Merge tag 'upstream/0.24.0'
Upstream version 0.24.0
Harlan Lieberman-Berg
5 years ago
| 0 | 0 | Metadata-Version: 2.1 |
| 1 | 1 | Name: certbot-dns-rfc2136 |
| 2 | Version: 0.23.0 | |
| 2 | Version: 0.24.0 | |
| 3 | 3 | Summary: RFC 2136 DNS Authenticator plugin for Certbot |
| 4 | 4 | Home-page: https://github.com/certbot/certbot |
| 5 | 5 | Author: Certbot Project |
| 20 | 20 | ----------- |
| 21 | 21 | |
| 22 | 22 | Use of this plugin requires a configuration file containing the target DNS |
| 23 | server that supports RFC 2136 Dynamic Updates, the name of the TSIG key, the | |
| 24 | TSIG key secret itself and the algorithm used if it's different to HMAC-MD5. | |
| 23 | server and optional port that supports RFC 2136 Dynamic Updates, the name | |
| 24 | of the TSIG key, the TSIG key secret itself and the algorithm used if it's | |
| 25 | different to HMAC-MD5. | |
| 25 | 26 | |
| 26 | 27 | .. code-block:: ini |
| 27 | 28 | :name: credentials.ini |
| 29 | 30 | |
| 30 | 31 | # Target DNS server |
| 31 | 32 | dns_rfc2136_server = 192.0.2.1 |
| 33 | # Target DNS port | |
| 34 | dns_rfc2136_port = 53 | |
| 32 | 35 | # TSIG key name |
| 33 | 36 | dns_rfc2136_name = keyname. |
| 34 | 37 | # TSIG key secret |
| 34 | 34 | 'HMAC-SHA384': dns.tsig.HMAC_SHA384, |
| 35 | 35 | 'HMAC-SHA512': dns.tsig.HMAC_SHA512 |
| 36 | 36 | } |
| 37 | ||
| 38 | PORT = 53 | |
| 37 | 39 | |
| 38 | 40 | description = 'Obtain certificates using a DNS TXT record (if you are using BIND for DNS).' |
| 39 | 41 | ttl = 120 |
| 77 | 79 | |
| 78 | 80 | def _get_rfc2136_client(self): |
| 79 | 81 | return _RFC2136Client(self.credentials.conf('server'), |
| 82 | int(self.credentials.conf('port') or self.PORT), | |
| 80 | 83 | self.credentials.conf('name'), |
| 81 | 84 | self.credentials.conf('secret'), |
| 82 | 85 | self.ALGORITHMS.get(self.credentials.conf('algorithm'), |
| 87 | 90 | """ |
| 88 | 91 | Encapsulates all communication with the target DNS server. |
| 89 | 92 | """ |
| 90 | def __init__(self, server, key_name, key_secret, key_algorithm): | |
| 93 | def __init__(self, server, port, key_name, key_secret, key_algorithm): | |
| 91 | 94 | self.server = server |
| 95 | self.port = port | |
| 92 | 96 | self.keyring = dns.tsigkeyring.from_text({ |
| 93 | 97 | key_name: key_secret |
| 94 | 98 | }) |
| 117 | 121 | update.add(rel, record_ttl, dns.rdatatype.TXT, record_content) |
| 118 | 122 | |
| 119 | 123 | try: |
| 120 | response = dns.query.tcp(update, self.server) | |
| 124 | response = dns.query.tcp(update, self.server, port=self.port) | |
| 121 | 125 | except Exception as e: |
| 122 | 126 | raise errors.PluginError('Encountered error adding TXT record: {0}' |
| 123 | 127 | .format(e)) |
| 152 | 156 | update.delete(rel, dns.rdatatype.TXT, record_content) |
| 153 | 157 | |
| 154 | 158 | try: |
| 155 | response = dns.query.tcp(update, self.server) | |
