From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 03BFC1FF170 for ; Thu, 21 Aug 2025 13:55:15 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id F0FA61EDD1; Thu, 21 Aug 2025 13:55:14 +0200 (CEST) Message-ID: <9eba7c9d-0940-4bf9-9696-628b33e847ed@proxmox.com> Date: Thu, 21 Aug 2025 13:55:10 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta To: Lukas Wagner , Proxmox Datacenter Manager development discussion References: <20250821084229.1523597-1-d.csapak@proxmox.com> <20250821084229.1523597-5-d.csapak@proxmox.com> Content-Language: en-US From: Dominik Csapak In-Reply-To: X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1755777310157 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.021 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pdm-devel] [PATCH datacenter-manager v3 04/23] server: add probe-tls endpoint X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" On 8/21/25 1:46 PM, Lukas Wagner wrote: > On Thu Aug 21, 2025 at 10:39 AM CEST, Dominik Csapak wrote: >> so that we can probe pve endpoints regarding fingerprint/certificate >> validity >> >> Signed-off-by: Dominik Csapak >> --- >> server/src/api/pve/mod.rs | 36 ++++++++++++++++++++++++++++++++++-- >> 1 file changed, 34 insertions(+), 2 deletions(-) >> >> diff --git a/server/src/api/pve/mod.rs b/server/src/api/pve/mod.rs >> index 1a3a725..c03d352 100644 >> --- a/server/src/api/pve/mod.rs >> +++ b/server/src/api/pve/mod.rs >> @@ -13,7 +13,7 @@ use proxmox_schema::property_string::PropertyString; >> use proxmox_section_config::typed::SectionConfigData; >> use proxmox_sortable_macro::sortable; >> >> -use pdm_api_types::remotes::{NodeUrl, Remote, RemoteType, REMOTE_ID_SCHEMA}; >> +use pdm_api_types::remotes::{NodeUrl, Remote, RemoteType, TlsProbeOutcome, REMOTE_ID_SCHEMA}; >> use pdm_api_types::resource::PveResource; >> use pdm_api_types::{ >> Authid, RemoteUpid, HOST_OPTIONAL_PORT_FORMAT, PRIV_RESOURCE_AUDIT, PRIV_RESOURCE_DELETE, >> @@ -27,8 +27,8 @@ use pve_api_types::{ClusterResourceKind, ClusterResourceType}; >> >> use super::resources::{map_pve_lxc, map_pve_node, map_pve_qemu, map_pve_storage}; >> >> -use crate::connection; >> use crate::connection::PveClient; >> +use crate::connection::{self, probe_tls_connection}; >> use crate::remote_tasks; >> >> mod lxc; >> @@ -44,6 +44,7 @@ pub const ROUTER: Router = Router::new() >> #[sortable] >> const SUBDIRS: SubdirMap = &sorted!([ >> ("remotes", &REMOTES_ROUTER), >> + ("probe-tls", &Router::new().post(&API_METHOD_PROBE_TLS)), >> ("scan", &Router::new().post(&API_METHOD_SCAN_REMOTE_PVE)), >> ( >> "realms", >> @@ -299,6 +300,37 @@ fn check_guest_delete_perms( >> ) >> } >> >> +#[api( >> + input: { >> + properties: { >> + hostname: { >> + type: String, >> + format: &HOST_OPTIONAL_PORT_FORMAT, >> + description: "Hostname (with optional port) of the target remote", >> + }, >> + fingerprint: { >> + type: String, >> + description: "Fingerprint of the target remote.", >> + optional: true, >> + }, >> + }, >> + }, >> + access: { >> + permission: >> + &Permission::Privilege(&["/"], PRIV_SYS_MODIFY, false), > > Does it make sense to require SYS_MODIFY here? Technically the user of > the PDM API could also probe themselves, since they have the hostname > anyway. > Is this to limit the abuse potential of some rogue logged-in > user hammering other servers with TLS probe requests while 'hiding' behind > PDM? the idea i had here was similar as to how we decided for permissions on pve with the query download url api (there we need sys.audit + sys.modify on '/' or Sys.AccessNetwork on '/nodes/{node}' which we don't have in pdm) the pdm is potentially in a network segment that is not reachable from where the user sits, so the user can potentially probe internal network resources. Even if the info leak is not dramatical, enumerating ip/hostnames (from the certificate) can be bad. > >> + }, >> +)] >> +/// Probe the hosts TLS certificate. >> +/// >> +/// If the certificate is not trusted with the given parameters, returns the certificate >> +/// information. >> +async fn probe_tls( >> + hostname: String, >> + fingerprint: Option, >> +) -> Result { >> + probe_tls_connection(RemoteType::Pve, hostname, fingerprint).await >> +} >> + >> #[api( >> input: { >> properties: { > _______________________________________________ pdm-devel mailing list pdm-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel