proxmox-mirrors/proxmox
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox synced 2025-08-08 12:51:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

acme-api: use product-config instead of custom acme api configuration

Browse Source 
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
This commit is contained in:
Dietmar Maurer 2024-05-17 11:52:57 +02:00
parent 0ffe40fcfa
commit 7c899090e4
8 changed files with 608 additions and 649 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
proxmox-acme-api/Cargo.toml
View File

@ -32,12 +32,15 @@ proxmox-router = { workspace = true, optional = true }
proxmox-sys = { workspace = true, optional = true } proxmox-sys = { workspace = true, optional = true }
proxmox-schema = { workspace = true, features = ["api-macro", "api-types"] } proxmox-schema = { workspace = true, features = ["api-macro", "api-types"] }
proxmox-acme = { workspace = true, optional = true, features = ["api-types"] } proxmox-acme = { workspace = true, optional = true, features = ["api-types"] }
proxmox-product-config = { workspace = true, optional = true }
[features] [features]
default = ["api-types"] default = ["api-types"]
api-types = ["dep:proxmox-acme", "dep:proxmox-serde"] api-types = ["dep:proxmox-acme", "dep:proxmox-serde"]
impl = [ impl = [
"api-types", "api-types",
"dep:proxmox-product-config",
"proxmox-product-config?/impl",
"dep:proxmox-acme", "dep:proxmox-acme",
"proxmox-acme?/impl", "proxmox-acme?/impl",
"proxmox-acme?/async-client", "proxmox-acme?/async-client",

216
proxmox-acme-api/src/account_api_impl.rs
View File

@ -11,9 +11,9 @@ use proxmox_acme::types::AccountData as AcmeAccountData;
use proxmox_rest_server::WorkerTask; use proxmox_rest_server::WorkerTask;
use proxmox_sys::task_warn; use proxmox_sys::task_warn;
use crate::types::{AccountEntry, AccountInfo, AcmeAccountName};
use crate::config::{AcmeApiConfig, DEFAULT_ACME_DIRECTORY_ENTRY};
use crate::account_config::AccountData; use crate::account_config::AccountData;
use crate::config::DEFAULT_ACME_DIRECTORY_ENTRY;
use crate::types::{AccountEntry, AccountInfo, AcmeAccountName};
fn account_contact_from_string(s: &str) -> Vec<String> { fn account_contact_from_string(s: &str) -> Vec<String> {
s.split(&[' ', ';', ',', '\0'][..]) s.split(&[' ', ';', ',', '\0'][..])
@ -21,114 +21,106 @@ fn account_contact_from_string(s: &str) -> Vec<String> {
.collect() .collect()
} }
impl AcmeApiConfig { pub fn list_accounts() -> Result<Vec<AccountEntry>, Error> {
pub fn list_accounts(&self) -> Result<Vec<AccountEntry>, Error> { let mut entries = Vec::new();
let mut entries = Vec::new(); super::account_config::foreach_acme_account(|name| {
self.foreach_acme_account(|name| { entries.push(AccountEntry { name });
entries.push(AccountEntry { name }); ControlFlow::Continue(())
ControlFlow::Continue(()) })?;
})?; Ok(entries)
Ok(entries) }
}
pub async fn get_account(account_name: AcmeAccountName) -> Result<AccountInfo, Error> {
pub async fn get_account( let account_data = super::account_config::load_account_config(&account_name).await?;
&self, Ok(AccountInfo {
account_name: AcmeAccountName, location: account_data.location.clone(),
) -> Result<AccountInfo, Error> { tos: account_data.tos.clone(),
let account_data = self.load_account_config(&account_name).await?; directory: account_data.directory_url.clone(),
Ok(AccountInfo { account: AcmeAccountData {
location: account_data.location.clone(), only_return_existing: false, // don't actually write this out in case it's set
tos: account_data.tos.clone(), ..account_data.account.clone()
directory: account_data.directory_url.clone(), },
account: AcmeAccountData { })
only_return_existing: false, // don't actually write this out in case it's set }
..account_data.account.clone()
}, pub async fn get_tos(directory: Option<String>) -> Result<Option<String>, Error> {
}) let directory = directory.unwrap_or_else(|| DEFAULT_ACME_DIRECTORY_ENTRY.url.to_string());
} Ok(AcmeClient::new(directory)
.terms_of_service_url()
pub async fn get_tos(&self, directory: Option<String>) -> Result<Option<String>, Error> { .await?
let directory = directory.unwrap_or_else(|| DEFAULT_ACME_DIRECTORY_ENTRY.url.to_string()); .map(str::to_owned))
Ok(AcmeClient::new(directory) }
.terms_of_service_url()
.await? pub async fn register_account(
.map(str::to_owned)) name: &AcmeAccountName,
} contact: String,
tos_url: Option<String>,
pub async fn register_account( directory_url: String,
&self, eab_creds: Option<(String, String)>,
name: &AcmeAccountName, ) -> Result<String, Error> {
contact: String, let mut client = AcmeClient::new(directory_url.clone());
tos_url: Option<String>,
directory_url: String, let contact = account_contact_from_string(&contact);
eab_creds: Option<(String, String)>, let account = client
) -> Result<String, Error> { .new_account(tos_url.is_some(), contact, None, eab_creds)
let mut client = AcmeClient::new(directory_url.clone()); .await?;
let contact = account_contact_from_string(&contact); let account = AccountData::from_account_dir_tos(account, directory_url, tos_url);
let account = client
.new_account(tos_url.is_some(), contact, None, eab_creds) super::account_config::create_account_config(&name, &account)?;
.await?;
Ok(account.location)
let account = AccountData::from_account_dir_tos(account, directory_url, tos_url); }
self.create_account_config(&name, &account)?; pub async fn deactivate_account(
worker: &WorkerTask,
Ok(account.location) name: &AcmeAccountName,
} force: bool,
) -> Result<(), Error> {
pub async fn deactivate_account( let mut account_data = super::account_config::load_account_config(name).await?;
&self, let mut client = account_data.client();
worker: &WorkerTask,
name: &AcmeAccountName, match client
force: bool, .update_account(&json!({"status": "deactivated"}))
) -> Result<(), Error> { .await
let mut account_data = self.load_account_config(name).await?; {
let mut client = account_data.client(); Ok(account) => {
account_data.account = account.data.clone();
match client super::account_config::save_account_config(&name, &account_data)?;
.update_account(&json!({"status": "deactivated"})) }
.await Err(err) if !force => return Err(err),
{ Err(err) => {
Ok(account) => { task_warn!(
account_data.account = account.data.clone(); worker,
self.save_account_config(&name, &account_data)?; "error deactivating account {}, proceedeing anyway - {}",
} name,
Err(err) if !force => return Err(err), err,
Err(err) => { );
task_warn!( }
worker, }
"error deactivating account {}, proceedeing anyway - {}",
name, super::account_config::mark_account_deactivated(&name)?;
err,
); Ok(())
} }
}
pub async fn update_account(
self.mark_account_deactivated(&name)?; name: &AcmeAccountName,
contact: Option<String>,
Ok(()) ) -> Result<(), Error> {
} let mut account_data = super::account_config::load_account_config(name).await?;
let mut client = account_data.client();
pub async fn update_account(
&self, let data = match contact {
name: &AcmeAccountName, Some(contact) => json!({
contact: Option<String>, "contact": account_contact_from_string(&contact),
) -> Result<(), Error> { }),
let mut account_data = self.load_account_config(name).await?; None => json!({}),
let mut client = account_data.client(); };
let data = match contact { let account = client.update_account(&data).await?;
Some(contact) => json!({ account_data.account = account.data.clone();
"contact": account_contact_from_string(&contact), super::account_config::save_account_config(&name, &account_data)?;
}),
None => json!({}), Ok(())
};
let account = client.update_account(&data).await?;
account_data.account = account.data.clone();
self.save_account_config(&name, &account_data)?;
Ok(())
}
} }

