persons to whom the Software is furnished to do so,
// subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in all
// copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
// ********************************************************************************
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
use actix_web::{
error::{Error, ErrorInternalServerError, ErrorUnauthorized, JsonPayloadError, ParseError},
FromRequest, HttpMessage, HttpRequest, Result,
};
use futures::future::{err as FutErr, Future};
use std::{ops::Deref, sync::Arc};
#[derive(Debug, Fail)]
pub enum ExecuteError {
#[fail(display = "Stdin error")]
Stdin,
}
pub struct Config {
token: String,
command: String,
key_path: String,
ok_marker: String,
server: String,
}
impl Config {
pub fn new(
token: String,
command: String,
key_path: String,
ok_marker: String,
server: String,
) -> Self {
Self {
token,
command,
key_path,
ok_marker,
server,
}
}
#[inline]
pub fn token(&self) -> &str {
&self.token
}
#[inline]
pub fn command(&self) -> &str {
&self.command
}
#[inline]
pub fn key_path(&self) -> &str {
&self.key_path
}
#[inline]
pub fn ok_marker(&self) -> &str {
&self.ok_marker
}
#[inline]
pub fn server(&self) -> &str {
&self.server
}
}
pub struct Validated<T>(T);
impl<T: 'static + ::serde::de::DeserializeOwned> FromRequest<Arc<Config>> for Validated<T> {
type Config = ();
type Result = Box<Future<Item = Self, Error = Error>>;
fn from_request(req: &HttpRequest<Arc<Config>>, _: &Self::Config) -> Self::Result {
let state = req.state().clone();
let sig = extract_signature(&req);
if sig.is_err() {
return Box::new(FutErr(sig.unwrap_err()));
}
let sig = sig.unwrap();
Box::new(req.clone().body().from_err().and_then(move |body| {
if ::crypto::verify_signature(state.token().as_bytes(), &body, &sig) {
let delete: T = ::serde_json::from_slice(&body)
.map_err(|e| ErrorInternalServerError(JsonPayloadError::Deserialize(e)))?;
Ok(Validated(delete))
} else {
Err(ErrorUnauthorized(ParseError::Header))
}
}))
}
}
impl<T> Deref for Validated<T> {
type Target = T;
fn deref(&self) -> &T {
&self.0
}
}
fn extract_signature<S>(req: &HttpRequest<S>) -> Result<Vec<u8>> {
Ok(req.headers()
.get(::data::TOKEN_HEADER)
.as_ref()
.ok_or_else(|| ErrorUnauthorized(ParseError::Header))?
.to_str()
.map_err(ErrorUnauthorized)
.and_then(|s| {
::crypto::hex_str_to_bytes(s).map_err(|_| ErrorUnauthorized(ParseError::Header))
})
.map_err(ErrorUnauthorized)?)
}