[pve-manager.git] / PVE / API2 / Certificates.pm

package PVE::API2::Certificates;

use strict;
use warnings;

use PVE::API2::ACME;
use PVE::Certificate;
use PVE::CertHelpers;;
use PVE::Exception qw(raise_param_exc);
use PVE::JSONSchema qw(get_standard_option);
use PVE::Tools qw(extract_param file_get_contents file_set_contents);

use base qw(PVE::RESTHandler);


__PACKAGE__->register_method ({
    subclass => "PVE::API2::ACME",
    path => 'acme',
});

__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    permissions => { user => 'all' },
    description => "Node index.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {},
	},
	links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
	my ($param) = @_;

	return [
	    { name => 'acme' },
	    { name => 'custom' },
	    { name => 'info' },
	];
    },
});

__PACKAGE__->register_method ({
    name => 'info',
    path => 'info',
    method => 'GET',
    permissions => { user => 'all' },
    proxyto => 'node',
    description => "Get information about node's certificates.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	},
    },
    returns => {
	type => 'array',
	items => get_standard_option('pve-certificate-info'),
    },
    code => sub {
	my ($param) = @_;

	my $node_path = "/etc/pve/nodes/$param->{node}";

	my $res = [];
	my $cert_paths = [
	    '/etc/pve/pve-root-ca.pem',
	    "$node_path/pve-ssl.pem",
	    "$node_path/pveproxy-ssl.pem",
	];
	for my $path (@$cert_paths) {
	    eval {
		my $info = PVE::Certificate::get_certificate_info($path);
		push @$res, $info if $info;
	    };
	}
	return $res;
    },
});

__PACKAGE__->register_method ({
    name => 'upload_custom_cert',
    path => 'custom',
    method => 'POST',
    description => 'Upload or update custom certificate chain and key.',
    protected => 1,
    proxyto => 'node',
    parameters => {
	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	    certificates => {
		type => 'string',
		format => 'pem-certificate-chain',
		description => 'PEM encoded certificate (chain).',
	    },
	    key => {
		type => 'string',
		description => 'PEM encoded private key.',
		format => 'pem-string',
		optional => 1,
	    },
	    force => {
		type => 'boolean',
		description => 'Overwrite existing custom or ACME certificate files.',
		optional => 1,
		default => 0,
	    },
	    restart => {
		type => 'boolean',
		description => 'Restart pveproxy.',
		optional => 1,
		default => 0,
	    },
	},
    },
    returns => get_standard_option('pve-certificate-info'),
    code => sub {
	my ($param) = @_;

	my $node = extract_param($param, 'node');
	my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);

	my $certs = extract_param($param, 'certificates');
	$certs = PVE::Certificate::strip_leading_text($certs);

	my $key = extract_param($param, 'key');
	if ($key) {
	    $key = PVE::Certificate::strip_leading_text($key);
	} else {
	    raise_param_exc({'key' => "Attempted to upload custom certificate without (existing) key."})
		if ! -e "${cert_prefix}.key";
	}

	my $info;

	my $code = sub {
	    print "Setting custom certificate files\n";
	    $info = PVE::CertHelpers::set_cert_files($certs, $key, $cert_prefix, $param->{force});

	    if ($param->{restart}) {
		print "Restarting pveproxy\n";
		PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
	    }
	};

	PVE::CertHelpers::cert_lock(10, $code);
	die "$@\n" if $@;

	return $info;
    }});

__PACKAGE__->register_method ({
    name => 'remove_custom_cert',
    path => 'custom',
    method => 'DELETE',
    description => 'DELETE custom certificate chain and key.',
    protected => 1,
    proxyto => 'node',
    parameters => {
	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	    restart => {
		type => 'boolean',
		description => 'Restart pveproxy.',
		optional => 1,
		default => 0,
	    },
	},
    },
    returns => {
	type => 'null',
    },
    code => sub {
	my ($param) = @_;

	my $node = extract_param($param, 'node');
	my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);

	my $code = sub {
	    print "Deleting custom certificate files\n";
	    unlink "${cert_prefix}.pem";
	    unlink "${cert_prefix}.key";

	    if ($param->{restart}) {
		print "Restarting pveproxy\n";
		PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
	    }
	};

	PVE::CertHelpers::cert_lock(10, $code);
	die "$@\n" if $@;

	return undef;
    }});

