use crate::{
CAARecord, DnsRecord, DnsRecordType, Error, IntoFqdn, KeyValue, MXRecord, SRVRecord,
TLSARecord, TlsaCertUsage, TlsaMatching, TlsaSelector,
http::{HttpClient, HttpClientBuilder},
utils::strip_origin_from_name,
};
use serde::{Deserialize, Serialize};
use std::{
net::AddrParseError,
sync::Arc,
time::{Duration, Instant},
};
use tokio::sync::Mutex;
const DEFAULT_ENDPOINT: &str = "https://ccp.netcup.net/run/webservice/servers/endpoint.php?JSON";
const SESSION_TTL_SECS: u64 = 10 * 60;
#[derive(Clone)]
pub struct NetcupProvider {
client: HttpClient,
endpoint: String,
customer_number: String,
api_key: String,
api_password: String,
session: Arc<Mutex<Option<(String, Instant)>>>,
}
#[derive(Serialize, Debug)]
struct Request<P: Serialize> {
action: &'static str,
param: P,
}
#[derive(Serialize, Debug)]
struct LoginParam<'a> {
customernumber: &'a str,
apikey: &'a str,
apipassword: &'a str,
}
#[derive(Serialize, Debug)]
struct LogoutParam<'a> {
customernumber: &'a str,
apikey: &'a str,
apisessionid: &'a str,
}
#[derive(Serialize, Debug)]
struct InfoDnsRecordsParam<'a> {
domainname: &'a str,
customernumber: &'a str,
apikey: &'a str,
apisessionid: &'a str,
}
#[derive(Serialize, Debug)]
struct UpdateDnsRecordsParam<'a> {
domainname: &'a str,
customernumber: &'a str,
apikey: &'a str,
apisessionid: &'a str,
dnsrecordset: DnsRecordSet,
}
#[derive(Serialize, Debug)]
struct DnsRecordSet {
dnsrecords: Vec<NetcupRecord>,
}
#[derive(Serialize, Deserialize, Clone, Debug)]
struct NetcupRecord {
#[serde(default, skip_serializing_if = "Option::is_none")]
id: Option<String>,
hostname: String,
#[serde(rename = "type")]
record_type: String,
#[serde(default, skip_serializing_if = "String::is_empty")]
priority: String,
destination: String,
#[serde(default, skip_serializing_if = "is_false")]
deleterecord: bool,
#[serde(default, skip_serializing_if = "String::is_empty")]
state: String,
}
fn is_false(v: &bool) -> bool {
!*v
}
fn ensure_trailing_dot(value: &str) -> String {
if value.ends_with('.') {
value.to_string()
} else {
format!("{value}.")
}
}
fn strip_trailing_dot(value: &str) -> String {
value.strip_suffix('.').unwrap_or(value).to_string()
}
#[derive(Deserialize, Debug)]
struct ResponseMsg {
#[serde(default)]
status: String,
#[serde(default, rename = "statuscode")]
status_code: i64,
#[serde(default, rename = "shortmessage")]
short_message: String,
#[serde(default, rename = "longmessage")]
long_message: String,
#[serde(default, rename = "responsedata")]
response_data: serde_json::Value,
}
#[derive(Deserialize, Debug)]
struct LoginResponse {
#[serde(default, rename = "apisessionid")]
api_session_id: String,
}
#[derive(Deserialize, Debug)]
struct InfoDnsRecordsResponse {
#[serde(default)]
dnsrecords: Vec<NetcupRecord>,
}
impl NetcupProvider {
pub(crate) fn new(
customer_number: impl AsRef<str>,
api_key: impl AsRef<str>,
api_password: impl AsRef<str>,
timeout: Option<Duration>,
) -> Self {
let client = HttpClientBuilder::default().with_timeout(timeout).build();
Self {
client,
endpoint: DEFAULT_ENDPOINT.to_string(),
customer_number: customer_number.as_ref().to_string(),
api_key: api_key.as_ref().to_string(),
api_password: api_password.as_ref().to_string(),
session: Arc::new(Mutex::new(None)),
}
}
#[cfg(test)]
pub(crate) fn with_endpoint(self, endpoint: impl AsRef<str>) -> Self {
Self {
endpoint: endpoint.as_ref().to_string(),
..self
}
}
pub(crate) async fn set_rrset(
&self,
name: impl IntoFqdn<'_>,
record_type: DnsRecordType,
_ttl: u32,
records: Vec<DnsRecord>,
origin: impl IntoFqdn<'_>,
) -> crate::Result<()> {
check_record_types(record_type, &records)?;
let name = name.into_name().into_owned();
let origin = origin.into_name().into_owned();
let hostname = strip_origin_from_name(&name, &origin, Some("@"));
let session = self.ensure_session().await?;
let listed = self.list_all_records(&origin, &session).await?;
let type_str = record_type.as_str();
let existing: Vec<NetcupRecord> = listed
.into_iter()
.filter(|r| r.hostname == hostname && r.record_type.eq_ignore_ascii_case(type_str))
.collect();
let desired: Vec<NetcupRecord> = records
.iter()
.map(|r| encode_record(r, &hostname))
.collect::<crate::Result<Vec<_>>>()?;
let mut batch: Vec<NetcupRecord> = Vec::new();
let mut remaining: Vec<NetcupRecord> = existing.clone();
for want in &desired {
if let Some(idx) = remaining.iter().position(|r| same_payload(r, want)) {
remaining.swap_remove(idx);
} else {
batch.push(want.clone());
}
}
for stale in remaining {
batch.push(NetcupRecord {
id: stale.id,
hostname: stale.hostname,
record_type: stale.record_type,
priority: stale.priority,
destination: stale.destination,
deleterecord: true,
state: String::new(),
});
}
if batch.is_empty() {
return Ok(());
}
self.update_dns_records(&origin, &session, batch).await
}
pub(crate) async fn add_to_rrset(
&self,
name: impl IntoFqdn<'_>,
record_type: DnsRecordType,
_ttl: u32,
records: Vec<DnsRecord>,
origin: impl IntoFqdn<'_>,
) -> crate::Result<()> {
check_record_types(record_type, &records)?;
if records.is_empty() {
return Ok(());
}
let name = name.into_name().into_owned();
let origin = origin.into_name().into_owned();
let hostname = strip_origin_from_name(&name, &origin, Some("@"));
let session = self.ensure_session().await?;
let listed = self.list_all_records(&origin, &session).await?;
let type_str = record_type.as_str();
let existing: Vec<NetcupRecord> = listed
.into_iter()
.filter(|r| r.hostname == hostname && r.record_type.eq_ignore_ascii_case(type_str))
.collect();
let desired: Vec<NetcupRecord> = records
.iter()
.map(|r| encode_record(r, &hostname))
.collect::<crate::Result<Vec<_>>>()?;
let mut batch: Vec<NetcupRecord> = Vec::new();
for want in desired {
if !existing.iter().any(|r| same_payload(r, &want)) {
batch.push(want);
}
}
if batch.is_empty() {
return Ok(());
}
self.update_dns_records(&origin, &session, batch).await
}
pub(crate) async fn remove_from_rrset(
&self,
name: impl IntoFqdn<'_>,
record_type: DnsRecordType,
records: Vec<DnsRecord>,
origin: impl IntoFqdn<'_>,
) -> crate::Result<()> {
check_record_types(record_type, &records)?;
if records.is_empty() {
return Ok(());
}
let name = name.into_name().into_owned();
let origin = origin.into_name().into_owned();
let hostname = strip_origin_from_name(&name, &origin, Some("@"));
let session = self.ensure_session().await?;
let listed = self.list_all_records(&origin, &session).await?;
let type_str = record_type.as_str();
let existing: Vec<NetcupRecord> = listed
.into_iter()
.filter(|r| r.hostname == hostname && r.record_type.eq_ignore_ascii_case(type_str))
.collect();
let targets: Vec<NetcupRecord> = records
.iter()
.map(|r| encode_record(r, &hostname))
.collect::<crate::Result<Vec<_>>>()?;
let mut batch: Vec<NetcupRecord> = Vec::new();
for target in &targets {
if let Some(found) = existing.iter().find(|r| same_payload(r, target)) {
batch.push(NetcupRecord {
id: found.id.clone(),
hostname: found.hostname.clone(),
record_type: found.record_type.clone(),
priority: found.priority.clone(),
destination: found.destination.clone(),
deleterecord: true,
state: String::new(),
});
}
}
if batch.is_empty() {
return Ok(());
}
self.update_dns_records(&origin, &session, batch).await
}
pub(crate) async fn list_rrset(
&self,
name: impl IntoFqdn<'_>,
record_type: DnsRecordType,
origin: impl IntoFqdn<'_>,
) -> crate::Result<Vec<DnsRecord>> {
let name = name.into_name().into_owned();
let origin = origin.into_name().into_owned();
let hostname = strip_origin_from_name(&name, &origin, Some("@"));
let session = self.ensure_session().await?;
let listed = self.list_all_records(&origin, &session).await?;
let type_str = record_type.as_str();
let mut out = Vec::new();
for r in listed {
if r.hostname == hostname && r.record_type.eq_ignore_ascii_case(type_str) {
out.push(decode_record(record_type, &r)?);
}
}
Ok(out)
}
async fn ensure_session(&self) -> crate::Result<String> {
let mut guard = self.session.lock().await;
if let Some((ref id, expiry)) = *guard
&& Instant::now() < expiry
{
return Ok(id.clone());
}
let id = self.login().await?;
let expiry = Instant::now() + Duration::from_secs(SESSION_TTL_SECS);
*guard = Some((id.clone(), expiry));
Ok(id)
}
async fn login(&self) -> crate::Result<String> {
let payload = Request {
action: "login",
param: LoginParam {
customernumber: &self.customer_number,
apikey: &self.api_key,
apipassword: &self.api_password,
},
};
let response: ResponseMsg = self
.client
.post(&self.endpoint)
.with_body(payload)?
