Date: Tue, 24 Oct 2023 10:32:20 +0200
From: Fabian Grünbichler
To: Proxmox VE development discussion
Subject: Re: [pve-devel] [PATCH manager 4/5] fix #4497: cli/acme: detect eab and ask for credentials
Message-Id: <1698135215.wi12ac6f4w.astroid@yuna.none>
In-Reply-To: <20231023131808.172494-5-f.gleumes@proxmox.com>
References: <20231023131808.172494-1-f.gleumes@proxmox.com> <20231023131808.172494-5-f.gleumes@proxmox.com>

On October 23, 2023 3:18 pm, Folke Gleumes wrote: > Since external account binding is advertised the same way as the ToS, > it can be detected when creating an account and asked for if needed. >=20 > Signed-off-by: Folke Gleumes > --- > PVE/CLI/pvenode.pm | 16 ++++++++++++++-- > 1 file changed, 14 insertions(+), 2 deletions(-) >=20 > diff --git a/PVE/CLI/pvenode.pm b/PVE/CLI/pvenode.pm > index acef6c3b..e3d6b15a 100644 > --- a/PVE/CLI/pvenode.pm > +++ b/PVE/CLI/pvenode.pm > @@ -117,8 +117,9 @@ __PACKAGE__->register_method({ > } > } > print "\nAttempting to fetch Terms of Service from '$param->{directory}= '..\n"; > - my $tos =3D PVE::API2::ACMEAccount->get_tos({ directory =3D> $param->{d= irectory} }); > - if ($tos) { > + my $meta =3D PVE::API2::ACMEAccount->get_meta({ directory =3D> $param->= {directory} }); > + if ($meta->{termsOfService}) { > + my $tos =3D $meta->{termsOfService}; > print "Terms of Service: $tos\n"; > my $term =3D Term::ReadLine->new('pvenode'); > my $agreed =3D $term->readline('Do you agree to the above terms? [y= |N]: '); 
> @@ -129,6 +130,17 @@ __PACKAGE__->register_method({ > } else { > print "No Terms of Service found, proceeding.\n"; > } > + if ($meta->{externalAccountRequired}) { > + print "The ACME Directory uses External Account Binding\n"; s/uses/requires and maybe s/Directory/CA/ since "directory" is just the name for the entrypoint of the API :) > + my $term =3D Term::ReadLine->new('pvenode'); since this is the "interactive" user friendly mode, we might want to add another line here to indicate that the requested values should have been given to the user by the CA? > + my $eab_kid =3D $term->readline('Enter EAB kid: '); might be worth to s/kid/key identifier ("kid")/ to make it more understandable for users who haven't already learned the ACME spec by heart ;) > + my $eab_hmac_key =3D $term->readline('Enter EAB HMAC key: '); > + > + $param->{eab_kid} =3D $eab_kid; > + $param->{eab_hmac_key} =3D $eab_hmac_key; maybe: } elsif ($directory_is_custom) { # ask for optional EAB parameters } > + } else { > + print "No EAB required, proceeding.\n"; > + } > print "\nAttempting to register account with '$param->{directory}'..\n"= ; > =20 > $upid_exit->(PVE::API2::ACMEAccount->register_account($param)); > --=20 > 2.39.2
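
Review bot: in the first hunk (@@ -117,8 +117,9 @@), `$meta` is dereferenced in `if ($meta->{termsOfService})` with nothing visible that checks what get_meta returned. The `meta` object is optional in an ACME directory (RFC 8555), so either get_meta should be documented to return an empty hash when the directory has none, or the caller should guard with something like `$meta //= {};` before the two lookups. The progress message just above the call still reads "Attempting to fetch Terms of Service" although the call now fetches the whole metadata object, so the wording could be updated to match.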
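
Review bot: in the second hunk (@@ -129,6 +130,17 @@), the two readline results are copied into `$param->{eab_kid}` and `$param->{eab_hmac_key}` without any check. `readline` returns undef on EOF and an empty string on a bare Enter, so inside the `externalAccountRequired` branch both cases should abort or re-prompt before `register_account($param)` is reached, and surrounding whitespace from a pasted value should be trimmed. The HMAC key is a secret and is read at a prompt that echoes it, so reading that value without echo is worth considering.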