[pve-devel] [PATCH v2 common 3/4] acme: add challenge plugins
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Apr 30 08:35:52 CEST 2018
On Fri, Apr 27, 2018 at 03:38:26PM +0200, Thomas Lamprecht wrote:
> On 4/19/18 2:01 PM, Fabian Grünbichler wrote:
> > Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> > ---
> > src/PVE/ACME/Challenge.pm | 22 ++++++++++++++
> > src/PVE/ACME/StandAlone.pm | 74 ++++++++++++++++++++++++++++++++++++++++++++++
> > 2 files changed, 96 insertions(+)
> > create mode 100644 src/PVE/ACME/Challenge.pm
> > create mode 100644 src/PVE/ACME/StandAlone.pm
> >
> > diff --git a/src/PVE/ACME/Challenge.pm b/src/PVE/ACME/Challenge.pm
> > new file mode 100644
> > index 0000000..40d32b6
> > --- /dev/null
> > +++ b/src/PVE/ACME/Challenge.pm
> > @@ -0,0 +1,22 @@
> > +package PVE::ACME::Challenge;
> > +
> > +use strict;
> > +use warnings;
> > +
> > +sub supported_challenge_types {
> > + return {};
> > +}
> > +
> > +sub setup {
> > + my ($class, $acme, $authorization) = @_;
> > +
> > + die "implement me\n";
> > +}
> > +
> > +sub teardown {
> > + my ($self) = @_;
> > +
> > + die "implement me\n";
> > +}
> > +
> > +1;
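Review bot: The abstract `PVE::ACME::Challenge` interface documents nothing about its contract: `setup` is invoked as a class method with `($class, $acme, $authorization)` and, judging by the `StandAlone` implementation, is expected to return a blessed object on which `teardown` is later called, but neither stub says so, nor what `supported_challenge_types` keys mean. A short comment above each stub would help plugin authors, e.g. `# setup($class, $acme, $authorization): prepare the challenge response for the given authorization and return a blessed handle; teardown() is called on that handle afterwards`, and `# supported_challenge_types: hash of ACME challenge type name => 1 this plugin can answer`. Presumably callers are expected to invoke `teardown` even when validation fails — if so, that is worth stating explicitly here.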
> > diff --git a/src/PVE/ACME/StandAlone.pm b/src/PVE/ACME/StandAlone.pm
> > new file mode 100644
> > index 0000000..0d82213
> > --- /dev/null
> > +++ b/src/PVE/ACME/StandAlone.pm
> > @@ -0,0 +1,74 @@
> > +package PVE::ACME::StandAlone;
> > +
> > +use strict;
> > +use warnings;
> > +
> > +use base qw(PVE::ACME::Challenge);
> > +
> > +sub supported_challenge_types {
> > + return { 'http-01' => 1 };
> > +}
> > +
> > +sub setup {
> > + my ($class, $acme, $authorization) = @_;
> > +
> > + my $challenges = $authorization->{challenges};
> > + die "no challenges defined in authorization\n" if !$challenges;
> > +
> > + my $http_challenges = [ grep {$_->{type} eq 'http-01'} @$challenges ];
> > + die "no http-01 challenge defined in authorization\n"
> > + if ! scalar $http_challenges;
> > +
> > + my $http_challenge = $http_challenges->[0];
> > +
> > + die "no token found in http-01 challenge\n" if !$http_challenge->{token};
> > +
> > + my $key_authorization = $acme->key_authorization($http_challenge->{token});
> > +
> > + my $server = PVE::ACME::StandAlone::Server->new(80);
> > + $server->{key_auth} = $key_authorization;
> > + my $pid = $server->background();
> > +
> > + my $self = {
> > + server => $server,
> > + pid => $pid,
> > + authorization => $authorization,
> > + key_auth => $key_authorization,
> > + url => $http_challenge->{url},
> > + };
> > +
> > + return bless $self, $class;
> > +}
> > +
> > +sub teardown {
> > + my ($self) = @_;
> > +
> > + kill 'KILL', $self->{pid};
> > +}
> > +
> > +1;
> > +
> > +package PVE::ACME::StandAlone::Server;
> > +
> > +use HTTP::Server::Simple::CGI;
> > +use base qw(HTTP::Server::Simple::CGI);
>
> needs a new dependency on libhttp-server-simple-perl ...
>
> We depend already on libwww-perl here (and access-control and apiclient),
> which also provides a server module AFAIK.
>
> Maybe it would be nicer to reuse this, if possible?
yes, like I mentioned in v1, this can be switched out for any other
"serve content $foo under path $bar" HTTP server implementation.
I'll take a stab at implementing it with HTTP::Daemon :)
>
> > +
> > +sub handle_request {
> > + my $self = shift;
> > + my $cgi = shift;
> > +
> > + my $key_auth = $self->{key_auth};
> > + $key_auth =~ /^(.*)\..*$/;
> > + my $token = $1;
> > +
> > + my $path = $cgi->path_info();
> > + if ($path eq "/.well-known/acme-challenge/${token}") {
> > + print "HTTP/1.0 200 OK\r\n";
> > + print $cgi->header, $key_auth;
> > + } else {
> > + print "HTTP/1.0 404 Not found\r\n";
> > + print $cgi->header;
> > + }
> > +}
> > +
> > +1;
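Review bot: The guard `if ! scalar $http_challenges;` tests the array reference itself, which is always true, so the "no http-01 challenge defined in authorization" error can never fire and an authorization without an http-01 challenge falls through to `$http_challenges->[0]` being undef; it should be `if !scalar @$http_challenges;`. In `handle_request`, `$token` is read from `$1` without checking that the match on `$key_auth` succeeded, so a non-matching value would leave a stale capture from an earlier regex; since `setup` already holds `$http_challenge->{token}`, passing it along with `$server->{token} = $http_challenge->{token};` and comparing the request path against `$self->{token}` avoids re-deriving it from the key authorization at all. `teardown` sends SIGKILL to the forked server but never reaps it, so adding `waitpid $self->{pid}, 0;` after the `kill` would avoid leaving a zombie until the parent exits. The `Server->new(80)` call also binds the listener without any error handling visible in this hunk; a `die` with `$!` if the bind fails (port 80 already in use, or not running as root) would give a clearer failure than the challenge silently timing out.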
> >
>
>