[proxmox-acme.git] / src / PVE / ACME / DNSChallenge.pm

package PVE::ACME::DNSChallenge;

use strict;
use warnings;

use Digest::SHA qw(sha256);
use PVE::Tools;

use base qw(PVE::ACME::Challenge);

my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';

sub supported_challenge_types {
    return ["dns-01"];
}

sub type {
    return 'dns';
}

my $plugin_names = [
    'acmedns',
    'acmeproxy',
    'active24',
    'ad',
    'ali',
    'autodns',
    'aws',
    'azure',
    'cf',
    'clouddns',
    'cloudns',
    'cn',
    'conoha',
    'constellix',
    'cx',
    'cyon',
    'da',
    'ddnss',
    'desec',
    'dgon',
    'dnsimple',
    'do',
    'doapi',
    'domeneshop',
    'dp',
    'dpi',
    'dreamhost',
    'duckdns',
    'durabledns',
    'dyn',
    'dynu',
    'dynv6',
    'easydns',
    'euserv',
    'exoscale',
    'freedns',
    'gandi_livedns',
    'gcloud',
    'gd',
    'gdnsdk',
    'he',
    'hexonet',
    'hostingde',
    'infoblox',
    'internetbs',
    'inwx',
    'ispconfig',
    'jd',
    'kas',
    'kinghost',
    'knot',
    'leaseweb',
    'lexicon',
    'linode',
    'linode_v4',
    'loopia',
    'lua',
    'maradns',
    'me',
    'miab',
    'misaka',
    'myapi',
    'mydevil',
    'mydnsjp',
    'namecheap',
    'namecom',
    'namesilo',
    'nederhost',
    'neodigit',
    'netcup',
    'nic',
    'nsd',
    'nsone',
    'nsupdate',
    'nw',
    'one',
    'online',
    'openprovider',
    'opnsense',
    'ovh',
    'pdns',
    'pleskxml',
    'pointhq',
    'rackspace',
    'rcode0',
    'regru',
    'schlundtech',
    'selectel',
    'servercow',
    'tele3',
    'ultra',
    'unoeuro',
    'variomedia',
    'vscale',
    'vultr',
    'yandex',
    'zilore',
    'zone',
    'zonomi',
];

sub properties {
    return {
	api => {
	    description => "API plugin name",
	    type => 'string',
	    enum => $plugin_names,
	},
	data => {
	    type => 'string',
	    description => 'DNS plugin data.',
	},
    };
}

sub options {
    return {
	api => {},
	data => { optional => 1 },
	nodes => { optional => 1 },
	disable => { optional => 1 },
    };
}

my $proxmox_acme_command = sub {
    my ($self, $acme, $auth, $data, $action) = @_;

    die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});

    my $alias = $data->{alias};
    my $domain = $auth->{identifier}->{value};

    my $challenge = $self->extract_challenge($auth->{challenges});
    my $key_auth = $acme->key_authorization($challenge->{token});

    my $txtvalue = PVE::ACME::encode(sha256($key_auth));
    my $dnsplugin = $data->{plugin}->{api};
    my $plugin_conf_string = $data->{plugin}->{data};

    # for security reasons, we execute the command as nobody
    # we can't verify that the code of the DNSPlugins are harmless.
    my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];

    # The order of the parameters passed to proxmox-acme is important
    # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
    push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
    if ($alias) {
	push @$cmd, $alias;
    } else {
	push @$cmd, $domain;
    }
    my $input = "$txtvalue\n";
    $input .= "$plugin_conf_string\n" if $plugin_conf_string;

    PVE::Tools::run_command($cmd, input => $input);

    $data->{url} = $challenge->{url};

    return $domain;
};

sub setup {
    my ($self, $acme, $auth, $data) = @_;

    my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
    print "Add TXT record: _acme-challenge.$domain\n";
}

sub teardown {
    my ($self, $acme, $auth, $data) = @_;

    my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
    print "Remove TXT record: _acme-challenge.$domain\n";
}

1;
Commit	Line	Data
98b96d9e WL	1	package PVE::ACME::DNSChallenge;
	2
	3	use strict;
	4	use warnings;
	5
	6	use Digest::SHA qw(sha256);
	7	use PVE::Tools;
	8
	9	use base qw(PVE::ACME::Challenge);
	10
	11	my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
	12
	13	sub supported_challenge_types {
122626b3	14	return ["dns-01"];
98b96d9e WL	15	}
	16
	17	sub type {
	18	return 'dns';
	19	}
	20
d93b0e87	21	my $plugin_names = [
98b96d9e WL	22	'acmedns',
	23	'acmeproxy',
	24	'active24',
	25	'ad',
	26	'ali',
	27	'autodns',
	28	'aws',
	29	'azure',
	30	'cf',
	31	'clouddns',
	32	'cloudns',
	33	'cn',
	34	'conoha',
	35	'constellix',
	36	'cx',
	37	'cyon',
	38	'da',
	39	'ddnss',
	40	'desec',
	41	'dgon',
	42	'dnsimple',
	43	'do',
	44	'doapi',
	45	'domeneshop',
	46	'dp',
	47	'dpi',
	48	'dreamhost',
	49	'duckdns',
	50	'durabledns',
	51	'dyn',
	52	'dynu',
	53	'dynv6',
	54	'easydns',
	55	'euserv',
	56	'exoscale',
	57	'freedns',
	58	'gandi_livedns',
	59	'gcloud',
	60	'gd',
	61	'gdnsdk',
	62	'he',
	63	'hexonet',
	64	'hostingde',
	65	'infoblox',
	66	'internetbs',
	67	'inwx',
	68	'ispconfig',
	69	'jd',
	70	'kas',
	71	'kinghost',
	72	'knot',
	73	'leaseweb',
	74	'lexicon',
	75	'linode',
	76	'linode_v4',
	77	'loopia',
	78	'lua',
	79	'maradns',
	80	'me',
	81	'miab',
	82	'misaka',
	83	'myapi',
	84	'mydevil',
	85	'mydnsjp',
86	'namecheap',
87	'namecom',
88	'namesilo',
89	'nederhost',
90	'neodigit',
91	'netcup',
92	'nic',
93	'nsd',
94	'nsone',
95	'nsupdate',
96	'nw',
97	'one',
98	'online',
99	'openprovider',
100	'opnsense',
101	'ovh',
102	'pdns',
103	'pleskxml',
104	'pointhq',
105	'rackspace',
106	'rcode0',
107	'regru',
108	'schlundtech',
109	'selectel',
110	'servercow',
111	'tele3',
112	'ultra',
113	'unoeuro',
114	'variomedia',
115	'vscale',
116	'vultr',
117	'yandex',
118	'zilore',
119	'zone',
120	'zonomi',
121	];
122
123	sub properties {
124	return {
125	api => {
126	description => "API plugin name",
127	type => 'string',
d93b0e87	128	enum => $plugin_names,
98b96d9e WL	129	},
	130	data => {
	131	type => 'string',
	132	description => 'DNS plugin data.',
	133	},
	134	};
	135	}
	136
	137	sub options {
	138	return {
	139	api => {},
13b63882	140	data => { optional => 1 },
98b96d9e WL	141	nodes => { optional => 1 },
	142	disable => { optional => 1 },
	143	};
	144	}
	145
f00829fd FG	146	my $proxmox_acme_command = sub {
f00829fd FG	147	my ($self, $acme, $auth, $data, $action) = @_;
98b96d9e WL	148
98b96d9e WL	149	die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
f00829fd FG	150
	151	my $alias = $data->{alias};
	152	my $domain = $auth->{identifier}->{value};
	153
	154	my $challenge = $self->extract_challenge($auth->{challenges});
	155	my $key_auth = $acme->key_authorization($challenge->{token});
	156
	157	my $txtvalue = PVE::ACME::encode(sha256($key_auth));
98b96d9e WL	158	my $dnsplugin = $data->{plugin}->{api};
	159	my $plugin_conf_string = $data->{plugin}->{data};
	160
	161	# for security reasons, we execute the command as nobody
	162	# we can't verify that the code of the DNSPlugins are harmless.
f0ed0733	163	my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
98b96d9e	164
f00829fd FG	165	# The order of the parameters passed to proxmox-acme is important
	166	# proxmox-acme <setup\|teardown> $plugin <$domain\|$alias> $txtvalue [$plugin_conf_string]
	167	push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
	168	if ($alias) {
	169	push @$cmd, $alias;
	170	} else {
	171	push @$cmd, $domain;
	172	}
13bc64ea FG	173	my $input = "$txtvalue\n";
13bc64ea FG	174	$input .= "$plugin_conf_string\n" if $plugin_conf_string;
f00829fd	175
13bc64ea	176	PVE::Tools::run_command($cmd, input => $input);
f00829fd FG	177
	178	$data->{url} = $challenge->{url};
	179
	180	return $domain;
	181	};
	182
	183	sub setup {
	184	my ($self, $acme, $auth, $data) = @_;
	185
	186	my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
98b96d9e WL	187	print "Add TXT record: _acme-challenge.$domain\n";
	188	}
	189
98b96d9e	190	sub teardown {
f00829fd	191	my ($self, $acme, $auth, $data) = @_;
98b96d9e	192
f00829fd	193	my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
98b96d9e WL	194	print "Remove TXT record: _acme-challenge.$domain\n";
	195	}
	196
	197	1;