From: Dominik Csapak <d.csapak@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH api 2/8] add PMG::CertHelpers module
Date: Thu, 11 Mar 2021 11:05:21 +0100
Message-ID: <d10977b8-407b-cb71-cd52-ae71e1306968@proxmox.com>
In-Reply-To: <20210309141401.19237-3-w.bumiller@proxmox.com>
comments inline
On 3/9/21 3:13 PM, Wolfgang Bumiller wrote:
> Contains helpers to update certificates and provide locking
> for certificates and when accessing acme accounts.
>
> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> ---
> src/Makefile | 1 +
> src/PMG/CertHelpers.pm | 180 +++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 181 insertions(+)
> create mode 100644 src/PMG/CertHelpers.pm
>
> diff --git a/src/Makefile b/src/Makefile
> index 8891a3c..c1d4812 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -55,6 +55,7 @@ LIBSOURCES = \
> PMG/HTMLMail.pm \
> PMG/ModGroup.pm \
> PMG/SMTPPrinter.pm \
> + PMG/CertHelpers.pm \
> PMG/Config.pm \
> PMG/Cluster.pm \
> PMG/ClusterConfig.pm \
> diff --git a/src/PMG/CertHelpers.pm b/src/PMG/CertHelpers.pm
> new file mode 100644
> index 0000000..2cf8a4e
> --- /dev/null
> +++ b/src/PMG/CertHelpers.pm
> @@ -0,0 +1,180 @@
> +package PMG::CertHelpers;
> +
> +use strict;
> +use warnings;
> +
> +use PVE::Certificate;
> +use PVE::JSONSchema;
> +use PVE::Tools;
> +
> +use constant {
> + API_CERT => '/etc/pmg/pmg-api.pem',
> + SMTP_CERT => '/etc/pmg/pmg-tls.pem',
> +};
> +
> +my $account_prefix = '/etc/pmg/acme';
> +
> +# TODO: Move `pve-acme-account-name` to common and reuse instead of this.
> +PVE::JSONSchema::register_standard_option('pmg-acme-account-name', {
> + description => 'ACME account config file name.',
> + type => 'string',
> + format => 'pve-configid',
> + format_description => 'name',
> + optional => 1,
> + default => 'default',
> +});
> +
> +PVE::JSONSchema::register_standard_option('pmg-acme-account-contact', {
> + type => 'string',
> + format => 'email-list',
> + description => 'Contact email addresses.',
> +});
> +
> +PVE::JSONSchema::register_standard_option('pmg-acme-directory-url', {
> + type => 'string',
> + description => 'URL of ACME CA directory endpoint.',
> + pattern => '^https?://.*',
> +});
> +
> +PVE::JSONSchema::register_format('pmg-certificate-type', sub {
> + my ($type, $noerr) = @_;
> +
> + if ($type =~ /^(?: api | smtp )$/x) {
> + return $type;
> + }
> + return undef if $noerr;
> + die "value '$type' does not look like a valid certificate type\n";
> +});
> +
> +PVE::JSONSchema::register_standard_option('pmg-certificate-type', {
> + type => 'string',
> + description => 'The TLS certificate type (API or SMTP certificate).',
> + enum => ['api', 'smtp'],
> +});
I get why you did the format and the option (you need it once as a
'-list'), but would it not have been possible to reuse the format instead
of redefining the enum?
Or only using the enum as a variable defined somewhere?
It feels weird to have a format + option that do basically
the same thing.
> +
> +PVE::JSONSchema::register_format('pmg-acme-domain', sub {
> + my ($domain, $noerr) = @_;
> +
> + my $label = qr/[a-z0-9][a-z0-9_-]*/i;
> +
> + return $domain if $domain =~ /^$label(?:\.$label)+$/;
> + return undef if $noerr;
> + die "value '$domain' does not look like a valid domain name!\n";
> +});
> +
> +PVE::JSONSchema::register_format('pmg-acme-alias', sub {
> + my ($alias, $noerr) = @_;
> +
> + my $label = qr/[a-z0-9_][a-z0-9_-]*/i;
> +
> + return $alias if $alias =~ /^$label(?:\.$label)+$/;
> + return undef if $noerr;
> + die "value '$alias' does not look like a valid alias name!\n";
> +});
Could we not reuse the '-domain' format here?
I know the error message would be different then, but it is still a domain?
If not, we could refactor the regexes though.
> +
> +my $local_cert_lock = '/var/lock/pmg-certs.lock';
> +my $local_acme_lock = '/var/lock/pmg-acme.lock';
> +
> +sub cert_path : prototype($) {
> + my ($type) = @_;
> + if ($type eq 'api') {
> + return API_CERT;
> + } elsif ($type eq 'smtp') {
> + return SMTP_CERT;
> + } else {
> + die "unknown certificate type '$type'\n";
> + }
> +}
> +
> +sub cert_lock {
> + my ($timeout, $code, @param) = @_;
> +
> + my $res = PVE::Tools::lock_file($local_cert_lock, $timeout, $code, @param);
> + die $@ if $@;
> + return $res;
> +}
> +
> +sub set_cert_file {
> + my ($cert, $cert_path, $force) = @_;
> +
> + my ($old_cert, $info);
> +
> + my $cert_path_old = "${cert_path}.old";
> +
> + die "Custom certificate file exists but force flag is not set.\n"
> + if !$force && -e $cert_path;
> +
> + PVE::Tools::file_copy($cert_path, $cert_path_old) if -e $cert_path;
> +
> + eval {
> + my $gid = undef;
> + if ($cert_path eq &API_CERT) {
> + $gid = getgrnam('www-data') ||
> + die "user www-data not in group file\n";
> + }
> +
> + if (defined($gid)) {
> + my $cert_path_tmp = "${cert_path}.tmp";
> + PVE::Tools::file_set_contents($cert_path_tmp, $cert, 0640);
> + if (!chown(-1, $gid, $cert_path_tmp)) {
> + my $msg =
> + "failed to change group ownership of '$cert_path_tmp' to www-data ($gid): $!\n";
> + unlink($cert_path_tmp);
> + die $msg;
> + }
> + if (!rename($cert_path_tmp, $cert_path)) {
> + my $msg =
> + "failed to rename '$cert_path_tmp' to '$cert_path': $!\n";
> + unlink($cert_path_tmp);
> + die $msg;
> + }
> + } else {
> + PVE::Tools::file_set_contents($cert_path, $cert, 0600);
> + }
> +
> + $info = PVE::Certificate::get_certificate_info($cert_path);
> + };
> + my $err = $@;
> +
> + if ($err) {
> + if (-e $cert_path_old) {
> + eval {
> + warn "Attempting to restore old certificate file..\n";
> + PVE::Tools::file_copy($cert_path_old, $cert_path);
> + };
> + warn "$@\n" if $@;
> + }
> + die "Setting certificate files failed - $err\n"
> + }
> +
> + unlink $cert_path_old;
> +
> + return $info;
> +}
> +
> +sub lock_acme {
> + my ($account_name, $timeout, $code, @param) = @_;
> +
> + my $file = "$local_acme_lock.$account_name";
> +
> + return PVE::Tools::lock_file($file, $timeout, $code, @param);
> +}
> +
Is there a special reason why you die $@ if $@ above in cert_lock
but not here?
AFAICS, you do it manually in the later patches always anyway.
> +sub acme_account_dir {
> + return $account_prefix;
> +}
> +
> +sub list_acme_accounts {
> + my $accounts = [];
> +
> + return $accounts if ! -d $account_prefix;
> +
> + PVE::Tools::dir_glob_foreach($account_prefix, qr/[^.]+.*/, sub {
> + my ($name) = @_;
> +
> + push @$accounts, $name
> + if PVE::JSONSchema::pve_verify_configid($name, 1);
> + });
> +
> + return $accounts;
> +}
>
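Review bot: in set_cert_file the backup handling is weaker than the handling of the new file: the existing certificate (which also carries the private key) is copied to `${cert_path}.old` via `PVE::Tools::file_copy` without an explicit mode, and on the error path that `.old` copy is restored but never unlinked, so a failed update can leave an extra copy of the key on disk, while the success path does `unlink $cert_path_old`; consider giving the copy the same 0600/0640 mode the new file gets and unlinking `$cert_path_old` after the restore attempt as well. Two smaller points in the same block: `getgrnam('www-data')` looks up a group, so `die "user www-data not in group file\n"` should say "group"; and `die "Setting certificate files failed - $err\n"` produces a double newline since `$err` already ends with one. Finally, the `else` branch writes with `file_set_contents($cert_path, $cert, 0600)` directly while the API_CERT branch goes through `.tmp` + chown + rename; a short comment explaining that only the API certificate needs the group change (and why the SMTP one does not) would save the next reader from wondering whether the asymmetry is intentional.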