
GANDI: Gandi v5 auth changes #2726

Open. llange wants to merge 5 commits into main from gandi_v5-auth-changes

Conversation

@llange llange commented Dec 16, 2023

This PR handles the new default auth mechanism for the GANDI_V5 API (token) now that the apikey is officially deprecated.
The change should be transparent for existing users still using the apikey entry.
Other changes to creds.json include:

  • introducing an apiurl setting to control the endpoint and allow use of the sandbox endpoint
  • introducing dryrun setting to allow DryRun use of certain API verbs (untested)

Please note that I had no success creating a domain in the sandbox environment, thus was not able to validate that everything was working as expected there. However, the API calls are (of course) properly sent to apiurl and the authentication works there.
(notifying maintainer: @TomOnTime @tlimoncelli)

@llange llange force-pushed the gandi_v5-auth-changes branch 2 times, most recently from 4256b96 to bd136ec Compare December 16, 2023 09:07
@llange llange marked this pull request as ready for review December 16, 2023 09:09
llange commented Dec 16, 2023

Well, it looks like the promising dryrun parameter is in fact not used with the LiveDNS API, so maybe we should remove this commit completely.

@tlimoncelli
Contributor

Yeah, I'd remove the dryrun feature. Seems like it will create more confusion than help.

// SharingID: client.sharingid,
// Debug: client.debug,
// })
// g := NewLiveDNSClient(client)
Contributor

"N" should be lowercase. There's no need to export this function.

@tlimoncelli
Contributor

I'm a Gandi user so I was very excited to see this PR. However I don't seem to be able to make this work with my configuration.

From the debug output, it looks like it is using the Bearer token for most system calls, but not all. In particular, GetNameservers and GetRegistrarCorrections don't seem to be updated to use the Bearer token (PAT).

My creds.json entry:

  "gandi_v5_tal": {
    "TYPE": "GANDI_V5",
    "token": "REDACTED_40_CHAR_TOKEN",
    "sharing_id": "REDACTED_SHARING_ID"
  },

The output with debug:

******************** Domain: tomontime.com
2024/01/03 11:00:14 gandi.go:182: Request:  curl -X 'GET' -H 'Authorization: Bearer REDACTED_40_CHAR_TOKEN' -H 'Content-Type: application/json' 'https://api.gandi.net/v5/livedns/domains/tomontime.com/nameservers?sharing_id=REDACTED_SHARING_ID'
2024/01/03 11:00:15 gandi.go:198: Response : [200 OK] X-Xss-Protection: [1; mode=block] Expires: [Wed, 03 Jan 2024 16:00:15 GMT] Pragma: [no-cache] Trace-Id: [97b081ebf0417304] Etag: [W/"3d-GBt9IXujKOWNHm1faEoIijw/IYM"] Server: [nginx] Cache-Control: [max-age=0, must-revalidate, no-cache, no-store] Vary: [Accept-Encoding, Accept-Language] Date: [Wed, 03 Jan 2024 16:00:15 GMT] Content-Length: [61] Strict-Transport-Security: [max-age=15768000;] X-Frame-Options: [DENY] Content-Type: [application/json; charset=utf-8] Connection: [keep-alive] Last-Modified: [Wed, 03 Jan 2024 16:00:15 GMT] X-Content-Type-Options: [nosniff] 
2024/01/03 11:00:15 gandi.go:199: Response body: ["ns-175-a.gandi.net","ns-9-b.gandi.net","ns-76-c.gandi.net"]
2024/01/03 11:00:15 gandi.go:182: Request:  curl -X 'GET' -H 'Authorization: Bearer REDACTED_40_CHAR_TOKEN' -H 'Content-Type: application/json' 'https://api.gandi.net/v5/livedns/domains/tomontime.com/records?sharing_id=REDACTED_SHARING_ID'
2024/01/03 11:00:15 gandi.go:198: Response : [200 OK] Content-Type: [application/json; charset=utf-8] Trace-Id: [9cb7836cbd7d1ccb] X-Content-Type-Options: [nosniff] X-Frame-Options: [DENY] Pragma: [no-cache] Total-Count: [19] Vary: [Accept-Encoding, Accept-Language] Strict-Transport-Security: [max-age=15768000;] Date: [Wed, 03 Jan 2024 16:00:15 GMT] Content-Length: [3822] Cache-Control: [max-age=0, must-revalidate, no-cache, no-store] Server: [nginx] Connection: [keep-alive] Expires: [Wed, 03 Jan 2024 16:00:15 GMT] Last-Modified: [Wed, 03 Jan 2024 16:00:15 GMT] Etag: [W/"eee-APQRA04x4QnKQTKyE+zYrZiUpb8"] X-Xss-Protection: [1; mode=block] 
2024/01/03 11:00:15 gandi.go:199: Response body: [{"rrset_name":"@","rrset_type":"A","rrset_ttl":300,"rrset_values":["198.185.159.144","198.185.159.145","198.49.23.144","198.49.23.145"],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/%40/A"},{"rrset_name":"@","rrset_type":"MX","rrset_ttl":86400,"rrset_values":["1 aspmx.l.google.com.","5 alt1.aspmx.l.google.com.","5 alt2.aspmx.l.google.com.","10 aspmx2.googlemail.com.","10 aspmx3.googlemail.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/%40/MX"},{"rrset_name":"calendar","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/calendar/CNAME"},{"rrset_name":"docs","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/docs/CNAME"},{"rrset_name":"drive","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/drive/CNAME"},{"rrset_name":"go","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/go/CNAME"},{"rrset_name":"goto","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/goto/CNAME"},{"rrset_name":"groups","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/groups/CNAME"},{"rrset_name":"hangouts","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/hangouts/CNAME"},{"rrset_name":"m","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/m/CNAME"},{"rrset_name":"mail","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/mail/CNAME"},{"rrset_name":"mz5nr947kcajxfzmb36m","rrset_type":"CNAME","rrset_ttl":300,"rrset_values":["verify.squarespace.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/mz5nr947kcajxfzmb36m/CNAME"},{"rrset_name":"plus","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/plus/CNAME"},{"rrset_name":"sheets","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/sheets/CNAME"},{"rrset_name":"sites","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/sites/CNAME"},{"rrset_name":"slides","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/slides/CNAME"},{"rrset_name":"start","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/start/CNAME"},{"rrset_name":"vault","rrset_type":"CNAME","rrset_ttl":86400,"rrset_values":["ghs.googlehosted.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/vault/CNAME"},{"rrset_name":"www","rrset_type":"CNAME","rrset_ttl":300,"rrset_values":["ext-cust.squarespace.com."],"rrset_href":"https://api.gandi.net/v5/livedns/domains/tomontime.com/records/www/CNAME"}]
   0: @ A 300 A tomontime.com 198.185.159.144 300
   1: @ A 300 A tomontime.com 198.185.159.145 300
   2: @ A 300 A tomontime.com 198.49.23.144 300
   3: @ A 300 A tomontime.com 198.49.23.145 300
   4: @ MX 86400 MX tomontime.com aspmx.l.google.com. 86400 pref=1
   5: @ MX 86400 MX tomontime.com alt1.aspmx.l.google.com. 86400 pref=5
   6: @ MX 86400 MX tomontime.com alt2.aspmx.l.google.com. 86400 pref=5
   7: @ MX 86400 MX tomontime.com aspmx2.googlemail.com. 86400 pref=10
   8: @ MX 86400 MX tomontime.com aspmx3.googlemail.com. 86400 pref=10
   9: calendar CNAME 86400 CNAME calendar.tomontime.com ghs.googlehosted.com. 86400
   10: docs CNAME 86400 CNAME docs.tomontime.com ghs.googlehosted.com. 86400
   11: drive CNAME 86400 CNAME drive.tomontime.com ghs.googlehosted.com. 86400
   12: go CNAME 86400 CNAME go.tomontime.com ghs.googlehosted.com. 86400
   13: goto CNAME 86400 CNAME goto.tomontime.com ghs.googlehosted.com. 86400
   14: groups CNAME 86400 CNAME groups.tomontime.com ghs.googlehosted.com. 86400
   15: hangouts CNAME 86400 CNAME hangouts.tomontime.com ghs.googlehosted.com. 86400
   16: m CNAME 86400 CNAME m.tomontime.com ghs.googlehosted.com. 86400
   17: mail CNAME 86400 CNAME mail.tomontime.com ghs.googlehosted.com. 86400
   18: mz5nr947kcajxfzmb36m CNAME 300 CNAME mz5nr947kcajxfzmb36m.tomontime.com verify.squarespace.com. 300
   19: plus CNAME 86400 CNAME plus.tomontime.com ghs.googlehosted.com. 86400
   20: sheets CNAME 86400 CNAME sheets.tomontime.com ghs.googlehosted.com. 86400
   21: sites CNAME 86400 CNAME sites.tomontime.com ghs.googlehosted.com. 86400
   22: slides CNAME 86400 CNAME slides.tomontime.com ghs.googlehosted.com. 86400
   23: start CNAME 86400 CNAME start.tomontime.com ghs.googlehosted.com. 86400
   24: vault CNAME 86400 CNAME vault.tomontime.com ghs.googlehosted.com. 86400
   25: www CNAME 300 CNAME www.tomontime.com ext-cust.squarespace.com. 300
2024/01/03 11:00:15 gandi.go:182: Request:  curl -X 'GET' -H 'Authorization: Apikey ' -H 'Content-Type: application/json' 'https://api.gandi.net/v5/domain/domains/tomontime.com/nameservers?sharing_id=REDACTED_SHARING_ID'
2024/01/03 11:00:15 gandi.go:198: Response : [401 Unauthorized] Content-Type: [application/json; charset=utf-8] Content-Length: [108] Connection: [keep-alive] Etag: [W/"6c-r8Dpx3ZQzNoyYTVga6EZpa8Tj0U"] Server: [nginx] Date: [Wed, 03 Jan 2024 16:00:15 GMT] 
2024/01/03 11:00:15 gandi.go:199: Response body: {"message":"You must provide an access token or an API Key. See https://api.gandi.net/docs/authentication/"}
ERROR
Error getting corrections (gandi_v5_tal): Response body is not json for status 401

tlimoncelli commented Jan 3, 2024

For integration tests to work, the providers.json file needs to be updated:

$ git diff
diff --git a/integrationTest/providers.json b/integrationTest/providers.json
index ac55cbe5..79399654 100644
--- a/integrationTest/providers.json
+++ b/integrationTest/providers.json
@@ -107,7 +107,8 @@
   "GANDI_V5": {
     "TYPE": "GANDI_V5",
     "apikey": "$GANDI_V5_APIKEY",
-    "domain": "$GANDI_V5_DOMAIN"
+    "domain": "$GANDI_V5_DOMAIN",
+    "token": "$GANDI_V5_TOKEN"
   },
   "GCLOUD": {
     "TYPE": "GCLOUD",
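Review bot: the GANDI_V5 entry now carries both "apikey": "$GANDI_V5_APIKEY" and the added "token": "$GANDI_V5_TOKEN", so the integration test exercises whichever credential the provider prefers; if $GANDI_V5_TOKEN is left unset in CI, the deprecated apikey path is what actually gets tested without anyone noticing. Document the precedence (the PR description says the token is the new default and apikey still works), and either drop "apikey" from this entry or add a comment so it is clear the token path is the one under test; the GANDI_V5_TOKEN secret also needs to be provisioned alongside GANDI_V5_APIKEY for the test to run.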

@tlimoncelli
Contributor

Another suggestion:
It would be helpful if the docs included the minimum specs for a PAT. From my testing so far, that is:

Domains:
Manage domain name technical configurations
(which implies "See and renew domain names")

@tlimoncelli
Contributor

Drat. I can't figure out what settings are required to make a PAT that works for me.

$ dnscontrol preview
******************** Domain: best-spaghetti-sauce-ever.com
ERROR
Error getting corrections (gandi_v5_tal): Response body is not json for status 401

I even created a PAT that has all the DNS-related roles:

[screenshot: screencapture_2024-01-05_09 41 07]

llange commented Feb 12, 2024

Another suggestion: It would be helpful if the docs included the minimum specs for a PAT. From my testing so far, that is:

Domains:
Manage domain name technical configurations
(which implies "See and renew domain names")

I agree with those settings, these are the ones I use with success. My PATs are even limited to "products" (domain names) to further isolate the impact.
I'll update the doc.

llange commented Feb 12, 2024

Drat. I can't figure out what settings are required to make a PAT that works for me.

$ dnscontrol preview
******************** Domain: best-spaghetti-sauce-ever.com
ERROR
Error getting corrections (gandi_v5_tal): Response body is not json for status 401

I even created a PAT that has all the DNS-related roles:

[screenshot: screencapture_2024-01-05_09 41 07]

This seems linked to your previous error: "it looks like it is using the Bearer token for most system calls, but not all"? If so, it's unrelated to the PAT itself.

llange commented Feb 12, 2024

From the debug output, it looks like it is using the Bearer token for most system calls, but not all. In particular, GetNameservers and GetRegistrarCorrections don't seem to be updated to use the Bearer token (PAT).

It's my fault, I patched only the newLiveDNSClient() side, not the NewDomainClient() side. It did not occur in my tests as I was not dealing with the registrar (yet).
Let me know if this change works for you.
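The failure in the debug log above (a 401 on the domain API because the request went out with `Authorization: Apikey ` and an empty key, while the LiveDNS calls carried the Bearer token) is what happens when two client constructors each build their own auth header and only one of them learns about the new credential. The following Go program is an added example, not dnscontrol's or go-gandi's code: it derives the Authorization value once from the creds.json fields discussed in this PR, refuses to build a client at all when neither token nor apikey is set (so an empty header is never sent), and routes both the livedns and the domain requests through that single constructor. The `Creds`, `AuthHeader`, `NewClient`, `Get`, `fakeGandi` and `CheckBothEndpoints` names, the in-process fake server and the CONSTRUCTED_* credential values are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Creds mirrors the creds.json fields discussed in the PR (hypothetical struct).
type Creds struct {
	Token     string // personal access token -> "Authorization: Bearer <token>"
	APIKey    string // deprecated API key    -> "Authorization: Apikey <key>"
	SharingID string // passed as the sharing_id query parameter
}

var ErrNoCredential = errors.New("gandi: neither token nor apikey configured")

// AuthHeader is the one place that decides which credential is used.
// Token wins over the deprecated apikey; an empty configuration is an error,
// never an empty "Apikey " header like the one in the 401 log above.
func AuthHeader(c Creds) (string, error) {
	switch {
	case c.Token != "":
		return "Bearer " + c.Token, nil
	case c.APIKey != "":
		return "Apikey " + c.APIKey, nil
	default:
		return "", ErrNoCredential
	}
}

// authTransport stamps the header on every request the client sends.
type authTransport struct {
	header string
	base   http.RoundTripper
}

func (t authTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	r2 := r.Clone(r.Context())
	r2.Header.Set("Authorization", t.header)
	r2.Header.Set("Content-Type", "application/json")
	return t.base.RoundTrip(r2)
}

// NewClient is the single constructor shared by the LiveDNS and Domain code paths,
// so both API families necessarily carry the same credential.
func NewClient(c Creds) (*http.Client, error) {
	h, err := AuthHeader(c)
	if err != nil {
		return nil, err
	}
	return &http.Client{Transport: authTransport{header: h, base: http.DefaultTransport}}, nil
}

// Get issues GET baseURL+path?sharing_id=... and returns the HTTP status code.
func Get(cl *http.Client, baseURL, path, sharingID string) (int, error) {
	u := baseURL + path
	if sharingID != "" {
		u += "?sharing_id=" + sharingID
	}
	resp, err := cl.Get(u)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// fakeGandi is a constructed stand-in for api.gandi.net: it answers 200 only when
// the Authorization header has a scheme and a non-empty value, and 401 otherwise.
func fakeGandi() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fields := strings.Fields(r.Header.Get("Authorization"))
		if len(fields) != 2 || (fields[0] != "Bearer" && fields[0] != "Apikey") {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"message":"You must provide an access token or an API Key."}`)
			return
		}
		fmt.Fprint(w, `[]`)
	}))
}

// CheckBothEndpoints builds one client and calls the two API families seen in the
// log (livedns and domain), returning their status codes.
func CheckBothEndpoints(c Creds) (int, int, error) {
	srv := fakeGandi()
	defer srv.Close()
	cl, err := NewClient(c)
	if err != nil {
		return 0, 0, err
	}
	live, err := Get(cl, srv.URL, "/v5/livedns/domains/example.com/nameservers", c.SharingID)
	if err != nil {
		return 0, 0, err
	}
	dom, err := Get(cl, srv.URL, "/v5/domain/domains/example.com/nameservers", c.SharingID)
	if err != nil {
		return 0, 0, err
	}
	return live, dom, nil
}

func main() {
	live, dom, err := CheckBothEndpoints(Creds{Token: "CONSTRUCTED_TOKEN", SharingID: "CONSTRUCTED_SHARING_ID"})
	fmt.Println(live, dom, err) // 200 200 <nil>
	_, _, err = CheckBothEndpoints(Creds{})
	fmt.Println(err) // gandi: neither token nor apikey configured
}
```

Because the header is computed once and the client is the only thing handed to the LiveDNS and Domain code, a credential change such as the apikey-to-PAT migration in this PR touches a single function; a missing credential surfaces as a configuration error at startup rather than as a 401 deep inside GetRegistrarCorrections.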
