-
Notifications
You must be signed in to change notification settings - Fork 0
/
cdh.go
255 lines (220 loc) · 6.43 KB
/
cdh.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
// CDH: CertBot DANE hook
// Copyright (C) 2019-2024 Yishen Miao
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package main
import (
"context"
"crypto/x509"
"encoding/json"
"encoding/pem"
"flag"
"fmt"
"log"
"os"
"path/filepath"
"strings"
"github.com/miekg/dns"
"github.com/sethvargo/go-envconfig"
gcdns "google.golang.org/api/dns/v1"
"google.golang.org/api/option"
)
// config holds the configuration values for the application, including
// the domains to be renewed and the path to the renewed certificate.
type config struct {
Domains []string `env:"RENEWED_DOMAINS, delimiter= "`
Cert string `env:"RENEWED_LINEAGE"`
}
// tlsa represents the DANE (DNS-based Authentication of Named Entities)
// information for a certificate, including the trust anchor, end entity,
// and associated DNS names.
type tlsa struct {
TrustAnchor string
EndEntity string
DNSNames []string
}
// NewTLSA creates a new instance of the tlsa struct with initialized DNSNames slice.
// It returns a pointer to the newly created tlsa instance.
func NewTLSA() *tlsa {
var t tlsa
t.DNSNames = make([]string, 0)
return &t
}
// ReadCert processes an x509.Certificate and populates the tlsa struct with
// the appropriate DANE (DNS-based Authentication of Named Entities) information.
// If the certificate is a CA (Certificate Authority), it sets the TrustAnchor field.
// Otherwise, it sets the EndEntity field and processes the DNS names associated
// with the certificate, ensuring each DNS name ends with a dot.
//
// Parameters:
// - c: A pointer to an x509.Certificate to be processed.
//
// Returns:
// - error: An error if the conversion to DANE fails, otherwise nil.
func (t *tlsa) ReadCert(c *x509.Certificate) error {
if dane, err := dns.CertificateToDANE(1, 1, c); err != nil {
return err
} else if c.IsCA {
t.TrustAnchor = dane
} else {
t.EndEntity = dane
for _, d := range c.DNSNames {
// Adds dot for DNS
if !strings.HasSuffix(d, ".") {
t.DNSNames = append(t.DNSNames, d+".")
} else {
t.DNSNames = append(t.DNSNames, d)
}
}
}
return nil
}
// MakeRRData generates the resource record data for the TLSA record.
// It returns a slice of strings containing the TLSA record data.
func (t tlsa) MakeRRData() []string {
r := []string{
fmt.Sprintf(
"3 1 1 %s",
t.EndEntity,
),
fmt.Sprintf(
"2 1 1 %s",
t.TrustAnchor,
),
}
return r
}
var (
keyPath, zone string
)
// readCert reads the certificate from the specified file path and returns
// a tlsa struct populated with the DANE information. It returns an error
// if the certificate cannot be read or processed.
func readCert(f string) (*tlsa, error) {
t := NewTLSA()
data, err := os.ReadFile(filepath.Join(filepath.Clean(f), "fullchain.pem"))
if err != nil {
return nil, err
}
for b, r := pem.Decode(data); b != nil; b, r = pem.Decode(r) {
cert, err := x509.ParseCertificate(b.Bytes)
if err != nil {
return nil, err
}
err = t.ReadCert(cert)
if err != nil {
return nil, err
}
}
return t, nil
}
// newDNSClient reads a JSON key file and returns a DNS client, the project ID,
// and any error that occurred.
func newDNSClient(f string) (*gcdns.Service, string, error) {
var projectID string
var err error
data, err := os.ReadFile(filepath.Clean(f))
if err != nil {
return nil, projectID, err
}
var info map[string]string
err = json.Unmarshal(data, &info)
if err != nil {
return nil, projectID, err
}
if p, ok := info["project_id"]; ok {
projectID = p
}
dnsSer, err := gcdns.NewService(
context.Background(),
option.WithCredentialsJSON(data),
option.WithScopes(gcdns.NdevClouddnsReadwriteScope),
)
if err != nil {
return nil, projectID, err
}
return dnsSer, projectID, nil
}
// newChange creates a new DNS change set based on the provided resource record sets
// and the tlsa struct. It returns a pointer to the created gcdns.Change struct.
func newChange(rR []*gcdns.ResourceRecordSet, t *tlsa) *gcdns.Change {
cset := gcdns.Change{}
// Build a map of resource record sets
recordMap := make(map[string][]*gcdns.ResourceRecordSet)
for _, r := range rR {
if r.Type == "TLSA" {
domain := strings.SplitN(r.Name, ".", 3)[2] // Remove the TLSA prefix from the domain name
recordMap[domain] = append(recordMap[domain], r)
}
}
for _, dnsName := range t.DNSNames {
// Check if the DNS name exists in the map
if rList, ok := recordMap[dnsName]; ok {
for _, r := range rList {
// Append the original record to cset.Deletions
cset.Deletions = append(cset.Deletions, r)
// Create a new resource record set with updated Rrdatas
newRecord := &gcdns.ResourceRecordSet{
Kind: r.Kind,
Name: r.Name,
Ttl: r.Ttl,
Type: r.Type,
Rrdatas: t.MakeRRData(),
}
cset.Additions = append(cset.Additions, newRecord)
}
} else {
// Create a new resource record set with default values
newRecord := &gcdns.ResourceRecordSet{
Kind: "dns#resourceRecordSet",
Name: "_443._tcp." + dnsName,
Ttl: 300,
Type: "TLSA",
Rrdatas: t.MakeRRData(),
}
cset.Additions = append(cset.Additions, newRecord)
}
}
return &cset
}
func main() {
flag.StringVar(&keyPath, "k", "", "path to the Google Cloud key file")
flag.StringVar(&zone, "z", "", "name of the DNS zone")
flag.Parse()
var err error
ctx := context.Background()
cfg := config{}
if err = envconfig.Process(ctx, &cfg); err != nil {
log.Fatal(err)
}
log.Println(cfg)
domains, err := readCert(cfg.Cert)
if err != nil {
log.Fatal(err)
}
dnsService, project, err := newDNSClient(keyPath)
if err != nil {
log.Fatal(err)
}
records, err := dnsService.ResourceRecordSets.List(project, zone).Do()
if err != nil {
log.Fatal(err)
}
cset := newChange(records.Rrsets, domains)
change, err := dnsService.Changes.Create(project, zone, cset).Do()
if err != nil {
log.Fatal(err)
}
fmt.Println(change.Status)
}