zonesync 0.6.1 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da2a32c21af6c64a37bdb9a998089318ba12cbf3e20e0699a757adafe23d6e29
-  data.tar.gz: 6614061b9bc864e1f5a6219d25ac96d93f45cf5a98a9234c75bc7241e51eb909
+  metadata.gz: a674bd1519c4b8bd6a30814b43e70365191c18a59b24615e0ed93bbf8f79c286
+  data.tar.gz: c929821a57474a2d4be05f39f2e24e0cef38ab1484d5dbe6d8fbefba05ec60fc
 SHA512:
-  metadata.gz: c79134908c21f775a9aa58eccadd072684d0657b3e23bf9b953a050ef4c558cd557f9bbed9c57a522c7ab3e0521bd0a3254c19c8b2415a36c25e236be242a74c
-  data.tar.gz: 17d1e8928f168ea9bd4e93a9add850c2c5e7e7c168d3982d133817bdef63a9c085ae4d2b108aa8b51f1d5cab692f597d8d035aece15c7b44fa2547ad7baa0f91
+  metadata.gz: e7678dc403b138a88de0d30a19a980c6c9d23ec3dcb6aa89157530cfc2e260b9e2dd610a1461b3d09174d3c70246c35d34d418a51802cc3c52cd651e5a42d1b2
+  data.tar.gz: 42bf9f0ba6346af233735e236e0cc39e69adc3caf9e41901f8aeddc6936cfdf602086b9a0b3b2999bc8852c493f72a453d66106c8543bc9c95b218caaae35a53

data/.rspec

@@ -1,2 +1,2 @@
 --color
---require debug
+--require spec_helper

data/README.md

@@ -95,3 +95,9 @@ require 'zonesync'
 Zonesync.call(zonefile: 'hostfile.txt', credentials: YAML.load('provider.yml'))
 ```
 
+### Managing or avoiding conflicts with other people making edits to the DNS records
+
+Zonesync writes two additional TXT records: `zonesync_manifest` and `zonesync_checksum`. These two records together try to handle the situation where someone else makes edits directly to the DNS records managed by zonesync.
+* `zonesync_manifest`: a short list of all the records that zonesync is aware of and managing. If a record appears in the DNS records that is not in the manifest, zonesync will simply ignore it. This makes it possible to coexist with other editors, provided they don't touch the records managed by zonesync. If they do, we have a `zonesync_checksum` to detect that.
+* `zonesync_checksum`: a fingerprint of the state of the managed records upon last save. If the checksum doesn't match the current state of the managed records, zonesync will refuse to save the new state. This is a safety measure to avoid overwriting changes made by other editors, and also to alert the user that the records have been changed outside of zonesync.
+

data/lib/zonesync/cli.rb

@@ -7,6 +7,9 @@ module Zonesync
     method_option :dry_run, type: :boolean, default: false, aliases: :n, desc: "log operations to STDOUT but don't perform the sync"
     def sync
       Zonesync.call dry_run: options[:dry_run]
+    rescue ConflictError, MissingManifestError, ChecksumMismatchError => e
+      puts e.message
+      exit 1
     end
 
     desc "generate", "generates a Zonefile from the DNS server configured in Rails.application.credentials.zonesync"

data/lib/zonesync/cloudflare.rb

@@ -4,21 +4,24 @@ require "zonesync/http"
 module Zonesync
   class Cloudflare < Provider
     def read
-      http.get("/export")
+      ([fake_soa] + all.keys.map do |hash|
+        Record.new(hash)
+      end).map(&:to_s).join("\n") + "\n"
     end
 
     def remove record
-      id = records.fetch(record)
+      id = all.fetch(record.to_h)
       http.delete("/#{id}")
     end
 
     def change old_record, new_record
-      id = records.fetch(old_record)
+      id = all.fetch(old_record.to_h)
       http.patch("/#{id}", {
         name: new_record[:name],
         type: new_record[:type],
         ttl: new_record[:ttl],
         content: new_record[:rdata],
+        comment: new_record[:comment],
       })
     end
 
@@ -28,11 +31,12 @@ module Zonesync
         type: record[:type],
         ttl: record[:ttl],
         content: record[:rdata],
+        comment: record[:comment],
       })
     end
 
-    def records
