Plugins/TencentDNS.ps1

function Get-CurrentPluginType { 'dns-01' }

function Add-DnsTxt {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string]$RecordName,
        [Parameter(Mandatory, Position = 1)]
        [string]$TxtValue,
        [Parameter(Mandatory, Position = 2)]
        [string]$TencentKeyId,
        [Parameter(Mandatory, Position = 3)]
        [securestring]$TencentSecret,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    # find the zone for this record
    try { $zoneName = Find-TencentZone $RecordName $TencentKeyId $TencentSecret } catch { throw }
    Write-Debug "Found zone $zoneName"

    # grab the relative portion of the fqdn
    $recShort = $RecordName -ireplace "\.?$([regex]::Escape($zoneName.TrimEnd('.')))$",''
    if ($recShort -eq $RecordName) { $recShort = '@' }

    # query for an existing record
    try { $record = Find-TencentRecord -Domain $zoneName -Subdomain $recShort -RecordType 'TXT'  -RecordValue $TxtValue -TencentKeyId $TencentKeyId -TencentSecret $TencentSecret } catch { throw }

    if ($null -eq $record) {
        # add the record
        Write-Verbose "Adding a TXT record for $RecordName with value $TxtValue"
        $body = @{
            SubDomain  = $recShort
            Domain     = $zoneName
            RecordType = 'TXT'
            Value      = $TxtValue
            RecordLine = '默认' # default
        }
        $response = Invoke-TencentRest CreateRecord $body $TencentKeyId $TencentSecret
        Invoke-Response $response
    }
    else {
        Write-Debug "Record $RecordName already contains $TxtValue. Nothing to do."
    }

    <#
    .SYNOPSIS
        Add a DNS TXT record to Tencentyun (Tencent Cloud)

    .DESCRIPTION
        Add a DNS TXT record to Tencentyun (Tencent Cloud)

    .PARAMETER RecordName
        The fully qualified name of the TXT record.

    .PARAMETER TxtValue
        The value of the TXT record.

    .PARAMETER TencentKeyId
        The Access Key ID for your Tencentyun account.

    .PARAMETER TencentSecret
        The Access Secret for your Tencentyun account.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.

    .EXAMPLE
        $secret = Read-Host "Secret" -AsSecureString
        PS C:\>Add-DnsTxt '_acme-challenge.example.com' 'txt-value' 'key-id' $secret

        Adds a TXT record using a securestring object for TencentSecret.
    #>

}

function Remove-DnsTxt {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string]$RecordName,
        [Parameter(Mandatory, Position = 1)]
        [string]$TxtValue,
        [Parameter(Mandatory, Position = 2)]
        [string]$TencentKeyId,
        [Parameter(Mandatory, Position = 3)]
        [securestring]$TencentSecret,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    # find the zone for this record
    try { $zoneName = Find-TencentZone $RecordName $TencentKeyId $TencentSecret } catch { throw }
    Write-Debug "Found zone $zoneName"

    # grab the relative portion of the fqdn
    $recShort = $RecordName -ireplace "\.?$([regex]::Escape($zoneName.TrimEnd('.')))$",''
    if ($recShort -eq $RecordName) { $recShort = '@' }

    # query for an existing record
    try { $record = Find-TencentRecord -Domain $zoneName -Subdomain $recShort -RecordType 'TXT'  -RecordValue $TxtValue -TencentKeyId $TencentKeyId -TencentSecret $TencentSecret } catch { throw }
    Write-Debug "Found Record $record"

    if ($null -eq $record) {
        Write-Debug "Record $RecordName with value $TxtValue doesn't exist. Nothing to do."
    }
    else {
        # remove the record
        Write-Verbose "Removing TXT record for $RecordName with RecordId $($record.RecordId)"
        $body = @{
            Domain   = $zoneName
            RecordId = $record.RecordId
        }
        $response = Invoke-TencentRest DeleteRecord $body $TencentKeyId $TencentSecret
        Invoke-Response $response
    }


    <#
    .SYNOPSIS
        Remove a DNS TXT record from Tencentyun (Tencent Cloud)

    .DESCRIPTION
        Remove a DNS TXT record from Tencentyun (Tencent Cloud)

    .PARAMETER RecordName
        The fully qualified name of the TXT record.

    .PARAMETER TxtValue
        The value of the TXT record.

    .PARAMETER TencentKeyId
        The Access Key ID for your Tencentyun account.

    .PARAMETER TencentSecret
        The Access Secret for your Tencentyun account.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.

    .EXAMPLE
        $secret = Read-Host "Secret" -AsSecureString
        PS C:\>Remove-DnsTxt '_acme-challenge.example.com' 'txt-value' 'key-id' $secret

        Removes a TXT record using a securestring object for TencentSecret.
    #>

}

function Save-DnsTxt {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )
    <#
    .SYNOPSIS
        Not required.

    .DESCRIPTION
        This provider does not require calling this function to commit changes to DNS records.

    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.
    #>

}

############################
# Helper Functions
############################

# API Docs
# https://www.tencentcloud.com/document/product/228/31723
# https://cloud.tencent.com/document/api/1427

function Invoke-TencentRest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string]$action,
        [Parameter(Position = 1)]
        [Object]$bodyData,
        [Parameter(Mandatory, Position = 2)]
        [string]$secretId,
        [Parameter(Mandatory, Position = 3)]
        [securestring]$AccessSecret
    )

    $secretKey = [pscredential]::new('a', $AccessSecret).GetNetworkCredential().Password
    $body = $bodyData | ConvertTo-Json -Compress
    # BuildRequest
    $region = ""
    $token = ""
    $version = "2021-03-23"
    $apihost = "dnspod.tencentcloudapi.com"
    $contentType = "application/json;charset=utf-8"
    $epochStart = Get-Date -Year 1970 -Month 1 -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    $timestamp = [Math]::Round((Get-Date).ToUniversalTime().Subtract($epochStart).TotalSeconds)

    # Signature mechanism
    # https://cloud.tencent.com/document/api/1427/56189
    $auth = GetAuth -secretId $secretId -secretKey $secretKey -apihost $apihost -contentType $contentType -timestamp $timestamp -body $body -action $action

    $queryParams = @{
        Uri = "https://$apihost"
        Method = 'Post'
        Headers = @{
            'Authorization'      = $auth
            'User-Agent'         = ''
            'Host'               = $apihost
            'X-TC-Timestamp'     = $timestamp
            'X-TC-Version'       = $version
            'X-TC-Action'        = $action
            'X-TC-Region'        = $region
            'X-TC-Token'         = $token
        }
        Body = $body
        ContentType = $contentType
        Verbose = $false
        ErrorAction = 'Stop'
    }
    Write-Debug "POST $($queryParams.Uri)`n$($queryParams.Body)"

    # PowerShell 7 does header validation by default now and rejects the request
    # unless you specify the SkipHeaderValidation flag.
    if ('SkipHeaderValidation' -in (Get-Command Invoke-RestMethod).Parameters.Keys) {
        $queryParams.SkipHeaderValidation = $true
    }

    Invoke-RestMethod @queryParams
}

function GetAuth {
    [CmdletBinding()]
    param(
        [string]$secretId,
        [string]$secretKey,
        [string]$apihost,
        [string]$contentType,
        [long]$timestamp,
        [string]$body,
        [string]$action
    )

    $canonicalURI = "/"
    $xtcaction = $action.ToLower()
    $canonicalHeaders = "content-type:$contentType`nhost:$apihost`nx-tc-action:$xtcaction`n"
    $signedHeaders = "content-type;host;x-tc-action"
    $hashedRequestPayload = Sha256Hex $body
    $canonicalRequest = "POST`n$canonicalURI`n`n$canonicalHeaders`n$signedHeaders`n$hashedRequestPayload"

    Write-Debug "canonicalRequest $canonicalRequest"

    $algorithm = "TC3-HMAC-SHA256"
    $epochStart = Get-Date -Year 1970 -Month 1 -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    $timestampDateTime = $epochStart.AddSeconds($timestamp)
    $date = $timestampDateTime.ToString("yyyy-MM-dd")
    $service = $apihost.Split(".")[0]
    $credentialScope = "$date/$service/tc3_request"
    $hashedCanonicalRequest = Sha256Hex $canonicalRequest
    $stringToSign = "$algorithm`n$timestamp`n$credentialScope`n$hashedCanonicalRequest"

    Write-Debug "stringToSign $stringToSign"

