[pve-devel] [PATCH manager 4/5] fix #4497: cli/acme: detect eab and ask for credentials

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Oct 24 10:32:20 CEST 2023


On October 23, 2023 3:18 pm, Folke Gleumes wrote:
> Since external account binding is advertised the same way as the ToS,
> it can be detected when creating an account and asked for if needed.
> 
> Signed-off-by: Folke Gleumes <f.gleumes at proxmox.com>
> ---
>  PVE/CLI/pvenode.pm | 16 ++++++++++++++--
>  1 file changed, 14 insertions(+), 2 deletions(-)
> 
> diff --git a/PVE/CLI/pvenode.pm b/PVE/CLI/pvenode.pm
> index acef6c3b..e3d6b15a 100644
> --- a/PVE/CLI/pvenode.pm
> +++ b/PVE/CLI/pvenode.pm
> @@ -117,8 +117,9 @@ __PACKAGE__->register_method({
>  	    }
>  	}
>  	print "\nAttempting to fetch Terms of Service from '$param->{directory}'..\n";
> -	my $tos = PVE::API2::ACMEAccount->get_tos({ directory => $param->{directory} });
> -	if ($tos) {
> +	my $meta = PVE::API2::ACMEAccount->get_meta({ directory => $param->{directory} });
> +	if ($meta->{termsOfService}) {
> +	    my $tos = $meta->{termsOfService};
>  	    print "Terms of Service: $tos\n";
>  	    my $term = Term::ReadLine->new('pvenode');
>  	    my $agreed = $term->readline('Do you agree to the above terms? [y|N]: ');
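Review bot: the status line in the context above the hunk still says "Attempting to fetch Terms of Service", but the replaced call `get_meta` now fetches the whole directory metadata (ToS link and EAB requirement); renaming it to something like "Attempting to fetch directory metadata from '$param->{directory}'.." keeps the output honest. Also the old `if ($tos)` tolerated an undefined return value, whereas `if ($meta->{termsOfService})` dies under strict if `get_meta` ever returns undef, so either confirm it always returns a hashref or guard with `$meta //= {}`.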
> @@ -129,6 +130,17 @@ __PACKAGE__->register_method({
>  	} else {
>  	    print "No Terms of Service found, proceeding.\n";
>  	}
> +	if ($meta->{externalAccountRequired}) {
> +	    print "The ACME Directory uses External Account Binding\n";

s/uses/requires

and maybe s/Directory/CA/

since "directory" is just the name for the entrypoint of the API :)

> +	    my $term = Term::ReadLine->new('pvenode');

since this is the "interactive" user friendly mode, we might want to add
another line here to indicate that the requested values should have been
given to the user by the CA?

> +	    my $eab_kid = $term->readline('Enter EAB kid: ');

might be worth it to s/kid/key identifier ("kid")/ to make it more
understandable for users who haven't already learned the ACME spec by
heart ;)

> +	    my $eab_hmac_key = $term->readline('Enter EAB HMAC key: ');
> +
> +	    $param->{eab_kid} = $eab_kid;
> +	    $param->{eab_hmac_key} = $eab_hmac_key;

maybe:

} elsif ($directory_is_custom) {
# ask for optional EAB parameters
}

> +	} else {
> +	    print "No EAB required, proceeding.\n";
> +	}
>  	print "\nAttempting to register account with '$param->{directory}'..\n";
>  
>  	$upid_exit->(PVE::API2::ACMEAccount->register_account($param));
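Review bot: the two `readline` results are stored into `$param` without any non-empty check, so pressing Enter at either prompt passes an empty `eab_kid` or `eab_hmac_key` on and the failure only surfaces later inside `register_account`; reject whitespace-only input right at the prompt with a clear message (or re-prompt). The second `Term::ReadLine->new('pvenode')` duplicates the one created in the ToS branch; creating it once before both branches avoids two readline instances. Since the HMAC key is a credential, the plain `readline` echoes it to the terminal and keeps it in readline history; a no-echo read for that prompt (e.g. Term::ReadKey's `ReadMode`) would be the safer default.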
> -- 
> 2.39.2
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
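As an added illustration of the detection logic discussed in this thread (not code from the patch or from pve-manager itself), the snippet below decodes a constructed ACME directory document, reads the `meta` object the same way the patch does, and validates user-supplied EAB values before they would be handed to account registration. The directory URL, the `required_prompts` and `check_eab_input` helpers and the sample credential values are all assumptions made up for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP;

# Constructed sample of an ACME directory document for a hypothetical CA
# (the "meta" object is where RFC 8555 section 7.1.1 puts both the ToS
# link and the externalAccountRequired flag).
my $directory_json = <<'JSON';
{
  "newAccount": "https://ca.example/acme/new-acct",
  "newOrder": "https://ca.example/acme/new-order",
  "meta": {
    "termsOfService": "https://ca.example/terms.pdf",
    "externalAccountRequired": true
  }
}
JSON

# Decide which interactive prompts account creation needs, based only on
# the directory metadata (assumed helper, not part of pve-manager).
sub required_prompts {
    my ($dir) = @_;
    my $meta = $dir->{meta} // {};    # tolerate a directory without "meta"
    return {
        tos => $meta->{termsOfService},
        eab => $meta->{externalAccountRequired} ? 1 : 0,
    };
}

# Validate what the user typed before it is stored into the registration
# parameters; an empty kid or key would otherwise only fail at the CA.
sub check_eab_input {
    my ($kid, $hmac_key) = @_;
    return (0, 'EAB key identifier ("kid") must not be empty')
        if !defined $kid || $kid !~ /\S/;
    return (0, 'EAB HMAC key must not be empty')
        if !defined $hmac_key || $hmac_key !~ /\S/;
    # RFC 8555 section 7.3.4 says the MAC key SHOULD be base64url-encoded,
    # so anything else is almost certainly a copy/paste mistake.
    return (0, 'EAB HMAC key does not look base64url-encoded')
        if $hmac_key !~ /^[A-Za-z0-9_-]+=*$/;
    return (1, undef);
}

my $dir  = JSON::PP->new->decode($directory_json);
my $need = required_prompts($dir);

print "Terms of Service: $need->{tos}\n" if $need->{tos};

if ($need->{eab}) {
    print "The ACME CA requires External Account Binding\n";
    print "Enter the key identifier and HMAC key your CA gave you.\n";
    # In the real CLI these would come from Term::ReadLine prompts;
    # here they are constructed values, the second one deliberately empty.
    for my $pair (['kid-123', 'c2VjcmV0LWhtYWMta2V5'], ['kid-123', '   ']) {
        my ($ok, $err) = check_eab_input(@$pair);
        print $ok ? "EAB input accepted\n" : "Rejected: $err\n";
    }
} else {
    print "No EAB required, proceeding.\n";
}
```

Run it with `perl eab-check.pl`; the first constructed pair is accepted and the whitespace-only key is rejected at the prompt stage rather than during registration.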