328 lines
9.7 KiB

  1. #!/usr/bin/env sh
  2. ########
  3. # Custom cyon.ch DNS API for use with [acme.sh](https://github.com/acmesh-official/acme.sh)
  4. #
  5. # Usage: acme.sh --issue --dns dns_cyon -d www.domain.com
  6. #
  7. # Dependencies:
  8. # -------------
  9. # - oathtool (When using 2 Factor Authentication)
  10. #
  11. # Issues:
  12. # -------
  13. # Any issues / questions / suggestions can be posted here:
  14. # https://github.com/noplanman/cyon-api/issues
  15. #
  16. # Author: Armando Lüscher <armando@noplanman.ch>
  17. ########
  18. dns_cyon_add() {
  19. _cyon_load_credentials \
  20. && _cyon_load_parameters "$@" \
  21. && _cyon_print_header "add" \
  22. && _cyon_login \
  23. && _cyon_change_domain_env \
  24. && _cyon_add_txt \
  25. && _cyon_logout
  26. }
  27. dns_cyon_rm() {
  28. _cyon_load_credentials \
  29. && _cyon_load_parameters "$@" \
  30. && _cyon_print_header "delete" \
  31. && _cyon_login \
  32. && _cyon_change_domain_env \
  33. && _cyon_delete_txt \
  34. && _cyon_logout
  35. }
  36. #########################
  37. ### PRIVATE FUNCTIONS ###
  38. #########################
  39. _cyon_load_credentials() {
  40. # Convert loaded password to/from base64 as needed.
  41. if [ "${CY_Password_B64}" ]; then
  42. CY_Password="$(printf "%s" "${CY_Password_B64}" | _dbase64 "multiline")"
  43. elif [ "${CY_Password}" ]; then
  44. CY_Password_B64="$(printf "%s" "${CY_Password}" | _base64)"
  45. fi
  46. if [ -z "${CY_Username}" ] || [ -z "${CY_Password}" ]; then
  47. # Dummy entries to satisfy script checker.
  48. CY_Username=""
  49. CY_Password=""
  50. CY_OTP_Secret=""
  51. _err ""
  52. _err "You haven't set your cyon.ch login credentials yet."
  53. _err "Please set the required cyon environment variables."
  54. _err ""
  55. return 1
  56. fi
  57. # Save the login credentials to the account.conf file.
  58. _debug "Save credentials to account.conf"
  59. _saveaccountconf CY_Username "${CY_Username}"
  60. _saveaccountconf CY_Password_B64 "$CY_Password_B64"
  61. if [ ! -z "${CY_OTP_Secret}" ]; then
  62. _saveaccountconf CY_OTP_Secret "$CY_OTP_Secret"
  63. else
  64. _clearaccountconf CY_OTP_Secret
  65. fi
  66. }
  67. _cyon_is_idn() {
  68. _idn_temp="$(printf "%s" "${1}" | tr -d "0-9a-zA-Z.,-_")"
  69. _idn_temp2="$(printf "%s" "${1}" | grep -o "xn--")"
  70. [ "$_idn_temp" ] || [ "$_idn_temp2" ]
  71. }
  72. _cyon_load_parameters() {
  73. # Read the required parameters to add the TXT entry.
  74. # shellcheck disable=SC2018,SC2019
  75. fulldomain="$(printf "%s" "${1}" | tr "A-Z" "a-z")"
  76. fulldomain_idn="${fulldomain}"
  77. # Special case for IDNs, as cyon needs a domain environment change,
  78. # which uses the "pretty" instead of the punycode version.
  79. if _cyon_is_idn "${fulldomain}"; then
  80. if ! _exists idn; then
  81. _err "Please install idn to process IDN names."
  82. _err ""
  83. return 1
  84. fi
  85. fulldomain="$(idn -u "${fulldomain}")"
  86. fulldomain_idn="$(idn -a "${fulldomain}")"
  87. fi
  88. _debug fulldomain "${fulldomain}"
  89. _debug fulldomain_idn "${fulldomain_idn}"
  90. txtvalue="${2}"
  91. _debug txtvalue "${txtvalue}"
  92. # This header is required for curl calls.
