From: Dominik Csapak <d.csapak@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH api 2/8] add PMG::CertHelpers module
Date: Thu, 11 Mar 2021 11:05:21 +0100 [thread overview]
Message-ID: <d10977b8-407b-cb71-cd52-ae71e1306968@proxmox.com> (raw)
In-Reply-To: <20210309141401.19237-3-w.bumiller@proxmox.com>
comments inline
On 3/9/21 3:13 PM, Wolfgang Bumiller wrote:
> Contains helpers to update certificates and provide locking
> for certificates and when accessing acme accounts.
>
> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> ---
> src/Makefile | 1 +
> src/PMG/CertHelpers.pm | 180 +++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 181 insertions(+)
> create mode 100644 src/PMG/CertHelpers.pm
>
> diff --git a/src/Makefile b/src/Makefile
> index 8891a3c..c1d4812 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -55,6 +55,7 @@ LIBSOURCES = \
> PMG/HTMLMail.pm \
> PMG/ModGroup.pm \
> PMG/SMTPPrinter.pm \
> + PMG/CertHelpers.pm \
> PMG/Config.pm \
> PMG/Cluster.pm \
> PMG/ClusterConfig.pm \
> diff --git a/src/PMG/CertHelpers.pm b/src/PMG/CertHelpers.pm
> new file mode 100644
> index 0000000..2cf8a4e
> --- /dev/null
> +++ b/src/PMG/CertHelpers.pm
> @@ -0,0 +1,180 @@
> +package PMG::CertHelpers;
> +
> +use strict;
> +use warnings;
> +
> +use PVE::Certificate;
> +use PVE::JSONSchema;
> +use PVE::Tools;
> +
> +use constant {
> + API_CERT => '/etc/pmg/pmg-api.pem',
> + SMTP_CERT => '/etc/pmg/pmg-tls.pem',
> +};
> +
> +my $account_prefix = '/etc/pmg/acme';
> +
> +# TODO: Move `pve-acme-account-name` to common and reuse instead of this.
> +PVE::JSONSchema::register_standard_option('pmg-acme-account-name', {
> + description => 'ACME account config file name.',
> + type => 'string',
> + format => 'pve-configid',
> + format_description => 'name',
> + optional => 1,
> + default => 'default',
> +});
> +
> +PVE::JSONSchema::register_standard_option('pmg-acme-account-contact', {
> + type => 'string',
> + format => 'email-list',
> + description => 'Contact email addresses.',
> +});
> +
> +PVE::JSONSchema::register_standard_option('pmg-acme-directory-url', {
> + type => 'string',
> + description => 'URL of ACME CA directory endpoint.',
> + pattern => '^https?://.*',
> +});
> +
> +PVE::JSONSchema::register_format('pmg-certificate-type', sub {
> + my ($type, $noerr) = @_;
> +
> + if ($type =~ /^(?: api | smtp )$/x) {
> + return $type;
> + }
> + return undef if $noerr;
> + die "value '$type' does not look like a valid certificate type\n";
> +});
> +
> +PVE::JSONSchema::register_standard_option('pmg-certificate-type', {
> + type => 'string',
> + description => 'The TLS certificate type (API or SMTP certificate).',
> + enum => ['api', 'smtp'],
> +});
i get why you did the format and the option (you need it once as a
'-list') but would it not have been possible to reuse the format instead
of redefining the enum?
or only using the enum as variable defined somewhere?
feels weird to have a format + option that do basically
the same thing
> +
> +PVE::JSONSchema::register_format('pmg-acme-domain', sub {
> + my ($domain, $noerr) = @_;
> +
> + my $label = qr/[a-z0-9][a-z0-9_-]*/i;
> +
> + return $domain if $domain =~ /^$label(?:\.$label)+$/;
> + return undef if $noerr;
> + die "value '$domain' does not look like a valid domain name!\n";
> +});
> +
> +PVE::JSONSchema::register_format('pmg-acme-alias', sub {
> + my ($alias, $noerr) = @_;
> +
> + my $label = qr/[a-z0-9_][a-z0-9_-]*/i;
> +
> + return $alias if $alias =~ /^$label(?:\.$label)+$/;
> + return undef if $noerr;
> + die "value '$alias' does not look like a valid alias name!\n";
> +});
could we not reuse the '-domain' format here ?
i know the error message would be different then, but it is still a domain?
if not, we could refactor the regexes though
> +
> +my $local_cert_lock = '/var/lock/pmg-certs.lock';
> +my $local_acme_lock = '/var/lock/pmg-acme.lock';
> +
> +sub cert_path : prototype($) {
> + my ($type) = @_;
> + if ($type eq 'api') {
> + return API_CERT;
> + } elsif ($type eq 'smtp') {
> + return SMTP_CERT;
> + } else {
> + die "unknown certificate type '$type'\n";
> + }
> +}
> +
> +sub cert_lock {
> + my ($timeout, $code, @param) = @_;
> +
> + my $res = PVE::Tools::lock_file($local_cert_lock, $timeout, $code, @param);
> + die $@ if $@;
> + return $res;
> +}
> +
> +sub set_cert_file {
> + my ($cert, $cert_path, $force) = @_;
> +
> + my ($old_cert, $info);
> +
> + my $cert_path_old = "${cert_path}.old";
> +
> + die "Custom certificate file exists but force flag is not set.\n"
> + if !$force && -e $cert_path;
> +
> + PVE::Tools::file_copy($cert_path, $cert_path_old) if -e $cert_path;
> +
> + eval {
> + my $gid = undef;
> + if ($cert_path eq &API_CERT) {
> + $gid = getgrnam('www-data') ||
> + die "user www-data not in group file\n";
> + }
> +
> + if (defined($gid)) {
> + my $cert_path_tmp = "${cert_path}.tmp";
> + PVE::Tools::file_set_contents($cert_path_tmp, $cert, 0640);
> + if (!chown(-1, $gid, $cert_path_tmp)) {
> + my $msg =
> + "failed to change group ownership of '$cert_path_tmp' to www-data ($gid): $!\n";
> + unlink($cert_path_tmp);
> + die $msg;
> + }
> + if (!rename($cert_path_tmp, $cert_path)) {
> + my $msg =
> + "failed to rename '$cert_path_tmp' to '$cert_path': $!\n";
> + unlink($cert_path_tmp);
> + die $msg;
> + }
> + } else {
> + PVE::Tools::file_set_contents($cert_path, $cert, 0600);
> + }
> +
> + $info = PVE::Certificate::get_certificate_info($cert_path);
> + };
> + my $err = $@;
> +
> + if ($err) {
> + if (-e $cert_path_old) {
> + eval {
> + warn "Attempting to restore old certificate file..\n";
> + PVE::Tools::file_copy($cert_path_old, $cert_path);
> + };
> + warn "$@\n" if $@;
> + }
> + die "Setting certificate files failed - $err\n"
> + }
> +
> + unlink $cert_path_old;
> +
> + return $info;
> +}
> +
> +sub lock_acme {
> + my ($account_name, $timeout, $code, @param) = @_;
> +
> + my $file = "$local_acme_lock.$account_name";
> +
> + return PVE::Tools::lock_file($file, $timeout, $code, @param);
> +}
> +
is there a special reason why you die $@ if $@ above in cert_lock
but not here?
afaics, you do it manually in the later patches always anyway
> +sub acme_account_dir {
> + return $account_prefix;
> +}
> +
> +sub list_acme_accounts {
> + my $accounts = [];
> +
> + return $accounts if ! -d $account_prefix;
> +
> + PVE::Tools::dir_glob_foreach($account_prefix, qr/[^.]+.*/, sub {
> + my ($name) = @_;
> +
> + push @$accounts, $name
> + if PVE::JSONSchema::pve_verify_configid($name, 1);
> + });
> +
> + return $accounts;
> +}
>
next prev parent reply other threads:[~2021-03-11 10:05 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-09 14:13 [pmg-devel] [RFC api/gui/wtk/acme 0/many] Certificates & ACME Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH api 1/8] depend on libpmg-rs-perl and proxmox-acme Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH api 2/8] add PMG::CertHelpers module Wolfgang Bumiller
2021-03-11 10:05 ` Dominik Csapak [this message]
2021-03-12 13:55 ` Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH api 3/8] add PMG::NodeConfig module Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH api 4/8] cluster: sync acme/ and acme-plugins.conf Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH api 5/8] api: add ACME and ACMEPlugin module Wolfgang Bumiller
2021-03-11 10:41 ` Dominik Csapak
2021-03-12 14:10 ` Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH api 6/8] add certificates api endpoint Wolfgang Bumiller
2021-03-11 11:06 ` Dominik Csapak
2021-03-12 14:51 ` Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH api 7/8] add node-config api entry points Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH api 8/8] add acme and cert subcommands to pmgconfig Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH gui] add certificates and acme view Wolfgang Bumiller
2021-03-11 12:35 ` Dominik Csapak
2021-03-09 14:13 ` [pmg-devel] [PATCH acme] add missing 'use PVE::Acme' statement Wolfgang Bumiller
2021-03-12 15:00 ` [pmg-devel] applied: " Thomas Lamprecht
2021-03-09 14:13 ` [pmg-devel] [PATCH widget-toolkit 1/7] Utils: add ACME related utilities Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH widget-toolkit 2/7] add ACME related data models Wolfgang Bumiller
2021-03-11 12:41 ` Dominik Csapak
2021-03-09 14:13 ` [pmg-devel] [PATCH widget-toolkit 3/7] add ACME forms: Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH widget-toolkit 4/7] add certificate panel Wolfgang Bumiller
2021-03-09 14:13 ` [pmg-devel] [PATCH widget-toolkit 5/7] add ACME account panel Wolfgang Bumiller
2021-03-11 13:51 ` Dominik Csapak
2021-03-11 15:14 ` Thomas Lamprecht
2021-03-11 15:16 ` Dominik Csapak
2021-03-11 15:27 ` Thomas Lamprecht
2021-03-09 14:14 ` [pmg-devel] [PATCH widget-toolkit 6/7] add ACME plugin editing Wolfgang Bumiller
2021-03-09 14:14 ` [pmg-devel] [PATCH widget-toolkit 7/7] add ACME domain editing Wolfgang Bumiller
2021-03-10 12:27 ` [pmg-devel] [RFC api/gui/wtk/acme 0/many] Certificates & ACME Dominik Csapak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d10977b8-407b-cb71-cd52-ae71e1306968@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pmg-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox