From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id BB7C41FF137 for ; Tue, 14 Apr 2026 14:59:54 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 60B5318FF9; Tue, 14 Apr 2026 15:00:23 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v3 29/30] api: encryption keys: allow to toggle the archived state for keys Date: Tue, 14 Apr 2026 14:59:22 +0200 Message-ID: <20260414125923.892345-30-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260414125923.892345-1-c.ebner@proxmox.com> References: <20260414125923.892345-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776171503525 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.930 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_MAILER 2 Automated Mailer Tag Left in Email SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: ZHW6CDXSL6NP63KWXLIKWAPWLF4BGX3R X-Message-ID-Hash: ZHW6CDXSL6NP63KWXLIKWAPWLF4BGX3R X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Adapt the api endpoint to not only allow to archive a key, but rather allow to toggle its archived state by setting or stripping the optional `archived-at` timestamp in the config. Expose this in the ui by adapting the corresponding button accordingly. Signed-off-by: Christian Ebner --- changes since version 2: - not present in previous version note: kept this as separate patch for now as unsure if this should be split into 2 dedicated api points instead? pbs-config/src/encryption_keys.rs | 10 ++++++---- src/api2/config/encryption_keys.rs | 6 +++--- www/config/EncryptionKeysView.js | 24 +++++++++++++++++------- 3 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/pbs-config/src/encryption_keys.rs b/pbs-config/src/encryption_keys.rs
index fd5989a98..2120ae861 100644
--- a/pbs-config/src/encryption_keys.rs
+++ b/pbs-config/src/encryption_keys.rs
@@ -196,16 +196,18 @@ pub fn delete_key(id: &str, mut config: SectionConfigData) -> Result Result<(), Error> { let mut key: CryptKey = config.lookup(ENCRYPTION_KEYS_CFG_TYPE_ID, id)?; if key.archived_at.is_some() { - bail!("key already marked as archived"); + // was archived, mark as active again + key.archived_at = None; + } else { + // was not archived, mark as archived + key.archived_at = Some(proxmox_time::epoch_i64()); } - key.archived_at = Some(proxmox_time::epoch_i64()); - config.set_data(id, ENCRYPTION_KEYS_CFG_TYPE_ID, &key)?; let raw = CONFIG.write(ENCRYPTION_KEYS_CFG_FILENAME, &config)?; // drops config lock diff --git a/src/api2/config/encryption_keys.rs b/src/api2/config/encryption_keys.rs index d3097929d..a10430b25 100644 --- a/src/api2/config/encryption_keys.rs +++ b/src/api2/config/encryption_keys.rs @@ -126,8 +126,8 @@ pub fn create_key( permission: &Permission::Privilege(&["system", "encryption-keys", "{id}"], PRIV_SYS_MODIFY, false), }, )] -/// Mark the key by given id as archived, no longer usable to encrypt contents. -pub fn archive_key( +/// Toggle the archive state for the key by given id, archived keys are no longer usable to encrypt contents. +pub fn toggle_key_archive_state( id: String, digest: Option, _rpcenv: &mut dyn RpcEnvironment, @@ -210,7 +210,7 @@ fn encryption_key_in_use(id: &str) -> Result>, Error> { } const ITEM_ROUTER: Router = Router::new() - .post(&API_METHOD_ARCHIVE_KEY) + .post(&API_METHOD_TOGGLE_KEY_ARCHIVE_STATE) .delete(&API_METHOD_DELETE_KEY); pub const ROUTER: Router = Router::new() diff --git a/www/config/EncryptionKeysView.js b/www/config/EncryptionKeysView.js index 35f147799..77542932d 100644 --- a/www/config/EncryptionKeysView.js +++ b/www/config/EncryptionKeysView.js @@ -38,7 +38,7 @@ Ext.define('PBS.config.EncryptionKeysView', { }).show(); }, - archiveEncryptionKey: function () { + toggleEncryptionKeyArchiveState: function () { let me = this; let view = me.getView(); let selection = view.getSelection(); 
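Review bot: The toggle in the first hunk makes this POST non-idempotent: the direction is decided by whatever `archived_at` holds when the config is read, so a retried or duplicated request, or two administrators acting on the same key, silently flips an archived key back to being usable for encryption. Taking the intended state from the caller avoids this, for example a boolean parameter (the name is only a suggestion) and `key.archived_at = if archive { Some(proxmox_time::epoch_i64()) } else { None };`, which the handler renamed to `toggle_key_archive_state` in src/api2/config/encryption_keys.rs could pass through on the same route. The `digest` parameter of that handler is an `Option`, so it cannot serve as the guard against acting on stale state unless it is required for this call. Restoring also discards the previous `archived-at` value, so a log line on each transition would keep a record of when a key was retired and when it was re-enabled. The body of the config function continues past the end of the hunk.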
@@ -246,14 +246,24 @@ Ext.define('PBS.config.EncryptionKeysView', { '-', { xtype: 'proxmoxButton', - text: gettext('Archive'), - handler: 'archiveEncryptionKey', + text: gettext('Toggle Archived'), + handler: 'toggleEncryptionKeyArchiveState', dangerous: true, - confirmMsg: Ext.String.format( - gettext('Archiving will render the key unusable to encrypt new content, proceed?'), - ), + confirmMsg: (item) => { + let msg; + if (item.data['archived-at']) { + msg = gettext( + 'Are you sure you want to restore the archived key to be active again?', + ); + } else { + msg = gettext( + 'Archiving will render the key unusable to encrypt new content, proceed?', + ); + } + return Ext.String.format(msg); + }, disabled: true, - enableFn: (item) => item.data.type === 'sync' && !item.data['archived-at'], + enableFn: (item) => item.data.type === 'sync', }, '-', { -- 2.47.3
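Review bot: The confirmation text in `confirmMsg` is chosen from `item.data['archived-at']` in the grid record, while the server decides the direction from the config it reads at request time, so with a stale store the user can confirm a restore and trigger an archive, or the reverse. The body of `toggleEncryptionKeyArchiveState` lies outside these hunks, so whether it sends the record's digest is not visible; if it does not, it should, so that a mismatch is rejected rather than applied. Separately, `Ext.String.format(msg)` is called without format arguments and returns the string unchanged, so `return msg;` is enough. The button keeps `dangerous: true` and the single label 'Toggle Archived' for both directions; a label that follows the record state would make the pending action readable before the dialog opens.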