288
proxmox-acme-api/src/account_config.rs
View File

@ -1,9 +1,9 @@
//! ACME account configuration helpers (load/save config) //! ACME account configuration helpers (load/save config)
use std::ops::ControlFlow;
use std::fs::OpenOptions; use std::fs::OpenOptions;
use std::path::Path; use std::ops::ControlFlow;
use std::os::unix::fs::OpenOptionsExt; use std::os::unix::fs::OpenOptionsExt;
use std::path::{Path, PathBuf};
use anyhow::{bail, format_err, Error}; use anyhow::{bail, format_err, Error};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
@ -17,7 +17,6 @@ use proxmox_acme::async_client::AcmeClient;
use proxmox_acme::types::AccountData as AcmeAccountData; use proxmox_acme::types::AccountData as AcmeAccountData;
use proxmox_acme::Account; use proxmox_acme::Account;
use crate::config::AcmeApiConfig;
use crate::types::AcmeAccountName; use crate::types::AcmeAccountName;
#[inline] #[inline]
@ -79,152 +78,155 @@ impl AccountData {
} }
} }
impl AcmeApiConfig { fn acme_account_dir() -> PathBuf {
fn acme_account_dir(&self) -> String { super::config::acme_config_dir().join("accounts")
format!("{}/{}", self.config_dir, "accounts") }
}
/// Returns the path to the account configuration file (`$config_dir/accounts/$name`). /// Returns the path to the account configuration file (`$config_dir/accounts/$name`).
pub fn account_cfg_filename(&self, name: &str) -> String { pub fn account_cfg_filename(name: &str) -> PathBuf {
format!("{}/{}", self.acme_account_dir(), name) acme_account_dir().join(name)
} }
fn make_acme_account_dir(&self) -> nix::Result<()> { fn make_acme_account_dir() -> nix::Result<()> {
self.make_acme_dir()?; super::config::make_acme_dir()?;
Self::create_acme_subdir(&self.acme_account_dir()) super::config::create_secret_subdir(acme_account_dir())
} }
pub(crate) fn foreach_acme_account<F>(&self, mut func: F) -> Result<(), Error> pub(crate) fn foreach_acme_account<F>(mut func: F) -> Result<(), Error>
where where
F: FnMut(AcmeAccountName) -> ControlFlow<Result<(), Error>>, F: FnMut(AcmeAccountName) -> ControlFlow<Result<(), Error>>,
{ {
match proxmox_sys::fs::scan_subdir(-1, self.acme_account_dir().as_str(), &SAFE_ID_REGEX) { match proxmox_sys::fs::scan_subdir(-1, acme_account_dir().as_path(), &SAFE_ID_REGEX) {
Ok(files) => { Ok(files) => {
for file in files { for file in files {
let file = file?; let file = file?;
let file_name = unsafe { file.file_name_utf8_unchecked() }; let file_name = unsafe { file.file_name_utf8_unchecked() };
if file_name.starts_with('_') { if file_name.starts_with('_') {
continue; continue;
} }
let account_name = match AcmeAccountName::from_string(file_name.to_owned()) { let account_name = match AcmeAccountName::from_string(file_name.to_owned()) {
Ok(account_name) => account_name, Ok(account_name) => account_name,
Err(_) => continue, Err(_) => continue,
}; };
if let ControlFlow::Break(result) = func(account_name) { if let ControlFlow::Break(result) = func(account_name) {
return result; return result;
}
} }
Ok(())
} }
Err(err) if err.not_found() => Ok(()), Ok(())
Err(err) => Err(err.into()),
} }
} Err(err) if err.not_found() => Ok(()),
Err(err) => Err(err.into()),
// Mark account as deactivated
pub(crate) fn mark_account_deactivated(&self, account_name: &str) -> Result<(), Error> {
let from = self.account_cfg_filename(account_name);
for i in 0..100 {
let to = self.account_cfg_filename(&format!("_deactivated_{}_{}", account_name, i));
if !Path::new(&to).exists() {
return std::fs::rename(&from, &to).map_err(|err| {
format_err!(
"failed to move account path {:?} to {:?} - {}",
from,
to,
err
)
});
}
}
bail!(
"No free slot to rename deactivated account {:?}, please cleanup {:?}",
from,
self.acme_account_dir()
);
}
// Load an existing ACME account by name.
pub(crate) async fn load_account_config(&self, account_name: &str) -> Result<AccountData, Error> {
let account_cfg_filename = self.account_cfg_filename(account_name);
let data = match tokio::fs::read(&account_cfg_filename).await {
Ok(data) => data,
Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
bail!("acme account '{}' does not exist", account_name)
