bunny: fix zone detection (#2375)

go-acme · Dec 5, 2024 · 1a62bba · 1a62bba
1 parent 2c13835
commit 1a62bba
Show file tree

Hide file tree

Showing 2 changed files with 160 additions and 26 deletions.
diff --git a/providers/dns/bunny/bunny.go b/providers/dns/bunny/bunny.go
@@ -5,12 +5,15 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 	"time"
 
 	"github.com/go-acme/lego/v4/challenge"
 	"github.com/go-acme/lego/v4/challenge/dns01"
 	"github.com/go-acme/lego/v4/platform/config/env"
+	"github.com/miekg/dns"
 	"github.com/nrdcg/bunny-go"
+	"golang.org/x/net/publicsuffix"
 )
 
 // Environment variables names.
@@ -94,19 +97,14 @@ func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
 func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 	info := dns01.GetChallengeInfo(domain, keyAuth)
 
-	authZone, err := getZoneName(info.EffectiveFQDN)
-	if err != nil {
-		return fmt.Errorf("bunny: could not find zone for domain %q: %w", domain, err)
-	}
-
 	ctx := context.Background()
 
-	zone, err := d.findZone(ctx, authZone)
+	zone, err := d.findZone(ctx, dns01.UnFqdn(info.EffectiveFQDN))
 	if err != nil {
 		return fmt.Errorf("bunny: %w", err)
 	}
 
-	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, deref(zone.Domain))
 	if err != nil {
 		return fmt.Errorf("bunny: %w", err)
 	}
@@ -129,19 +127,14 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 	info := dns01.GetChallengeInfo(domain, keyAuth)
 
-	authZone, err := getZoneName(info.EffectiveFQDN)
-	if err != nil {
-		return fmt.Errorf("bunny: could not find zone for domain %q: %w", domain, err)
-	}
-
 	ctx := context.Background()
 
-	zone, err := d.findZone(ctx, authZone)
+	zone, err := d.findZone(ctx, dns01.UnFqdn(info.EffectiveFQDN))
 	if err != nil {
 		return fmt.Errorf("bunny: %w", err)
 	}
 
-	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, deref(zone.Domain))
 	if err != nil {
 		return fmt.Errorf("bunny: %w", err)
 	}
@@ -172,28 +165,53 @@ func (d *DNSProvider) findZone(ctx context.Context, authZone string) (*bunny.DNS
 		return nil, err
 	}
 
+	zone := findZone(zones, authZone)
+	if zone == nil {
+		return nil, fmt.Errorf("could not find DNSZone domain=%s", authZone)
+	}
+
+	return zone, nil
+}
+
+func findZone(zones *bunny.DNSZones, domain string) *bunny.DNSZone {
+	domains := possibleDomains(domain)
+
+	var domainLength int
+
 	var zone *bunny.DNSZone
 	for _, item := range zones.Items {
-		if item != nil && deref(item.Domain) == authZone {
-			zone = item
-			break
+		if item == nil {
+			continue
 		}
-	}
 
-	if zone == nil {
-		return nil, fmt.Errorf("could not find DNSZone zone=%s", authZone)
+		curr := deref(item.Domain)
+
+		if slices.Contains(domains, curr) && domainLength < len(curr) {
+			domainLength = len(curr)
+
+			zone = item
+		}
 	}
 
-	return zone, nil
+	return zone
 }
 
-func getZoneName(fqdn string) (string, error) {
-	authZone, err := dns01.FindZoneByFqdn(fqdn)
-	if err != nil {
-		return "", err
+func possibleDomains(domain string) []string {
+	var domains []string
+
+	labelIndexes := dns.Split(domain)
+
+	for _, index := range labelIndexes {
+		tld, _ := publicsuffix.PublicSuffix(domain)
+		if tld == domain[index:] {
+			// skip the TLD
+			break
+		}
+
+		domains = append(domains, dns01.UnFqdn(domain[index:]))
 	}
 
-	return dns01.UnFqdn(authZone), nil
+	return domains
 }
 
 func pointer[T string | int | int32 | int64](v T) *T { return &v }

diff --git a/providers/dns/bunny/bunny_test.go b/providers/dns/bunny/bunny_test.go
@@ -4,6 +4,8 @@ import (
 	"testing"
 
 	"github.com/go-acme/lego/v4/platform/tester"
+	"github.com/nrdcg/bunny-go"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -123,3 +125,117 @@ func TestLiveCleanUp(t *testing.T) {
 	err = provider.CleanUp(envTest.GetDomain(), "", "123d==")
 	require.NoError(t, err)
 }
+
+func Test_findZone(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		domain   string
+		items    []*bunny.DNSZone
+		expected *bunny.DNSZone
+	}{
+		{
+			desc:   "found subdomain",
+			domain: "_acme-challenge.foo.bar.example.com",
+			items: []*bunny.DNSZone{
+				{ID: pointer[int64](1), Domain: pointer("example.com")},
+				{ID: pointer[int64](2), Domain: pointer("example.org")},
+				{ID: pointer[int64](4), Domain: pointer("bar.example.org")},
+				{ID: pointer[int64](5), Domain: pointer("bar.example.com")},
+				{ID: pointer[int64](6), Domain: pointer("foo.example.com")},
+			},
+			expected: &bunny.DNSZone{
+				ID:     pointer[int64](5),
+				Domain: pointer("bar.example.com"),
+			},
+		},
+		{
+			desc:   "found the longest subdomain",
+			domain: "_acme-challenge.foo.bar.example.com",
+			items: []*bunny.DNSZone{
+				{ID: pointer[int64](7), Domain: pointer("foo.bar.example.com")},
+				{ID: pointer[int64](1), Domain: pointer("example.com")},
+				{ID: pointer[int64](2), Domain: pointer("example.org")},
+				{ID: pointer[int64](4), Domain: pointer("bar.example.org")},
+				{ID: pointer[int64](5), Domain: pointer("bar.example.com")},
+				{ID: pointer[int64](6), Domain: pointer("foo.example.com")},
+			},
+			expected: &bunny.DNSZone{
+				ID:     pointer[int64](7),
+				Domain: pointer("foo.bar.example.com"),
+			},
+		},
+		{
+			desc:   "found apex",
+			domain: "_acme-challenge.foo.bar.example.com",
+			items: []*bunny.DNSZone{
+				{ID: pointer[int64](1), Domain: pointer("example.com")},
+				{ID: pointer[int64](2), Domain: pointer("example.org")},
+				{ID: pointer[int64](4), Domain: pointer("bar.example.org")},
+				{ID: pointer[int64](6), Domain: pointer("foo.example.com")},
+			},
+			expected: &bunny.DNSZone{
+				ID:     pointer[int64](1),
+				Domain: pointer("example.com"),
+			},
+		},
+		{
+			desc:   "not found",
+			domain: "_acme-challenge.foo.bar.example.com",
+			items: []*bunny.DNSZone{
+				{ID: pointer[int64](2), Domain: pointer("example.org")},
+				{ID: pointer[int64](4), Domain: pointer("bar.example.org")},
+				{ID: pointer[int64](6), Domain: pointer("foo.example.com")},
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			zones := &bunny.DNSZones{Items: test.items}
+
+			zone := findZone(zones, test.domain)
+
+			assert.Equal(t, test.expected, zone)
+		})
+	}
+}
+
+func Test_possibleDomains(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		domain   string
+		expected []string
+	}{
+		{
+			desc:     "apex",
+			domain:   "example.com",
+			expected: []string{"example.com"},
+		},
+		{
+			desc:     "CCTLD",
+			domain:   "example.co.uk",
+			expected: []string{"example.co.uk"},
+		},
+		{
+			desc:     "long domain",
+			domain:   "_acme-challenge.foo.bar.example.com",
+			expected: []string{"_acme-challenge.foo.bar.example.com", "foo.bar.example.com", "bar.example.com", "example.com"},
+		},
+		{
+			desc:   "empty",
+			domain: "",
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			domains := possibleDomains(test.domain)
+
+			assert.Equal(t, test.expected, domains)
+		})
+	}
+}