dns plugin: improve 'data' string encoding/passing

encode the full multi-line string as base64 single-line string on each config write, and decode at config parse time. pass both the data key/value pairs and the secret txtvalue via STDIN instead of as command line arguments. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-04-28 15:46:11 +00:00 · 2020-04-17 15:09:34 +02:00 · 2020-04-17 15:09:34 +02:00 · 13bc64ea1d
commit 13bc64ea1d
parent f0ed07330c
3 changed files with 34 additions and 24 deletions
--- a/src/PVE/ACME/Challenge.pm
+++ b/src/PVE/ACME/Challenge.pm
@ -47,6 +47,26 @@ sub parse_config {
    return $cfg;
 }

+sub encode_value {
+    my ($self, $type, $key, $value) = @_;
+
+    if ($key eq 'data') {
+	$value = MIME::Base64::encode_base64url($value);
+    }
+
+    return $value;
+};
+
+sub decode_value {
+    my ($self, $type, $key, $value) = @_;
+
+    if ($key eq 'data') {
+	$value = MIME::Base64::decode_base64url($value);
+    }
+
+    return $value;
+};
+
 sub supported_challenge_types {
    return [];
 }
--- a/src/PVE/ACME/DNSChallenge.pm
+++ b/src/PVE/ACME/DNSChallenge.pm
@ -170,9 +170,10 @@ my $proxmox_acme_command = sub {
    } else {
 	push @$cmd, $domain;
    }
-    push @$cmd, $txtvalue, $plugin_conf_string;
+    my $input = "$txtvalue\n";
+    $input .= "$plugin_conf_string\n" if $plugin_conf_string;

-    PVE::Tools::run_command($cmd);
+    PVE::Tools::run_command($cmd, input => $input);

    $data->{url} = $challenge->{url};

--- a/src/proxmox-acme
+++ b/src/proxmox-acme
@ -583,21 +583,15 @@ _source_plugin_config() {

 # Proxmox implementation to inject the DNSAPI variables
 _load_plugin_config() {
-    tmp_str="${plugin_conf_string//[^,]}"
-    index="$(_math ${#tmp_str} + 1)"
-    while [ "$index" -gt "0" ]
-    do
-	field=$(_getfield $plugin_conf_string "$index" ",")
-	ADDR=(${field/=/ })
+    while IFS= read -r line; do
+	ADDR=(${line/=/ })
 	key="${ADDR[0]}"
 	value="${ADDR[1]}"

-	# decode base64 encoded values
-	value=$(echo $value | /usr/bin/openssl base64 -d -A)
-
 	# acme.sh uses eval insted of export
-	export "$key"="$value"
-	index="$(_math "$index" - 1)"
+	if [ -n "$key" ]; then
+	    export "$key"="$value"
+	fi
    done
 }

@ -613,13 +607,11 @@ setup() {
  dns_plugin="dns_$1"
  dns_plugin_path="${DNS_PLUGIN_PATH}/${dns_plugin}.sh"
  fqdn="_acme-challenge.$2"
-  txtvalue=$3
+  DEBUG=$3
+  IFS= read -r txtvalue
  plugin_conf_string=$4
-  DEBUG=$5

-  if [ -n "$plugin_conf_string" ]; then
-     _load_plugin_config
-  fi
+  _load_plugin_config

  if ! . "$dns_plugin_path"; then
    _err "Load file $dns_plugin error."
@ -642,13 +634,10 @@ teardown() {
  dns_plugin="dns_$1"
  dns_plugin_path="${DNS_PLUGIN_PATH}/${dns_plugin}.sh"
  fqdn="_acme-challenge.$2"
-  txtvalue=$3
-  plugin_conf_string=$4
-  DEBUG=$5
+  DEBUG=$3
+  IFS= read -r txtvalue

-  if [ -n "$plugin_conf_string" ]; then
-     _load_plugin_config
-  fi
+  _load_plugin_config

  if ! . "$dns_plugin_path"; then
    _err "Load file $dns_plugin error."