On October 23, 2023 3:18 pm, Folke Gleumes wrote: > Since external account binding is advertised the same way as the ToS, > it can be detected when creating an account and asked for if needed. > > Signed-off-by: Folke Gleumes <f.gleu...@proxmox.com> > --- > PVE/CLI/pvenode.pm | 16 ++++++++++++++-- > 1 file changed, 14 insertions(+), 2 deletions(-) > > diff --git a/PVE/CLI/pvenode.pm b/PVE/CLI/pvenode.pm > index acef6c3b..e3d6b15a 100644 > --- a/PVE/CLI/pvenode.pm > +++ b/PVE/CLI/pvenode.pm > @@ -117,8 +117,9 @@ __PACKAGE__->register_method({ > } > } > print "\nAttempting to fetch Terms of Service from > '$param->{directory}'..\n"; > - my $tos = PVE::API2::ACMEAccount->get_tos({ directory => > $param->{directory} }); > - if ($tos) { > + my $meta = PVE::API2::ACMEAccount->get_meta({ directory => > $param->{directory} }); > + if ($meta->{termsOfService}) { > + my $tos = $meta->{termsOfService}; > print "Terms of Service: $tos\n"; > my $term = Term::ReadLine->new('pvenode'); > my $agreed = $term->readline('Do you agree to the above terms? > [y|N]: '); > @@ -129,6 +130,17 @@ __PACKAGE__->register_method({ > } else { > print "No Terms of Service found, proceeding.\n"; > } > + if ($meta->{externalAccountRequired}) { > + print "The ACME Directory uses External Account Binding\n";
s/uses/requires and maybe s/Directory/CA/ since "directory" is just the name for the entrypoint of the API :) > + my $term = Term::ReadLine->new('pvenode'); since this is the "interactive" user friendly mode, we might want to add another line here to indicate that the requested values should have been given to the user by the CA? > + my $eab_kid = $term->readline('Enter EAB kid: '); might be worth to s/kid/key identifier ("kid")/ to make it more understandable for users who haven't already learned the ACME spec by heart ;) > + my $eab_hmac_key = $term->readline('Enter EAB HMAC key: '); > + > + $param->{eab_kid} = $eab_kid; > + $param->{eab_hmac_key} = $eab_hmac_key; maybe: } elsif ($directory_is_custom) { # ask for optional EAB parameters } > + } else { > + print "No EAB required, proceeding.\n"; > + } > print "\nAttempting to register account with '$param->{directory}'..\n"; > > $upid_exit->(PVE::API2::ACMEAccount->register_account($param)); > -- > 2.39.2 > > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
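Review bot: In the first hunk (@@ -117,8 +117,9 @@), `if ($meta->{termsOfService})` dereferences the return value of get_meta without checking that a hash reference came back. The visible lines do not show what get_meta returns for a directory that advertises no meta object; if that can be undef, an explicit guard such as `if ($meta && $meta->{termsOfService})` would make both this check and the later externalAccountRequired check independent of autovivification, and a short comment on which meta fields the caller relies on would help.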
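Review bot: In the second hunk (@@ -129,6 +130,17 @@), the two readline results are copied into $param at `$param->{eab_kid} = $eab_kid;` and `$param->{eab_hmac_key} = $eab_hmac_key;` without any check, so empty input, or undef when input ends, is passed on to register_account even though this branch only runs when externalAccountRequired is set. Suggest trimming both values and dying with a clear message if either is empty before the "Attempting to register account" line. The HMAC key is a secret, and `$term->readline('Enter EAB HMAC key: ')` echoes it on the terminal, so reading it without echo would be preferable. The hunk also creates a second Term::ReadLine->new('pvenode') while the ToS branch creates its own; a single $term declared before both branches would do.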