From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pdm-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 6486D1FF13C
	for <inbox@lore.proxmox.com>; Thu, 30 Apr 2026 14:50:44 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 449577CFD;
	Thu, 30 Apr 2026 14:50:44 +0200 (CEST)
From: Christoph Heiss <c.heiss@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [PATCH installer v4 37/40] fetch-answer: send auto-installer HTTP
 authorization token if set
Date: Thu, 30 Apr 2026 14:47:06 +0200
Message-ID: <20260430124712.1614305-38-c.heiss@proxmox.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260430124712.1614305-1-c.heiss@proxmox.com>
References: <20260430124712.1614305-1-c.heiss@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1777553341150
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.075 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: FO6ZAD3OI7QGEFJZJVKJZ3WWSC5B3EB4
X-Message-ID-Hash: FO6ZAD3OI7QGEFJZJVKJZ3WWSC5B3EB4
X-MailFrom: c.heiss@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Datacenter Manager development discussion
 <pdm-devel.lists.proxmox.com>
List-Help: <mailto:pdm-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pdm-devel-owner@lists.proxmox.com>
List-Post: <mailto:pdm-devel@lists.proxmox.com>
List-Subscribe: <mailto:pdm-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pdm-devel-leave@lists.proxmox.com>

If an authorization token is present in the internal auto-installer
HTTP configuration, add it as

  Authorization: ProxmoxInstallerToken <token>

header to the POST HTTP request when retrieving the answer.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * replace `ProxmoxInstallerToken` -> `Bearer`
  * move error reporting change to separate patch

Changes v2 -> v3:
  * new patch

 proxmox-fetch-answer/src/fetch_plugins/http.rs |  8 ++++++++
 proxmox-fetch-answer/src/main.rs               | 16 +++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/proxmox-fetch-answer/src/fetch_plugins/http.rs b/proxmox-fetch-answer/src/fetch_plugins/http.rs
index 2282af0..1251da6 100644
--- a/proxmox-fetch-answer/src/fetch_plugins/http.rs
+++ b/proxmox-fetch-answer/src/fetch_plugins/http.rs
@@ -95,6 +95,14 @@ impl FetchFromHTTP {
             HeaderValue::from_str("application/json, application/toml;q=0.5")?,
         );
 
+        if let Some(token) = &settings.token {
+            info!("Authentication token provided through ISO.");
+            headers.insert(
+                http::header::AUTHORIZATION,
+                HeaderValue::from_str(&format!("Bearer {token}"))?,
+            );
+        }
+
         let http::Response { body, content_type } =
             http::post(&answer_url, fingerprint.as_deref(), headers, payload)?;
 
diff --git a/proxmox-fetch-answer/src/main.rs b/proxmox-fetch-answer/src/main.rs
index 18b27e7..2c49ac2 100644
--- a/proxmox-fetch-answer/src/main.rs
+++ b/proxmox-fetch-answer/src/main.rs
@@ -23,8 +23,13 @@ const CLI_USAGE_HELPTEXT: &str = concat!(
 
 Commands:
   iso         Fetch the builtin answer file from the ISO
+
   http        Fetch the answer file via HTTP(S)
-              Additional parameters: [<http-url>] [<tls-cert-fingerprint>]
+              Additional parameters: [<http-url>] [<tls-cert-fingerprint>] [<auth-token>]
+
+              To provide an authentication token without a certificate fingerprint, pass an
+              empty string to <tls-cert-fingerprint>.
+
   partition   Fetch the answer file from a mountable partition
               Additional parameters: [<partition-label>]
 
@@ -80,8 +85,8 @@ fn settings_from_cli_args(args: &[String]) -> Result<AutoInstSettings> {
         FetchAnswerFrom::Iso if args.len() > 2 => {
             bail!("'iso' mode does not take any additional arguments")
         }
-        FetchAnswerFrom::Http if args.len() > 4 => {
-            bail!("'http' mode takes at most 2 additional arguments")
+        FetchAnswerFrom::Http if args.len() > 5 => {
+            bail!("'http' mode takes at most 3 additional arguments")
         }
         FetchAnswerFrom::Partition if args.len() > 3 => {
             bail!("'partition' mode takes at most 1 additional argument")
@@ -97,8 +102,9 @@ fn settings_from_cli_args(args: &[String]) -> Result<AutoInstSettings> {
             .cloned()?,
         http: HttpOptions {
             url: args.get(2).cloned(),
-            cert_fingerprint: args.get(3).cloned(),
-            token: None,
+            // treat empty value as not existing
+            cert_fingerprint: args.get(3).cloned().filter(|s| !s.is_empty()),
+            token: args.get(4).cloned(),
         },
     })
 }
-- 
2.53.0