Add DNS Provider for ACME-DNS.

cli.go

@@ -198,6 +198,7 @@ Here is an example bash command using the CloudFlare DNS provider:
 	w := tabwriter.NewWriter(os.Stdout, 0, 8, 1, '\t', 0)
 	fmt.Fprintln(w, "Valid providers and their associated credential environment variables:")
 	fmt.Fprintln(w)
+	fmt.Fprintln(w, "\tacme-dns:\tACME_DNS_API_BASE, ACME_DNS_STORAGE_PATH")
 	fmt.Fprintln(w, "\tazure:\tAZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_RESOURCE_GROUP")
 	fmt.Fprintln(w, "\tauroradns:\tAURORA_USER_ID, AURORA_KEY, AURORA_ENDPOINT")
 	fmt.Fprintln(w, "\tbluecat:\tBLUECAT_SERVER_URL, BLUECAT_USER_NAME, BLUECAT_PASSWORD, BLUECAT_CONFIG_NAME, BLUECAT_DNS_VIEW")

providers/dns/acmedns/acmedns.go

@@ -0,0 +1,170 @@
+// Package acmedns implements a DNS provider for solving DNS-01 challenges using
+// Joohoi's acme-dns project. For more information see the ACME-DNS homepage:
+//    https://github.com/joohoi/acme-dns
+package acmedns
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/cpu/goacmedns"
+	"github.com/xenolf/lego/acme"
+	"github.com/xenolf/lego/platform/config/env"
+)
+
+const (
+	// envNamespace is the prefix for ACME-DNS environment variables.
+	envNamespace = "ACME_DNS_"
+	// apiBaseEnvVar is the environment variable name for the ACME-DNS API address
+	// (e.g. https://acmedns.your-domain.com).
+	apiBaseEnvVar = envNamespace + "API_BASE"
+	// storagePathEnvVar is the environment variable name for the ACME-DNS JSON
+	// account data file. A per-domain account will be registered/persisted to
+	// this file and used for TXT updates.
+	storagePathEnvVar = envNamespace + "STORAGE_PATH"
+)
+
+// acmeDNSClient is an interface describing the goacmedns.Client functions
+// the DNSProvider uses. It makes it easier for tests to shim a mock Client into
+// the DNSProvider.
+type acmeDNSClient interface {
+	// UpdateTXTRecord updates the provided account's TXT record to the given
+	// value or returns an error.
+	UpdateTXTRecord(goacmedns.Account, string) error
+	// RegisterAccount registers and returns a new account with the given
+	// allowFrom restriction or returns an error.
+	RegisterAccount([]string) (goacmedns.Account, error)
+}
+
+// DNSProvider is an implementation of the acme.ChallengeProvider interface for
+// an ACME-DNS server.
+type DNSProvider struct {
+	client  acmeDNSClient
+	storage goacmedns.Storage
+}
+
+// NewDNSProvider creates an ACME-DNS provider using file based account storage.
+// Its configuration is loaded from the environment by reading apiBaseEnvVar and
+// storagePathEnvVar.
+func NewDNSProvider() (*DNSProvider, error) {
+	values, err := env.Get(apiBaseEnvVar, storagePathEnvVar)
+	if err != nil {
+		return nil, fmt.Errorf("acme-dns: %v", err)
+	}
+
+	client := goacmedns.NewClient(values[apiBaseEnvVar])
+	storage := goacmedns.NewFileStorage(values[storagePathEnvVar], 0600)
+	return NewDNSProviderClient(client, storage)
+}
+
+// NewDNSProviderClient creates an ACME-DNS DNSProvider with the given
+// acmeDNSClient and goacmedns.Storage.
+func NewDNSProviderClient(client acmeDNSClient, storage goacmedns.Storage) (*DNSProvider, error) {
+	if client == nil {
+		return nil, errors.New("ACME-DNS Client must be not nil")
+	}
+
+	if storage == nil {
+		return nil, errors.New("ACME-DNS Storage must be not nil")
+	}
+
+	return &DNSProvider{
+		client:  client,
+		storage: storage,
+	}, nil
+}
+
+// ErrCNAMERequired is returned by Present when the Domain indicated had no
+// existing ACME-DNS account in the Storage and additional setup is required.
+// The user must create a CNAME in the DNS zone for Domain that aliases FQDN
