[pmg-api.git] / src / PMG / API2 / ACME.pm

package PMG::API2::ACME;

use strict;
use warnings;

use File::Path;

use PVE::Exception qw(raise_param_exc);
use PVE::JSONSchema qw(get_standard_option);
use PVE::Tools qw(extract_param);

use PVE::ACME::Challenge;

use PMG::RESTEnvironment;
use PMG::RS::Acme;
use PMG::CertHelpers;

use PMG::API2::ACMEPlugin;

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    subclass => "PMG::API2::ACMEPlugin",
    path => 'plugins',
});

# FIXME: Put this list in pve-common or proxmox-acme{,-rs}?
my $acme_directories = [
    {
	name => 'Let\'s Encrypt V2',
	url => 'https://acme-v02.api.letsencrypt.org/directory',
    },
    {
	name => 'Let\'s Encrypt V2 Staging',
	url => 'https://acme-staging-v02.api.letsencrypt.org/directory',
    },
];
my $acme_default_directory_url = $acme_directories->[0]->{url};
my $account_contact_from_param = sub {
    my @addresses = PVE::Tools::split_list(extract_param($_[0], 'contact'));
    return [ map { "mailto:$_" } @addresses ];
};
my $acme_account_dir = PMG::CertHelpers::acme_account_dir();

__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    permissions => { user => 'all' },
    description => "ACME index.",
    parameters => {
	additionalProperties => 0,
	properties => {
	},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {},
	},
	links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
	my ($param) = @_;

	return [
	    { name => 'account' },
	    { name => 'tos' },
	    { name => 'directories' },
	    { name => 'plugins' },
	    { name => 'challenge-schema' },
	];
    }});

__PACKAGE__->register_method ({
    name => 'account_index',
    path => 'account',
    method => 'GET',
    permissions => { check => [ 'admin', 'audit' ] },
    description => "ACME account index.",
    protected => 1,
    parameters => {
	additionalProperties => 0,
	properties => {
	},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {},
	},
	links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
	my ($param) = @_;

	my $accounts = PMG::CertHelpers::list_acme_accounts();
	return [ map { { name => $_ }  } @$accounts ];
    }});

# extract the optional account name and fill in the default, also return the file name
my sub extract_account_name : prototype($) {
    my ($param) = @_;

    my $account_name = extract_param($param, 'name') // 'default';
    my $account_file = "${acme_account_dir}/${account_name}";

    return ($account_name, $account_file);
}

__PACKAGE__->register_method ({
    name => 'register_account',
    path => 'account',
    method => 'POST',
    description => "Register a new ACME account with CA.",
    proxyto => 'master',
    permissions => { check => [ 'admin' ] },
    protected => 1,
    parameters => {
	additionalProperties => 0,
	properties => {
	    name => get_standard_option('pmg-acme-account-name'),
	    contact => get_standard_option('pmg-acme-account-contact'),
	    tos_url => {
		type => 'string',
		description => 'URL of CA TermsOfService - setting this indicates agreement.',
		optional => 1,
	    },
	    directory => get_standard_option('pmg-acme-directory-url', {
		default => $acme_default_directory_url,
		optional => 1,
	    }),
	    'eab-kid' => {
		type => 'string',
		description => 'Key Identifier for External Account Binding.',
		requires => 'eab-hmac-key',
		optional => 1,
	    },
	    'eab-hmac-key' => {
		type => 'string',
		description => 'HMAC key for External Account Binding.',
		requires => 'eab-kid',
		optional => 1,
	    },
	},
    },
    returns => {
	type => 'string',
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PMG::RESTEnvironment->get();
	my $authuser = $rpcenv->get_user();

	my ($account_name, $account_file) = extract_account_name($param);
	mkpath $acme_account_dir if ! -e $acme_account_dir;

	raise_param_exc({'name' => "ACME account config file '${account_name}' already exists."})
	    if -e $account_file;

	my $directory = extract_param($param, 'directory') // $acme_default_directory_url;
	my $contact = $account_contact_from_param->($param);
	my $eab_kid = extract_param($param, 'eab-kid');
	my $eab_hmac_key = extract_param($param, 'eab-hmac-key');

	my $realcmd = sub {
	    PMG::CertHelpers::lock_acme($account_name, 10, sub {
		die "ACME account config file '${account_name}' already exists.\n"
		    if -e $account_file;

		print "Registering new ACME account..\n";
		my $acme = PMG::RS::Acme->new($directory);
		eval {
		    $acme->new_account($account_file, defined($param->{tos_url}), $contact, undef, $eab_kid, $eab_hmac_key);
		};
		if (my $err = $@) {
		    unlink $account_file;
		    die "Registration failed: $err\n";
		}
		my $location = $acme->location();
		print "Registration successful, account URL: '$location'\n";
	    });
	};

	return $rpcenv->fork_worker('acmeregister', undef, $authuser, $realcmd);
    }});

my $update_account = sub {
    my ($param, $msg, $force_deactivate, %info) = @_;

    my ($account_name, $account_file) = extract_account_name($param);

    raise_param_exc({'name' => "ACME account config file '${account_name}' does not exist."})
	if ! -e $account_file;


    my $rpcenv = PMG::RESTEnvironment->get();
    my $authuser = $rpcenv->get_user();

    my $realcmd = sub {
	PMG::CertHelpers::lock_acme($account_name, 10, sub {
	    die "ACME account config file '${account_name}' does not exist.\n"
		if ! -e $account_file;

	    my $acme = PMG::RS::Acme->load($account_file);
	    eval {
		$acme->update_account(\%info);
	    };
	    if (my $err = $@) {
		die $err if !$force_deactivate;
		warn "got error, but forced to continue - $err\n";
	    }
	    if ($info{status} && $info{status} eq 'deactivated') {
		my $deactivated_name;
		for my $i (0..100) {
		    my $candidate = "${acme_account_dir}/_deactivated_${account_name}_${i}";
		    if (! -e $candidate) {
			$deactivated_name = $candidate;
			last;
		    }
		}
		if ($deactivated_name) {
		    print "Renaming account file from '$account_file' to '$deactivated_name'\n";
		    rename($account_file, $deactivated_name) or
			warn ".. failed - $!\n";
		} else {
		    warn "No free slot to rename deactivated account file '$account_file', leaving in place\n";
		}
	    }
	});
    };

    return $rpcenv->fork_worker("acme${msg}", undef, $authuser, $realcmd);
};

__PACKAGE__->register_method ({
    name => 'update_account',
    path => 'account/{name}',
    method => 'PUT',
    description => "Update existing ACME account information with CA. Note: not specifying any new account information triggers a refresh.",
    proxyto => 'master',
    permissions => { check => [ 'admin' ] },
    protected => 1,
    parameters => {
	additionalProperties => 0,
	properties => {
	    name => get_standard_option('pmg-acme-account-name'),
	    contact => get_standard_option('pmg-acme-account-contact', {
		optional => 1,
	    }),
	},
    },
    returns => {
	type => 'string',
    },
    code => sub {
	my ($param) = @_;

	my $contact = $account_contact_from_param->($param);
	if (scalar @$contact) {
	    return $update_account->($param, 'update', 0, contact => $contact);
	} else {
	    return $update_account->($param, 'refresh', 0);
	}
    }});

__PACKAGE__->register_method ({
    name => 'get_account',
    path => 'account/{name}',
    method => 'GET',
    description => "Return existing ACME account information.",
    protected => 1,
    proxyto => 'master',
    parameters => {
	additionalProperties => 0,
	properties => {
	    name => get_standard_option('pmg-acme-account-name'),
	},
    },
    returns => {
	type => 'object',
	additionalProperties => 0,
	properties => {
	    account => {
		type => 'object',
		optional => 1,
		renderer => 'yaml',
	    },
	    directory => get_standard_option('pmg-acme-directory-url', {
		optional => 1,
	    }),
	    location => {
		type => 'string',
		optional => 1,
	    },
	    tos => {
		type => 'string',
		optional => 1,
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my ($account_name, $account_file) = extract_account_name($param);

	raise_param_exc({'name' => "ACME account config file '${account_name}' does not exist."})
	    if ! -e $account_file;

	my $acme = PMG::RS::Acme->load($account_file);
	my $data = $acme->account();

	return {
	    account => $data->{account},
	    tos => $data->{tos},
	    location => $data->{location},
	    directory => $data->{directoryUrl},
	};
    }});

__PACKAGE__->register_method ({
    name => 'deactivate_account',
    path => 'account/{name}',
    method => 'DELETE',
    description => "Deactivate existing ACME account at CA.",
    protected => 1,
    proxyto => 'master',
    permissions => { check => [ 'admin' ] },
    parameters => {
	additionalProperties => 0,
	properties => {
	    name => get_standard_option('pmg-acme-account-name'),
	    force => {
		type => 'boolean',
		description =>
		    'Delete account data even if the server refuses to deactivate the account.',
		optional => 1,
		default => 0,
	    },
	},
    },
    returns => {
	type => 'string',
    },
    code => sub {
	my ($param) = @_;

	my $force_deactivate = extract_param($param, 'force');

	return $update_account->($param, 'deactivate', $force_deactivate, status => 'deactivated');
    }});

