fix: return an error when extracting record name (#1766)

Author: ldez

challenge/dns01/domain.go

@@ -0,0 +1,24 @@
+package dns01
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/miekg/dns"
+)
+
+// ExtractSubDomain extracts the subdomain part from a domain and a zone.
+func ExtractSubDomain(domain, zone string) (string, error) {
+	canonDomain := dns.Fqdn(domain)
+	canonZone := dns.Fqdn(zone)
+
+	if canonDomain == canonZone {
+		return "", fmt.Errorf("no subdomain because the domain and the zone are identical: %s", canonDomain)
+	}
+
+	if !dns.IsSubDomain(canonZone, canonDomain) {
+		return "", fmt.Errorf("%s is not a subdomain of %s", canonDomain, canonZone)
+	}
+
+	return strings.TrimSuffix(canonDomain, "."+canonZone), nil
+}

challenge/dns01/domain_test.go

@@ -0,0 +1,104 @@
+package dns01
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestExtractSubDomain(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		domain   string
+		zone     string
+		expected string
+	}{
+		{
+			desc:     "no FQDN",
+			domain:   "_acme-challenge.example.com",
+			zone:     "example.com",
+			expected: "_acme-challenge",
+		},
+		{
+			desc:     "no FQDN zone",
+			domain:   "_acme-challenge.example.com.",
+			zone:     "example.com",
+			expected: "_acme-challenge",
+		},
+		{
+			desc:     "no FQDN domain",
+			domain:   "_acme-challenge.example.com",
+			zone:     "example.com.",
+			expected: "_acme-challenge",
+		},
+		{
+			desc:     "FQDN",
+			domain:   "_acme-challenge.example.com.",
+			zone:     "example.com.",
+			expected: "_acme-challenge",
+		},
+		{
+			desc:     "multi-level subdomain",
+			domain:   "_acme-challenge.one.example.com.",
+			zone:     "example.com.",
+			expected: "_acme-challenge.one",
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			subDomain, err := ExtractSubDomain(test.domain, test.zone)
+			require.NoError(t, err)
+
+			assert.Equal(t, test.expected, subDomain)
+		})
+	}
+}
+
+func TestExtractSubDomain_errors(t *testing.T) {
+	testCases := []struct {
+		desc   string
+		domain string
+		zone   string
+	}{
+		{
+			desc:   "same domain",
+			domain: "example.com",
+			zone:   "example.com",
+		},
+		{
+			desc:   "same domain, no FQDN zone",
+			domain: "example.com.",
+			zone:   "example.com",
+		},
+		{
+			desc:   "same domain, no FQDN domain",
+			domain: "example.com",
+			zone:   "example.com.",
+		},
+		{
+			desc:   "same domain, FQDN",
+			domain: "example.com.",
+			zone:   "example.com.",
+		},
+		{
+			desc:   "zone and domain are unrelated",
+			domain: "_acme-challenge.example.com",
+			zone:   "example.org",
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			_, err := ExtractSubDomain(test.domain, test.zone)
+			require.Error(t, err)
+		})
+	}
+}

providers/dns/alidns/alidns.go

@@ -4,7 +4,6 @@ package alidns
 import (
 	"errors"
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
@@ -269,9 +268,10 @@ func extractRecordName(fqdn, zone string) (string, error) {
 		return "", fmt.Errorf("fail to convert punycode: %w", err)
 	}
 
-	name := dns01.UnFqdn(fqdn)
-	if idx := strings.Index(name, "."+asciiDomain); idx != -1 {
-		return name[:idx], nil
+	subDomain, err := dns01.ExtractSubDomain(fqdn, asciiDomain)
+	if err != nil {
+		return "", err
 	}
-	return name, nil
+
+	return subDomain, nil
 }

providers/dns/arvancloud/arvancloud.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"strings"
 	"sync"
 	"time"
 
@@ -114,9 +113,14 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 		return err
 	}
 
+	subDomain, err := dns01.ExtractSubDomain(fqdn, authZone)
+	if err != nil {
+		return fmt.Errorf("arvancloud: %w", err)
+	}
+
 	record := internal.DNSRecord{
 		Type:          "txt",
-		Name:          extractRecordName(fqdn, authZone),
+		Name:          subDomain,
 		Value:         internal.TXTRecordValue{Text: value},
 		TTL:           d.config.TTL,
 		UpstreamHTTPS: "default",
@@ -176,11 +180,3 @@ func getZone(fqdn string) (string, error) {
 
 	return dns01.UnFqdn(authZone), nil
 }
-
-func extractRecordName(fqdn, zone string) string {
-	name := dns01.UnFqdn(fqdn)
-	if idx := strings.Index(name, "."+zone); idx != -1 {
-		return name[:idx]
-	}
-	return name
-}

providers/dns/civo/civo.go

@@ -4,7 +4,6 @@ package civo
 import (
 	"errors"
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/civo/civogo"
@@ -104,8 +103,13 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 		return fmt.Errorf("civo: %w", err)
 	}
 
+	subDomain, err := dns01.ExtractSubDomain(fqdn, zone)
+	if err != nil {
+		return fmt.Errorf("civo: %w", err)
+	}
+
 	_, err = d.client.CreateDNSRecord(dnsDomain.ID, &civogo.DNSRecordConfig{
-		Name:  extractRecordName(fqdn, zone),
+		Name:  subDomain,
 		Value: value,
 		Type:  civogo.DNSRecordTypeTXT,
 		TTL:   d.config.TTL,
@@ -136,9 +140,14 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 		return fmt.Errorf("civo: %w", err)
 	}
 
+	subDomain, err := dns01.ExtractSubDomain(fqdn, zone)
+	if err != nil {
+		return fmt.Errorf("civo: %w", err)
+	}
+
 	var dnsRecord civogo.DNSRecord
 	for _, entry := range dnsRecords {
-		if entry.Name == extractRecordName(fqdn, zone) && entry.Value == value {
+		if entry.Name == subDomain && entry.Value == value {
 			dnsRecord = entry
 			break
 		}
@@ -166,11 +175,3 @@ func getZone(fqdn string) (string, error) {
 
 	return dns01.UnFqdn(authZone), nil
 }
-
-func extractRecordName(fqdn, zone string) string {
-	name := dns01.UnFqdn(fqdn)
-	if idx := strings.Index(name, "."+zone); idx != -1 {
-		return name[:idx]
-	}
-	return name
-}

providers/dns/constellix/constellix.go

@@ -109,7 +109,10 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 		return fmt.Errorf("constellix: failed to get domain (%s): %w", authZone, err)
 	}
 
-	recordName := getRecordName(fqdn, authZone)
+	recordName, err := dns01.ExtractSubDomain(fqdn, authZone)
+	if err != nil {
+		return fmt.Errorf("constellix: %w", err)
+	}
 
 	records, err := d.client.TxtRecords.Search(dom.ID, internal.Exact, recordName)
 	if err != nil {
@@ -147,7 +150,10 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 		return fmt.Errorf("constellix: failed to get domain (%s): %w", authZone, err)
 	}
 
-	recordName := getRecordName(fqdn, authZone)
+	recordName, err := dns01.ExtractSubDomain(fqdn, authZone)
+	if err != nil {
+		return fmt.Errorf("constellix: %w", err)
+	}
 
 	records, err := d.client.TxtRecords.Search(dom.ID, internal.Exact, recordName)
 	if err != nil {
@@ -262,7 +268,3 @@ func containsValue(record *internal.Record, value string) bool {
 
 	return false
 }
-
-func getRecordName(fqdn, authZone string) string {
-	return fqdn[0 : len(fqdn)-len(authZone)-1]
-}

providers/dns/desec/desec.go

@@ -109,7 +109,10 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 		return fmt.Errorf("desec: could not find zone for domain %q and fqdn %q : %w", domain, fqdn, err)
 	}
 
