Add gssapi attribute for GSS-TSIG signed updates

hashicorp · Mar 13, 2018 · dcde294 · dcde294
1 parent bc6e6b9
commit dcde294
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 4 deletions.
diff --git a/dns/config.go b/dns/config.go
@@ -2,10 +2,13 @@ package dns
 
 import (
 	"fmt"
-	"github.com/miekg/dns"
 	"log"
 	"net"
 	"strconv"
+
+	"github.com/bodgit/tsig"
+	"github.com/bodgit/tsig/gss"
+	"github.com/miekg/dns"
 )
 
 type Config struct {
@@ -14,6 +17,7 @@ type Config struct {
 	keyname   string
 	keyalgo   string
 	keysecret string
+	gssapi    bool
 }
 
 type DNSClient struct {
@@ -32,7 +36,7 @@ func (c *Config) Client() (interface{}, error) {
 	client.srv_addr = net.JoinHostPort(c.server, strconv.Itoa(c.port))
 	authCfgOk := false
 	if (c.keyname == "" && c.keysecret == "" && c.keyalgo == "") ||
-		(c.keyname != "" && c.keysecret != "" && c.keyalgo != "") {
+		(c.keyname != "" && c.keysecret != "" && c.keyalgo != "" && !c.gssapi) {
 		authCfgOk = true
 	}
 	if !authCfgOk {
@@ -48,6 +52,21 @@ func (c *Config) Client() (interface{}, error) {
 		}
 		client.keyalgo = keyalgo
 		client.c.TsigSecret = map[string]string{c.keyname: c.keysecret}
+	} else if c.gssapi {
+		g, err := gss.New()
+		if err != nil {
+			return nil, fmt.Errorf("Error initializing GSS library: %s", err)
+		}
+
+		keyname, _, err := g.NegotiateContext(c.server)
+		if err != nil {
+			return nil, fmt.Errorf("Error negotiating GSS context: %s", err)
+		}
+
+		client.keyname = *keyname
+		client.keyalgo = tsig.GSS
+		client.c.TsigAlgorithm = map[string]*dns.TsigAlgorithm{tsig.GSS: {g.GenerateGSS, g.VerifyGSS}}
+		client.c.TsigSecret = map[string]string{*keyname: ""}
 	}
 	return &client, nil
 }

diff --git a/dns/provider.go b/dns/provider.go
@@ -55,6 +55,11 @@ func Provider() terraform.ResourceProvider {
 							Optional:    true,
 							DefaultFunc: schema.EnvDefaultFunc("DNS_UPDATE_KEYSECRET", nil),
 						},
+						"gssapi": &schema.Schema{
+							Type:        schema.TypeBool,
+							Optional:    true,
+							DefaultFunc: schema.EnvDefaultFunc("DNS_UPDATE_GSSAPI", nil),
+						},
 					},
 				},
 			},
@@ -84,6 +89,7 @@ func configureProvider(d *schema.ResourceData) (interface{}, error) {
 
 	var server, keyname, keyalgo, keysecret string
 	var port int
+	var gssapi bool
 
 	// if the update block is missing, schema.EnvDefaultFunc is not called
 	if v, ok := d.GetOk("update"); ok {
@@ -103,6 +109,9 @@ func configureProvider(d *schema.ResourceData) (interface{}, error) {
 		if val, ok := update["key_secret"]; ok {
 			keysecret = val.(string)
 		}
+		if val, ok := update["gssapi"]; ok {
+			gssapi = val.(bool)
+		}
 	} else {
 		if len(os.Getenv("DNS_UPDATE_SERVER")) > 0 {
 			server = os.Getenv("DNS_UPDATE_SERVER")
@@ -128,6 +137,14 @@ func configureProvider(d *schema.ResourceData) (interface{}, error) {
 		if len(os.Getenv("DNS_UPDATE_KEYSECRET")) > 0 {
 			keysecret = os.Getenv("DNS_UPDATE_KEYSECRET")
 		}
+		if len(os.Getenv("DNS_UPDATE_GSSAPI")) > 0 {
+			var err error
+			gssapiStr := os.Getenv("DNS_UPDATE_GSSAPI")
+			gssapi, err = strconv.ParseBool(gssapiStr)
+			if err != nil {
+				return nil, fmt.Errorf("invalid DNS_UPDATE_GSSAPI environment variable: %s", err)
+			}
+		}
 	}
 
 	config := Config{
@@ -136,6 +153,7 @@ func configureProvider(d *schema.ResourceData) (interface{}, error) {
 		keyname:   keyname,
 		keyalgo:   keyalgo,
 		keysecret: keysecret,
+		gssapi:    gssapi,
 	}
 
 	return config.Client()

diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
@@ -3,12 +3,12 @@ layout: "dns"
 page_title: "Provider: DNS"
 sidebar_current: "docs-dns-index"
 description: |-
-  The DNS provider supports DNS updates (RFC 2136). Additionally, the provider can be configured with secret key based transaction authentication (RFC 2845).
+  The DNS provider supports DNS updates (RFC 2136). Additionally, the provider can be configured with secret key based transaction authentication (RFC 2845) or can use GSS-TSIG (RFC 3645).
 ---
 
 # DNS Provider
 
-The DNS provider supports DNS updates (RFC 2136). Additionally, the provider can be configured with secret key based transaction authentication (RFC 2845).
+The DNS provider supports DNS updates (RFC 2136). Additionally, the provider can be configured with secret key based transaction authentication (RFC 2845) or can use GSS-TSIG (RFC 3645).
 
 Use the navigation to the left to read about the available resources.
 
@@ -43,3 +43,4 @@ The `update` block supports the following attributes:
 * `key_algorithm` - (Optional; Required if `key_name` is set) When using TSIG authentication, the algorithm to use for HMAC. Valid values are `hmac-md5`, `hmac-sha1`, `hmac-sha256` or `hmac-sha512`.
 * `key_secret` - (Optional; Required if `key_name` is set)
     A Base64-encoded string containing the shared secret to be used for TSIG.
+* `gssapi` - (Optional) Whether to use GSS-TSIG or not, should not be set at the same time as `key_name`, `key_algorithm` and `key_secret`.