.send()
.await?;
check_status(&response)?;
let parsed: LoginResponse = serde_json::from_value(response.response_data)
.map_err(|e| Error::Serialize(format!("Failed to parse Netcup login: {e}")))?;
Ok(parsed.api_session_id)
}
async fn update_dns_records(
&self,
domain: &str,
session: &str,
records: Vec<NetcupRecord>,
) -> crate::Result<()> {
let payload = Request {
action: "updateDnsRecords",
param: UpdateDnsRecordsParam {
domainname: domain,
customernumber: &self.customer_number,
apikey: &self.api_key,
apisessionid: session,
dnsrecordset: DnsRecordSet {
dnsrecords: records,
},
},
};
let response: ResponseMsg = self
.client
.post(&self.endpoint)
.with_body(payload)?
.send_with_retry(3)
.await?;
check_status(&response)?;
Ok(())
}
async fn list_all_records(
&self,
domain: &str,
session: &str,
) -> crate::Result<Vec<NetcupRecord>> {
let payload = Request {
action: "infoDnsRecords",
param: InfoDnsRecordsParam {
domainname: domain,
customernumber: &self.customer_number,
apikey: &self.api_key,
apisessionid: session,
},
};
let response: ResponseMsg = self
.client
.post(&self.endpoint)
.with_body(payload)?
.send()
.await?;
check_status(&response)?;
let parsed: InfoDnsRecordsResponse = serde_json::from_value(response.response_data)
.map_err(|e| Error::Serialize(format!("Failed to parse Netcup record list: {e}")))?;
Ok(parsed.dnsrecords)
}
#[allow(dead_code)]
async fn logout(&self, session: &str) -> crate::Result<()> {
let payload = Request {
action: "logout",
param: LogoutParam {
customernumber: &self.customer_number,
apikey: &self.api_key,
apisessionid: session,
},
};
let response: ResponseMsg = self
.client
.post(&self.endpoint)
.with_body(payload)?
.send()
.await?;
check_status(&response)
}
}
fn check_record_types(expected: DnsRecordType, records: &[DnsRecord]) -> crate::Result<()> {
for r in records {
if r.as_type() != expected {
return Err(Error::Api(format!(
"RRSet record type mismatch: expected {}, got {}",
expected.as_str(),
r.as_type().as_str(),
)));
}
}
Ok(())
}
fn check_status(response: &ResponseMsg) -> crate::Result<()> {
if response.status == "success" {
Ok(())
} else {
Err(Error::Api(format!(
"Netcup API error: status={} code={} short={} long={}",
response.status, response.status_code, response.short_message, response.long_message
)))
}
}
fn same_payload(a: &NetcupRecord, b: &NetcupRecord) -> bool {
a.hostname == b.hostname
&& a.record_type.eq_ignore_ascii_case(&b.record_type)
&& a.destination == b.destination
&& a.priority == b.priority
}
fn encode_record(record: &DnsRecord, hostname: &str) -> crate::Result<NetcupRecord> {
let (record_type, destination, priority) = match record {
DnsRecord::A(addr) => ("A", addr.to_string(), String::new()),
DnsRecord::AAAA(addr) => ("AAAA", addr.to_string(), String::new()),
DnsRecord::CNAME(value) => ("CNAME", ensure_trailing_dot(value), String::new()),
DnsRecord::NS(value) => ("NS", ensure_trailing_dot(value), String::new()),
DnsRecord::MX(mx) => (
"MX",
ensure_trailing_dot(&mx.exchange),
mx.priority.to_string(),
),
DnsRecord::TXT(value) => ("TXT", value.clone(), String::new()),
DnsRecord::SRV(srv) => (
"SRV",
format!(
"{} {} {} {}",
srv.priority,
srv.weight,
srv.port,
ensure_trailing_dot(&srv.target),
