creds.json should not be executable under Windows (#1456)

* Skip CAA flag test for LINODE * Require go 1.18 * Update CCI to use go 1.18 * go mod tidy * working * Update creds.json docs * go generate
2024-05-11 05:55:12 +00:00 · 2022-03-25 15:20:30 -04:00
parent 52a8964564
commit ffe21c6e6d
7 changed files with 123 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -182,9 +182,10 @@ See [dnscontrol-action](https://github.com/koenrh/dnscontrol-action)

 # Depreciation warnings (updated 2022-03-07)

-* Let's Encrypt support is frozen and will be removed in early 2023.  The "get-certs" command (renews certs via Let's Encrypt) has no maintainer. There are other projects that do a better job. If you don't use this feature, please do not start. If you do use this feature, please plan on migrating to something else.  See discussion in https://github.com/StackExchange/dnscontrol/issues/1400
-* Call for new volunteer maintainers for CLOUDFLARE_API, GCLOUD, NAMEDOTCOM, ROUTE53, and SOFTLAYER.
-* Provider ACTIVEDIRECTORY_PS is deprecated and will be removed soon. Use MSDNS instead.
+* **ACME/Let's Encrypt support is frozen and will be removed after December 31, 2022.**  The `get-certs` command (renews certs via Let's Encrypt) has no maintainer. There are other projects that do a better job. If you don't use this feature, please do not start. If you do use this feature, please plan on migrating to something else.  See discussion in https://github.com/StackExchange/dnscontrol/issues/1400
+* **convertzone is frozen and will be removed after June 30, 2022.** The `convertzone` stand-alone program is replaced by the `get-zone` subcommand of DNSControl. It does everything `convertzone` did and more.
+* **Provider ACTIVEDIRECTORY_PS is frozen and will be removed after June 30, 2022.** It is replaced by MSDNS which is 100% feature compatible and works better. (We believe nobody uses it.)
+* **Call for new volunteer maintainers for CLOUDFLARE_API, GCLOUD, NAMEDOTCOM, ROUTE53, and SOFTLAYER.** These providers have no maintainer. Maintainers respond to PRs and fix bugs in a timely manner, and try to stay on top of protocol changes.


 # More info at our web site
--- a/commands/commands.go
+++ b/commands/commands.go
@ -229,7 +229,7 @@ func (args *GetCredentialsArgs) flags() []cli.Flag {
 		&cli.StringFlag{
 			Name:        "creds",
 			Destination: &args.CredsFile,
-			Usage:       "Provider credentials JSON file",
+			Usage:       "Provider credentials JSON file (or !program to execute program that outputs json)",
 			Value:       "creds.json",
 		},
 	}
--- a/commands/getZones.go
+++ b/commands/getZones.go
@ -140,11 +140,11 @@ func GetZone(args GetZoneArgs) error {
 	// Read it in:
 	providerConfigs, err = config.LoadProviderConfigs(args.CredsFile)
 	if err != nil {
-		return fmt.Errorf("failed GetZone lpc(%q): %w", args.CredsFile, err)
+		return fmt.Errorf("failed GetZone LoadProviderConfigs(%q): %w", args.CredsFile, err)
 	}
 	provider, err := providers.CreateDNSProvider(args.ProviderName, providerConfigs[args.CredName], nil)
 	if err != nil {
-		return fmt.Errorf("failed GetZone cdp: %w", err)
+		return fmt.Errorf("failed GetZone CreateDNSProvider: %w", err)
 	}

 	// decide which zones we need to convert
--- a/docs/creds-json.md
+++ b/docs/creds-json.md
@ -0,0 +1,67 @@
+---
+layout: default
+title: creds.json file format
+---
+
+# creds.json
+
+When dnscontrol interacts with a provider, any API keys, credentials, or other
+configuration parameters required are stored in `creds.json`.   The file contains a set of key/value pairs for each configuration.  That is, since a provider can be used multiple times with different credentials, the file contains a section for each set of credentials.
+
+Here's a sample file:
+
+```json
+{
+  "cloudflare_tal": {
+    "apikey": "REDACTED",
+    "apiuser": "REDACTED"
+  },
+  "inside": {
+    "directory": "inzones",
+    "filenameformat": "db_%T%?_%D"
+  },
+  "hexonet": {
+    "apilogin": "$HEXONET_APILOGIN",
+    "apipassword": "$HEXONET_APIPASSWORD",
+    "debugmode": "$HEXONET_DEBUGMODE",
+    "domain": "$HEXONET_DOMAIN"
+  }
+}
+```
+
+# Format
+
+* Primary keys: (e.g. `cloudflare_tal`, `inside`, `hexonet`)
+  * ...refer to the first parameter in the `NewRegistrar()` or `NewDnsProvider()` functions in a dnsconfig.js file.
+  * ...may include any printable character except colon (`:`)
+  * Convention: all lower case, usually the name of the provider or the username at the provider or both.
+* Subkeys: (e.g. `apikey`, `apiuser` and etc.)
+  * ...are whatever the provider specifies.
+  * ...can be credentials, secrets, or configuration settings. In the above examples the `inside` setting is configuration parameters for the BIND provider, not credentials.
+  * A missing subkey is not an error. The value is the empty string.
+* Values:
+  * ...may include any JSON string value including the empty string.
+  * If a subkey starts with `$`, it is taken as an env variable.  In the above example, `$HEXONET_APILOGIN` would be replaced by the value of the environment variable `HEXONET_APILOGIN` or the empty string if no such environment variable exists.
+
+# Using a different name
+
+The `--creds` flag allows you to specify a different file name.
+
+* Normally the file is read as a JSON file.
+* Do not end the filename with `.yaml` or `.yml` as some day we hope to support YAML.
+* Rather than specifying a file, you can specify a program to be run. The output of the program must be valid JSON and will be read the same way.
+  * If the name begins with `!`, the remainder of the name is taken to be the command to be run.
+  * If the name is a file that is executable (chmod `+x` bit), it is taken as the command to be run.
+  * Exceptions: The `x` bit is not checked if the filename ends with `.yaml`, `.yml` or `.json`.
+  * Windows: Executing an external script isn't supported. There's no code that prevents it from trying, but it isn't supported.
+
+# Don't store secrets in a Git repo!
+
+Do NOT store secrets in a Git repository. That is not secure. For example,
+storing the example `cloudflare_tal` is insecure because anyone with access to
+your Git repository or the history will know your apiuser is `REDACTED`.
+Removing secrets accidentally stored in Git is very difficult. You'll probably
+give up and re-create the repo and lose all history.
+
+Instead, use environment variables as in the `hexonet` example above.  Use
+secure means to distribute the names and values of the environment variables.
--- a/docs/get-certs.md
+++ b/docs/get-certs.md
@ -5,6 +5,10 @@ title: Let's Encrypt Certificate generation

 # *Let's Encrypt* Certificate generation

+**WARNING: This feature
+is frozen and will be removed in early 2023. The "get-certs" command (renews certs via Let's Encrypt) has no maintainer. There are other projects that do a better job. If you don't use this feature, please do not start. If you do use this feature, please plan on migrating to something else. See discussion in [#1400](https://github.com/StackExchange/dnscontrol/issues/1400)**
+
+
 DNSControl will generate/renew Let's Encrypt certificates using DNS
 validation.  It is not a complete certificate management system, but
 can perform the renewal steps for the system you create.  If you
--- a/docs/index.md
+++ b/docs/index.md
@ -94,6 +94,42 @@ title: DNSControl
 					<a href="{{site.github.url}}/migrating">Migrating</a>: Migrating zones to DNSControl
 				</li>
 			</ul>
+
+			<h2>
+				Commands
+			</h2>
+			<p>
+				DNSControl sub-commands and options.
+			</p>
+
+			<ul>
+<!--
+				<li>
+ 					<a href="check-preview-push">check/preview/push</a>: dnscontrol's fundamentals
+				</li>
+-->
+				<li>
+ 					<a href="creds-json.html">creds.json</a>: creds.json file format
+				</li>
+				<li>
+ 					<a href="check-creds.html">check-creds</a>: Verify credentials
+				</li>
+<!--
+				<li>
+ 					<a href="create-domains">create-domains</a>: Populate domains at a provider
+				</li>
+				<li>
+ 					<a href="fmt">fmt</a>: Reformat dnsconfig.js
+				</li>
+-->
+				<li>
+ 					<a href="get-zones.html">get-zones</a>: Query a provider for zone info
+				</li>
+				<li>
+					<a href="get-certs.html">get-certs</a>: Renew SSL/TLS certs (DEPRECATED)
+				</li>
+			</ul>
+
 		</div>
 		<div class="col-md-4">
 			<h2>
@ -116,9 +152,6 @@ title: DNSControl
 				<li>
 					<a href="{{site.github.url}}/caa-builder">CAA Builder</a>: Build CAA records the easy way
 				</li>
-				<li>
-					<a href="{{site.github.url}}/get-certs">Let's Encrypt</a>: Renew your SSL/TLS certs
-				</li>
 			</ul>
 		</div>
 		<div class="col-md-4">
@ -130,13 +163,13 @@ title: DNSControl
 			</p>
 			<ul>
 				<li>
-					<a href="{{site.github.url}}/why-the-dot">Why CNAME/MX/NS targets require a "trailing dot"</a>
+					<a href="{{site.github.url}}/why-the-dot">Why CNAME/MX targets require a trailing dot</a>
 				</li>
 				<li>
 					<a href="{{site.github.url}}/unittests">Testing</a>: Unit Testing for you DNS Data
 				</li>
 				<li>
-					<a href="{{site.github.url}}/notifications">Notifications</a>: Be alerted when your domains are changed
+					<a href="{{site.github.url}}/notifications">Notifications</a>: Web-hook for changes
 				</li>
 				<li>
 					<a href="{{site.github.url}}/code-tricks">Code Tricks</a>: Safely use macros and loops.
--- a/providers/config/providerConfig.go
+++ b/providers/config/providerConfig.go
@ -28,6 +28,13 @@ func LoadProviderConfigs(fname string) (map[string]map[string]string, error) {
 		if err != nil {
 			return nil, err
 		}
+	} else if strings.HasSuffix(fname, ".json") {
+		// .json files are never executable (needed because in Windows WSL
+		// all files are executable).
+		dat, err = readCredsFile(fname)
+		if err != nil {
+			return nil, err
+		}
 	} else if isExecutable(fname) {
 		dat, err = executeCredsFile(fname)
 		if err != nil {