acme-dns-01-cli.js/index.js

'use strict';

// See https://tools.ietf.org/html/draft-ietf-acme-acme-01
// also https://gitlab.com/pushrocks/cert/blob/master/ts/cert.hook.ts

var PromiseA = require('bluebird');
var dns = PromiseA.promisifyAll(require('dns'));
var DDNS = require('ddns-cli');

//var count = 0;
var defaults = {
  oauth3: 'oauth3.org'
, debug: false
, acmeChallengeDns: '_acme-challenge.' // _acme-challenge.example.com TXT xxxxxxxxxxxxxxxx
, memstoreConfig: {
    name: 'le-ddns'
  }
};

var Challenge = module.exports;

Challenge.create = function (options) {
  // count += 1;
  var store = require('cluster-store');
  var results = {};

  Object.keys(Challenge).forEach(function (key) {
    results[key] = Challenge[key];
  });
  results.create = undefined;

  Object.keys(defaults).forEach(function (key) {
    if (!(key in options)) {
      options[key] = defaults[key];
    }
  });
  results._options = options;

  results.getOptions = function () {
    return results._options;
  };

  // TODO fix race condition at startup
  results._memstore = options.memstore;

  if (!results._memstore) {
    store.create(options.memstoreConfig).then(function (store) {
      // same api as new sqlite3.Database(options.filename)

      results._memstore = store;

      // app.use(expressSession({ secret: 'keyboard cat', store: store }));
    });
  }

  return results;
};

//
// NOTE: the "args" here in `set()` are NOT accessible to `get()` and `remove()`
// They are provided so that you can store them in an implementation-specific way
// if you need access to them.
//
Challenge.set = function (args, domain, challenge, keyAuthorization, done) {
  var me = this;
  // TODO use base64url module
  var keyAuthDigest = require('crypto').createHash('sha256').update(keyAuthorization||'').digest('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/g, '')
    ;

  if (!challenge || !keyAuthorization) {
    console.warn("SANITY FAIL: missing challenge or keyAuthorization", domain, challenge, keyAuthorization);
  }

  return me._memstore.set(domain, {
    email: args.email
  , refreshToken: args.refreshToken
  , keyAuthDigest: keyAuthDigest
  }, function (err) {
    if (err) { done(err); return; }

    var challengeDomain = (args.test || '') + args.acmeChallengeDns + domain;
    var update = {
      email: args.email
    , refreshToken: args.refreshToken
    , silent: true

    , name: challengeDomain
    , type: "TXT"
    , value: keyAuthDigest || challenge
    , ttl: args.ttl || 0
    };

    return DDNS.update(update, {
      //debug: true
    }).then(function () {
      if (args.debug) {
        console.log("Test DNS Record:");
        console.log("dig TXT +noall +answer @ns1.redirect-www.org '" + challengeDomain + "' # " + challenge);
      }
      done(null, keyAuthDigest);
    }, function (err) {
      console.error(err);
      done(err);
      return PromiseA.reject(err);
    });
  });
};


//
// NOTE: the "defaults" here are still merged and templated, just like "args" would be,
// but if you specifically need "args" you must retrieve them from some storage mechanism
// based on domain and key
//
Challenge.get = function (defaults, domain, challenge, done) {
  done = null; // nix linter error for unused vars
  throw new Error("Challenge.get() does not need an implementation for dns-01. (did you mean Challenge.loopback?)");
};

Challenge.remove = function (defaults, domain, challenge, done) {
  var me = this;

  return me._memstore.get(domain, function (err, data) {
    if (err) { done(err); return; }
    if (!data) {
      console.warn("[warning] could not remove '" + domain + "': already removed");
      done(null);
      return;
    }

    var challengeDomain = (defaults.test || '') + defaults.acmeChallengeDns + domain;

    return DDNS.update({
      email: data.email
    , refreshToken: data.refreshToken
    , silent: true

    , name: challengeDomain
    , type: "TXT"
    , value: data.keyAuthDigest || challenge
    , ttl: defaults.ttl || 0

    , remove: true
    }, {
      //debug: true
    }).then(function () {

      done(null);
    }, done).then(function () {
      me._memstore.destroy(domain);
    });
  });
};

// same as get, but external
Challenge.loopback = function (defaults, domain, challenge, done) {
  var challengeDomain = (defaults.test || '') + defaults.acmeChallengeDns + domain;
  dns.resolveTxtAsync(challengeDomain).then(function (x) { done(null, x); }, done);
};

Challenge.test = function (args, domain, challenge, keyAuthorization, done) {
  var me = this;

  args.test = args.test || '_test.';
  defaults.test = args.test;

  me.set(args, domain, challenge, keyAuthorization || challenge, function (err, k) {
    if (err) { done(err); return; }

    me.loopback(defaults, domain, challenge, function (err, arr) {
      if (err) { done(err); return; }

      if (!arr.some(function (a) {
        return a.some(function (keyAuthDigest) {
          return keyAuthDigest === k;
        });
      })) {
        err = new Error("txt record '" + challenge + "' doesn't match '" + k + "'");
      }

      me.remove(defaults, domain, challenge, function (_err) {
        if (_err) { done(_err); return; }

