Plugins/DMEasy.ps1
function Get-CurrentPluginType { 'dns-01' } function Add-DnsTxt { [CmdletBinding(DefaultParameterSetName='Secure')] param( [Parameter(Mandatory,Position=0)] [string]$RecordName, [Parameter(Mandatory,Position=1)] [string]$TxtValue, [Parameter(Mandatory,Position=2)] [string]$DMEKey, [Parameter(ParameterSetName='Secure',Mandatory,Position=3)] [securestring]$DMESecret, [Parameter(ParameterSetName='DeprecatedInsecure',Mandatory,Position=3)] [string]$DMESecretInsecure, [switch]$DMEUseSandbox, [Parameter(ValueFromRemainingArguments)] $ExtraParams ) # convert the secure secret to a normal string if ('Secure' -eq $PSCmdlet.ParameterSetName) { $DMESecretInsecure = [pscredential]::new('a',$DMESecret).GetNetworkCredential().Password } $apiBase = 'https://api.dnsmadeeasy.com/V2.0/dns/managed' if ($DMEUseSandbox) { $apiBase = 'https://api.sandbox.dnsmadeeasy.com/V2.0/dns/managed' } Write-Verbose "Attempting to find hosted zone for $RecordName" $zoneID,$zoneName = Find-DMEZone $RecordName $DMEKey $DMESecretInsecure $apiBase if (-not $zoneID) { throw "Unable to find DME hosted zone for $RecordName" } # separate the portion of the name that doesn't contain the zone name $recShort = $RecordName -ireplace "\.?$([regex]::Escape($zoneName.TrimEnd('.')))$",'' $recRoot = "$apiBase/$zoneID/records" # query the existing record(s) try { $auth = Get-DMEAuthHeader $DMEKey $DMESecretInsecure $response = Invoke-RestMethod "$($recRoot)?recordName=$recShort&type=TXT" ` -Headers $auth -ContentType 'application/json' @script:UseBasic } catch { throw } # check if our value is already in there if ($response.totalRecords -gt 0) { if ("`"$TxtValue`"" -in $response.data.value) { Write-Debug "Record $RecordName already contains $TxtValue. Nothing to do." return } } # create a new record try { $auth = Get-DMEAuthHeader $DMEKey $DMESecretInsecure $bodyJson = @{name=$recShort;value="`"$TxtValue`"";type='TXT';ttl=10} | ConvertTo-Json -Compress Write-Verbose "Creating $RecordName with value $TxtValue" Invoke-RestMethod $recRoot -Method Post -Body $bodyJson -Headers $auth ` -ContentType 'application/json' @script:UseBasic | Out-Null } catch { throw } <# .SYNOPSIS Add a DNS TXT record to DNS Made Easy. .DESCRIPTION Add a DNS TXT record to DNS Made Easy. .PARAMETER RecordName The fully qualified name of the TXT record. .PARAMETER TxtValue The value of the TXT record. .PARAMETER DMEKey The DNS Made Easy API key for your account. .PARAMETER DMESecret The DNS Made Easy API secret key for your account. .PARAMETER DMESecretInsecure (DEPRECATED) The DNS Made Easy API secret key for your account. .PARAMETER DMEUseSandbox If specified, all commands will run against the DNS Made Easy sandbox API endpoint. This is generally only used for testing the plugin. .PARAMETER ExtraParams This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports. .EXAMPLE $dmeSecret = Read-Host "DME Secret" -AsSecureString PS C:\>Add-DnsTxt '_acme-challenge.example.com' 'txt-value' 'key' $dmeSecret Adds a TXT record for the specified site with the specified value. #> } function Remove-DnsTxt { [CmdletBinding(DefaultParameterSetName='Secure')] param( [Parameter(Mandatory,Position=0)] [string]$RecordName, [Parameter(Mandatory,Position=1)] [string]$TxtValue, [Parameter(Mandatory,Position=2)] [string]$DMEKey, [Parameter(ParameterSetName='Secure',Mandatory,Position=3)] [securestring]$DMESecret, [Parameter(ParameterSetName='DeprecatedInsecure',Mandatory,Position=3)] [string]$DMESecretInsecure, [switch]$DMEUseSandbox, [Parameter(ValueFromRemainingArguments)] $ExtraParams ) # convert the secure secret to a normal string if ('Secure' -eq $PSCmdlet.ParameterSetName) { $DMESecretInsecure = [pscredential]::new('a',$DMESecret).GetNetworkCredential().Password } $apiBase = 'https://api.dnsmadeeasy.com/V2.0/dns/managed' if ($DMEUseSandbox) { $apiBase = 'https://api.sandbox.dnsmadeeasy.com/V2.0/dns/managed' } Write-Verbose "Attempting to find hosted zone for $RecordName" $zoneID,$zoneName = Find-DMEZone $RecordName $DMEKey $DMESecretInsecure $apiBase if (-not $zoneID) { throw "Unable to find DME hosted zone for $RecordName" } # separate the portion of the name that doesn't contain the zone name $recShort = $RecordName -ireplace "\.?$([regex]::Escape($zoneName.TrimEnd('.')))