yacloud/acme.sh
1
0
Fork 0
mirror of https://github.com/acmesh-official/acme.sh.git synced 2025-05-05 19:07:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

AzureDNS: Add support for AzureUSGovernment endpoints.

Browse Source
This commit is contained in:
JustChris1 2022-10-10 19:00:18 -04:00
parent be477d7ae3
commit 1afa9965a9
No known key found for this signature in database
1 changed files with 80 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
dnsapi/dns_azure.sh
View File

@ -17,6 +17,7 @@ dns_azure_add() {
AZUREDNS_SUBSCRIPTIONID="${AZUREDNS_SUBSCRIPTIONID:-$(_readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID)}" AZUREDNS_SUBSCRIPTIONID="${AZUREDNS_SUBSCRIPTIONID:-$(_readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID)}"
if [ -z "$AZUREDNS_SUBSCRIPTIONID" ]; then if [ -z "$AZUREDNS_SUBSCRIPTIONID" ]; then
AZUREDNS_SUBSCRIPTIONID="" AZUREDNS_SUBSCRIPTIONID=""
AZUREDNS_ENVIRONMENT=""
AZUREDNS_TENANTID="" AZUREDNS_TENANTID=""
AZUREDNS_APPID="" AZUREDNS_APPID=""
AZUREDNS_CLIENTSECRET="" AZUREDNS_CLIENTSECRET=""
@ -31,15 +32,30 @@ dns_azure_add() {
_info "Using Azure managed identity" _info "Using Azure managed identity"
#save managed identity as preferred authentication method, clear service principal credentials from conf file. #save managed identity as preferred authentication method, clear service principal credentials from conf file.
_saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "$AZUREDNS_MANAGEDIDENTITY" _saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "$AZUREDNS_MANAGEDIDENTITY"
_saveaccountconf_mutable AZUREDNS_ENVIRONMENT ""
_saveaccountconf_mutable AZUREDNS_TENANTID "" _saveaccountconf_mutable AZUREDNS_TENANTID ""
_saveaccountconf_mutable AZUREDNS_APPID "" _saveaccountconf_mutable AZUREDNS_APPID ""
_saveaccountconf_mutable AZUREDNS_CLIENTSECRET "" _saveaccountconf_mutable AZUREDNS_CLIENTSECRET ""
else else
_info "You didn't ask to use Azure managed identity, checking service principal credentials" _info "You didn't ask to use Azure managed identity, checking service principal credentials"
AZUREDNS_ENVIRONMENT="${AZUREDNS_ENVIRONMENT:-$(_readaccountconf_mutable AZUREDNS_ENVIRONMENT)}"
AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}" AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}"
AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}" AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}"
AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}" AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}"
if [ -z "$AZUREDNS_ENVIRONMENT" ]; then
AZUREDNS_ENVIRONMENT="AzureCloud"
_info "You didn't specify the Azure Environment; assuming AzureCloud for backwards compatibility"
fi
if [ "$AZUREDNS_ENVIRONMENT" != "AzureCloud" -a "$AZUREDNS_ENVIRONMENT" != "AzureUSGovernment" ]; then
AZUREDNS_SUBSCRIPTIONID=""
AZUREDNS_TENANTID=""
AZUREDNS_APPID=""
AZUREDNS_CLIENTSECRET=""
_err "($AZUREDNS_ENVIRONMENT): Unsupported environment for Azure DNS. Supported Environments: [AzureCloud, AzureUSGovernment]"
fi
if [ -z "$AZUREDNS_TENANTID" ]; then if [ -z "$AZUREDNS_TENANTID" ]; then
AZUREDNS_SUBSCRIPTIONID="" AZUREDNS_SUBSCRIPTIONID=""
AZUREDNS_TENANTID="" AZUREDNS_TENANTID=""
@ -69,14 +85,15 @@ dns_azure_add() {
#save account details to account conf file, don't opt in for azure manages identity check. #save account details to account conf file, don't opt in for azure manages identity check.
_saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "false" _saveaccountconf_mutable AZUREDNS_MANAGEDIDENTITY "false"
_saveaccountconf_mutable AZUREDNS_ENVIRONMENT "$AZUREDNS_ENVIRONMENT"
_saveaccountconf_mutable AZUREDNS_TENANTID "$AZUREDNS_TENANTID" _saveaccountconf_mutable AZUREDNS_TENANTID "$AZUREDNS_TENANTID"
_saveaccountconf_mutable AZUREDNS_APPID "$AZUREDNS_APPID" _saveaccountconf_mutable AZUREDNS_APPID "$AZUREDNS_APPID"
_saveaccountconf_mutable AZUREDNS_CLIENTSECRET "$AZUREDNS_CLIENTSECRET" _saveaccountconf_mutable AZUREDNS_CLIENTSECRET "$AZUREDNS_CLIENTSECRET"
fi fi
accesstoken=$(_azure_getaccess_token "$AZUREDNS_MANAGEDIDENTITY" "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET") accesstoken=$(_azure_getaccess_token "$AZUREDNS_MANAGEDIDENTITY" "$AZUREDNS_ENVIRONMENT" "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET")
if ! _get_root "$fulldomain" "$AZUREDNS_SUBSCRIPTIONID" "$accesstoken"; then if ! _get_root "$fulldomain" "$AZUREDNS_SUBSCRIPTIONID" "$AZUREDNS_ENVIRONMENT" "$accesstoken"; then
_err "invalid domain" _err "invalid domain"
return 1 return 1
fi fi
@ -84,7 +101,14 @@ dns_azure_add() {
_debug _sub_domain "$_sub_domain" _debug _sub_domain "$_sub_domain"
_debug _domain "$_domain" _debug _domain "$_domain"
acmeRecordURI="https://management.azure.com$(printf '%s' "$_domain_id" | sed 's/\\//g')/TXT/$_sub_domain?api-version=2017-09-01" if [ "$azureEnvironment" = "AzureUSGovernment" ]; then
active_directory_service_endpoint_resource_id="management.usgovcloudapi.net"
else
#assuming AzureCloud endpoints for backwards compatibility
active_directory_service_endpoint_resource_id="management.azure.com"
fi
acmeRecordURI="https://${active_directory_service_endpoint_resource_id}$(printf '%s' "$_domain_id" | sed 's/\\//g')/TXT/$_sub_domain?api-version=2017-09-01"
_debug "$acmeRecordURI" _debug "$acmeRecordURI"
# Get existing TXT record # Get existing TXT record
_azure_rest GET "$acmeRecordURI" "" "$accesstoken" _azure_rest GET "$acmeRecordURI" "" "$accesstoken"
@ -133,6 +157,7 @@ dns_azure_rm() {
AZUREDNS_SUBSCRIPTIONID="${AZUREDNS_SUBSCRIPTIONID:-$(_readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID)}" AZUREDNS_SUBSCRIPTIONID="${AZUREDNS_SUBSCRIPTIONID:-$(_readaccountconf_mutable AZUREDNS_SUBSCRIPTIONID)}"
if [ -z "$AZUREDNS_SUBSCRIPTIONID" ]; then if [ -z "$AZUREDNS_SUBSCRIPTIONID" ]; then
AZUREDNS_SUBSCRIPTIONID="" AZUREDNS_SUBSCRIPTIONID=""
AZUREDNS_ENVIRONMENT=""
AZUREDNS_TENANTID="" AZUREDNS_TENANTID=""
AZUREDNS_APPID="" AZUREDNS_APPID=""
AZUREDNS_CLIENTSECRET="" AZUREDNS_CLIENTSECRET=""
@ -145,10 +170,24 @@ dns_azure_rm() {
_info "Using Azure managed identity" _info "Using Azure managed identity"
else else
_info "You didn't ask to use Azure managed identity, checking service principal credentials" _info "You didn't ask to use Azure managed identity, checking service principal credentials"
AZUREDNS_ENVIRONMENT="${AZUREDNS_ENVIRONMENT:-$(_readaccountconf_mutable AZUREDNS_ENVIRONMENT)}"
AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}" AZUREDNS_TENANTID="${AZUREDNS_TENANTID:-$(_readaccountconf_mutable AZUREDNS_TENANTID)}"
AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}" AZUREDNS_APPID="${AZUREDNS_APPID:-$(_readaccountconf_mutable AZUREDNS_APPID)}"
AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}" AZUREDNS_CLIENTSECRET="${AZUREDNS_CLIENTSECRET:-$(_readaccountconf_mutable AZUREDNS_CLIENTSECRET)}"
if [ -z "$AZUREDNS_ENVIRONMENT" ]; then
