From 16007e3229dc13ec29b9c11608acf0d5c5e58b45 Mon Sep 17 00:00:00 2001
From: Lee Clemens
Date: Fri, 22 Dec 2023 14:28:42 -0500
Subject: [PATCH] Add manual support for manual plugin by providing auth and cleanup hook paths
---
 salt/modules/acme.py | 9 +++++++++
 salt/states/acme.py | 6 ++++++
 2 files changed, 15 insertions(+)
diff --git a/salt/modules/acme.py b/salt/modules/acme.py
index af87f48bf277..659b3ce8183f 100644
--- a/salt/modules/acme.py
+++ b/salt/modules/acme.py
@@ -132,6 +132,8 @@ def cert(
 http_01_address=None,
 dns_plugin=None,
 dns_plugin_credentials=None,
+ manual_auth_hook=None,
+ manual_cleanup_hook=None,
 ):
 """
 Obtain/renew a certificate from an ACME CA, probably Let's Encrypt.
@@ -168,6 +170,8 @@ def cert(
 the specified DNS plugin
 :param dns_plugin_propagate_seconds: Number of seconds to wait for DNS propogations before asking ACME servers to verify the DNS record. (default 10)
+ :param manual_auth_hook: Path to the manual authentication hook script.
+ :param manual_cleanup_hook: Path to the manual cleanup or post-authentication hook script.
 :rtype: dict
 :return: Dictionary with 'result' True/False/None, 'comment' and certificate's expiry date ('not_after')
@@ -221,6 +225,11 @@ def cert(
 "result": False,
 "comment": f"DNS plugin '{dns_plugin}' is not supported",
 }
+ elif manual_auth_hook:
+ cmd.append("--manual")
+ cmd.append(f"--manual-auth-hook '{manual_auth_hook}'")
+ if manual_cleanup_hook:
+ cmd.append(f"--manual-cleanup-hook '{manual_cleanup_hook}'")
 else:
 cmd.append("--authenticator standalone")
diff --git a/salt/states/acme.py b/salt/states/acme.py
index ae5a7a8399c5..b7a02282dacb 100644
--- a/salt/states/acme.py
+++ b/salt/states/acme.py
@@ -61,6 +61,8 @@ def cert(
 http_01_address=None,
 dns_plugin=None,
 dns_plugin_credentials=None,
+ manual_auth_hook=None,
+ manual_cleanup_hook=None,
 ):
 """
 Obtain/renew a certificate from an ACME CA, probably Let's Encrypt.
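Review bot: In the `elif manual_auth_hook:` branch (third hunk of salt/modules/acme.py) the hook paths are wrapped in hand-written single quotes inside an f-string, so a value that itself contains a single quote ends the quoting early. The neighbouring `cmd.append("--authenticator standalone")` suggests the list is later joined into one command string, in which case the remainder of such a value would be parsed as extra arguments or shell syntax; how `cmd` is executed lies outside this hunk, so confirm. Quote with the standard library instead, `cmd.append(f"--manual-auth-hook {shlex.quote(manual_auth_hook)}")` and likewise for `--manual-cleanup-hook`, adding `import shlex` if the module does not already import it. Because these scripts are run by the ACME client on the minion, it is also worth rejecting a value that is not an absolute path to an existing file before the command is built. The docstring should state that `manual_cleanup_hook` is ignored unless `manual_auth_hook` is set, and that the manual branch appears to be skipped when an earlier branch of the chain (which starts outside the hunk) matches.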
@@ -91,6 +93,8 @@ def cert(
 :param https_01_address: The address the server listens to during http-01 challenge.
 :param dns_plugin: Name of a DNS plugin to use (currently only 'cloudflare')
 :param dns_plugin_credentials: Path to the credentials file if required by the specified DNS plugin
+ :param manual_auth_hook: Path to the authentication hook script.
+ :param manual_cleanup_hook: Path to the cleanup or post-authentication hook script.
 """
 if certname is None:
@@ -138,6 +142,8 @@ def cert(
 http_01_address=http_01_address,
 dns_plugin=dns_plugin,
 dns_plugin_credentials=dns_plugin_credentials,
+ manual_auth_hook=manual_auth_hook,
+ manual_cleanup_hook=manual_cleanup_hook,
 )
 ret["result"] = res["result"]
 ret["comment"].append(res["comment"])