import assert from 'node:assert'; import BoxError from '../boxerror.js'; import constants from '../constants.js'; import logger from '../logger.js'; import dig from '../dig.js'; import dns from '../dns.js'; import safe from 'safetydance'; import superagent from '@cloudron/superagent'; import waitForDns from './waitfordns.js'; const { log, trace } = logger('dns/hetzner'); const ENDPOINT = 'https://dns.hetzner.com/api/v1'; function formatError(response) { return `Hetzner DNS error ${response.status} ${response.text}`; } function removePrivateFields(domainObject) { delete domainObject.config.token; return domainObject; } function injectPrivateFields(newConfig, currentConfig) { if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token; } async function getZone(domainConfig, zoneName) { assert.strictEqual(typeof domainConfig, 'object'); assert.strictEqual(typeof zoneName, 'string'); const [error, response] = await safe(superagent.get(`${ENDPOINT}/zones`) .set('Auth-API-Token', domainConfig.token) .query({ search_name: zoneName }) .timeout(30 * 1000) .retry(5) .ok(() => true)); if (error) throw new BoxError(BoxError.NETWORK_ERROR, error); if (response.status === 401 || response.status === 403) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response)); if (response.status !== 200) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response)); if (!Array.isArray(response.body.zones)) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response)); const zone = response.body.zones.filter(z => z.name === zoneName); if (zone.length === 0) throw new BoxError(BoxError.NOT_FOUND, formatError(response)); return zone[0]; } async function getZoneRecords(domainConfig, zone, name, type) { assert.strictEqual(typeof domainConfig, 'object'); assert.strictEqual(typeof zone, 'object'); assert.strictEqual(typeof name, 'string'); assert.strictEqual(typeof type, 'string'); let page = 1, matchingRecords = []; log(`getZoneRecords: getting dns records of ${zone.name} with ${name} and type ${type}`); const perPage = 50; while (true) { const [error, response] = await safe(superagent.get(`${ENDPOINT}/records`) .set('Auth-API-Token', domainConfig.token) .query({ zone_id: zone.id, page, per_page: perPage }) .timeout(30 * 1000) .retry(5) .ok(() => true)); if (error) throw new BoxError(BoxError.NETWORK_ERROR, error); if (response.status === 404) throw new BoxError(BoxError.NOT_FOUND, formatError(response)); if (response.status === 401 || response.status === 403) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response)); if (response.status !== 200) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response)); matchingRecords = matchingRecords.concat(response.body.records.filter(function (record) { return (record.type === type && record.name === name); })); if (response.body.records.length < perPage) break; ++page; } return matchingRecords; } async function upsert(domainObject, location, type, values) { assert.strictEqual(typeof domainObject, 'object'); assert.strictEqual(typeof location, 'string'); assert.strictEqual(typeof type, 'string'); assert(Array.isArray(values)); const domainConfig = domainObject.config, zoneName = domainObject.zoneName, name = dns.getName(domainObject, location, type) || '@'; log(`upsert: ${name} for zone ${zoneName} of type ${type} with values ${JSON.stringify(values)}`); const zone = await getZone(domainConfig, zoneName); const records = await getZoneRecords(domainConfig, zone, name, type); // used to track available records to update instead of create let i = 0; for (const value of values) { const data = { type, name, value, ttl: 60, zone_id: zone.id }; if (i >= records.length) { const [error, response] = await safe(superagent.post(`${ENDPOINT}/records`) .set('Auth-API-Token', domainConfig.token) .send(data) .timeout(30 * 1000) .retry(5) .ok(() => true)); if (error) throw new BoxError(BoxError.NETWORK_ERROR, error); if (response.status === 403 || response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response)); if (response.status === 422) throw new BoxError(BoxError.BAD_FIELD, response.body.message); if (response.status !== 200) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response)); } else { const [error, response] = await safe(superagent.put(`${ENDPOINT}/records/${records[i].id}`) .set('Auth-API-Token', domainConfig.token) .send(data) .timeout(30 * 1000) .retry(5) .ok(() => true)); ++i; if (error) throw new BoxError(BoxError.NETWORK_ERROR, error); if (response.status === 403 || response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response)); if (response.status === 422) throw new BoxError(BoxError.BAD_FIELD, response.body.message); if (response.status !