'use strict'; exports = module.exports = { removePrivateFields, injectPrivateFields, upsert, get, del, wait, verifyDomainConfig }; const assert = require('node:assert'), BoxError = require('../boxerror.js'), constants = require('../constants.js'), debug = require('debug')('box:dns/cloudflare'), dig = require('../dig.js'), dns = require('../dns.js'), safe = require('safetydance'), superagent = require('@cloudron/superagent'), waitForDns = require('./waitfordns.js'), _ = require('../underscore.js'); // we are using latest v4 stable API https://api.cloudflare.com/#getting-started-endpoints const CLOUDFLARE_ENDPOINT = 'https://api.cloudflare.com/client/v4'; function removePrivateFields(domainObject) { delete domainObject.config.token; return domainObject; } function injectPrivateFields(newConfig, currentConfig) { if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token; } function translateResponseError(response) { assert.strictEqual(typeof response, 'object'); if (response.status === 404) return new BoxError(BoxError.NOT_FOUND, `[${response.status}] ${response.text}`); if (response.status === 422) return new BoxError(BoxError.BAD_FIELD, response.body.message); if (response.status === 400 || response.status === 401 || response.status === 403) { let message = 'Unknown error'; if (typeof response.body.error === 'string') { message = `[${response.status}] ${response.body.error}`; } else if (Array.isArray(response.body.errors) && response.body.errors.length > 0) { const error = response.body.errors[0]; message = `[${response.status}] ${error.message} code:${error.code}`; } return new BoxError(BoxError.ACCESS_DENIED, message); } return new BoxError(BoxError.EXTERNAL_ERROR, `${response.status} ${response.text}`); } function createRequest(method, url, domainConfig) { assert.strictEqual(typeof method, 'string'); assert.strictEqual(typeof url, 'string'); assert.strictEqual(typeof domainConfig, 'object'); const request = superagent.request(method, url).timeout(30 * 1000).ok(() => true); if (domainConfig.tokenType === 'GlobalApiKey') { request.set('X-Auth-Key', domainConfig.token).set('X-Auth-Email', domainConfig.email); } else { request.set('Authorization', 'Bearer ' + domainConfig.token); } return request; } async function getZoneByName(domainConfig, zoneName) { assert.strictEqual(typeof domainConfig, 'object'); assert.strictEqual(typeof zoneName, 'string'); const [error, response] = await safe(createRequest('GET', `${CLOUDFLARE_ENDPOINT}/zones?name=${zoneName}&status=active`, domainConfig)); if (error) throw new BoxError(BoxError.NETWORK_ERROR, error); if (response.status !== 200 || response.body.success !== true) throw translateResponseError(response); if (!response.body.result || !response.body.result.length) throw new BoxError(BoxError.NOT_FOUND, `${response.status} ${response.text}`); // check 'id' and 'name_servers' exist in the response const zone = response.body.result[0]; const zoneId = safe.query(zone, 'id'); if (typeof zoneId !== 'string') throw new BoxError(BoxError.EXTERNAL_ERROR, `No zone id in response: ${response.status} ${response.text}`); const name_servers = safe.query(zone, 'name_servers'); if (!Array.isArray(name_servers)) throw new BoxError(BoxError.EXTERNAL_ERROR, `name_servers is not an array: ${response.status} ${response.text}`); return zone; } // gets records filtered by zone, type and fqdn async function getDnsRecords(domainConfig, zoneId, fqdn, type) { assert.strictEqual(typeof domainConfig, 'object'); assert.strictEqual(typeof zoneId, 'string'); assert.strictEqual(typeof fqdn, 'string'); assert.strictEqual(typeof type, 'string'); const [error, response] = await safe(createRequest('GET', `${CLOUDFLARE_ENDPOINT}/zones/${zoneId}/dns_records`, domainConfig) .query({ type: type, name: fqdn })); if (error) throw new BoxError(BoxError.NETWORK_ERROR, error); if (response.status !== 200 || response.body.success !