),
srv.priority.to_string(),
),
DnsRecord::CAA(caa) => {
let (flags, tag, value) = caa.clone().decompose();
(
"CAA",
format!("{} {} \"{}\"", flags, tag, value.replace('"', "\\\"")),
String::new(),
)
}
DnsRecord::TLSA(tlsa) => (
"TLSA",
format!(
"{} {} {} {}",
u8::from(tlsa.cert_usage),
u8::from(tlsa.selector),
u8::from(tlsa.matching),
tlsa.cert_data
.iter()
.map(|b| format!("{:02x}", b))
.collect::<String>()
),
String::new(),
),
};
Ok(NetcupRecord {
id: None,
hostname: hostname.to_string(),
record_type: record_type.to_string(),
priority,
destination,
deleterecord: false,
state: String::new(),
})
}
fn decode_record(record_type: DnsRecordType, record: &NetcupRecord) -> crate::Result<DnsRecord> {
Ok(match record_type {
DnsRecordType::A => {
DnsRecord::A(record.destination.parse().map_err(|e: AddrParseError| {
Error::Parse(format!(
"invalid Netcup A value '{}': {e}",
record.destination
))
})?)
}
DnsRecordType::AAAA => {
DnsRecord::AAAA(record.destination.parse().map_err(|e: AddrParseError| {
Error::Parse(format!(
"invalid Netcup AAAA value '{}': {e}",
record.destination
))
})?)
}
DnsRecordType::CNAME => DnsRecord::CNAME(strip_trailing_dot(&record.destination)),
DnsRecordType::NS => DnsRecord::NS(strip_trailing_dot(&record.destination)),
DnsRecordType::MX => {
let priority: u16 = record.priority.parse().map_err(|e| {
Error::Parse(format!(
"invalid Netcup MX priority '{}': {e}",
record.priority
))
})?;
DnsRecord::MX(MXRecord {
priority,
exchange: strip_trailing_dot(&record.destination),
})
}
DnsRecordType::TXT => DnsRecord::TXT(record.destination.clone()),
DnsRecordType::SRV => parse_srv(record)?,
DnsRecordType::TLSA => parse_tlsa(&record.destination)?,
DnsRecordType::CAA => parse_caa(&record.destination)?,
})
}
fn parse_srv(record: &NetcupRecord) -> crate::Result<DnsRecord> {
let priority: u16 = record.priority.parse().map_err(|e| {
Error::Parse(format!(
"invalid Netcup SRV priority '{}': {e}",
record.priority
))
})?;
let value = record.destination.as_str();
let mut parts = value.split_whitespace();
let weight = parts
.next()
.ok_or_else(|| Error::Parse(format!("invalid SRV value '{value}'")))?
.parse()
.map_err(|e| Error::Parse(format!("invalid SRV weight in '{value}': {e}")))?;
let port = parts
.next()
.ok_or_else(|| Error::Parse(format!("invalid SRV value '{value}'")))?
.parse()
.map_err(|e| Error::Parse(format!("invalid SRV port in '{value}': {e}")))?;
let target = parts
.next()
.ok_or_else(|| Error::Parse(format!("invalid SRV value '{value}'")))?;
Ok(DnsRecord::SRV(SRVRecord {
priority,
weight,
port,
target: strip_trailing_dot(target),
}))
}
fn parse_tlsa(value: &str) -> crate::Result<DnsRecord> {
let mut parts = value.split_whitespace();
let usage_raw: u8 = parts
.next()
.ok_or_else(|| Error::Parse(format!("invalid TLSA value '{value}'")))?
.parse()
.map_err(|e| Error::Parse(format!("invalid TLSA usage in '{value}': {e}")))?;
let selector_raw: u8 = parts
.next()
.ok_or_else(|| Error::Parse(format!("invalid TLSA value '{value}'")))?
.parse()
.map_err(|e| Error::Parse(format!("invalid TLSA selector in '{value}': {e}")))?;
let matching_raw: u8 = parts
.next()
.ok_or_else(|| Error::Parse(format!("invalid TLSA value '{value}'")))?
