[pve-devel] [PATCH acme 1/5] fix #4497: add support for external account bindings
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Oct 24 11:07:14 CEST 2023
mostly stylistic nits inline, but also a comment w.r.t. FWICT needles ABI
breakage.
Am 23/10/2023 um 15:18 schrieb Folke Gleumes:
> implementation acording to rfc855 section 7.3.4
s/acording/according/
>
> Signed-off-by: Folke Gleumes <f.gleumes at proxmox.com>
> ---
> src/PVE/ACME.pm | 43 +++++++++++++++++++++++++++++++++++--------
> 1 file changed, 35 insertions(+), 8 deletions(-)
>
> @@ -251,6 +251,28 @@ sub jws {
> };
> }
>
> +# EAB signing using the HS256 alg (HMAC/SHA256).
At least write out the acronym "external account binding" out once here,
or maybe expand the method name "external_account_binding", for clarity.
> +sub eab {
> + my ($self, $eab_kid, $eab_hmac_key, $url) = @_;
> +
> @@ -329,21 +351,26 @@ sub __new_account {
> return $self->{account};
> }
>
> -# Create a new account using data in %info.
> +# Create a new account using data in $info.
> # Optionally pass $tos_url to agree to the given Terms of Service
> # POST to newAccount endpoint
> # Expects a '201 Created' reply
> # Saves and returns the account data
> sub new_account {
> - my ($self, $tos_url, %info) = @_;
> + my ($self, $tos_url, $info) = @_;
This needlessly breaks older call sites though? Why not keep the plain hash
here, you do not really win anything by switching to a hash ref, or?
Let's avoid churn w.r.t. breaking older package dependencies, if not really
required..
> my $url = $self->_method('newAccount');
>
> + if ($info->{'eab'}) {
nit: eab doesn't need quoting
And if you keep the method signature to accept a hash (not a hash reference)
here you could do something like:
if (my $eab = $info{eab}) {
my $eab_hmac_key = decode_base64($eab->{hmac_key});
# ..
}
> + my $eab_hmac_key = decode_base64($info->{'eab'}->{hmac_key});
nit: inconsistent hash key quoting in the same statement
> + $info->{externalAccountBinding} = $self->eab($info->{'eab'}->{kid}, $eab_hmac_key, $url);
> + }
> +
> if ($tos_url) {
> $self->{tos} = $tos_url;
> - $info{termsOfServiceAgreed} = JSON::true;> + $info->{termsOfServiceAgreed} = JSON::true;
can be avoided by keeping the hash
> }
>
> - return $self->__new_account(201, $url, 1, %info);
> + return $self->__new_account(201, $url, 1, %{$info});
like above, can be avoided
> }
>
> # Update existing account with new %info
More information about the pve-devel
mailing list