Plugins/Combell.ps1

function Get-CurrentPluginType { 'dns-01' }

function Add-DnsTxt {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string]$RecordName,
        [Parameter(Mandatory, Position = 1)]
        [string]$TxtValue,
        [Parameter(Mandatory, Position = 2)]
        [SecureString]$CombellApiKey,
        [Parameter(Mandatory, Position = 3)]
        [SecureString]$CombellApiSecret,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    # Convert the SecureString parameters to type String.
    $ApiKey = [pscredential]::new('a', $CombellApiKey).GetNetworkCredential().Password
    $ApiSecret = [pscredential]::new('a', $CombellApiSecret).GetNetworkCredential().Password

    $cmdletName = "Add-DnsTxt"
    $zoneName = Find-CombellZone $RecordName $ApiKey $ApiSecret
    Write-Verbose "${cmdletName}: Find domain '$zoneName' for record '$RecordName' - OK"
    $relativeRecordName = $RecordName -ireplace "\.?$([regex]::Escape($zoneName.TrimEnd('.')))$",''
    $txtRecords = Get-CombellTxtRecords $zoneName $relativeRecordName $TxtValue $ApiKey $ApiSecret
    $numberOfTxtRecords = $txtRecords.Length

    if ($numberOfTxtRecords -gt 0) {
        Write-Verbose "${cmdletName}: Domain '$zoneName' contains $numberOfTxtRecords TXT record$(if ($numberOfTxtRecords -gt 1) { "s" }) that match$(if ($numberOfTxtRecords -eq 1) { "es" }) record name ""$relativeRecordName"" and content ""$TxtValue""; abort."
        return
    }

    Write-Verbose "${cmdletName}: Domain '$zoneName' contains 0 TXT records that match record name ""$relativeRecordName"" and content ""$TxtValue""; add TXT record { ""record_name"": ""$relativeRecordName"", ""content"": ""$TxtValue"" }."
    $requestBody = @{
        type        = "TXT"
        record_name = $relativeRecordName
        ttl         = 60
        content     = $TxtValue
    } | ConvertTo-Json -Compress

    Send-CombellHttpRequest POST "dns/$zoneName/records" $ApiKey $ApiSecret $requestBody | Out-Null

    <#
    .SYNOPSIS
        Add a DNS TXT record via the Combell API.

    .DESCRIPTION
        Add a DNS TXT record via the Combell API.

    .PARAMETER RecordName
        The fully qualified name of the TXT record.

    .PARAMETER TxtValue
        The value of the TXT record.

    .PARAMETER CombellApiKey
        The Combell API key associated with your account.

    .PARAMETER CombellApiSecret
        The Combell API secret associated with your account.

   .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this
        function supports.

    .EXAMPLE
        $combellApiKey = Read-Host "Combell API key" -AsSecureString
        $combellApiSecret = Read-Host "Combell API secret" -AsSecureString
        Add-DnsTxt '_acme-challenge.example.com' 'txt-value' $combellApiKey $combellApiSecret

        Adds a TXT record for the specified site with the specified value.
    #>

}

function Remove-DnsTxt {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string]$RecordName,
        [Parameter(Mandatory, Position = 1)]
        [string]$TxtValue,
        [Parameter(Mandatory, Position = 2)]
        [SecureString]$CombellApiKey,
        [Parameter(Mandatory, Position = 3)]
        [SecureString]$CombellApiSecret,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    # Convert the SecureString parameters to type String.
    $ApiKey = [pscredential]::new('a', $CombellApiKey).GetNetworkCredential().Password
    $ApiSecret = [pscredential]::new('a', $CombellApiSecret).GetNetworkCredential().Password

    $cmdletName = "Remove-DnsTxt"
    $zoneName = Find-CombellZone $RecordName $ApiKey $ApiSecret
    Write-Verbose "${cmdletName}: Find domain '$zoneName' for record '$RecordName' - OK"
    $relativeRecordName = $RecordName -ireplace "\.?$([regex]::Escape($zoneName.TrimEnd('.')))$",''
    $txtRecords = Get-CombellTxtRecords $zoneName $relativeRecordName $TxtValue $ApiKey $ApiSecret
    $numberOfTxtRecords = $txtRecords.Length

    if ($numberOfTxtRecords -eq 0) {
        Write-Verbose "${cmdletName}: Domain '$zoneName' contains 0 TXT records that match record name '$relativeRecordName' and content ""$TxtValue""; abort."
        return
    }