}
Err(err) => bail!(
"failed to load acme account from '{}' - {}",
account_cfg_filename,
err
),
};
let data: AccountData = serde_json::from_slice(&data).map_err(|err| {
format_err!(
"failed to parse acme account from '{}' - {}",
account_cfg_filename,
err
)
})?;
Ok(data)
}
// Save an new ACME account (fails if the file already exists).
pub(crate) fn create_account_config(
&self,
account_name: &AcmeAccountName,
account: &AccountData,
) -> Result<(), Error> {
self.make_acme_account_dir()?;
let account_cfg_filename = self.account_cfg_filename(account_name.as_ref());
let file = OpenOptions::new()
.write(true)
.create_new(true)
.mode(0o600)
.open(&account_cfg_filename)
.map_err(|err| format_err!("failed to open {:?} for writing: {}", account_cfg_filename, err))?;
serde_json::to_writer_pretty(file, account).map_err(|err| {
format_err!(
"failed to write acme account to {:?}: {}",
account_cfg_filename,
err
)
})?;
Ok(())
}
// Save ACME account data (overtwrite existing data).
pub(crate) fn save_account_config(
&self,
account_name: &AcmeAccountName,
account: &AccountData,
) -> Result<(), Error> {
let account_cfg_filename = self.account_cfg_filename(account_name.as_ref());
let mut data = Vec::<u8>::new();
serde_json::to_writer_pretty(&mut data, account).map_err(|err| {
format_err!(
"failed to serialize acme account to {:?}: {}",
account_cfg_filename,
err
)
})?;
self.make_acme_account_dir()?;
replace_file(
account_cfg_filename,
&data,
CreateOptions::new()
.perm(nix::sys::stat::Mode::from_bits_truncate(0o600))
.owner(nix::unistd::ROOT)
.group(nix::unistd::Gid::from_raw(0)),
true,
)
} }
} }
// Mark account as deactivated
pub(crate) fn mark_account_deactivated(account_name: &str) -> Result<(), Error> {
let from = account_cfg_filename(account_name);
for i in 0..100 {
let to = account_cfg_filename(&format!("_deactivated_{}_{}", account_name, i));
if !Path::new(&to).exists() {
return std::fs::rename(&from, &to).map_err(|err| {
format_err!(
"failed to move account path {:?} to {:?} - {}",
from,
to,
err
)
});
}
}
bail!(
"No free slot to rename deactivated account {:?}, please cleanup {:?}",
from,
acme_account_dir()
);
}
// Load an existing ACME account by name.
pub(crate) async fn load_account_config(account_name: &str) -> Result<AccountData, Error> {
let account_cfg_filename = account_cfg_filename(account_name);
let data = match tokio::fs::read(&account_cfg_filename).await {
Ok(data) => data,
Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
bail!("acme account '{}' does not exist", account_name)
}
Err(err) => bail!(
"failed to load acme account from {:?} - {}",
account_cfg_filename,
err
),
};
let data: AccountData = serde_json::from_slice(&data).map_err(|err| {
format_err!(
"failed to parse acme account from {:?} - {}",
account_cfg_filename,
err
)
})?;
Ok(data)
}
// Save an new ACME account (fails if the file already exists).
pub(crate) fn create_account_config(
account_name: &AcmeAccountName,
account: &AccountData,
) -> Result<(), Error> {
make_acme_account_dir()?;
let account_cfg_filename = account_cfg_filename(account_name.as_ref());
let file = OpenOptions::new()
.write(true)
.create_new(true)
.mode(0o600)
.open(&account_cfg_filename)
.map_err(|err| {
format_err!(
"failed to open {:?} for writing: {}",
account_cfg_filename,
err
)
})?;
serde_json::to_writer_pretty(file, account).map_err(|err| {
format_err!(
"failed to write acme account to {:?}: {}",
account_cfg_filename,
err
)
})?;
Ok(())
}
// Save ACME account data (overtwrite existing data).
pub(crate) fn save_account_config(
account_name: &AcmeAccountName,
account: &AccountData,
) -> Result<(), Error> {
let account_cfg_filename = account_cfg_filename(account_name.as_ref());
let mut data = Vec::<u8>::new();
serde_json::to_writer_pretty(&mut data, account).map_err(|err| {
format_err!(
"failed to serialize acme account to {:?}: {}",
account_cfg_filename,
err
)
})?;
make_acme_account_dir()?;
replace_file(
account_cfg_filename,
&data,
CreateOptions::new()
.perm(nix::sys::stat::Mode::from_bits_truncate(0o600))
.owner(nix::unistd::ROOT)
.group(nix::unistd::Gid::from_raw(0)),
true,
)
}