    $tc3SecretKey = [Text.Encoding]::UTF8.GetBytes("TC3" + $secretKey)
    $secretDate = HmacSha256 -key $tc3SecretKey -msg ([Text.Encoding]::UTF8.GetBytes($date))
    $secretService = HmacSha256 -key $secretDate -msg ([Text.Encoding]::UTF8.GetBytes($service))
    $secretSigning = HmacSha256 -key $secretService -msg ([Text.Encoding]::UTF8.GetBytes("tc3_request"))
    $signatureBytes = HmacSha256 -key $secretSigning -msg ([Text.Encoding]::UTF8.GetBytes($stringToSign))
    $signature = ($signatureBytes | ForEach-Object { $_.ToString("x2") }) -join ''
    $signature = $signature.ToLower()

    $auth = "$algorithm Credential=$secretId/$credentialScope, SignedHeaders=$signedHeaders, Signature=$signature"
    Write-Debug "auth $auth"
    return $auth
}

function Sha256Hex {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [String]$inputString
    )

    $sha256 = [Security.Cryptography.SHA256]::Create()
    $inputBytes = [Text.Encoding]::UTF8.GetBytes($inputString)
    $hashBytes = $sha256.ComputeHash($inputBytes)
    $hashHexString = [BitConverter]::ToString($hashBytes) -replace "-"

    return $hashHexString.ToLower()
}

function HmacSha256 {
    [CmdletBinding()]
    param(
        [byte[]]$key,
        [byte[]]$msg
    )

    $mac = [Security.Cryptography.HMACSHA256]::new($key)
    return $mac.ComputeHash($msg)
}
function Invoke-Response {
    [CmdletBinding()]
    param(
        [object]$response
    )
    if ($response.Response.Error) {
        $strRps = $response | ConvertTo-Json -Compress
        Write-Warning "Response Error $strRps"
        throw
    }

}

function Find-TencentZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string]$RecordName,
        [Parameter(Mandatory, Position = 1)]
        [string]$TencentKeyId,
        [Parameter(Mandatory, Position = 2)]
        [securestring]$TencentSecret
    )

    # setup a module variable to cache the record to zone ID mapping
    # so it's quicker to find later
    if (!$script:TencentRecordZones) { $script:TencentRecordZones = @{} }

    # check for the record in the cache
    if ($script:TencentRecordZones.ContainsKey($RecordName)) {
        return $script:TencentRecordZones.$RecordName
    }

    # Search for the zone from longest to shortest set of FQDN pieces.
    $pieces = $RecordName.Split('.')
    for ($i = 0; $i -lt ($pieces.Count - 1); $i++) {
        $zoneTest = $pieces[$i..($pieces.Count - 1)] -join '.'
        Write-Debug "Checking $zoneTest"
        try {
            $body = @{
                Keyword = $zoneTest
            }
            $response = Invoke-TencentRest DescribeDomainList $body $TencentKeyId $TencentSecret

            # check for results
            if ($response.Response.DomainCountInfo.DomainTotal -gt 0) {
                $script:TencentRecordZones.$RecordName = $response.Response.DomainList[0].Name # or PunyCode?
                return $script:TencentRecordZones.$RecordName
            }
        }
        catch { throw }
    }

    throw "No zone found for $RecordName"
}
function Find-TencentRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [string]$Domain,
        [Parameter(Mandatory, Position = 1)]
        [AllowEmptyString()]
        [string]$Subdomain,
        [Parameter(Mandatory, Position = 2)]
        [string]$RecordType,
        [Parameter(Position = 3)]
        [string]$RecordValue,
        [Parameter(Mandatory, Position = 4)]
        [string]$TencentKeyId,
        [Parameter(Mandatory, Position = 5)]
        [securestring]$TencentSecret
    )

    try {
        $body = @{
            Domain     = $Domain
            Subdomain  = $Subdomain
            #Keyword =$TxtValue # can not add this param
            RecordType = $RecordType
        }
        $response = Invoke-TencentRest DescribeRecordList $body $TencentKeyId $TencentSecret
    }
    catch { throw }

    if ($response.Response.RecordCountInfo.TotalCount -gt 0) {

        $recordList = $response.Response.RecordList
        if ($RecordValue -eq $null) {
            return $recordList[0]
        }
        # found data . then foreach
        for ($i = 0; $i -lt ($recordList.Count); $i++) {

            $item = $recordList[$i]
            if ($item.Value -eq $RecordValue) {
                #Write-Debug "Find RecordItem $item"
                return $item
            }

        }

    }
    Write-Debug "No Record found for $Domain Subdomain $Subdomain RecordType $RecordType RecordValue $RecordValue"
}