__PACKAGE__->register_method ({
    name => 'get_tos',
    path => 'tos',
    method => 'GET',
    description => "Retrieve ACME TermsOfService URL from CA.",
    permissions => { user => 'all' },
    parameters => {
	additionalProperties => 0,
	properties => {
	    directory => get_standard_option('pmg-acme-directory-url', {
		default => $acme_default_directory_url,
		optional => 1,
	    }),
	},
    },
    returns => {
	type => 'string',
	optional => 1,
	description => 'ACME TermsOfService URL.',
    },
    code => sub {
	my ($param) = @_;

	my $directory = extract_param($param, 'directory') // $acme_default_directory_url;

	my $acme = PMG::RS::Acme->new($directory);
	my $meta = $acme->get_meta();

	return $meta ? $meta->{termsOfService} : undef;
    }});

__PACKAGE__->register_method ({
    name => 'get_directories',
    path => 'directories',
    method => 'GET',
    description => "Get named known ACME directory endpoints.",
    permissions => { user => 'all' },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => 'object',
	    additionalProperties => 0,
	    properties => {
		name => {
		    type => 'string',
		},
		url => get_standard_option('pmg-acme-directory-url'),
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	return $acme_directories;
    }});

__PACKAGE__->register_method ({
    name => 'challenge-schema',
    path => 'challenge-schema',
    method => 'GET',
    description => "Get schema of ACME challenge types.",
    permissions => { user => 'all' },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => 'object',
	    additionalProperties => 0,
	    properties => {
		id => {
		    type => 'string',
		},
		name => {
		    description => 'Human readable name, falls back to id',
		    type => 'string',
		},
		type => {
		    type => 'string',
		},
		schema => {
		    type => 'object',
		},
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my $plugin_type_enum = PVE::ACME::Challenge->lookup_types();

	my $res = [];

	for my $type (@$plugin_type_enum) {
	    my $plugin = PVE::ACME::Challenge->lookup($type);
	    next if !$plugin->can('get_supported_plugins');

	    my $plugin_type = $plugin->type();
	    my $plugins = $plugin->get_supported_plugins();
	    for my $id (sort keys %$plugins) {
		my $schema = $plugins->{$id};
		push @$res, {
		    id => $id,
		    name => $schema->{name} // $id,
		    type => $plugin_type,
		    schema => $schema,
		};
	    }
	}

	return $res;
    }});

1;
Commit	Line	Data
5000937e WB	1	package PMG::API2::ACME;
	2
	3	use strict;
	4	use warnings;
	5
5d30f586 SI	6	use File::Path;
5d30f586 SI	7
5000937e WB	8	use PVE::Exception qw(raise_param_exc);
	9	use PVE::JSONSchema qw(get_standard_option);
	10	use PVE::Tools qw(extract_param);
	11
	12	use PVE::ACME::Challenge;
	13
	14	use PMG::RESTEnvironment;
	15	use PMG::RS::Acme;
	16	use PMG::CertHelpers;
	17
	18	use PMG::API2::ACMEPlugin;
	19
	20	use base qw(PVE::RESTHandler);
	21
	22	__PACKAGE__->register_method ({
	23	subclass => "PMG::API2::ACMEPlugin",
	24	path => 'plugins',
	25	});
	26
	27	# FIXME: Put this list in pve-common or proxmox-acme{,-rs}?
	28	my $acme_directories = [
	29	{
	30	name => 'Let\'s Encrypt V2',
	31	url => 'https://acme-v02.api.letsencrypt.org/directory',
	32	},
	33	{
	34	name => 'Let\'s Encrypt V2 Staging',
	35	url => 'https://acme-staging-v02.api.letsencrypt.org/directory',
	36	},
	37	];
	38	my $acme_default_directory_url = $acme_directories->[0]->{url};
	39	my $account_contact_from_param = sub {
	40	my @addresses = PVE::Tools::split_list(extract_param($_[0], 'contact'));
	41	return [ map { "mailto:$_" } @addresses ];
	42	};
	43	my $acme_account_dir = PMG::CertHelpers::acme_account_dir();
	44
	45	__PACKAGE__->register_method ({
	46	name => 'index',
	47	path => '',
	48	method => 'GET',
	49	permissions => { user => 'all' },
	50	description => "ACME index.",
	51	parameters => {
	52	additionalProperties => 0,
	53	properties => {
	54	},
	55	},
	56	returns => {
	57	type => 'array',
	58	items => {
	59	type => "object",
	60	properties => {},
	61	},
	62	links => [ { rel => 'child', href => "{name}" } ],
	63	},
	64	code => sub {
	65	my ($param) = @_;
	66
	67	return [
	68	{ name => 'account' },
	69	{ name => 'tos' },
	70	{ name => 'directories' },
	71	{ name => 'plugins' },
72	{ name => 'challenge-schema' },
73	];
74	}});
75
76	__PACKAGE__->register_method ({
77	name => 'account_index',
78	path => 'account',
79	method => 'GET',
80	permissions => { check => [ 'admin', 'audit' ] },
81	description => "ACME account index.",
82	protected => 1,
83	parameters => {
84	additionalProperties => 0,
85	properties => {
86	},
87	},
88	returns => {
89	type => 'array',
90	items => {
91	type => "object",
92	properties => {},
93	},
94	links => [ { rel => 'child', href => "{name}" } ],
95	},
96	code => sub {
97	my ($param) = @_;
98
99	my $accounts = PMG::CertHelpers::list_acme_accounts();
100	return [ map { { name => $_ } } @$accounts ];
101	}});
102
103	# extract the optional account name and fill in the default, also return the file name
104	my sub extract_account_name : prototype($) {
105	my ($param) = @_;
106
107	my $account_name = extract_param($param, 'name') // 'default';
108	my $account_file = "${acme_account_dir}/${account_name}";
109
110	return ($account_name, $account_file);
111	}
112
113	__PACKAGE__->register_method ({
114	name => 'register_account',
115	path => 'account',
116	method => 'POST',
117	description => "Register a new ACME account with CA.",
118	proxyto => 'master',
119	permissions => { check => [ 'admin' ] },
120	protected => 1,
121	parameters => {
122	additionalProperties => 0,
123	properties => {
124	name => get_standard_option('pmg-acme-account-name'),
125	contact => get_standard_option('pmg-acme-account-contact'),
126	tos_url => {
127	type => 'string',
128	description => 'URL of CA TermsOfService - setting this indicates agreement.',
129	optional => 1,
130	},
131	directory => get_standard_option('pmg-acme-directory-url', {
132	default => $acme_default_directory_url,
133	optional => 1,
134	}),
5406f703 FG	135	'eab-kid' => {
	136	type => 'string',
	137	description => 'Key Identifier for External Account Binding.',
	138	requires => 'eab-hmac-key',
	139	optional => 1,
	140	},
	141	'eab-hmac-key' => {
	142	type => 'string',
	143	description => 'HMAC key for External Account Binding.',
	144	requires => 'eab-kid',
	145	optional => 1,
	146	},
5000937e WB	147	},
	148	},
	149	returns => {
	150	type => 'string',
	151	},
	152	code => sub {
	153	my ($param) = @_;
	154
	155	my $rpcenv = PMG::RESTEnvironment->get();
	156	my $authuser = $rpcenv->get_user();
	157
	158	my ($account_name, $account_file) = extract_account_name($param);
b6e3ea16	159	mkpath $acme_account_dir if ! -e $acme_account_dir;
5000937e WB	160
	161	raise_param_exc({'name' => "ACME account config file '${account_name}' already exists."})
	162	if -e $account_file;
	163
	164	my $directory = extract_param($param, 'directory') // $acme_default_directory_url;
	165	my $contact = $account_contact_from_param->($param);
5406f703 FG	166	my $eab_kid = extract_param($param, 'eab-kid');
5406f703 FG	167	my $eab_hmac_key = extract_param($param, 'eab-hmac-key');
5000937e WB	168
	169	my $realcmd = sub {
	170	PMG::CertHelpers::lock_acme($account_name, 10, sub {
	171	die "ACME account config file '${account_name}' already exists.\n"
	172	if -e $account_file;
	173
	174	print "Registering new ACME account..\n";
	175	my $acme = PMG::RS::Acme->new($directory);
	176	eval {
5406f703	177	$acme->new_account($account_file, defined($param->{tos_url}), $contact, undef, $eab_kid, $eab_hmac_key);
5000937e WB	178	};
	179	if (my $err = $@) {
	180	unlink $account_file;
	181	die "Registration failed: $err\n";
	182	}
	183	my $location = $acme->location();
	184	print "Registration successful, account URL: '$location'\n";
	185	});
	186	};
	187
	188	return $rpcenv->fork_worker('acmeregister', undef, $authuser, $realcmd);
	189	}});
	190
	191	my $update_account = sub {
b9725bac	192	my ($param, $msg, $force_deactivate, %info) = @_;
5000937e WB	193
	194	my ($account_name, $account_file) = extract_account_name($param);
	195
	196	raise_param_exc({'name' => "ACME account config file '${account_name}' does not exist."})
	197	if ! -e $account_file;
	198
	199
	200	my $rpcenv = PMG::RESTEnvironment->get();
	201	my $authuser = $rpcenv->get_user();
	202
	203	my $realcmd = sub {
	204	PMG::CertHelpers::lock_acme($account_name, 10, sub {
	205	die "ACME account config file '${account_name}' does not exist.\n"
	206	if ! -e $account_file;
	207
	208	my $acme = PMG::RS::Acme->load($account_file);
b9725bac WB	209	eval {
	210	$acme->update_account(\%info);
	211	};
	212	if (my $err = $@) {
	213	die $err if !$force_deactivate;
	214	warn "got error, but forced to continue - $err\n";
	215	}
5000937e WB	216	if ($info{status} && $info{status} eq 'deactivated') {
	217	my $deactivated_name;
	218	for my $i (0..100) {
	219	my $candidate = "${acme_account_dir}/_deactivated_${account_name}_${i}";
	220	if (! -e $candidate) {
	221	$deactivated_name = $candidate;
	222	last;
	223	}
	224	}
	225	if ($deactivated_name) {
	226	print "Renaming account file from '$account_file' to '$deactivated_name'\n";
	227	rename($account_file, $deactivated_name) or
	228	warn ".. failed - $!\n";
	229	} else {
	230	warn "No free slot to rename deactivated account file '$account_file', leaving in place\n";
	231	}
	232	}
	233	});
	234	};
	235
	236	return $rpcenv->fork_worker("acme${msg}", undef, $authuser, $realcmd);
	237	};
	238
	239	__PACKAGE__->register_method ({
	240	name => 'update_account',
	241	path => 'account/{name}',
	242	method => 'PUT',
	243	description => "Update existing ACME account information with CA. Note: not specifying any new account information triggers a refresh.",
	244	proxyto => 'master',
	245	permissions => { check => [ 'admin' ] },
	246	protected => 1,
	247	parameters => {
	248	additionalProperties => 0,
	249	properties => {
	250	name => get_standard_option('pmg-acme-account-name'),
	251	contact => get_standard_option('pmg-acme-account-contact', {
	252	optional => 1,
	253	}),
	254	},
	255	},
	256	returns => {
	257	type => 'string',
	258	},
	259	code => sub {
	260	my ($param) = @_;
	261
	262	my $contact = $account_contact_from_param->($param);
	263	if (scalar @$contact) {
b9725bac	264	return $update_account->($param, 'update', 0, contact => $contact);
5000937e	265	} else {
b9725bac	266	return $update_account->($param, 'refresh', 0);
5000937e WB	267	}
	268	}});
	269
	270	__PACKAGE__->register_method ({
	271	name => 'get_account',
	272	path => 'account/{name}',
	273	method => 'GET',
	274	description => "Return existing ACME account information.",
	275	protected => 1,
	276	proxyto => 'master',
	277	parameters => {
	278	additionalProperties => 0,
	279	properties => {
	280	name => get_standard_option('pmg-acme-account-name'),
	281	},
	282	},
	283	returns => {
	284	type => 'object',
	285	additionalProperties => 0,
	286	properties => {
	287	account => {
	288	type => 'object',
	289	optional => 1,
	290	renderer => 'yaml',
	291	},
	292	directory => get_standard_option('pmg-acme-directory-url', {
	293	optional => 1,
	294	}),
	295	location => {
	296	type => 'string',
	297	optional => 1,
	298	},
	299	tos => {
	300	type => 'string',
	301	optional => 1,
	302	},
	303	},
	304	},
	305	code => sub {
	306	my ($param) = @_;
	307
	308	my ($account_name, $account_file) = extract_account_name($param);
	309
	310	raise_param_exc({'name' => "ACME account config file '${account_name}' does not exist."})
	311	if ! -e $account_file;
	312
	313	my $acme = PMG::RS::Acme->load($account_file);
	314	my $data = $acme->account();
	315
	316	return {
	317	account => $data->{account},
	318	tos => $data->{tos},
	319	location => $data->{location},
	320	directory => $data->{directoryUrl},
	321	};
	322	}});
	323
	324	__PACKAGE__->register_method ({
	325	name => 'deactivate_account',
	326	path => 'account/{name}',
	327	method => 'DELETE',
	328	description => "Deactivate existing ACME account at CA.",
	329	protected => 1,
	330	proxyto => 'master',
331	permissions => { check => [ 'admin' ] },
332	parameters => {
333	additionalProperties => 0,
334	properties => {
335	name => get_standard_option('pmg-acme-account-name'),
b9725bac WB	336	force => {
	337	type => 'boolean',
	338	description =>
	339	'Delete account data even if the server refuses to deactivate the account.',
	340	optional => 1,
	341	default => 0,
	342	},
5000937e WB	343	},
	344	},
	345	returns => {
	346	type => 'string',
	347	},
	348	code => sub {
	349	my ($param) = @_;
	350
b9725bac WB	351	my $force_deactivate = extract_param($param, 'force');
	352
	353	return $update_account->($param, 'deactivate', $force_deactivate, status => 'deactivated');
5000937e WB	354	}});
	355
	356	__PACKAGE__->register_method ({
	357	name => 'get_tos',
	358	path => 'tos',
	359	method => 'GET',
	360	description => "Retrieve ACME TermsOfService URL from CA.",
	361	permissions => { user => 'all' },
	362	parameters => {
	363	additionalProperties => 0,
	364	properties => {
	365	directory => get_standard_option('pmg-acme-directory-url', {
	366	default => $acme_default_directory_url,
	367	optional => 1,
	368	}),
	369	},
	370	},
	371	returns => {
	372	type => 'string',
	373	optional => 1,
	374	description => 'ACME TermsOfService URL.',
	375	},
	376	code => sub {
	377	my ($param) = @_;
	378
	379	my $directory = extract_param($param, 'directory') // $acme_default_directory_url;
	380
	381	my $acme = PMG::RS::Acme->new($directory);
	382	my $meta = $acme->get_meta();
	383
	384	return $meta ? $meta->{termsOfService} : undef;
	385	}});
	386
	387	__PACKAGE__->register_method ({
	388	name => 'get_directories',
	389	path => 'directories',
	390	method => 'GET',
	391	description => "Get named known ACME directory endpoints.",
	392	permissions => { user => 'all' },
	393	parameters => {
	394	additionalProperties => 0,
	395	properties => {},
	396	},
	397	returns => {
	398	type => 'array',
	399	items => {
	400	type => 'object',
	401	additionalProperties => 0,
	402	properties => {
	403	name => {
	404	type => 'string',
	405	},
	406	url => get_standard_option('pmg-acme-directory-url'),
	407	},
	408	},
	409	},
	410	code => sub {
	411	my ($param) = @_;
	412
	413	return $acme_directories;
	414	}});
	415
	416	__PACKAGE__->register_method ({
	417	name => 'challenge-schema',
418	path => 'challenge-schema',
419	method => 'GET',
420	description => "Get schema of ACME challenge types.",
421	permissions => { user => 'all' },
422	parameters => {
423	additionalProperties => 0,
424	properties => {},
425	},
426	returns => {
427	type => 'array',
428	items => {
429	type => 'object',
430	additionalProperties => 0,
431	properties => {
432	id => {
433	type => 'string',
434	},
435	name => {
436	description => 'Human readable name, falls back to id',
437	type => 'string',
438	},
439	type => {
440	type => 'string',
441	},
442	schema => {
443	type => 'object',
444	},
445	},
446	},
447	},
448	code => sub {
449	my ($param) = @_;
450
451	my $plugin_type_enum = PVE::ACME::Challenge->lookup_types();
452
453	my $res = [];
454
455	for my $type (@$plugin_type_enum) {
456	my $plugin = PVE::ACME::Challenge->lookup($type);
457	next if !$plugin->can('get_supported_plugins');
458
459	my $plugin_type = $plugin->type();
460	my $plugins = $plugin->get_supported_plugins();
461	for my $id (sort keys %$plugins) {
462	my $schema = $plugins->{$id};
463	push @$res, {
464	id => $id,
465	name => $schema->{name} // $id,
466	type => $plugin_type,
467	schema => $schema,
468	};
469	}
470	}
471
472	return $res;
473	}});
474
475	1;