[proxmox-acme.git] / src / PVE / ACME / DNSChallenge.pm

package PVE::ACME::DNSChallenge;

use strict;
use warnings;

use Digest::SHA qw(sha256);
use PVE::Tools;

use base qw(PVE::ACME::Challenge);

my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';

sub supported_challenge_types {
    return { 'dns-01' => 1 };
}

sub type {
    return 'dns';
}

my $api_name_list = [
    'acmedns',
    'acmeproxy',
    'active24',
    'ad',
    'ali',
    'autodns',
    'aws',
    'azure',
    'cf',
    'clouddns',
    'cloudns',
    'cn',
    'conoha',
    'constellix',
    'cx',
    'cyon',
    'da',
    'ddnss',
    'desec',
    'dgon',
    'dnsimple',
    'do',
    'doapi',
    'domeneshop',
    'dp',
    'dpi',
    'dreamhost',
    'duckdns',
    'durabledns',
    'dyn',
    'dynu',
    'dynv6',
    'easydns',
    'euserv',
    'exoscale',
    'freedns',
    'gandi_livedns',
    'gcloud',
    'gd',
    'gdnsdk',
    'he',
    'hexonet',
    'hostingde',
    'infoblox',
    'internetbs',
    'inwx',
    'ispconfig',
    'jd',
    'kas',
    'kinghost',
    'knot',
    'leaseweb',
    'lexicon',
    'linode',
    'linode_v4',
    'loopia',
    'lua',
    'maradns',
    'me',
    'miab',
    'misaka',
    'myapi',
    'mydevil',
    'mydnsjp',
    'namecheap',
    'namecom',
    'namesilo',
    'nederhost',
    'neodigit',
    'netcup',
    'nic',
    'nsd',
    'nsone',
    'nsupdate',
    'nw',
    'one',
    'online',
    'openprovider',
    'opnsense',
    'ovh',
    'pdns',
    'pleskxml',
    'pointhq',
    'rackspace',
    'rcode0',
    'regru',
    'schlundtech',
    'selectel',
    'servercow',
    'tele3',
    'ultra',
    'unoeuro',
    'variomedia',
    'vscale',
    'vultr',
    'yandex',
    'zilore',
    'zone',
    'zonomi',
];

sub properties {
    return {
	api => {
	    description => "API plugin name",
	    type => 'string',
	    enum => $api_name_list,
	},
	data => {
	    type => 'string',
	    description => 'DNS plugin data.',
	},
    };
}

sub options {
    return {
	api => {},
	data => { optional => 1 },
	nodes => { optional => 1 },
	disable => { optional => 1 },
    };
}

sub extract_challenge {
    my ($self, $challenge) = @_;

    return PVE::ACME::Challenge->extract_challenge($challenge, 'dns-01');
}
    
sub get_subplugins {
    return $api_name_list;
}

my $proxmox_acme_command = sub {
    my ($self, $acme, $auth, $data, $action) = @_;

    die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});

    my $alias = $data->{alias};
    my $domain = $auth->{identifier}->{value};

    my $challenge = $self->extract_challenge($auth->{challenges});
    my $key_auth = $acme->key_authorization($challenge->{token});

    my $txtvalue = PVE::ACME::encode(sha256($key_auth));
    my $dnsplugin = $data->{plugin}->{api};
    my $plugin_conf_string = $data->{plugin}->{data};

    # for security reasons, we execute the command as nobody
    # we can't verify that the code of the DNSPlugins are harmless.
    my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--"];

    # The order of the parameters passed to proxmox-acme is important
    # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string]
    push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
    if ($alias) {
	push @$cmd, $alias;
    } else {
	push @$cmd, $domain;
    }
    push @$cmd, $txtvalue, $plugin_conf_string;

    PVE::Tools::run_command($cmd);

    $data->{url} = $challenge->{url};

    return $domain;
};

sub setup {
    my ($self, $acme, $auth, $data) = @_;

    my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
    print "Add TXT record: _acme-challenge.$domain\n";
}

sub teardown {
    my ($self, $acme, $auth, $data) = @_;

    my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
    print "Remove TXT record: _acme-challenge.$domain\n";
}

