for registering, updating, refreshing and deactivating a PVE-managed ACME account, as well as for retrieving the (optional, but required if available) terms of service of the ACME API provider / CA.
Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
 PVE/API2/Makefile | 1 +
 PVE/API2/ACMEAccount.pm | 278 ++++++++++++++++++++++++++++++++++++++++++++++++
 PVE/API2/Cluster.pm | 7 ++
 3 files changed, 286 insertions(+)
 create mode 100644 PVE/API2/ACMEAccount.pm
diff --git a/PVE/API2/Makefile b/PVE/API2/Makefile
index 51b8b30a..d72ddd9b 100644
--- a/PVE/API2/Makefile
+++ b/PVE/API2/Makefile
@@ -14,6 +14,7 @@ PERLSOURCE = \
 Pool.pm \
 Tasks.pm \
 Network.pm \
+ ACMEAccount.pm \
 NodeConfig.pm \
 Services.pm
diff --git a/PVE/API2/ACMEAccount.pm b/PVE/API2/ACMEAccount.pm
new file mode 100644
index 00000000..49c1e7e5
--- /dev/null
+++ b/PVE/API2/ACMEAccount.pm
@@ -0,0 +1,278 @@
+package PVE::API2::ACMEAccount;
+
+use strict;
+use warnings;
+
+use PVE::ACME;
+use PVE::CertHelpers;
+use PVE::Exception qw(raise_param_exc);
+use PVE::JSONSchema qw(get_standard_option);
+use PVE::RPCEnvironment;
+use PVE::Tools qw(extract_param);
+
+use base qw(PVE::RESTHandler);
+
+my $acme_directories = {
+ le_staging => 'https://acme-staging-v02.api.letsencrypt.org/directory',
+};
+
+my $account_contact_from_param = sub {
+ my ($param) = @_;
+ return [ map { "mailto:$_" } PVE::Tools::split_list(extract_param($param, 'contact')) ];
+};
+
+__PACKAGE__->register_method ({
+ name => 'index',
+ path => '',
+ method => 'GET',
+ permissions => { user => 'all' },
+ description => "ACMEAccount index.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ },
+ },
+ returns => {
+ type => 'array',
+ items => {
+ type => "object",
+ properties => {},
+ },
+ links => [ { rel => 'child', href => "{name}" } ],
+ },
+ code => sub {
+ my ($param) = @_;
+
+ return [
+ { name => 'account' },
+ { name => 'tos' },
+ ];
+ },
+});
+
+__PACKAGE__->register_method ({
+ name => 'account_index',
+ path => 'account',
+ method => 'GET',
+ permissions => { user => 'all' },
+ description => "ACMEAccount index.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ },
+ },
+ returns => {
+ type => 'array',
+ items => {
+ type => "object",
+ properties => {},
+ },
+ links => [ { rel => 'child', href => "{name}" } ],
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $accounts = PVE::CertHelpers::list_acme_accounts();
+ return [ map { { name => $_ } } @$accounts ];
+ },
+});
+
+__PACKAGE__->register_method ({
+ name => 'register_account',
+ path => 'account',
+ method => 'POST',
+ description => "Register a new ACME account with CA.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ name => get_standard_option('pve-acme-account-name'),
+ contact => 
get_standard_option('pve-acme-account-contact'),
+ tos_url => {
+ type => 'string',
+ description => 'URL of CA TermsOfService - setting this indicates agreement.',
+ optional => 1,
+ },
+ directory => {
+ type => 'string',
+ description => 'URL of CA directory API endpoint.',
+ optional => 1,
+ default => $acme_directories->{le_staging},
+ },
+ },
+ },
+ returns => {
+ type => 'string',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $account_name = extract_param($param, 'name') // 'default';
+ my $account_file = PVE::CertHelpers::get_acme_account_file($account_name);
+
+ raise_param_exc({'name' => "ACME account config file '${account_name}' already exists."})
+ if -e $account_file;
+
+ my $directory = extract_param($param, 'directory') // $acme_directories->{le_staging};
+ my $contact = $account_contact_from_param->($param);
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $authuser = $rpcenv->get_user();
+
+ my $realcmd = sub {
+ PVE::Cluster::cfs_lock_acme($account_name, 10, sub {
+ die "ACME account config file '${account_name}' already exists.\n"
+ if -e $account_file;
+
+ my $acme = PVE::ACME->new($account_file, $directory);
+ print "Generating ACME account key..\n";
+ $acme->init(4096);
+ print "Registering ACME account..\n";
+ eval { $acme->new_account($param->{tos_url}, contact => $contact); };
+ if ($@) {
+ warn "$@\n";
+ unlink $account_file;
+ die "Registration failed!\n";
+ }
+ print "Registration successful, account URL: '$acme->{location}'\n";
+ });
+ die $@ if $@;
+ };
+
+ return $rpcenv->fork_worker('acmeregister', undef, $authuser, $realcmd);
+ },
+});
+
+my $update_account = sub {
+ my ($param, $msg, %info) = @_;
+
+ my $account_name = extract_param($param, 'name') // 'default';
+ my $account_file = PVE::CertHelpers::get_acme_account_file($account_name);
+
+ raise_param_exc({'name' => "ACME account config file '${account_name}' does not exist."})
+ if ! 
-e $account_file;
+
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $authuser = $rpcenv->get_user();
+
+ my $realcmd = sub {
+ PVE::Cluster::cfs_lock_acme($account_name, 10, sub {
+ die "ACME account config file '${account_name}' does not exist.\n"
+ if ! -e $account_file;
+
+ my $acme = PVE::ACME->new($account_file);
+ $acme->load();
+ $acme->update_account(%info);
+ });
+ die $@ if $@;
+ };
+
+ return $rpcenv->fork_worker("acme${msg}", undef, $authuser, $realcmd);
+};
+
+__PACKAGE__->register_method ({
+ name => 'update_account',
+ path => 'account/{name}',
+ method => 'PUT',
+ description => "Update existing ACME account information with CA.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ name => get_standard_option('pve-acme-account-name'),
+ contact => get_standard_option('pve-acme-account-contact'),
+ },
+ },
+ returns => {
+ type => 'string',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $contact = $account_contact_from_param->($param);
+
+ return $update_account->($param, 'update', contact => $contact);
+ },
+});
+
+__PACKAGE__->register_method ({
+ name => 'get_account',
+ path => 'account/{name}',
+ method => 'GET',
+ description => "Refresh existing ACME account information from CA.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ name => get_standard_option('pve-acme-account-name'),
+ },
+ },
+ returns => {
+ type => 'string',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ return $update_account->($param, 'refresh');
+ },
+});
+
+__PACKAGE__->register_method ({
+ name => 'deactivate_account',
+ path => 'account/{name}',
+ method => 'DELETE',
+ description => "Deactivate existing ACME account at CA.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ name => get_standard_option('pve-acme-account-name'),
+ },
+ },
+ returns => {
+ type => 'string',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ return $update_account->($param, 'deactivate', 
status => 'deactivated');
+ },
+});
+
+__PACKAGE__->register_method ({
+ name => 'get_tos',
+ path => 'tos',
+ method => 'GET',
+ description => "Retrieve ACME TermsOfService URL from CA.",
+ protected => 1,
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ directory => {
+ type => 'string',
+ description => 'URL of CA directory API endpoint.',
+ optional => 1,
+ default => $acme_directories->{le_staging},
+ },
+ },
+ },
+ returns => {
+ type => 'string',
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $directory = extract_param($param, 'directory') // $acme_directories->{le_staging};
+
+ my $acme = PVE::ACME->new(undef, $directory);
+ my $meta = $acme->get_meta();
+
+ return $meta ? $meta->{termsOfService} : undef;
+ },
+});
+
+1;
diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index 7f38e61c..2eac6b52 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -24,6 +24,7 @@ use PVE::JSONSchema qw(get_standard_option);
 use PVE::Firewall;
 use PVE::API2::Firewall::Cluster;
 use PVE::API2::ReplicationConfig;
+use PVE::API2::ACMEAccount;
 use base qw(PVE::RESTHandler);
@@ -52,6 +53,11 @@ __PACKAGE__->register_method ({
 path => 'ha',
 });
+__PACKAGE__->register_method ({
+ subclass => "PVE::API2::ACMEAccount",
+ path => 'acme',
+});
+
 my $dc_schema = PVE::Cluster::get_datacenter_schema();
 my $dc_properties = {
 delete => {
@@ -97,6 +103,7 @@ __PACKAGE__->register_method ({
 { name => 'nextid' },
 { name => 'firewall' },
 { name => 'config' },
+ { name => 'acme' },
 ];
 return $result;
-- 2.14.2 _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
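Review bot: register_account, update_account, get_account, deactivate_account and get_tos carry no `permissions` entry, which in PVE::RESTHandler appears to leave them root@pam-only; if that is the intent it deserves a short comment on each, and if other users are meant to manage accounts every one of them needs an explicit check, e.g. `permissions => { check => [ 'perm', '/', [ 'Sys.Modify' ] ] },`. The `directory` parameter of register_account and get_tos is an unconstrained string that the privileged worker then connects to, so adding `pattern => '^https://'` to both schemas keeps the ACME traffic on TLS and rejects malformed input before a task is forked. get_tos declares `returns => { type => 'string' }` but returns undef when `$acme->get_meta()` yields nothing or lacks termsOfService; mark the return `optional => 1` or raise an error so the schema matches the code. account_index is `user => 'all'`, which lets every authenticated user list the configured account names — worth confirming that is deliberate. Finally, get_account is a GET that forks a worker and calls `$acme->update_account`, i.e. a read request with side effects at the CA; a plain load-and-return would be more in keeping with the other GET handlers here.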