From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Maximiliano Sandoval <m.sandoval@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api v3 1/2] api: document that fingerprints are a SHA 256
Date: Mon, 11 Nov 2024 13:20:57 +0100
Message-ID: <20241111132057.0ea5b2c2@rosa.proxmox.com>
In-Reply-To: <20241111093231.120597-1-m.sandoval@proxmox.com>

Thanks for the patches!

On Mon, 11 Nov 2024 10:32:30 +0100
Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:

> We use the description from the standard option 'fingerprint-sha256'.
> The option itself cannot be used as the regex allows lowercase
> characters which don't work here.
It would really help to get a bit more information about what exactly did
not work, and what you tested to come to that conclusion.

As I'm quite in favor of reusing our standard-options where possible
I gave your v2 a spin to find out what might not work - from a quick
glance (w/o testing everything possible) - the following diff should cover
most issues:
```
diff --git a/src/PMG/CLI/pmgcm.pm b/src/PMG/CLI/pmgcm.pm
index 699089e..c55ef92 100644
--- a/src/PMG/CLI/pmgcm.pm
+++ b/src/PMG/CLI/pmgcm.pm
@@ -194,7 +194,7 @@ __PACKAGE__->register_method({
            };
            if ($param->{fingerprint}) {
                $setup->{cached_fingerprints} = {
-                   $param->{fingerprint} => 1,
+                   uc($param->{fingerprint}) => 1,
                };
            } else {
                # allow manual fingerprint verification
diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm
index 17ba44d..789746f 100644
--- a/src/PMG/Cluster.pm
+++ b/src/PMG/Cluster.pm
@@ -148,7 +148,7 @@ sub update_cert_cache {
 
     foreach my $entry (values %{$cinfo->{ids}}) {
        my $node = $entry->{name};
-       my $fp = $entry->{fingerprint};
+       my $fp = uc($entry->{fingerprint});
        if ($node && $fp) {
            $cert_cache_fingerprints->{$fp} = 1;
            $cert_cache_nodes->{$node} = $fp;
@@ -179,7 +179,7 @@ sub check_cert_fingerprint {
 
     my $check = sub {
        for my $expected (keys %$cert_cache_fingerprints) {
-           return 1 if $fp eq $expected;
+           return 1 if uc($fp) eq $expected;
        }
        return 0;
     };
diff --git a/src/PMG/ClusterConfig.pm b/src/PMG/ClusterConfig.pm
index 491fede..e469ea9 100644
--- a/src/PMG/ClusterConfig.pm
+++ b/src/PMG/ClusterConfig.pm
@@ -195,6 +195,7 @@ sub read_cluster_conf {
        $names_hash->{$d->{name}} = 1;
 
        $d->{cid} = $cid;
+       $d->{fingerprint} = uc($d->{fingerprint});
        $maxcid = $cid > $maxcid ? $cid : $maxcid;
        $maxcid = $d->{maxcid} if defined($d->{maxcid}) && $d->{maxcid} > $maxcid;
        $cinfo->{master} = $d if $d->{type} eq 'master';

```
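Review bot: in the pmgcm.pm hunk, `uc($param->{fingerprint})` only runs after the parameter has already passed schema validation, and the schema pattern in this series (`'^(:?[A-Z0-9][A-Z0-9]:){31}[A-Z0-9][A-Z0-9]$'`) is uppercase-only, so a lowercase fingerprint is rejected before this line is reached unless the pattern is relaxed in the same change; pair the two, and prefer normalizing once where the parameter is read instead of at every consumer.

Review bot: in the update_cert_cache hunk, `my $fp = uc($entry->{fingerprint});` emits "Use of uninitialized value" for entries without a fingerprint, which the unchanged `if ($node && $fp)` guard on the next line shows is an expected case; write `my $fp = $entry->{fingerprint}; $fp = uc($fp) if defined($fp);` to keep the guard's semantics without the warning.

Review bot: in the check_cert_fingerprint hunk, `uc($fp)` is recomputed on every loop iteration, and because update_cert_cache already stores the keys of `$cert_cache_fingerprints` uppercased, the whole loop can become one hash lookup: `return $cert_cache_fingerprints->{uc($fp)} ? 1 : 0;`.

Review bot: in the read_cluster_conf hunk, `$d->{fingerprint} = uc($d->{fingerprint});` turns a missing fingerprint into a defined empty string (plus an uninitialized-value warning); guard it with `if defined($d->{fingerprint})`. With normalization here, the `uc()` added in update_cert_cache is redundant for entries read from cluster.conf, so a comment should say which of the two is the intended normalization point.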

I tested:
* installing this on a cluster-node where I manually changed the
  fingerprint to lower-case in /etc/pmg/cluster.conf
* creating a cluster on the cli - but pasting the fingerprint-option in
  lower-case
* changing the apicert (`pmgconfig apicert --force 1`), restarting
  pmgproxy and running `pmgcm update-fingerprints`

I also would rather not reuse the description of a standard-option for
a slightly different copy of that option.
> 
> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> ---
> 
> Differences from v2:
>  - Use the same docstring as in pve-common
>  - Add regex pattern into the same patch
> 
>  src/PMG/API2/Cluster.pm  | 2 +-
>  src/PMG/CLI/pmgcm.pm     | 2 +-
>  src/PMG/ClusterConfig.pm | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/src/PMG/API2/Cluster.pm b/src/PMG/API2/Cluster.pm
> index 84dafabb..6d776548 100644
> --- a/src/PMG/API2/Cluster.pm
> +++ b/src/PMG/API2/Cluster.pm
> @@ -409,7 +409,7 @@ __PACKAGE__->register_method({
>  		type => 'string', format => 'ip',
>  	    },
>  	    fingerprint => {
> -		description => "SSL certificate fingerprint.",
> +		description => "Certificate SHA 256 fingerprint.",
>  		type => 'string',
>  		pattern => '^(:?[A-Z0-9][A-Z0-9]:){31}[A-Z0-9][A-Z0-9]$',
>  	    },
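Review bot: the new description "Certificate SHA 256 fingerprint." should use the usual spelling "SHA-256" (or "sha256") and state the accepted format (32 colon-separated uppercase hex byte values), since the unchanged pattern directly below it is stricter than the text suggests. Note also that `(:?` in that pattern is an optional literal colon, not the non-capturing group `(?:` that was presumably intended, so it accepts a leading colon, and `[A-Z0-9]` admits letters that are not hex digits.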
> diff --git a/src/PMG/CLI/pmgcm.pm b/src/PMG/CLI/pmgcm.pm
> index ecf9cc76..b4601de4 100644
> --- a/src/PMG/CLI/pmgcm.pm
> +++ b/src/PMG/CLI/pmgcm.pm
> @@ -167,7 +167,7 @@ __PACKAGE__->register_method({
>  		type => 'string', format => 'ip',
>  	    },
>  	    fingerprint => {
> -		description => "SSL certificate fingerprint.",
> +		description => "Certificate SHA 256 fingerprint.",
>  		type => 'string',
>  		pattern => '^(:?[A-Z0-9][A-Z0-9]:){31}[A-Z0-9][A-Z0-9]$',
>  		optional => 1,
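Review bot: the same description and pattern are now copied verbatim here and in API2/Cluster.pm and ClusterConfig.pm; define the fingerprint property once (for example as a shared hash in ClusterConfig.pm's `properties`) and reference it from the API and CLI schemas, so a later fix to the pattern or wording does not need three identical edits. The "SHA 256" spelling applies here as well.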
> diff --git a/src/PMG/ClusterConfig.pm b/src/PMG/ClusterConfig.pm
> index c52508dc..ad4acd05 100644
> --- a/src/PMG/ClusterConfig.pm
> +++ b/src/PMG/ClusterConfig.pm
> @@ -73,7 +73,7 @@ sub properties {
>  	    pattern => valid_ssh_pubkey_regex(),
>  	},
>  	fingerprint => {
> -	    description => "SSL certificate fingerprint.",
> +	    description => "Certificate SHA 256 fingerprint.",
>  	    type => 'string',
>  	    pattern => '^(:?[A-Z0-9][A-Z0-9]:){31}[A-Z0-9][A-Z0-9]$',
>  	},
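Review bot: this property is the schema for /etc/pmg/cluster.conf, so with the uppercase-only pattern a fingerprint that was written in lowercase (as in the manual test described above) fails config parsing outright instead of being normalized; either make the pattern case-insensitive and normalize on read, or keep it strict and say so in the description.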



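As an added illustration (not code from this thread or from the pmg-api project), the fingerprint pattern quoted in the patch, exercised in Python, whose regex semantics agree with Perl's for this expression, against constructed fingerprints: it shows why lowercase input from the standard option fails the uppercase-only pattern, what the `uc()` normalization in the diff above fixes, and what the `(:?` quirk in the pattern lets through. `STRICT_PATTERN`, the helper names and the sample values are assumptions made for this example.

```python
import re

# Pattern exactly as it appears in the patch under review (API2/Cluster.pm,
# CLI/pmgcm.pm, ClusterConfig.pm). Two things to notice: "(:?" is an
# optional literal colon, not a non-capturing group "(?:", and [A-Z0-9] is
# wider than the hexadecimal alphabet.
PAGE_PATTERN = re.compile(r'^(:?[A-Z0-9][A-Z0-9]:){31}[A-Z0-9][A-Z0-9]$')

# Assumed stricter form for comparison: 32 colon-separated uppercase hex bytes.
STRICT_PATTERN = re.compile(r'^(?:[A-F0-9]{2}:){31}[A-F0-9]{2}$')

# Constructed sample fingerprint (32 bytes 0x00..0x1F), not from a real cert.
UPPER_FP = bytes(range(32)).hex(':').upper()   # "00:01:02:...:1F"
LOWER_FP = UPPER_FP.lower()                    # what the standard option accepts


def normalize(fp: str) -> str:
    """Mirror the uc() added in the diff: fingerprints are cached and compared
    in uppercase regardless of how they were entered."""
    return fp.strip().upper()


def matches(pattern: re.Pattern, fp: str) -> bool:
    """True when fp satisfies the given schema pattern as a whole."""
    return pattern.fullmatch(fp) is not None


def fingerprints_equal(a: str, b: str) -> bool:
    """Case-insensitive comparison, as check_cert_fingerprint does after uc()."""
    return normalize(a) == normalize(b)


def oddities_accepted_by_page_pattern() -> list:
    """Inputs that PAGE_PATTERN accepts but STRICT_PATTERN rejects."""
    candidates = [
        ':' + UPPER_FP,            # leading colon, thanks to "(:?"
        'ZZ' + UPPER_FP[2:],       # non-hex letters, thanks to [A-Z0-9]
    ]
    return [c for c in candidates
            if matches(PAGE_PATTERN, c) and not matches(STRICT_PATTERN, c)]


if __name__ == '__main__':
    print('lowercase passes page pattern:', matches(PAGE_PATTERN, LOWER_FP))
    print('after uc() it passes:', matches(PAGE_PATTERN, normalize(LOWER_FP)))
    print('page pattern also accepts:', oddities_accepted_by_page_pattern())
```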