352
proxmox-acme-api/src/certificate_helpers.rs
View File

@ -7,7 +7,6 @@ use proxmox_acme::async_client::AcmeClient;
use proxmox_rest_server::WorkerTask; use proxmox_rest_server::WorkerTask;
use proxmox_sys::{task_log, task_warn}; use proxmox_sys::{task_log, task_warn};
use crate::config::AcmeApiConfig;
use crate::types::{AcmeConfig, AcmeDomain}; use crate::types::{AcmeConfig, AcmeDomain};
pub struct OrderedCertificate { pub struct OrderedCertificate {
@ -15,192 +14,191 @@ pub struct OrderedCertificate {
pub private_key_pem: Vec<u8>, pub private_key_pem: Vec<u8>,
} }
impl AcmeApiConfig { pub async fn order_certificate(
pub async fn order_certificate( worker: Arc<WorkerTask>,
&self, acme_config: AcmeConfig,
worker: Arc<WorkerTask>, domains: Vec<AcmeDomain>,
acme_config: AcmeConfig, ) -> Result<Option<OrderedCertificate>, Error> {
domains: Vec<AcmeDomain>, use proxmox_acme::authorization::Status;
) -> Result<Option<OrderedCertificate>, Error> { use proxmox_acme::order::Identifier;
use proxmox_acme::authorization::Status;
use proxmox_acme::order::Identifier;
let get_domain_config = |domain: &str| { let get_domain_config = |domain: &str| {
domains domains
.iter()
.find(|d| d.domain == domain)
.ok_or_else(|| format_err!("no config for domain '{}'", domain))
};
if domains.is_empty() {
task_log!(
worker,
"No domains configured to be ordered from an ACME server."
);
return Ok(None);
}
let mut acme = self.load_account_config(&acme_config.account).await?.client();
let (plugins, _) = self.plugin_config()?;
task_log!(worker, "Placing ACME order");
let order = acme
.new_order(domains.iter().map(|d| d.domain.to_ascii_lowercase()))
.await?;
task_log!(worker, "Order URL: {}", order.location);
let identifiers: Vec<String> = order
.data
.identifiers
.iter() .iter()
.map(|identifier| match identifier { .find(|d| d.domain == domain)
Identifier::Dns(domain) => domain.clone(), .ok_or_else(|| format_err!("no config for domain '{}'", domain))
}) };
.collect();
for auth_url in &order.data.authorizations { if domains.is_empty() {
task_log!(worker, "Getting authorization details from '{}'", auth_url); task_log!(
let mut auth = acme.get_authorization(auth_url).await?; worker,
"No domains configured to be ordered from an ACME server."
let domain = match &mut auth.identifier { );
Identifier::Dns(domain) => domain.to_ascii_lowercase(), return Ok(None);
};
if auth.status == Status::Valid {
task_log!(worker, "{} is already validated!", domain);
continue;
}
task_log!(worker, "The validation for {} is pending", domain);
let domain_config: &AcmeDomain = get_domain_config(&domain)?;
let plugin_id = domain_config.plugin.as_deref().unwrap_or("standalone");
let mut plugin_cfg = crate::acme_plugin::get_acme_plugin(&plugins, plugin_id)?
.ok_or_else(|| {
format_err!("plugin '{}' for domain '{}' not found!", plugin_id, domain)
})?;
task_log!(worker, "Setting up validation plugin");
let validation_url = plugin_cfg
.setup(&mut acme, &auth, domain_config, Arc::clone(&worker))
.await?;
let result = Self::request_validation(&worker, &mut acme, auth_url, validation_url).await;
if let Err(err) = plugin_cfg
.teardown(&mut acme, &auth, domain_config, Arc::clone(&worker))
.await
{
task_warn!(
worker,
"Failed to teardown plugin '{}' for domain '{}' - {}",
plugin_id,
domain,
err
);
}
result?;
}
task_log!(worker, "All domains validated");
task_log!(worker, "Creating CSR");
let csr = proxmox_acme::util::Csr::generate(&identifiers, &Default::default())?;
let mut finalize_error_cnt = 0u8;
let order_url = &order.location;
let mut order;
loop {
use proxmox_acme::order::Status;
order = acme.get_order(order_url).await?;
match order.status {
Status::Pending => {
task_log!(worker, "still pending, trying to finalize anyway");
let finalize = order
.finalize
.as_deref()
.ok_or_else(|| format_err!("missing 'finalize' URL in order"))?;
if let Err(err) = acme.finalize(finalize, &csr.data).await {
if finalize_error_cnt >= 5 {
return Err(err);
}
finalize_error_cnt += 1;
}
tokio::time::sleep(Duration::from_secs(5)).await;
}
Status::Ready => {
task_log!(worker, "order is ready, finalizing");
let finalize = order
.finalize
.as_deref()
.ok_or_else(|| format_err!("missing 'finalize' URL in order"))?;
acme.finalize(finalize, &csr.data).await?;
tokio::time::sleep(Duration::from_secs(5)).await;
}
Status::Processing => {
task_log!(worker, "still processing, trying again in 30 seconds");
tokio::time::sleep(Duration::from_secs(30)).await;
}
Status::Valid => {
task_log!(worker, "valid");
break;
}
other => bail!("order status: {:?}", other),
}
}
task_log!(worker, "Downloading certificate");
let certificate = acme
.get_certificate(
order
.certificate
.as_deref()
.ok_or_else(|| format_err!("missing certificate url in finalized order"))?,
)
.await?;
Ok(Some(OrderedCertificate {