-      @records ||= begin
+    def all
+      @all ||= begin
         response = http.get(nil)
         response["result"].reduce({}) do |map, attrs|
           map.merge to_record(attrs) => attrs["id"]
@@ -47,14 +51,21 @@ module Zonesync
       if %w[CNAME MX].include?(attrs["type"])
         rdata = normalize_trailing_period(rdata)
       end
+      if attrs["type"] == "MX"
+        rdata = "#{attrs["priority"]} #{rdata}"
+      end
       if %w[TXT SPF NAPTR].include?(attrs["type"])
         rdata = normalize_quoting(rdata)
       end
+      if attrs["type"] == "TXT"
+        rdata = normalize_quoting(rdata)
+      end
       Record.new(
-        normalize_trailing_period(attrs["name"]),
-        attrs["type"],
-        attrs["ttl"].to_i,
-        rdata,
+        name: normalize_trailing_period(attrs["name"]),
+        type: attrs["type"],
+        ttl: attrs["ttl"].to_i,
+        rdata:,
+        comment: attrs["comment"],
       ).to_h
     end
 
@@ -63,7 +74,19 @@ module Zonesync
     end
 
     def normalize_quoting value
-      value =~ /^".+"$/ ? value : %("#{value}")
+      value =~ /^".+"$/ ? value : %("#{value}") # handle quote wrapping
+      value.gsub('" "', "") # handle multiple txt record joining
+    end
+
+    def fake_soa
+      zone_name = http.get("/..")["result"]["name"]
+      Record.new(
+        name: normalize_trailing_period(zone_name),
+        type: "SOA",
+        ttl: 1,
+        rdata: "#{zone_name} admin.#{zone_name} 2000010101 1 1 1 1",
+        comment: nil,
+      )
     end
 
     def http

data/lib/zonesync/diff.rb

@@ -7,17 +7,19 @@ module Zonesync
     end
 
     def call
-      changes = ::Diff::LCS.sdiff(from.diffable_records, to.diffable_records)
+      changes = ::Diff::LCS.sdiff(from, to)
       changes.map do |change|
         case change.action
         when "-"
-          [:remove, [change.old_element.to_h]]
+          [:remove, [change.old_element]]
         when "!"
-          [:change, [change.old_element.to_h, change.new_element.to_h]]
+          [:change, [change.old_element, change.new_element]]
         when "+"
-          [:add, [change.new_element.to_h]]
+          [:add, [change.new_element]]
         end
-      end.compact
+      end.compact.sort_by do |operation|
+        operation.first
+      end.reverse # perform remove operations first
     end
   end
 end

data/lib/zonesync/errors.rb

@@ -0,0 +1,45 @@
+module Zonesync
+  class ConflictError < StandardError
+    def initialize existing, new
+      @existing = existing
+      @new = new
+    end
+
+    def message
+      <<~MSG
+        The following untracked DNS record already exists and would be overwritten.
+          existing: #{@existing}
+          new:      #{@new}
+      MSG
+    end
+  end
+
+  class MissingManifestError < StandardError
+    def initialize manifest
+      @manifest = manifest
+    end
+
+    def message
+      <<~MSG
+        The zonesync_manifest TXT record is missing. If this is the very first sync, make sure the Zonefile matches what's on the DNS server exactly. Otherwise, someone else may have removed it.
+          manifest: #{@manifest}
+      MSG
+    end
+  end
+
+  class ChecksumMismatchError < StandardError
+    def initialize existing, new
+      @existing = existing
+      @new = new
+    end
+
+    def message
+      <<~MSG
+        The zonesync_checksum TXT record does not match the current state of the DNS records. This probably means that someone else has changed them.
+          existing: #{@existing}
+          new:      #{@new}
+      MSG
+    end
+  end
+end
+

data/lib/zonesync/http.rb

@@ -3,6 +3,12 @@ require "json"
 
 module Zonesync
   class HTTP < Struct.new(:base)
+    def initialize(...)
+      super 
+      @before_request = []
+      @after_response = []
+    end
+
     def get path
       request("get", path)
     end
@@ -20,25 +26,29 @@ module Zonesync
     end
 
     def before_request &block
-      @before_request = block
+      @before_request << block
     end
 
     def after_response &block
-      @after_response = block
+      @after_response << block
     end
 
     def request method, path, body=nil
       uri = URI.parse("#{base}#{path}")
       request = Net::HTTP.const_get(method.to_s.capitalize).new(uri.path)
 
-      @before_request.call(request) if @before_request
+      @before_request.each do |block|
+        block.call(request, uri, body)
+      end
 
       response = Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
-        body = JSON.dump(body) if request["Content-Type"].include?("application/json")
+        body = JSON.dump(body) if request.fetch("Content-Type", "").include?("application/json")
         http.request(request, body)
       end
 
-      @after_response.call(response) if @after_response
+      @after_response.each do |block|
+        call(response)
+      end
 
       raise response.body unless response.code =~ /^20.$/
       if response["Content-Type"].include?("application/json")

data/lib/zonesync/logger.rb

@@ -13,11 +13,10 @@ class Logger
     loggers.each do |logger|
       operation = case args
       when Array
-        args.map { |h| h.values.join(" ") }.join(" -> ")
-      when Hash
-        args.values.join(" ")
+        (args.length == 2 ? "\n" : "") +
+          args.map { |r| r.to_h.values.join(" ") }.join("->\n")
       else
-        raise args.inspect
+        args.to_h.values.join(" ")
       end
       logger.info "Zonesync: #{method.capitalize} #{operation}"
     end

data/lib/zonesync/manifest.rb

@@ -0,0 +1,97 @@
+require "zonesync/record"
+require "digest"
+
+module Zonesync
+  class Manifest < Struct.new(:records, :zone)
+    DIFFABLE_RECORD_TYPES =
+      %w[A AAAA CNAME MX TXT SPF NAPTR PTR].sort
+
+    def existing
+      records.find(&:manifest?)
+    end
+
+    def existing?
+      !!existing
+    end
+
+    def generate
+      Record.new(
+        name: "zonesync_manifest.#{zone.origin}",
+        type: "TXT",
+        ttl: 3600,
+        rdata: generate_rdata,
+        comment: nil,
+      )
+    end
+
+    def existing_checksum
+      records.find(&:checksum?)
+    end
+
+    def generate_checksum
+      input_string = diffable_records.map(&:to_s).join
+      sha256 = Digest::SHA256.hexdigest(input_string)
+      Record.new(
+        name: "zonesync_checksum.#{zone.origin}",
+        type: "TXT",
+        ttl: 3600,
+        rdata: sha256.inspect,
+        comment: nil,
+      )
+    end
+
+    def diffable? record
+      if existing?
+        matches?(record)
+      else
+        DIFFABLE_RECORD_TYPES.include?(record.type)
+      end
+    end
+
+    def matches? record
+      return false unless existing?
+      hash = existing
+        .rdata[1..-2] # remove quotes
+        .split(";")
+        .reduce({}) do |hash, pair|
+          type, short_names = pair.split(":")
+          hash[type] = short_names.split(",")
+          hash
+        end
+      shorthands = hash.fetch(record.type, [])
+      shorthands.include?(shorthand_for(record))
+    end
+
+    def shorthand_for record, with_type: false
+      shorthand = record.short_name(zone.origin)
+      shorthand = "#{record.type}:#{shorthand}" if with_type
+      if record.type == "MX"
+        shorthand += " #{record.rdata[/^\d+/]}"
+      end
+      shorthand
+    end
+
+    private
+
+    def generate_rdata
+      generate_manifest.map do |type, short_names|
+        "#{type}:#{short_names.join(",")}"
+      end.join(";").inspect
+    end
+
+    def diffable_records
+      records.select do |record|
+        diffable?(record)
+      end.sort
+    end
+
+    def generate_manifest
+      diffable_records.reduce({}) do |hash, record|
+        hash[record.type] ||= []
+        hash[record.type] << shorthand_for(record)
+        hash[record.type].sort!
