granny-devops 0.4.0__py3-none-any.whl

granny/dns/bunny.py

@@ -0,0 +1,150 @@
+"""Bunny DNS provider — full CRUD against ``api.bunny.net``.
+
+Lifted and generalized from ``tools/create/setup_bunny_storage.py``. The
+existing script keeps its local copy; this module is the shared home used by
+``granny dns`` and any future callers.
+"""
+
+import logging
+from typing import Any
+
+import requests
+
+from granny.credentials.secrets import get_secret
+from granny.dns.base import DNSProvider
+from granny.dns.records import DNSRecord
+
+logger = logging.getLogger(__name__)
+
+API_BASE = "https://api.bunny.net"
+
+# Bunny's numeric record type ids (from the public API docs).
+RECORD_TYPES = {
+    "A": 0,
+    "AAAA": 1,
+    "CNAME": 2,
+    "TXT": 3,
+    "MX": 4,
+    "REDIRECT": 5,
+    "FLATTEN": 6,
+    "PULLZONE": 7,
+    "SRV": 8,
+    "CAA": 9,
+    "PTR": 10,
+    "SCRIPT": 11,
+    "NS": 12,
+}
+RECORD_TYPE_NAMES = {v: k for k, v in RECORD_TYPES.items()}
+
+
+class BunnyDNSProvider(DNSProvider):
+    name = "bunny"
+
+    def __init__(self, api_key: str | None = None) -> None:
+        api_key = api_key or get_secret("BUNNY_API_KEY")
+        if not api_key:
+            raise ValueError("BUNNY_API_KEY not set (env or vault).")
+        self.session = requests.Session()
+        self.session.headers.update(
+            {"AccessKey": api_key, "Content-Type": "application/json"}
+        )
+        self._zone_cache: dict[str, str] = {}
+
+    def _request(self, method: str, path: str, data: dict | None = None) -> Any:
+        url = f"{API_BASE}{path}"
+        resp = getattr(self.session, method.lower())(url, json=data, timeout=30)
+        if resp.status_code >= 400:
+            raise RuntimeError(
+                f"Bunny DNS API {method} {path} failed: {resp.status_code} {resp.text}"
+            )
+        if resp.status_code == 204 or not resp.text:
+            return {}
+        return resp.json()
+
+    def _find_zone(self, zone_name: str) -> dict | None:
+        result = self._request("GET", "/dnszone")
+        zones = result.get("Items", []) if isinstance(result, dict) else result
+        for zone in zones:
+            if zone.get("Domain") == zone_name:
+                return zone
+        return None
+
+    def get_zone_id(self, zone_name: str) -> str:
+        if zone_name in self._zone_cache:
+            return self._zone_cache[zone_name]
+        zone = self._find_zone(zone_name)
+        if not zone:
+            raise RuntimeError(f"Bunny DNS zone not found: {zone_name}")
+        zone_id = str(zone["Id"])
+        self._zone_cache[zone_name] = zone_id
+        return zone_id
+
+    def get_nameservers(self, zone_name: str) -> list[str]:
+        zone = self._find_zone(zone_name)
+        if not zone:
+            return []
+        return [zone[k] for k in ("NameServer1", "NameServer2") if zone.get(k)]
+
+    def _raw_records(self, zone_id: str) -> list[dict]:
+        result = self._request("GET", f"/dnszone/{zone_id}")
+        return result.get("Records", []) or []
+
+    def list_records(
+        self,
+        zone_id: str,
+        name: str | None = None,
+        record_type: str | None = None,
+    ) -> list[DNSRecord]:
+        raw = self._raw_records(zone_id)
+        type_num = RECORD_TYPES.get(record_type.upper()) if record_type else None
+        out: list[DNSRecord] = []
+        for rec in raw:
+            if name is not None and rec.get("Name", "") != name:
+                continue
+            if type_num is not None and rec.get("Type") != type_num:
+                continue
+            out.append(
+                DNSRecord(
+                    name=rec.get("Name", "") or "",
+                    type=RECORD_TYPE_NAMES.get(rec.get("Type", -1), "?"),
+                    value=rec.get("Value", ""),
+                    ttl=int(rec.get("Ttl", 300)),
+                    id=str(rec.get("Id")),
+                    provider_data=rec,
+                )
+            )
+        return out
+
+    def create_record(
+        self,
+        zone_id: str,
+        name: str,
+        record_type: str,
+        value: str,
+        ttl: int = 300,
+        proxied: bool = False,
+    ) -> DNSRecord:
+        type_num = RECORD_TYPES.get(record_type.upper())
+        if type_num is None:
+            raise ValueError(f"Unknown record type: {record_type}")
+        short_name = "" if name in ("@", None) else name
+        payload = {
+            "Type": type_num,
+            "Name": short_name,
+            "Value": value.rstrip(".") if record_type.upper() == "CNAME" else value,
+            "Ttl": ttl,
+        }
+        result = self._request("PUT", f"/dnszone/{zone_id}/records", payload)
+        logger.info("Bunny DNS: created %s %s -> %s", record_type, short_name, value)
+        return DNSRecord(
+            name=short_name,
+            type=record_type.upper(),
+            value=payload["Value"],
+            ttl=ttl,
+            id=str(result.get("Id")) if isinstance(result, dict) else None,
+            provider_data=result if isinstance(result, dict) else {},
+        )
+
+    def delete_record(self, zone_id: str, record_id: str) -> None:
+        self._request("DELETE", f"/dnszone/{zone_id}/records/{record_id}")
+        logger.info("Bunny DNS: deleted record %s", record_id)

granny/dns/cloudflare.py

@@ -0,0 +1,192 @@
+"""Cloudflare DNS provider — full CRUD against the v4 REST API.
+
+Ported from ``tools/create/manage-dns.sh`` (the bash script this package
+replaces) and the partial Cloudflare adapters in ``setup_bunny_storage.py``
+and ``auto_certificate.py``. Uses ``requests`` directly so we don't depend
+on the ``cloudflare`` SDK.
+"""
+
+import logging
+from typing import Any
+
+import requests
+
+from granny.credentials.secrets import get_secret
+from granny.dns.base import DNSProvider
+from granny.dns.records import DNSRecord
+
+logger = logging.getLogger(__name__)
+
+API_BASE = "https://api.cloudflare.com/client/v4"
+
+
+class CloudflareDNSProvider(DNSProvider):
+    name = "cloudflare"
+
+    def __init__(self, api_token: str | None = None) -> None:
+        api_token = api_token or get_secret("CLOUDFLARE_API_TOKEN")
+        if not api_token:
+            raise ValueError("CLOUDFLARE_API_TOKEN not set (env or vault).")
+        self.session = requests.Session()
+        self.session.headers.update(
+            {
+                "Authorization": f"Bearer {api_token}",
+                "Content-Type": "application/json",
+            }
+        )
+        self._zone_cache: dict[str, str] = {}
+
+    def _request(
+        self, method: str, path: str, *, params: dict | None = None, json: dict | None = None
+    ) -> dict:
+        url = f"{API_BASE}{path}"
+        resp = getattr(self.session, method.lower())(
+            url, params=params, json=json, timeout=30
+        )
+        if resp.status_code >= 400:
+            raise RuntimeError(
+                f"Cloudflare {method} {path} failed: {resp.status_code} {resp.text}"
+            )
+        body = resp.json()
+        if not body.get("success", True):
+            errors = body.get("errors", [])
+            raise RuntimeError(f"Cloudflare {method} {path} error: {errors}")
+        return body
+
+    def get_zone_id(self, zone_name: str) -> str:
+        if zone_name in self._zone_cache:
+            return self._zone_cache[zone_name]
+        body = self._request("GET", "/zones", params={"name": zone_name})
+        result = body.get("result") or []
+        if not result:
+            raise RuntimeError(f"Cloudflare zone not found: {zone_name}")
+        zone_id = result[0]["id"]
+        self._zone_cache[zone_name] = zone_id
+        return zone_id
+
+    def get_nameservers(self, zone_name: str) -> list[str]:
+        body = self._request("GET", "/zones", params={"name": zone_name})
+        result = body.get("result") or []
+        if not result:
+            return []
+        return list(result[0].get("name_servers") or [])
+
+    def _fqdn(self, zone_id: str, name: str) -> str:
+        # Cloudflare's record API uses full FQDN for `name`. The caller passes
+        # us a short name relative to the zone, so we need the zone name to
+        # build the full one. We reverse-lookup via /zones/{id} once.
+        body = self._request("GET", f"/zones/{zone_id}")
+        zone_name = body["result"]["name"]
+        if not name or name == "@":
+            return zone_name
+        if name.endswith(f".{zone_name}") or name == zone_name:
+            return name
+        return f"{name}.{zone_name}"
+
+    def list_records(
+        self,
+        zone_id: str,
+        name: str | None = None,
+        record_type: str | None = None,
+    ) -> list[DNSRecord]:
+        params: dict[str, Any] = {"per_page": 100}
+        if record_type:
+            params["type"] = record_type.upper()
+        if name is not None:
+            params["name"] = self._fqdn(zone_id, name)
+        body = self._request("GET", f"/zones/{zone_id}/dns_records", params=params)
+        out: list[DNSRecord] = []
+        for rec in body.get("result") or []:
+            out.append(
+                DNSRecord(
+                    name=rec.get("name", ""),
+                    type=rec.get("type", ""),
+                    value=rec.get("content", ""),
+                    ttl=int(rec.get("ttl", 300)),
+                    id=rec.get("id"),
+                    fqdn=rec.get("name"),
+                    provider_data=rec,
+                )
+            )
+        return out
+
+    def get_record(
+        self, zone_id: str, name: str, record_type: str
+    ) -> DNSRecord | None:
+        # Cloudflare stores `name` as the full FQDN on every record, so we
+        # must filter by FQDN not short name.
+        fqdn = self._fqdn(zone_id, name)
+        for rec in self.list_records(zone_id, record_type=record_type):
+            if rec.name == fqdn:
+                return rec
+        return None
+
+    def create_record(
+        self,
+        zone_id: str,
+        name: str,
+        record_type: str,
+        value: str,
+        ttl: int = 300,
+        proxied: bool = False,
+    ) -> DNSRecord:
+        fqdn = self._fqdn(zone_id, name)
+        payload = {
+            "type": record_type.upper(),
+            "name": fqdn,
+            "content": value,
+            # Cloudflare uses ttl=1 as the sentinel for "automatic". Anything
+            # else must be >= 60. Match manage-dns.sh's behavior: if caller
+            # passes ttl<=1, use automatic; otherwise send the value.
+            "ttl": 1 if ttl <= 1 else ttl,
+            "proxied": proxied,
+        }
+        body = self._request("POST", f"/zones/{zone_id}/dns_records", json=payload)
+        rec = body.get("result") or {}
+        logger.info("Cloudflare: created %s %s -> %s", record_type, fqdn, value)
+        return DNSRecord(
+            name=rec.get("name", fqdn),
+            type=rec.get("type", record_type.upper()),
+            value=rec.get("content", value),
+            ttl=int(rec.get("ttl", ttl)),
+            id=rec.get("id"),
+            fqdn=rec.get("name", fqdn),
+            provider_data=rec,
+        )
+
+    def update_record(
+        self,
+        zone_id: str,
+        record_id: str,
+        name: str,
+        record_type: str,
+        value: str,
+        ttl: int = 300,
+        proxied: bool = False,
+    ) -> DNSRecord:
+        fqdn = self._fqdn(zone_id, name)
+        payload = {
+            "type": record_type.upper(),
+            "name": fqdn,
+            "content": value,
+            "ttl": 1 if ttl <= 1 else ttl,
+            "proxied": proxied,
+        }
+        body = self._request(
+            "PUT", f"/zones/{zone_id}/dns_records/{record_id}", json=payload
+        )
+        rec = body.get("result") or {}
+        logger.info("Cloudflare: updated %s %s -> %s", record_type, fqdn, value)
+        return DNSRecord(
+            name=rec.get("name", fqdn),
+            type=rec.get("type", record_type.upper()),
+            value=rec.get("content", value),
+            ttl=int(rec.get("ttl", ttl)),
+            id=rec.get("id", record_id),
+            fqdn=rec.get("name", fqdn),
+            provider_data=rec,
+        )
+
+    def delete_record(self, zone_id: str, record_id: str) -> None:
+        self._request("DELETE", f"/zones/{zone_id}/dns_records/{record_id}")
+        logger.info("Cloudflare: deleted record %s", record_id)

granny/dns/cloudns.py

@@ -0,0 +1,162 @@
+"""ClouDNS provider — CRUD via https://api.cloudns.net.
