[pbs-devel] [PATCH proxmox-backup 08/10] client: refactor crypto_parameter handling

all lists on lists.proxmox.com
 help / color / mirror / Atom feed

From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 08/10] client: refactor crypto_parameter handling
Date: Fri,  5 Feb 2021 16:35:34 +0100	[thread overview]
Message-ID: <20210205153535.2578184-10-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20210205153535.2578184-1-f.gruenbichler@proxmox.com>

pull out the crypt-mode to logically group arms and make the whole mess
a bit more "human-parsable".

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
IMHO this makes more sense this way, otherwise we have too many
combinations that we have to keep in mind in a single match..

 src/bin/proxmox-backup-client.rs | 117 ++++++++++++++++---------------
 1 file changed, 59 insertions(+), 58 deletions(-)

diff --git a/src/bin/proxmox-backup-client.rs b/src/bin/proxmox-backup-client.rs
index 76e82184..89d77d04 100644
--- a/src/bin/proxmox-backup-client.rs
+++ b/src/bin/proxmox-backup-client.rs
@@ -694,87 +694,88 @@ fn crypto_parameters(param: &Value) -> Result<CryptoParams, Error> {
         }
     };
 
-    Ok(match (keydata, master_pubkey_data, mode) {
-        // no parameters:
-        (None, None, None) => match key::read_optional_default_encryption_key()? {
-            None => CryptoParams { mode: CryptMode::None, enc_key: None, master_pubkey: None },
-            enc_key => {
-                eprintln!("Encrypting with default encryption key!");
-                let master_pubkey = key::read_optional_default_master_pubkey()?;
-                CryptoParams {
-                    mode: CryptMode::Encrypt,
-                    enc_key,
-                    master_pubkey,
-                }
+    let res = match mode {
+        // no crypt mode, enable encryption if keys are available
+        None => match (keydata, master_pubkey_data) {
+            // only default keys if available
+            (None, None) => match key::read_optional_default_encryption_key()? {
+                None => CryptoParams { mode: CryptMode::None, enc_key: None, master_pubkey: None },
+                enc_key => {
+                    eprintln!("Encrypting with default encryption key!");
+                    let master_pubkey = key::read_optional_default_master_pubkey()?;
+                    CryptoParams {
+                        mode: CryptMode::Encrypt,
+                        enc_key,
+                        master_pubkey,
+                    }
+                },
+            },
+
+            // explicit master key, default enc key needed
+            (None, master_pubkey) => match key::read_optional_default_encryption_key()? {
+                None => bail!("--master-pubkey-file/--master-pubkey-fd specified, but no key available"),
+                enc_key => {
+                    eprintln!("Encrypting with default encryption key!");
+                    CryptoParams {
+                        mode: CryptMode::Encrypt,
+                        enc_key,
+                        master_pubkey,
+                    }
+                },
             },
-        },
 
-        // just --crypt-mode=none
-        (None, None, Some(CryptMode::None)) => CryptoParams { mode: CryptMode::None, enc_key: None, master_pubkey: None },
+            // explicit keyfile, maybe default master key
+            (enc_key, None) => CryptoParams { mode: CryptMode::Encrypt, enc_key, master_pubkey: key::read_optional_default_master_pubkey()? },
 
-        // --keyfile and --crypt-mode=none
-        (Some(_), _, Some(CryptMode::None)) => {
-            bail!("--keyfile/--keyfd and --crypt-mode=none are mutually exclusive");
+            // explicit keyfile and master key
+            (enc_key, master_pubkey) => CryptoParams { mode: CryptMode::Encrypt, enc_key, master_pubkey },
         },
 
-        // --master-pubkey-file and --crypt-mode=none
-        (_, Some(_), Some(CryptMode::None)) => {
-            bail!("--master-pubkey-file/--master-pubkey-fd and --crypt-mode=none are mutually exclusive");
+        // explicitly disabled encryption
+        Some(CryptMode::None) => match (keydata, master_pubkey_data) {
+            // no keys => OK, no encryption
+            (None, None) => CryptoParams { mode: CryptMode::None, enc_key: None, master_pubkey: None },
+
+            // --keyfile and --crypt-mode=none
+            (Some(_), _) => bail!("--keyfile/--keyfd and --crypt-mode=none are mutually exclusive"),
+
+            // --master-pubkey-file and --crypt-mode=none
+            (_, Some(_)) => bail!("--master-pubkey-file/--master-pubkey-fd and --crypt-mode=none are mutually exclusive"),
         },
 
-        // --master-pubkey-file and nothing else
-        (None, master_pubkey, None) => {
-            match key::read_optional_default_encryption_key()? {
-                None => bail!("--master-pubkey-file/--master-pubkey-fd specified, but no key available"),
+        // explicitly enabled encryption
+        Some(mode) => match (keydata, master_pubkey_data) {
+            // no key, maybe master key
+            (None, master_pubkey) => match key::read_optional_default_encryption_key()? {
+                None => bail!("--crypt-mode without --keyfile and no default key file available"),
                 enc_key => {
                     eprintln!("Encrypting with default encryption key!");
+                    let master_pubkey = match master_pubkey {
+                        None => key::read_optional_default_master_pubkey()?,
+                        master_pubkey => master_pubkey,
+                    };
+
                     CryptoParams {
-                        mode: CryptMode::Encrypt,
+                        mode,
                         enc_key,
                         master_pubkey,
                     }
                 },
-            }
-        },
+            },
 
-        // --crypt-mode other than none, without keyfile, with or without master key
-        (None, master_pubkey, Some(mode)) => match key::read_optional_default_encryption_key()? {
-            None => bail!("--crypt-mode without --keyfile and no default key file available"),
-            enc_key => {
-                eprintln!("Encrypting with default encryption key!");
+            // --keyfile and --crypt-mode other than none
+            (enc_key, master_pubkey) => {
                 let master_pubkey = match master_pubkey {
                     None => key::read_optional_default_master_pubkey()?,
                     master_pubkey => master_pubkey,
                 };
 
-                CryptoParams {
-                    mode,
-                    enc_key,
-                    master_pubkey,
-                }
+                CryptoParams { mode, enc_key, master_pubkey }
             },
-        }
-
-        // just --keyfile
-        (enc_key, master_pubkey, None) => {
-            let master_pubkey = match master_pubkey {
-                None => key::read_optional_default_master_pubkey()?,
-                master_pubkey => master_pubkey,
-            };
-
-            CryptoParams { mode: CryptMode::Encrypt, enc_key, master_pubkey }
         },
+    };
 
-        // --keyfile and --crypt-mode other than none
-        (enc_key, master_pubkey, Some(mode)) => {
-            let master_pubkey = match master_pubkey {
-                None => key::read_optional_default_master_pubkey()?,
-                master_pubkey => master_pubkey,
-            };
-
-            CryptoParams { mode, enc_key, master_pubkey }
-        },
-    })
+    Ok(res)
 }
 
 #[test]
-- 
2.20.1

next prev parent reply	other threads:[~2021-02-05 15:37 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-05 15:35 [pbs-devel] [PATCH proxmox-backup 00/11] extend master key feature Fabian Grünbichler
2021-02-05 15:35 ` [pbs-devel] [PATCH proxmox-backup 01/10] key: make 'default' master key explicit Fabian Grünbichler
2021-02-05 15:35 ` [pbs-devel] [PATCH storage] pbs: allow setting up a master key Fabian Grünbichler
2021-02-05 15:35 ` [pbs-devel] [PATCH proxmox-backup 02/10] key: add show-master-pubkey command Fabian Grünbichler
2021-02-05 15:35 ` [pbs-devel] [PATCH proxmox-backup 03/10] key: rustfmt module Fabian Grünbichler
2021-02-05 15:35 ` [pbs-devel] [PATCH proxmox-backup 04/10] client: add test for keyfile_parameters Fabian Grünbichler
2021-02-06  8:00   ` Dietmar Maurer
2021-02-05 15:35 ` [pbs-devel] [PATCH proxmox-backup 05/10] client: refactor keyfile_parameters Fabian Grünbichler
2021-02-05 15:35 ` [pbs-devel] [PATCH proxmox-backup 06/10] client: allow passing specific master key Fabian Grünbichler
2021-02-05 15:35 ` [pbs-devel] [PATCH proxmox-backup 07/10] client: extend tests for master key handling Fabian Grünbichler
2021-02-05 15:35 ` Fabian Grünbichler [this message]
2021-02-05 15:35 ` [pbs-devel] [PATCH proxmox-backup 09/10] client: track key source, print when used Fabian Grünbichler
2021-02-06  8:13 ` [pbs-devel] applied: [PATCH proxmox-backup 00/11] extend master key feature Dietmar Maurer
2021-02-08 11:02   ` Fabian Grünbichler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210205153535.2578184-10-f.gruenbichler@proxmox.com \
    --to=f.gruenbichler@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal