Plugins/OVH.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
function Get-CurrentPluginType { 'dns-01' }

function Add-DnsTxt {
    [CmdletBinding(DefaultParameterSetName='Secure')]
    param(
        [Parameter(Mandatory,Position=0)]
        [string]$RecordName,
        [Parameter(Mandatory,Position=1)]
        [string]$TxtValue,
        [Parameter(Mandatory)]
        [string]$OVHAppKey,
        [Parameter(ParameterSetName='Secure',Mandatory)]
        [securestring]$OVHAppSecret,
        [Parameter(ParameterSetName='Secure',Mandatory)]
        [securestring]$OVHConsumerKey,
        [Parameter(ParameterSetName='DeprecatedInsecure',Mandatory)]
        [string]$OVHAppSecretInsecure,
        [Parameter(ParameterSetName='DeprecatedInsecure',Mandatory)]
        [string]$OVHConsumerKeyInsecure,
        [ValidateSet('ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca')]
        [string]$OVHRegion = 'ovh-eu',
        [switch]$OVHUseModify,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    Connect-OVH @PSBoundParameters

    $domain = Find-OVHDomain $RecordName
    $recShort = ($RecordName -ireplace [regex]::Escape($domain), [string]::Empty).TrimEnd('.')

    $recs = @(Get-OVHTxtRecords $recShort $domain)

    if ($recs | Where-Object { $_.target -eq "`"$TxtValue`"" }) {
        Write-Debug "Record $RecordName already contains $TxtValue. Nothing to do."
    }
    elseif ($OVHUseModify) {

        Write-Debug "Checking for records to modify from the list: $(($recs.id -join ','))"

        # list the previously modified record IDs in the debug log
        if ($script:OVHModifiedRecs.Count -gt 0) {
            Write-Debug "Ignoring previously modified IDs: $(($script:OVHModifiedRecs -join ','))"
        }

        # try to modify an existing record we haven't already modified in this session
        $recsToModify = @($recs | Where-Object { $_.id -notin $script:OVHModifiedRecs })

        if ($recsToModify.Count -gt 0) {
            $modSuccess = $false

            foreach ($rec in $recsToModify) {
                $query = "$($script:OVHCreds.ApiBase)/domain/zone/$domain/record/$($rec.id)"
                $body = @{target="`"$TxtValue`""} | ConvertTo-Json -Compress
                try {
                    Write-Verbose "Attempting to modify record ID $($rec.id)."
                    Invoke-OVHRest PUT $query $body | Out-Null

                    # add the zone to be saved
                    if ($domain -notin $script:OVHZonesToSave) {
                        $script:OVHZonesToSave += $domain
                    }

                    $script:OVHModifiedRecs += $rec.id
                    $modSuccess = $true
                    break
                } catch {}
            }
            if (-not $modSuccess) {
                Write-Verbose "Failed to modify any existing records. Re-throwing the last exception."
                throw ($Error[0].Exception)
            }
        } else {
            throw "No existing records were found to modify in $domain that haven't already been modified."
        }
    }
    else {
        # add a new record
        Write-Verbose "Adding a TXT record for $RecordName with value $TxtValue"

        $query = "$($script:OVHCreds.ApiBase)/domain/zone/$domain/record"
        $body = @{
            fieldType = 'TXT'
            subDomain = $recShort
            target    = "`"$TxtValue`""
        } | ConvertTo-Json -Compress

        Invoke-OVHRest POST $query $body | Out-Null

        # add the zone to be saved
        if ($domain -notin $script:OVHZonesToSave) {
            $script:OVHZonesToSave += $domain
        }
    }


    <#
    .SYNOPSIS
        Add a DNS TXT record to OVH
 
    .DESCRIPTION
        Add a DNS TXT record to OVH
 
    .PARAMETER RecordName
        The fully qualified name of the TXT record.
 
    .PARAMETER TxtValue
        The value of the TXT record.
 
    .PARAMETER OVHAppKey
        The Application Key value associated with the OVH API application you created.
 
    .PARAMETER OVHAppSecret
        The Application Secret value associated with the OVH API application you created.
 
    .PARAMETER OVHAppSecretInsecure
        (DEPRECATED) The Application Secret value associated with the OVH API application you created.
 
    .PARAMETER OVHConsumerKey
        The Consumer Key value generated for the API application you created.
 
    .PARAMETER OVHConsumerKeyInsecure
        (DEPRECATED) The Consumer Key value generated for the API application you created.
 
