[pbs-devel] [PATCH proxmox-backup 1/3] refactor CertInfo to tools

[pbs-devel] [PATCH proxmox-backup 1/3] refactor CertInfo to tools

[Dominik Csapak]

we want to reuse some of the functionality elsewhere

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/bin/proxmox_backup_manager/cert.rs | 29 ++---------
 src/tools.rs                           |  1 +
 src/tools/cert.rs                      | 67 ++++++++++++++++++++++++++
 3 files changed, 73 insertions(+), 24 deletions(-)
 create mode 100644 src/tools/cert.rs

diff --git a/src/bin/proxmox_backup_manager/cert.rs b/src/bin/proxmox_backup_manager/cert.rs
index f5f725a..845c8ed 100644
--- a/src/bin/proxmox_backup_manager/cert.rs
+++ b/src/bin/proxmox_backup_manager/cert.rs
@@ -1,32 +1,18 @@
-use std::path::PathBuf;
-
 use anyhow::{bail, Error};
 
 use proxmox::api::{api, cli::*};
 
 use proxmox_backup::config;
-use proxmox_backup::configdir;
 use proxmox_backup::auth_helpers::*;
-
-fn x509name_to_string(name: &openssl::x509::X509NameRef) -> Result<String, Error> {
-    let mut parts = Vec::new();
-    for entry in name.entries() {
-        parts.push(format!("{} = {}", entry.object().nid().short_name()?, entry.data().as_utf8()?));
-    }
-    Ok(parts.join(", "))
-}
+use proxmox_backup::tools::cert::CertInfo;
 
 #[api]
 /// Display node certificate information.
 fn cert_info() -> Result<(), Error> {
 
-    let cert_path = PathBuf::from(configdir!("/proxy.pem"));
+    let cert = CertInfo::new()?;
 
-    let cert_pem = proxmox::tools::fs::file_get_contents(&cert_path)?;
-
-    let cert = openssl::x509::X509::from_pem(&cert_pem)?;
-
-    println!("Subject: {}", x509name_to_string(cert.subject_name())?);
+    println!("Subject: {}", cert.subject_name()?);
 
     if let Some(san) = cert.subject_alt_names() {
         for name in san.iter() {
@@ -42,17 +28,12 @@ fn cert_info() -> Result<(), Error> {
         }
     }
 
-    println!("Issuer: {}", x509name_to_string(cert.issuer_name())?);
+    println!("Issuer: {}", cert.issuer_name()?);
     println!("Validity:");
     println!("    Not Before: {}", cert.not_before());
     println!("    Not After : {}", cert.not_after());
 
-    let fp = cert.digest(openssl::hash::MessageDigest::sha256())?;
-    let fp_string = proxmox::tools::digest_to_hex(&fp);
-    let fp_string = fp_string.as_bytes().chunks(2).map(|v| std::str::from_utf8(v).unwrap())
-        .collect::<Vec<&str>>().join(":");
-
-    println!("Fingerprint (sha256): {}", fp_string);
+    println!("Fingerprint (sha256): {}", cert.fingerprint()?);
 
