From: Dominik Csapak <d.csapak@proxmox.com>
To: Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>, Stefan Sterz <s.sterz@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup v2 1/2] fix #3853: api: add force option to tape key change-passphrase
Date: Mon, 14 Feb 2022 10:20:12 +0100 [thread overview]
Message-ID: <24789990-1e3c-33ba-97d9-23b9f65e9e9f@proxmox.com> (raw)
In-Reply-To: <20220210142325.2595867-1-s.sterz@proxmox.com>
one nit inline (could be done as a followup)
On 2/10/22 15:23, Stefan Sterz wrote:
> When force is used, the current passphrase is not required. Instead
> it will be read from the file pointed to by TAPE_KEYS_FILENAME and
> the old key configuration will be overwritten using the new
> passphrase. Requires super user privileges.
>
> Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
> ---
> v1->v2: check for root privileges moved into the api endpoint, better
> descriptions and errors strings and incorporated some nitpicks.
>
> Thanks for the feedback to Thomas Lamprecht, Dominik Csapak, and
> Wolfgang Bumiller.
>
> src/api2/config/tape_encryption_keys.rs | 41 +++++++++++++++++++++----
> 1 file changed, 35 insertions(+), 6 deletions(-)
>
> diff --git a/src/api2/config/tape_encryption_keys.rs b/src/api2/config/tape_encryption_keys.rs
> index 1ad99377..25cc6cc0 100644
> --- a/src/api2/config/tape_encryption_keys.rs
> +++ b/src/api2/config/tape_encryption_keys.rs
> @@ -1,4 +1,4 @@
> -use anyhow::{bail, Error};
> +use anyhow::{format_err, bail, Error};
> use serde_json::Value;
> use hex::FromHex;
>
> @@ -6,12 +6,14 @@ use proxmox_router::{ApiMethod, Router, RpcEnvironment, Permission};
> use proxmox_schema::api;
>
> use pbs_api_types::{
> - Fingerprint, KeyInfo, Kdf,
> + Authid, Fingerprint, KeyInfo, Kdf,
> TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
> PROXMOX_CONFIG_DIGEST_SCHEMA, PASSWORD_HINT_SCHEMA,
> PRIV_TAPE_AUDIT, PRIV_TAPE_MODIFY,
> };
>
> +use pbs_config::CachedUserInfo;
> +
> use pbs_config::key_config::KeyConfig;
> use pbs_config::open_backup_lockfile;
> use pbs_config::tape_encryption_keys::{
> @@ -70,6 +72,7 @@ pub fn list_keys(
> password: {
> description: "The current password.",
> min_length: 5,
> + optional: true,
> },
> "new-password": {
> description: "The new password.",
> @@ -78,6 +81,12 @@ pub fn list_keys(
> hint: {
> schema: PASSWORD_HINT_SCHEMA,
> },
> + force: {
> + optional: true,
> + type: bool,
> + description: "Reset the passphrase for a tape key, using the root-only accessible copy.",
> + default: false,
> + },
> digest: {
> optional: true,
> schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
> @@ -91,12 +100,13 @@ pub fn list_keys(
> /// Change the encryption key's password (and password hint).
> pub fn change_passphrase(
> kdf: Option<Kdf>,
> - password: String,
> + password: Option<String>,
> new_password: String,
> hint: String,
> + force: bool,
> fingerprint: Fingerprint,
> digest: Option<String>,
> - _rpcenv: &mut dyn RpcEnvironment
> + rpcenv: &mut dyn RpcEnvironment
> ) -> Result<(), Error> {
>
> let kdf = kdf.unwrap_or_default();
> @@ -116,10 +126,29 @@ pub fn change_passphrase(
>
> let key_config = match config_map.get(&fingerprint) {
> Some(key_config) => key_config,
> - None => bail!("tape encryption key '{}' does not exist.", fingerprint),
> + None => bail!("tape encryption key configuration '{}' does not exist.", fingerprint),
> + };
> +
> + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
> + let user_info = CachedUserInfo::new()?;
> +
> + if force && !user_info.is_superuser(&auth_id) {
> + bail!("resetting the key's passphrase requires root privileges")
> + }
> +
> + let (key, created, fingerprint) = match (force, &password) {
> + (true, Some(_)) => bail!("password is not allowed when using force"),
> + (false, None) => bail!("missing parameter: password"),
those two errors could make use of 'ParameterError'
see proxmox-schema/src/schema.rs
> + (false, Some(pass)) => key_config.decrypt(&|| Ok(pass.as_bytes().to_vec()))?,
> + (true, None) => {
> + let key = load_keys()?.0.get(&fingerprint).ok_or_else(|| {
> + format_err!("failed to reset passphrase, could not find key '{}'", fingerprint)
> + })?.key;
> +
> + (key, key_config.created, fingerprint)
> + }
> };
>
> - let (key, created, fingerprint) = key_config.decrypt(&|| Ok(password.as_bytes().to_vec()))?;
> let mut new_key_config = KeyConfig::with_key(&key, new_password.as_bytes(), kdf)?;
> new_key_config.created = created; // keep original value
> new_key_config.hint = Some(hint);
next prev parent reply other threads:[~2022-02-14 9:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-10 14:23 Stefan Sterz
2022-02-10 14:23 ` [pbs-devel] [PATCH proxmox-backup v2 2/2] fix #3853: tape cli: add force flag to " Stefan Sterz
2022-02-14 9:14 ` [pbs-devel] applied-series: [PATCH proxmox-backup v2 1/2] fix #3853: api: add force option to tape " Thomas Lamprecht
2022-02-14 9:20 ` Dominik Csapak [this message]
2022-02-14 9:57 ` [pbs-devel] " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=24789990-1e3c-33ba-97d9-23b9f65e9e9f@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=s.sterz@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.