-	recordName := getRecordName(fqdn, authZone)
+	recordName, err := dns01.ExtractSubDomain(fqdn, authZone)
+	if err != nil {
+		return fmt.Errorf("desec: %w", err)
+	}
 
 	domainName := dns01.UnFqdn(authZone)
 
@@ -156,7 +159,10 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 		return fmt.Errorf("desec: could not find zone for domain %q and fqdn %q : %w", domain, fqdn, err)
 	}
 
-	recordName := getRecordName(fqdn, authZone)
+	recordName, err := dns01.ExtractSubDomain(fqdn, authZone)
+	if err != nil {
+		return fmt.Errorf("desec: %w", err)
+	}
 
 	domainName := dns01.UnFqdn(authZone)
 
@@ -179,7 +185,3 @@ func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 
 	return nil
 }
-
-func getRecordName(fqdn, authZone string) string {
-	return fqdn[0 : len(fqdn)-len(authZone)-1]
-}

providers/dns/dnsimple/dnsimple.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/dnsimple/dnsimple-go/dnsimple"
@@ -103,7 +102,11 @@ func (d *DNSProvider) Present(domain, token, keyAuth string) error {
 		return fmt.Errorf("dnsimple: %w", err)
 	}
 
-	recordAttributes := newTxtRecord(zoneName, fqdn, value, d.config.TTL)
+	recordAttributes, err := newTxtRecord(zoneName, fqdn, value, d.config.TTL)
+	if err != nil {
+		return fmt.Errorf("dnsimple: %w", err)
+	}
+
 	_, err = d.client.Zones.CreateRecord(context.Background(), accountID, zoneName, recordAttributes)
 	if err != nil {
 		return fmt.Errorf("dnsimple: API call failed: %w", err)
@@ -186,33 +189,31 @@ func (d *DNSProvider) findTxtRecords(fqdn string) ([]dnsimple.ZoneRecord, error)
 		return nil, err
 	}
 
-	recordName := extractRecordName(fqdn, zoneName)
+	subDomain, err := dns01.ExtractSubDomain(fqdn, zoneName)
+	if err != nil {
+		return nil, err
+	}
 
-	result, err := d.client.Zones.ListRecords(context.Background(), accountID, zoneName, &dnsimple.ZoneRecordListOptions{Name: &recordName, Type: dnsimple.String("TXT"), ListOptions: dnsimple.ListOptions{}})
+	result, err := d.client.Zones.ListRecords(context.Background(), accountID, zoneName, &dnsimple.ZoneRecordListOptions{Name: &subDomain, Type: dnsimple.String("TXT"), ListOptions: dnsimple.ListOptions{}})
 	if err != nil {
 		return nil, fmt.Errorf("API call has failed: %w", err)
 	}
 
 	return result.Data, nil
 }
 
-func newTxtRecord(zoneName, fqdn, value string, ttl int) dnsimple.ZoneRecordAttributes {
-	name := extractRecordName(fqdn, zoneName)
+func newTxtRecord(zoneName, fqdn, value string, ttl int) (dnsimple.ZoneRecordAttributes, error) {
+	subDomain, err := dns01.ExtractSubDomain(fqdn, zoneName)
+	if err != nil {
+		return dnsimple.ZoneRecordAttributes{}, err
+	}
 
 	return dnsimple.ZoneRecordAttributes{
 		Type:    "TXT",
-		Name:    &name,
+		Name:    &subDomain,
 		Content: value,
 		TTL:     ttl,
-	}
-}
-
-func extractRecordName(fqdn, zone string) string {
-	name := dns01.UnFqdn(fqdn)
-	if idx := strings.Index(name, "."+zone); idx != -1 {
-		return name[:idx]
-	}
-	return name
+	}, nil
 }
 
 func (d *DNSProvider) getAccountID() (string, error) {