  93. _H1="X-Requested-With: XMLHttpRequest"
  94. export _H1
  95. }
  96. _cyon_print_header() {
  97. if [ "${1}" = "add" ]; then
  98. _info ""
  99. _info "+---------------------------------------------+"
  100. _info "| Adding DNS TXT entry to your cyon.ch domain |"
  101. _info "+---------------------------------------------+"
  102. _info ""
  103. _info " * Full Domain: ${fulldomain}"
  104. _info " * TXT Value: ${txtvalue}"
  105. _info ""
  106. elif [ "${1}" = "delete" ]; then
  107. _info ""
  108. _info "+-------------------------------------------------+"
  109. _info "| Deleting DNS TXT entry from your cyon.ch domain |"
  110. _info "+-------------------------------------------------+"
  111. _info ""
  112. _info " * Full Domain: ${fulldomain}"
  113. _info ""
  114. fi
  115. }
  116. _cyon_get_cookie_header() {
  117. printf "Cookie: %s" "$(grep "cyon=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'cyon=[^;]*;' | tr -d ';')"
  118. }
  119. _cyon_login() {
  120. _info " - Logging in..."
  121. username_encoded="$(printf "%s" "${CY_Username}" | _url_encode)"
  122. password_encoded="$(printf "%s" "${CY_Password}" | _url_encode)"
  123. login_url="https://my.cyon.ch/auth/index/dologin-async"
  124. login_data="$(printf "%s" "username=${username_encoded}&password=${password_encoded}&pathname=%2F")"
  125. login_response="$(_post "$login_data" "$login_url")"
  126. _debug login_response "${login_response}"
  127. # Bail if login fails.
  128. if [ "$(printf "%s" "${login_response}" | _cyon_get_response_success)" != "success" ]; then
  129. _err " $(printf "%s" "${login_response}" | _cyon_get_response_message)"
  130. _err ""
  131. return 1
  132. fi
  133. _info " success"
  134. # NECESSARY!! Load the main page after login, to get the new cookie.
  135. _H2="$(_cyon_get_cookie_header)"
  136. export _H2
  137. _get "https://my.cyon.ch/" >/dev/null
  138. # todo: instead of just checking if the env variable is defined, check if we actually need to do a 2FA auth request.
  139. # 2FA authentication with OTP?
  140. if [ ! -z "${CY_OTP_Secret}" ]; then
  141. _info " - Authorising with OTP code..."
  142. if ! _exists oathtool; then
  143. _err "Please install oathtool to use 2 Factor Authentication."
  144. _err ""
  145. return 1
  146. fi
  147. # Get OTP code with the defined secret.
  148. otp_code="$(oathtool --base32 --totp "${CY_OTP_Secret}" 2>/dev/null)"
  149. login_otp_url="https://my.cyon.ch/auth/multi-factor/domultifactorauth-async"
  150. login_otp_data="totpcode=${otp_code}&pathname=%2F&rememberme=0"
  151. login_otp_response="$(_post "$login_otp_data" "$login_otp_url")"
  152. _debug login_otp_response "${login_otp_response}"
  153. # Bail if OTP authentication fails.
  154. if [ "$(printf "%s" "${login_otp_response}" | _cyon_get_response_success)" != "success" ]; then
  155. _err " $(printf "%s" "${login_otp_response}" | _cyon_get_response_message)"
  156. _err ""
  157. return 1
  158. fi
  159. _info " success"
  160. fi
  161. _info ""
  162. }
  163. _cyon_logout() {
  164. _info " - Logging out..."
  165. _get "https://my.cyon.ch/auth/index/dologout" >/dev/null
  166. _info " success"
  167. _info ""
  168. }
  169. _cyon_change_domain_env() {
  170. _info " - Changing domain environment..."
  171. # Get the "example.com" part of the full domain name.
  172. domain_env="$(printf "%s" "${fulldomain}" | sed -E -e 's/.*\.(.*\..*)$/\1/')"
  173. _debug "Changing domain environment to ${domain_env}"
  174. gloo_item_key="$(_get "https://my.cyon.ch/domain/" | tr '\n' ' ' | sed -E -e "s/.*data-domain=\"${domain_env}\"[^<]*data-itemkey=\"([^\"]*).*/\1/")"
  175. _debug gloo_item_key "${gloo_item_key}"
  176. domain_env_url="https://my.cyon.ch/user/environment/setdomain/d/${domain_env}/gik/${gloo_item_key}"
  177. domain_env_response="$(_get "${domain_env_url}")"
  178. _debug domain_env_response "${domain_env_response}"
  179. if ! _cyon_check_if_2fa_missed "${domain_env_response}"; then return 1; fi
  180. domain_env_success="$(printf "%s" "${domain_env_response}" | _egrep_o '"authenticated":\w*' | cut -d : -f 2)"
  181. # Bail if domain environment change fails.