+        hash
+      end.sort_by(&:first)
+    end
+  end
+end

data/lib/zonesync/provider.rb

@@ -1,5 +1,6 @@
-require "dns/zonefile"
 require "zonesync/record"
+require "zonesync/zonefile"
+require "zonesync/manifest"
 
 module Zonesync
   class Provider < Struct.new(:credentials)
@@ -8,20 +9,30 @@ module Zonesync
       Zonesync.const_get(credentials[:provider]).new(credentials)
     end
 
-    def diffable_records
+    def records
       zonefile.records.map do |record|
         Record.from_dns_zonefile_record(record)
-      end.select do |record|
-        %w[A AAAA CNAME MX TXT SPF NAPTR PTR].include?(record.type)
+      end
+    end
+
+    def diffable_records
+      records.select do |record|
+        manifest.diffable?(record)
       end.sort
     end
 
+    def manifest
+      @manifest ||= Manifest.new(records, zonefile)
+    end
+
     private def zonefile
-      body = read
-      if body !~ /\sSOA\s/ # insert dummy SOA to trick parser if needed
-        body.sub!(/\n([^$])/, "\n@ 1 SOA example.com example.com ( 2000010101 1 1 1 1 )\n\\1")
+      @zonefile ||= begin
+        body = read
+        if body !~ /\sSOA\s/ # insert dummy SOA to trick parser if needed
+          body.sub!(/\n([^$])/, "\n@ 1 SOA example.com example.com ( 2000010101 1 1 1 1 )\n\\1")
+        end
+        Zonefile.load(body)
       end
-      DNS::Zonefile.load(body)
     end
 
     def read record
@@ -46,6 +57,7 @@ module Zonesync
   end
 
   require "zonesync/cloudflare"
+  require "zonesync/route53"
 
   class Memory < Provider
     def read

data/lib/zonesync/record.rb

@@ -1,5 +1,5 @@
 module Zonesync
-  class Record < Struct.new(:name, :type, :ttl, :rdata)
+  class Record < Struct.new(:name, :type, :ttl, :rdata, :comment, keyword_init: true)
     def self.from_dns_zonefile_record record
       type = record.class.name.split("::").last
       rdata = case type
@@ -19,23 +19,44 @@ module Zonesync
       end
 
       new(
-        record.host,
-        type,
-        record.ttl,
-        rdata,
+        name: record.host,
+        type:,
+        ttl: record.ttl,
+        rdata:,
+        comment: record.comment,
       )
     end
 
+    def short_name origin
+      ret = name.sub(origin, "")
+      ret = ret.sub(/\.$/, "")
+      ret = "@" if ret == ""
+      ret
+    end
+
+    def manifest?
+      type == "TXT" &&
+        name =~ /^zonesync_manifest\./
+    end
+
+    def checksum?
+      type == "TXT" &&
+        name =~ /^zonesync_checksum\./
+    end
+
     def <=> other
       to_sortable <=> other.to_sortable
     end
 
     def to_sortable
-      [type, name, rdata, ttl]
+      is_soa = type == "SOA" ? 0 : 1
+      [is_soa, type, name, rdata, ttl]
     end
 
     def to_s
-      values.join(" ")
+      string = [name, ttl, type, rdata].join(" ")
+      string << " ; #{comment}" if comment
+      string
     end
   end
 end

data/lib/zonesync/route53.rb

@@ -0,0 +1,140 @@
+require "zonesync/record"
+require "zonesync/http"
+require "rexml/document"
+
+module Zonesync
+  class Route53 < Provider
+    def read
+      doc = REXML::Document.new(http.get(nil))
+      records = doc.elements.collect("*/ResourceRecordSets/ResourceRecordSet") do |record_set|
+        to_records(record_set)
+      end.flatten.sort
+      records.map(&:to_s).join("\n") + "\n"
+    end
+
+    def remove(record)
+      change_record("DELETE", record)
+    end
+
+    def change(old_record, new_record)
+      remove(old_record)
+      add(new_record)
+    end
+
+    def add(record)
+      change_record("CREATE", record)
+    end
+
+    private
+
+    def change_record(action, record)
+      http.post(nil, <<~XML)
+        <?xml version="1.0" encoding="UTF-8"?>
+        <ChangeResourceRecordSetsRequest xmlns="https://route53.amazonaws.com/doc/2013-04-01/">
+          <ChangeBatch>
+            <Changes>
+              <Change>
+                <Action>#{action}</Action>
+                <ResourceRecordSet>
+                  <Name>#{record[:name]}</Name>
+                  <Type>#{record[:type]}</Type>
+                  <TTL>#{record[:ttl]}</TTL>
+                  <ResourceRecords>
+                    <ResourceRecord>
+                      <Value>#{record[:rdata]}</Value>
+                    </ResourceRecord>
+                  </ResourceRecords>
+                </ResourceRecordSet>
+              </Change>
+            </Changes>
+          </ChangeBatch>
+        </ChangeResourceRecordSetsRequest>
+      XML
+    end
+
+    def to_records(el)
+      el.elements.collect("ResourceRecords/ResourceRecord") do |rr|
+        name = normalize_trailing_period(get_value(el, "Name"))
+        type = get_value(el, "Type")
+        rdata = get_value(rr, "Value")
+
+        record = Record.new(
+          name:,
+          type:,
+          ttl: get_value(el, "TTL"),
+          rdata:,
+          comment: nil, # Route 53 does not have a direct comment field
+        )
+      end
+    end
+
+    def get_value el, field
+      el.elements[field].text.gsub(/\\(\d{3})/) { $1.to_i(8).chr } # unescape octal
+    end
+
+    def from_record(record)
+      {
+        Name: normalize_trailing_period(record[:name]),
+        Type: record[:type],
+        TTL: record[:ttl],
+        ResourceRecords: record[:rdata].split(",").map { |value| { Value: value } }
+      }
+    end
+
+    def normalize_trailing_period(value)
+      value =~ /\.$/ ? value : value + "."
