43e426ab9f
This reverts commit fdcc5d68a2.
Unfortunately, this requires us to move exports to the bottom.
This in turn causes circular dep issues and also access of
exports.GLOBAL_VAR in the global context
295 lines
13 KiB
JavaScript
295 lines
13 KiB
JavaScript
'use strict';
|
|
|
|
exports = module.exports = {
|
|
removePrivateFields,
|
|
injectPrivateFields,
|
|
upsert,
|
|
get,
|
|
del,
|
|
wait,
|
|
verifyDomainConfig
|
|
};
|
|
|
|
const assert = require('node:assert'),
|
|
BoxError = require('../boxerror.js'),
|
|
constants = require('../constants.js'),
|
|
debug = require('debug')('box:dns/cloudflare'),
|
|
dig = require('../dig.js'),
|
|
dns = require('../dns.js'),
|
|
safe = require('safetydance'),
|
|
superagent = require('@cloudron/superagent'),
|
|
waitForDns = require('./waitfordns.js'),
|
|
_ = require('../underscore.js');
|
|
|
|
// we are using latest v4 stable API https://api.cloudflare.com/#getting-started-endpoints
|
|
const CLOUDFLARE_ENDPOINT = 'https://api.cloudflare.com/client/v4';
|
|
|
|
function removePrivateFields(domainObject) {
|
|
delete domainObject.config.token;
|
|
return domainObject;
|
|
}
|
|
|
|
function injectPrivateFields(newConfig, currentConfig) {
|
|
if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
|
|
}
|
|
|
|
function translateResponseError(response) {
|
|
assert.strictEqual(typeof response, 'object');
|
|
|
|
if (response.status === 404) return new BoxError(BoxError.NOT_FOUND, `[${response.status}] ${response.text}`);
|
|
if (response.status === 422) return new BoxError(BoxError.BAD_FIELD, response.body.message);
|
|
if (response.status === 400 || response.status === 401 || response.status === 403) {
|
|
let message = 'Unknown error';
|
|
if (typeof response.body.error === 'string') {
|
|
message = `[${response.status}] ${response.body.error}`;
|
|
} else if (Array.isArray(response.body.errors) && response.body.errors.length > 0) {
|
|
const error = response.body.errors[0];
|
|
message = `[${response.status}] ${error.message} code:${error.code}`;
|
|
}
|
|
return new BoxError(BoxError.ACCESS_DENIED, message);
|
|
}
|
|
|
|
return new BoxError(BoxError.EXTERNAL_ERROR, `${response.status} ${response.text}`);
|
|
}
|
|
|
|
function createRequest(method, url, domainConfig) {
|
|
assert.strictEqual(typeof method, 'string');
|
|
assert.strictEqual(typeof url, 'string');
|
|
assert.strictEqual(typeof domainConfig, 'object');
|
|
|
|
const request = superagent.request(method, url).timeout(30 * 1000).ok(() => true);
|
|
|
|
if (domainConfig.tokenType === 'GlobalApiKey') {
|
|
request.set('X-Auth-Key', domainConfig.token).set('X-Auth-Email', domainConfig.email);
|
|
} else {
|
|
request.set('Authorization', 'Bearer ' + domainConfig.token);
|
|
}
|
|
|
|
return request;
|
|
}
|
|
|
|
async function getZoneByName(domainConfig, zoneName) {
|
|
assert.strictEqual(typeof domainConfig, 'object');
|
|
assert.strictEqual(typeof zoneName, 'string');
|
|
|
|
const [error, response] = await safe(createRequest('GET', `${CLOUDFLARE_ENDPOINT}/zones?name=${zoneName}&status=active`, domainConfig));
|
|
if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);
|
|
if (response.status !== 200 || response.body.success !== true) throw translateResponseError(response);
|
|