certificate: certificate.to_vec(),
private_key_pem: csr.private_key_pem,
}))
} }
async fn request_validation( let mut acme = super::account_config::load_account_config(&acme_config.account)
worker: &WorkerTask, .await?
acme: &mut AcmeClient, .client();
auth_url: &str,
validation_url: &str,
) -> Result<(), Error> {
task_log!(worker, "Triggering validation");
acme.request_challenge_validation(validation_url).await?;
task_log!(worker, "Sleeping for 5 seconds"); let (plugins, _) = super::plugin_config::plugin_config()?;
tokio::time::sleep(Duration::from_secs(5)).await;
loop { task_log!(worker, "Placing ACME order");
use proxmox_acme::authorization::Status;
let auth = acme.get_authorization(auth_url).await?; let order = acme
match auth.status { .new_order(domains.iter().map(|d| d.domain.to_ascii_lowercase()))
Status::Pending => { .await?;
task_log!(
worker, task_log!(worker, "Order URL: {}", order.location);
"Status is still 'pending', trying again in 10 seconds"
); let identifiers: Vec<String> = order
tokio::time::sleep(Duration::from_secs(10)).await; .data
.identifiers
.iter()
.map(|identifier| match identifier {
Identifier::Dns(domain) => domain.clone(),
})
.collect();
for auth_url in &order.data.authorizations {
task_log!(worker, "Getting authorization details from '{}'", auth_url);
let mut auth = acme.get_authorization(auth_url).await?;
let domain = match &mut auth.identifier {
Identifier::Dns(domain) => domain.to_ascii_lowercase(),
};
if auth.status == Status::Valid {
task_log!(worker, "{} is already validated!", domain);
continue;
}
task_log!(worker, "The validation for {} is pending", domain);
let domain_config: &AcmeDomain = get_domain_config(&domain)?;
let plugin_id = domain_config.plugin.as_deref().unwrap_or("standalone");
let mut plugin_cfg =
crate::acme_plugin::get_acme_plugin(&plugins, plugin_id)?.ok_or_else(|| {
format_err!("plugin '{}' for domain '{}' not found!", plugin_id, domain)
})?;
task_log!(worker, "Setting up validation plugin");
let validation_url = plugin_cfg
.setup(&mut acme, &auth, domain_config, Arc::clone(&worker))
.await?;
let result = request_validation(&worker, &mut acme, auth_url, validation_url).await;
if let Err(err) = plugin_cfg
.teardown(&mut acme, &auth, domain_config, Arc::clone(&worker))
.await
{
task_warn!(
worker,
"Failed to teardown plugin '{}' for domain '{}' - {}",
plugin_id,
domain,
err
);
}
result?;
}
task_log!(worker, "All domains validated");
task_log!(worker, "Creating CSR");
let csr = proxmox_acme::util::Csr::generate(&identifiers, &Default::default())?;
let mut finalize_error_cnt = 0u8;
let order_url = &order.location;
let mut order;
loop {
use proxmox_acme::order::Status;
order = acme.get_order(order_url).await?;
match order.status {
Status::Pending => {
task_log!(worker, "still pending, trying to finalize anyway");
let finalize = order
.finalize
.as_deref()
.ok_or_else(|| format_err!("missing 'finalize' URL in order"))?;
if let Err(err) = acme.finalize(finalize, &csr.data).await {
if finalize_error_cnt >= 5 {
return Err(err);
}
finalize_error_cnt += 1;
} }
Status::Valid => return Ok(()), tokio::time::sleep(Duration::from_secs(5)).await;
other => bail!(
"validating challenge '{}' failed - status: {:?}",
validation_url,
other
),
} }
Status::Ready => {
task_log!(worker, "order is ready, finalizing");
let finalize = order
.finalize
.as_deref()
.ok_or_else(|| format_err!("missing 'finalize' URL in order"))?;
acme.finalize(finalize, &csr.data).await?;
tokio::time::sleep(Duration::from_secs(5)).await;
}
Status::Processing => {
task_log!(worker, "still processing, trying again in 30 seconds");
tokio::time::sleep(Duration::from_secs(30)).await;
}
Status::Valid => {
task_log!(worker, "valid");
break;
}
other => bail!("order status: {:?}", other),
}
}
task_log!(worker, "Downloading certificate");
let certificate = acme
.get_certificate(
order
.certificate
.as_deref()
.ok_or_else(|| format_err!("missing certificate url in finalized order"))?,
)
.await?;
Ok(Some(OrderedCertificate {
certificate: certificate.to_vec(),
private_key_pem: csr.private_key_pem,
}))
}
async fn request_validation(
worker: &WorkerTask,
acme: &mut AcmeClient,
auth_url: &str,
validation_url: &str,
) -> Result<(), Error> {
task_log!(worker, "Triggering validation");
acme.request_challenge_validation(validation_url).await?;
task_log!(worker, "Sleeping for 5 seconds");
tokio::time::sleep(Duration::from_secs(5)).await;
loop {
use proxmox_acme::authorization::Status;
let auth = acme.get_authorization(auth_url).await?;
match auth.status {
Status::Pending => {
task_log!(
worker,
"Status is still 'pending', trying again in 10 seconds"
);
tokio::time::sleep(Duration::from_secs(10)).await;
}
Status::Valid => return Ok(()),
other => bail!(
"validating challenge '{}' failed - status: {:?}",
validation_url,
other
),
} }
} }
} }