    .PARAMETER OVHRegion
        The region code associated with your OVH account. Must be one of the following: 'ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca'
 
    .PARAMETER OVHUseModify
        If specified, the plugin will attempt to modify existing TXT records instead of adding/removing new ones. This is only necessary when the API credential has been given modify permissions on particular record IDs instead of write access to a whole zone.
 
    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.
 
    .EXAMPLE
        $appSecret = Read-Host -Prompt "App Secret" -AsSecureString
        $cKey = Read-Host -Prompt "Consumer Key" -AsSecureString
        $pArgs = @{OVHAppKey='xxxxxxxx'; OVHAppSecret=$appSecret; OVHConsumerKey=$cKey; OVHRegion='ovh-eu'}
        Add-DnsTxt '_acme-challenge.example.com' 'txt-value' @pArgs
 
        Adds a TXT record using SecureString parameter values.
    #>

}

function Remove-DnsTxt {
    [CmdletBinding(DefaultParameterSetName='Secure')]
    param(
        [Parameter(Mandatory,Position=0)]
        [string]$RecordName,
        [Parameter(Mandatory,Position=1)]
        [string]$TxtValue,
        [Parameter(Mandatory)]
        [string]$OVHAppKey,
        [Parameter(ParameterSetName='Secure',Mandatory)]
        [securestring]$OVHAppSecret,
        [Parameter(ParameterSetName='Secure',Mandatory)]
        [securestring]$OVHConsumerKey,
        [Parameter(ParameterSetName='DeprecatedInsecure',Mandatory)]
        [string]$OVHAppSecretInsecure,
        [Parameter(ParameterSetName='DeprecatedInsecure',Mandatory)]
        [string]$OVHConsumerKeyInsecure,
        [ValidateSet('ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca')]
        [string]$OVHRegion = 'ovh-eu',
        [switch]$OVHUseModify,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    # if we're in modify mode, we don't do anything and leave the records as-is
    if ($OVHUseModify) {
        Write-Debug "Skipping record delete because Modify mode is enabled."
        return
    }

    Connect-OVH @PSBoundParameters

    $domain = Find-OVHDomain $RecordName
    $recShort = ($RecordName -ireplace [regex]::Escape($domain), [string]::Empty).TrimEnd('.')

    $recs = @(Get-OVHTxtRecords $recShort $domain)

    $rec = $recs | Where-Object { $_.target -eq "`"$TxtValue`"" }

    if ($rec) {
        # delete the record
        Write-Verbose "Removing TXT record for $RecordName with value $TxtValue"
        $query = "$($script:OVHCreds.ApiBase)/domain/zone/$domain/record/$($rec.id)"
        Invoke-OVHRest DELETE $query | Out-Null

        # add the zone to be saved
        if ($domain -notin $script:OVHZonesToSave) {
            $script:OVHZonesToSave += $domain
        }
    }
    else {
        Write-Debug "Record $RecordName with value $TxtValue doesn't exist. Nothing to do."
    }

    <#
    .SYNOPSIS
        Remove a DNS TXT record from OVH
 
    .DESCRIPTION
        Remove a DNS TXT record from OVH
 
    .PARAMETER RecordName
        The fully qualified name of the TXT record.
 
    .PARAMETER TxtValue
        The value of the TXT record.
 
    .PARAMETER OVHAppKey
        The Application Key value associated with the OVH API application you created.
 
    .PARAMETER OVHAppSecret
        The Application Secret value associated with the OVH API application you created.
 
    .PARAMETER OVHAppSecretInsecure
        (DEPRECATED) The Application Secret value associated with the OVH API application you created.
 
    .PARAMETER OVHConsumerKey
        The Consumer Key value generated for the API application you created.
 
    .PARAMETER OVHConsumerKeyInsecure
        (DEPRECATED) The Consumer Key value generated for the API application you created.
 
    .PARAMETER OVHRegion
        The region code associated with your OVH account. Must be one of the following: 'ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca'
 
    .PARAMETER OVHUseModify
        If specified, the plugin will attempt to modify existing TXT records instead of adding/removing new ones. This is only necessary when the API credential has been given modify permissions on particular record IDs instead of write access to a whole zone.
 
    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.
 
