From 9769afb944e791f5f8625aa8b890dca129bf8d5b Mon Sep 17 00:00:00 2001
From: racitup <rich@racitup.com>
Date: Fri, 10 Dec 2021 01:10:41 +0000
Subject: [PATCH 1/7] feat: Mythic Beasts DNS API script

---
 dnsapi/dns_mythic_beasts.sh | 230 ++++++++++++++++++++++++++++++++++++
 1 file changed, 230 insertions(+)
 create mode 100755 dnsapi/dns_mythic_beasts.sh

diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh
new file mode 100755
index 00000000..2d1b6551
--- /dev/null
+++ b/dnsapi/dns_mythic_beasts.sh
@@ -0,0 +1,230 @@
+#!/usr/bin/env sh
+# Mythic Beasts is a long-standing UK service provider using standards-based OAuth2 authentication
+# To test: ./acme.sh --dns dns_mythic_beasts --test --debug 1 --output-insecure --issue --domain domain.com
+# Cannot retest once cert is issued
+# OAuth2 tokens only valid for 300 seconds so we do not store
+# NOTE: This will remove all TXT records matching the fulldomain, not just the added ones (_acme-challenge.www.domain.com)
+
+# Test OAuth2 credentials
+#MB_AK="aaaaaaaaaaaaaaaa"
+#MB_AS="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+
+# URLs
+MB_API='https://api.mythic-beasts.com/dns/v2/zones'
+MB_AUTH='https://auth.mythic-beasts.com/login'
+
+########  Public functions #####################
+
+#Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_mythic_beasts_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  _info "MYTHIC BEASTS Adding record $fulldomain = $txtvalue"
+  if ! _initAuth; then
+    return 1
+  fi
+
+  if ! _get_root "$fulldomain"; then
+    return 1
+  fi
+
+  # method path body_data
+  if _mb_rest POST "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
+
+    if _contains "$response" "1 records added"; then
+      _info "Added, verifying..."
+      # Max 120 seconds to publish
+      for i in $(seq 1 6); do
+        # Retry on error
+        if ! _mb_rest GET "$_domain/records/$_sub_domain/TXT?verify"; then
+          _sleep 20
+        else
+          _info "Record published!"
+          return 0
+        fi
+      done
+
+    else
+      _err "\n$response"
+    fi
+
+  fi
+  _err "Add txt record error."
+  return 1
+}
+
+#Usage: rm  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_mythic_beasts_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  _info "MYTHIC BEASTS Removing record $fulldomain = $txtvalue"
+  if ! _initAuth; then
+    return 1
+  fi
+
+  if ! _get_root "$fulldomain"; then
+    return 1
+  fi
+
+  # method path body_data
+  if _mb_rest DELETE "$_domain/records/$_sub_domain/TXT" "$txtvalue"; then
+    _info "Record removed"
+    return 0
+  fi
+  _err "Remove txt record error."
+  return 1
+}
+
+####################  Private functions below ##################################
+
+#Possible formats:
+# _acme-challenge.www.example.com
+# _acme-challenge.example.com
+# _acme-challenge.example.co.uk
+# _acme-challenge.www.example.co.uk
+# _acme-challenge.sub1.sub2.www.example.co.uk
+# sub1.sub2.example.co.uk
+# example.com
+# example.co.uk
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+  domain=$1
+  i=1
+  p=1
+
+  _debug "Detect the root zone"
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    if [ -z "$h" ]; then
+      _err "Domain exhausted"
+      return 1
+    fi
+
+    # Use the status errors to find the domain, continue on 403 Access denied
+    # method path body_data
+    _mb_rest GET "$h/records"
+    ret="$?"
+    if [ "$ret" -eq 0 ]; then
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _domain="$h"
+      _debug _sub_domain "$_sub_domain"
+      _debug _domain "$_domain"
+      return 0
+    elif [ "$ret" -eq 1 ]; then
+      return 1
+    fi
+
+    p=$i
+    i=$(_math "$i" + 1)
+
+    if [ "$i" -gt 50 ]; then
+      break
+    fi
+  done
+  _err "Domain too long"
+  return 1
+}
+
+_initAuth() {
+  MB_AK="${MB_AK:-$(_readaccountconf_mutable MB_AK)}"
+  MB_AS="${MB_AS:-$(_readaccountconf_mutable MB_AS)}"
+
+  if [ -z "$MB_AK" ] || [ -z "$MB_AS" ]; then
+    MB_AK=""
+    MB_AS=""
+    _err "Please specify an OAuth2 Key & Secret"
+    return 1
+  fi
+
+  _saveaccountconf_mutable MB_AK "$MB_AK"
+  _saveaccountconf_mutable MB_AS "$MB_AS"
+
+  if ! _oauth2; then
+    return 1
+  fi
+
+  _info "Checking authentication"
+  _secure_debug access_token "$MB_TK"
+  _sleep 1
+
+  # GET a list of zones
+  # method path body_data
+  if ! _mb_rest GET ""; then
+    _err "The token is invalid"
+    return 1
+  fi
+  _info "Token OK"
+  return 0
+}
+
+_oauth2() {
+  # HTTP Basic Authentication
+  _H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" | _base64)"
+  _H2="Accepts: application/json"
+  export _H1 _H2
+  body="grant_type=client_credentials"
+
+  _info "Getting OAuth2 token..."
+  # body  url [needbase64] [POST|PUT|DELETE] [ContentType]
+  response="$(_post "$body" "$MB_AUTH" "" "POST" "application/x-www-form-urlencoded")"
+  if _contains "$response" "\"token_type\":\"bearer\""; then
+    MB_TK="$(echo "$response" | _egrep_o "access_token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
+    if [ -z "$MB_TK" ]; then
+      _err "Unable to get access_token"
+      _err "\n$response"
+      return 1
+    fi
+  else
+    _err "OAuth2 token_type not Bearer"
+    _err "\n$response"
+    return 1
+  fi
+  _debug2 response "$response"
+  return 0
+}
+
+# method path body_data
+_mb_rest() {
+  # URL encoded body for single API operations
+  m="$1"
+  ep="$2"
+  data="$3"
+
+  if [ -z "$ep" ]; then
+    _mb_url="$MB_API"
+  else
+    _mb_url="$MB_API/$ep"
+  fi
+
+  _H1="Authorization: Bearer $MB_TK"
+  _H2="Accepts: application/json"
+  export _H1 _H2
+  if [ "$data" ] || [ "$m" = "POST" ] || [ "$m" = "PUT" ] || [ "$m" = "DELETE" ]; then
+    # body  url [needbase64] [POST|PUT|DELETE] [ContentType]
+    response="$(_post "data=$data" "$_mb_url" "" "$m" "application/x-www-form-urlencoded")"
+  else
+    response="$(_get "$_mb_url")"
+  fi
+
+  if [ "$?" != "0" ]; then
+    _err "Request error"
+    return 1
+  fi
+
+  header="$(cat "$HTTP_HEADER")"
+  status="$(echo "$header" | _egrep_o "^HTTP[^ ]* .*$" | cut -d " " -f 2-100 | tr -d "\f\n")"
+  code="$(echo "$status" | _egrep_o "^[0-9]*")"
+  if [ "$code" -ge 400 ] || _contains "$response" "\"error\"" || _contains "$response" "invalid_client"; then
+    _err "error $status"
+    _err "\n$response"
+    _debug "\n$header"
+    return 2
+  fi
+
+  _debug2 response "$response"
+  return 0
+}