if (!response.body.result || !response.body.result.length) throw new BoxError(BoxError.NOT_FOUND, `${response.status} ${response.text}`);
|
|
|
|
// check 'id' and 'name_servers' exist in the response
|
|
const zone = response.body.result[0];
|
|
const zoneId = safe.query(zone, 'id');
|
|
if (typeof zoneId !== 'string') throw new BoxError(BoxError.EXTERNAL_ERROR, `No zone id in response: ${response.status} ${response.text}`);
|
|
const name_servers = safe.query(zone, 'name_servers');
|
|
if (!Array.isArray(name_servers)) throw new BoxError(BoxError.EXTERNAL_ERROR, `name_servers is not an array: ${response.status} ${response.text}`);
|
|
|
|
return zone;
|
|
}
|
|
|
|
// gets records filtered by zone, type and fqdn
|
|
async function getDnsRecords(domainConfig, zoneId, fqdn, type) {
|
|
assert.strictEqual(typeof domainConfig, 'object');
|
|
assert.strictEqual(typeof zoneId, 'string');
|
|
assert.strictEqual(typeof fqdn, 'string');
|
|
assert.strictEqual(typeof type, 'string');
|
|
|
|
const [error, response] = await safe(createRequest('GET', `${CLOUDFLARE_ENDPOINT}/zones/${zoneId}/dns_records`, domainConfig)
|
|
.query({ type: type, name: fqdn }));
|
|
|
|
if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);
|
|
if (response.status !== 200 || response.body.success !== true) throw translateResponseError(response);
|
|
|
|
const result = response.body.result;
|
|
if (result === null) return []; // sometime about now, cloudflare API has started returning null instead of empty array
|
|
if (!Array.isArray(result)) throw new BoxError(BoxError.EXTERNAL_ERROR, `result is not an array when getting records: ${response.status} ${response.text}`);
|
|
return result;
|
|
}
|
|
|
|
async function upsert(domainObject, location, type, values) {
|
|
assert.strictEqual(typeof domainObject, 'object');
|
|
assert.strictEqual(typeof location, 'string');
|
|
assert.strictEqual(typeof type, 'string');
|
|
assert(Array.isArray(values));
|
|
|
|
const domainConfig = domainObject.config,
|
|
zoneName = domainObject.zoneName,
|
|
fqdn = dns.fqdn(location, domainObject.domain);
|
|
|
|
debug('upsert: %s for zone %s of type %s with values %j', fqdn, zoneName, type, values);
|
|
|
|
const zone = await getZoneByName(domainConfig, zoneName);
|
|
const zoneId = zone.id;
|
|
|
|
const records = await getDnsRecords(domainConfig, zoneId, fqdn, type);
|
|
|
|
let i = 0; // // used to track available records to update instead of create
|
|
|
|
for (let value of values) {
|
|
let priority = null;
|
|
|
|
if (type === 'MX') {
|
|
priority = parseInt(value.split(' ')[0], 10);
|
|
value = value.split(' ')[1];
|
|
}
|
|
|
|
const data = {
|
|
type: type,
|
|
name: fqdn,
|
|
content: value,
|
|
priority: priority,
|
|
proxied: false,
|
|
ttl: 120 // 1 means "automatic" (meaning 300ms) and 120 is the lowest supported
|
|
};
|
|
|
|
if (i >= records.length) { // create a new record
|
|
if (type === 'A' || type === 'AAAA' || type === 'CNAME') {
|
|
data.proxied = !!domainConfig.defaultProxyStatus; // note that cloudflare will error if proxied is set for wrong record type or IP. only set at install time
|
|
}
|
|
|
|
debug(`upsert: Adding new record fqdn: ${fqdn}, zoneName: ${zoneName} proxied: ${data.proxied}`);
|
|
|
|
const [error, response] = await safe(createRequest('POST', `${CLOUDFLARE_ENDPOINT}/zones/${zoneId}/dns_records`, domainConfig)
|
|
.send(data));
|
|
if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);
|
|
if (response.status !== 200 || response.body.success !== true) throw translateResponseError(response);
|
|
} else { // replace existing record
|
|
data.proxied = records[i].proxied; // preserve proxied parameter
|
|
|
|
debug(`upsert: Updating existing record fqdn: ${fqdn}, zoneName: ${zoneName} proxied: ${data.proxied}`);
|
|
|
|
const [error, response] = await safe(createRequest('PUT', `${CLOUDFLARE_ENDPOINT}/zones/${zoneId}/dns_records/${records[i].id}`, domainConfig)
|
|
.send(data));
|
|
if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);
|
|
if (response.status !== 200 || response.body.success !== true) throw translateResponseError(response);
|
|
++i; // increment, as we have consumed the record
|
|
}
|
|
}
|
|
|
|
for (let j = values.length + 1; j < records.length; j++) {
|
|
|
|
const [error] = await safe(createRequest('DELETE', `${CLOUDFLARE_ENDPOINT}/zones/${zoneId}/dns_records/${records[j].id}`, domainConfig));
|
|
if (error) debug(`upsert: error removing record ${records[j].id}: ${error.message}`);
|
|
}
|
|
}
|
|
|
|
async function get(domainObject, location, type) {
|
|
assert.strictEqual(typeof domainObject, 'object');
|
|
assert.strictEqual(typeof location, 'string');
|
|
assert.strictEqual(typeof type, 'string');
|
|
|
|
const domainConfig = domainObject.config,
|
|
zoneName = domainObject.zoneName,
|
|
fqdn = dns.fqdn(location, domainObject.domain);
|
|
|
|
const zone = await getZoneByName(domainConfig, zoneName);
|
|
const result = await getDnsRecords(domainConfig, zone.id, fqdn, type);
|
|
const tmp = result.map(function (record) { return record.content; });
|
|
return tmp;
|
|
}
|
|
|
|
async function del(domainObject, location, type, values) {
|
|
assert.strictEqual(typeof domainObject, 'object');
|
|
assert.strictEqual(typeof location, 'string');
|
|
assert.strictEqual(typeof type, 'string');
|
|
assert(Array.isArray(values));
|
|
|
|
const domainConfig = domainObject.config,
|
|
zoneName = domainObject.zoneName,
|
|
fqdn = dns.fqdn(location, domainObject.domain);
|
|
|
|
const zone = await getZoneByName(domainConfig, zoneName);
|
|
|
|
const result = await getDnsRecords(domainConfig, zone.id, fqdn, type);
|
|
if (result.length === 0) return;
|
|
|
|
const tmp = result.filter(function (record) { return values.some(function (value) { return value === record.content; }); });
|
|
debug('del: %j', tmp);
|
|
|
|
if (tmp.length === 0) return;
|
|
|
|
for (const r of tmp) {
|
|
const [error, response] = await safe(createRequest('DELETE', `${CLOUDFLARE_ENDPOINT}/zones/${zone.id}/dns_records/${r.id}`, domainConfig));
|
|
if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);
|
|
if (response.status !== 200 || response.body.success !== true) throw translateResponseError(response);
|
|
}
|
|
}
|
|
|
|
async function wait(domainObject, subdomain, type, value, options) {
|
|
assert.strictEqual(typeof domainObject, 'object');
|
|
assert.strictEqual(typeof subdomain, 'string');
|
|
assert.strictEqual(typeof type, 'string');
|
|
assert.strictEqual(typeof value, 'string');
|
|
assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
|
|
|
|
const domainConfig = domainObject.config,
|
|
zoneName = domainObject.zoneName,
|
|
fqdn = dns.fqdn(subdomain, domainObject.domain);
|
|
|
|
debug('wait: %s for zone %s of type %s', fqdn, zoneName, type);
|
|
|
|
const zone = await getZoneByName(domainConfig, zoneName);
|
|
const zoneId = zone.id;
|
|
|
|
const dnsRecords = await getDnsRecords(domainConfig, zoneId, fqdn, type);
|
|
if (dnsRecords.length === 0) throw new BoxError(BoxError.NOT_FOUND, 'Domain not found');
|
|
|
|
if (!dnsRecords[0].proxied) return await waitForDns(fqdn, domainObject.zoneName, type, value, options);
|
|
|
|
debug('wait: skipping wait of proxied domain');
|
|
|
|
// maybe we can check for dns to be cloudflare IPs? https://api.cloudflare.com/#cloudflare-ips-cloudflare-ip-details
|
|
}
|
|
|
|
async function verifyDomainConfig(domainObject) {
|
|
assert.strictEqual(typeof domainObject, 'object');
|
|
|
|
const domainConfig = domainObject.config,
|
|
zoneName = domainObject.zoneName;
|
|
|
|
// token can be api token or global api key
|
|
if (!domainConfig.token || typeof domainConfig.token !== 'string') throw new BoxError(BoxError.BAD_FIELD, 'token must be a non-empty string');
|
|
if (domainConfig.tokenType !== 'GlobalApiKey' && domainConfig.tokenType !== 'ApiToken') throw new BoxError(BoxError.BAD_FIELD, 'tokenType is required');
|
|
if ('customNameservers' in domainConfig && typeof domainConfig.customNameservers !== 'boolean') throw new BoxError(BoxError.BAD_FIELD, 'customNameservers must be a boolean');
|
|
|
|
if (domainConfig.tokenType === 'GlobalApiKey') {
|
|
if (typeof domainConfig.email !== 'string') throw new BoxError(BoxError.BAD_FIELD, 'email must be a non-empty string');
|
|
}
|
|
|
|
if (typeof domainConfig.defaultProxyStatus !== 'boolean') throw new BoxError(BoxError.BAD_FIELD, 'defaultProxyStatus must be a boolean');
|
|
|
|
const ip = !domainConfig.defaultProxyStatus ? '127.0.0.1' : '103.31.4.0'; // when proxying 127.0.0.1 is not valid. use an address owned by cloudflare itself
|
|
|
|
const sanitizedConfig = {
|
|
token: domainConfig.token,
|
|
tokenType: domainConfig.tokenType,
|
|
email: domainConfig.email || null,
|
|
defaultProxyStatus: domainConfig.defaultProxyStatus,
|
|
customNameservers: !!domainConfig.customNameservers
|
|
};
|
|
|
|
if (constants.TEST) return sanitizedConfig; // this shouldn't be here
|
|
|
|
const [error, nameservers] = await safe(dig.resolve(zoneName, 'NS', { timeout: 5000 }));
|
|
if (error && error.code === 'ENOTFOUND') throw new BoxError(BoxError.BAD_FIELD, 'Unable to resolve nameservers for this domain');
|
|
if (error || !nameservers) throw new BoxError(BoxError.BAD_FIELD, error ? error.message : 'Unable to get nameservers');
|
|
|
|
const zone = await getZoneByName(domainConfig, zoneName);
|
|
|
|
if (!_.isEqual(zone.name_servers.sort(), nameservers.sort())) {
|
|
debug('verifyDomainConfig: %j and %j do not match', nameservers, zone.name_servers);
|
|
if (!domainConfig.customNameservers) throw new BoxError(BoxError.BAD_FIELD, 'Domain nameservers are not set to Cloudflare');
|
|
}
|
|
|
|
const location = 'cloudrontestdns';
|
|
|
|
await upsert(domainObject, location, 'A', [ ip ]);
|
|
debug('verifyDomainConfig: Test A record added');
|
|
|
|
await del(domainObject, location, 'A', [ ip ]);
|
|
debug('verifyDomainConfig: Test A record removed again');
|
|
|
|
return sanitizedConfig;
|
|
}
|
|
|