+    end
+
+    def http
+      return @http if @http
+      @http = HTTP.new("https://route53.amazonaws.com/2013-04-01/hostedzone/#{credentials.fetch(:hosted_zone_id)}/rrset")
+      @http.before_request do |request, uri, body|
+        request["Content-Type"] = "application/xml"
+        request["X-Amz-Date"] = Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
+        request["Authorization"] = sign_request(request.method, uri, body)
+      end
+      @http
+    end
+
+    def sign_request(method, uri, body)
+      service = "route53"
+      date = Time.now.utc.strftime("%Y%m%d")
+      amz_date = Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
+      canonical_uri = uri.path
+      canonical_querystring = uri.query.to_s
+      canonical_headers = "host:#{uri.host}\n" + "x-amz-date:#{amz_date}\n"
+      signed_headers = "host;x-amz-date"
+      payload_hash = OpenSSL::Digest::SHA256.hexdigest(body || "")
+      canonical_request = [
+        method,
+        canonical_uri,
+        canonical_querystring,
+        canonical_headers,
+        signed_headers,
+        payload_hash
+      ].join("\n")
+
+      algorithm = "AWS4-HMAC-SHA256"
+      credential_scope = "#{date}/#{credentials.fetch(:aws_region)}/#{service}/aws4_request"
+      string_to_sign = [
+        algorithm,
+        amz_date,
+        credential_scope,
+        OpenSSL::Digest::SHA256.hexdigest(canonical_request)
+      ].join("\n")
+
+      signing_key = get_signature_key(credentials.fetch(:aws_secret_access_key), date, credentials.fetch(:aws_region), service)
+      signature = OpenSSL::HMAC.hexdigest("SHA256", signing_key, string_to_sign)
+
+      "#{algorithm} Credential=#{credentials.fetch(:aws_access_key_id)}/#{credential_scope}, SignedHeaders=#{signed_headers}, Signature=#{signature}"
+    end
+
+    def get_signature_key(key, date_stamp, region_name, service_name)
+      k_date = OpenSSL::HMAC.digest("SHA256", "AWS4" + key, date_stamp)
+      k_region = OpenSSL::HMAC.digest("SHA256", k_date, region_name)
+      k_service = OpenSSL::HMAC.digest("SHA256", k_region, service_name)
+      OpenSSL::HMAC.digest("SHA256", k_service, "aws4_request")
+    end
+  end
+end
+

data/lib/zonesync/validator.rb

@@ -0,0 +1,45 @@
+module Zonesync
+  class Validator < Struct.new(:operations, :destination)
+    def self.call(...)
+      new(...).call
+    end
+
+    def call
+      if operations.any? && !manifest.existing?
+        raise MissingManifestError.new(manifest.generate)
+      end
+      if manifest.existing_checksum && manifest.existing_checksum != manifest.generate_checksum
+        raise ChecksumMismatchError.new(manifest.existing_checksum, manifest.generate_checksum)
+      end
+      operations.each do |method, args|
+        send(method, *args)
+      end
+    end
+
+    private
+
+    def manifest
+      destination.manifest
+    end
+
+    def add record
+      return if manifest.matches?(record)
+      shorthand = manifest.shorthand_for(record, with_type: true)
+      conflicting_record = destination.records.find do |r|
+        manifest.shorthand_for(r, with_type: true) == shorthand
+      end
+      return if !conflicting_record
+      return if conflicting_record == record
+      raise Zonesync::ConflictError.new(conflicting_record, record)
+    end
+
+    def change *records
+      # FIXME? is it possible to break something with a tracked changed record
+    end
+
+    def remove record
+      # FIXME? is it possible to break something with a tracked removed record
+    end
+  end
+end
+

data/lib/zonesync/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Zonesync
-  VERSION = "0.6.1"
+  VERSION = "0.8.0"
 end