[pve-devel] [PATCH manager 2/5] fix #4497: acme: add support for external account bindings
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Oct 24 10:32:42 CEST 2023
On October 23, 2023 3:18 pm, Folke Gleumes wrote:
> Signed-off-by: Folke Gleumes <f.gleumes at proxmox.com>
> ---
> PVE/API2/ACMEAccount.pm | 27 ++++++++++++++++++++++++++-
> 1 file changed, 26 insertions(+), 1 deletion(-)
>
> diff --git a/PVE/API2/ACMEAccount.pm b/PVE/API2/ACMEAccount.pm
> index b790843a..daae18d8 100644
> --- a/PVE/API2/ACMEAccount.pm
> +++ b/PVE/API2/ACMEAccount.pm
> @@ -115,6 +115,16 @@ __PACKAGE__->register_method ({
> default => $acme_default_directory_url,
> optional => 1,
> }),
> + eab_kid => {
> + type => 'string',
> + description => 'Key Identifier for External Account Binding.',
> + optional => 1,
> + },
> + eab_hmac_key => {
> + type => 'string',
> + description => 'HMAC key for External Account Binding.',
> + optional => 1,
> + },
Nit: s/_/-/ for new parameters :)
> },
> },
> returns => {
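Review bot: the descriptions of the two added properties (`eab_kid`, `eab_hmac_key`) do not tell a caller what to paste in: RFC 8555 section 7.3.4 has the CA issue an opaque key identifier together with a MAC key that SHOULD be base64url-encoded, and the two are only meaningful as a pair, which `optional => 1` on each does not convey. Suggest spelling that out, e.g. `description => 'Key Identifier for External Account Binding, as issued by the CA.',` and `description => 'Base64url-encoded HMAC key for External Account Binding, as issued by the CA; must be given together with the key identifier.',`. The HMAC key is a credential rather than an ordinary string, so it should stay out of anything that echoes parameters back (task logs, error messages).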
> @@ -130,8 +140,15 @@ __PACKAGE__->register_method ({
> my $account_file = "${acme_account_dir}/${account_name}";
> mkdir $acme_account_dir if ! -e $acme_account_dir;
>
> + my $eab_kid = extract_param($param, 'eab_kid');
> + my $eab_hmac_key = extract_param($param, 'eab_hmac_key');
> +
> raise_param_exc({'name' => "ACME account config file '${account_name}' already exists."})
> if -e $account_file;
> + raise_param_exc({'eab_kid' => "'eab_hmac_key' must be defined if 'eab_kid' is set."})
> + if defined($eab_kid) and not defined($eab_hmac_key);
> + raise_param_exc({'eab_hmac_key' => "'eab_kid' must be defined if 'eab_hmac_key' is set."})
> + if defined($eab_hmac_key) and not defined($eab_kid);
these two checks can be encoded directly in the schema by adding
requires => "name-of-require-parameter"
to both definitions, pointing at the other one. if a caller only
provides either of them and not both (or none), the schema check will
error:
eab_hmac_key: missing property - 'eab_kid' requires this property
without needing any manual handling in the API endpoint handler sub.
>
> my $directory = extract_param($param, 'directory') // $acme_default_directory_url;
> my $contact = $account_contact_from_param->($param);
> @@ -145,7 +162,15 @@ __PACKAGE__->register_method ({
> print "Generating ACME account key..\n";
> $acme->init(4096);
> print "Registering ACME account..\n";
> - eval { $acme->new_account($param->{tos_url}, contact => $contact); };
> + my $info = {contact => $contact};
> + if (defined($eab_kid) and defined($eab_hmac_key)) {
> + $info->{eab} = {
> + kid => $eab_kid,
> + hmac_key => $eab_hmac_key
> + };
> + }
> +
> + eval { $acme->new_account($param->{tos_url}, $info); };
if you switch this line to %$info or $info->%*, the new_account sub can
still take the hash directly instead of a reference, but see comments on
the proxmox-acme patch for possibly nicer signatures.
> if (my $err = $@) {
> unlink $account_file;
> die "Registration failed: $err\n";
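Review bot: the `if (defined($eab_kid) and defined($eab_hmac_key))` guard in this hunk re-checks the both-or-none rule already enforced earlier in the handler (or by the schema, if those checks move there), so `if (defined($eab_kid))` says what is meant; a one-line comment that the two values are optional but tied together would help the next reader. Since `new_account` now receives `$info` as a hash reference, this hunk only works against the matching proxmox-acme change; the series should make that explicit with a versioned dependency on the updated proxmox-acme package so the two cannot be installed out of step.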
> --
> 2.39.2
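The two new parameters end up as the `kid` and `hmac_key` the ACME client needs to build the externalAccountBinding object of RFC 8555 section 7.3.4. The following is an added example, not proxmox-acme or pve-manager code, showing in Python how that binding is constructed on the client side and checked on the CA side; the account JWK, key identifier, HMAC key and newAccount URL are constructed placeholders, and `build_eab`/`verify_eab` are names chosen here.

```python
"""RFC 8555 section 7.3.4 external account binding, both sides.

Added example, not Proxmox code. The JWK, kid, MAC key and URL below are
constructed test values standing in for what a real CA hands out.
"""
import base64
import hashlib
import hmac
import json

NEW_ACCOUNT_URL = "https://acme.example/acme/new-account"      # constructed
EXAMPLE_KID = "kid-0123456789"                                  # constructed
EXAMPLE_HMAC_KEY_B64URL = base64.urlsafe_b64encode(
    b"example-mac-key-not-a-real-secret-0001").rstrip(b"=").decode("ascii")
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_eab(account_jwk: dict, kid: str, hmac_key_b64url: str, url: str) -> dict:
    """Client side: HS256 JWS whose protected header carries the CA's kid and
    the newAccount URL (no nonce), whose payload is the account public JWK,
    signed with the CA-issued MAC key (which arrives base64url-encoded)."""
    protected_b64 = b64url(canonical({"alg": "HS256", "kid": kid, "url": url}))
    payload_b64 = b64url(canonical(account_jwk))
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def verify_eab(eab: dict, outer_jwk: dict, keys_by_kid: dict, url: str) -> bool:
    """CA side: look the MAC key up by kid, recompute the MAC over
    protected.payload in constant time, and require the inner payload to be
    exactly the account key that signed the outer newAccount request."""
    protected = json.loads(b64url_decode(eab["protected"]))
    if protected.get("alg") != "HS256" or protected.get("url") != url:
        return False
    key_b64url = keys_by_kid.get(protected.get("kid"))
    if key_b64url is None:
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(key_b64url), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return json.loads(b64url_decode(eab["payload"])) == outer_jwk


def demo() -> dict:
    """Bind the example account key and run the CA-side checks that matter:
    the right key, a wrong MAC key, a mismatched account key, a wrong URL."""
    eab = build_eab(EXAMPLE_JWK, EXAMPLE_KID, EXAMPLE_HMAC_KEY_B64URL, NEW_ACCOUNT_URL)
    ca_keys = {EXAMPLE_KID: EXAMPLE_HMAC_KEY_B64URL}
    other_jwk = dict(EXAMPLE_JWK, x="someone-elses-x")
    return {
        "valid": verify_eab(eab, EXAMPLE_JWK, ca_keys, NEW_ACCOUNT_URL),
        "wrong_mac_key": verify_eab(eab, EXAMPLE_JWK, {EXAMPLE_KID: b64url(b"wrong")}, NEW_ACCOUNT_URL),
        "other_account_key": verify_eab(eab, other_jwk, ca_keys, NEW_ACCOUNT_URL),
        "wrong_url": verify_eab(eab, EXAMPLE_JWK, ca_keys, "https://acme.example/elsewhere"),
    }


if __name__ == "__main__":
    print(demo())
```

The payload check at the end of `verify_eab` is what makes the binding bind: without it a valid MAC from one CA-issued key could be attached to any account key. That is also why the `kid` and `hmac_key` in the patch must always travel together; one without the other cannot produce a verifiable JWS.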
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel