
Merge pull request #6 from lowEagle/master

Enable http-auth during API-Access
tags/v1.2.0
Robin Thoni 6 jaren geleden
bovenliggende
commit
bc923e0cc3
6 gewijzigde bestanden met toevoegingen van 52 en 8 verwijderingen
  1. 7
    1
      README.md
  2. 4
    2
      certbot-pdns.json
  3. 8
    0
      certbot_pdns/PdnsApiAuthenticator.py
  4. 3
    0
      certbot_pdns/__init__.py
  5. 3
    0
      certbot_pdns/authenticator.py
  6. 27
    5
      certbot_pdns/pdnsapi.py

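--- a/README.md
+++ b/README.md
@@ -37,7 +37,9 @@ An example file is provided in `/usr/local/etc/letsencrypt/certbot-pdns.json`:
 {
   "api-key": "change_it",
   "base-url": "http://127.0.0.1:34022/api/v1",
-  "axfr-time": 5
+  "axfr-time": 5,
+  "http-auth": ["user", "secret_pass"],
+  "verify-cert": "False"
 }
 ```
 
@@ -49,6 +51,10 @@ Configuration keys:
  - base-url: The base URL for PowerDNS API. Require `api=yes` and `api-readonly=no` in file `/etc/powerdns/pdns.conf`
  - axfr-time: The time in seconds to wait for AXFR in slaves. Can be set to 0 if there is only one authoritative server for the zone.
 
+The following two keys are optional and added in case a (nginx) reverse proxy is used to secure access to the api:
+ - http-auth (optional): A list of two strings containing the Username and Password for a http-basic-authentication
+ - verify-cert (optional): defines whether the SSL-certificate provided by the reverse proxy shall be verified. Possible options are True/False or a string containing the path to a local certificate which can be used to verify the one provided by the proxy.
+
 Usage
 -----
 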

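--- a/certbot-pdns.json
+++ b/certbot-pdns.json
@@ -1,5 +1,7 @@
 {
   "api-key": "change_it",
   "base-url": "http://127.0.0.1:34022/api/v1",
-  "axfr-time": 5
-}
+  "axfr-time": 5,
+  "http-auth": ["user", "secret_pass"],
+  "verify-cert": "False"
+}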
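Review bot: The shipped example sets `"verify-cert": "False"`, so an operator who copies this file and only points `base-url` at an HTTPS reverse proxy keeps certificate verification switched off while the API key and the basic-auth password are sent on every request. The example would be safer with `"verify-cert": "True"`, or with the key left out, since `PdnsApi.verify_cert` stays `None` when the key is absent and its comment says the requests default then applies. With the `http://` base URL shown here the setting has no effect and the basic-auth credentials travel unencrypted, which is presumably acceptable only because the address is loopback; the README could say so.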

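--- a/certbot_pdns/PdnsApiAuthenticator.py
+++ b/certbot_pdns/PdnsApiAuthenticator.py
@@ -1,3 +1,6 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
 import json
 
 import logging
@@ -59,6 +62,11 @@ class PdnsApiAuthenticator:
         self.api.set_api_key(config["api-key"])
         self.api.set_base_url(config["base-url"])
         self.axfr_time = config["axfr-time"]
+        # check if additional parameters are set before trying to assign them to ensure backwards compatibility
+        if "verify-cert" in config:
+            self.api.set_verify_cert(config["verify-cert"])
+        if "http-auth" in config:
+            self.api.set_http_auth(config["http-auth"])
         self.zones = self.api.list_zones()
         # print(self.zones)
         # raw_input('Press <ENTER> to continue')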
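Review bot: The presence test at `if "http-auth" in config:` hands whatever the JSON holds to the setter, so `"http-auth": null` reaches `len(http_auth)` in `set_http_auth` and raises a TypeError, and a two-character string passes the length check and is split into a one-letter username and password. Checking the type before the call, for example `if isinstance(config.get("http-auth"), list):`, and logging a configuration error otherwise (without printing the value) would make a mistyped credential entry visible at start-up. The enclosing method starts and ends outside this hunk.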

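--- a/certbot_pdns/__init__.py
+++ b/certbot_pdns/__init__.py
@@ -1 +1,4 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
 """Let's Encrypt PDNS plugin"""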

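--- a/certbot_pdns/authenticator.py
+++ b/certbot_pdns/authenticator.py
@@ -1,3 +1,6 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
 """DNS plugin."""
 import collections
 import logging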

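--- a/certbot_pdns/pdnsapi.py
+++ b/certbot_pdns/pdnsapi.py
@@ -1,3 +1,6 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
 import json
 
 import requests
@@ -6,6 +9,8 @@ import requests
 class PdnsApi:
     api_key = None
     base_url = None
+    http_auth = None                                # Standard-value of requests-library will be used
+    verify_cert = None                              # Standard-value of requests-library will be used
 
     def set_api_key(self, api_key):
         self.api_key = api_key
@@ -13,6 +18,18 @@ class PdnsApi:
     def set_base_url(self, base_url):
         self.base_url = base_url
 
+    def set_verify_cert(self, verify_cert):
+        if verify_cert in ("True", "true", True):         # convert from string to real bool if needed
+            self.verify_cert = True
+        elif verify_cert in ("False", "false", False):    # convert from string to real bool if needed
+            self.verify_cert = False
+        elif isinstance(verify_cert, str):          # alternative: path to local cert is given as string
+            self.verify_cert = verify_cert          # see requests-documentation for more info
+        
+    def set_http_auth(self, http_auth):             # credentials should be given as list containing two string-elements
+        if len(http_auth) == 2:                     # first: username, second: password for http-basic auth
+            self.http_auth = (str(http_auth[0]), str(http_auth[1]))     # ensure right format of credentials
+        
     def _query(self, uri, method, kwargs=None):
         headers = {
             'X-API-Key': self.api_key,
@@ -23,15 +40,20 @@ class PdnsApi:
         data = json.dumps(kwargs)
 
         if method == "GET":
-            request = requests.get(self.base_url + uri, headers=headers)
+            request = requests.get(self.base_url + uri, headers=headers,
+                                   auth=self.http_auth, verify=self.verify_cert)
         elif method == "POST":
-            request = requests.post(self.base_url + uri, headers=headers, data=data)
+            request = requests.post(self.base_url + uri, headers=headers, data=data,
+                                    auth=self.http_auth, verify=self.verify_cert)
         elif method == "PUT":
-            request = requests.put(self.base_url + uri, headers=headers, data=data)
+            request = requests.put(self.base_url + uri, headers=headers, data=data,
+                                   auth=self.http_auth, verify=self.verify_cert)
         elif method == "PATCH":
-            request = requests.patch(self.base_url + uri, headers=headers, data=data)
+            request = requests.patch(self.base_url + uri, headers=headers, data=data,
+                                     auth=self.http_auth, verify=self.verify_cert)
         elif method == "DELETE":
-            request = requests.delete(self.base_url + uri, headers=headers)
+            request = requests.delete(self.base_url + uri, headers=headers,
+                                      auth=self.http_auth, verify=self.verify_cert)
         else:
             raise ValueError("Invalid method '%s'" % method)
 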
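Review bot: `set_verify_cert` and `set_http_auth` silently keep the previous value when they do not recognise their input, so an entry such as `"http-auth": ["user"]` or `"verify-cert": 2` is dropped without a trace and `_query` sends every request with settings the operator did not ask for. Both setters should reject what they cannot interpret, the way `_query` already raises `ValueError` for an unknown method, and the error text should leave out the `http-auth` value because it contains the password. If the plugin still runs under Python 2, `isinstance(verify_cert, str)` will probably not match the unicode strings `json` returns, so the CA-bundle path form is worth a test there. `_query` starts in the third hunk and continues past the end of the last one.

```python
    def set_verify_cert(self, verify_cert):
        # … unchanged: the True / False / path branches …
        else:
            # reject values that are neither a bool, "true"/"false" nor a path
            raise ValueError("Invalid verify-cert value '%s'" % (verify_cert,))

    def set_http_auth(self, http_auth):
        # the message deliberately omits the value, which contains the password
        if not isinstance(http_auth, (list, tuple)) or len(http_auth) != 2:
            raise ValueError("http-auth must be a list of two strings")
        self.http_auth = (str(http_auth[0]), str(http_auth[1]))
```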