    Write-Verbose "${cmdletName}: Domain '$zoneName' contains $numberOfTxtRecords TXT record$(if ($numberOfTxtRecords -gt 1) { "s" }) that match$(if ($numberOfTxtRecords -eq 1) { "es" }) record name '$relativeRecordName' and content ""$TxtValue""; delete $numberOfTxtRecords record$(if ($numberOfTxtRecords -gt 1) { "s" })."

    foreach ($txtRecord in $txtRecords) {
        Write-Verbose "${cmdletName}: Delete TXT record $txtRecord"
        Send-CombellHttpRequest DELETE "dns/$zoneName/records/$($txtRecord.id)" $ApiKey $ApiSecret | Out-Null
    }

    <#
    .SYNOPSIS
        Remove a DNS TXT record via the Combell API.

    .DESCRIPTION
        Remove a DNS TXT record via the Combell API.

    .PARAMETER RecordName
        The fully qualified name of the TXT record.

    .PARAMETER TxtValue
        The value of the TXT record.

    .PARAMETER CombellApiKey
        The Combell API key associated with your account.

    .PARAMETER CombellApiSecret
        The Combell API secret associated with your account.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this
        function supports.

    .EXAMPLE
        $combellApiKey = Read-Host "Combell API key" -AsSecureString
        $combellApiSecret = Read-Host "Combell API secret" -AsSecureString
        Remove-DnsTxt '_acme-challenge.example.com' 'txt-value' $combellApiKey $combellApiSecret

        Removes a TXT record for the specified site with the specified value. If multiple records exist with the same
        record name and the same content, this cmdlet deletes all of them.
    #>

}

function Save-DnsTxt {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )
    <#
    .SYNOPSIS
        Not required.

    .DESCRIPTION
        This provider does not require calling this function to commit changes to DNS records.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this
        function supports.
    #>

}

############################
# Helper Functions
############################

function Find-CombellZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string]$RecordName,
        [Parameter(Mandatory, Position = 1)]
        [string]$ApiKey,
        [Parameter(Mandatory, Position = 2)]
        [string]$ApiSecret
    )

    # Setup a module variable to cache the record to zone mapping, so it's quicker to find later.
    if (!$script:CombellRecordZones) {
        $script:CombellRecordZones = @{}
    }

    # If the cache contains $RecordName, return it.
    if ($script:CombellRecordZones.ContainsKey($RecordName)) {
        return $script:CombellRecordZones.$RecordName
    }

    # Not specifying the 'take' query parameter defaults the result set to a maximum 25 items (situation on 30
    # September 2021). It is not clear from the documentation how you can get all domains in a single request, so I'm
    # defaulting here to a 'take' parameter value of '1000'.
    # If you find a better solution, feel free to submit an issue.
    # See https://api.combell.com/v2/documentation#operation/Domains for more information.
    # - Steven Volckaert, 30 September 2021.
    # TODO Although undocumented, it appears it might be possible to retrieve the total number of domains from some
    # custom HTTP response headers. So: Consider removing the 'take' query parameter, which will default back to
    # maximum 25 items per response, and sending addtional HTTP requests if the HTTP header(s) indicate that more
    # domains exist.
    # Implementing this requires further investigation though (start by reading
    # https://api.combell.com/v2/documentation#section/Conventions/Pagination), so if you need this, feel free to
    # submit a pull request or an issue - Steven Volckaert, 5 October 2021.
    $zones = Send-CombellHttpRequest GET "domains?take=1000" $ApiKey $ApiSecret;

    # We need to find the deepest sub-zone that can hold the record and add it there, except if there is only the apex
    # zone. So for a $RecordName like _acme-challenge.site1.sub1.sub2.example.com, we need to search the zone from
    # longest to shortest set of FQDNs contained in $zones, i.e. in the following order:
    # - site1.sub1.sub2.example.com
    # - sub1.sub2.example.com
    # - sub2.example.com
    # - example.com
    # See https://poshac.me/docs/v4/Plugins/Plugin-Development-Guide/#zone-matching for more information.
    # - Steven Volckaert, 30 September 2021.
    $pieces = $RecordName.Split('.')
    for ($i = 0; $i -lt ($pieces.Count - 1); $i++) {
        $zoneTest = $pieces[$i..($pieces.Count - 1)] -join '.'
        Write-Verbose "Find domain '$zoneTest' in $($zones.Length) Combell domains"
        if ($zoneTest -in $zones.domain_name) {
            $zone = $zones | Where-Object { $_.domain_name -eq $zoneTest }
            $script:CombellRecordZones.$RecordName = $zone.domain_name
            return $zone.domain_name
        }
    }

    throw "FATAL: No domain zone found for record '$RecordName'."
}

function Get-CombellAuthorizationHeaderValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string]$ApiKey,
        [Parameter(Mandatory, Position = 1)]
        [string]$ApiSecret,
        [Parameter(Mandatory, Position = 2)]
        [string]$Method,
        [Parameter(Mandatory, Position = 3)]
        [string]$Path,
        [Parameter(Position = 4)]
        [string]$Body
    )