  182. if [ "${domain_env_success}" != "true" ]; then
  183. _err " $(printf "%s" "${domain_env_response}" | _cyon_get_response_message)"
  184. _err ""
  185. return 1
  186. fi
  187. _info " success"
  188. _info ""
  189. }
  190. _cyon_add_txt() {
  191. _info " - Adding DNS TXT entry..."
  192. add_txt_url="https://my.cyon.ch/domain/dnseditor/add-record-async"
  193. add_txt_data="zone=${fulldomain_idn}.&ttl=900&type=TXT&value=${txtvalue}"
  194. add_txt_response="$(_post "$add_txt_data" "$add_txt_url")"
  195. _debug add_txt_response "${add_txt_response}"
  196. if ! _cyon_check_if_2fa_missed "${add_txt_response}"; then return 1; fi
  197. add_txt_message="$(printf "%s" "${add_txt_response}" | _cyon_get_response_message)"
  198. add_txt_status="$(printf "%s" "${add_txt_response}" | _cyon_get_response_status)"
  199. # Bail if adding TXT entry fails.
  200. if [ "${add_txt_status}" != "true" ]; then
  201. _err " ${add_txt_message}"
  202. _err ""
  203. return 1
  204. fi
  205. _info " success (TXT|${fulldomain_idn}.|${txtvalue})"
  206. _info ""
  207. }
  208. _cyon_delete_txt() {
  209. _info " - Deleting DNS TXT entry..."
  210. list_txt_url="https://my.cyon.ch/domain/dnseditor/list-async"
  211. list_txt_response="$(_get "${list_txt_url}" | sed -e 's/data-hash/\\ndata-hash/g')"
  212. _debug list_txt_response "${list_txt_response}"
  213. if ! _cyon_check_if_2fa_missed "${list_txt_response}"; then return 1; fi
  214. # Find and delete all acme challenge entries for the $fulldomain.
  215. _dns_entries="$(printf "%b\n" "${list_txt_response}" | sed -n 's/data-hash=\\"\([^"]*\)\\" data-identifier=\\"\([^"]*\)\\".*/\1 \2/p')"
  216. printf "%s" "${_dns_entries}" | while read -r _hash _identifier; do
  217. dns_type="$(printf "%s" "$_identifier" | cut -d'|' -f1)"
  218. dns_domain="$(printf "%s" "$_identifier" | cut -d'|' -f2)"
  219. if [ "${dns_type}" != "TXT" ] || [ "${dns_domain}" != "${fulldomain_idn}." ]; then
  220. continue
  221. fi
  222. hash_encoded="$(printf "%s" "${_hash}" | _url_encode)"
  223. identifier_encoded="$(printf "%s" "${_identifier}" | _url_encode)"
  224. delete_txt_url="https://my.cyon.ch/domain/dnseditor/delete-record-async"
  225. delete_txt_data="$(printf "%s" "hash=${hash_encoded}&identifier=${identifier_encoded}")"
  226. delete_txt_response="$(_post "$delete_txt_data" "$delete_txt_url")"
  227. _debug delete_txt_response "${delete_txt_response}"
  228. if ! _cyon_check_if_2fa_missed "${delete_txt_response}"; then return 1; fi
  229. delete_txt_message="$(printf "%s" "${delete_txt_response}" | _cyon_get_response_message)"
  230. delete_txt_status="$(printf "%s" "${delete_txt_response}" | _cyon_get_response_status)"
  231. # Skip if deleting TXT entry fails.
  232. if [ "${delete_txt_status}" != "true" ]; then
  233. _err " ${delete_txt_message} (${_identifier})"
  234. else
  235. _info " success (${_identifier})"
  236. fi
  237. done
  238. _info " done"
  239. _info ""
  240. }
  241. _cyon_get_response_message() {
  242. _egrep_o '"message":"[^"]*"' | cut -d : -f 2 | tr -d '"'
  243. }
  244. _cyon_get_response_status() {
  245. _egrep_o '"status":\w*' | cut -d : -f 2
  246. }
  247. _cyon_get_response_success() {
  248. _egrep_o '"onSuccess":"[^"]*"' | cut -d : -f 2 | tr -d '"'
  249. }
  250. _cyon_check_if_2fa_missed() {
  251. # Did we miss the 2FA?
  252. if test "${1#*multi_factor_form}" != "${1}"; then
  253. _err " Missed OTP authentication!"
  254. _err ""
  255. return 1
  256. fi
  257. }