== true) throw translateResponseError(response); const result = response.body.result; if (result === null) return []; // sometime about now, cloudflare API has started returning null instead of empty array if (!Array.isArray(result)) throw new BoxError(BoxError.EXTERNAL_ERROR, `result is not an array when getting records: ${response.status} ${response.text}`); return result; } async function upsert(domainObject, location, type, values) { assert.strictEqual(typeof domainObject, 'object'); assert.strictEqual(typeof location, 'string'); assert.strictEqual(typeof type, 'string'); assert(Array.isArray(values)); const domainConfig = domainObject.config, zoneName = domainObject.zoneName, fqdn = dns.fqdn(location, domainObject.domain); debug('upsert: %s for zone %s of type %s with values %j', fqdn, zoneName, type, values); const zone = await getZoneByName(domainConfig, zoneName); const zoneId = zone.id; const records = await getDnsRecords(domainConfig, zoneId, fqdn, type); let i = 0; // // used to track available records to update instead of create for (let value of values) { let priority = null; if (type === 'MX') { priority = parseInt(value.split(' ')[0], 10); value = value.split(' ')[1]; } const data = { type: type, name: fqdn, content: value, priority: priority, proxied: false, ttl: 120 // 1 means "automatic" (meaning 300ms) and 120 is the lowest supported }; if (i >= records.length) { // create a new record if (type === 'A' || type === 'AAAA' || type === 'CNAME') { data.proxied = !!domainConfig.defaultProxyStatus; // note that cloudflare will error if proxied is set for wrong record type or IP. only set at install time } debug(`upsert: Adding new record fqdn: ${fqdn}, zoneName: ${zoneName} proxied: ${data.proxied}`); const [error, response] = await safe(createRequest('POST', `${CLOUDFLARE_ENDPOINT}/zones/${zoneId}/dns_records`, domainConfig) .send(data)); if (error) throw new BoxError(BoxError.NETWORK_ERROR, error); if (response.status !== 200 || response.body.success !== true) throw translateResponseError(response); } else { // replace existing record data.proxied = records[i].proxied; // preserve proxied parameter debug(`upsert: Updating existing record fqdn: ${fqdn}, zoneName: ${zoneName} proxied: ${data.proxied}`); const [error, response] = await safe(createRequest('PUT', `${CLOUDFLARE_ENDPOINT}/zones/${zoneId}/dns_records/${records[i].id}`, domainConfig) .send(data)); if (error) throw new BoxError(BoxError.NETWORK_ERROR, error); if (response.status !== 200 || response.body.success !== true) throw translateResponseError(response); ++i; // increment, as we have consumed the record } } for (let j = values.length + 1; j < records.length; j++) { const [error] = await safe(createRequest('DELETE', `${CLOUDFLARE_ENDPOINT}/zones/${zoneId}/dns_records/${records[j].id}`, domainConfig)); if (error) debug(`upsert: error removing record ${records[j].id}: ${error.message}`); } } async function get(domainObject, location, type) { assert.strictEqual(typeof domainObject, 'object'); assert.strictEqual(typeof location, 'string'); assert.strictEqual(typeof type, 'string'); const domainConfig = domainObject.config, zoneName = domainObject.zoneName, fqdn = dns.fqdn(location, domainObject.domain); const zone = await getZoneByName(domainConfig, zoneName); const result = await getDnsRecords(domainConfig, zone.id, fqdn, type); const tmp = result.map(function (record) { return record.content; }); return tmp; } async function del(domainObject, location, type, values) { assert.strictEqual(typeof domainObject, 'object'); assert.strictEqual(typeof location, 'string'); assert.strictEqual(typeof type, 'string'); assert(Array.isArray(values)); const domainConfig = domainObject.config, zoneName = domainObject.zoneName, fqdn = dns.fqdn(location, domainObject.domain); const zone = await getZoneByName(domainConfig, zoneName); const result = await getDnsRecords(domainConfig, zone.id, fqdn, type); if (result.length === 0) return; const tmp = result.filter(function (record) { return values.some(function (value) { return value === record.content; }); }); debug('del: %j', tmp); if (tmp.length === 0) return; for (const r of tmp) { const [error, response] = await safe(createRequest('DELETE', `${CLOUDFLARE_ENDPOINT}/zones/${zone.id}/dns_records/${r.id}`, domainConfig)); if (error) throw new BoxError(BoxError.NETWORK_ERROR, error); if (response.status !