+
+Lifted from ``tools/create/setup_bunny_storage.py``. ClouDNS uses form-encoded
+POST requests for every operation, including reads. The zone identifier is
+the domain name itself. TTLs are quantized to a fixed set.
+"""
+
+import logging
+from typing import Any
+
+import requests
+
+from granny.credentials.secrets import get_secret
+from granny.dns.base import DNSProvider
+from granny.dns.records import DNSRecord
+
+logger = logging.getLogger(__name__)
+
+API_BASE = "https://api.cloudns.net"
+VALID_TTLS = [
+    60, 300, 900, 1800, 3600, 21600, 43200, 86400,
+    172800, 259200, 604800, 1209600, 2592000,
+]
+
+
+def _quantize_ttl(ttl: int) -> int:
+    for valid in VALID_TTLS:
+        if ttl <= valid:
+            return valid
+    return VALID_TTLS[-1]
+
+
+class ClouDNSDNSProvider(DNSProvider):
+    name = "cloudns"
+
+    def __init__(
+        self,
+        auth_id: str | None = None,
+        auth_password: str | None = None,
+        sub_auth_id: str | None = None,
+        sub_auth_user: str | None = None,
+    ) -> None:
+        self.auth_id = auth_id or get_secret("CLOUDNS_AUTH_ID")
+        self.auth_password = auth_password or get_secret("CLOUDNS_AUTH_PASSWORD")
+        self.sub_auth_id = sub_auth_id or get_secret("CLOUDNS_SUB_AUTH_ID")
+        self.sub_auth_user = sub_auth_user or get_secret("CLOUDNS_SUB_AUTH_USER")
+        if not self.auth_password:
+            raise ValueError("CLOUDNS_AUTH_PASSWORD not set (env or vault).")
+        if not self.auth_id and not self.sub_auth_id and not self.sub_auth_user:
+            raise ValueError(
+                "ClouDNS requires auth-id, sub-auth-id, or sub-auth-user."
+            )
+
+    def _auth_params(self) -> dict[str, str]:
+        p = {"auth-password": self.auth_password}
+        if self.auth_id:
+            p["auth-id"] = self.auth_id
+        elif self.sub_auth_id:
+            p["sub-auth-id"] = self.sub_auth_id
+        elif self.sub_auth_user:
+            p["sub-auth-user"] = self.sub_auth_user
+        return p
+
+    def _request(self, endpoint: str, params: dict | None = None) -> Any:
+        all_params = self._auth_params()
+        if params:
+            all_params.update(params)
+        resp = requests.post(f"{API_BASE}{endpoint}", data=all_params, timeout=30)
+        if resp.status_code >= 400:
+            raise RuntimeError(
+                f"ClouDNS {endpoint} failed: {resp.status_code} {resp.text}"
+            )
+        data = resp.json()
+        if isinstance(data, dict) and data.get("status") == "Failed":
+            raise RuntimeError(
+                f"ClouDNS {endpoint} error: {data.get('statusDescription')}"
+            )
+        return data
+
+    def get_zone_id(self, zone_name: str) -> str:
+        result = self._request(
+            "/dns/list-zones.json", {"page": 1, "rows-per-page": 100}
+        )
+        zones = result if isinstance(result, list) else list(result.values() or [])
+        for zone in zones:
+            if isinstance(zone, dict) and zone.get("name") == zone_name:
+                return zone_name
+        raise RuntimeError(f"ClouDNS zone not found: {zone_name}")
+
+    def list_records(
+        self,
+        zone_id: str,
+        name: str | None = None,
+        record_type: str | None = None,
+    ) -> list[DNSRecord]:
