This plugin is has noticeably more required fields than most
other plugins due to the requirement that all requests to
the OCI REST API must be cryptographically signed by the client
using the draft standard proposed in draft-cavage-http-signatures-08[1].
The OCI specific implementation details of the draft standard are
documented in the Developer Guide[2].
NOTE: there is maximum allowed clock skew of five minutes between the
client and the API endpoint. Requests will be denied if the skew is
greater.
This PR also includes a minor tweak to the Solaris job in the DNS
workflow so that it uses the pre-installed GNU tools, curl and OpenSSL 1.1.1.
Without these changes, the signature generation function does not
work on Solaris.
[1]: https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-08
[2]: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/signingrequests.htm#five
Signed-off-by: Avi Miller <avi.miller@oracle.com>
This escapes special characters used in POSIX sed to prevent mismatches.
e.g. `SYNO_Certficiate=*.example.com` would not match a description of
"*.example.com" and would look to match any number of double quotes (the
last character in the sed regex prior to certificate description),
followed by any single character, followed by "example", followed by any
character, followed by "com".
After this change, it will properly match `*.example.com` and not
`""zexamplefcom`.
Additionally we now store the certificate description as base64 encoded
to prevent issues with single quotes.
Tested on DSM 7.0-41222 (VDSM) and DSM 6.2.4-25556 (DS1515+).
As noted by @buxm, previous fix didn't work for all versions of DSM 6.
The better fix appears to be simply not outputting the "as_default"
parameter unless we are doing something with the default certificate.
For some DSM installs, it appears that setting the "default" flag to the
string "false" actually sets it to true. This causes Synology to set
the last updated certificate to be the default certificate. Using an
empty string appears to still be accepted as a false-y value for DSMs
where this isn't happening and corrects the behavior in the cases that
it was.
Credit to @Run-King for identifying the fix and @buxm for reporting.
On systems that /bin/sh is served by shells other than bash, or
shells that don't implement the same syntax as the bash printf builtin,
printf -- fails to produce the output necessary for standalone operation.
The test case for this was SmartOS, which uses ksh93 as its /bin/sh.
This change uses the more generic method of passing a format parameter
of a single string, and then the argument to replace it with.