rfc2136: add support for tsig-keygen generated file

Author: ldez

providers/dns/rfc2136/internal/fixtures/invalid_key.conf

@@ -0,0 +1,4 @@
+key {
+	algorithm hmac-sha256;
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};

providers/dns/rfc2136/internal/fixtures/mising_algo.conf

@@ -0,0 +1,3 @@
+key "lego" {
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};

providers/dns/rfc2136/internal/fixtures/missing_secret.conf

@@ -0,0 +1,3 @@
+key "lego" {
+	algorithm hmac-sha256;
+};

providers/dns/rfc2136/internal/fixtures/sample.conf

@@ -0,0 +1,4 @@
+key "lego" {
+	algorithm hmac-sha256;
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};

providers/dns/rfc2136/internal/fixtures/text_after.conf

@@ -0,0 +1,4 @@
+key "lego" {
+	algorithm hmac-sha256;
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};

providers/dns/rfc2136/internal/fixtures/text_before.conf

@@ -0,0 +1,4 @@
+key "lego" {
+	algorithm hmac-sha256;
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};

providers/dns/rfc2136/internal/readme.md

@@ -0,0 +1,10 @@
+# TSIG Key File
+
+How to generate example:
+
+```console
+$ docker run --rm -it -v $(pwd):/app -w /app alpine sh
+/app # apk add bind
+/app # tsig-keygen lego > sample1.conf
+/app # tsig-keygen -a hmac-sha512 lego > sample2.conf
+```

providers/dns/rfc2136/internal/tsigkey.go

@@ -0,0 +1,87 @@
+package internal
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/go-viper/mapstructure/v2"
+)
+
+type Key struct {
+	Name      string `mapstructure:"name"`
+	Algorithm string `mapstructure:"algorithm"`
+	Secret    string `mapstructure:"secret"`
+}
+
+// ReadTSIGFile reads TSIG key file generated with `tsig-keygen`.
+func ReadTSIGFile(filename string) (*Key, error) {
+	raw, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+
+	data := make(map[string]string)
+
+	var read bool
+
+	scanner := bufio.NewScanner(bytes.NewReader(raw))
+	for scanner.Scan() {
+		line := strings.TrimSuffix(scanner.Text(), ";")
+
+		if line == "}" {
+			break
+		}
+
+		switch {
+		case strings.HasPrefix(line, "key "):
+			read = true
+			fields := strings.Fields(line)
+
+			if len(fields) != 3 {
+				return nil, fmt.Errorf("invalid key line: %s", line)
+			}
+
+			data["name"] = safeUnquote(fields[1])
+
+		case !read:
+			continue
+
+		default:
+			fields := strings.Fields(line)
+
+			if len(fields) != 2 {
+				continue
+			}
+
+			data[safeUnquote(fields[0])] = safeUnquote(fields[1])
+		}
+	}
+
+	key := &Key{}
+	err = mapstructure.Decode(data, key)
+	if err != nil {
+		return nil, err
+	}
+
+	if key.Algorithm != "" {
+		// to be compatible with https://github.com/miekg/dns/blob/master/tsig.go
+		key.Algorithm += "."
+	}
+
+	return key, nil
+}
+
+func safeUnquote(v string) string {
+	if v == "" {
+		return v
+	}
+
+	if v[0] == '"' && v[len(v)-1] == '"' {
+		return v[1 : len(v)-1]
+	}
+
+	return v
+}

providers/dns/rfc2136/internal/tsigkey_test.go

@@ -0,0 +1,59 @@
+package internal
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestReadTSIGFile(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		filename string
+		expected *Key
+	}{
+		{
+			desc:     "basic",
+			filename: "sample.conf",
+			expected: &Key{Name: "lego", Algorithm: "hmac-sha256.", Secret: "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg="},
+		},
+		{
+			desc:     "data before the key",
+			filename: "text_before.conf",
+			expected: &Key{Name: "lego", Algorithm: "hmac-sha256.", Secret: "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg="},
+		},
+		{
+			desc:     "data after the key",
+			filename: "text_after.conf",
+			expected: &Key{Name: "lego", Algorithm: "hmac-sha256.", Secret: "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg="},
+		},
+		{
+			desc:     "missing secret",
+			filename: "missing_secret.conf",
+			expected: &Key{Name: "lego", Algorithm: "hmac-sha256."},
+		},
+		{
+			desc:     "missing algorithm",
+			filename: "mising_algo.conf",
+			expected: &Key{Name: "lego", Secret: "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg="},
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			key, err := ReadTSIGFile(filepath.Join("fixtures", test.filename))
+			require.NoError(t, err)
+
+			assert.Equal(t, test.expected, key)
+		})
+	}
+}
+
+func TestReadTSIGFile_error(t *testing.T) {
+	_, err := ReadTSIGFile(filepath.Join("fixtures", "invalid_key.conf"))
+	require.Error(t, err)
+}

providers/dns/rfc2136/rfc2136.go

@@ -10,18 +10,22 @@ import (
 
 	"github.com/go-acme/lego/v4/challenge/dns01"
 	"github.com/go-acme/lego/v4/platform/config/env"
+	"github.com/go-acme/lego/v4/providers/dns/rfc2136/internal"
 	"github.com/miekg/dns"
 )
 
 // Environment variables names.
 const (
 	envNamespace = "RFC2136_"
 
+	EnvTSIGFile = envNamespace + "TSIG_FILE"
+
 	EnvTSIGKey       = envNamespace + "TSIG_KEY"
 	EnvTSIGSecret    = envNamespace + "TSIG_SECRET"
 	EnvTSIGAlgorithm = envNamespace + "TSIG_ALGORITHM"
-	EnvNameserver    = envNamespace + "NAMESERVER"
-	EnvDNSTimeout    = envNamespace + "DNS_TIMEOUT"
+
+	EnvNameserver = envNamespace + "NAMESERVER"
+	EnvDNSTimeout = envNamespace + "DNS_TIMEOUT"
 
 	EnvTTL                = envNamespace + "TTL"
 	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
@@ -31,10 +35,14 @@ const (
 
 // Config is used to configure the creation of the DNSProvider.
 type Config struct {
-	Nameserver         string
-	TSIGAlgorithm      string
-	TSIGKey            string
-	TSIGSecret         string
+	Nameserver string
+
+	TSIGFile string
+
+	TSIGAlgorithm string
+	TSIGKey       string
+	TSIGSecret    string
+
 	PropagationTimeout time.Duration
 	PollingInterval    time.Duration
 	TTL                int
@@ -76,6 +84,9 @@ func NewDNSProvider() (*DNSProvider, error) {
 
 	config := NewDefaultConfig()
 	config.Nameserver = values[EnvNameserver]
+
+	config.TSIGFile = env.GetOrDefaultString(EnvTSIGFile, "")
+
 	config.TSIGKey = env.GetOrFile(EnvTSIGKey)
 	config.TSIGSecret = env.GetOrFile(EnvTSIGSecret)
 
@@ -92,10 +103,28 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 		return nil, errors.New("rfc2136: nameserver missing")
 	}
 
+	if config.TSIGFile != "" {
+		key, err := internal.ReadTSIGFile(config.TSIGFile)
+		if err != nil {
+			return nil, fmt.Errorf("rfc2136: read TSIG file: %w", err)
+		}
+
+		config.TSIGAlgorithm = key.Algorithm
+		config.TSIGKey = key.Name
+		config.TSIGSecret = key.Secret
+	}
+
 	if config.TSIGAlgorithm == "" {
 		config.TSIGAlgorithm = dns.HmacSHA1
 	}
 
+	switch config.TSIGAlgorithm {
+	case dns.HmacSHA1, dns.HmacSHA224, dns.HmacSHA256, dns.HmacSHA384, dns.HmacSHA512:
+		// valid algorithm
+	default:
+		return nil, fmt.Errorf("rfc2136: unsupported TSIG algorithm: %s", config.TSIGAlgorithm)
+	}
+
 	// Append the default DNS port if none is specified.
 	if _, _, err := net.SplitHostPort(config.Nameserver); err != nil {
 		if strings.Contains(err.Error(), "missing port") {

providers/dns/rfc2136/rfc2136.toml

@@ -16,10 +16,8 @@ lego --email [email protected] --dns rfc2136 -d '*.example.com' -d example.com run
 keyname=lego; keyfile=lego.key; tsig-keygen $keyname > $keyfile
 
 RFC2136_NAMESERVER=127.0.0.1 \
-RFC2136_TSIG_KEY="$keyname" \
-RFC2136_TSIG_ALGORITHM="$( awk -F'[ ";]' '/algorithm/ { print $2 }' $keyfile )." \
-RFC2136_TSIG_SECRET="$( awk -F'[ ";]' '/secret/ { print $3 }' $keyfile )" \
-lego --email [email protected] --dns rfc2136  d "*.example.com" -d example.com run
+RFC2136_TSIG_FILE="$keyfile" \
+lego --email [email protected] --dns rfc2136  d '*.example.com' -d example.com run
 '''
 
 [Configuration]
@@ -29,6 +27,7 @@ lego --email [email protected] --dns rfc2136  d "*.example.com" -d example.com run
     RFC2136_TSIG_ALGORITHM = "TSIG algorithm. See [miekg/dns#tsig.go](https://github.com/miekg/dns/blob/master/tsig.go) for supported values. To disable TSIG authentication, leave the `RFC2136_TSIG*` variables unset."
     RFC2136_NAMESERVER = 'Network address in the form "host" or "host:port"'
   [Configuration.Additional]
+    RFC2136_TSIG_FILE = "Path to a key file generated by tsig-keygen"
     RFC2136_POLLING_INTERVAL = "Time between DNS propagation check"
     RFC2136_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
     RFC2136_TTL = "The TTL of the TXT record used for the DNS challenge"