// Mgmt // Copyright (C) James Shubin and the project contributors // Written by James Shubin and the project contributors // // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License // along with this program. If not, see . // // Additional permission under GNU GPL version 3 section 7 // // If you modify this program, or any covered work, by linking or combining it // with embedded mcl code and modules (and that the embedded mcl code and // modules which link with this program, contain a copy of their source code in // the authoritative form) containing parts covered by the terms of any other // license, the licensors of this program grant you additional permission to // convey the resulting work. Furthermore, the licensors of this program grant // the original author, James Shubin, additional permission to update this // additional permission if he deems it necessary to achieve the goals of this // additional permission. package resources import ( "context" "fmt" "github.com/purpleidea/mgmt/engine" "github.com/purpleidea/mgmt/engine/traits" "github.com/purpleidea/mgmt/util/errwrap" "github.com/cloudflare/cloudflare-go/v6" "github.com/cloudflare/cloudflare-go/v6/dns" "github.com/cloudflare/cloudflare-go/v6/option" "github.com/cloudflare/cloudflare-go/v6/zones" ) func init() { engine.RegisterResource("cloudflare:dns", func() engine.Res { return &CloudflareDNSRes{} }) } // TODO: description of cloudflare_dns resource type CloudflareDNSRes struct { traits.Base traits.GraphQueryable init *engine.Init APIToken string `lang:"apitoken"` Comment string `lang:"comment"` Content string `lang:"content"` // using a *int64 here to help with disambiguating nil values Priority *int64 `lang:"priority"` // using a *bool here to help with disambiguating nil values Proxied *bool `lang:"proxied"` Purge bool `lang:"purge"` RecordName string `lang:"record_name"` State string `lang:"state"` TTL int64 `lang:"ttl"` Type string `lang:"type"` Zone string `lang:"zone"` client *cloudflare.Client zoneID string } func (obj *CloudflareDNSRes) Default() engine.Res { return &CloudflareDNSRes{ State: "exists", TTL: 1, // this sets TTL to automatic } } func (obj *CloudflareDNSRes) Validate() error { if obj.RecordName == "" { return fmt.Errorf("record name is required") } if obj.APIToken == "" { return fmt.Errorf("API token is required") } if obj.Type == "" { return fmt.Errorf("record type is required") } if (obj.TTL < 60 || obj.TTL > 86400) && obj.TTL != 1 { // API requirement return fmt.Errorf("TTL must be between 60s and 86400s, or set to 1") } if obj.Zone == "" { return fmt.Errorf("zone name is required") } if obj.State != "exists" && obj.State != "absent" && obj.State != "" { return fmt.Errorf("state must be either 'exists', 'absent', or empty") } if obj.State == "exists" && obj.Content == "" && !obj.Purge { return fmt.Errorf("content is required when state is 'exists'") } if obj.MetaParams().Poll == 0 || obj.MetaParams().Poll < 1 { return fmt.Errorf("cloudflare:dns requiers polling, set Meta:poll param (e.g., 60 seconds), min. 1s") } return nil } func (obj *CloudflareDNSRes) Init(init *engine.Init) error { obj.init = init obj.client = cloudflare.NewClient( option.WithAPIToken(obj.APIToken), ) //TODO: does it make more sense to check it here or in CheckApply()? zoneListParams := zones.ZoneListParams{ Name: cloudflare.F(obj.Zone), } zoneList, err := obj.client.Zones.List(context.Background(), zoneListParams) if err != nil { return errwrap.Wrapf(err, "failed to list zones") } if len(zoneList.Result) == 0 { return fmt.Errorf("zone %s not found", obj.Zone) } obj.zoneID = zoneList.Result[0].ID return nil } func (obj *CloudflareDNSRes) Cleanup() error { obj.APIToken = "" obj.client = nil obj.zoneID = "" return nil } // Watch isn't implemented for this resource, since the Cloudflare API does not // provide any event stream. Instead, always use polling. func (obj *CloudflareDNSRes) Watch(context.Context) error { return fmt.Errorf("invalid Watch call: requires poll metaparam") } func (obj *CloudflareDNSRes) CheckApply(ctx context.Context, apply bool) (bool, error) { zone, err := obj.client.Zones.List(ctx, zones.ZoneListParams{ Name: cloudflare.F(obj.Zone), }) if err != nil { return false, err } if len(zone.Result) == 0 { return false, fmt.Errorf("there's no zone registered with name %s", obj.Zone) } if len(zone.Result) > 1 { return false, fmt.Errorf("there's more than one zone with name %s", obj.Zone) } // We start by checking the need for purging if obj.Purge { checkOK, err := obj.purgeCheckApply(ctx, apply) if err != nil { return false, err } if !checkOK { return false, nil } } // List existing records listParams := dns.RecordListParams{ ZoneID: cloudflare.F(obj.zoneID), Name: cloudflare.F(dns.RecordListParamsName{ Exact: cloudflare.F(obj.RecordName), // this matches the exact name }), Type: cloudflare.F(dns.RecordListParamsType(obj.Type)), } recordList, err := obj.client.DNS.Records.List(ctx, listParams) if err != nil { return false, errwrap.Wrapf(err, "failed to list DNS records") } recordExists := len(recordList.Result) > 0 var record dns.RecordResponse if recordExists { record = recordList.Result[0] } switch obj.State { case "exists", "": if !recordExists { if !apply { return false, nil } if err := obj.createRecord(ctx); err != nil { return false, err } return true, nil } if obj.needsUpdate(record) { if !apply { return false, nil } if err := obj.updateRecord(ctx, record.ID); err != nil { return false, err } return true, nil } case "absent": if recordExists { if !apply { return false, nil } deleteParams := dns.RecordDeleteParams{ ZoneID: cloudflare.F(obj.zoneID), } _, err := obj.client.DNS.Records.Delete(ctx, record.ID, deleteParams) if err != nil { return false, errwrap.Wrapf(err, "failed to delete DNS record") } return true, nil } } return true, nil } func (obj *CloudflareDNSRes) Cmp(r engine.Res) error { if obj == nil && r == nil { return nil } if (obj == nil) != (r == nil) { return fmt.Errorf("one resource is empty") } res, ok := r.(*CloudflareDNSRes) if !ok { return fmt.Errorf("not a %s", obj.Kind()) } if obj.APIToken != res.APIToken { return fmt.Errorf("apitoken differs") } // check how this being a pointer influences this check if obj.Proxied != res.Proxied { return fmt.Errorf("proxied values differ") } if obj.RecordName != res.RecordName { return fmt.Errorf("record name differs") } if obj.Purge != res.Purge { return fmt.Errorf("purge value differs") } if obj.State != res.State { return fmt.Errorf("state differs") } if obj.TTL != res.TTL { return fmt.Errorf("ttl differs") } if obj.Type != res.Type { return fmt.Errorf("record type differs") } if obj.Zone != res.Zone { return fmt.Errorf("zone differs") } if obj.zoneID != res.zoneID { return fmt.Errorf("zoneid differs") } if obj.Content != res.Content { return fmt.Errorf("content param differs") } // check how this being a pointer influences this check if obj.Priority != res.Priority { return fmt.Errorf("the priority param differs") } return nil } // TODO: double check the fields for each record, might have missed some func (obj *CloudflareDNSRes) buildRecordParam() (any, error) { ttl := dns.TTL(obj.TTL) switch obj.Type { case "A": param := dns.ARecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.ARecordTypeA), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "AAAA": param := dns.AAAARecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.AAAARecordTypeAAAA), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "CNAME": param := dns.CNAMERecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.CNAMERecordTypeCNAME), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "MX": param := dns.MXRecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.MXRecordTypeMX), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Priority != nil { // required for MX record param.Priority = cloudflare.F(float64(*obj.Priority)) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "TXT": param := dns.TXTRecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.TXTRecordTypeTXT), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "NS": param := dns.NSRecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.NSRecordTypeNS), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "SRV": param := dns.SRVRecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.SRVRecordTypeSRV), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "PTR": param := dns.PTRRecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.PTRRecordTypePTR), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil default: return nil, fmt.Errorf("record type %s is not supported", obj.Type) } } // buildNewRecordParam creates the appropriate record parameter for creating // records. func (obj *CloudflareDNSRes) buildNewRecordParam() (dns.RecordNewParamsBodyUnion, error) { result, err := obj.buildRecordParam() if err != nil { return nil, err } return result.(dns.RecordNewParamsBodyUnion), nil } // buildEditRecordParam creates the appropriate record parameter for editing // records. func (obj *CloudflareDNSRes) buildEditRecordParam() (dns.RecordEditParamsBodyUnion, error) { result, err := obj.buildRecordParam() if err != nil { return nil, err } return result.(dns.RecordEditParamsBodyUnion), nil } func (obj *CloudflareDNSRes) createRecord(ctx context.Context) error { recordParams, err := obj.buildNewRecordParam() if err != nil { return err } createParams := dns.RecordNewParams{ ZoneID: cloudflare.F(obj.zoneID), Body: recordParams, } _, err = obj.client.DNS.Records.New(ctx, createParams) if err != nil { return errwrap.Wrapf(err, "failed to create dns record") } return nil } func (obj *CloudflareDNSRes) updateRecord(ctx context.Context, recordID string) error { recordParams, err := obj.buildEditRecordParam() if err != nil { return err } editParams := dns.RecordEditParams{ ZoneID: cloudflare.F(obj.zoneID), Body: recordParams, } _, err = obj.client.DNS.Records.Edit(ctx, recordID, editParams) if err != nil { return errwrap.Wrapf(err, "failed to update dns record") } return nil } func (obj *CloudflareDNSRes) needsUpdate(record dns.RecordResponse) bool { if obj.Content != record.Content { return true } if obj.TTL != int64(record.TTL) { return true } if obj.Proxied != nil { if *obj.Proxied != record.Proxied { return true } } if obj.Priority != nil { if float64(*obj.Priority) != record.Priority { return true } } if obj.Comment != record.Comment { return true } // TODO add more checks? return false } func (obj *CloudflareDNSRes) purgeCheckApply(ctx context.Context, apply bool) (bool, error) { listParams := dns.RecordListParams{ ZoneID: cloudflare.F(obj.zoneID), } iter := obj.client.DNS.Records.ListAutoPaging(ctx, listParams) allRecords := []dns.RecordResponse{} for iter.Next() { allRecords = append(allRecords, iter.Current()) } if err := iter.Err(); err != nil { return false, errwrap.Wrapf(err, "failed to list dns records for purge") } excludes := make(map[string]bool) graph, err := obj.init.FilteredGraph() if err != nil { return false, errwrap.Wrapf(err, "can't read the filtered graph") } for _, vertex := range graph.Vertices() { res, ok := vertex.(engine.Res) if !ok { return false, fmt.Errorf("not a resource") } if res.Kind() != "cloudflare:dns" { continue // we only want cloudflare dns resources } if res.Name() == obj.Name() { continue // skip self } cfRes, ok := res.(*CloudflareDNSRes) if !ok { return false, fmt.Errorf("wrong resource type") } if cfRes.Zone == obj.Zone { recordKey := fmt.Sprintf("%s:%s", cfRes.RecordName, cfRes.Type) excludes[recordKey] = true } } checkOK := true for _, record := range allRecords { recordKey := fmt.Sprintf("%s:%s", record.Name, record.Type) if excludes[recordKey] { continue } if apply { deleteParams := dns.RecordDeleteParams{ ZoneID: cloudflare.F(obj.zoneID), } _, err := obj.client.DNS.Records.Delete(ctx, record.ID, deleteParams) if err != nil { return false, errwrap.Wrapf(err, "failed to purge %s", recordKey) } } else { checkOK = false } } return checkOK, nil } // GraphQueryAllowed returns nil if you're allowed to query the graph. This // function accepts information about the requesting resource so we can // determine the access with some form of fine-grained control. func (obj *CloudflareDNSRes) GraphQueryAllowed(opts ...engine.GraphQueryableOption) error { options := &engine.GraphQueryableOptions{} // default options options.Apply(opts...) // apply the options if options.Kind != "cloudflare:dns" { return fmt.Errorf("only other cloudflare dns resources can access this info") } return nil }