32107571d1
Selectel Cloud DNS v2 requires a project IAM token in X-Auth-Token, not the raw service-user secret; the previous client sent the static secret directly and got 401. The client now parses Credentials.Secret as a Creds JSON blob (username/password/account_id/project_name), exchanges it for a token via the Identity API (POST /identity/v3/auth/tokens), and caches the token in memory per-account until 5 minutes before expiry. ListZones/GetRecords/ ApplyChanges send the cached IAM token instead of the raw secret. provider.Provider gains a Validate(ctx, Credentials) method so a bad account can be rejected via trial login at creation time; all Provider fakes across provider/registry/api/service test packages implement it as a no-op stub for now (Task 2 will make api's mock configurable). Security: the service-user password is folded into the token cache key via SHA-256 (never stored in the clear) so a password change invalidates the cached token; identity errors are generic and never echo the request body. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
33 lines
1.0 KiB
Go
33 lines
1.0 KiB
Go
package provider
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/vasyakrg/dns-autoresolver/internal/diff"
|
|
"github.com/vasyakrg/dns-autoresolver/internal/model"
|
|
)
|
|
|
|
// Credentials holds the provider-specific secret. It is stored encrypted and,
|
|
// once decrypted, is a provider-defined value — for Selectel a JSON blob with
|
|
// the service-user credentials (see selectel.Creds).
|
|
type Credentials struct {
|
|
Secret string
|
|
}
|
|
|
|
// Zone is a provider-neutral DNS zone reference.
|
|
type Zone struct {
|
|
ID string
|
|
Name string
|
|
}
|
|
|
|
// Provider is implemented per DNS provider (Selectel first).
|
|
type Provider interface {
|
|
Name() string
|
|
ListZones(ctx context.Context, creds Credentials) ([]Zone, error)
|
|
GetRecords(ctx context.Context, creds Credentials, zoneID string) ([]model.Record, error)
|
|
ApplyChanges(ctx context.Context, creds Credentials, zoneID string, cs diff.Changeset) error
|
|
// Validate checks the credentials are usable (e.g. a trial auth), so a
|
|
// bad account is rejected at creation time rather than at first import.
|
|
Validate(ctx context.Context, creds Credentials) error
|
|
}
|