From 962ce380cdc3ff74d956b5eb8a6d6a4103f19f4f Mon Sep 17 00:00:00 2001
From: racitup <rich@racitup.com>
Date: Mon, 20 Dec 2021 00:31:15 +0000
Subject: [PATCH 2/7] fix: floating token for github

---
 dnsapi/dns_mythic_beasts.sh | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh
index 2d1b6551..3cff3b02 100755
--- a/dnsapi/dns_mythic_beasts.sh
+++ b/dnsapi/dns_mythic_beasts.sh
@@ -161,7 +161,20 @@ _initAuth() {
   return 0
 }
 
+# Github appears to use an outbound proxy for requests which means subsequent requests may not have the same
+# source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail
+# authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an
+# IP just for the github tests.
 _oauth2() {
+  printenv
+  if [ -z "$TEST_DNS_SLEEP" ]; then
+    return _oauth2_std
+  else
+    return _oauth2_github
+  fi
+}
+
+_oauth2_std() {
   # HTTP Basic Authentication
   _H1="Authorization: Basic $(echo "$MB_AK:$MB_AS" | _base64)"
   _H2="Accepts: application/json"
@@ -187,6 +200,24 @@ _oauth2() {
   return 0
 }
 
+_oauth2_github() {
+  _H1="Accepts: application/json"
+  export _H1
+  body="{\"login\":{\"handle\":$MB_AK,\"pass\":$MB_AS,\"floating\":1}}"
+
+  _info "Getting Floating token..."
+  # body  url [needbase64] [POST|PUT|DELETE] [ContentType]
+  response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")"
+  MB_TK="$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
+  if [ -z "$MB_TK" ]; then
+    _err "Unable to get access_token"
+    _err "\n$response"
+    return 1
+  fi
+  _debug2 response "$response"
+  return 0
+}
+
 # method path body_data
 _mb_rest() {
   # URL encoded body for single API operations

From bf66df2a291aa503bbf47a670d50d00fb7d8c259 Mon Sep 17 00:00:00 2001
From: racitup <rich@racitup.com>
Date: Mon, 20 Dec 2021 00:35:14 +0000
Subject: [PATCH 3/7] fix: correct return value

---
 dnsapi/dns_mythic_beasts.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh
index 3cff3b02..9de5d34c 100755
--- a/dnsapi/dns_mythic_beasts.sh
+++ b/dnsapi/dns_mythic_beasts.sh
@@ -168,10 +168,11 @@ _initAuth() {
 _oauth2() {
   printenv
   if [ -z "$TEST_DNS_SLEEP" ]; then
-    return _oauth2_std
+    _oauth2_std
   else
-    return _oauth2_github
+    _oauth2_github
   fi
+  return $?
 }
 
