rfc2136: add support for tsig-keygen generated file (#2330)

Co-authored-by: Dominik Menke <git@dmke.org>

Author: ldez

cmd/zz_gen_cmd_dnshelp.go

@@ -27,20 +27,18 @@ Here is an example bash command using the RFC2136 provider:
 
 ```bash
 RFC2136_NAMESERVER=127.0.0.1 \
-RFC2136_TSIG_KEY=lego \
+RFC2136_TSIG_KEY=example.com \
 RFC2136_TSIG_ALGORITHM=hmac-sha256. \
 RFC2136_TSIG_SECRET=YWJjZGVmZGdoaWprbG1ub3BxcnN0dXZ3eHl6MTIzNDU= \
 lego --email you@example.com --dns rfc2136 -d '*.example.com' -d example.com run
 
 ## ---
 
-keyname=lego; keyfile=lego.key; tsig-keygen $keyname > $keyfile
+keyname=example.com; keyfile=example.com.key; tsig-keygen $keyname > $keyfile
 
 RFC2136_NAMESERVER=127.0.0.1 \
-RFC2136_TSIG_KEY="$keyname" \
-RFC2136_TSIG_ALGORITHM="$( awk -F'[ ";]' '/algorithm/ { print $2 }' $keyfile )." \
-RFC2136_TSIG_SECRET="$( awk -F'[ ";]' '/secret/ { print $3 }' $keyfile )" \
-lego --email you@example.com --dns rfc2136  d "*.example.com" -d example.com run
+RFC2136_TSIG_FILE="$keyfile" \
+lego --email you@example.com --dns rfc2136 -d '*.example.com' -d example.com run
 ```
 
 
@@ -51,9 +49,9 @@ lego --email you@example.com --dns rfc2136  d "*.example.com" -d example.com run
 | Environment Variable Name | Description |
 |-----------------------|-------------|
 | `RFC2136_NAMESERVER` | Network address in the form "host" or "host:port" |
-| `RFC2136_TSIG_ALGORITHM` | TSIG algorithm. See [miekg/dns#tsig.go](https://github.com/miekg/dns/blob/master/tsig.go) for supported values. To disable TSIG authentication, leave the `RFC2136_TSIG*` variables unset. |
-| `RFC2136_TSIG_KEY` | Name of the secret key as defined in DNS server configuration. To disable TSIG authentication, leave the `RFC2136_TSIG*` variables unset. |
-| `RFC2136_TSIG_SECRET` | Secret key payload. To disable TSIG authentication, leave the` RFC2136_TSIG*` variables unset. |
+| `RFC2136_TSIG_ALGORITHM` | TSIG algorithm. See [miekg/dns#tsig.go](https://github.com/miekg/dns/blob/master/tsig.go) for supported values. To disable TSIG authentication, leave the `RFC2136_TSIG_KEY` or `RFC2136_TSIG_SECRET` variables unset. |
+| `RFC2136_TSIG_KEY` | Name of the secret key as defined in DNS server configuration. To disable TSIG authentication, leave the `RFC2136_TSIG_KEY` variable unset. |
+| `RFC2136_TSIG_SECRET` | Secret key payload. To disable TSIG authentication, leave the `RFC2136_TSIG_SECRET` variable unset. |
 
 The environment variable names can be suffixed by `_FILE` to reference a file instead of a value.
 More information [here]({{% ref "dns#configuration-and-credentials" %}}).
@@ -67,6 +65,7 @@ More information [here]({{% ref "dns#configuration-and-credentials" %}}).
 | `RFC2136_POLLING_INTERVAL` | Time between DNS propagation check |
 | `RFC2136_PROPAGATION_TIMEOUT` | Maximum waiting time for DNS propagation |
 | `RFC2136_SEQUENCE_INTERVAL` | Time between sequential requests |
+| `RFC2136_TSIG_FILE` | Path to a key file generated by tsig-keygen |
 | `RFC2136_TTL` | The TTL of the TXT record used for the DNS challenge |
 
 The environment variable names can be suffixed by `_FILE` to reference a file instead of a value.

docs/content/dns/zz_gen_rfc2136.md

@@ -0,0 +1,4 @@
+key "example.com" {
+	algorithm;
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};

providers/dns/rfc2136/internal/fixtures/invalid_field.conf

@@ -0,0 +1,4 @@
+key {
+	algorithm hmac-sha256;
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};

providers/dns/rfc2136/internal/fixtures/invalid_key.conf

@@ -0,0 +1,3 @@
+key "example.com" {
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};

providers/dns/rfc2136/internal/fixtures/mising_algo.conf

@@ -0,0 +1,3 @@
+key "example.com" {
+	algorithm hmac-sha256;
+};

providers/dns/rfc2136/internal/fixtures/missing_secret.conf

@@ -0,0 +1,4 @@
+key "example.com" {
+	algorithm hmac-sha256;
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};