$",'' $recRoot = "$apiBase/$zoneID/records" # query the existing record(s) try { $auth = Get-DMEAuthHeader $DMEKey $DMESecretInsecure $response = Invoke-RestMethod "$($recRoot)?recordName=$recShort&type=TXT" ` -Headers $auth -ContentType 'application/json' @script:UseBasic } catch { throw } # check for the value to delete if ($response.totalRecords -eq 0) { Write-Debug "Record $RecordName doesn't exist. Nothing to do." return } else { if ("`"$TxtValue`"" -notin $response.data.value) { Write-Debug "Record $RecordName does not contain $TxtValue. Nothing to do." return } # grab the ID and delete the record $recID = ($response.data | Where-Object { $_.value -eq "`"$TxtValue`"" }).id try { $auth = $auth = Get-DMEAuthHeader $DMEKey $DMESecretInsecure Write-Verbose "Deleting record $RecordName with value $TxtValue." Invoke-RestMethod "$recRoot/$recID" -Method Delete -Headers $auth ` -ContentType 'application/json' @script:UseBasic | Out-Null } catch { throw } } <# .SYNOPSIS Remove a DNS TXT record from DNS Made Easy. .DESCRIPTION Remove a DNS TXT record from DNS Made Easy. .PARAMETER RecordName The fully qualified name of the TXT record. .PARAMETER TxtValue The value of the TXT record. .PARAMETER DMEKey The DNS Made Easy API key for your account. .PARAMETER DMESecret The DNS Made Easy API secret key for your account. .PARAMETER DMESecretInsecure (DEPRECATED) The DNS Made Easy API secret key for your account. .PARAMETER DMEUseSandbox If specified, all commands will run against the DNS Made Easy sandbox API endpoint. This is generally only used for testing the plugin. .PARAMETER ExtraParams This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports. .EXAMPLE $dmeSecret = Read-Host "DME Secret" -AsSecureString PS C:\>Remove-DnsTxt '_acme-challenge.example.com' 'txt-value' 'key' $dmeSecret Removes a TXT record for the specified site with the specified value. #> } function Save-DnsTxt { [CmdletBinding()] param( [Parameter(ValueFromRemainingArguments)] $ExtraParams ) <# .SYNOPSIS Not required. .DESCRIPTION This provider does not require calling this function to commit changes to DNS records. .PARAMETER ExtraParams This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports. #> } ############################ # Helper Functions ############################ function Get-DMEAuthHeader { [CmdletBinding()] param( [Parameter(Mandatory,Position=0)] [string]$DMEKey, [Parameter(Mandatory,Position=1)] [string]$DMESecretInsecure ) # We need to initialize an HMACSHA1 instance with the secret key as a byte array. # I know there's probably a safer way to do this that doesn't leave the plaintext # secret around in memory for as long, but it's beyond me at the moment. $secBytes = [Text.Encoding]::UTF8.GetBytes($DMESecretInsecure) $hmac = New-Object Security.Cryptography.HMACSHA1($secBytes,$true) # We need to hash a timestamp in "HTTP format", aka RFC 1123 # https://api-docs.dnsmadeeasy.com/#1bf6d47c-61b1-0cf3-4f04-0ed4772561fe # https://docs.microsoft.com/en-us/dotnet/standard/base-types/standard-date-and-time-format-strings#RFC1123 $reqDate = (Get-DateTimeOffsetNow).ToString('r') $dateBytes = [Text.Encoding]::UTF8.GetBytes($reqDate) $dateHash = [BitConverter]::ToString($hmac.ComputeHash($dateBytes)).Replace('-','').ToLower() # now build the header hashtable $header = @{ 'x-dnsme-apiKey' = $DMEKey; 'x-dnsme-requestDate' = $reqDate; 'x-dnsme-hmac' = $dateHash; } return $header } function Find-DMEZone { [CmdletBinding()] param( [Parameter(Mandatory,Position=0)] [string]$RecordName, [Parameter(Mandatory,Position=1)] [string]$DMEKey, [Parameter(Mandatory,Position=2)] [string]$DMESecretInsecure, [Parameter(Mandatory,Position=3)] [string]$ApiBase ) # setup a module variable to cache the record to zone mapping # so it's quicker to find later if (!$script:DMERecordZones) { $script:DMERecordZones = @{} } # check for the record in the cache if ($script:DMERecordZones.ContainsKey($RecordName)) { return $script:DMERecordZones.$RecordName } # The response object for managed zones makes it seem like it supports paging with # fields like totalPages/page. But the docs don't really make it clear how to # request subsequent pages. They also don't say what the max results per page is. # So for now, we'll just assume all results get returned in one page. If any large # customers find differently, feel free to submit an issue. try { $auth = Get-DMEAuthHeader $DMEKey $DMESecretInsecure $response = Invoke-RestMethod $ApiBase -Headers $auth -ContentType 'application/json' @script:UseBasic $zones = @($response.data) } catch { throw } # Since DME could be hosting both apex and sub-zones, we need to find the closest/deepest # sub-zone that would hold the record rather than just adding it to the apex. So for something # like _acme-challenge.site1.sub1.sub2.example.com, we'd look for zone matches in the following # order: # - site1.sub1.sub2.example.com # - sub1.sub2.example.com # - sub2.example.com # - example.com $pieces = $RecordName.Split('.') for ($i=0; $i -lt ($pieces.Count-1); $i++) { $zoneTest = $pieces[$i..($pieces.Count-1)] -join '.' Write-Debug "Checking $zoneTest" if ($zoneTest -in $zones.name) { $zone = $zones | Where-Object { $_.name -eq $zoneTest } $script:DMERecordZones.$RecordName = $zone.id,$zone.name return $zone.id,$zone.name } } return $null } |