[pve-devel] [v3 manager 3/7] add ACME account API endpoints
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Apr 27 14:02:10 CEST 2018
for registering, updating, refreshing and deactiving a PVE-managed ACME
account, as well as for retrieving the (optional, but required if
available) terms of service of the ACME API provider / CA.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
PVE/API2/Makefile | 1 +
PVE/API2/ACMEAccount.pm | 364 ++++++++++++++++++++++++++++++++++++++++++++++++
PVE/API2/Cluster.pm | 7 +
3 files changed, 372 insertions(+)
create mode 100644 PVE/API2/ACMEAccount.pm
diff --git a/PVE/API2/Makefile b/PVE/API2/Makefile
index 51b8b30a..d72ddd9b 100644
--- a/PVE/API2/Makefile
+++ b/PVE/API2/Makefile
@@ -14,6 +14,7 @@ PERLSOURCE = \
Pool.pm \
Tasks.pm \
Network.pm \
+ ACMEAccount.pm \
NodeConfig.pm \
Services.pm
diff --git a/PVE/API2/ACMEAccount.pm b/PVE/API2/ACMEAccount.pm
new file mode 100644
index 00000000..31c157d9
--- /dev/null
+++ b/PVE/API2/ACMEAccount.pm
@@ -0,0 +1,364 @@
+package PVE::API2::ACMEAccount;
+
+use strict;
+use warnings;
+
+use PVE::ACME;
+use PVE::CertHelpers;
+use PVE::Exception qw(raise_param_exc);
+use PVE::JSONSchema qw(get_standard_option);
+use PVE::RPCEnvironment;
+use PVE::Tools qw(extract_param);
+
+use base qw(PVE::RESTHandler);
+
+my $acme_directories = [
+ {
+ name => 'Let\'s Encrypt V2',
+ url => 'https://acme-v02.api.letsencrypt.org/directory',
+ },
+ {
+ name => 'Let\'s Encrypt V2 Staging',
+ url => 'https://acme-staging-v02.api.letsencrypt.org/directory',
+ },
+];
+
+my $acme_default_directory_url = $acme_directories->[0]->{url};
+
+my $account_contact_from_param = sub {
+ my ($param) = @_;
+ return [ map { "mailto:$_" } PVE::Tools::split_list(extract_param($param, 'contact')) ];
+};
+
+my $acme_account_dir = PVE::CertHelpers::acme_account_dir();
+
+__PACKAGE__->register_method ({
+ name => 'index',
+ path => '',
+ method => 'GET',
+ permissions => { user => 'all' },
+ description => "ACMEAccount index.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ },
+ },
+ returns => {
+ type => 'array',
+ items => {
+ type => "object",
+ properties => {},
+ },
+ links => [ { rel => 'child', href => "{name}" } ],
+ },
+ code => sub {
+ my ($param) = @_;
+
+ return [
+ { name => 'account' },
+ { name => 'tos' },
+ { name => 'directories' },
+ ];
+ }});
+
+__PACKAGE__->register_method ({
+ name => 'account_index',
+ path => 'account',
+ method => 'GET',
+ permissions => { user => 'all' },
+ description => "ACMEAccount index.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ },
+ },
+ returns => {
+ type => 'array',
+ items => {
+ type => "object",
+ properties => {},
+ },
+ links => [ { rel => 'child', href => "{name}" } ],
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $accounts = PVE::CertHelpers::list_acme_accounts();
+ return [ map { { name => $_ } } @$accounts ];
+ }});
+
+__PACKAGE__->register_method ({
+ name => 'register_account',
+ path => 'account',
+ method => 'POST',
+ description => "Register a new ACME account with CA.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ name => get_standard_option('pve-acme-account-name'),
+ contact => get_standard_option('pve-acme-account-contact'),
+ tos_url => {
+ type => 'string',
+ description => 'URL of CA TermsOfService - setting this indicates agreement.',
+ optional => 1,
+ },
+ directory => get_standard_option('pve-acme-directory-url', {
+ default => $acme_default_directory_url,
+ optional => 1,
+ }),
+ },
+ },
+ returns => {
+ type => 'string',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $account_name = extract_param($param, 'name') // 'default';
+ my $account_file = "${acme_account_dir}/${account_name}";
+
+ mkdir $acme_account_dir;
+
+ raise_param_exc({'name' => "ACME account config file '${account_name}' already exists."})
+ if -e $account_file;
+
+ my $directory = extract_param($param, 'directory') // $acme_default_directory_url;
+ my $contact = $account_contact_from_param->($param);
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $authuser = $rpcenv->get_user();
+
+ my $realcmd = sub {
+ PVE::Cluster::cfs_lock_acme($account_name, 10, sub {
+ die "ACME account config file '${account_name}' already exists.\n"
+ if -e $account_file;
+
+ my $acme = PVE::ACME->new($account_file, $directory);
+ print "Generating ACME account key..\n";
+ $acme->init(4096);
+ print "Registering ACME account..\n";
+ eval { $acme->new_account($param->{tos_url}, contact => $contact); };
+ if ($@) {
+ warn "$@\n";
+ unlink $account_file;
+ die "Registration failed!\n";
+ }
+ print "Registration successful, account URL: '$acme->{location}'\n";
+ });
+ die $@ if $@;
+ };
+
+ return $rpcenv->fork_worker('acmeregister', undef, $authuser, $realcmd);
+ }});
+
+my $update_account = sub {
+ my ($param, $msg, %info) = @_;
+
+ my $account_name = extract_param($param, 'name');
+ my $account_file = "${acme_account_dir}/${account_name}";
+
+ raise_param_exc({'name' => "ACME account config file '${account_name}' does not exist."})
+ if ! -e $account_file;
+
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $authuser = $rpcenv->get_user();
+
+ my $realcmd = sub {
+ PVE::Cluster::cfs_lock_acme($account_name, 10, sub {
+ die "ACME account config file '${account_name}' does not exist.\n"
+ if ! -e $account_file;
+
+ my $acme = PVE::ACME->new($account_file);
+ $acme->load();
+ $acme->update_account(%info);
+ if ($info{status} && $info{status} eq 'deactivated') {
+ my $deactivated_name;
+ for my $i (0..100) {
+ my $candidate = "${acme_account_dir}/_deactivated_${account_name}_${i}";
+ if (! -e $candidate) {
+ $deactivated_name = $candidate;
+ last;
+ }
+ }
+ if ($deactivated_name) {
+ print "Renaming account file from '$account_file' to '$deactivated_name'\n";
+ rename($account_file, $deactivated_name) or
+ warn ".. failed - $!\n";
+ } else {
+ warn "No free slot to rename deactivated account file '$account_file', leaving in place\n";
+ }
+ }
+ });
+ die $@ if $@;
+ };
+
+ return $rpcenv->fork_worker("acme${msg}", undef, $authuser, $realcmd);
+};
+
+__PACKAGE__->register_method ({
+ name => 'update_account',
+ path => 'account/{name}',
+ method => 'PUT',
+ description => "Update existing ACME account information with CA. Note: not specifying any new account information triggers a refresh.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ name => get_standard_option('pve-acme-account-name'),
+ contact => get_standard_option('pve-acme-account-contact', {
+ optional => 1,
+ }),
+ },
+ },
+ returns => {
+ type => 'string',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $contact = $account_contact_from_param->($param);
+ if (scalar @$contact) {
+ return $update_account->($param, 'update', contact => $contact);
+ } else {
+ return $update_account->($param, 'refresh');
+ }
+ }});
+
+__PACKAGE__->register_method ({
+ name => 'get_account',
+ path => 'account/{name}',
+ method => 'GET',
+ description => "Return existing ACME account information.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ name => get_standard_option('pve-acme-account-name'),
+ },
+ },
+ returns => {
+ type => 'object',
+ additionalProperties => 0,
+ properties => {
+ account => {
+ type => 'object',
+ optional => 1,
+ },
+ directory => get_standard_option('pve-acme-directory-url', {
+ optional => 1,
+ }),
+ location => {
+ type => 'string',
+ optional => 1,
+ },
+ tos => {
+ type => 'string',
+ optional => 1,
+ },
+ },
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $account_name = extract_param($param, 'name');
+ my $account_file = "${acme_account_dir}/${account_name}";
+
+ raise_param_exc({'name' => "ACME account config file '${account_name}' does not exist."})
+ if ! -e $account_file;
+
+ my $acme = PVE::ACME->new($account_file);
+ $acme->load();
+
+ my $res = {};
+ $res->{account} = $acme->{account};
+ $res->{directory} = $acme->{directory};
+ $res->{location} = $acme->{location};
+ $res->{tos} = $acme->{tos};
+
+ return $res;
+ }});
+
+__PACKAGE__->register_method ({
+ name => 'deactivate_account',
+ path => 'account/{name}',
+ method => 'DELETE',
+ description => "Deactivate existing ACME account at CA.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ name => get_standard_option('pve-acme-account-name'),
+ },
+ },
+ returns => {
+ type => 'string',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ return $update_account->($param, 'deactivate', status => 'deactivated');
+ }});
+
+__PACKAGE__->register_method ({
+ name => 'get_tos',
+ path => 'tos',
+ method => 'GET',
+ description => "Retrieve ACME TermsOfService URL from CA.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ directory => get_standard_option('pve-acme-directory-url', {
+ default => $acme_default_directory_url,
+ optional => 1,
+ }),
+ },
+ },
+ returns => {
+ type => 'string',
+ description => 'ACME TermsOfService URL.',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $directory = extract_param($param, 'directory') // $acme_default_directory_url;
+
+ my $acme = PVE::ACME->new(undef, $directory);
+ my $meta = $acme->get_meta();
+
+ return $meta ? $meta->{termsOfService} : undef;
+ }});
+
+__PACKAGE__->register_method ({
+ name => 'get_directories',
+ path => 'directories',
+ method => 'GET',
+ description => "Get named known ACME directory endpoints.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {},
+ },
+ returns => {
+ type => 'array',
+ items => {
+ type => 'object',
+ additionalProperties => 0,
+ properties => {
+ name => {
+ type => 'string',
+ },
+ url => get_standard_option('pve-acme-directory-url'),
+ },
+ },
+ },
+ code => sub {
+ my ($param) = @_;
+
+ return $acme_directories;
+ }});
+
+1;
diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index 7f38e61c..2eac6b52 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -24,6 +24,7 @@ use PVE::JSONSchema qw(get_standard_option);
use PVE::Firewall;
use PVE::API2::Firewall::Cluster;
use PVE::API2::ReplicationConfig;
+use PVE::API2::ACMEAccount;
use base qw(PVE::RESTHandler);
@@ -52,6 +53,11 @@ __PACKAGE__->register_method ({
path => 'ha',
});
+__PACKAGE__->register_method ({
+ subclass => "PVE::API2::ACMEAccount",
+ path => 'acme',
+});
+
my $dc_schema = PVE::Cluster::get_datacenter_schema();
my $dc_properties = {
delete => {
@@ -97,6 +103,7 @@ __PACKAGE__->register_method ({
{ name => 'nextid' },
{ name => 'firewall' },
{ name => 'config' },
+ { name => 'acme' },
];
return $result;
--
2.14.2
More information about the pve-devel
mailing list