    .EXAMPLE
        $appSecret = Read-Host -Prompt "App Secret" -AsSecureString
        $cKey = Read-Host -Prompt "Consumer Key" -AsSecureString
        $pArgs = @{OVHAppKey='xxxxxxxxxxx'; OVHAppSecret=$appSecret; OVHConsumerKey=$Key; OVHRegion='ovh-eu'}
        Remove-DnsTxt '_acme-challenge.example.com' 'txt-value' @pArgs
 
        Removes a TXT record using SecureString parameter values.
    #>

}

function Save-DnsTxt {
    [CmdletBinding(DefaultParameterSetName='Secure')]
    param(
        [Parameter(Mandatory)]
        [string]$OVHAppKey,
        [Parameter(ParameterSetName='Secure',Mandatory)]
        [securestring]$OVHAppSecret,
        [Parameter(ParameterSetName='Secure',Mandatory)]
        [securestring]$OVHConsumerKey,
        [Parameter(ParameterSetName='DeprecatedInsecure',Mandatory)]
        [string]$OVHAppSecretInsecure,
        [Parameter(ParameterSetName='DeprecatedInsecure',Mandatory)]
        [string]$OVHConsumerKeyInsecure,
        [ValidateSet('ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca')]
        [string]$OVHRegion = 'ovh-eu',
        [switch]$OVHUseModify,
        [Parameter(ValueFromRemainingArguments)]
        $ExtraParams
    )

    if ($script:OVHCreds) {
        # Apply zone modifications by calling the "refresh" endpoint
        foreach ($zone in $script:OVHZonesToSave) {
            Write-Verbose "Refreshing $zone zone"
            Invoke-OVHRest POST "$($script:OVHCreds.ApiBase)/domain/zone/$zone/refresh" | Out-Null
        }
        $script:OVHZonesToSave = @()
    }

    $script:OVHModifiedRecs = @()

    <#
    .SYNOPSIS
        Notifies OVH to apply zone modifications.
 
    .DESCRIPTION
        Notifies OVH to apply zone modifications.
 
    .PARAMETER OVHAppKey
        The Application Key value associated with the OVH API application you created.
 
    .PARAMETER OVHAppSecret
        The Application Secret value associated with the OVH API application you created.
 
    .PARAMETER OVHAppSecretInsecure
        (DEPRECATED) The Application Secret value associated with the OVH API application you created.
 
    .PARAMETER OVHConsumerKey
        The Consumer Key value generated for the API application you created.
 
    .PARAMETER OVHConsumerKeyInsecure
        (DEPRECATED) The Consumer Key value generated for the API application you created.
 
    .PARAMETER OVHRegion
        The region code associated with your OVH account. Must be one of the following: 'ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca'
 
    .PARAMETER OVHUseModify
        If specified, the plugin will attempt to modify existing TXT records instead of adding/removing new ones. This is only necessary when the API credential has been given modify permissions on particular record IDs instead of write access to a whole zone.
 
    .PARAMETER ExtraParams
        This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports.
    #>

}

############################
# Helper Functions
############################

# API Docs
# https://api.ovh.com/

function Connect-OVH {
    [CmdletBinding(DefaultParameterSetName='Secure')]
    param(
        [Parameter(Mandatory)]
        [string]$OVHAppKey,
        [Parameter(ParameterSetName='Secure',Mandatory)]
        [securestring]$OVHAppSecret,
        [Parameter(ParameterSetName='Secure',Mandatory)]
        [securestring]$OVHConsumerKey,
        [Parameter(ParameterSetName='DeprecatedInsecure',Mandatory)]
        [string]$OVHAppSecretInsecure,
        [Parameter(ParameterSetName='DeprecatedInsecure',Mandatory)]
        [string]$OVHConsumerKeyInsecure,
        [ValidateSet('ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca')]
        [string]$OVHRegion = 'ovh-eu',
        [Parameter(ValueFromRemainingArguments)]
        $ExtraConnectParams
    )

    # generate plain text versions of the secure params we can work with
    if ('Secure' -eq $PSCmdlet.ParameterSetName) {
        $OVHAppSecretInsecure = [pscredential]::new('a',$OVHAppSecret).GetNetworkCredential().Password
        $OVHConsumerKeyInsecure = [pscredential]::new('a',$OVHConsumerKey).GetNetworkCredential().Password
    }

    # determine the region specific API endpoint
    $apiBase = switch ($OVHRegion) {
        'ovh-eu'        { 'https://eu.api.ovh.com/1.0'; break }
        'ovh-us'        { 'https://api.us.ovhcloud.com/1.0'; break }
        'ovh-ca'        { 'https://ca.api.ovh.com/1.0'; break }
        'soyoustart-eu' { 'https://eu.api.soyoustart.com/1.0'; break }
        'soyoustart-ca' { 'https://ca.api.soyoustart.com/1.0'; break }
        'kimsufi-eu'    { 'https://eu.api.kimsufi.com/1.0'; break }
        'kimsufi-ca'    { 'https://ca.api.kimsufi.com/1.0'; break }
        'runabove-ca'   { 'https://api.runabove.com/1.0'; break }
        default { throw "Unknown OVHRegion: $OVHRegion" }
    }