1;
Commit	Line	Data
98b96d9e WL	1	package PVE::ACME::DNSChallenge;
	2
	3	use strict;
	4	use warnings;
	5
	6	use Digest::SHA qw(sha256);
	7	use PVE::Tools;
	8
	9	use base qw(PVE::ACME::Challenge);
	10
	11	my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme';
	12
	13	sub supported_challenge_types {
	14	return { 'dns-01' => 1 };
	15	}
	16
	17	sub type {
	18	return 'dns';
	19	}
	20
	21	my $api_name_list = [
	22	'acmedns',
	23	'acmeproxy',
	24	'active24',
	25	'ad',
	26	'ali',
	27	'autodns',
	28	'aws',
	29	'azure',
	30	'cf',
	31	'clouddns',
	32	'cloudns',
	33	'cn',
	34	'conoha',
	35	'constellix',
	36	'cx',
	37	'cyon',
	38	'da',
	39	'ddnss',
	40	'desec',
	41	'dgon',
	42	'dnsimple',
	43	'do',
	44	'doapi',
	45	'domeneshop',
	46	'dp',
	47	'dpi',
	48	'dreamhost',
	49	'duckdns',
	50	'durabledns',
	51	'dyn',
	52	'dynu',
	53	'dynv6',
	54	'easydns',
	55	'euserv',
	56	'exoscale',
	57	'freedns',
	58	'gandi_livedns',
	59	'gcloud',
	60	'gd',
	61	'gdnsdk',
	62	'he',
	63	'hexonet',
	64	'hostingde',
65	'infoblox',
66	'internetbs',
67	'inwx',
68	'ispconfig',
69	'jd',
70	'kas',
71	'kinghost',
72	'knot',
73	'leaseweb',
74	'lexicon',
75	'linode',
76	'linode_v4',
77	'loopia',
78	'lua',
79	'maradns',
80	'me',
81	'miab',
82	'misaka',
83	'myapi',
84	'mydevil',
85	'mydnsjp',
86	'namecheap',
87	'namecom',
88	'namesilo',
89	'nederhost',
90	'neodigit',
91	'netcup',
92	'nic',
93	'nsd',
94	'nsone',
95	'nsupdate',
96	'nw',
97	'one',
98	'online',
99	'openprovider',
100	'opnsense',
101	'ovh',
102	'pdns',
103	'pleskxml',
104	'pointhq',
105	'rackspace',
106	'rcode0',
107	'regru',
108	'schlundtech',
109	'selectel',
110	'servercow',
111	'tele3',
112	'ultra',
113	'unoeuro',
114	'variomedia',
115	'vscale',
116	'vultr',
117	'yandex',
118	'zilore',
119	'zone',
120	'zonomi',
121	];
122
123	sub properties {
124	return {
125	api => {
126	description => "API plugin name",
127	type => 'string',
128	enum => $api_name_list,
129	},
130	data => {
131	type => 'string',
132	description => 'DNS plugin data.',
133	},
134	};
135	}
136
137	sub options {
138	return {
139	api => {},
13b63882	140	data => { optional => 1 },
98b96d9e WL	141	nodes => { optional => 1 },
	142	disable => { optional => 1 },
	143	};
	144	}
	145
98b96d9e WL	146	sub extract_challenge {
	147	my ($self, $challenge) = @_;
	148
	149	return PVE::ACME::Challenge->extract_challenge($challenge, 'dns-01');
	150	}
16925001 WL	151
	152	sub get_subplugins {
	153	return $api_name_list;
	154	}
98b96d9e	155
f00829fd FG	156	my $proxmox_acme_command = sub {
f00829fd FG	157	my ($self, $acme, $auth, $data, $action) = @_;
98b96d9e WL	158
98b96d9e WL	159	die "No plugin data for DNSChallenge\n" if !defined($data->{plugin});
f00829fd FG	160
	161	my $alias = $data->{alias};
	162	my $domain = $auth->{identifier}->{value};
	163
	164	my $challenge = $self->extract_challenge($auth->{challenges});
	165	my $key_auth = $acme->key_authorization($challenge->{token});
	166
	167	my $txtvalue = PVE::ACME::encode(sha256($key_auth));
98b96d9e WL	168	my $dnsplugin = $data->{plugin}->{api};
	169	my $plugin_conf_string = $data->{plugin}->{data};
	170
	171	# for security reasons, we execute the command as nobody
	172	# we can't verify that the code of the DNSPlugins are harmless.
	173	my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--"];
98b96d9e	174
f00829fd FG	175	# The order of the parameters passed to proxmox-acme is important
	176	# proxmox-acme <setup\|teardown> $plugin <$domain\|$alias> $txtvalue [$plugin_conf_string]
	177	push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin;
	178	if ($alias) {
	179	push @$cmd, $alias;
	180	} else {
	181	push @$cmd, $domain;
	182	}
	183	push @$cmd, $txtvalue, $plugin_conf_string;
	184
	185	PVE::Tools::run_command($cmd);
	186
	187	$data->{url} = $challenge->{url};
	188
	189	return $domain;
	190	};
	191
	192	sub setup {
	193	my ($self, $acme, $auth, $data) = @_;
	194
	195	my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup');
98b96d9e WL	196	print "Add TXT record: _acme-challenge.$domain\n";
	197	}
	198
98b96d9e	199	sub teardown {
f00829fd	200	my ($self, $acme, $auth, $data) = @_;
98b96d9e	201
f00829fd	202	my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown');
98b96d9e WL	203	print "Remove TXT record: _acme-challenge.$domain\n";
	204	}
	205
	206	1;