add dnsapi for baidu cloud dns (#6844)

2026-05-18 20:03:55 +08:00 · 2026-04-14 20:44:30 +08:00
parent f3e61a8ef4
commit afba1455b8
1 changed files with 548 additions and 0 deletions
--- a/dnsapi/dns_baidu.sh
+++ b/dnsapi/dns_baidu.sh
@@ -0,0 +1,548 @@
+#!/usr/bin/env sh
+# shellcheck disable=SC2034
+
+# Global variables for returning results (avoid stdout pollution from logging)
+_BAIDU_FIND_RESULT=""
+_BAIDU_BCE_AUTH_RESULT=""
+
+: "${BAIDU_LOG_LEVEL:=2}"
+
+_baidu_log_ts() {
+  date
+}
+
+_baidu_log_ge() {
+  _want="$1"
+  [ "${BAIDU_LOG_LEVEL:-0}" -ge "$_want" ]
+}
+
+_baidu_log() {
+  _lvl="$1"
+  _tag="$2"
+  _msg="$3"
+  if [ "$_lvl" = "0" ] || _baidu_log_ge "$_lvl"; then
+    printf -- "[%s] %s %s\n" "$(_baidu_log_ts)" "$_tag" "$_msg"
+  fi
+}
+
+_baidu_err() {
+  _baidu_log 0 "baidu_bcd.err" "$1"
+  return 1
+}
+
+_baidu_info() {
+  _baidu_log 1 "baidu_bcd.info" "$1"
+  return 0
+}
+
+_baidu_debug() {
+  _baidu_log 2 "$1" "$2"
+  return 0
+}
+
+dns_baidu_info='Baidu Cloud BCD DNS
+Site: cloud.baidu.com
+Docs: https://cloud.baidu.com/doc/BCD/
+Signature: https://cloud.baidu.com/doc/Reference/s/njwvz1yfu
+Options:
+ Baidu_AK AccessKeyId
+ Baidu_SK SecretAccessKey
+OptionsAlt:
+ Baidu_BCD_Host API host, default: bcd.baidubce.com
+ Baidu_BCD_Version API version number, default: 1
+ Baidu_BCD_Expire Signature expiration seconds, default: 3600
+ Baidu_View Resolve view, default: DEFAULT
+ Baidu_TTL Resolve ttl seconds, default: 300
+ Baidu_RM_Max Max records to delete in one run, default: 20
+'
+
+BAIDU_BCD_DEFAULT_HOST="bcd.baidubce.com"
+
+# --- Public API ---
+dns_baidu_add() {
+  fulldomain=$(_idn "$1")
+  txtvalue=$2
+
+  if ! _baidu_prepare_record "$fulldomain"; then
+    _baidu_err "baidu_prepare_record failed for add: $fulldomain"
+    return 1
+  fi
+
+  if ! _baidu_find_record_ids "$_zone_name" "$_record_domain" "TXT" "$txtvalue"; then
+    _baidu_err "baidu_find_record_ids failed for add: $_record_domain.$_zone_name"
+    return 1
+  fi
+  _existing_ids="$_BAIDU_FIND_RESULT"
+  if [ "$_existing_ids" ]; then
+    _baidu_info "txt exists, skip add: $_record_domain.$_zone_name"
+    return 0
+  fi
+
+  _ttl="${Baidu_TTL:-300}"
+  _ttl="$(_baidu_trim_ws "$_ttl")"
+  case "$_ttl" in
+  "" | *[!0-9]*)
+    _ttl="300"
+    ;;
+  esac
+  _view="$(_baidu_trim_ws "${Baidu_View:-DEFAULT}")"
+  txtvalue="$(_baidu_trim_ws "$txtvalue")"
+  _record_domain="$(_baidu_trim_ws "$_record_domain")"
+  _zone_name="$(_baidu_trim_ws "$_zone_name")"
+
+  _body="$(_baidu_payload_add_txt "$_zone_name" "$_record_domain" "$txtvalue" "$_ttl" "$_view")"
+
+  if ! _baidu_bcd_post "/domain/resolve/add" "$_body"; then
+    _baidu_err "baidu_bcd_post failed: add record"
+    return 1
+  fi
+
+  if _baidu_is_api_error "$response"; then
+    _baidu_err "$response"
+    return 1
+  fi
+
+  return 0
+}
+
+dns_baidu_rm() {
+  fulldomain=$(_idn "$1")
+  txtvalue=$2
+
+  if ! _baidu_prepare_record "$fulldomain"; then
+    _baidu_err "baidu_prepare_record failed for delete: $fulldomain"
+    return 1
+  fi
+
+  if ! _baidu_find_record_ids "$_zone_name" "$_record_domain" "TXT" "$txtvalue"; then