     let pubkey = cert.public_key()?;
     println!("Public key type: {}", openssl::nid::Nid::from_raw(pubkey.id().as_raw()).long_name()?);
diff --git a/src/tools.rs b/src/tools.rs
index 75c8d9f..4bfc35c 100644
--- a/src/tools.rs
+++ b/src/tools.rs
@@ -23,6 +23,7 @@ pub use proxmox::tools::fd::Fd;
 pub mod acl;
 pub mod async_io;
 pub mod borrow;
+pub mod cert;
 pub mod daemon;
 pub mod disks;
 pub mod fs;
diff --git a/src/tools/cert.rs b/src/tools/cert.rs
new file mode 100644
index 0000000..0c7e9e5
--- /dev/null
+++ b/src/tools/cert.rs
@@ -0,0 +1,67 @@
+use std::path::PathBuf;
+
+use anyhow::Error;
+use openssl::x509::{X509, GeneralName};
+use openssl::stack::Stack;
+use openssl::pkey::{Public, PKey};
+
+use crate::configdir;
+
+pub struct CertInfo {
+    x509: X509,
+}
+
+fn x509name_to_string(name: &openssl::x509::X509NameRef) -> Result<String, Error> {
+    let mut parts = Vec::new();
+    for entry in name.entries() {
+        parts.push(format!("{} = {}", entry.object().nid().short_name()?, entry.data().as_utf8()?));
+    }
+    Ok(parts.join(", "))
+}
+
+impl CertInfo {
+    pub fn new() -> Result<Self, Error> {
+        Self::from_path(PathBuf::from(configdir!("/proxy.pem")))
+    }
+
+    pub fn from_path(path: PathBuf) -> Result<Self, Error> {
+        let cert_pem = proxmox::tools::fs::file_get_contents(&path)?;
+        let x509 = openssl::x509::X509::from_pem(&cert_pem)?;
+        Ok(Self{
+            x509
+        })
+    }
+
+    pub fn subject_alt_names(&self) -> Option<Stack<GeneralName>> {
+        self.x509.subject_alt_names()
+    }
+
+    pub fn subject_name(&self) -> Result<String, Error> {
+        Ok(x509name_to_string(self.x509.subject_name())?)
+    }
+
+    pub fn issuer_name(&self) -> Result<String, Error> {
+        Ok(x509name_to_string(self.x509.issuer_name())?)
+    }
+
+    pub fn fingerprint(&self) -> Result<String, Error> {
+        let fp = self.x509.digest(openssl::hash::MessageDigest::sha256())?;
+        let fp_string = proxmox::tools::digest_to_hex(&fp);
+        let fp_string = fp_string.as_bytes().chunks(2).map(|v| std::str::from_utf8(v).unwrap())
+            .collect::<Vec<&str>>().join(":");
+        Ok(fp_string)
+    }
+
+    pub fn public_key(&self) -> Result<PKey<Public>, Error> {
+        let pubkey = self.x509.public_key()?;
+        Ok(pubkey)
+    }
+
+    pub fn not_before(&self) -> &openssl::asn1::Asn1TimeRef {
+        self.x509.not_before()
+    }
+
+    pub fn not_after(&self) -> &openssl::asn1::Asn1TimeRef {
+        self.x509.not_after()
+    }
+}
-- 
2.20.1

[pbs-devel] [PATCH proxmox-backup 2/3] api2/node/status: add fingerprint

[Dominik Csapak]

and rename get_usage to get_status (since its not usage only anymore)

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/api2/node/status.rs | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/src/api2/node/status.rs b/src/api2/node/status.rs
index 970c136..14d4b58 100644
--- a/src/api2/node/status.rs
+++ b/src/api2/node/status.rs
@@ -10,6 +10,7 @@ use proxmox::api::{api, ApiMethod, Router, RpcEnvironment, Permission};
 
 use crate::api2::types::*;
 use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_POWER_MANAGEMENT};
+use crate::tools::cert::CertInfo;
 
 #[api(
     input: {
@@ -46,14 +47,24 @@ use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_POWER_MANAGEMENT};
                 description: "Total CPU usage since last query.",
                 optional: true,
             },
-        }
+            info: {
+                type: Object,
+                description: "contains node information",
+                properties: {
+                    fingerprint: {
+                        description: "The SSL Fingerprint",
+                        type: String,
+                    },
+                },
+            },
+        },
     },
     access: {
         permission: &Permission::Privilege(&["system", "status"], PRIV_SYS_AUDIT, false),
     },
 )]
 /// Read node memory, CPU and (root) disk usage
-fn get_usage(
+fn get_status(
     _param: Value,
     _info: &ApiMethod,
     _rpcenv: &mut dyn RpcEnvironment,
@@ -63,6 +74,10 @@ fn get_usage(
     let kstat: procfs::ProcFsStat = procfs::read_proc_stat()?;
     let disk_usage = crate::tools::disks::disk_usage(Path::new("/"))?;
 
+    // get fingerprint
+    let cert = CertInfo::new()?;
+    let fp = cert.fingerprint()?;
+
     Ok(json!({
         "memory": {
             "total": meminfo.memtotal,
@@ -74,7 +89,10 @@ fn get_usage(
             "total": disk_usage.total,
             "used": disk_usage.used,
             "free": disk_usage.avail,
-        }
+        },
+        "info": {
+            "fingerprint": fp,
+        },
     }))
 }
 
@@ -122,5 +140,5 @@ fn reboot_or_shutdown(command: NodePowerCommand) -> Result<(), Error> {
 }
 
 pub const ROUTER: Router = Router::new()
-    .get(&API_METHOD_GET_USAGE)
+    .get(&API_METHOD_GET_STATUS)
     .post(&API_METHOD_REBOOT_OR_SHUTDOWN);
-- 
2.20.1

[pbs-devel] [PATCH proxmox-backup 3/3] ui: add show fingerprint button to dashboard

[Dominik Csapak]

