require "json" require "uuid" require "uuid/json" require "baguette-crystal-base" require "./service.cr" require "dodb" class DNSManager::Storage getter domains : DODB::CachedDataBase(Domain) getter domains_by_name : DODB::Index(Domain) getter domains_by_share_key : DODB::Index(Domain) getter domains_by_transfer_key : DODB::Index(Domain) getter domains_by_owners : DODB::Tags(Domain) getter zones : DODB::CachedDataBase(Zone) getter zones_by_domain : DODB::Index(Zone) getter tokens : DODB::CachedDataBase(Token) getter tokens_by_uuid : DODB::Index(Token) getter tokens_by_domain : DODB::Partition(Token) getter root : String getter zonefiledir : String property dnsmanagerd : DNSManager::Service? = nil def dnsmanagerd() : DNSManager::Service @dnsmanagerd.not_nil! rescue raise Exception.new "dnsmanagerd not defined" end def initialize(@root : String, reindex : Bool = false) @domains = DODB::CachedDataBase(Domain).new "#{@root}/domains" @domains_by_name = @domains.new_index "name", &.name @domains_by_share_key = @domains.new_nilable_index "share-key", do |d| if k = d.share_key k else DODB.no_index end end @domains_by_transfer_key = @domains.new_nilable_index "transfer-key", do |d| if k = d.transfer_key k else DODB.no_index end end @domains_by_owners = @domains.new_tags "owners", &.owners.map &.to_s @zones = DODB::CachedDataBase(Zone).new "#{@root}/zones" @zones_by_domain = @zones.new_index "domain", &.domain @tokens = DODB::CachedDataBase(Token).new "#{@root}/tokens" @tokens_by_uuid = @tokens.new_index "uuid", &.uuid @tokens_by_domain = @tokens.new_partition "domain", &.domain @zonefiledir = "#{@root}/bind9-zones" Dir.mkdir_p @zonefiledir Baguette::Log.info "storage initialized" if reindex Baguette::Log.debug "Reindexing domains..." @domains.reindex_everything! Baguette::Log.debug "Reindexing zones..." @zones.reindex_everything! Baguette::Log.debug "Reindexing tokens..." @tokens.reindex_everything! Baguette::Log.debug "Reindexed!" end end def generate_zonefile_(domain : String) : Nil zone = zone_must_exist! domain # Safe write. filename_final = "#{@zonefiledir}/#{zone.domain}" filename_wip = "#{filename_final}.wip" Baguette::Log.info "writing zone file #{filename_final}" File.open(filename_wip, "w") do |file| zone.to_bind9 file end # Rename WIP filename to final file name. File.rename filename_wip, filename_final end # Only an admin can access this function. def generate_zonefile(domain : String) : IPC::JSON generate_zonefile_ domain Response::Success.new end # Only an admin can access this function. def generate_all_zonefiles() : IPC::JSON Baguette::Log.info "writing all zone files in #{@zonefiledir}/" zones.each do |zone| generate_zonefile_ zone.domain end Response::Success.new end def get_generated_zonefile(user_id : UserDataID, domain : String) : IPC::JSON user_must_exist! user_id zone = zone_must_exist! domain user_should_own! user_id, zone.domain io = IO::Memory.new zone.to_bind9 io Response::GeneratedZone.new domain, (String.new io.buffer, io.pos) end def new_domain(accepted_domains : Array(String), template_directory : String, user_id : UserDataID, domain : String) : IPC::JSON user_must_exist! user_id # Prevent future very confusing errors. domain = domain.downcase return Response::DomainAlreadyExists.new if zones_by_domain.get? domain # Verify if the domain is acceptable. matching_domains = accepted_domains.select { |adomain| domain.ends_with? adomain } unless matching_domains.size > 0 Baguette::Log.warning "trying to add an unacceptable domain: #{domain}" return Response::UnacceptableDomain.new end matching_domains.each do |md| # Prevent empty domains (from crafted requests) to be accepted. return Response::InvalidDomainName.new unless (domain.chomp md).size > 1 Baguette::Log.info "Add new domain #{domain} (matching domain #{md})" end # Verify the domain name validity. return Response::InvalidDomainName.new unless Zone.is_domain_valid? domain # Fill a template zone. tld = matching_domains.pop default_zone = Zone.from_json File.read "#{template_directory}/#{tld}.json" # Replace domain by the real domain. default_zone.replace_domain domain # # Actually write data on-disk. # # Add the new domain. the_new_domain = Domain.new domain the_new_domain.owners = [user_id] @domains << the_new_domain # Add the new zone in the database. zones_by_domain.update_or_create domain, default_zone Response::DomainAdded.new domain end def ask_share_token(user_id : UserDataID, domain_name : String) user_must_exist! user_id user_should_own! user_id, domain_name domain = @domains_by_name.get domain_name if domain.share_key.nil? domain.share_key = UUID.random.to_s @domains_by_name.update_or_create domain_name, domain Response::DomainChanged.new domain else Response::Error.new "The domain already have a share key." end end def ask_transfer_token(user_id : UserDataID, domain_name : String) user_must_exist! user_id user_should_own! user_id, domain_name domain = @domains_by_name.get domain_name if domain.transfer_key.nil? domain.transfer_key = UUID.random.to_s @domains_by_name.update_or_create domain_name, domain Response::DomainChanged.new domain else Response::Error.new "The domain already have a transfer key." end end # Check the domain owners. # In case there's only the requesting user, allow him to gain full control. def ask_unshare_domain(user_id : UserDataID, domain_name : String) user_must_exist! user_id user_should_own! user_id, domain_name domain = @domains_by_name.get domain_name if domain.owners.size == 1 && domain.owners[0] == user_id domain.share_key = nil @domains_by_name.update_or_create domain_name, domain Response::DomainChanged.new domain else Response::Error.new "You are not the only owner." end end def gain_ownership(user_id : UserDataID, uuid : String) user_must_exist! user_id if domain = @domains_by_share_key.get? uuid if domain.owners.includes? user_id return Response::Error.new "You already own this domain." end domain.owners << user_id @domains_by_name.update_or_create domain.name, domain Response::DomainChanged.new domain elsif domain = @domains_by_transfer_key.get? uuid if domain.owners.includes? user_id return Response::Error.new "You already own this domain." end domain.transfer_key = nil domain.owners = [user_id] @domains_by_name.update_or_create domain.name, domain Response::DomainChanged.new domain else Response::Error.new "There is no key with this UUID." end end def add_or_update_zone(user_id : UserDataID, zone : Zone) : IPC::JSON user_must_exist! user_id # Test zone validity. if errors = zone.get_errors? Baguette::Log.warning "zone #{zone.domain} update with errors: #{errors}" return Response::InvalidZone.new errors end # Does the zone already exist? if z = zones_by_domain.get? zone.domain user_should_own! user_id, z.domain else # Add the domain to the user's domain. domains << Domain.new zone.domain end # Add -or replace- the zone. zones_by_domain.update_or_create zone.domain, zone Response::Success.new end def add_rr(user_id : UserDataID, domain : String, rr : Zone::ResourceRecord) : IPC::JSON user_must_exist! user_id zone = zone_must_exist! domain user_should_own! user_id, domain # Test RR validity. rr.get_errors.tap do |errors| unless errors.empty? Baguette::Log.warning "add RR with errors: #{errors}" return Response::InvalidRR.new errors end end zone << rr update_zone zone Response::RRAdded.new zone.domain, rr end # Any modification of the zone must be performed here. # This function updates the SOA serial before storing the modified zone. def update_zone(zone : Zone) zone.update_serial zones_by_domain.update_or_create zone.domain, zone end def update_rr(user_id : UserDataID, domain : String, rr : Zone::ResourceRecord) : IPC::JSON user_must_exist! user_id zone = zone_must_exist! domain user_should_own! user_id, domain zone.rr_not_readonly! rr.rrid # Test RR validity. rr.get_errors.tap do |errors| unless errors.empty? Baguette::Log.warning "update RR with errors: #{errors}" return Response::InvalidRR.new errors end end zone.update_rr rr update_zone zone Response::RRUpdated.new domain, rr end def delete_rr(user_id : UserDataID, domain : String, rrid : UInt32) : IPC::JSON user_must_exist! user_id zone = zone_must_exist! domain user_should_own! user_id, domain rr = zone.rr_not_readonly! rrid # Remove token from the db. if token_uuid = rr.token tokens_by_uuid.delete token_uuid end zone.delete_rr rrid update_zone zone Response::RRDeleted.new rrid end def delete_domain(user_id : UserDataID, domain_name : String) : IPC::JSON user_must_exist! user_id zone_must_exist! domain_name user_should_own! user_id, domain_name domain = @domains_by_name.get domain_name # The user isn't the only owner, just remove him from the list of owners. if domain.owners.size > 1 domain.owners.select! { |o| o != user_id } @domains_by_name.update_or_create domain_name, domain # Not really a domain deletion, but that'll do the trick. return Response::DomainDeleted.new