+    _baidu_err "baidu_find_record_ids failed for delete: $_record_domain.$_zone_name"
+    return 1
+  fi
+  _ids="$_BAIDU_FIND_RESULT"
+  if [ -z "$_ids" ]; then
+    _baidu_info "no matching txt to delete: $_record_domain.$_zone_name"
+    return 0
+  fi
+
+  _rm_max="${Baidu_RM_Max:-20}"
+  _rm_max="$(_baidu_trim_ws "$_rm_max")"
+  case "$_rm_max" in
+  "" | *[!0-9]*)
+    _rm_max="20"
+    ;;
+  esac
+  _rm_cnt="$(printf "%s\n" "$_ids" | sed '/^$/d' | wc -l | tr -d ' ')"
+  if [ "$_rm_cnt" ] && [ "$_rm_cnt" -gt "$_rm_max" ]; then
+    _baidu_err "Refusing to delete $_rm_cnt records (limit: $_rm_max)"
+    return 1
+  fi
+
+  for _rid in $_ids; do
+    _body="$(_baidu_payload_delete "$_zone_name" "$_rid")"
+    if ! _baidu_bcd_post "/domain/resolve/delete" "$_body"; then
+      _baidu_err "baidu_bcd_post failed: delete recordId=$_rid"
+      return 1
+    fi
+    if _baidu_is_api_error "$response"; then
+      _baidu_err "$response"
+      return 1
+    fi
+  done
+
+  if ! _baidu_find_record_ids "$_zone_name" "$_record_domain" "TXT" "$txtvalue"; then
+    _baidu_err "baidu_find_record_ids failed for delete verify: $_record_domain.$_zone_name"
+    return 1
+  fi
+  _left_ids="$_BAIDU_FIND_RESULT"
+  if [ -z "$_left_ids" ]; then
+    return 0
+  fi
+  if [ -n "$_left_ids" ]; then
+    _baidu_err "delete verification failed: $_record_domain.$_zone_name still has TXT records"
+    return 1
+  fi
+
+  return 0
+}
+
+# --- Config / Record Context ---
+_baidu_load_credentials() {
+  Baidu_AK="${Baidu_AK:-$(_readaccountconf_mutable Baidu_AK)}"
+  Baidu_SK="${Baidu_SK:-$(_readaccountconf_mutable Baidu_SK)}"
+
+  Baidu_AK="$(_baidu_trim_ws "$Baidu_AK")"
+  Baidu_SK="$(_baidu_trim_ws "$Baidu_SK")"
+
+  if [ -z "$Baidu_AK" ] || [ -z "$Baidu_SK" ]; then
+    _baidu_err "Baidu_AK and Baidu_SK are required"
+    return 1
+  fi
+
+  _saveaccountconf_mutable Baidu_AK "$Baidu_AK"
+  _saveaccountconf_mutable Baidu_SK "$Baidu_SK"
+
+  BAIDU_BCD_HOST="${Baidu_BCD_Host:-$BAIDU_BCD_DEFAULT_HOST}"
+  BAIDU_BCD_VERSION="${Baidu_BCD_Version:-1}"
+
+  return 0
+}
+
+_baidu_prepare_record() {
+  _fulldomain="$1"
+  if ! _baidu_load_credentials; then
+    _baidu_err "baidu_load_credentials failed"
+    return 1
+  fi
+  if ! _baidu_get_root "$_fulldomain"; then
+    _baidu_err "Could not find zone for $_fulldomain"
+    return 1
+  fi
+  _record_domain="$_sub_domain"
+  _zone_name="$_domain"
+  return 0
+}
+
+# --- Zone / Records ---
+_baidu_get_root() {
+  domain=$1
+  i=1
+  p=1
+
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
+    if [ -z "$h" ]; then
+      _baidu_err "invalid domain: $domain"
+      return 1
+    fi
+
+    if ! _baidu_bcd_post "/domain/resolve/list" "$(_baidu_payload_list "$h" 1 1)"; then
+      _baidu_err "baidu_bcd_post failed: list zones"
+      return 1
+    fi
+    if ! _baidu_is_api_error "$response" && (_contains "$response" "\"totalCount\"" || _contains "$response" "\"result\""); then
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
+      _domain=$h
+      if [ "$_sub_domain" = "$_domain" ]; then
+        _sub_domain="@"