 _oauth2_std() {

From 9c4ac24a66bea1f2ef1c6ea40441fba84e663f07 Mon Sep 17 00:00:00 2001
From: racitup <rich@racitup.com>
Date: Mon, 20 Dec 2021 00:50:33 +0000
Subject: [PATCH 4/7] fix: debugging

---
 dnsapi/dns_mythic_beasts.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh
index 9de5d34c..96230bf1 100755
--- a/dnsapi/dns_mythic_beasts.sh
+++ b/dnsapi/dns_mythic_beasts.sh
@@ -166,7 +166,7 @@ _initAuth() {
 # authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an
 # IP just for the github tests.
 _oauth2() {
-  printenv
+  _info "$(printenv)"
   if [ -z "$TEST_DNS_SLEEP" ]; then
     _oauth2_std
   else
@@ -211,7 +211,7 @@ _oauth2_github() {
   response="$(_post "$body" "$MB_AUTH" "" "POST" "application/json")"
   MB_TK="$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d '"')"
   if [ -z "$MB_TK" ]; then
-    _err "Unable to get access_token"
+    _err "Unable to get token"
     _err "\n$response"
     return 1
   fi

From 6351b5d0dc6a30e77ff3191f71f5f3bc66fc3cd3 Mon Sep 17 00:00:00 2001
From: racitup <rich@racitup.com>
Date: Mon, 20 Dec 2021 00:58:37 +0000
Subject: [PATCH 5/7] fix: github switch

---
 dnsapi/dns_mythic_beasts.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh
index 96230bf1..8956ec36 100755
--- a/dnsapi/dns_mythic_beasts.sh
+++ b/dnsapi/dns_mythic_beasts.sh
@@ -166,8 +166,8 @@ _initAuth() {
 # authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an
 # IP just for the github tests.
 _oauth2() {
-  _info "$(printenv)"
-  if [ -z "$TEST_DNS_SLEEP" ]; then
+  _info "DOMAIN: $TEST_DNS"
+  if [ "$TEST_DNS" != "dns_mythic_beasts" ]; then
     _oauth2_std
   else
     _oauth2_github

From d940f17390785693a68bb414b0dd8318a6693460 Mon Sep 17 00:00:00 2001
From: racitup <rich@racitup.com>
Date: Mon, 20 Dec 2021 01:09:02 +0000
Subject: [PATCH 6/7] fix: token request body quoting

---
 dnsapi/dns_mythic_beasts.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh
index 8956ec36..77eed04f 100755
--- a/dnsapi/dns_mythic_beasts.sh
+++ b/dnsapi/dns_mythic_beasts.sh
@@ -166,7 +166,6 @@ _initAuth() {
 # authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an
 # IP just for the github tests.
 _oauth2() {
-  _info "DOMAIN: $TEST_DNS"
   if [ "$TEST_DNS" != "dns_mythic_beasts" ]; then
     _oauth2_std
   else
@@ -204,7 +203,7 @@ _oauth2_std() {
 _oauth2_github() {
   _H1="Accepts: application/json"
   export _H1
-  body="{\"login\":{\"handle\":$MB_AK,\"pass\":$MB_AS,\"floating\":1}}"
+  body="{\"login\":{\"handle\":\"$MB_AK\",\"pass\":\"$MB_AS\",\"floating\":1}}"
 
   _info "Getting Floating token..."
   # body  url [needbase64] [POST|PUT|DELETE] [ContentType]

From ce47ccecc4b290609728f50b89d270579664c7fe Mon Sep 17 00:00:00 2001
From: racitup <rich@racitup.com>
Date: Tue, 28 Dec 2021 14:45:02 +0000
Subject: [PATCH 7/7] fix: Neilpang review

---
 dnsapi/dns_mythic_beasts.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/dnsapi/dns_mythic_beasts.sh b/dnsapi/dns_mythic_beasts.sh
index 77eed04f..294ae84c 100755
--- a/dnsapi/dns_mythic_beasts.sh
+++ b/dnsapi/dns_mythic_beasts.sh
@@ -163,13 +163,13 @@ _initAuth() {
 
 # Github appears to use an outbound proxy for requests which means subsequent requests may not have the same
 # source IP. The standard Mythic Beasts OAuth2 tokens are tied to an IP, meaning github test requests fail
-# authentication. This works arounds this by using an undocumented MB API to obtain a token not tied to an
+# authentication. This is a work around using an undocumented MB API to obtain a token not tied to an
 # IP just for the github tests.
 _oauth2() {
-  if [ "$TEST_DNS" != "dns_mythic_beasts" ]; then
-    _oauth2_std
-  else
+  if [ "$GITHUB_ACTIONS" = "true" ]; then
     _oauth2_github
+  else
+    _oauth2_std
   fi
   return $?
 }