Add manual support for manual plugin by providing auth and cleanup hook paths

2025-04-17 10:10:20 +00:00 · 2023-12-22 14:28:42 -05:00 · 2023-12-22 14:28:42 -05:00 · 56ce1ff3e7
commit 56ce1ff3e7
parent 5bc09e5470
2 changed files with 15 additions and 0 deletions
--- a/salt/modules/acme.py
+++ b/salt/modules/acme.py
@ -132,6 +132,8 @@ def cert(
    http_01_address=None,
    dns_plugin=None,
    dns_plugin_credentials=None,
+    manual_auth_hook=None,
+    manual_cleanup_hook=None,
 ):
    """
    Obtain/renew a certificate from an ACME CA, probably Let's Encrypt.
@ -168,6 +170,8 @@ def cert(
        the specified DNS plugin
    :param dns_plugin_propagate_seconds: Number of seconds to wait for DNS propogations
        before asking ACME servers to verify the DNS record. (default 10)
+    :param manual_auth_hook: Path to the manual authentication hook script.
+    :param manual_cleanup_hook: Path to the manual cleanup or post-authentication hook script.
    :rtype: dict
    :return: Dictionary with 'result' True/False/None, 'comment' and certificate's
        expiry date ('not_after')
@ -221,6 +225,11 @@ def cert(
                "result": False,
                "comment": f"DNS plugin '{dns_plugin}' is not supported",
            }
+    elif manual_auth_hook:
+        cmd.append("--manual")
+        cmd.append(f"--manual-auth-hook '{manual_auth_hook}'")
+        if manual_cleanup_hook:
+            cmd.append(f"--manual-cleanup-hook '{manual_cleanup_hook}'")
    else:
        cmd.append("--authenticator standalone")

--- a/salt/states/acme.py
+++ b/salt/states/acme.py
@ -61,6 +61,8 @@ def cert(
    http_01_address=None,
    dns_plugin=None,
    dns_plugin_credentials=None,
+    manual_auth_hook=None,
+    manual_cleanup_hook=None,
 ):
    """
    Obtain/renew a certificate from an ACME CA, probably Let's Encrypt.
@ -91,6 +93,8 @@ def cert(
    :param https_01_address: The address the server listens to during http-01 challenge.
    :param dns_plugin: Name of a DNS plugin to use (currently only 'cloudflare')
    :param dns_plugin_credentials: Path to the credentials file if required by the specified DNS plugin
+    :param manual_auth_hook: Path to the authentication hook script.
+    :param manual_cleanup_hook: Path to the cleanup or post-authentication hook script.
    """

    if certname is None:
@ -138,6 +142,8 @@ def cert(
                http_01_address=http_01_address,
                dns_plugin=dns_plugin,
                dns_plugin_credentials=dns_plugin_credentials,
+                manual_auth_hook=manual_auth_hook,
+                manual_cleanup_hook=manual_cleanup_hook,
            )
            ret["result"] = res["result"]
            ret["comment"].append(res["comment"])