+// to Target in order to complete setup for the ACME-DNS account that was
+// created.
+type ErrCNAMERequired struct {
+	// The Domain that is being issued for.
+	Domain string
+	// The alias of the CNAME (left hand DNS label).
+	FQDN string
+	// The RDATA of the CNAME (right hand side, canonical name).
+	Target string
+}
+
+// Error returns a descriptive message for the ErrCNAMERequired instance telling
+// the user that a CNAME needs to be added to the DNS zone of c.Domain before
+// the ACME-DNS hook will work. The CNAME to be created should be of the form:
+//   {{ c.FQDN }} 	CNAME	{{ c.Target }}
+func (e ErrCNAMERequired) Error() string {
+	return fmt.Sprintf("acme-dns: new account created for %q. "+
+		"To complete setup for %q you must provision the following "+
+		"CNAME in your DNS zone and re-run this provider when it is "+
+		"in place:\n"+
+		"%s CNAME %s.",
+		e.Domain, e.Domain, e.FQDN, e.Target)
+}
+
+// Present creates a TXT record to fulfil the DNS-01 challenge. If there is an
+// existing account for the domain in the provider's storage then it will be
+// used to set the challenge response TXT record with the ACME-DNS server and
+// issuance will continue. If there is not an account for the given domain
+// present in the DNSProvider storage one will be created and registered with
+// the ACME DNS server and an ErrCNAMERequired error is returned. This will halt
+// issuance and indicate to the user that a one-time manual setup is required
+// for the domain.
+func (d *DNSProvider) Present(domain, _, keyAuth string) error {
+	// Compute the challenge response FQDN and TXT value for the domain based
+	// on the keyAuth.
+	fqdn, value, _ := acme.DNS01Record(domain, keyAuth)
+
+	// Check if credentials were previously saved for this domain.
+	account, err := d.storage.Fetch(domain)
+	// Errors other than goacmeDNS.ErrDomainNotFound are unexpected.
+	if err != nil && err != goacmedns.ErrDomainNotFound {
+		return err
+	}
+	if err == goacmedns.ErrDomainNotFound {
+		// The account did not exist. Create a new one and return an error
+		// indicating the required one-time manual CNAME setup.
+		return d.register(domain, fqdn)
+	}
+
+	// Update the acme-dns TXT record.
+	return d.client.UpdateTXTRecord(account, value)
+}
+
+// CleanUp removes the record matching the specified parameters. It is not
+// implemented for the ACME-DNS provider.
+func (d *DNSProvider) CleanUp(_, _, _ string) error {
+	// ACME-DNS doesn't support the notion of removing a record. For users of
+	// ACME-DNS it is expected the stale records remain in-place.
+	return nil
+}
+
+// register creates a new ACME-DNS account for the given domain. If account
+// creation works as expected a ErrCNAMERequired error is returned describing
+// the one-time manual CNAME setup required to complete setup of the ACME-DNS
+// hook for the domain. If any other error occurs it is returned as-is.
+func (d *DNSProvider) register(domain, fqdn string) error {
+	// TODO(@cpu): Read CIDR whitelists from the environment
+	newAcct, err := d.client.RegisterAccount(nil)
+	if err != nil {
+		return err
+	}
+
+	// Store the new account in the storage and call save to persist the data.
+	err = d.storage.Put(domain, newAcct)
+	if err != nil {
+		return err
+	}
+	err = d.storage.Save()
+	if err != nil {
+		return err
+	}
+
+	// Stop issuance by returning an error. The user needs to perform a manual
+	// one-time CNAME setup in their DNS zone to complete the setup of the new
+	// account we created.
+	return ErrCNAMERequired{
+		Domain: domain,
+		FQDN:   fqdn,
+		Target: newAcct.FullDomain,
+	}
+}