[PATCH proxmox-backup v3 13/30] api: config: allow encryption key manipulation for sync job

[Christian Ebner <c.ebner@proxmox.com>]

Since the SyncJobConfig got extended to include an optional active
encryption key, set the default to none.
Extend the api config update handler to also set, update or delete
the active encryption key based on the provided parameters.

Associated keys will also be updated accordingly, however it is
assured that the previously active key will remain associated, if
changed.

They encryption key will be used to encrypt unencrypted backup
snapshots during push sync. Any of the associated keys will be used
to decrypt snapshots with matching key fingerprint during pull sync.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
changes since version 2:
- add flag to check for not allowing to set archived key as active encryption key.
- drop associated keys also on active encryption key update, readd rotated one afterwards if required.

 src/api2/config/sync.rs | 65 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 62 insertions(+), 3 deletions(-)

diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
index 75b99c2a7..26ce29ed2 100644
--- a/src/api2/config/sync.rs
+++ b/src/api2/config/sync.rs
@@ -330,6 +330,22 @@ pub fn read_sync_job(id: String, rpcenv: &mut dyn RpcEnvironment) -> Result<Sync
     Ok(sync_job)
 }
 
+fn keep_previous_key_as_associated(
+    current_active: Option<&String>,
+    associated_keys: &mut Option<Vec<String>>,
+) {
+    if let Some(prev) = current_active {
+        match associated_keys {
+            Some(ref mut keys) => {
+                if !keys.contains(prev) {
+                    keys.push(prev.clone());
+                }
+            }
+            None => *associated_keys = Some(vec![prev.clone()]),
+        }
+    }
+}
+
 #[api()]
 #[derive(Serialize, Deserialize)]
 #[serde(rename_all = "kebab-case")]
@@ -373,6 +389,10 @@ pub enum DeletableProperty {
     UnmountOnDone,
     /// Delete the sync_direction property,
     SyncDirection,
+    /// Delete the active encryption key property,
+    ActiveEncryptionKey,
+    /// Delete associated key property,
+    AssociatedKey,
 }
 
 #[api(
@@ -414,7 +434,7 @@ required sync job owned by user. Additionally, remove vanished requires RemoteDa
 #[allow(clippy::too_many_arguments)]
 pub fn update_sync_job(
     id: String,
-    update: SyncJobConfigUpdater,
+    mut update: SyncJobConfigUpdater,
     delete: Option<Vec<DeletableProperty>>,
     digest: Option<String>,
     rpcenv: &mut dyn RpcEnvironment,
@@ -437,6 +457,9 @@ pub fn update_sync_job(
     }
 
     if let Some(delete) = delete {
+        // temporarily hold the previosly active key in case of updates,
+        // so it can be readded as associated key afterwards.
+        let mut previous_active_encryption_key = None;
         for delete_prop in delete {
             match delete_prop {
                 DeletableProperty::Remote => {
@@ -496,8 +519,23 @@ pub fn update_sync_job(
                 DeletableProperty::SyncDirection => {
                     data.sync_direction = None;
                 }
+                DeletableProperty::ActiveEncryptionKey => {
+                    // Previously active encryption keys are always rotated to
+                    // become an associated key in order to hinder unintended
+                    // deletion (e.g. key got rotated for the push, but it still
+                    // is intended to be used for  restore/pull existing snapshots).
+                    previous_active_encryption_key = data.active_encryption_key.take();
+                }
+                DeletableProperty::AssociatedKey => {
+                    // Previous active encryption key might be added as associated below.
+                    data.associated_key = None;
+                }
             }
         }
+        keep_previous_key_as_associated(
+            previous_active_encryption_key.as_ref(),
+            &mut data.associated_key,
+        );
     }
 
     if let Some(comment) = update.comment {
@@ -524,8 +562,8 @@ pub fn update_sync_job(
     if let Some(remote_ns) = update.remote_ns {
         data.remote_ns = Some(remote_ns);
     }
-    if let Some(owner) = update.owner {
-        data.owner = Some(owner);
+    if let Some(owner) = &update.owner {
+        data.owner = Some(owner.clone());
     }
     if let Some(group_filter) = update.group_filter {
         data.group_filter = Some(group_filter);
@@ -555,6 +593,25 @@ pub fn update_sync_job(
         data.sync_direction = Some(sync_direction);
     }
 
+    if let Some(active_encryption_key) = update.active_encryption_key {
+        let owner = update.owner.as_ref().unwrap_or_else(|| {
+            data.owner
+                .as_ref()
+                .unwrap_or_else(|| Authid::root_auth_id())
+        });
+        sync_user_can_access_optional_key(Some(&active_encryption_key), owner, true)?;
+
+        keep_previous_key_as_associated(
+            data.active_encryption_key.as_ref(),
+            &mut update.associated_key,
+        );
+        data.active_encryption_key = Some(active_encryption_key);
+    }
+
+    if let Some(associated_key) = update.associated_key {
+        data.associated_key = Some(associated_key);
+    }
+
     if update.limit.rate_in.is_some() {
         data.limit.rate_in = update.limit.rate_in;
     }
@@ -727,6 +784,8 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
         run_on_mount: None,
         unmount_on_done: None,
         sync_direction: None, // use default
+        active_encryption_key: None,
+        associated_key: None,
     };
 
     // should work without ACLs
-- 
2.47.3