security/acme-client: add support for INWX 2FA (opnsense#3942)

requires opnsense/tools#444 While here, fix a typo in the INWX password field name: inws -> inwx
fraenki · Dec 18, 2024 · 52d28a7 · 52d28a7
1 parent 07a7489
commit 52d28a7
Show file tree

Hide file tree

Showing 6 changed files with 90 additions and 5 deletions.
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
@@ -14,12 +14,14 @@ Added:
 * Add support for MyDNS.JP DNS API (#4328)
 * Add support for fornex DNS API (#4389)
 * Add support for OTP Code to Synology deploy hook (#4045)
+* Add support for Shared Secret to INWX DNS API (#3942)
 
 Changed:
 * Convert Synology deploy hook variables to uppercase (#4286)
 
 Fixed:
 * SFTP/SSH automation results in fatal PHP error (#4363)
+* Typo in INWX password field name
 
 4.6
 

diff --git a/...me-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/...me-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -690,10 +690,16 @@
         <type>text</type>
     </field>
     <field>
-        <id>validation.dns_inws_password</id>
+        <id>validation.dns_inwx_password</id>
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <id>validation.dns_inwx_shared_secret</id>
+        <label>Shared Secret</label>
+        <type>password</type>
+        <help>When 2FA is enabled, the Shared Secret must be provided. Note that this feature requires the package oath-toolkit, which must be installed manually.</help>
+    </field>
     <field>
         <label>IONOS domain API</label>
         <type>header</type>

diff --git a/...ity/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInwx.php b/...ity/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInwx.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29,6 +29,7 @@
 namespace OPNsense\AcmeClient\LeValidation;
 
 use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\AcmeClient\LeUtils;
 use OPNsense\Core\Config;
 
 /**
@@ -40,6 +41,13 @@ class DnsInwx extends Base implements LeValidationInterface
     public function prepare()
     {
         $this->acme_env['INWX_User'] = (string)$this->config->dns_inwx_user;
-        $this->acme_env['INWX_Password'] = (string)$this->config->dns_inws_password;
+        $this->acme_env['INWX_Password'] = (string)$this->config->dns_inwx_password;
+        if (!empty((string)$this->config->dns_inwx_shared_secret)) {
+            if ((string)$this->model->isPackageInstalled('oath-toolkit') != '1') {
+                LeUtils::log_error('Required package oath-toolkit is NOT installed. Please install the package or remove the INWX Shared Secret.');
+                return false;
+            }
+            $this->acme_env['INWX_Shared_Secret'] = (string)$this->config->dns_inwx_shared_secret;
+        }
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017 Frank Wall
+ *    Copyright (C) 2017-2024 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -101,4 +101,19 @@ public function isPluginInstalled($name)
         $backend = new Backend();
         return trim($backend->configdRun('firmware plugin ' . escapeshellarg($name)));
     }
+
+    /**
+     * check if the specfied package is installed
+     * @param $name package name
+     * @return bool is the package installed
+     */
+    public function isPackageInstalled($name)
+    {
+        $backend = new Backend();
+        $_package_list = $backend->configdRun('firmware local');
+        if (preg_match("/^$name\|\|.*/m", $_package_list)) {
+          return 1;
+        }
+        return 0;
+    }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>4.1.0</version>
+    <version>4.2.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -746,9 +746,16 @@
                 <dns_inwx_user type="TextField">
                     <Required>N</Required>
                 </dns_inwx_user>
+                <!-- TODO: old value, should be removed -->
                 <dns_inws_password type="TextField">
                     <Required>N</Required>
                 </dns_inws_password>
+                <dns_inwx_password type="TextField">
+                    <Required>N</Required>
+                </dns_inwx_password>
+                <dns_inwx_shared_secret type="TextField">
+                    <Required>N</Required>
+                </dns_inwx_shared_secret>
                 <dns_ionos_prefix type="TextField">
                     <Required>N</Required>
                 </dns_ionos_prefix>

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_2_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_2_0.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\AcmeClient\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M4_2_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        foreach ($model->getNodeByReference('validations.validation')->iterateItems() as $validation) {
+            $dns_service = (string)$validation->dns_service;
+            if ($dns_service === 'dns_inwx') {
+                // Migrate data from misspelled item to new one
+                $validation->dns_inwx_password = (string)$validation->dns_inws_password;
+            }
+        }
+    }
+}