+      fi
+      _baidu_info "zone matched: $_domain (host: $_sub_domain)"
+      return 0
+    fi
+
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+}
+
+_baidu_find_record_ids() {
+  _zone_name="$1"
+  _record_domain="$2"
+  _rdtype="$3"
+  _rdata="$4"
+
+  # Reset global result variable
+  _BAIDU_FIND_RESULT=""
+
+  _zone_name_e="$(_baidu_json_escape "$_zone_name")"
+  _record_domain_e="$(_baidu_json_escape "$_record_domain")"
+  _rdtype_e="$(_baidu_json_escape "$_rdtype")"
+  _rdata_e="$(_baidu_json_escape "$_rdata")"
+
+  _page=1
+  _page_size=100
+  _ids=""
+
+  _max_page=""
+  while true; do
+    if ! _baidu_bcd_post "/domain/resolve/list" "$(_baidu_payload_list "$_zone_name" "$_page" "$_page_size")"; then
+      _baidu_err "baidu_bcd_post failed: list records"
+      return 1
+    fi
+
+    if _baidu_is_api_error "$response"; then
+      _baidu_err "baidu_bcd error: $(_baidu_json_get_str "$response" "code") $(_baidu_json_get_str "$response" "message")"
+      return 1
+    fi
+
+    _normalized="$(
+      printf "%s" "$response" | _normalizeJson
+    )"
+
+    if [ -z "$_max_page" ]; then
+      _total="$(_baidu_parse_totalcount "$_normalized")"
+      _max_page="$(_baidu_calc_max_page "$_total" "$_page_size")"
+    fi
+
+    _records=$(printf "%s" "$_normalized" | sed 's/},{/}\n{/g')
+    while IFS= read -r _line; do
+      _id="$(_baidu_match_record_id "$_line" "$_record_domain_e" "$_rdtype_e" "$_rdata_e")"
+      if [ "$_id" ]; then
+        _ids="$_ids $_id"
+      fi
+    done <<EOF
+$_records
+EOF
+
+    if [ "$_page" -ge "$_max_page" ]; then
+      break
+    fi
+    _page=$(_math "$_page" + 1)
+  done
+
+  # Store result in global variable instead of stdout
+  _BAIDU_FIND_RESULT="$_ids"
+}
+
+# --- HTTP ---
+_baidu_bcd_post() {
+  _api_path="$1"
+  _payload="$2"
+
+  # BCD API requires JSON payload. Some call sites build fragments; normalize defensively.
+  _payload="$(_baidu_normalize_payload "$_payload")"
+
+  _ts="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+  _expire="${Baidu_BCD_Expire:-3600}"
+  _content_type="application/json; charset=utf-8"
+  _payload_hash="$(printf "%s" "$_payload" | _digest sha256 hex)"
+
+  _uri="/v${BAIDU_BCD_VERSION}${_api_path}"
+  if ! _baidu_bce_auth "POST" "$_uri" "" "$BAIDU_BCD_HOST" "$_ts" "$_expire" "$_content_type" "$_payload_hash"; then
+    _baidu_err "baidu_bcd auth failed"
+    return 1
+  fi
+  _auth="$_BAIDU_BCE_AUTH_RESULT"
+  if [ -z "$_auth" ]; then
+    _baidu_err "baidu_bcd auth failed"
+    return 1
+  fi
+
+  _H1="Authorization: $_auth"
+  _H2="x-bce-date: $_ts"
+  _H3="x-bce-content-sha256: $_payload_hash"
+  _H4="Host: $BAIDU_BCD_HOST"
+  _H5=""
+
+  _url="https://${BAIDU_BCD_HOST}${_uri}"
+  _signed_headers_dbg="$(printf "%s" "$_auth" | cut -d / -f 5)"
+  _baidu_info "POST ${_uri}"
+  _baidu_info "signedHeaders: $_signed_headers_dbg"
+  _baidu_info "payload_sha256: $_payload_hash"
+  _baidu_debug "baidu_bcd.http.payload" "$(_baidu_dbg_trim "$(_baidu_redact_txt "$_payload")")"
+  response="$(_post "$_payload" "$_url" "" "POST" "$_content_type")"
+  _ret="$?"
+  _baidu_info "ret: $_ret"
+  _req_id="$(_baidu_json_get_str "$response" "requestId")"
+  _code="$(_baidu_json_get_str "$response" "code")"
+  _msg="$(_baidu_json_get_str "$response" "message")"
+  _baidu_info "response: requestId=${_req_id:-"-"} code=${_code:-"-"} message=$(_baidu_dbg_trim "${_msg:-"-"}")"
+  if [ "$_ret" != "0" ]; then
+    _baidu_err "baidu_bcd_post failed: $_uri"
+    return 1
+  fi
+
+  return 0
+}
+
+# --- Auth / Signing ---
+_baidu_bce_auth() {
+  # Signing algorithm (bce-auth-v1):
+  # - SigningKey = HMAC-SHA256-HEX(sk, authStringPrefix)
+  # - Signature  = HMAC-SHA256-HEX(SigningKey, CanonicalRequest)
+  # Reference: https://cloud.baidu.com/doc/Reference/s/njwvz1yfu
+  _method="$1"
+  _uri="$2"
+  _query="$3"
+  _host="$4"
+  _ts="$5"
+  _expire="$6"
+  _ct="$7"
+  _payload_hash="$8"
+
+  _BAIDU_BCE_AUTH_RESULT=""
+
+  _auth_prefix="bce-auth-v1/${Baidu_AK}/${_ts}/${_expire}"
+
+  _signed_headers="content-type;host;x-bce-content-sha256;x-bce-date"
+  _canonical_uri="$(_baidu_bce_encode_path "$_uri")"
+  _canonical_query=""
+
+  _host_v="$(_baidu_trim_ws "$_host")"
+  _date_v="$(_baidu_trim_ws "$_ts")"
+  _ct_v="$(_baidu_trim_ws "$_ct")"
+  _host_e="$(printf "%s" "$_host_v" | _url_encode upper-hex)"
+  _date_e="$(printf "%s" "$_date_v" | _url_encode upper-hex)"
+  _ct_e="$(printf "%s" "$_ct_v" | _url_encode upper-hex)"
+  _hash_e="$(printf "%s" "$_payload_hash" | _url_encode upper-hex)"
+
+  _canonical_headers="content-type:${_ct_e}
+host:${_host_e}
+x-bce-content-sha256:${_hash_e}
+x-bce-date:${_date_e}"
+
+  _canonical_request="${_method}
+${_canonical_uri}
+${_canonical_query}
+${_canonical_headers}"
+
+  _sk_hex="$(printf "%s" "$Baidu_SK" | _hex_dump | tr -d " ")"
+  _signing_key="$(_baidu_hmac_sha256_hexkey "$_sk_hex" "$_auth_prefix")"
+  _signing_key_hex="$(printf "%s" "$_signing_key" | _hex_dump | tr -d " ")"
+  _signature="$(_baidu_hmac_sha256_hexkey "$_signing_key_hex" "$_canonical_request")"
+
+  _baidu_debug "baidu_bcd.auth" "bce_auth"
+  _baidu_debug "baidu_bcd.auth.auth_prefix" "bce-auth-v1/[ak]/${_ts}/${_expire}/$_signed_headers/[signature]"
+  _baidu_debug "baidu_bcd.auth.canonical_request_l" "$(printf "%s" "$_canonical_request" | sed -n 'l')"
+  _baidu_debug "baidu_bcd.auth.signature" "$(printf "%s" "$_signature" | cut -c 1-16)..."
+  _BAIDU_BCE_AUTH_RESULT="${_auth_prefix}/${_signed_headers}/${_signature}"
+  return 0
+}
+
+_baidu_bce_encode_path() {
+  _p="$1"
+  _out=""
+  if [ "${_p#"/"}" != "$_p" ]; then
+    _out="/"
+  fi
+
+  _rest="${_p#/}"
+  while [ -n "$_rest" ]; do
+    _seg="${_rest%%/*}"
+    if [ "$_seg" ]; then
+      if [ -z "$_out" ] || [ "$_out" = "/" ]; then
+        _out="${_out}$(printf "%s" "$_seg" | _url_encode upper-hex)"
+      else
+        _out="${_out}/$(printf "%s" "$_seg" | _url_encode upper-hex)"
+      fi
+    fi
+    if [ "${_rest#*/}" = "$_rest" ]; then
+      break
+    fi
+    _rest="${_rest#*/}"
+  done
+
+  if [ -z "$_out" ]; then
+    _out="/"
+  fi
+  printf "%s" "$_out"
+}
+
+# --- Utils ---
+_baidu_trim() {