== 200) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response)); } } for (let j = values.length + 1; j < records.length; j++) { const [error] = await safe(superagent.del(`${ENDPOINT}/records/${records[j].id}`) .set('Auth-API-Token', domainConfig.token) .timeout(30 * 1000) .retry(5) .ok(() => true)); if (error) log(`upsert: error removing record ${records[j].id}: ${error.message}`); } log('upsert: completed'); } async function get(domainObject, location, type) { assert.strictEqual(typeof domainObject, 'object'); assert.strictEqual(typeof location, 'string'); assert.strictEqual(typeof type, 'string'); const domainConfig = domainObject.config, zoneName = domainObject.zoneName, name = dns.getName(domainObject, location, type) || '@'; const zone = await getZone(domainConfig, zoneName); const result = await getZoneRecords(domainConfig, zone, name, type); return result.map(function (record) { return record.value; }); } async function del(domainObject, location, type, values) { assert.strictEqual(typeof domainObject, 'object'); assert.strictEqual(typeof location, 'string'); assert.strictEqual(typeof type, 'string'); assert(Array.isArray(values)); const domainConfig = domainObject.config, zoneName = domainObject.zoneName, name = dns.getName(domainObject, location, type) || '@'; const zone = await getZone(domainConfig, zoneName); const records = await getZoneRecords(domainConfig, zone, name, type); if (records.length === 0) return; const matchingRecords = records.filter(function (record) { return values.some(function (value) { return value === record.value; }); }); if (matchingRecords.length === 0) return; for (const r of matchingRecords) { const [error, response] = await safe(superagent.del(`${ENDPOINT}/records/${r.id}`) .set('Auth-API-Token', domainConfig.token) .timeout(30 * 1000) .retry(5) .ok(() => true)); if (error) throw new BoxError(BoxError.NETWORK_ERROR, error); if (response.status === 404) return; if (response.status === 403 || response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response)); if (response.status !== 200) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response)); } } async function wait(domainObject, subdomain, type, value, options) { assert.strictEqual(typeof domainObject, 'object'); assert.strictEqual(typeof subdomain, 'string'); assert.strictEqual(typeof type, 'string'); assert.strictEqual(typeof value, 'string'); assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 } const fqdn = dns.fqdn(subdomain, domainObject.domain); await waitForDns(fqdn, domainObject.zoneName, type, value, options); } async function verifyDomainConfig(domainObject) { assert.strictEqual(typeof domainObject, 'object'); const domainConfig = domainObject.config, zoneName = domainObject.zoneName; if (!domainConfig.token || typeof domainConfig.token !== 'string') throw new BoxError(BoxError.BAD_FIELD, 'token must be a non-empty string'); if ('customNameservers' in domainConfig && typeof domainConfig.customNameservers !== 'boolean') throw new BoxError(BoxError.BAD_FIELD, 'customNameservers must be a boolean'); const ip = '127.0.0.1'; const credentials = { token: domainConfig.token, customNameservers: !!domainConfig.customNameservers }; if (constants.TEST) return credentials; // this shouldn't be here const [error, nameservers] = await safe(dig.resolve(zoneName, 'NS', { timeout: 5000 })); if (error && error.code === 'ENOTFOUND') throw new BoxError(BoxError.BAD_FIELD, 'Unable to resolve nameservers for this domain'); if (error || !nameservers) throw new BoxError(BoxError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'); // https://docs.hetzner.com/dns-console/dns/general/dns-overview#the-hetzner-online-name-servers-are if (!nameservers.every(function (n) { return n.toLowerCase().search(/hetzner|your-server|second-ns/) !== -1; })) { log('verifyDomainConfig: %j does not contain Hetzner NS', nameservers); if (!domainConfig.customNameservers) throw new BoxError(BoxError.BAD_FIELD, 'Domain nameservers are not set to Hetzner'); } const location = 'cloudrontestdns'; await upsert(domainObject, location, 'A', [ ip ]); log('verifyDomainConfig: Test A record added'); await del(domainObject, location, 'A', [ ip ]); log('verifyDomainConfig: Test A record removed again'); return credentials; } export default { removePrivateFields, injectPrivateFields, upsert, get, del, wait, verifyDomainConfig };