        // TODO needs to use native-dns so that specific nameservers can be used
        // (otherwise the cache will still have the old answer)
        done(err || null);
        /*
        me.loopback(defaults, domain, challenge, function (err) {
          if (err) { done(err); return; }

          done();
        });
        */
      });
    });
  });
};
getting there... 2016-09-07 20:58:25 +00:00			`'use strict';`

use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`// See https://tools.ietf.org/html/draft-ietf-acme-acme-01`
			`// also https://gitlab.com/pushrocks/cert/blob/master/ts/cert.hook.ts`
getting there... 2016-09-07 20:58:25 +00:00
			`var PromiseA = require('bluebird');`
			`var dns = PromiseA.promisifyAll(require('dns'));`
add missing deps 2016-09-09 01:10:50 +00:00			`var DDNS = require('ddns-cli');`
getting there... 2016-09-07 20:58:25 +00:00
memstore-cluster -> cluster-store 2016-09-09 00:56:58 +00:00			`//var count = 0;`
getting there... 2016-09-07 20:58:25 +00:00			`var defaults = {`
			`oauth3: 'oauth3.org'`
			`, debug: false`
			`, acmeChallengeDns: '_acme-challenge.' // _acme-challenge.example.com TXT xxxxxxxxxxxxxxxx`
			`, memstoreConfig: {`
dns -> ddns 2016-10-14 18:45:35 +00:00			`name: 'le-ddns'`
getting there... 2016-09-07 20:58:25 +00:00			`}`
			`};`

			`var Challenge = module.exports;`

			`Challenge.create = function (options) {`
memstore-cluster -> cluster-store 2016-09-09 00:56:58 +00:00			`// count += 1;`
			`var store = require('cluster-store');`
getting there... 2016-09-07 20:58:25 +00:00			`var results = {};`

			`Object.keys(Challenge).forEach(function (key) {`
			`results[key] = Challenge[key];`
			`});`
			`results.create = undefined;`

			`Object.keys(defaults).forEach(function (key) {`
			`if (!(key in options)) {`
			`options[key] = defaults[key];`
			`}`
			`});`
			`results._options = options;`

			`results.getOptions = function () {`
			`return results._options;`
			`};`

			`// TODO fix race condition at startup`
			`results._memstore = options.memstore;`

			`if (!results._memstore) {`
			`store.create(options.memstoreConfig).then(function (store) {`
			`// same api as new sqlite3.Database(options.filename)`

			`results._memstore = store;`

			`// app.use(expressSession({ secret: 'keyboard cat', store: store }));`
			`});`
			`}`

			`return results;`
			`};`

			`//`
			// NOTE: the "args" here in `set()` are NOT accessible to `get()` and `remove()`
			`// They are provided so that you can store them in an implementation-specific way`
			`// if you need access to them.`
			`//`
			`Challenge.set = function (args, domain, challenge, keyAuthorization, done) {`
make cluster safe 2016-09-07 23:10:04 +00:00			`var me = this;`
use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`// TODO use base64url module`
			`var keyAuthDigest = require('crypto').createHash('sha256').update(keyAuthorization\|\|'').digest('base64')`
			`.replace(/\+/g, '-')`
			`.replace(/\//g, '_')`
			`.replace(/=+$/g, '')`
			`;`

			`if (!challenge \|\| !keyAuthorization) {`
			`console.warn("SANITY FAIL: missing challenge or keyAuthorization", domain, challenge, keyAuthorization);`
			`}`
getting there... 2016-09-07 20:58:25 +00:00
use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`return me._memstore.set(domain, {`
getting there... 2016-09-07 20:58:25 +00:00			`email: args.email`
			`, refreshToken: args.refreshToken`
use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`, keyAuthDigest: keyAuthDigest`
make cluster safe 2016-09-07 23:10:04 +00:00			`}, function (err) {`
			`if (err) { done(err); return; }`

use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`var challengeDomain = (args.test \|\| '') + args.acmeChallengeDns + domain;`
			`var update = {`
getting there... 2016-09-07 20:58:25 +00:00			`email: args.email`
			`, refreshToken: args.refreshToken`
seems to pass tests 2016-09-09 01:01:03 +00:00			`, silent: true`
getting there... 2016-09-07 20:58:25 +00:00
make cluster safe 2016-09-07 23:10:04 +00:00			`, name: challengeDomain`
getting there... 2016-09-07 20:58:25 +00:00			`, type: "TXT"`
use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`, value: keyAuthDigest \|\| challenge`
			`, ttl: args.ttl \|\| 0`
			`};`

			`return DDNS.update(update, {`
make cluster safe 2016-09-07 23:10:04 +00:00			`//debug: true`
			`}).then(function () {`
			`if (args.debug) {`
			`console.log("Test DNS Record:");`
			`console.log("dig TXT +noall +answer @ns1.redirect-www.org '" + challengeDomain + "' # " + challenge);`
			`}`
actually check txt record 2016-10-12 21:04:25 +00:00			`done(null, keyAuthDigest);`
use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`}, function (err) {`
			`console.error(err);`
			`done(err);`
			`return PromiseA.reject(err);`
			`});`
getting there... 2016-09-07 20:58:25 +00:00			`});`
			`};`