AZUREDNS_ENVIRONMENT="AzureCloud"
_info "You didn't specify the Azure Environment; assuming AzureCloud for backwards compatibility"
fi
if [ "$AZUREDNS_ENVIRONMENT" != "AzureCloud" -a "$AZUREDNS_ENVIRONMENT" != "AzureUSGovernment" ]; then
AZUREDNS_SUBSCRIPTIONID=""
AZUREDNS_TENANTID=""
AZUREDNS_APPID=""
AZUREDNS_CLIENTSECRET=""
_err "($AZUREDNS_ENVIRONMENT): Unsupported environment for Azure DNS. Supported Environments: [AzureCloud, AzureUSGovernment]"
fi
if [ -z "$AZUREDNS_TENANTID" ]; then if [ -z "$AZUREDNS_TENANTID" ]; then
AZUREDNS_SUBSCRIPTIONID="" AZUREDNS_SUBSCRIPTIONID=""
AZUREDNS_TENANTID="" AZUREDNS_TENANTID=""
@ -177,9 +216,9 @@ dns_azure_rm() {
fi fi
fi fi
accesstoken=$(_azure_getaccess_token "$AZUREDNS_MANAGEDIDENTITY" "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET") accesstoken=$(_azure_getaccess_token "$AZUREDNS_MANAGEDIDENTITY" "$AZUREDNS_ENVIRONMENT" "$AZUREDNS_TENANTID" "$AZUREDNS_APPID" "$AZUREDNS_CLIENTSECRET")
if ! _get_root "$fulldomain" "$AZUREDNS_SUBSCRIPTIONID" "$accesstoken"; then if ! _get_root "$fulldomain" "$AZUREDNS_SUBSCRIPTIONID" "$AZUREDNS_ENVIRONMENT" "$accesstoken"; then
_err "invalid domain" _err "invalid domain"
return 1 return 1
fi fi
@ -187,7 +226,14 @@ dns_azure_rm() {
_debug _sub_domain "$_sub_domain" _debug _sub_domain "$_sub_domain"
_debug _domain "$_domain" _debug _domain "$_domain"
acmeRecordURI="https://management.azure.com$(printf '%s' "$_domain_id" | sed 's/\\//g')/TXT/$_sub_domain?api-version=2017-09-01" if [ "$azureEnvironment" = "AzureUSGovernment" ]; then
active_directory_service_endpoint_resource_id="management.usgovcloudapi.net"
else
#assuming AzureCloud endpoints for backwards compatibility
active_directory_service_endpoint_resource_id="management.azure.com"
fi
acmeRecordURI="https://${active_directory_service_endpoint_resource_id}$(printf '%s' "$_domain_id" | sed 's/\\//g')/TXT/$_sub_domain?api-version=2017-09-01"
_debug "$acmeRecordURI" _debug "$acmeRecordURI"
# Get existing TXT record # Get existing TXT record
_azure_rest GET "$acmeRecordURI" "" "$accesstoken" _azure_rest GET "$acmeRecordURI" "" "$accesstoken"
@ -280,9 +326,10 @@ _azure_rest() {
## Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token ## Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token
_azure_getaccess_token() { _azure_getaccess_token() {
managedIdentity=$1 managedIdentity=$1
tenantID=$2 azureEnvironment=$2
clientID=$3 tenantID=$3
clientSecret=$4 clientID=$4
clientSecret=$5
accesstoken="${AZUREDNS_BEARERTOKEN:-$(_readaccountconf_mutable AZUREDNS_BEARERTOKEN)}" accesstoken="${AZUREDNS_BEARERTOKEN:-$(_readaccountconf_mutable AZUREDNS_BEARERTOKEN)}"
expires_on="${AZUREDNS_TOKENVALIDTO:-$(_readaccountconf_mutable AZUREDNS_TOKENVALIDTO)}" expires_on="${AZUREDNS_TOKENVALIDTO:-$(_readaccountconf_mutable AZUREDNS_TOKENVALIDTO)}"
@ -300,19 +347,30 @@ _azure_getaccess_token() {
fi fi
_debug "getting new bearer token" _debug "getting new bearer token"
if [ "$azureEnvironment" = "AzureUSGovernment" ]; then
active_directory_service_endpoint_resource_id="management.usgovcloudapi.net"
service_management_url="management.core.usgovcloudapi.net"
active_directory_authority="login.microsoftonline.us"
else
#assuming AzureCloud endpoints for backwards compatibility
active_directory_service_endpoint_resource_id="management.azure.com"
service_management_url="management.core.windows.net"
active_directory_authority="login.microsoftonline.com"
