]>
Commit | Line | Data |
---|---|---|
1 | package PVE::ACME::DNSChallenge; | |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use Digest::SHA qw(sha256); | |
7 | use JSON; | |
8 | ||
9 | use PVE::Tools; | |
10 | ||
11 | use PVE::ACME; | |
12 | ||
13 | use base qw(PVE::ACME::Challenge); | |
14 | ||
15 | my $ACME_PATH = '/usr/share/proxmox-acme/proxmox-acme'; | |
16 | ||
17 | sub supported_challenge_types { | |
18 | return ["dns-01"]; | |
19 | } | |
20 | ||
21 | sub type { | |
22 | return 'dns'; | |
23 | } | |
24 | ||
25 | my $DNS_API_CHALLENGE_SCHEMA_FN = '/usr/share/proxmox-acme/dns-challenge-schema.json'; | |
26 | ||
27 | my $plugin_cache; | |
28 | sub get_supported_plugins { | |
29 | if (!$plugin_cache) { | |
30 | $plugin_cache = -e $DNS_API_CHALLENGE_SCHEMA_FN # we allow this to be optional as not all users require | |
31 | ? from_json(PVE::Tools::file_get_contents($DNS_API_CHALLENGE_SCHEMA_FN)) | |
32 | : {}; | |
33 | } | |
34 | return $plugin_cache; | |
35 | } | |
36 | ||
37 | sub properties { | |
38 | my $plugins = get_supported_plugins(); | |
39 | return { | |
40 | api => { | |
41 | description => "API plugin name", | |
42 | type => 'string', | |
43 | enum => [sort keys %$plugins], | |
44 | }, | |
45 | data => { | |
46 | type => 'string', | |
47 | description => 'DNS plugin data. (base64 encoded)', | |
48 | }, | |
49 | 'validation-delay' => { | |
50 | type => 'integer', | |
51 | description => 'Extra delay in seconds to wait before requesting validation.' | |
52 | .' Allows to cope with a long TTL of DNS records.', | |
53 | # low default, but our bet is that the acme-challenge domain isn't | |
54 | # cached at all, so it hopefully shouldn't run into TTL issues | |
55 | default => 30, | |
56 | optional => 1, | |
57 | minimum => 0, | |
58 | maximum => 2 * 24 * 60 * 60, | |
59 | } | |
60 | }; | |
61 | } | |
62 | ||
63 | sub options { | |
64 | return { | |
65 | api => {}, | |
66 | data => { optional => 1 }, | |
67 | nodes => { optional => 1 }, | |
68 | disable => { optional => 1 }, | |
69 | 'validation-delay' => { optional => 1 }, | |
70 | }; | |
71 | } | |
72 | ||
73 | my $proxmox_acme_command = sub { | |
74 | my ($self, $acme, $auth, $data, $action) = @_; | |
75 | ||
76 | die "No plugin data for DNSChallenge\n" if !defined($data->{plugin}); | |
77 | ||
78 | my $alias = $data->{alias}; | |
79 | my $domain = $auth->{identifier}->{value}; | |
80 | ||
81 | my $challenge = $self->extract_challenge($auth->{challenges}); | |
82 | my $key_auth = $acme->key_authorization($challenge->{token}); | |
83 | ||
84 | my $txtvalue = PVE::ACME::encode(sha256($key_auth)); | |
85 | my $dnsplugin = $data->{plugin}->{api}; | |
86 | my $plugin_conf_string = $data->{plugin}->{data}; | |
87 | ||
88 | # for security reasons, we execute the command as nobody | |
89 | # we can't verify that the code of the DNSPlugins are harmless. | |
90 | my $cmd = ["setpriv", "--reuid", "nobody", "--regid", "nogroup", "--clear-groups", "--reset-env", "--"]; | |
91 | ||
92 | # The order of the parameters passed to proxmox-acme is important | |
93 | # proxmox-acme <setup|teardown> $plugin <$domain|$alias> $txtvalue [$plugin_conf_string] | |
94 | push @$cmd, "/bin/bash", $ACME_PATH, $action, $dnsplugin; | |
95 | if ($alias) { | |
96 | push @$cmd, $alias; | |
97 | } else { | |
98 | push @$cmd, $domain; | |
99 | } | |
100 | my $input = "$txtvalue\n"; | |
101 | $input .= "$plugin_conf_string\n" if $plugin_conf_string; | |
102 | ||
103 | PVE::Tools::run_command($cmd, input => $input); | |
104 | ||
105 | $data->{url} = $challenge->{url}; | |
106 | ||
107 | return $domain; | |
108 | }; | |
109 | ||
110 | sub setup { | |
111 | my ($self, $acme, $auth, $data) = @_; | |
112 | ||
113 | my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'setup'); | |
114 | print "Add TXT record: _acme-challenge.$domain\n"; | |
115 | ||
116 | my $delay = $data->{plugin}->{'validation-delay'} // 30; | |
117 | if ($delay > 0) { | |
118 | print "Sleeping $delay seconds to wait for TXT record propagation\n"; | |
119 | sleep($delay); # don't care for EINTR | |
120 | } | |
121 | } | |
122 | ||
123 | sub teardown { | |
124 | my ($self, $acme, $auth, $data) = @_; | |
125 | ||
126 | my $domain = $proxmox_acme_command->($self, $acme, $auth, $data, 'teardown'); | |
127 | print "Remove TXT record: _acme-challenge.$domain\n"; | |
128 | } | |
129 | ||
130 | 1; |