From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id EC04F69F10 for ; Fri, 12 Mar 2021 16:24:32 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 6E0DD347EF for ; Fri, 12 Mar 2021 16:24:32 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id AEA12346D1 for ; Fri, 12 Mar 2021 16:24:26 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 780A6463F9 for ; Fri, 12 Mar 2021 16:24:26 +0100 (CET) From: Wolfgang Bumiller To: pmg-devel@lists.proxmox.com Date: Fri, 12 Mar 2021 16:23:59 +0100 Message-Id: <20210312152421.30114-11-w.bumiller@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210312152421.30114-1-w.bumiller@proxmox.com> References: <20210312152421.30114-1-w.bumiller@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.031 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_FILL_THIS_FORM_SHORT 0.01 Fill in a short form with personal information URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [cluster.pm, clusterconfig.pm, modgroup.pm, config.pm, htmlmail.pm, smtpprinter.pm, certhelpers.pm] Subject: [pmg-devel] [PATCH v2 api 2/8] add PMG::CertHelpers module X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2021 15:24:33 -0000 Contains helpers to update certificates and provide locking for certificates and when accessing acme accounts. Signed-off-by: Wolfgang Bumiller --- Changes since v1: * die in both lock helpers on error src/Makefile | 1 + src/PMG/CertHelpers.pm | 182 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 183 insertions(+) create mode 100644 src/PMG/CertHelpers.pm diff --git a/src/Makefile b/src/Makefile index 8891a3c..c1d4812 100644 --- a/src/Makefile +++ b/src/Makefile @@ -55,6 +55,7 @@ LIBSOURCES = \ PMG/HTMLMail.pm \ PMG/ModGroup.pm \ PMG/SMTPPrinter.pm \ + PMG/CertHelpers.pm \ PMG/Config.pm \ PMG/Cluster.pm \ PMG/ClusterConfig.pm \ diff --git a/src/PMG/CertHelpers.pm b/src/PMG/CertHelpers.pm new file mode 100644 index 0000000..56b25f7 --- /dev/null +++ b/src/PMG/CertHelpers.pm @@ -0,0 +1,182 @@ +package PMG::CertHelpers; + +use strict; +use warnings; + +use PVE::Certificate; +use PVE::JSONSchema; +use PVE::Tools; + +use constant { + API_CERT => '/etc/pmg/pmg-api.pem', + SMTP_CERT => '/etc/pmg/pmg-tls.pem', +}; + +my $account_prefix = '/etc/pmg/acme'; + +# TODO: Move `pve-acme-account-name` to common and reuse instead of this. +PVE::JSONSchema::register_standard_option('pmg-acme-account-name', { + description => 'ACME account config file name.', + type => 'string', + format => 'pve-configid', + format_description => 'name', + optional => 1, + default => 'default', +}); + +PVE::JSONSchema::register_standard_option('pmg-acme-account-contact', { + type => 'string', + format => 'email-list', + description => 'Contact email addresses.', +}); + +PVE::JSONSchema::register_standard_option('pmg-acme-directory-url', { + type => 'string', + description => 'URL of ACME CA directory endpoint.', + pattern => '^https?://.*', +}); + +PVE::JSONSchema::register_format('pmg-certificate-type', sub { + my ($type, $noerr) = @_; + + if ($type =~ /^(?: api | smtp )$/x) { + return $type; + } + return undef if $noerr; + die "value '$type' does not look like a valid certificate type\n"; +}); + +PVE::JSONSchema::register_standard_option('pmg-certificate-type', { + type => 'string', + description => 'The TLS certificate type (API or SMTP certificate).', + enum => ['api', 'smtp'], +}); + +PVE::JSONSchema::register_format('pmg-acme-domain', sub { + my ($domain, $noerr) = @_; + + my $label = qr/[a-z0-9][a-z0-9_-]*/i; + + return $domain if $domain =~ /^$label(?:\.$label)+$/; + return undef if $noerr; + die "value '$domain' does not look like a valid domain name!\n"; +}); + +PVE::JSONSchema::register_format('pmg-acme-alias', sub { + my ($alias, $noerr) = @_; + + my $label = qr/[a-z0-9_][a-z0-9_-]*/i; + + return $alias if $alias =~ /^$label(?:\.$label)+$/; + return undef if $noerr; + die "value '$alias' does not look like a valid alias name!\n"; +}); + +my $local_cert_lock = '/var/lock/pmg-certs.lock'; +my $local_acme_lock = '/var/lock/pmg-acme.lock'; + +sub cert_path : prototype($) { + my ($type) = @_; + if ($type eq 'api') { + return API_CERT; + } elsif ($type eq 'smtp') { + return SMTP_CERT; + } else { + die "unknown certificate type '$type'\n"; + } +} + +sub cert_lock { + my ($timeout, $code, @param) = @_; + + my $res = PVE::Tools::lock_file($local_cert_lock, $timeout, $code, @param); + die $@ if $@; + return $res; +} + +sub set_cert_file { + my ($cert, $cert_path, $force) = @_; + + my ($old_cert, $info); + + my $cert_path_old = "${cert_path}.old"; + + die "Custom certificate file exists but force flag is not set.\n" + if !$force && -e $cert_path; + + PVE::Tools::file_copy($cert_path, $cert_path_old) if -e $cert_path; + + eval { + my $gid = undef; + if ($cert_path eq &API_CERT) { + $gid = getgrnam('www-data') || + die "user www-data not in group file\n"; + } + + if (defined($gid)) { + my $cert_path_tmp = "${cert_path}.tmp"; + PVE::Tools::file_set_contents($cert_path_tmp, $cert, 0640); + if (!chown(-1, $gid, $cert_path_tmp)) { + my $msg = + "failed to change group ownership of '$cert_path_tmp' to www-data ($gid): $!\n"; + unlink($cert_path_tmp); + die $msg; + } + if (!rename($cert_path_tmp, $cert_path)) { + my $msg = + "failed to rename '$cert_path_tmp' to '$cert_path': $!\n"; + unlink($cert_path_tmp); + die $msg; + } + } else { + PVE::Tools::file_set_contents($cert_path, $cert, 0600); + } + + $info = PVE::Certificate::get_certificate_info($cert_path); + }; + my $err = $@; + + if ($err) { + if (-e $cert_path_old) { + eval { + warn "Attempting to restore old certificate file..\n"; + PVE::Tools::file_copy($cert_path_old, $cert_path); + }; + warn "$@\n" if $@; + } + die "Setting certificate files failed - $err\n" + } + + unlink $cert_path_old; + + return $info; +} + +sub lock_acme { + my ($account_name, $timeout, $code, @param) = @_; + + my $file = "$local_acme_lock.$account_name"; + + my $res = PVE::Tools::lock_file($file, $timeout, $code, @param); + die $@ if $@; + return $res; +} + +sub acme_account_dir { + return $account_prefix; +} + +sub list_acme_accounts { + my $accounts = []; + + return $accounts if ! -d $account_prefix; + + PVE::Tools::dir_glob_foreach($account_prefix, qr/[^.]+.*/, sub { + my ($name) = @_; + + push @$accounts, $name + if PVE::JSONSchema::pve_verify_configid($name, 1); + }); + + return $accounts; +} -- 2.20.1