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 www/Dashboard.js | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/www/Dashboard.js b/www/Dashboard.js
index 10d4261..9ac30b2 100644
--- a/www/Dashboard.js
+++ b/www/Dashboard.js
@@ -76,6 +76,7 @@ Ext.define('PBS.Dashboard', {
 	    let viewmodel = me.getViewModel();
 
 	    let res = records[0].data;
+	    viewmodel.set('fingerprint', res.info.fingerprint || Proxmox.Utils.unknownText);
 
 	    let cpu = res.cpu,
 	        mem = res.memory,
@@ -91,6 +92,34 @@ Ext.define('PBS.Dashboard', {
 	    hdPanel.updateValue(root.used / root.total);
 	},
 
+	showFingerPrint: function() {
+	    let me = this;
+	    let vm = me.getViewModel();
+	    let fingerprint = vm.get('fingerprint');
+	    Ext.create('Ext.window.Window', {
+		modal: true,
+		width: 600,
+		title: gettext('Fingerprint'),
+		layout: 'form',
+		bodyPadding: '10 0',
+		items: [
+		    {
+			xtype: 'textfield',
+			value: fingerprint,
+			editable: false,
+		    },
+		],
+		buttons: [
+		    {
+			text: gettext("OK"),
+			handler: function() {
+			    this.up('window').close();
+			},
+		    },
+		],
+	    }).show();
+	},
+
 	updateTasks: function(store, records, success) {
 	    if (!success) return;
 	    let me = this;
@@ -134,11 +163,16 @@ Ext.define('PBS.Dashboard', {
 	    timespan: 300, // in seconds
 	    hours: 12, // in hours
 	    error_shown: false,
+	    fingerprint: "",
 	    'bytes_in': 0,
 	    'bytes_out': 0,
 	    'avg_ptime': 0.0
 	},
 
+	formulas: {
+	    disableFPButton: (get) => get('fingerprint') === "",
+	},
+
 	stores: {
 	    usage: {
 		storeid: 'dash-usage',
@@ -211,6 +245,16 @@ Ext.define('PBS.Dashboard', {
 	    iconCls: 'fa fa-tasks',
 	    title: gettext('Server Resources'),
 	    bodyPadding: '0 20 0 20',
+	    tools: [
+		{
+		    xtype: 'button',
+		    text: gettext('Show Fingerprint'),
+		    handler: 'showFingerPrint',
+		    bind: {
+			disabled: '{disableFPButton}',
+		    },
+		},
+	    ],
 	    layout: {
 		type: 'hbox',
 		align: 'center'
-- 
2.20.1

[pbs-devel] applied: [PATCH proxmox-backup 1/3] refactor CertInfo to tools

[Dietmar Maurer]

