ddns-scripts: rename variable: s/retry_count/retry_max_count/
1 #!/bin/sh
2 # Distributed under the terms of the GNU General Public License (GPL) version 2.0
3 # based on Yuval Adam's route53.sh found at https://github.com/yuvadm/route53-ddns/blob/master/route53.sh
4 # 2017 Max Berger <max at berger dot name>
5
# Preconditions supplied by the ddns framework: CURL_SSL (cURL built with
# TLS) and the service section's username/password/domain.  A missing value
# is reported through write_log at level 14, the level this file uses for
# configuration errors (presumably fatal in the framework — confirm).
if [ -z "${CURL_SSL}" ]; then
	write_log 14 "Amazon AWS Route53 communication require cURL with SSL support. Please install"
fi
if [ -z "${username}" ]; then
	write_log 14 "Service section not configured correctly! Missing key as 'username'"
fi
if [ -z "${password}" ]; then
	write_log 14 "Service section not configured correctly! Missing secret as 'password'"
fi
if [ -z "${domain}" ]; then
	write_log 14 "Service section not configured correctly! Missing zone id as 'domain'"
fi
10
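# Record parameters derived from the ddns service section.
ENDPOINT="route53.amazonaws.com"
RECORD_TTL=300
# Route53 wants a fully qualified name; strip an existing trailing dot first
# so a "host.example.com." setting does not become "host.example.com..".
RECORD_NAME="${lookup_host%.}."
# use_ipv6 selects the record type.  Anything other than 0/1 is reported as a
# configuration error instead of silently producing an empty <Type>.
case "${use_ipv6}" in
	0) RECORD_TYPE="A" ;;
	1) RECORD_TYPE="AAAA" ;;
	*) write_log 14 "Service section not configured correctly! Invalid 'use_ipv6' value '${use_ipv6}'" ;;
esac
RECORD_VALUE="${LOCAL_IP}"
HOSTED_ZONE_ID="${domain}"
API_PATH="/2013-04-01/hostedzone/${HOSTED_ZONE_ID}/rrset/"

# SigV4 credential scope.  Route53 is a global AWS service and is signed
# against us-east-1 regardless of where the caller runs.
AWS_ACCESS_KEY_ID="${username}"
AWS_SECRET_ACCESS_KEY="${password}"
AWS_REGION='us-east-1'
AWS_SERVICE='route53'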
24
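# Hex SHA-256 digest of "$1", written to stdout.
# The message goes through printf '%b' so backslash escapes are interpreted
# (the canonical request and string-to-sign below are built with literal
# "\n"); this replaces the non-POSIX `echo -en`, which under a strict
# /bin/sh prints "-en" literally and would silently break the signature.
# The message is not stored in a shell variable.  Note that this function
# shadows the shell's `hash` builtin within this file.
hash() {
	printf '%b' "$1" | openssl dgst -sha256 | sed 's/^.* //'
}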
29
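# HMAC-SHA256 of message "$2" under the plaintext key "$1", hex on stdout.
# Used once, to derive the SigV4 date key from "AWS4<secret access key>".
# printf '%b' replaces the non-POSIX `echo -en` (see hash()).
# Security note: `openssl dgst` has no stdin/file option for the key, so the
# key is passed on openssl's command line and is briefly visible in the
# process list (ps, /proc/*/cmdline) while openssl runs.  The key is no
# longer copied into a global shell variable, so it does not linger after
# the call.
sign_plain() {
	printf '%b' "$2" | openssl dgst -hex -sha256 -hmac "$1" | sed 's/^.* //'
}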
36
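# HMAC-SHA256 of message "$2" under the hex-encoded key "$1", hex on stdout.
# Each step of the SigV4 key chain feeds the previous step's hex output in
# here, so the intermediate keys never need to be turned back into raw bytes.
# printf '%b' replaces the non-POSIX `echo -en` (see hash()).
# Security note: as in sign_plain(), the key travels on openssl's command
# line and is momentarily visible in the process list; the derived keys are
# short-lived (they are scoped to the current date/region/service).
sign() {
	printf '%b' "$2" | openssl dgst -hex -sha256 -mac HMAC -macopt "hexkey:$1" | sed 's/^.* //'
}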
43
# ChangeResourceRecordSets payload: a single UPSERT of RECORD_NAME.
# The backslash-newline continuations are removed by the shell, so the value
# is one line; each source line's trailing space is the separator.  This exact
# byte string is both hashed into the signature (request_hash) and sent as the
# POST body, so it must not be altered between the two uses.
# NOTE(review): RECORD_NAME, RECORD_TYPE, RECORD_TTL and RECORD_VALUE are
# interpolated without XML escaping; they come from the ddns configuration
# and IP detection, so a value containing '<' or '&' would yield a malformed
# request that Route53 rejects.
request_body="<?xml version=\"1.0\" encoding=\"UTF-8\"?> \
<ChangeResourceRecordSetsRequest xmlns=\"https://route53.amazonaws.com/doc/2013-04-01/\"> \
<ChangeBatch> \
<Changes> \
<Change> \
<Action>UPSERT</Action> \
<ResourceRecordSet> \
<Name>${RECORD_NAME}</Name> \
<Type>${RECORD_TYPE}</Type> \
<TTL>${RECORD_TTL}</TTL> \
<ResourceRecords> \
<ResourceRecord> \
<Value>${RECORD_VALUE}</Value> \
</ResourceRecord> \
</ResourceRecords> \
</ResourceRecordSet> \
</Change> \
</Changes> \
</ChangeBatch> \
</ChangeResourceRecordSetsRequest>"
64
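# AWS Signature Version 4.
# Both timestamps are taken from a single date call so the credential-scope
# date can never disagree with X-Amz-Date across a UTC midnight boundary
# (two separate calls could straddle it and the request would be rejected).
# -u is the POSIX spelling of --utc.
fulldate="$(date -u +%Y%m%dT%H%M%SZ)"
shortdate="${fulldate%T*}"
signed_headers="host;x-amz-date"
request_hash="$(hash "${request_body}")"
# Canonical request: method, URI, query string (empty), canonical headers,
# blank line, signed header list, payload hash.  "\n" stays literal here and
# is expanded by hash() when the string is digested.  The host header uses
# ENDPOINT so it cannot drift from the URL the request is sent to.
canonical_request="POST\n${API_PATH}\n\nhost:${ENDPOINT}\nx-amz-date:${fulldate}\n\n${signed_headers}\n${request_hash}"

# Signing key chain: kSecret -> kDate -> kRegion -> kService -> kSigning.
# Only the first step sees the secret access key; every later step works on
# the hex output of the previous one.
date_key="$(sign_plain "AWS4${AWS_SECRET_ACCESS_KEY}" "${shortdate}")"
region_key="$(sign "${date_key}" "${AWS_REGION}")"
service_key="$(sign "${region_key}" "${AWS_SERVICE}")"
signing_key="$(sign "${service_key}" "aws4_request")"

credential="${shortdate}/${AWS_REGION}/${AWS_SERVICE}/aws4_request"
# String to sign: algorithm, request timestamp, credential scope, hash of the
# canonical request.
sigmsg="AWS4-HMAC-SHA256\n${fulldate}\n${credential}\n$(hash "${canonical_request}")"

signature="$(sign "${signing_key}" "${sigmsg}")"

authorization="AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${credential}, SignedHeaders=${signed_headers}, Signature=${signature}"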
82
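# Submit the signed UPSERT.  flock serialises the call on a lock named after
# the running script so concurrent ddns instances cannot interleave requests.
# NOTE(review): when this file is sourced, $0 is the caller's name, so the
# lock is shared by every service that caller handles — confirm that scope is
# intended.  The lock path is quoted so an unusual $0 cannot split the command.
ANSWER="$(flock "/tmp/$(basename -s .sh "$0").lock" curl \
	-X "POST" \
	-H "Host: ${ENDPOINT}" \
	-H "X-Amz-Date: ${fulldate}" \
	-H "Authorization: ${authorization}" \
	-H "Content-Type: text/xml" \
	-d "${request_body}" \
	"https://${ENDPOINT}${API_PATH}")"
# Only the API reply is logged (level 7); the Authorization header and the
# secret never reach the log.
write_log 7 "${ANSWER}"

# Classify the reply with shell pattern matching instead of echo|grep; the
# error pattern is tested first, preserving the original precedence.
# Return values: 0 record updated, 1 API reported an error, 2 unrecognised
# reply.  `return` at this level presumes the file is sourced by the ddns
# updater rather than executed.
case "${ANSWER}" in
	*Error*) return 1 ;;
	*ChangeInfo*) return 0 ;;
esac
return 2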