    $urlEncodedPath = [System.Net.WebUtility]::UrlEncode("/v2/$Path")
    $unixTimestamp = [System.DateTimeOffset]::Now.ToUnixTimeSeconds().ToString()
    $nonce = (New-Guid).ToString()
    $hmacInputValue = "${ApiKey}$($Method.ToLowerInvariant())${urlEncodedPath}${unixTimestamp}${nonce}"

    if ($Body) {
        $md5Algorithm = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
        $bodyAsByteArray = [Text.Encoding]::UTF8.GetBytes($Body)
        $bodyAsHashedBase64String = [Convert]::ToBase64String($md5Algorithm.ComputeHash($bodyAsByteArray))
        $hmacInputValue += $bodyAsHashedBase64String
    }

    $hmacAlgorithm = New-Object System.Security.Cryptography.HMACSHA256
    $hmacAlgorithm.Key = [Text.Encoding]::UTF8.GetBytes($ApiSecret)
    $hmacInputValueAsByteArray = [Text.Encoding]::UTF8.GetBytes($hmacInputValue)
    $hmacSignature = [Convert]::ToBase64String($hmacAlgorithm.ComputeHash($hmacInputValueAsByteArray))

    return "hmac ${ApiKey}:${hmacSignature}:${nonce}:${unixTimestamp}"

    <#
    .SYNOPSIS
        Gets the value of the Authorization header.
        See https://api.combell.com/v2/documentation#section/Authentication for more information.
    #>

}

function Get-CombellTxtRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string]$DomainName,
        [Parameter(Mandatory, Position = 1)]
        [string]$RelativeRecordName,
        [Parameter(Mandatory, Position = 2)]
        [string]$TxtValue,
        [Parameter(Mandatory, Position = 3)]
        [string]$ApiKey,
        [Parameter(Mandatory, Position = 4)]
        [string]$ApiSecret
    )

    $txtRecords = Send-CombellHttpRequest `
        GET "dns/$DomainName/records?type=TXT&record_name=$RelativeRecordName" $ApiKey $ApiSecret
    return @($txtRecords | Where-Object { $_.record_name -eq $RelativeRecordName -and $_.content -ceq $TxtValue })
}

function Send-CombellHttpRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [ValidateSet('GET', 'PUT', 'POST', 'DELETE')]
        [string]$Method,
        [Parameter(Mandatory, Position = 1)]
        [string]$Path,
        [Parameter(Mandatory, Position = 2)]
        [string]$ApiKey,
        [Parameter(Mandatory, Position = 3)]
        [string]$ApiSecret,
        [Parameter(Position = 4)]
        [string]$Body
    )

    $uri = [uri]"https://api.combell.com/v2/$Path"
    $authorizationHeaderValue = Get-CombellAuthorizationHeaderValue $ApiKey $ApiSecret $Method $Path $Body

    $headers = @{
        Accept        = 'application/json'
        Authorization = $authorizationHeaderValue
    }
    $invokeRestMesthodParameters = @{
        Method             = $Method
        Uri                = $uri
        Headers            = $headers
        ContentType        = 'application/json'
        MaximumRedirection = 0
        ErrorAction        = 'Stop'
    }
    if ($Body) {
        $invokeRestMesthodParameters.Body = $Body
    }

    try {
        $Stopwatch = New-Object -TypeName System.Diagnostics.Stopwatch
        $Stopwatch.Start()
        Invoke-RestMethod @invokeRestMesthodParameters @script:UseBasic
        $Stopwatch.Stop()
        Write-Verbose "$Method $uri - OK ($($Stopwatch.ElapsedMilliseconds) ms)"
    }
    catch {
        $Stopwatch.Stop()
        Write-Error "$Method $uri - FAILED ($($Stopwatch.ElapsedMilliseconds) ms) - $($_)"
        throw
    }
}