    $script:OVHCreds = @{
        AppKey = $OVHAppKey
        AppSecret = $OVHAppSecretInsecure
        ConsumerKey = $OVHConsumerKeyInsecure
        ApiBase = $apiBase
    }

    # setup a tracking variable for zones we need to "refresh"
    if (-not $script:OVHZonesToSave) { $script:OVHZonesToSave = @() }

    # setup a tracking variable for modified records
    if (-not $script:OVHModifiedRecs) { $script:OVHModifiedRecs = @() }


}

function Invoke-OVHRest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Method,
        [Parameter(Mandatory)]
        [string]$Url,
        [string]$Body
    )

    if (-not $script:OVHCreds) { throw "OVH Credentials not found in memory" }
    $c = $script:OVHCreds

    # build the string to hash for the signature
    # AppSecret '+' ConsumerKey '+' Method '+' Query '+' Body '+' Timestamp
    $unixNow = (Get-DateTimeOffsetNow).ToUnixTimeSeconds()
    $strToSign = "$($c.AppSecret)+$($c.ConsumerKey)+$($Method)+$($Url)+$($Body)+$($unixNow)"

    # hash it and make the signature
    # '$1$' + SHA1_HEX($strToHash)
    $sha1 = [Security.Cryptography.SHA1CryptoServiceProvider]::new()
    $strBytes = [Text.Encoding]::UTF8.GetBytes($strToSign)
    $hashHex = [BitConverter]::ToString($sha1.ComputeHash($strBytes)).Replace('-','').ToLower()
    $signature = "`$1`$$hashHex"

    $restArgs = @{
        Method = $Method
        Uri = $Url
        Headers = @{
            'X-Ovh-Application' = $c.AppKey
            'X-Ovh-Timestamp' = $unixNow
            'X-Ovh-Signature' = $signature
            'X-Ovh-Consumer' = $c.ConsumerKey
        }
        ContentType = 'application/json'
    }
    # add the body if there is one
    if ($Body) { $restArgs.Body = $Body }

    Invoke-RestMethod @restArgs @script:UseBasic -EA Stop
}

function Find-OVHDomain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$RecordName
    )

    # setup a module variable to cache the record to zone ID mapping
    # so it's quicker to find later
    if (!$script:OVHRecordZones) { $script:OVHRecordZones = @{} }

    # check for the record in the cache
    if ($script:OVHRecordZones.ContainsKey($RecordName)) {
        return $script:OVHRecordZones.$RecordName
    }

    # Search for the zone from longest to shortest set of FQDN pieces.
    $pieces = $RecordName.Split('.')
    for ($i=0; $i -lt ($pieces.Count-1); $i++) {
        $zoneTest = $pieces[$i..($pieces.Count-1)] -join '.'
        Write-Debug "Checking $zoneTest"
        try {
            # a non-error response indicates the zone exists
            Invoke-OvhRest GET "$($script:OVHCreds.ApiBase)/domain/zone/$zoneTest/record?fieldType=TXT" | Out-Null
            # save the zone name
            $script:OVHRecordZones.$RecordName = $zoneTest
            return $zoneTest
        } catch {
            # re-throw anything except a 403 or 404 because they indicate the zone
            # either doesn't exist or we haven't been given access to it.
            if (403 -eq $_.Exception.Response.StatusCode.value__) {
                Write-Debug "$zoneTest either doesn't exist or our credentials haven't been given read access to it."
            }
            elseif (404 -eq $_.Exception.Response.StatusCode.value__) {
                Write-Debug "$zoneTest does not exist"
            }
            else { throw }
        }
    }

    throw "No zone found for $RecordName"
}

function Get-OVHTxtRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$RecordShort,
        [Parameter(Mandatory)]
        [string]$Domain
    )

    # First we search for just the record and type which only returns a list of record IDs when found
    $query = "$($script:OVHCreds.ApiBase)/domain/zone/$Domain/record?fieldType=TXT&subDomain=$RecordShort"
    $recIDs = Invoke-OVHRest GET $query
    if (-not $recIDs) {
        return $null
    }