+  printf "%s" "$1" | sed 's/^ *//;s/ *$//'
+}
+
+_baidu_trim_ws() {
+  printf "%s" "$1" | tr '\r\n\t' '   ' | tr -s ' ' | sed 's/^ *//;s/ *$//'
+}
+
+_baidu_dbg_trim() {
+  printf "%s" "$1" | tr '\r\n' ' ' | cut -c 1-800
+}
+
+_baidu_is_api_error() {
+  _contains "$1" "\"code\"" && _contains "$1" "\"message\""
+}
+
+_baidu_normalize_payload() {
+  _p="$(_baidu_trim "$(printf "%s" "$1" | tr -d '\r')")"
+  if [ -z "$_p" ]; then
+    printf "%s" ""
+    return 0
+  fi
+  case "$_p" in
+  \{* | \[*)
+    printf "%s" "$_p"
+    ;;
+  *)
+    printf "%s" "{$_p}"
+    ;;
+  esac
+}
+
+_baidu_redact_txt() {
+  printf "%s" "$1" | sed 's/"rdata" *: *"[^"]*"/"rdata":"[redacted]"/g'
+}
+
+_baidu_json_get_str() {
+  _json="$1"
+  _key="$2"
+  printf "%s" "$_json" | _normalizeJson | sed -n "s/.*\"${_key}\" *: *\"\\([^\"]*\\)\".*/\\1/p" | _head_n 1
+}
+
+_baidu_json_escape() {
+  _s="$1"
+  _s="$(printf "%s" "$_s" | tr -d '\r\n')"
+  printf "%s" "$_s" |
+    sed 's/\\/\\\\/g; s/	/\\t/g' |
+    _baidu_json_encode
+}
+
+_baidu_json_encode() {
+  _j_str="$(sed 's/"/\\"/g' | sed "s/\r/\\r/g")"
+  printf "%s" "$_j_str" | _hex_dump | _lower_case | sed 's/0a/5c 6e/g' | tr -d ' ' | _h2b | tr -d "\r\n"
+}
+
+_baidu_payload_list() {
+  _domain="$(_baidu_json_escape "$1")"
+  _pageNo="$2"
+  _pageSize="$3"
+  printf "%s" "{\"domain\":\"${_domain}\",\"pageNo\":${_pageNo},\"pageSize\":${_pageSize}}"
+}
+
+_baidu_payload_add_txt() {
+  _zoneName="$(_baidu_json_escape "$1")"
+  _domain="$(_baidu_json_escape "$2")"
+  _rdata="$(_baidu_json_escape "$3")"
+  _ttl="$4"
+  _view="$(_baidu_json_escape "$5")"
+  printf "%s" "{\"domain\":\"${_domain}\",\"view\":\"${_view}\",\"rdType\":\"TXT\",\"ttl\":${_ttl},\"rdata\":\"${_rdata}\",\"zoneName\":\"${_zoneName}\"}"
+}
+
+_baidu_payload_delete() {
+  _zoneName="$(_baidu_json_escape "$1")"
+  _recordId="$2"
+  printf "%s" "{\"zoneName\":\"${_zoneName}\",\"recordId\":${_recordId}}"
+}
+
+_baidu_parse_totalcount() {
+  _json="$1"
+  printf "%s" "$_json" | _egrep_o "\"totalCount\": *[0-9]*" | _head_n 1 | cut -d : -f 2 | tr -d " "
+}
+
+_baidu_calc_max_page() {
+  _total="$1"
+  _page_size="$2"
+  if [ -z "$_total" ]; then
+    printf "%s" "1"
+    return 0
+  fi
+  _max=$(((_total + _page_size - 1) / _page_size))
+  if [ "$_max" -lt 1 ]; then
+    _max=1
+  fi
+  printf "%s" "$_max"
+}
+
+_baidu_match_record_id() {
+  _line="$1"
+  _domain_e="$2"
+  _rdtype_e="$3"
+  _rdata_e="$4"
+  if ! _contains "$_line" "\"recordId\"" || (! _contains "$_line" "\"domain\":\"$_domain_e\"" && ! _contains "$_line" "\"domain\":\"${_domain_e}.\""); then
+    return 0
+  fi
+  if ! _contains "$_line" "\"rdtype\":\"$_rdtype_e\"" && ! _contains "$_line" "\"rdType\":\"$_rdtype_e\""; then
+    return 0
+  fi
+  if [ "$_rdata_e" ] && ! _contains "$_line" "\"rdata\":\"$_rdata_e\""; then
+    return 0
+  fi
+  printf "%s" "$_line" | _egrep_o "\"recordId\": *[0-9]*" | _head_n 1 | cut -d : -f 2 | tr -d " "
+}
+
+_baidu_hmac_sha256_hexkey() {
+  _key_hex="$1"
+  _msg="$2"
+  printf "%s" "$_msg" | _hmac sha256 "$_key_hex" hex
+}