[proxmox-acme.git] / src / PVE / ACME / DNSChallenge.pm

package PVE::ACME::DNSChallenge;

use strict;
use warnings;

use Digest::SHA qw(sha256);
use JSON;

use PVE::Tools;

use PVE::ACME;

use base qw(PVE::ACME::Challenge);

my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';

sub supported_challenge_types {
    return ["dns-01"];
}

sub type {
    return 'dns';
}

my $DNS_API_CHALLENGE_SCHEMA_FN = '/usr/share/proxmox-acme/dns-challenge-schema.json';

my $plugin_cache;
sub get_supported_plugins {
    if (!$plugin_cache) {
	$plugin_cache = -e $DNS_API_CHALLENGE_SCHEMA_FN # we allow this to be optional as not all users require
	    ? from_json(PVE::Tools::file_get_contents($DNS_API_CHALLENGE_SCHEMA_FN))
	    : {};
    }
    return $plugin_cache;
}

sub properties {
    my $plugins = get_supported_plugins();
    return {
	api => {
	    description => "API plugin name",
	    type => 'string',
	    enum => [sort keys %$plugins],
	},
	data => {
	    type => 'string',
	    description => 'DNS plugin data. (base64 encoded)',
	},
	'validation-delay' => {
	    type => 'integer',
	    description => 'Extra delay in seconds to wait before requesting validation.'
	        .' Allows to cope with a long TTL of DNS records.',
	    # low default, but our bet is that the acme-challenge domain isn't
	    # cached at all, so it hopefully shouldn't run into TTL issues
	    default => 30,
	    optional => 1,
	    minimum => 0,
	    maximum => 2 * 24 * 60 * 60,
	},
	'use-proxy' => {
	    description => "Flag indicating whether a http proxy should be used.",
	    type => 'boolean',
	    optional => 1,
	},
    };
}

sub options {
    return {
	api => {},
	data => { optional => 1 },
	nodes => { optional => 1 },
	disable => { optional => 1 },
	'validation-delay' => { optional => 1 },
	'use-proxy' => { optional => 1 },
    };
}

my $proxmox_acme_command = sub {
    my ($self, $acme, $auth, $data, $action) = @_;

    die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});

    my $alias = $data->{alias};
    my $domain = $auth->{identifier}->{value};

    my $challenge = $self->extract_challenge($auth->{challenges});
    my $key_auth = $acme->key_authorization($challenge->{token});

    my $txtvalue = PVE::ACME::encode(sha256($key_auth));
    my $dnsplugin = $data->{plugin}->{api};
    my $plugin_conf_string = $data->{plugin}->{data};
    my $proxy = $data->{plugin}->{proxy};

    # for security reasons, we execute the command as nobody
    # we can't verify that the code of the DNSPlugins are harmless.
    my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];

    # The order of the parameters passed to proxmox-acme is important
    # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
    push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
    if ($alias) {
	push @$cmd, $alias;
    } else {
	push @$cmd, $domain;
    }
    my $input = "$txtvalue\n";
    $input .= "$plugin_conf_string\n" if $plugin_conf_string;
    $input .= "https_proxy=$proxy\nhttp_proxy=$proxy\n" if $proxy;

    PVE::Tools::run_command($cmd, input => $input);

    $data->{url} = $challenge->{url};

    return $domain;
};

sub setup {
    my ($self, $acme, $auth, $data) = @_;

    my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
    print "Add TXT record: _acme-challenge.$domain\n";

    my $delay = $data->{plugin}->{'validation-delay'} // 30;
    if ($delay > 0) {
	print "Sleeping $delay seconds to wait for TXT record propagation\n";
	sleep($delay); # don't care for EINTR
    }
}

sub teardown {
    my ($self, $acme, $auth, $data) = @_;

    my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
    print "Remove TXT record: _acme-challenge.$domain\n";
}