.parse()
.map_err(|e| Error::Parse(format!("invalid TLSA matching in '{value}': {e}")))?;
let hex = parts
.next()
.ok_or_else(|| Error::Parse(format!("invalid TLSA value '{value}'")))?;
Ok(DnsRecord::TLSA(TLSARecord {
cert_usage: tlsa_cert_usage_from_u8(usage_raw)?,
selector: tlsa_selector_from_u8(selector_raw)?,
matching: tlsa_matching_from_u8(matching_raw)?,
cert_data: decode_hex(hex)?,
}))
}
fn parse_caa(value: &str) -> crate::Result<DnsRecord> {
let mut parts = value.splitn(3, char::is_whitespace);
let flags: u8 = parts
.next()
.ok_or_else(|| Error::Parse(format!("invalid CAA value '{value}'")))?
.parse()
.map_err(|e| Error::Parse(format!("invalid CAA flags in '{value}': {e}")))?;
let tag = parts
.next()
.ok_or_else(|| Error::Parse(format!("invalid CAA value '{value}'")))?
.to_ascii_lowercase();
let raw_value = parts
.next()
.ok_or_else(|| Error::Parse(format!("invalid CAA value '{value}'")))?
.trim();
let unquoted = raw_value
.strip_prefix('"')
.and_then(|s| s.strip_suffix('"'))
.map(|s| s.replace("\\\"", "\""))
.unwrap_or_else(|| raw_value.to_string());
let issuer_critical = flags & 0x80 != 0;
match tag.as_str() {
"issue" => {
let (name, options) = parse_caa_kv(&unquoted);
Ok(DnsRecord::CAA(CAARecord::Issue {
issuer_critical,
name,
options,
}))
}
"issuewild" => {
let (name, options) = parse_caa_kv(&unquoted);
Ok(DnsRecord::CAA(CAARecord::IssueWild {
issuer_critical,
name,
options,
}))
}
"iodef" => Ok(DnsRecord::CAA(CAARecord::Iodef {
issuer_critical,
url: unquoted,
})),
other => Err(Error::Parse(format!("unknown CAA tag: {other}"))),
}
}
fn parse_caa_kv(value: &str) -> (Option<String>, Vec<KeyValue>) {
let mut parts = value.split(';').map(str::trim);
let name_part = parts.next().unwrap_or("").trim().to_string();
let name = if name_part.is_empty() {
None
} else {
Some(name_part)
};
let options = parts
.filter(|p| !p.is_empty())
.map(|p| match p.split_once('=') {
Some((k, v)) => KeyValue {
key: k.trim().to_string(),
value: v.trim().to_string(),
},
None => KeyValue {
key: p.trim().to_string(),
value: String::new(),
},
})
.collect();
(name, options)
}
fn decode_hex(hex: &str) -> crate::Result<Vec<u8>> {
if !hex.len().is_multiple_of(2) {
return Err(Error::Parse(format!("invalid hex string: {hex}")));
}
(0..hex.len())
.step_by(2)
.map(|i| {
u8::from_str_radix(&hex[i..i + 2], 16)
.map_err(|e| Error::Parse(format!("invalid hex byte: {e}")))
})
.collect()
}
fn tlsa_cert_usage_from_u8(value: u8) -> crate::Result<TlsaCertUsage> {
Ok(match value {
0 => TlsaCertUsage::PkixTa,
1 => TlsaCertUsage::PkixEe,
2 => TlsaCertUsage::DaneTa,
3 => TlsaCertUsage::DaneEe,
255 => TlsaCertUsage::Private,
_ => return Err(Error::Parse(format!("unknown TLSA cert usage: {value}"))),
})
}
fn tlsa_selector_from_u8(value: u8) -> crate::Result<TlsaSelector> {
Ok(match value {
0 => TlsaSelector::Full,
1 => TlsaSelector::Spki,
255 => TlsaSelector::Private,
_ => return Err(Error::Parse(format!("unknown TLSA selector: {value}"))),
})
}
fn tlsa_matching_from_u8(value: u8) -> crate::Result<TlsaMatching> {
Ok(match value {
0 => TlsaMatching::Raw,
1 => TlsaMatching::Sha256,
2 => TlsaMatching::Sha512,
255 => TlsaMatching::Private,
_ => return Err(Error::Parse(format!("unknown TLSA matching: {value}"))),
})
}