]>
Commit | Line | Data |
---|---|---|
98b96d9e WL |
1 | package PVE::ACME::DNSChallenge; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use Digest::SHA qw(sha256); | |
4195bf0a TL |
7 | use JSON; |
8 | ||
98b96d9e WL |
9 | use PVE::Tools; |
10 | ||
c617455e WB |
11 | use PVE::ACME; |
12 | ||
98b96d9e WL |
13 | use base qw(PVE::ACME::Challenge); |
14 | ||
15 | my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme'; | |
16 | ||
17 | sub supported_challenge_types { | |
122626b3 | 18 | return ["dns-01"]; |
98b96d9e WL |
19 | } |
20 | ||
21 | sub type { | |
22 | return 'dns'; | |
23 | } | |
24 | ||
4195bf0a | 25 | my $DNS_API_CHALLENGE_SCHEMA_FN = '/usr/share/proxmox-acme/dns-challenge-schema.json'; |
6f5be4aa | 26 | |
e2483043 | 27 | my $plugin_cache; |
e3924936 | 28 | sub get_supported_plugins { |
e2483043 TL |
29 | if (!$plugin_cache) { |
30 | $plugin_cache = -e $DNS_API_CHALLENGE_SCHEMA_FN # we allow this to be optional as not all users require | |
31 | ? from_json(PVE::Tools::file_get_contents($DNS_API_CHALLENGE_SCHEMA_FN)) | |
32 | : {}; | |
33 | } | |
34 | return $plugin_cache; | |
e3924936 | 35 | } |
98b96d9e WL |
36 | |
37 | sub properties { | |
e2483043 | 38 | my $plugins = get_supported_plugins(); |
98b96d9e WL |
39 | return { |
40 | api => { | |
41 | description => "API plugin name", | |
42 | type => 'string', | |
6f5be4aa | 43 | enum => [sort keys %$plugins], |
98b96d9e WL |
44 | }, |
45 | data => { | |
46 | type => 'string', | |
6372e898 | 47 | description => 'DNS plugin data. (base64 encoded)', |
98b96d9e | 48 | }, |
4317ba99 TL |
49 | 'validation-delay' => { |
50 | type => 'integer', | |
51 | description => 'Extra delay in seconds to wait before requesting validation.' | |
52 | .' Allows to cope with a long TTL of DNS records.', | |
53 | # low default, but our bet is that the acme-challenge domain isn't | |
54 | # cached at all, so it hopefully shouldn't run into TTL issues | |
55 | default => 30, | |
56 | optional => 1, | |
57 | minimum => 0, | |
58 | maximum => 2 * 24 * 60 * 60, | |
e1088f61 SI |
59 | }, |
60 | 'use-proxy' => { | |
61 | description => "Flag indicating whether a http proxy should be used.", | |
62 | type => 'boolean', | |
63 | optional => 1, | |
64 | }, | |
98b96d9e WL |
65 | }; |
66 | } | |
67 | ||
68 | sub options { | |
69 | return { | |
70 | api => {}, | |
13b63882 | 71 | data => { optional => 1 }, |
98b96d9e WL |
72 | nodes => { optional => 1 }, |
73 | disable => { optional => 1 }, | |
4317ba99 | 74 | 'validation-delay' => { optional => 1 }, |
e1088f61 | 75 | 'use-proxy' => { optional => 1 }, |
98b96d9e WL |
76 | }; |
77 | } | |
78 | ||
f00829fd FG |
79 | my $proxmox_acme_command = sub { |
80 | my ($self, $acme, $auth, $data, $action) = @_; | |
98b96d9e WL |
81 | |
82 | die "No plugin data for DNSChallenge\n" if !defined($data->{plugin}); | |
f00829fd FG |
83 | |
84 | my $alias = $data->{alias}; | |
85 | my $domain = $auth->{identifier}->{value}; | |
86 | ||
87 | my $challenge = $self->extract_challenge($auth->{challenges}); | |
88 | my $key_auth = $acme->key_authorization($challenge->{token}); | |
89 | ||
90 | my $txtvalue = PVE::ACME::encode(sha256($key_auth)); | |
98b96d9e WL |
91 | my $dnsplugin = $data->{plugin}->{api}; |
92 | my $plugin_conf_string = $data->{plugin}->{data}; | |
e1088f61 | 93 | my $proxy = $data->{plugin}->{proxy}; |
98b96d9e WL |
94 | |
95 | # for security reasons, we execute the command as nobody | |
96 | # we can't verify that the code of the DNSPlugins are harmless. | |
f0ed0733 | 97 | my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"]; |
98b96d9e | 98 | |
f00829fd FG |
99 | # The order of the parameters passed to proxmox-acme is important |
100 | # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string] | |
101 | push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin; | |
102 | if ($alias) { | |
103 | push @$cmd, $alias; | |
104 | } else { | |
105 | push @$cmd, $domain; | |
106 | } | |
13bc64ea FG |
107 | my $input = "$txtvalue\n"; |
108 | $input .= "$plugin_conf_string\n" if $plugin_conf_string; | |
e1088f61 | 109 | $input .= "https_proxy=$proxy\nhttp_proxy=$proxy\n" if $proxy; |
f00829fd | 110 | |
13bc64ea | 111 | PVE::Tools::run_command($cmd, input => $input); |
f00829fd FG |
112 | |
113 | $data->{url} = $challenge->{url}; | |
114 | ||
115 | return $domain; | |
116 | }; | |
117 | ||
118 | sub setup { | |
119 | my ($self, $acme, $auth, $data) = @_; | |
120 | ||
121 | my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup'); | |
98b96d9e | 122 | print "Add TXT record: _acme-challenge.$domain\n"; |
4317ba99 | 123 | |
1192b595 | 124 | my $delay = $data->{plugin}->{'validation-delay'} // 30; |
4317ba99 TL |
125 | if ($delay > 0) { |
126 | print "Sleeping $delay seconds to wait for TXT record propagation\n"; | |
127 | sleep($delay); # don't care for EINTR | |
128 | } | |
98b96d9e WL |
129 | } |
130 | ||
98b96d9e | 131 | sub teardown { |
f00829fd | 132 | my ($self, $acme, $auth, $data) = @_; |
98b96d9e | 133 | |
f00829fd | 134 | my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown'); |
98b96d9e WL |
135 | print "Remove TXT record: _acme-challenge.$domain\n"; |
136 | } | |
137 | ||
138 | 1; |