fi
if [ "$managedIdentity" = true ]; then if [ "$managedIdentity" = true ]; then
# https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http # https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
export _H1="Metadata: true" export _H1="Metadata: true"
response="$(_get http://169.254.169.254/metadata/identity/oauth2/token\?api-version=2018-02-01\&resource=https://management.azure.com/)" response="$(_get http://169.254.169.254/metadata/identity/oauth2/token\?api-version=2018-02-01\&resource=https://${active_directory_service_endpoint_resource_id}/)"
response="$(echo "$response" | _normalizeJson)" response="$(echo "$response" | _normalizeJson)"
accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \") expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
else else
export _H1="accept: application/json" export _H1="accept: application/json"
export _H2="Content-Type: application/x-www-form-urlencoded" export _H2="Content-Type: application/x-www-form-urlencoded"
body="resource=$(printf "%s" 'https://management.core.windows.net/' | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials" body="resource=$(printf "%s" "https://${service_management_url}/" | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials"
_secure_debug2 "data $body" _secure_debug2 "data $body"
response="$(_post "$body" "https://login.microsoftonline.com/$tenantID/oauth2/token" "" "POST")" response="$(_post "$body" "https://${active_directory_authority}/$tenantID/oauth2/token" "" "POST")"
_ret="$?" _ret="$?"
_secure_debug2 "response $response" _secure_debug2 "response $response"
response="$(echo "$response" | _normalizeJson)" response="$(echo "$response" | _normalizeJson)"
@ -337,16 +395,24 @@ _azure_getaccess_token() {
_get_root() { _get_root() {
domain=$1 domain=$1
subscriptionId=$2 subscriptionId=$2
accesstoken=$3 azureEnvironment=$3
accesstoken=$4
i=1 i=1
p=1 p=1
if [ "$azureEnvironment" = "AzureUSGovernment" ]; then
active_directory_service_endpoint_resource_id="management.usgovcloudapi.net"
else
#assuming AzureCloud endpoints for backwards compatibility
active_directory_service_endpoint_resource_id="management.azure.com"
fi
## Ref: https://docs.microsoft.com/en-us/rest/api/dns/zones/list ## Ref: https://docs.microsoft.com/en-us/rest/api/dns/zones/list
## returns up to 100 zones in one response therefore handling more results is not not implemented ## returns up to 100 zones in one response therefore handling more results is not not implemented
## (ZoneListResult with continuation token for the next page of results) ## (ZoneListResult with continuation token for the next page of results)
## Per https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#dns-limits you are limited to 100 Zone/subscriptions anyways ## Per https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#dns-limits you are limited to 100 Zone/subscriptions anyways
## ##
_azure_rest GET "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Network/dnszones?\$top=500&api-version=2017-09-01" "" "$accesstoken" _azure_rest GET "https://${active_directory_service_endpoint_resource_id}/subscriptions/$subscriptionId/providers/Microsoft.Network/dnszones?\$top=500&api-version=2017-09-01" "" "$accesstoken"
# Find matching domain name in Json response # Find matching domain name in Json response
while true; do while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100) h=$(printf "%s" "$domain" | cut -d . -f $i-100)