1;
Commit	Line	Data
98b96d9e WL	1	package PVE::ACME::DNSChallenge;
	2
	3	use strict;
	4	use warnings;
	5
	6	use Digest::SHA qw(sha256);
4195bf0a TL	7	use JSON;
4195bf0a TL	8
98b96d9e WL	9	use PVE::Tools;
98b96d9e WL	10
c617455e WB	11	use PVE::ACME;
c617455e WB	12
98b96d9e WL	13	use base qw(PVE::ACME::Challenge);
	14
	15	my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
	16
	17	sub supported_challenge_types {
122626b3	18	return ["dns-01"];
98b96d9e WL	19	}
	20
	21	sub type {
	22	return 'dns';
	23	}
	24
4195bf0a	25	my $DNS_API_CHALLENGE_SCHEMA_FN = '/usr/share/proxmox-acme/dns-challenge-schema.json';
6f5be4aa	26
e2483043	27	my $plugin_cache;
e3924936	28	sub get_supported_plugins {
e2483043 TL	29	if (!$plugin_cache) {
	30	$plugin_cache = -e $DNS_API_CHALLENGE_SCHEMA_FN # we allow this to be optional as not all users require
	31	? from_json(PVE::Tools::file_get_contents($DNS_API_CHALLENGE_SCHEMA_FN))
	32	: {};
	33	}
	34	return $plugin_cache;
e3924936	35	}
98b96d9e WL	36
98b96d9e WL	37	sub properties {
e2483043	38	my $plugins = get_supported_plugins();
98b96d9e WL	39	return {
	40	api => {
	41	description => "API plugin name",
	42	type => 'string',
6f5be4aa	43	enum => [sort keys %$plugins],
98b96d9e WL	44	},
	45	data => {
	46	type => 'string',
6372e898	47	description => 'DNS plugin data. (base64 encoded)',
98b96d9e	48	},
4317ba99 TL	49	'validation-delay' => {
	50	type => 'integer',
	51	description => 'Extra delay in seconds to wait before requesting validation.'
	52	.' Allows to cope with a long TTL of DNS records.',
	53	# low default, but our bet is that the acme-challenge domain isn't
	54	# cached at all, so it hopefully shouldn't run into TTL issues
	55	default => 30,
	56	optional => 1,
	57	minimum => 0,
	58	maximum => 2 * 24 * 60 * 60,
e1088f61 SI	59	},
	60	'use-proxy' => {
	61	description => "Flag indicating whether a http proxy should be used.",
	62	type => 'boolean',
	63	optional => 1,
	64	},
98b96d9e WL	65	};
	66	}
	67
	68	sub options {
	69	return {
	70	api => {},
13b63882	71	data => { optional => 1 },
98b96d9e WL	72	nodes => { optional => 1 },
98b96d9e WL	73	disable => { optional => 1 },
4317ba99	74	'validation-delay' => { optional => 1 },
e1088f61	75	'use-proxy' => { optional => 1 },
98b96d9e WL	76	};
	77	}
	78
f00829fd FG	79	my $proxmox_acme_command = sub {
f00829fd FG	80	my ($self, $acme, $auth, $data, $action) = @_;
98b96d9e WL	81
98b96d9e WL	82	die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
f00829fd FG	83
	84	my $alias = $data->{alias};
	85	my $domain = $auth->{identifier}->{value};
	86
	87	my $challenge = $self->extract_challenge($auth->{challenges});
	88	my $key_auth = $acme->key_authorization($challenge->{token});
	89
	90	my $txtvalue = PVE::ACME::encode(sha256($key_auth));
98b96d9e WL	91	my $dnsplugin = $data->{plugin}->{api};
98b96d9e WL	92	my $plugin_conf_string = $data->{plugin}->{data};
e1088f61	93	my $proxy = $data->{plugin}->{proxy};
98b96d9e WL	94
	95	# for security reasons, we execute the command as nobody
	96	# we can't verify that the code of the DNSPlugins are harmless.
f0ed0733	97	my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"];
98b96d9e	98
f00829fd FG	99	# The order of the parameters passed to proxmox-acme is important
	100	# proxmox-acme <setup\|teardown> $plugin <$domain\|$alias> $txtvalue [$plugin_conf_string]
	101	push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
	102	if ($alias) {
	103	push @$cmd, $alias;
	104	} else {
	105	push @$cmd, $domain;
	106	}
13bc64ea FG	107	my $input = "$txtvalue\n";
13bc64ea FG	108	$input .= "$plugin_conf_string\n" if $plugin_conf_string;
e1088f61	109	$input .= "https_proxy=$proxy\nhttp_proxy=$proxy\n" if $proxy;
f00829fd	110
13bc64ea	111	PVE::Tools::run_command($cmd, input => $input);
f00829fd FG	112
	113	$data->{url} = $challenge->{url};
	114
	115	return $domain;
	116	};
	117
	118	sub setup {
	119	my ($self, $acme, $auth, $data) = @_;
	120
	121	my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
98b96d9e	122	print "Add TXT record: _acme-challenge.$domain\n";
4317ba99	123
1192b595	124	my $delay = $data->{plugin}->{'validation-delay'} // 30;
4317ba99 TL	125	if ($delay > 0) {
	126	print "Sleeping $delay seconds to wait for TXT record propagation\n";
	127	sleep($delay); # don't care for EINTR
	128	}
98b96d9e WL	129	}
98b96d9e WL	130
98b96d9e	131	sub teardown {
f00829fd	132	my ($self, $acme, $auth, $data) = @_;
98b96d9e	133
f00829fd	134	my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
98b96d9e WL	135	print "Remove TXT record: _acme-challenge.$domain\n";
	136	}
	137
	138	1;