
Commit d6e862c

committed
feat: allow to configure proxy certificate and key with one unique command
1 parent 5c10ff5 commit d6e862c


3 files changed

+53
-19
lines changed


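--- a/README.md
+++ b/README.md
@@ -95,11 +95,32 @@ clusters:
 proxy_certificate_key_path: /tmp/proxmox-reverse-proxy
 ```
 
+You can also use command substitution syntax and the key `proxy_certificate` to execute a command that will output a json containing the certficate and key paths.
+
+```yaml
+clusters:
+- name: fr-par-1
+host: localhost
+user: pvecontrol@pve
+password: my.password.is.weak
+proxy_certificate: `$(my_custom_command login proxmox-fr-par-1)`
+```
+
+It should output something like this:
+
+```json
+{
+"cert": "/tmp/proxmox-reverse-proxy.pem",
+"key": "/tmp/proxmox-reverse-proxy",
+"anything_else": "it is ok to have other fields, they will be ignored. this is to support existing commands"
+}
+```
+
 CAUTION: environment variable and `~` expansion and are not supported.
 
 ### Better security
 
-Instead of specifying users, passwords and certificates paths in plain text in the configuration file, you can use the shell command substitution syntax `$(...)` inside the `user`, `password`, `proxy_certificate_path` and `proxy_certificate_path_key` fields; for instance:
+Instead of specifying users, passwords and certificates paths in plain text in the configuration file, you can use the shell command substitution syntax `$(...)` inside the `user`, `password`, `proxy_certificate` fields; for instance:
 
 ```yaml
 clusters: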

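--- a/src/pvecontrol/__init__.py
+++ b/src/pvecontrol/__init__.py
@@ -5,6 +5,7 @@
 import logging
 import re
 import subprocess
+import json
 
 from importlib.metadata import version
 
@@ -172,30 +173,32 @@ def run_auth_commands(clusterconfig):
 auth = {}
 regex = r"^\$\((.*)\)$"
 
-for key in (
-"user",
-"password",
-"token_name",
-"token_value",
-"proxy_certificate_path",
-"proxy_certificate_key_path",
-):
+keys = ["user", "password", "token_name", "token_value"]
+
+if clusterconfig["proxy_certificate"] is not None:
+if isinstance(clusterconfig.get("proxy_certificate"), str):
+keys.append("proxy_certificate")
+else:
+auth["proxy_certificate"] = clusterconfig["proxy_certificate"]
+
+for key in keys:
 value = clusterconfig.get(key)
 if value is not None:
 result = re.match(regex, value)
 if result:
 value = _execute_command(result.group(1))
 auth[key] = value
 
-proxy_certificate = auth.get("proxy_certificate_path")
-proxy_certificate_key = auth.get("proxy_certificate_key_path")
-if proxy_certificate != "" and proxy_certificate_key != "":
-auth["cert"] = (proxy_certificate, proxy_certificate_key)
+if "proxy_certificate" in auth and isinstance(auth["proxy_certificate"], bytes):
+proxy_certificate = json.loads(auth["proxy_certificate"])
+auth["proxy_certificate"] = {
+"cert": proxy_certificate.get("cert"),
+"key": proxy_certificate.get("key"),
+}
 
-if "proxy_certificate_path" in auth:
-del auth["proxy_certificate_path"]
-if "proxy_certificate_key_path" in auth:
-del auth["proxy_certificate_key_path"]
+if "proxy_certificate" in auth:
+auth["cert"] = (auth["proxy_certificate"]["cert"], auth["proxy_certificate"]["key"])
+del auth["proxy_certificate"]
 
 logging.debug("Auth: %s", auth)
 # check for "incompatible" auth options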

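--- a/src/pvecontrol/config.py
+++ b/src/pvecontrol/config.py
@@ -10,8 +10,18 @@
 "host": str,
 "user": str,
 "password": confuse.Optional(str, None),
-"proxy_certificate_path": confuse.Optional(str, None),
-"proxy_certificate_key_path": confuse.Optional(str, None),
+"proxy_certificate": confuse.Optional(
+confuse.OneOf(
+[
+str,
+{
+"cert": str,
+"key": str,
+},
+]
+),
+None,
+),
 "token_name": confuse.Optional(str, None),
 "token_value": confuse.Optional(str, None),
 "node": confuse.Optional(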
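Review bot: Dropping `proxy_certificate_path` and `proxy_certificate_key_path` from the template gives existing configurations no migration path, and the README example left as context in this commit still shows `proxy_certificate_key_path`. How confuse treats keys missing from the template is not visible here; if they are ignored, an upgraded deployment would stop presenting its client certificate without any error. I would either keep both old entries as deprecated aliases, e.g. `"proxy_certificate_path": confuse.Optional(str, None),`, and map them onto the new tuple, or reject them explicitly with a message pointing to `proxy_certificate`. The template dict starts before and continues past this hunk.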