applied all 3 patches

> On 07/10/2020 10:51 AM Dominik Csapak <d.csapak@proxmox.com> wrote:
> 
>  
> we want to reuse some of the functionality elsewhere
> 
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
>  src/bin/proxmox_backup_manager/cert.rs | 29 ++---------
>  src/tools.rs                           |  1 +
>  src/tools/cert.rs                      | 67 ++++++++++++++++++++++++++
>  3 files changed, 73 insertions(+), 24 deletions(-)
>  create mode 100644 src/tools/cert.rs
> 
> diff --git a/src/bin/proxmox_backup_manager/cert.rs b/src/bin/proxmox_backup_manager/cert.rs
> index f5f725a..845c8ed 100644
> --- a/src/bin/proxmox_backup_manager/cert.rs
> +++ b/src/bin/proxmox_backup_manager/cert.rs
> @@ -1,32 +1,18 @@
> -use std::path::PathBuf;
> -
>  use anyhow::{bail, Error};
>  
>  use proxmox::api::{api, cli::*};
>  
>  use proxmox_backup::config;
> -use proxmox_backup::configdir;
>  use proxmox_backup::auth_helpers::*;
> -
> -fn x509name_to_string(name: &openssl::x509::X509NameRef) -> Result<String, Error> {
> -    let mut parts = Vec::new();
> -    for entry in name.entries() {
> -        parts.push(format!("{} = {}", entry.object().nid().short_name()?, entry.data().as_utf8()?));
> -    }
> -    Ok(parts.join(", "))
> -}
> +use proxmox_backup::tools::cert::CertInfo;
>  
>  #[api]
>  /// Display node certificate information.
>  fn cert_info() -> Result<(), Error> {
>  
> -    let cert_path = PathBuf::from(configdir!("/proxy.pem"));
> +    let cert = CertInfo::new()?;
>  
> -    let cert_pem = proxmox::tools::fs::file_get_contents(&cert_path)?;
> -
> -    let cert = openssl::x509::X509::from_pem(&cert_pem)?;
> -
> -    println!("Subject: {}", x509name_to_string(cert.subject_name())?);
> +    println!("Subject: {}", cert.subject_name()?);
>  
>      if let Some(san) = cert.subject_alt_names() {
>          for name in san.iter() {
> @@ -42,17 +28,12 @@ fn cert_info() -> Result<(), Error> {
>          }
>      }
>  
> -    println!("Issuer: {}", x509name_to_string(cert.issuer_name())?);
> +    println!("Issuer: {}", cert.issuer_name()?);
>      println!("Validity:");
>      println!("    Not Before: {}", cert.not_before());
>      println!("    Not After : {}", cert.not_after());
>  
> -    let fp = cert.digest(openssl::hash::MessageDigest::sha256())?;
> -    let fp_string = proxmox::tools::digest_to_hex(&fp);
> -    let fp_string = fp_string.as_bytes().chunks(2).map(|v| std::str::from_utf8(v).unwrap())
> -        .collect::<Vec<&str>>().join(":");
> -
> -    println!("Fingerprint (sha256): {}", fp_string);
> +    println!("Fingerprint (sha256): {}", cert.fingerprint()?);
>  
>      let pubkey = cert.public_key()?;
>      println!("Public key type: {}", openssl::nid::Nid::from_raw(pubkey.id().as_raw()).long_name()?);
> diff --git a/src/tools.rs b/src/tools.rs
> index 75c8d9f..4bfc35c 100644
> --- a/src/tools.rs
> +++ b/src/tools.rs
> @@ -23,6 +23,7 @@ pub use proxmox::tools::fd::Fd;
>  pub mod acl;
>  pub mod async_io;
>  pub mod borrow;
> +pub mod cert;
>  pub mod daemon;
>  pub mod disks;
>  pub mod fs;
> diff --git a/src/tools/cert.rs b/src/tools/cert.rs
> new file mode 100644
> index 0000000..0c7e9e5
> --- /dev/null
> +++ b/src/tools/cert.rs
> @@ -0,0 +1,67 @@
> +use std::path::PathBuf;
> +
> +use anyhow::Error;
> +use openssl::x509::{X509, GeneralName};
> +use openssl::stack::Stack;
> +use openssl::pkey::{Public, PKey};
> +
> +use crate::configdir;
> +
> +pub struct CertInfo {
> +    x509: X509,
> +}
> +
> +fn x509name_to_string(name: &openssl::x509::X509NameRef) -> Result<String, Error> {
> +    let mut parts = Vec::new();
> +    for entry in name.entries() {
> +        parts.push(format!("{} = {}", entry.object().nid().short_name()?, entry.data().as_utf8()?));
> +    }
> +    Ok(parts.join(", "))
> +}
> +
> +impl CertInfo {
> +    pub fn new() -> Result<Self, Error> {
> +        Self::from_path(PathBuf::from(configdir!("/proxy.pem")))
> +    }
> +
> +    pub fn from_path(path: PathBuf) -> Result<Self, Error> {
> +        let cert_pem = proxmox::tools::fs::file_get_contents(&path)?;
> +        let x509 = openssl::x509::X509::from_pem(&cert_pem)?;
> +        Ok(Self{
> +            x509
> +        })
> +    }
> +
> +    pub fn subject_alt_names(&self) -> Option<Stack<GeneralName>> {
> +        self.x509.subject_alt_names()
> +    }
> +
> +    pub fn subject_name(&self) -> Result<String, Error> {
> +        Ok(x509name_to_string(self.x509.subject_name())?)
> +    }
> +
> +    pub fn issuer_name(&self) -> Result<String, Error> {
> +        Ok(x509name_to_string(self.x509.issuer_name())?)
> +    }
> +
> +    pub fn fingerprint(&self) -> Result<String, Error> {
> +        let fp = self.x509.digest(openssl::hash::MessageDigest::sha256())?;
> +        let fp_string = proxmox::tools::digest_to_hex(&fp);
> +        let fp_string = fp_string.as_bytes().chunks(2).map(|v| std::str::from_utf8(v).unwrap())
> +            .collect::<Vec<&str>>().join(":");
> +        Ok(fp_string)
> +    }
> +
> +    pub fn public_key(&self) -> Result<PKey<Public>, Error> {
> +        let pubkey = self.x509.public_key()?;
> +        Ok(pubkey)
> +    }
> +
> +    pub fn not_before(&self) -> &openssl::asn1::Asn1TimeRef {
> +        self.x509.not_before()
> +    }
> +
> +    pub fn not_after(&self) -> &openssl::asn1::Asn1TimeRef {
> +        self.x509.not_after()
> +    }
> +}
> -- 
> 2.20.1
> 
> 
> 
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel