Merge pull request #6 from lowEagle/master

Enable http-auth during API-Access

README.md

@@ -37,7 +37,9 @@ An example file is provided in `/usr/local/etc/letsencrypt/certbot-pdns.json`:
 {
   "api-key": "change_it",
   "base-url": "http://127.0.0.1:34022/api/v1",
-  "axfr-time": 5
+  "axfr-time": 5,
+  "http-auth": ["user", "secret_pass"],
+  "verify-cert": "False"
 }
 ```
 
@@ -49,6 +51,10 @@ Configuration keys:
  - base-url: The base URL for PowerDNS API. Require `api=yes` and `api-readonly=no` in file `/etc/powerdns/pdns.conf`
  - axfr-time: The time in seconds to wait for AXFR in slaves. Can be set to 0 if there is only one authoritative server for the zone.
 
+The following two keys are optional and added in case a (nginx) reverse proxy is used to secure access to the api:
+ - http-auth (optional): A list of two strings containing the Username and Password for a http-basic-authentication
+ - verify-cert (optional): defines whether the SSL-certificate provided by the reverse proxy shall be verified. Possible options are True/False or a string containing the path to a local certificate which can be used to verify the one provided by the proxy.
+
 Usage
 -----
 

certbot-pdns.json

@@ -1,5 +1,7 @@
 {
   "api-key": "change_it",
   "base-url": "http://127.0.0.1:34022/api/v1",
-  "axfr-time": 5
-}
+  "axfr-time": 5,
+  "http-auth": ["user", "secret_pass"],
+  "verify-cert": "False"
+}

certbot_pdns/PdnsApiAuthenticator.py

@@ -1,3 +1,6 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
 import json
 
 import logging
@@ -59,6 +62,11 @@ class PdnsApiAuthenticator:
         self.api.set_api_key(config["api-key"])
         self.api.set_base_url(config["base-url"])
         self.axfr_time = config["axfr-time"]
+        # check if additional parameters are set before trying to assign them to ensure backwards compatibility
+        if "verify-cert" in config:
+            self.api.set_verify_cert(config["verify-cert"])
+        if "http-auth" in config:
+            self.api.set_http_auth(config["http-auth"])
         self.zones = self.api.list_zones()
         # print(self.zones)
         # raw_input('Press <ENTER> to continue')

certbot_pdns/__init__.py

@@ -1 +1,4 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
 """Let's Encrypt PDNS plugin"""

certbot_pdns/authenticator.py

@@ -1,3 +1,6 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
 """DNS plugin."""
 import collections
 import logging

certbot_pdns/pdnsapi.py

@@ -1,3 +1,6 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
 import json
 
 import requests
@@ -6,6 +9,8 @@ import requests
 class PdnsApi:
     api_key = None
     base_url = None
+    http_auth = None                                # Standard-value of requests-library will be used
+    verify_cert = None                              # Standard-value of requests-library will be used
 
     def set_api_key(self, api_key):
         self.api_key = api_key
@@ -13,6 +18,18 @@ class PdnsApi:
     def set_base_url(self, base_url):
         self.base_url = base_url
 
+    def set_verify_cert(self, verify_cert):
+        if verify_cert in ("True", "true", True):         # convert from string to real bool if needed
+            self.verify_cert = True
+        elif verify_cert in ("False", "false", False):    # convert from string to real bool if needed
+            self.verify_cert = False
+        elif isinstance(verify_cert, str):          # alternative: path to local cert is given as string
+            self.verify_cert = verify_cert          # see requests-documentation for more info
+        
+    def set_http_auth(self, http_auth):             # credentials should be given as list containing two string-elements
+        if len(http_auth) == 2:                     # first: username, second: password for http-basic auth
+            self.http_auth = (str(http_auth[0]), str(http_auth[1]))     # ensure right format of credentials
+        
     def _query(self, uri, method, kwargs=None):
         headers = {
             'X-API-Key': self.api_key,
@@ -23,15 +40,20 @@ class PdnsApi:
         data = json.dumps(kwargs)
 
         if method == "GET":
-            request = requests.get(self.base_url + uri, headers=headers)
+            request = requests.get(self.base_url + uri, headers=headers,
+                                   auth=self.http_auth, verify=self.verify_cert)
         elif method == "POST":
-            request = requests.post(self.base_url + uri, headers=headers, data=data)
+            request = requests.post(self.base_url + uri, headers=headers, data=data,
+                                    auth=self.http_auth, verify=self.verify_cert)
         elif method == "PUT":
-            request = requests.put(self.base_url + uri, headers=headers, data=data)
+            request = requests.put(self.base_url + uri, headers=headers, data=data,
+                                   auth=self.http_auth, verify=self.verify_cert)
         elif method == "PATCH":
-            request = requests.patch(self.base_url + uri, headers=headers, data=data)
+            request = requests.patch(self.base_url + uri, headers=headers, data=data,
+                                     auth=self.http_auth, verify=self.verify_cert)
         elif method == "DELETE":
-            request = requests.delete(self.base_url + uri, headers=headers)
+            request = requests.delete(self.base_url + uri, headers=headers,
+                                      auth=self.http_auth, verify=self.verify_cert)
         else:
             raise ValueError("Invalid method '%s'" % method)