| 159 | response = dns.query.tcp(update, self.server, port=self.port) | |
| 156 | 160 | except Exception as e: |
| 157 | 161 | raise errors.PluginError('Encountered error deleting TXT record: {0}' |
| 158 | 162 | .format(e)) |
| 201 | 205 | request.flags ^= dns.flags.RD |
| 202 | 206 | |
| 203 | 207 | try: |
| 204 | response = dns.query.udp(request, self.server) | |
| 208 | response = dns.query.udp(request, self.server, port=self.port) | |
| 205 | 209 | rcode = response.rcode() |
| 206 | 210 | |
| 207 | 211 | # Authoritative Answer bit should be set |
| 13 | 13 | from certbot.tests import util as test_util |
| 14 | 14 | |
| 15 | 15 | SERVER = '192.0.2.1' |
| 16 | PORT = 53 | |
| 16 | 17 | NAME = 'a-tsig-key.' |
| 17 | 18 | SECRET = 'SSB3b25kZXIgd2hvIHdpbGwgYm90aGVyIHRvIGRlY29kZSB0aGlzIHRleHQK' |
| 18 | 19 | VALID_CONFIG = {"rfc2136_server": SERVER, "rfc2136_name": NAME, "rfc2136_secret": SECRET} |
| 73 | 74 | def setUp(self): |
| 74 | 75 | from certbot_dns_rfc2136.dns_rfc2136 import _RFC2136Client |
| 75 | 76 | |
| 76 | self.rfc2136_client = _RFC2136Client(SERVER, NAME, SECRET, dns.tsig.HMAC_MD5) | |
| 77 | self.rfc2136_client = _RFC2136Client(SERVER, PORT, NAME, SECRET, dns.tsig.HMAC_MD5) | |
| 77 | 78 | |
| 78 | 79 | @mock.patch("dns.query.tcp") |
| 79 | 80 | def test_add_txt_record(self, query_mock): |
| 83 | 84 | |
| 84 | 85 | self.rfc2136_client.add_txt_record("bar", "baz", 42) |
| 85 | 86 | |
| 86 | query_mock.assert_called_with(mock.ANY, SERVER) | |
| 87 | query_mock.assert_called_with(mock.ANY, SERVER, port=PORT) | |
| 87 | 88 | self.assertTrue("bar. 42 IN TXT \"baz\"" in str(query_mock.call_args[0][0])) |
| 88 | 89 | |
| 89 | 90 | @mock.patch("dns.query.tcp") |
| 116 | 117 | |
| 117 | 118 | self.rfc2136_client.del_txt_record("bar", "baz") |
| 118 | 119 | |
| 119 | query_mock.assert_called_with(mock.ANY, SERVER) | |
| 120 | query_mock.assert_called_with(mock.ANY, SERVER, port=PORT) | |
| 120 | 121 | self.assertTrue("bar. 0 NONE TXT \"baz\"" in str(query_mock.call_args[0][0])) |
| 121 | 122 | |
| 122 | 123 | @mock.patch("dns.query.tcp") |
| 168 | 169 | # _query_soa | pylint: disable=protected-access |
| 169 | 170 | result = self.rfc2136_client._query_soa(DOMAIN) |
| 170 | 171 | |
| 171 | query_mock.assert_called_with(mock.ANY, SERVER) | |
| 172 | query_mock.assert_called_with(mock.ANY, SERVER, port=PORT) | |
| 172 | 173 | self.assertTrue(result == True) |
| 173 | 174 | |
| 174 | 175 | @mock.patch("dns.query.udp") |
| 178 | 179 | # _query_soa | pylint: disable=protected-access |
| 179 | 180 | result = self.rfc2136_client._query_soa(DOMAIN) |
| 180 | 181 | |
| 181 | query_mock.assert_called_with(mock.ANY, SERVER) | |
| 182 | query_mock.assert_called_with(mock.ANY, SERVER, port=PORT) | |
| 182 | 183 | self.assertTrue(result == False) |
| 183 | 184 | |
| 184 | 185 | @mock.patch("dns.query.udp") |