== 200 || response.body.success !== true) throw translateResponseError(response); } } async function wait(domainObject, subdomain, type, value, options) { assert.strictEqual(typeof domainObject, 'object'); assert.strictEqual(typeof subdomain, 'string'); assert.strictEqual(typeof type, 'string'); assert.strictEqual(typeof value, 'string'); assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 } const domainConfig = domainObject.config, zoneName = domainObject.zoneName, fqdn = dns.fqdn(subdomain, domainObject.domain); debug('wait: %s for zone %s of type %s', fqdn, zoneName, type); const zone = await getZoneByName(domainConfig, zoneName); const zoneId = zone.id; const dnsRecords = await getDnsRecords(domainConfig, zoneId, fqdn, type); if (dnsRecords.length === 0) throw new BoxError(BoxError.NOT_FOUND, 'Domain not found'); if (!dnsRecords[0].proxied) return await waitForDns(fqdn, domainObject.zoneName, type, value, options); debug('wait: skipping wait of proxied domain'); // maybe we can check for dns to be cloudflare IPs? https://api.cloudflare.com/#cloudflare-ips-cloudflare-ip-details } async function verifyDomainConfig(domainObject) { assert.strictEqual(typeof domainObject, 'object'); const domainConfig = domainObject.config, zoneName = domainObject.zoneName; // token can be api token or global api key if (!domainConfig.token || typeof domainConfig.token !== 'string') throw new BoxError(BoxError.BAD_FIELD, 'token must be a non-empty string'); if (domainConfig.tokenType !== 'GlobalApiKey' && domainConfig.tokenType !== 'ApiToken') throw new BoxError(BoxError.BAD_FIELD, 'tokenType is required'); if ('customNameservers' in domainConfig && typeof domainConfig.customNameservers !== 'boolean') throw new BoxError(BoxError.BAD_FIELD, 'customNameservers must be a boolean'); if (domainConfig.tokenType === 'GlobalApiKey') { if (typeof domainConfig.email !== 'string') throw new BoxError(BoxError.BAD_FIELD, 'email must be a non-empty string'); } if (typeof domainConfig.defaultProxyStatus !== 'boolean') throw new BoxError(BoxError.BAD_FIELD, 'defaultProxyStatus must be a boolean'); const ip = !domainConfig.defaultProxyStatus ? '127.0.0.1' : '103.31.4.0'; // when proxying 127.0.0.1 is not valid. use an address owned by cloudflare itself const sanitizedConfig = { token: domainConfig.token, tokenType: domainConfig.tokenType, email: domainConfig.email || null, defaultProxyStatus: domainConfig.defaultProxyStatus, customNameservers: !!domainConfig.customNameservers }; if (constants.TEST) return sanitizedConfig; // this shouldn't be here const [error, nameservers] = await safe(dig.resolve(zoneName, 'NS', { timeout: 5000 })); if (error && error.code === 'ENOTFOUND') throw new BoxError(BoxError.BAD_FIELD, 'Unable to resolve nameservers for this domain'); if (error || !nameservers) throw new BoxError(BoxError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'); const zone = await getZoneByName(domainConfig, zoneName); if (!_.isEqual(zone.name_servers.sort(), nameservers.sort())) { debug('verifyDomainConfig: %j and %j do not match', nameservers, zone.name_servers); if (!domainConfig.customNameservers) throw new BoxError(BoxError.BAD_FIELD, 'Domain nameservers are not set to Cloudflare'); } const location = 'cloudrontestdns'; await upsert(domainObject, location, 'A', [ ip ]); debug('verifyDomainConfig: Test A record added'); await del(domainObject, location, 'A', [ ip ]); debug('verifyDomainConfig: Test A record removed again'); return sanitizedConfig; }