providers/dns/rfc2136/internal/fixtures/sample.conf

@@ -0,0 +1,9 @@
+key "example.com" {
+	algorithm hmac-sha256;
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};
+
+key "example.org" {
+        algorithm hmac-sha512;
+        secret "v6CkK3gop6HXj4+dcWiLXLGSYKVY5J1cTMjDsdl/Ah9B8aWfTgjwFBoHHyiHWSyvwWPDuEIRs2Pqm8nedca4+g==";
+};

providers/dns/rfc2136/internal/fixtures/text_after.conf

@@ -0,0 +1,8 @@
+foo {
+    bar example;
+};
+
+key "example.com" {
+	algorithm hmac-sha256;
+	secret "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg=";
+};

providers/dns/rfc2136/internal/fixtures/text_before.conf

@@ -0,0 +1,10 @@
+# TSIG Key File
+
+How to generate example:
+
+```console
+$ docker run --rm -it -v $(pwd):/app -w /app alpine sh
+/app # apk add bind
+/app # tsig-keygen example.com > sample1.conf
+/app # tsig-keygen -a hmac-sha512 example.com > sample2.conf
+```

providers/dns/rfc2136/internal/readme.md

@@ -0,0 +1,89 @@
+package internal
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+)
+
+type Key struct {
+	Name      string
+	Algorithm string
+	Secret    string
+}
+
+// ReadTSIGFile reads TSIG key file generated with `tsig-keygen`.
+func ReadTSIGFile(filename string) (*Key, error) {
+	file, err := os.Open(filename)
+	if err != nil {
+		return nil, fmt.Errorf("open file: %w", err)
+	}
+
+	defer func() { _ = file.Close() }()
+
+	key := &Key{}
+
+	var read bool
+
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		line := strings.TrimSpace(strings.TrimSuffix(scanner.Text(), ";"))
+
+		if line == "" {
+			continue
+		}
+
+		if read && line == "}" {
+			break
+		}
+
+		fields := strings.Fields(line)
+
+		switch {
+		case fields[0] == "key":
+			read = true
+
+			if len(fields) != 3 {
+				return nil, fmt.Errorf("invalid key line: %s", line)
+			}
+
+			key.Name = safeUnquote(fields[1])
+
+		case !read:
+			continue
+
+		default:
+			if len(fields) != 2 {
+				continue
+			}
+
+			v := safeUnquote(fields[1])
+
+			switch safeUnquote(fields[0]) {
+			case "algorithm":
+				key.Algorithm = v
+			case "secret":
+				key.Secret = v
+			default:
+				continue
+			}
+		}
+	}
+
+	return key, nil
+}
+
+func safeUnquote(v string) string {
+	if len(v) < 2 {
+		// empty or single character string
+		return v
+	}
+
+	if v[0] == '"' && v[len(v)-1] == '"' {
+		// string wrapped in quotes
+		return v[1 : len(v)-1]
+	}
+
+	return v
+}

providers/dns/rfc2136/internal/tsigkey.go

@@ -0,0 +1,95 @@
+package internal
+
+import (
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestReadTSIGFile(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		filename string
+		expected *Key
+	}{
+		{
+			desc:     "basic",
+			filename: "sample.conf",
+			expected: &Key{Name: "example.com", Algorithm: "hmac-sha256", Secret: "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg="},
+		},
+		{
+			desc:     "data before the key",
+			filename: "text_before.conf",
+			expected: &Key{Name: "example.com", Algorithm: "hmac-sha256", Secret: "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg="},
+		},
+		{
+			desc:     "data after the key",
+			filename: "text_after.conf",
+			expected: &Key{Name: "example.com", Algorithm: "hmac-sha256", Secret: "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg="},
+		},
+		{
+			desc:     "ignore missing secret",
+			filename: "missing_secret.conf",
+			expected: &Key{Name: "example.com", Algorithm: "hmac-sha256"},
+		},
+		{
+			desc:     "ignore missing algorithm",
+			filename: "mising_algo.conf",
+			expected: &Key{Name: "example.com", Secret: "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg="},
+		},
+		{
+			desc:     "ignore invalid field format",
+			filename: "invalid_field.conf",
+			expected: &Key{Name: "example.com", Secret: "TCG5A6/lOHUGbW0e/9RYYbzWDFMlj1pIxCvybLBayBg="},
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			key, err := ReadTSIGFile(filepath.Join("fixtures", test.filename))
+			require.NoError(t, err)
+
+			assert.Equal(t, test.expected, key)
+		})
+	}
+}
+
+func TestReadTSIGFile_error(t *testing.T) {
+	if runtime.GOOS != "linux" {
+		// Because error messages are different on Windows.
+		t.Skip("only for UNIX systems")
+	}
+
+	testCases := []struct {
+		desc     string
+		filename string
+		expected string
+	}{
+		{
+			desc:     "missing file",
+			filename: "missing.conf",
+			expected: "open file: open fixtures/missing.conf: no such file or directory",
+		},
+		{
+			desc:     "invalid key format",
+			filename: "invalid_key.conf",
+			expected: "invalid key line: key {",
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			_, err := ReadTSIGFile(filepath.Join("fixtures", test.filename))
+			require.Error(t, err)
+
+			require.EqualError(t, err, test.expected)
+		})
+	}
+}