63
proxmox-acme-api/src/config.rs
View File

@ -1,26 +1,15 @@
//! ACME API Configuration. //! ACME API Configuration.
use std::borrow::Cow; use std::borrow::Cow;
use std::path::{Path, PathBuf};
use proxmox_sys::error::SysError; use proxmox_sys::error::SysError;
use proxmox_sys::fs::CreateOptions; use proxmox_sys::fs::CreateOptions;
use proxmox_product_config::product_config;
use crate::types::KnownAcmeDirectory; use crate::types::KnownAcmeDirectory;
/// ACME API Configuration.
///
/// This struct provides access to the server side configuration, like the
/// configuration directory. All ACME API functions are implemented as member
/// fuction, so they all have access to this configuration.
///
pub struct AcmeApiConfig {
/// Path to the ACME configuration directory.
pub config_dir: &'static str,
/// Configuration file owner.
pub file_owner: fn() -> nix::unistd::User,
}
/// List of known ACME directorties. /// List of known ACME directorties.
pub const KNOWN_ACME_DIRECTORIES: &[KnownAcmeDirectory] = &[ pub const KNOWN_ACME_DIRECTORIES: &[KnownAcmeDirectory] = &[
KnownAcmeDirectory { KnownAcmeDirectory {
@ -36,33 +25,31 @@ pub const KNOWN_ACME_DIRECTORIES: &[KnownAcmeDirectory] = &[
/// Default ACME directorties. /// Default ACME directorties.
pub const DEFAULT_ACME_DIRECTORY_ENTRY: &KnownAcmeDirectory = &KNOWN_ACME_DIRECTORIES[0]; pub const DEFAULT_ACME_DIRECTORY_ENTRY: &KnownAcmeDirectory = &KNOWN_ACME_DIRECTORIES[0];
// local helpers to read/write acme configuration pub(crate) fn acme_config_dir() -> PathBuf {
impl AcmeApiConfig { product_config().absolute_path("acme")
pub(crate) fn acme_config_dir(&self) -> &'static str { }
self.config_dir
}
pub(crate) fn plugin_cfg_filename(&self) -> String { pub(crate) fn plugin_cfg_filename() -> PathBuf {
format!("{}/plugins.cfg", self.acme_config_dir()) acme_config_dir().join("plugins.cfg")
} }
pub(crate) fn plugin_cfg_lockfile(&self) -> String {
format!("{}/.plugins.lck", self.acme_config_dir())
}
pub(crate) fn create_acme_subdir(dir: &str) -> nix::Result<()> { pub(crate) fn plugin_cfg_lockfile() -> PathBuf {
let root_only = CreateOptions::new() acme_config_dir().join("plugins.lck")
.owner(nix::unistd::ROOT) }
.group(nix::unistd::Gid::from_raw(0))
.perm(nix::sys::stat::Mode::from_bits_truncate(0o700));
match proxmox_sys::fs::create_dir(dir, root_only) { pub(crate) fn create_secret_subdir<P: AsRef<Path>>(dir: P) -> nix::Result<()> {
Ok(()) => Ok(()), let root_only = CreateOptions::new()
Err(err) if err.already_exists() => Ok(()), .owner(nix::unistd::ROOT)
Err(err) => Err(err), .group(nix::unistd::Gid::from_raw(0))
} .perm(nix::sys::stat::Mode::from_bits_truncate(0o700));
}
pub(crate) fn make_acme_dir(&self) -> nix::Result<()> { match proxmox_sys::fs::create_dir(dir, root_only) {
Self::create_acme_subdir(&self.acme_config_dir()) Ok(()) => Ok(()),
Err(err) if err.already_exists() => Ok(()),
Err(err) => Err(err),
} }
} }
pub(crate) fn make_acme_dir() -> nix::Result<()> {
create_secret_subdir(acme_config_dir())
}

26
proxmox-acme-api/src/lib.rs
View File

@ -4,25 +4,37 @@
pub mod types; pub mod types;
#[cfg(feature = "impl")] #[cfg(feature = "impl")]
pub mod challenge_schemas; mod config;
#[cfg(feature = "impl")] #[cfg(feature = "impl")]
pub mod config; mod challenge_schemas;
#[cfg(feature = "impl")]
pub use challenge_schemas::get_cached_challenge_schemas;
#[cfg(feature = "impl")] #[cfg(feature = "impl")]
pub(crate) mod account_config; mod account_config;
#[cfg(feature = "impl")] #[cfg(feature = "impl")]
pub(crate) mod plugin_config; mod plugin_config;
#[cfg(feature = "impl")] #[cfg(feature = "impl")]
pub(crate) mod account_api_impl; mod account_api_impl;
#[cfg(feature = "impl")]
pub use account_api_impl::{
deactivate_account, get_account, get_tos, list_accounts, register_account, update_account,
};
#[cfg(feature = "impl")] #[cfg(feature = "impl")]
pub(crate) mod plugin_api_impl; mod plugin_api_impl;
#[cfg(feature = "impl")]
pub use plugin_api_impl::{add_plugin, delete_plugin, get_plugin, list_plugins, update_plugin};
#[cfg(feature = "impl")] #[cfg(feature = "impl")]
pub(crate) mod acme_plugin; pub(crate) mod acme_plugin;
#[cfg(feature = "impl")] #[cfg(feature = "impl")]
pub(crate) mod certificate_helpers; mod certificate_helpers;
#[cfg(feature = "impl")]
pub use certificate_helpers::order_certificate;

235
proxmox-acme-api/src/plugin_api_impl.rs
View File

@ -8,152 +8,141 @@ use serde_json::Value;
use proxmox_schema::param_bail; use proxmox_schema::param_bail;
use crate::config::AcmeApiConfig; use crate::types::{
use crate::types::{DeletablePluginProperty, PluginConfig, DnsPlugin, DnsPluginCore, DnsPluginCoreUpdater}; DeletablePluginProperty, DnsPlugin, DnsPluginCore, DnsPluginCoreUpdater, PluginConfig,
};
use proxmox_router::{http_bail, RpcEnvironment}; use proxmox_router::{http_bail, RpcEnvironment};
impl AcmeApiConfig { pub fn list_plugins(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<PluginConfig>, Error> {
pub fn list_plugins( let (plugins, digest) = super::plugin_config::plugin_config()?;
&self,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<PluginConfig>, Error> {
let (plugins, digest) = self.plugin_config()?;
rpcenv["digest"] = hex::encode(digest).into(); rpcenv["digest"] = hex::encode(digest).into();
Ok(plugins Ok(plugins
.iter() .iter()
.map(|(id, (ty, data))| modify_cfg_for_api(id, ty, data)) .map(|(id, (ty, data))| modify_cfg_for_api(id, ty, data))
.collect()) .collect())
}
pub fn get_plugin(
id: String,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<PluginConfig, Error> {
let (plugins, digest) = super::plugin_config::plugin_config()?;
rpcenv["digest"] = hex::encode(digest).into();
match plugins.get(&id) {
Some((ty, data)) => Ok(modify_cfg_for_api(&id, ty, data)),
None => http_bail!(NOT_FOUND, "no such plugin"),
}
}
pub fn add_plugin(r#type: String, core: DnsPluginCore, data: String) -> Result<(), Error> {
// Currently we only support DNS plugins and the standalone plugin is "fixed":
if r#type != "dns" {
param_bail!("type", "invalid ACME plugin type: {:?}", r#type);
} }
pub fn get_plugin( let data = String::from_utf8(base64::decode(data)?)
&self, .map_err(|_| format_err!("data must be valid UTF-8"))?;
id: String,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<PluginConfig, Error> {
let (plugins, digest) = self.plugin_config()?;
rpcenv["digest"] = hex::encode(digest).into();
match plugins.get(&id) { let id = core.id.clone();
Some((ty, data)) => Ok(modify_cfg_for_api(&id, ty, data)),
None => http_bail!(NOT_FOUND, "no such plugin"), let _lock = super::plugin_config::lock_plugin_config()?;
let (mut plugins, _digest) = super::plugin_config::plugin_config()?;
if plugins.contains_key(&id) {
param_bail!("id", "ACME plugin ID {:?} already exists", id);
}
let plugin = serde_json::to_value(DnsPlugin { core, data })?;
plugins.insert(id, r#type, plugin);
super::plugin_config::save_plugin_config(&plugins)?;
Ok(())
}
pub fn update_plugin(
id: String,
update: DnsPluginCoreUpdater,
data: Option<String>,
delete: Option<Vec<DeletablePluginProperty>>,
digest: Option<String>,
) -> Result<(), Error> {
let data = data
.as_deref()
.map(base64::decode)
.transpose()?
.map(String::from_utf8)
.transpose()
.map_err(|_| format_err!("data must be valid UTF-8"))?;
let _lock = super::plugin_config::lock_plugin_config()?;
let (mut plugins, expected_digest) = super::plugin_config::plugin_config()?;
if let Some(digest) = digest {
let digest = <[u8; 32]>::from_hex(digest)?;
if digest != expected_digest {
bail!("detected modified configuration - file changed by other user? Try again.");
} }
} }
pub fn add_plugin( match plugins.get_mut(&id) {
&self, Some((ty, ref mut entry)) => {
r#type: String, if ty != "dns" {
core: DnsPluginCore, bail!("cannot update plugin of type {:?}", ty);
data: String,
) -> Result<(), Error> {
// Currently we only support DNS plugins and the standalone plugin is "fixed":
if r#type != "dns" {
param_bail!("type", "invalid ACME plugin type: {:?}", r#type);
}
let data = String::from_utf8(base64::decode(data)?)
.map_err(|_| format_err!("data must be valid UTF-8"))?;
let id = core.id.clone();
let _lock = self.lock_plugin_config()?;
let (mut plugins, _digest) = self.plugin_config()?;
if plugins.contains_key(&id) {
param_bail!("id", "ACME plugin ID {:?} already exists", id);
}
let plugin = serde_json::to_value(DnsPlugin { core, data })?;
plugins.insert(id, r#type, plugin);
self.save_plugin_config(&plugins)?;
Ok(())
}
pub fn update_plugin(
&self,
id: String,
update: DnsPluginCoreUpdater,
data: Option<String>,
delete: Option<Vec<DeletablePluginProperty>>,
digest: Option<String>,
) -> Result<(), Error> {
let data = data
.as_deref()
.map(base64::decode)
.transpose()?
.map(String::from_utf8)
.transpose()
.map_err(|_| format_err!("data must be valid UTF-8"))?;
let _lock = self.lock_plugin_config()?;
let (mut plugins, expected_digest) = self.plugin_config()?;
if let Some(digest) = digest {
let digest = <[u8; 32]>::from_hex(digest)?;
if digest != expected_digest {
bail!("detected modified configuration - file changed by other user? Try again.");
} }
}
match plugins.get_mut(&id) { let mut plugin = DnsPlugin::deserialize(&*entry)?;
Some((ty, ref mut entry)) => {
if ty != "dns" {
bail!("cannot update plugin of type {:?}", ty);
}
let mut plugin = DnsPlugin::deserialize(&*entry)?; if let Some(delete) = delete {
for delete_prop in delete {
if let Some(delete) = delete { match delete_prop {
for delete_prop in delete { DeletablePluginProperty::ValidationDelay => {
match delete_prop { plugin.core.validation_delay = None;
DeletablePluginProperty::ValidationDelay => { }
plugin.core.validation_delay = None; DeletablePluginProperty::Disable => {
} plugin.core.disable = None;
DeletablePluginProperty::Disable => {
plugin.core.disable = None;
}
} }
} }
} }
if let Some(data) = data {
plugin.data = data;
}
if let Some(api) = update.api {
plugin.core.api = api;
}
if update.validation_delay.is_some() {
plugin.core.validation_delay = update.validation_delay;
}
if update.disable.is_some() {
plugin.core.disable = update.disable;
}
*entry = serde_json::to_value(plugin)?;
} }
None => http_bail!(NOT_FOUND, "no such plugin"), if let Some(data) = data {
plugin.data = data;
}
if let Some(api) = update.api {
plugin.core.api = api;
}
if update.validation_delay.is_some() {
plugin.core.validation_delay = update.validation_delay;
}
if update.disable.is_some() {
plugin.core.disable = update.disable;
}
*entry = serde_json::to_value(plugin)?;
} }
None => http_bail!(NOT_FOUND, "no such plugin"),
self.save_plugin_config(&plugins)?;
Ok(())
} }
pub fn delete_plugin(&self, id: String) -> Result<(), Error> { super::plugin_config::save_plugin_config(&plugins)?;
let _lock = self.lock_plugin_config()?;
let (mut plugins, _digest) = self.plugin_config()?; Ok(())
if plugins.remove(&id).is_none() { }
http_bail!(NOT_FOUND, "no such plugin");
}
self.save_plugin_config(&plugins)?;
Ok(()) pub fn delete_plugin(id: String) -> Result<(), Error> {
let _lock = super::plugin_config::lock_plugin_config()?;
let (mut plugins, _digest) = super::plugin_config::plugin_config()?;
if plugins.remove(&id).is_none() {
http_bail!(NOT_FOUND, "no such plugin");
} }
super::plugin_config::save_plugin_config(&plugins)?;
Ok(())
} }
// See PMG/PVE's $modify_cfg_for_api sub // See PMG/PVE's $modify_cfg_for_api sub

74
proxmox-acme-api/src/plugin_config.rs
View File

@ -6,9 +6,9 @@ use serde_json::Value;
use proxmox_schema::{ApiType, Schema}; use proxmox_schema::{ApiType, Schema};
use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin}; use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
use proxmox_product_config::{ApiLockGuard, open_api_lockfile, replace_config};
use crate::config::AcmeApiConfig; use crate::types::{DnsPlugin, StandalonePlugin, PLUGIN_ID_SCHEMA};
use crate::types::{PLUGIN_ID_SCHEMA, DnsPlugin, StandalonePlugin};
lazy_static! { lazy_static! {
static ref CONFIG: SectionConfig = init(); static ref CONFIG: SectionConfig = init();
@ -52,62 +52,38 @@ fn init() -> SectionConfig {
config config
} }
// LockGuard for the plugin configuration pub(crate) fn lock_plugin_config() -> Result<ApiLockGuard, Error> {
pub(crate) struct AcmePluginConfigLockGuard { super::config::make_acme_dir()?;
_file: Option<std::fs::File>,
let plugin_cfg_lockfile = super::config::plugin_cfg_lockfile();
open_api_lockfile(plugin_cfg_lockfile, None, true)
} }
impl AcmeApiConfig { pub(crate) fn plugin_config() -> Result<(PluginData, [u8; 32]), Error> {
pub(crate) fn lock_plugin_config(&self) -> Result<AcmePluginConfigLockGuard, Error> { let plugin_cfg_filename = super::config::plugin_cfg_filename();
self.make_acme_dir()?;
let file_owner = (self.file_owner)();
let mode = nix::sys::stat::Mode::from_bits_truncate(0o0660); let content =
let options = proxmox_sys::fs::CreateOptions::new() proxmox_sys::fs::file_read_optional_string(&plugin_cfg_filename)?.unwrap_or_default();
.perm(mode)
.owner(file_owner.uid)
.group(file_owner.gid);
let timeout = std::time::Duration::new(10, 0); let digest = openssl::sha::sha256(content.as_bytes());
let mut data = CONFIG.parse(&plugin_cfg_filename, &content)?;
let plugin_cfg_lockfile = self.plugin_cfg_lockfile(); if data.sections.get("standalone").is_none() {
let file = proxmox_sys::fs::open_file_locked(&plugin_cfg_lockfile, timeout, true, options)?; let standalone = StandalonePlugin::default();
Ok(AcmePluginConfigLockGuard { _file: Some(file) }) data.set_data("standalone", "standalone", &standalone)
.unwrap();
} }
pub(crate) fn plugin_config(&self) -> Result<(PluginData, [u8; 32]), Error> { Ok((PluginData { data }, digest))
let plugin_cfg_filename = self.plugin_cfg_filename(); }
let content = pub(crate) fn save_plugin_config(config: &PluginData) -> Result<(), Error> {
proxmox_sys::fs::file_read_optional_string(&plugin_cfg_filename)?.unwrap_or_default(); super::config::make_acme_dir()?;
let plugin_cfg_filename = super::config::plugin_cfg_filename();
let raw = CONFIG.write(&plugin_cfg_filename, &config.data)?;
let digest = openssl::sha::sha256(content.as_bytes()); replace_config(plugin_cfg_filename, raw.as_bytes())
let mut data = CONFIG.parse(&plugin_cfg_filename, &content)?;
if data.sections.get("standalone").is_none() {
let standalone = StandalonePlugin::default();
data.set_data("standalone", "standalone", &standalone)
.unwrap();
}
Ok((PluginData { data }, digest))
}
pub(crate) fn save_plugin_config(&self, config: &PluginData) -> Result<(), Error> {
self.make_acme_dir()?;
let plugin_cfg_filename = self.plugin_cfg_filename();
let raw = CONFIG.write(&plugin_cfg_filename, &config.data)?;
let file_owner = (self.file_owner)();
let mode = nix::sys::stat::Mode::from_bits_truncate(0o0640);
// set the correct owner/group/permissions while saving file
let options = proxmox_sys::fs::CreateOptions::new()
.perm(mode)
.owner(file_owner.uid)
.group(file_owner.gid);
proxmox_sys::fs::replace_file(plugin_cfg_filename, raw.as_bytes(), options, true)
}
} }
pub(crate) struct PluginData { pub(crate) struct PluginData {