+        result = self._request("/dns/records.json", {"domain-name": zone_id})
+        if isinstance(result, dict):
+            records = list(result.values())
+        elif isinstance(result, list):
+            records = result
+        else:
+            records = []
+        short_name = "" if name in ("@", None) else name
+        rtype = record_type.upper() if record_type else None
+        out: list[DNSRecord] = []
+        for rec in records:
+            if not isinstance(rec, dict):
+                continue
+            if name is not None and rec.get("host", "") != short_name:
+                continue
+            if rtype is not None and rec.get("type") != rtype:
+                continue
+            out.append(
+                DNSRecord(
+                    name=rec.get("host", ""),
+                    type=rec.get("type", ""),
+                    value=rec.get("record", ""),
+                    ttl=int(rec.get("ttl", 3600)),
+                    id=str(rec.get("id")),
+                    provider_data=rec,
+                )
+            )
+        return out
+
+    def create_record(
+        self,
+        zone_id: str,
+        name: str,
+        record_type: str,
+        value: str,
+        ttl: int = 300,
+        proxied: bool = False,
+    ) -> DNSRecord:
+        short = "" if not name or name == "@" else name
+        result = self._request(
+            "/dns/add-record.json",
+            {
+                "domain-name": zone_id,
+                "record-type": record_type.upper(),
+                "host": short,
+                "record": value.rstrip(".") if record_type.upper() == "CNAME" else value,
+                "ttl": _quantize_ttl(ttl),
+            },
+        )
+        record_id = None
+        if isinstance(result, dict):
+            record_id = str(result.get("data", {}).get("id") or "")
+        logger.info("ClouDNS: created %s %s -> %s", record_type, short, value)
+        return DNSRecord(
+            name=short,
+            type=record_type.upper(),
+            value=value,
+            ttl=_quantize_ttl(ttl),
+            id=record_id or None,
+        )
+
+    def delete_record(self, zone_id: str, record_id: str) -> None:
+        self._request(
+            "/dns/delete-record.json",
+            {"domain-name": zone_id, "record-id": record_id},
+        )
+        logger.info("ClouDNS: deleted record %s", record_id)

granny/dns/desec.py

@@ -0,0 +1,152 @@
+"""deSEC DNS provider — CRUD via https://desec.io/api/v1.
+
+deSEC models records as RRsets (one set per subname+type), and uses the
+domain name itself as the "zone id". The provider-level ``id`` we expose is
+an opaque ``subname|type`` pair so ``delete_record`` can round-trip to the
+right rrset endpoint.
+"""
+
+import logging
+import time
+
+import requests
+
+from granny.credentials.secrets import get_secret
+from granny.dns.base import DNSProvider
+from granny.dns.records import DNSRecord
+
+logger = logging.getLogger(__name__)
+
+API_BASE = "https://desec.io/api/v1"
+MIN_TTL = 3600  # deSEC API minimum
+
+
+class DeSECDNSProvider(DNSProvider):
+    name = "desec"
+
+    def __init__(self, api_token: str | None = None) -> None:
+        api_token = api_token or get_secret("DESEC_API_TOKEN")
+        if not api_token:
+            raise ValueError("DESEC_API_TOKEN not set (env or vault).")