domain_name end # Remove this domain_name from the list of user's domains. domains_by_name.delete domain_name # Remove the related zone and their registered tokens. zones_by_domain.delete domain_name tokens_by_domain.delete domain_name Response::DomainDeleted.new domain_name end # Get all removed users from `authd`, list all their domains and remove their data from `dnsmanagerd`. def get_orphan_domains(user_id : UserDataID) : IPC::JSON user_must_be_admin! user_id # Baguette::Log.debug "list all orphan domains (long computation)" # orphans = [] of String # user_data.each do |user| # begin # dnsmanagerd().authd.get_user? user.uid # rescue e # Baguette::Log.warning "no authd info on user #{user.uid}: #{e} (removing this user)" # Baguette::Log.debug "user #{user.uid} had #{user.domains.size} domains" # user.domains.each do |domain| # orphans << domain # end # wipe_user_data user # end # end # Baguette::Log.debug "total: #{orphans.size} orphans" # # Response::OrphanDomainList.new orphans Response::Error.new "Not implemented." end def get_zone(user_id : UserDataID, domain : String) : IPC::JSON user_must_exist! user_id zone = zone_must_exist! domain user_should_own! user_id, domain Response::Zone.new zone end def wipe_user_data(user_id : UserDataID) domains_by_owners.get(user_id.to_s).each do |domain| domain.owners.delete user_id # Remove the user's domain when he is the only owner. if domain.owners.empty? @domains_by_name.delete domain.name @tokens_by_domain.delete domain.name @zones_by_domain.delete domain.name else @domains_by_name.update_or_create domain.name, domain end end rescue e Baguette::Log.error "while removing a domain: #{e}" end def delete_user_data(user_id : UserDataID, user_to_delete : UserDataID?) : IPC::JSON user_must_exist! user_id user_id_to_delete = if u = user_to_delete user_must_be_admin! user_id Baguette::Log.info "Admin #{user_id} removes data of user #{u}." user_must_exist! u u else Baguette::Log.info "User #{user_id} terminates his account." user_id end wipe_user_data user_id_to_delete Response::Success.new end def user_domains(user_id : UserDataID) : Array(Domain) user_must_exist! user_id domains_by_owners.get(user_id.to_s) end # TODO: is the user known from authd? def user_must_exist!(user_id : UserDataID) dnsmanagerd().authd.get_user? user_id end def user_must_be_admin!(user_id : UserDataID) : Nil dnsmanagerd().assert_permissions! user_id, "*", AuthD::User::PermissionLevel::Admin end def zone_must_exist!(domain : String) : Zone zone = zones_by_domain.get? domain raise DomainNotFoundException.new unless zone zone end # Owning a domain means to be in the owners' list of the domain. # TODO: accept admin users to override this test. def user_should_own!(user_id : UserDataID, domain : String) : Nil d = domains_by_name.get domain unless d.owners.includes? user_id raise NoOwnershipException.new end end def new_token(user_id : UserDataID, domain : String, rrid : UInt32) : IPC::JSON user_must_exist! user_id zone = zone_must_exist! domain user_should_own! user_id, domain rr = zone.rr_must_exist! rrid old_token = rr.token # 1. create token token = Token.new domain, rrid # 2. add token to the RR. rr.token = token.uuid zone.update_rr rr # 3. update the zone (no need to call `update_zone` to change the zone serial). zones_by_domain.update_or_create zone.domain, zone # 4. if there is an old token, remove it. if old_token_uuid = old_token tokens_by_uuid.delete old_token_uuid end # 5. add token to the db. @tokens << token Response::RRUpdated.new domain, rr end def token_must_exist!(token_uuid : String) : Token token = tokens_by_uuid.get? token_uuid raise TokenNotFoundException.new unless token token end def use_token(token_uuid : String, address : String) : IPC::JSON token = token_must_exist! token_uuid zone = zone_must_exist! token.domain rr = zone.rr_must_exist! token.rrid # Same address, no need to change anything. return Response::Success.new if rr.target == address case rr when Zone::A return Response::Error.new "invalid ipv4" unless Zone.is_ipv4_address_valid? address rr.target = address zone.update_rr rr zones_by_domain.update_or_create zone.domain, zone Response::Success.new when Zone::AAAA return Response::Error.new "invalid ipv6" unless Zone.is_ipv6_address_valid? address rr.target = address zone.update_rr rr update_zone zone Response::Success.new else Response::Error.new "use token on invalid entry (not A or AAAA)" end end end require "./storage/*"