1;
Commit	Line	Data
036475f8 FG	1	package PVE::API2::Certificates;
	2
	3	use strict;
	4	use warnings;
	5
	6	use PVE::API2::ACME;
	7	use PVE::Certificate;
	8	use PVE::CertHelpers;;
	9	use PVE::Exception qw(raise_param_exc);
	10	use PVE::JSONSchema qw(get_standard_option);
	11	use PVE::Tools qw(extract_param file_get_contents file_set_contents);
	12
	13	use base qw(PVE::RESTHandler);
	14
	15
	16	__PACKAGE__->register_method ({
	17	subclass => "PVE::API2::ACME",
	18	path => 'acme',
	19	});
	20
	21	__PACKAGE__->register_method ({
	22	name => 'index',
	23	path => '',
	24	method => 'GET',
	25	permissions => { user => 'all' },
	26	description => "Node index.",
	27	parameters => {
	28	additionalProperties => 0,
	29	properties => {
	30	node => get_standard_option('pve-node'),
	31	},
	32	},
	33	returns => {
	34	type => 'array',
	35	items => {
	36	type => "object",
	37	properties => {},
	38	},
	39	links => [ { rel => 'child', href => "{name}" } ],
	40	},
	41	code => sub {
	42	my ($param) = @_;
	43
	44	return [
	45	{ name => 'acme' },
	46	{ name => 'custom' },
	47	{ name => 'info' },
	48	];
	49	},
	50	});
	51
	52	__PACKAGE__->register_method ({
	53	name => 'info',
	54	path => 'info',
	55	method => 'GET',
	56	permissions => { user => 'all' },
	57	proxyto => 'node',
	58	description => "Get information about node's certificates.",
	59	parameters => {
	60	additionalProperties => 0,
	61	properties => {
	62	node => get_standard_option('pve-node'),
	63	},
	64	},
65	returns => {
66	type => 'array',
67	items => get_standard_option('pve-certificate-info'),
68	},
69	code => sub {
70	my ($param) = @_;
71
72	my $node_path = "/etc/pve/nodes/$param->{node}";
73
74	my $res = [];
75	my $cert_paths = [
76	'/etc/pve/pve-root-ca.pem',
77	"$node_path/pve-ssl.pem",
78	"$node_path/pveproxy-ssl.pem",
79	];
80	for my $path (@$cert_paths) {
81	eval {
82	my $info = PVE::Certificate::get_certificate_info($path);
83	push @$res, $info if $info;
84	};
85	}
86	return $res;
87	},
88	});
89
90	__PACKAGE__->register_method ({
91	name => 'upload_custom_cert',
92	path => 'custom',
93	method => 'POST',
94	description => 'Upload or update custom certificate chain and key.',
95	protected => 1,
96	proxyto => 'node',
97	parameters => {
98	additionalProperties => 0,
99	properties => {
100	node => get_standard_option('pve-node'),
101	certificates => {
102	type => 'string',
103	format => 'pem-certificate-chain',
104	description => 'PEM encoded certificate (chain).',
105	},
106	key => {
107	type => 'string',
108	description => 'PEM encoded private key.',
109	format => 'pem-string',
110	optional => 1,
111	},
112	force => {
113	type => 'boolean',
114	description => 'Overwrite existing custom or ACME certificate files.',
115	optional => 1,
116	default => 0,
117	},
118	restart => {
119	type => 'boolean',
120	description => 'Restart pveproxy.',
121	optional => 1,
122	default => 0,
123	},
124	},
125	},
126	returns => get_standard_option('pve-certificate-info'),
127	code => sub {
128	my ($param) = @_;
129
130	my $node = extract_param($param, 'node');
131	my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);
132
133	my $certs = extract_param($param, 'certificates');
134	$certs = PVE::Certificate::strip_leading_text($certs);
135
136	my $key = extract_param($param, 'key');
137	if ($key) {
138	$key = PVE::Certificate::strip_leading_text($key);
139	} else {
140	raise_param_exc({'key' => "Attempted to upload custom certificate without (existing) key."})
141	if ! -e "${cert_prefix}.key";
142	}
143
144	my $info;
145
146	my $code = sub {
147	print "Setting custom certificate files\n";
148	$info = PVE::CertHelpers::set_cert_files($certs, $key, $cert_prefix, $param->{force});
149
150	if ($param->{restart}) {
151	print "Restarting pveproxy\n";
152	PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
153	}
154	};
155
156	PVE::CertHelpers::cert_lock(10, $code);
157	die "$@\n" if $@;
158
159	return $info;
160	}});
161
162	__PACKAGE__->register_method ({
163	name => 'remove_custom_cert',
164	path => 'custom',
165	method => 'DELETE',
166	description => 'DELETE custom certificate chain and key.',
167	protected => 1,
168	proxyto => 'node',
169	parameters => {
170	additionalProperties => 0,
171	properties => {
172	node => get_standard_option('pve-node'),
173	restart => {
174	type => 'boolean',
175	description => 'Restart pveproxy.',
176	optional => 1,
177	default => 0,
178	},
179	},
180	},
181	returns => {
182	type => 'null',
183	},
184	code => sub {
185	my ($param) = @_;
186
187	my $node = extract_param($param, 'node');
188	my $cert_prefix = PVE::CertHelpers::cert_path_prefix($node);
189
190	my $code = sub {
191	print "Deleting custom certificate files\n";
192	unlink "${cert_prefix}.pem";
193	unlink "${cert_prefix}.key";
194
195	if ($param->{restart}) {
196	print "Restarting pveproxy\n";
197	PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);
198	}
199	};
200
201	PVE::CertHelpers::cert_lock(10, $code);
202	die "$@\n" if $@;
203
204	return undef;
205	}});
206
207	1;