    # now we loop through the IDs to request the record details so we can check if the target matches
    foreach ($id in $recIDs) {
        Invoke-OVHRest GET "$($script:OVHCreds.ApiBase)/domain/zone/$Domain/record/$id"
    }
}

function Invoke-OVHSetup {
    [CmdletBinding(DefaultParameterSetName='AllOrList')]
    param(
        [Parameter(Mandatory,Position=0)]
        [string]$AppKey,
        [ValidateSet('ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca')]
        [string]$OVHRegion = 'ovh-eu',
        [Parameter(ParameterSetName='AllOrList')]
        [string[]]$Zone,
        [Parameter(ParameterSetName='Custom',Mandatory)]
        [object[]]$AccessRules
    )

    # So when creating an OVH app key, they don't give you the "Consumer Key" by default. They have
    # this funky OAuth'ish process where you have to login with the pre-created key/secret. The response
    # contains what will be your Consumer Key and a generated URL that the user must go to and explicitly
    # login and grant the permissions you've requested for a particular duration. Thankfully, unlimited
    # is an option.
    #
    # This is a helper function that the user must manually run once in order to generate the Consumer Key
    # value prior to the first certificate request.

    # determine the region specific API endpoint
    $apiBase = switch ($OVHRegion) {
        'ovh-eu'        { 'https://eu.api.ovh.com/1.0'; break }
        'ovh-us'        { 'https://api.us.ovhcloud.com/1.0'; break }
        'ovh-ca'        { 'https://ca.api.ovh.com/1.0'; break }
        'soyoustart-eu' { 'https://eu.api.soyoustart.com/1.0'; break }
        'soyoustart-ca' { 'https://ca.api.soyoustart.com/1.0'; break }
        'kimsufi-eu'    { 'https://eu.api.kimsufi.com/1.0'; break }
        'kimsufi-ca'    { 'https://ca.api.kimsufi.com/1.0'; break }
        'runabove-ca'   { 'https://api.runabove.com/1.0'; break }
        default { throw "Unknown OVHRegion: $OVHRegion" }
    }

    $header = @{ 'X-Ovh-Application' = $AppKey }

    # build the body that will request permissions for this app
    $body = @{
        redirection = 'https://github.com/rmbolger/Posh-ACME/wiki/OVH-Success-Redirect'
    }

    if ('AllOrList' -eq $PSCmdlet.ParameterSetName) {
        if ($Zone) {
            # setup permissions for a specific set of zones
            $body.accessRules = @()
            foreach ($z in $Zone) {
                $body.accessRules += @(
                    @{ method = 'GET';    path = "/domain/zone/$z/record*" }
                    @{ method = 'POST';   path = "/domain/zone/$z/record" }
                    @{ method = 'DELETE'; path = "/domain/zone/$z/record/*" }
                    @{ method = 'POST';   path = "/domain/zone/$z/refresh" }
                )
            }
        } else {
            # setup permissions for all zones
            $body.accessRules = @(
                @{ method = 'GET';    path = '/domain/zone/*/record*' }
                @{ method = 'POST';   path = '/domain/zone/*/record' }
                @{ method = 'DELETE'; path = '/domain/zone/*/record/*' }
                @{ method = 'POST';   path = '/domain/zone/*/refresh' }
            )
        }
    } else {
        # setup custom permissions
        $body.accessRules = $AccessRules
    }

    $bodyJson = $body | ConvertTo-Json -Compress

    $UseBasic = @{}
    if ('UseBasicParsing' -in (Get-Command Invoke-RestMethod).Parameters.Keys) {
        $UseBasic.UseBasicParsing = $true
    }

    try {
        $response = Invoke-RestMethod "$($apiBase)/auth/credential" -Method Post -Body $bodyJson `
            -Headers $header -ContentType 'application/json' @UseBasic -EA Stop
    } catch { throw }

    if (-not $response -or -not $response.state) {
        throw "Empty auth response state"
    }
    if ($response.state -ne 'pendingValidation') {
        throw "Unexpected auth response: $(($response | ConvertTo-Json -Compress))"
    }

    Write-Host "`nPlease visit the following link, select Validity = `"Unlimited`", and then Log In:`n"
    Write-Host ($response.validationUrl)
    Read-Host "`nWhen finished, press Enter to continue" | Out-Null

    Write-Host "`n`nIf log in was successful, you may now use the following Consumer Key value in your plugin args:`n"
    Write-Host " >>> $($response.consumerKey) <<< "
}