From: Folke Gleumes <f.gleumes@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH backup 4/8] cli: acme: add possibility to set eab via the cli
Date: Tue, 14 Nov 2023 15:14:04 +0100 [thread overview]
Message-ID: <20231114141408.228705-6-f.gleumes@proxmox.com> (raw)
In-Reply-To: <20231114141408.228705-1-f.gleumes@proxmox.com>
If the CA demands external account binding credentials, the user will be
asked for them. If a custom directory is used, the user will be asked whether
EAB should be used.
Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
---
src/acme/client.rs | 2 +-
src/bin/proxmox_backup_manager/acme.rs | 51 +++++++++++++++++++++-----
2 files changed, 43 insertions(+), 10 deletions(-)
diff --git a/src/acme/client.rs b/src/acme/client.rs
index 1396eb2c..6130748b 100644
--- a/src/acme/client.rs
+++ b/src/acme/client.rs
@@ -577,7 +577,7 @@ impl AcmeClient {
Self::execute(&mut self.http_client, request, &mut self.nonce).await
}
- async fn directory(&mut self) -> Result<&Directory, Error> {
+ pub async fn directory(&mut self) -> Result<&Directory, Error> {
Ok(Self::get_directory(
&mut self.http_client,
&self.directory_url,
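Review bot: `directory` becomes a public method of `AcmeClient` here without a doc comment, and its signature deserves one: the returned `&Directory` is tied to the `&mut self` borrow, so a caller cannot touch the client again until that reference is dropped. Since the body passes `&mut self.http_client` and `&self.directory_url` to `get_directory`, a header along the lines of `/// Fetch the ACME directory for this client's directory URL; the returned reference borrows the client mutably.` would state the contract callers now depend on. Whether the result is cached between calls is not visible in the hunk and should be documented by whoever knows `get_directory`. The body of `directory` continues past the end of the hunk.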
diff --git a/src/bin/proxmox_backup_manager/acme.rs b/src/bin/proxmox_backup_manager/acme.rs
index 17ca5958..f3e62115 100644
--- a/src/bin/proxmox_backup_manager/acme.rs
+++ b/src/bin/proxmox_backup_manager/acme.rs
@@ -103,8 +103,8 @@ async fn register_account(
contact: String,
directory: Option<String>,
) -> Result<(), Error> {
- let directory = match directory {
- Some(directory) => directory,
+ let (directory_url, custom_directory) = match directory {
+ Some(directory) => (directory, true),
None => {
println!("Directory endpoints:");
for (i, dir) in KNOWN_ACME_DIRECTORIES.iter().enumerate() {
@@ -122,12 +122,12 @@ async fn register_account(
match input.trim().parse::<usize>() {
Ok(n) if n < KNOWN_ACME_DIRECTORIES.len() => {
- break KNOWN_ACME_DIRECTORIES[n].url.to_owned();
+ break (KNOWN_ACME_DIRECTORIES[n].url.to_owned(), false);
}
Ok(n) if n == KNOWN_ACME_DIRECTORIES.len() => {
input.clear();
std::io::stdin().read_line(&mut input)?;
- break input.trim().to_owned();
+ break (input.trim().to_owned(), true);
}
_ => eprintln!("Invalid selection."),
}
@@ -140,9 +140,13 @@ async fn register_account(
}
};
- println!("Attempting to fetch Terms of Service from {:?}", directory);
- let mut client = AcmeClient::new(directory.clone());
- let tos_agreed = if let Some(tos_url) = client.terms_of_service_url().await? {
+ println!(
+ "Attempting to fetch Terms of Service from {:?}",
+ directory_url
+ );
+ let mut client = AcmeClient::new(directory_url.clone());
+ let directory = client.directory().await?;
+ let tos_agreed = if let Some(tos_url) = directory.terms_of_service_url() {
println!("Terms of Service: {}", tos_url);
print!("Do you agree to the above terms? [y|N]: ");
std::io::stdout().flush()?;
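Review bot: `let directory = client.directory().await?;` keeps a reference into `client` alive for as long as `directory` is used, and the function later hands `&mut client` to `do_register_account`; this only compiles because the last use of `directory` happens before that call, which is a fragile ordering for future edits. It would be more robust to pull the two values the function actually needs into owned locals right after the fetch (the terms-of-service URL and the external-account-binding flag) and let the borrow end immediately, rather than carrying `directory` through the rest of the body. I am inferring the return type of `terms_of_service_url()` from its use, so the exact conversion to an owned value needs confirming. `register_account` starts and ends outside this hunk.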
@@ -154,7 +158,36 @@ async fn register_account(
true
};
- println!("Attempting to register account with {:?}...", directory);
+ let mut eab_enabled = directory.external_account_binding_required();
+ if !eab_enabled && custom_directory {
+ print!("Do you want to use external account binding? [y|N]: ");
+ std::io::stdout().flush()?;
+ let mut input = String::new();
+ std::io::stdin().read_line(&mut input)?;
+ eab_enabled = input.trim().eq_ignore_ascii_case("y");
+ } else if eab_enabled {
+ println!("The CA requires external account binding.");
+ }
+
+ let eab_creds = if eab_enabled {
+ println!("You should have received a key id and a key from your CA.");
+
+ print!("Enter EAB key id: ");
+ std::io::stdout().flush()?;
+ let mut eab_kid = String::new();
+ std::io::stdin().read_line(&mut eab_kid)?;
+
+ print!("Enter EAB key: ");
+ std::io::stdout().flush()?;
+ let mut eab_hmac_key = String::new();
+ std::io::stdin().read_line(&mut eab_hmac_key)?;
+
+ Some((eab_kid.trim().to_owned(), eab_hmac_key.trim().to_owned()))
+ } else {
+ None
+ };
+
+ println!("Attempting to register account with {:?}...", directory_url);
let account = api2::config::acme::do_register_account(
&mut client,
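Review bot: The value read at the `Enter EAB key:` prompt is the shared secret the CA issued for external account binding, yet it is read with `read_line` on an echoing terminal and accepted even when empty, so a blank key id or key is silently packed into `eab_creds` and sent to the CA instead of being rejected up front. I would validate before building the tuple, e.g. `if eab_kid.trim().is_empty() || eab_hmac_key.trim().is_empty() { bail!("EAB key id and key must not be empty"); }` (assuming `Error` here is anyhow's and `bail!` is in scope in this file, as the surrounding `?` usage suggests), and read the key through a no-echo prompt or accept it from a file so the secret does not end up in terminal scrollback. The `y`-only confirmation at `eq_ignore_ascii_case("y")` matches the existing terms-of-service prompt style, so that part is fine. `register_account`'s body continues outside the hunk.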
@@ -162,7 +195,7 @@ async fn register_account(
tos_agreed,
contact,
None,
- None,
+ eab_creds,
)
.await?;
--
2.39.2