feat: allow to configure proxy certificate and key with one unique co…

…mmand
enix · Feb 14, 2025 · d6e862c · d6e862c
1 parent 5c10ff5
commit d6e862c
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -95,11 +95,32 @@ clusters:
     proxy_certificate_key_path: /tmp/proxmox-reverse-proxy
 ```
 
+You can also use command substitution syntax and the key `proxy_certificate` to execute a command that will output a json containing the certficate and key paths.
+
+```yaml
+clusters:
+  - name: fr-par-1
+    host: localhost
+    user: pvecontrol@pve
+    password: my.password.is.weak
+    proxy_certificate: `$(my_custom_command login proxmox-fr-par-1)`
+```
+
+It should output something like this:
+
+```json
+{
+  "cert": "/tmp/proxmox-reverse-proxy.pem",
+  "key": "/tmp/proxmox-reverse-proxy",
+  "anything_else": "it is ok to have other fields, they will be ignored. this is to support existing commands"
+}
+```
+
 CAUTION: environment variable and `~` expansion and are not supported.
 
 ### Better security
 
-Instead of specifying users, passwords and certificates paths in plain text in the configuration file, you can use the shell command substitution syntax `$(...)` inside the `user`, `password`, `proxy_certificate_path` and `proxy_certificate_path_key` fields; for instance:
+Instead of specifying users, passwords and certificates paths in plain text in the configuration file, you can use the shell command substitution syntax `$(...)` inside the `user`, `password`, `proxy_certificate` fields; for instance:
 
 ```yaml
 clusters:

diff --git a/src/pvecontrol/__init__.py b/src/pvecontrol/__init__.py
@@ -5,6 +5,7 @@
 import logging
 import re
 import subprocess
+import json
 
 from importlib.metadata import version
 
@@ -172,30 +173,32 @@ def run_auth_commands(clusterconfig):
     auth = {}
     regex = r"^\$\((.*)\)$"
 
-    for key in (
-        "user",
-        "password",
-        "token_name",
-        "token_value",
-        "proxy_certificate_path",
-        "proxy_certificate_key_path",
-    ):
+    keys = ["user", "password", "token_name", "token_value"]
+
+    if clusterconfig["proxy_certificate"] is not None:
+        if isinstance(clusterconfig.get("proxy_certificate"), str):
+            keys.append("proxy_certificate")
+        else:
+            auth["proxy_certificate"] = clusterconfig["proxy_certificate"]
+
+    for key in keys:
         value = clusterconfig.get(key)
         if value is not None:
             result = re.match(regex, value)
             if result:
                 value = _execute_command(result.group(1))
             auth[key] = value
 
-    proxy_certificate = auth.get("proxy_certificate_path")
-    proxy_certificate_key = auth.get("proxy_certificate_key_path")
-    if proxy_certificate != "" and proxy_certificate_key != "":
-        auth["cert"] = (proxy_certificate, proxy_certificate_key)
+    if "proxy_certificate" in auth and isinstance(auth["proxy_certificate"], bytes):
+        proxy_certificate = json.loads(auth["proxy_certificate"])
+        auth["proxy_certificate"] = {
+            "cert": proxy_certificate.get("cert"),
+            "key": proxy_certificate.get("key"),
+        }
 
-    if "proxy_certificate_path" in auth:
-        del auth["proxy_certificate_path"]
-    if "proxy_certificate_key_path" in auth:
-        del auth["proxy_certificate_key_path"]
+    if "proxy_certificate" in auth:
+        auth["cert"] = (auth["proxy_certificate"]["cert"], auth["proxy_certificate"]["key"])
+        del auth["proxy_certificate"]
 
     logging.debug("Auth: %s", auth)
     # check for "incompatible" auth options

diff --git a/src/pvecontrol/config.py b/src/pvecontrol/config.py
@@ -10,8 +10,18 @@
             "host": str,
             "user": str,
             "password": confuse.Optional(str, None),
-            "proxy_certificate_path": confuse.Optional(str, None),
-            "proxy_certificate_key_path": confuse.Optional(str, None),
+            "proxy_certificate": confuse.Optional(
+                confuse.OneOf(
+                    [
+                        str,
+                        {
+                            "cert": str,
+                            "key": str,
+                        },
+                    ]
+                ),
+                None,
+            ),
             "token_name": confuse.Optional(str, None),
             "token_value": confuse.Optional(str, None),
             "node": confuse.Optional(