+        self.session = requests.Session()
+        self.session.headers.update(
+            {"Authorization": f"Token {api_token}", "Content-Type": "application/json"}
+        )
+
+    def _request(self, method: str, path: str, json: dict | None = None) -> dict:
+        url = f"{API_BASE}{path}"
+        resp = getattr(self.session, method.lower())(url, json=json, timeout=30)
+        if resp.status_code == 429:
+            delay = int(resp.headers.get("Retry-After", 5))
+            logger.warning("deSEC rate limited, sleeping %ss", delay)
+            time.sleep(delay)
+            return self._request(method, path, json=json)
+        if resp.status_code == 404:
+            raise KeyError(path)
+        if resp.status_code >= 400:
+            raise RuntimeError(
+                f"deSEC {method} {path} failed: {resp.status_code} {resp.text}"
+            )
+        if resp.status_code == 204 or not resp.text:
+            return {}
+        return resp.json()
+
+    def get_zone_id(self, zone_name: str) -> str:
+        try:
+            self._request("GET", f"/domains/{zone_name}/")
+        except KeyError:
+            raise RuntimeError(f"deSEC domain not found: {zone_name}")
+        return zone_name
+
+    def get_nameservers(self, zone_name: str) -> list[str]:
+        # deSEC's nameservers are fixed.
+        return ["ns1.desec.io", "ns2.desec.org"]
+
+    def _normalize_subname(self, name: str | None) -> str:
+        if name is None or name in ("@", ""):
+            return ""
+        return name
+
+    def list_records(
+        self,
+        zone_id: str,
+        name: str | None = None,
+        record_type: str | None = None,
+    ) -> list[DNSRecord]:
+        rrsets = self._request("GET", f"/domains/{zone_id}/rrsets/")
+        if not isinstance(rrsets, list):
+            rrsets = []
+        subname_filter = self._normalize_subname(name) if name is not None else None
+        rtype = record_type.upper() if record_type else None
+        out: list[DNSRecord] = []
+        for rrset in rrsets:
+            if subname_filter is not None and rrset.get("subname", "") != subname_filter:
+                continue
+            if rtype is not None and rrset.get("type") != rtype:
+                continue
+            for value in rrset.get("records") or []:
+                out.append(
+                    DNSRecord(
+                        name=rrset.get("subname", ""),
+                        type=rrset.get("type", ""),
+                        value=value,
+                        ttl=int(rrset.get("ttl", MIN_TTL)),
+                        id=f"{rrset.get('subname', '')}|{rrset.get('type', '')}",
+                        provider_data=rrset,
+                    )
+                )
+        return out
+
+    def create_record(
+        self,
+        zone_id: str,
+        name: str,
+        record_type: str,
+        value: str,
+        ttl: int = 300,
+        proxied: bool = False,
+    ) -> DNSRecord:
+        subname = self._normalize_subname(name)
+        rtype = record_type.upper()
+        ttl = max(ttl, MIN_TTL)
+        # CNAME values in deSEC must be fully-qualified with trailing dot.
+        stored = value if value.endswith(".") else f"{value}."
+        payload_value = stored if rtype in ("CNAME", "MX", "NS", "PTR", "SRV") else value
+        payload = {
+            "subname": subname,
+            "type": rtype,
+            "records": [payload_value],
+            "ttl": ttl,
+        }
+        try:
+            self._request("POST", f"/domains/{zone_id}/rrsets/", json=payload)
+        except RuntimeError as exc:
+            # If the rrset already exists, upgrade to PATCH (merges records).
+            if "already" in str(exc).lower():
+                self._request(
+                    "PATCH",
+                    f"/domains/{zone_id}/rrsets/{subname}.../{rtype}/",
+                    json={"records": [payload_value], "ttl": ttl},
+                )
+            else:
+                raise
+        logger.info("deSEC: created %s %s -> %s", rtype, subname or "@", payload_value)
+        return DNSRecord(
+            name=subname,
+            type=rtype,
+            value=payload_value,
+            ttl=ttl,
+            id=f"{subname}|{rtype}",
+        )
+
+    def delete_record(self, zone_id: str, record_id: str) -> None:
+        # record_id is our synthetic "subname|type" pair. Deleting the whole
+        # rrset is deSEC-idiomatic — per-value deletes require PATCH with the
+        # remaining set.
+        subname, _, rtype = record_id.partition("|")
+        path = f"/domains/{zone_id}/rrsets/{subname}.../{rtype}/"
+        try:
+            self._request("DELETE", path)
+        except KeyError:
+            pass
+        logger.info("deSEC: deleted rrset %s/%s", subname or "@", rtype)