[pve-manager.git] / PVE / CertHelpers.pm

package PVE::CertHelpers;

use strict;
use warnings;

use PVE::Certificate;
use PVE::JSONSchema;
use PVE::Tools;

my $account_prefix = '/etc/pve/priv/acme';

PVE::JSONSchema::register_standard_option('pve-acme-account-name', {
    description => 'ACME account config file name.',
    type => 'string',
    format => 'pve-configid',
    format_description => 'name',
    optional => 1,
    default => 'default',
});

PVE::JSONSchema::register_standard_option('pve-acme-account-contact', {
    type => 'string',
    format => 'email-list',
    description => 'Contact email addresses.',
});

PVE::JSONSchema::register_standard_option('pve-acme-directory-url', {
    type => 'string',
    description => 'URL of ACME CA directory endpoint.',
    pattern => '^https?://.*',
});

my $local_cert_lock = '/var/lock/pve-certs.lock';

sub cert_path_prefix {
    my ($node) = @_;

    return "/etc/pve/nodes/${node}/pveproxy-ssl";
}

sub cert_lock {
    my ($timeout, $code, @param) = @_;

    return PVE::Tools::lock_file($local_cert_lock, $timeout, $code, @param);
}

sub set_cert_files {
    my ($cert, $key, $path_prefix, $force) = @_;

    my ($old_cert, $old_key, $info);

    my $cert_path = "${path_prefix}.pem";
    my $cert_path_tmp = "${path_prefix}.pem.old";
    my $key_path = "${path_prefix}.key";
    my $key_path_tmp = "${path_prefix}.key.old";

    die "Custom certificate file exists but force flag is not set.\n"
	if !$force && -e $cert_path;
    die "Custom certificate key file exists but force flag is not set.\n"
	if !$force && -e $key_path;

    PVE::Tools::file_copy($cert_path, $cert_path_tmp) if -e $cert_path;
    PVE::Tools::file_copy($key_path, $key_path_tmp) if -e $key_path;

    eval {
	PVE::Tools::file_set_contents($cert_path, $cert);
	PVE::Tools::file_set_contents($key_path, $key) if $key;
	$info = PVE::Certificate::get_certificate_info($cert_path);
    };
    my $err = $@;

    if ($err) {
	if (-e $cert_path_tmp && -e $key_path_tmp) {
	    eval {
		warn "Attempting to restore old certificate files..\n";
		PVE::Tools::file_copy($cert_path_tmp, $cert_path);
		PVE::Tools::file_copy($key_path_tmp, $key_path);
	    };
	    warn "$@\n" if $@;
	}
	die "Setting certificate files failed - $err\n"
    }

    unlink $cert_path_tmp;
    unlink $key_path_tmp;

    return $info;
}

sub acme_account_dir {
    return $account_prefix;
}

sub list_acme_accounts {
    my $accounts = [];

    return $accounts if ! -d $account_prefix;

    PVE::Tools::dir_glob_foreach($account_prefix, qr/[^.]+.*/, sub {
	my ($name) = @_;

	push @$accounts, $name
	    if PVE::JSONSchema::pve_verify_configid($name, 1);
    });

    return $accounts;
}
Commit	Line	Data
ccfd6ea6 FG	1	package PVE::CertHelpers;
	2
	3	use strict;
	4	use warnings;
	5
	6	use PVE::Certificate;
	7	use PVE::JSONSchema;
	8	use PVE::Tools;
	9
	10	my $account_prefix = '/etc/pve/priv/acme';
	11
	12	PVE::JSONSchema::register_standard_option('pve-acme-account-name', {
	13	description => 'ACME account config file name.',
	14	type => 'string',
	15	format => 'pve-configid',
	16	format_description => 'name',
	17	optional => 1,
	18	default => 'default',
	19	});
	20
	21	PVE::JSONSchema::register_standard_option('pve-acme-account-contact', {
	22	type => 'string',
	23	format => 'email-list',
	24	description => 'Contact email addresses.',
	25	});
	26
	27	PVE::JSONSchema::register_standard_option('pve-acme-directory-url', {
	28	type => 'string',
	29	description => 'URL of ACME CA directory endpoint.',
	30	pattern => '^https?://.*',
	31	});
	32
	33	my $local_cert_lock = '/var/lock/pve-certs.lock';
	34
	35	sub cert_path_prefix {
	36	my ($node) = @_;
	37
	38	return "/etc/pve/nodes/${node}/pveproxy-ssl";
	39	}
	40
	41	sub cert_lock {
	42	my ($timeout, $code, @param) = @_;
	43
	44	return PVE::Tools::lock_file($local_cert_lock, $timeout, $code, @param);
	45	}
	46
	47	sub set_cert_files {
	48	my ($cert, $key, $path_prefix, $force) = @_;
	49
	50	my ($old_cert, $old_key, $info);
	51
	52	my $cert_path = "${path_prefix}.pem";
	53	my $cert_path_tmp = "${path_prefix}.pem.old";
	54	my $key_path = "${path_prefix}.key";
	55	my $key_path_tmp = "${path_prefix}.key.old";
	56
	57	die "Custom certificate file exists but force flag is not set.\n"
	58	if !$force && -e $cert_path;
	59	die "Custom certificate key file exists but force flag is not set.\n"
	60	if !$force && -e $key_path;
	61
	62	PVE::Tools::file_copy($cert_path, $cert_path_tmp) if -e $cert_path;
	63	PVE::Tools::file_copy($key_path, $key_path_tmp) if -e $key_path;
	64
65	eval {
66	PVE::Tools::file_set_contents($cert_path, $cert);
67	PVE::Tools::file_set_contents($key_path, $key) if $key;
68	$info = PVE::Certificate::get_certificate_info($cert_path);
69	};
70	my $err = $@;
71
72	if ($err) {
73	if (-e $cert_path_tmp && -e $key_path_tmp) {
74	eval {
75	warn "Attempting to restore old certificate files..\n";
76	PVE::Tools::file_copy($cert_path_tmp, $cert_path);
77	PVE::Tools::file_copy($key_path_tmp, $key_path);
78	};
79	warn "$@\n" if $@;
80	}
81	die "Setting certificate files failed - $err\n"
82	}
83
84	unlink $cert_path_tmp;
85	unlink $key_path_tmp;
86
87	return $info;
88	}
89
90	sub acme_account_dir {
91	return $account_prefix;
92	}
93
94	sub list_acme_accounts {
95	my $accounts = [];
96
97	return $accounts if ! -d $account_prefix;
98
99	PVE::Tools::dir_glob_foreach($account_prefix, qr/[^.]+.*/, sub {
100	my ($name) = @_;
101
102	push @$accounts, $name
103	if PVE::JSONSchema::pve_verify_configid($name, 1);
104	});
105
106	return $accounts;
107	}