			`//`
			`// NOTE: the "defaults" here are still merged and templated, just like "args" would be,`
			`// but if you specifically need "args" you must retrieve them from some storage mechanism`
			`// based on domain and key`
			`//`
			`Challenge.get = function (defaults, domain, challenge, done) {`
use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`done = null; // nix linter error for unused vars`
getting there... 2016-09-07 20:58:25 +00:00			`throw new Error("Challenge.get() does not need an implementation for dns-01. (did you mean Challenge.loopback?)");`
			`};`

			`Challenge.remove = function (defaults, domain, challenge, done) {`
make cluster safe 2016-09-07 23:10:04 +00:00			`var me = this;`

use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`return me._memstore.get(domain, function (err, data) {`
make cluster safe 2016-09-07 23:10:04 +00:00			`if (err) { done(err); return; }`
actually check txt record 2016-10-12 21:04:25 +00:00			`if (!data) {`
			`console.warn("[warning] could not remove '" + domain + "': already removed");`
			`done(null);`
			`return;`
			`}`
make cluster safe 2016-09-07 23:10:04 +00:00
use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`var challengeDomain = (defaults.test \|\| '') + defaults.acmeChallengeDns + domain;`
make cluster safe 2016-09-07 23:10:04 +00:00
			`return DDNS.update({`
getting there... 2016-09-07 20:58:25 +00:00			`email: data.email`
			`, refreshToken: data.refreshToken`
seems to pass tests 2016-09-09 01:01:03 +00:00			`, silent: true`
getting there... 2016-09-07 20:58:25 +00:00
make cluster safe 2016-09-07 23:10:04 +00:00			`, name: challengeDomain`
getting there... 2016-09-07 20:58:25 +00:00			`, type: "TXT"`
use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`, value: data.keyAuthDigest \|\| challenge`
			`, ttl: defaults.ttl \|\| 0`
getting there... 2016-09-07 20:58:25 +00:00
			`, remove: true`
make cluster safe 2016-09-07 23:10:04 +00:00			`}, {`
			`//debug: true`
getting there... 2016-09-07 20:58:25 +00:00			`}).then(function () {`

			`done(null);`
			`}, done).then(function () {`
make cluster safe 2016-09-07 23:10:04 +00:00			`me._memstore.destroy(domain);`
getting there... 2016-09-07 20:58:25 +00:00			`});`
			`});`
			`};`

			`// same as get, but external`
			`Challenge.loopback = function (defaults, domain, challenge, done) {`
use sha256sum of keyAuthorization as per spec 2016-09-15 06:51:29 +00:00			`var challengeDomain = (defaults.test \|\| '') + defaults.acmeChallengeDns + domain;`
actually check txt record 2016-10-12 21:04:25 +00:00			`dns.resolveTxtAsync(challengeDomain).then(function (x) { done(null, x); }, done);`
getting there... 2016-09-07 20:58:25 +00:00			`};`

			`Challenge.test = function (args, domain, challenge, keyAuthorization, done) {`
make cluster safe 2016-09-07 23:10:04 +00:00			`var me = this;`
getting there... 2016-09-07 20:58:25 +00:00
make cluster safe 2016-09-07 23:10:04 +00:00			`args.test = args.test \|\| '_test.';`
			`defaults.test = args.test;`
getting there... 2016-09-07 20:58:25 +00:00
actually check txt record 2016-10-12 21:04:25 +00:00			`me.set(args, domain, challenge, keyAuthorization \|\| challenge, function (err, k) {`
getting there... 2016-09-07 20:58:25 +00:00			`if (err) { done(err); return; }`

actually check txt record 2016-10-12 21:04:25 +00:00			`me.loopback(defaults, domain, challenge, function (err, arr) {`
getting there... 2016-09-07 20:58:25 +00:00			`if (err) { done(err); return; }`

actually check txt record 2016-10-12 21:04:25 +00:00			`if (!arr.some(function (a) {`
			`return a.some(function (keyAuthDigest) {`
			`return keyAuthDigest === k;`
			`});`
			`})) {`
			`err = new Error("txt record '" + challenge + "' doesn't match '" + k + "'");`
			`}`

fix error 2016-10-12 23:12:29 +00:00			`me.remove(defaults, domain, challenge, function (_err) {`
			`if (_err) { done(_err); return; }`
getting there... 2016-09-07 20:58:25 +00:00
			`// TODO needs to use native-dns so that specific nameservers can be used`
			`// (otherwise the cache will still have the old answer)`
actually check txt record 2016-10-12 21:04:25 +00:00			`done(err \|\| null);`
getting there... 2016-09-07 20:58:25 +00:00			`/*`
make cluster safe 2016-09-07 23:10:04 +00:00			`me.loopback(defaults, domain, challenge, function (err) {`
getting there... 2016-09-07 20:58:25 +00:00			`if (err) { done(err); return; }`

			`done();`
			`});`
			`*/`
			`});`
			`});`
			`});`
			`};`