[pmg-devel] [PATCH v2 api 2/8] add PMG::CertHelpers module
Wolfgang Bumiller
w.bumiller at proxmox.com
Fri Mar 12 16:23:51 CET 2021
Contains helpers to update certificates and provide locking
for certificates and when accessing acme accounts.
Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
Changes since v1:
* die in both lock helpers on error
src/Makefile | 1 +
src/PMG/CertHelpers.pm | 182 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 183 insertions(+)
create mode 100644 src/PMG/CertHelpers.pm
diff --git a/src/Makefile b/src/Makefile
index 8891a3c..c1d4812 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -55,6 +55,7 @@ LIBSOURCES = \
PMG/HTMLMail.pm \
PMG/ModGroup.pm \
PMG/SMTPPrinter.pm \
+ PMG/CertHelpers.pm \
PMG/Config.pm \
PMG/Cluster.pm \
PMG/ClusterConfig.pm \
diff --git a/src/PMG/CertHelpers.pm b/src/PMG/CertHelpers.pm
new file mode 100644
index 0000000..56b25f7
--- /dev/null
+++ b/src/PMG/CertHelpers.pm
@@ -0,0 +1,182 @@
+package PMG::CertHelpers;
+
+use strict;
+use warnings;
+
+use PVE::Certificate;
+use PVE::JSONSchema;
+use PVE::Tools;
+
+use constant {
+ API_CERT => '/etc/pmg/pmg-api.pem',
+ SMTP_CERT => '/etc/pmg/pmg-tls.pem',
+};
+
+my $account_prefix = '/etc/pmg/acme';
+
+# TODO: Move `pve-acme-account-name` to common and reuse instead of this.
+PVE::JSONSchema::register_standard_option('pmg-acme-account-name', {
+ description => 'ACME account config file name.',
+ type => 'string',
+ format => 'pve-configid',
+ format_description => 'name',
+ optional => 1,
+ default => 'default',
+});
+
+PVE::JSONSchema::register_standard_option('pmg-acme-account-contact', {
+ type => 'string',
+ format => 'email-list',
+ description => 'Contact email addresses.',
+});
+
+PVE::JSONSchema::register_standard_option('pmg-acme-directory-url', {
+ type => 'string',
+ description => 'URL of ACME CA directory endpoint.',
+ pattern => '^https?://.*',
+});
+
+PVE::JSONSchema::register_format('pmg-certificate-type', sub {
+ my ($type, $noerr) = @_;
+
+ if ($type =~ /^(?: api | smtp )$/x) {
+ return $type;
+ }
+ return undef if $noerr;
+ die "value '$type' does not look like a valid certificate type\n";
+});
+
+PVE::JSONSchema::register_standard_option('pmg-certificate-type', {
+ type => 'string',
+ description => 'The TLS certificate type (API or SMTP certificate).',
+ enum => ['api', 'smtp'],
+});
+
+PVE::JSONSchema::register_format('pmg-acme-domain', sub {
+ my ($domain, $noerr) = @_;
+
+ my $label = qr/[a-z0-9][a-z0-9_-]*/i;
+
+ return $domain if $domain =~ /^$label(?:\.$label)+$/;
+ return undef if $noerr;
+ die "value '$domain' does not look like a valid domain name!\n";
+});
+
+PVE::JSONSchema::register_format('pmg-acme-alias', sub {
+ my ($alias, $noerr) = @_;
+
+ my $label = qr/[a-z0-9_][a-z0-9_-]*/i;
+
+ return $alias if $alias =~ /^$label(?:\.$label)+$/;
+ return undef if $noerr;
+ die "value '$alias' does not look like a valid alias name!\n";
+});
+
+my $local_cert_lock = '/var/lock/pmg-certs.lock';
+my $local_acme_lock = '/var/lock/pmg-acme.lock';
+
+sub cert_path : prototype($) {
+ my ($type) = @_;
+ if ($type eq 'api') {
+ return API_CERT;
+ } elsif ($type eq 'smtp') {
+ return SMTP_CERT;
+ } else {
+ die "unknown certificate type '$type'\n";
+ }
+}
+
+sub cert_lock {
+ my ($timeout, $code, @param) = @_;
+
+ my $res = PVE::Tools::lock_file($local_cert_lock, $timeout, $code, @param);
+ die $@ if $@;
+ return $res;
+}
+
+sub set_cert_file {
+ my ($cert, $cert_path, $force) = @_;
+
+ my ($old_cert, $info);
+
+ my $cert_path_old = "${cert_path}.old";
+
+ die "Custom certificate file exists but force flag is not set.\n"
+ if !$force && -e $cert_path;
+
+ PVE::Tools::file_copy($cert_path, $cert_path_old) if -e $cert_path;
+
+ eval {
+ my $gid = undef;
+ if ($cert_path eq &API_CERT) {
+ $gid = getgrnam('www-data') ||
+ die "user www-data not in group file\n";
+ }
+
+ if (defined($gid)) {
+ my $cert_path_tmp = "${cert_path}.tmp";
+ PVE::Tools::file_set_contents($cert_path_tmp, $cert, 0640);
+ if (!chown(-1, $gid, $cert_path_tmp)) {
+ my $msg =
+ "failed to change group ownership of '$cert_path_tmp' to www-data ($gid): $!\n";
+ unlink($cert_path_tmp);
+ die $msg;
+ }
+ if (!rename($cert_path_tmp, $cert_path)) {
+ my $msg =
+ "failed to rename '$cert_path_tmp' to '$cert_path': $!\n";
+ unlink($cert_path_tmp);
+ die $msg;
+ }
+ } else {
+ PVE::Tools::file_set_contents($cert_path, $cert, 0600);
+ }
+
+ $info = PVE::Certificate::get_certificate_info($cert_path);
+ };
+ my $err = $@;
+
+ if ($err) {
+ if (-e $cert_path_old) {
+ eval {
+ warn "Attempting to restore old certificate file..\n";
+ PVE::Tools::file_copy($cert_path_old, $cert_path);
+ };
+ warn "$@\n" if $@;
+ }
+ die "Setting certificate files failed - $err\n"
+ }
+
+ unlink $cert_path_old;
+
+ return $info;
+}
+
+sub lock_acme {
+ my ($account_name, $timeout, $code, @param) = @_;
+
+ my $file = "$local_acme_lock.$account_name";
+
+ my $res = PVE::Tools::lock_file($file, $timeout, $code, @param);
+ die $@ if $@;
+ return $res;
+}
+
+sub acme_account_dir {
+ return $account_prefix;
+}
+
+sub list_acme_accounts {
+ my $accounts = [];
+
+ return $accounts if ! -d $account_prefix;
+
+ PVE::Tools::dir_glob_foreach($account_prefix, qr/[^.]+.*/, sub {
+ my ($name) = @_;
+
+ push @$accounts, $name
+ if PVE::JSONSchema::pve_verify_configid($name, 1);
+ });
+
+ return $accounts;
+}
--
2.20.1
More information about the pmg-devel
mailing list