[pve-devel] [Patch V2 manager 6/8] Create ACME Plugin config.

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Apr 1 15:27:13 CEST 2020


On March 31, 2020 12:08 pm, Wolfgang Link wrote:
> With this configuration it is possible to use many different plugins
> with different providers and users.
> 
> Signed-off-by: Wolfgang Link <w.link at proxmox.com>
> ---
>  PVE/API2/ACMEPlugin.pm | 120 +++++++++++++++++++++++++++++++++++++++++
>  PVE/API2/Cluster.pm    |   6 +++
>  PVE/API2/Makefile      |   1 +
>  PVE/CLI/pvenode.pm     |  11 ++++
>  4 files changed, 138 insertions(+)
>  create mode 100644 PVE/API2/ACMEPlugin.pm
> 
> diff --git a/PVE/API2/ACMEPlugin.pm b/PVE/API2/ACMEPlugin.pm
> new file mode 100644
> index 00000000..46d9b19e
> --- /dev/null
> +++ b/PVE/API2/ACMEPlugin.pm
> @@ -0,0 +1,120 @@
> +package PVE::API2::ACMEPlugin;
> +
> +use strict;
> +use warnings;
> +
> +use PVE::ACME::Challenge;
> +use PVE::Tools qw(extract_param);
> +
> +PVE::ACME::DNSChallenge->register();
> +PVE::ACME::StandAlone->register();
> +PVE::ACME::Challenge->init();
> +
> +use base qw(PVE::RESTHandler);
> +
> +__PACKAGE__->register_method({
> +    name => 'get_plugin_options',
> +    path => 'plugin',
> +    method => 'GET',
> +    description => "Get ACME DNS plugin configuration options.",
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit' ]],

this is a privilege that lots of users have (e.g., monitoring access). I 
think we need something more if we return DNS access tokens here? also, 
this needs protected=>1, since the config file is in priv/

> +    },
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	},
> +    },
> +    returns => {
> +	type => 'string',
> +    },
> +    code => sub {
> +
> +	my $config = PVE::ACME::Challenge::load_config();
> +	my $line = '';
> +	foreach my $ids (sort (keys %{$config->{ids}})) {
> +	    $line .= "name: $ids\n";
> +	    foreach my $k (sort (keys %{$config->{ids}->{$ids}})) {
> +		my $v = $config->{ids}->{$ids}->{$k};
> +		if ($k eq 'data') {
> +		    $v = PVE::Tools::encode_text($config->{ids}->{$ids}->{$k});
> +		}
> +		$line .= "$k: $v\n";
> +	    }
> +	    $line .="\n";
> +	}
> +	return $line;

why not return the parsed config?

> +    }});
> +
> +my $update_config = sub {
> +    my ($id, $op, $type, $param) = @_;
> +
> +    my $conf = PVE::ACME::Challenge::load_config();
> +
> +    if ( $op eq "add" ) {
> +	die "Section with ID: $id already exists\n"
> +	    if defined($conf->{ids}->{$id});
> +	$conf->{ids}->{$id}->{type} = $type;
> +    } elsif ($op eq "del") {
> +	delete $conf->{ids}->{$id};
> +    }
> +
> +    foreach my $opt (keys %$param) {
> +	$conf->{ids}->{$id}->{$opt} = $param->{$opt};
> +    }
> +
> +    PVE::ACME::Challenge::write_conf($conf);
> +};
> +
> +__PACKAGE__->register_method({
> +    name => 'add_plugin',
> +    path => 'plugin',
> +    method => 'POST',
> +    description => "Add ACME DNS plugin configuration.",
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Modify' ]],
> +    },
> +    protected => 1,
> +    parameters => PVE::ACME::Challenge->createSchema(),
> +    returns => { type => "null" },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $id = extract_param($param, 'id');
> +	my $type = extract_param($param, 'type');
> +
> +	PVE::ACME::Challenge::lock_config($update_config, $id, "add", $type, $param);
> +
> +	return undef;
> +    }});
> +
> +__PACKAGE__->register_method({
> +    name => 'delete_plugin',
> +    path => 'plugin',
> +    method => 'DELETE',
> +    description => "Delete ACME DNS plugin configuration.",
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Modify' ]],
> +    },
> +    protected => 1,
> +    parameters => {
> +		additionalProperties => 0,
> +		properties => {
> +		    id => {
> +			description => "Plugin configuration name",
> +			type => 'string',
> +		    },
> +		},
> +    },
> +    returns => { type => "null" },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $id = extract_param($param, 'id');
> +
> +	PVE::ACME::Challenge::lock_config($update_config, $id, "del", undef, $param);
> +
> +	return undef;
> +    }});
> +
> +1;
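Review bot: In `$update_config` the `del` branch deletes the section and then falls through to the `foreach my $opt (keys %$param)` loop, so any key still present in `$param` autovivifies `$conf->{ids}->{$id}` again and a type-less section is written back; the DELETE schema happens to leave `$param` empty after `extract_param`, but nothing enforces that, and an unknown `$op` ends up in the same loop. Deleting an id that does not exist also succeeds silently, while `add` dies on a duplicate. I would add `die "Section with ID: $id does not exist\n" if !defined($conf->{ids}->{$id});` before the `delete` and move the option loop into the `add` branch (or guard it with `if ($op eq 'add')`). Separately, `PVE::ACME::DNSChallenge->register()` and `PVE::ACME::StandAlone->register()` are called without a `use` of those packages in this file; unless `PVE::ACME::Challenge` loads them itself, this works only by load order and deserves an explicit `use` or a comment saying where they come from.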
> diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
> index c802d440..0810da0a 100644
> --- a/PVE/API2/Cluster.pm
> +++ b/PVE/API2/Cluster.pm
> @@ -21,6 +21,7 @@ use PVE::Storage;
>  use PVE::Tools qw(extract_param);
>  
>  use PVE::API2::ACMEAccount;
> +use PVE::API2::ACMEPlugin;
>  use PVE::API2::Backup;
>  use PVE::API2::Cluster::Ceph;
>  use PVE::API2::ClusterConfig;
> @@ -66,6 +67,11 @@ __PACKAGE__->register_method ({
>      path => 'acme',
>  });
>  
> +__PACKAGE__->register_method ({
> +    subclass => "PVE::API2::ACMEPlugin",
> +    path => 'acmeplugin',
> +});
> +
>  __PACKAGE__->register_method ({
>      subclass => "PVE::API2::Cluster::Ceph",
>      path => 'ceph',
> diff --git a/PVE/API2/Makefile b/PVE/API2/Makefile
> index 8554efa1..28ecc070 100644
> --- a/PVE/API2/Makefile
> +++ b/PVE/API2/Makefile
> @@ -19,6 +19,7 @@ PERLSOURCE = 			\
>  	Certificates.pm		\
>  	ACME.pm			\
>  	ACMEAccount.pm		\
> +	ACMEPlugin.pm		\
>  	NodeConfig.pm		\
>  	Scan.pm			\
>  	Hardware.pm		\
> diff --git a/PVE/CLI/pvenode.pm b/PVE/CLI/pvenode.pm
> index fd3cf52d..d9e41a8e 100644
> --- a/PVE/CLI/pvenode.pm
> +++ b/PVE/CLI/pvenode.pm
> @@ -5,6 +5,7 @@ use warnings;
>  
>  use PVE::API2::ACME;
>  use PVE::API2::ACMEAccount;
> +use PVE::API2::ACMEPlugin;
>  use PVE::API2::Certificates;
>  use PVE::API2::NodeConfig;
>  use PVE::API2::Nodes;
> @@ -207,6 +208,16 @@ our $cmddef = {
>  	    renew => [ 'PVE::API2::ACME', 'renew_certificate', [], { node => $nodename }, $upid_exit ],
>  	    revoke => [ 'PVE::API2::ACME', 'revoke_certificate', [], { node => $nodename }, $upid_exit ],
>  	},
> +	plugin => {

namespace? why not under acme like the account stuff?

> +	    get => [ 'PVE::API2::ACMEPlugin', 'get_plugin_options', [], {},
> +		     sub {
> +			 my $line = shift;
> +			 print $line;
> +		     } ],
> +	    add => [ 'PVE::API2::ACMEPlugin', 'add_plugin', ['type', 'id'] ],
> +	    del => [ 'PVE::API2::ACMEPlugin', 'delete_plugin', ['id'] ],
> +	},
> +
>      },
>  
>      wakeonlan => [ 'PVE::API2::Nodes::Nodeinfo', 'wakeonlan', [ 'node' ], {}, sub {
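Review bot: The `get` callback in the new `plugin` entry is a five-line anonymous sub whose tab/space indentation does not match the surrounding `$cmddef` entries; `sub { print shift; }` on one line does the same job and reads like the neighbouring `$upid_exit` usage. The stray blank line left inside the hash before the closing `},` should go as well. The `add` entry takes its positional arguments as `['type', 'id']` while `del` is id-first; if nothing in `createSchema()` (outside this patch) requires that order, `['id', 'type']` would be less surprising on the command line. The enclosing `$cmddef` hash starts and ends outside this hunk.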
> -- 
> 2.20.1
> 
> 
> 
> 
