From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 0CB84698B9 for ; Thu, 24 Mar 2022 12:50:29 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id E9DFF2F684 for ; Thu, 24 Mar 2022 12:49:58 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id E03AE2F67B for ; Thu, 24 Mar 2022 12:49:57 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 8DDAD42E80 for ; Thu, 24 Mar 2022 12:49:57 +0100 (CET) From: Markus Frank To: pbs-devel@lists.proxmox.com Date: Thu, 24 Mar 2022 12:49:30 +0100 Message-Id: <20220324114930.99788-1-m.frank@proxmox.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.001 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [drive.rs] Subject: [pbs-devel] [PATCH proxmox-backup v7] fix #3854 paperkey import to proxmox-tape X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Mar 2022 11:50:29 -0000 added a parameter to the cli for importing tape key via a json-parameter or via reading a exported paperkey-file or json-file. For this i also added a backupkey parameter to the api, but here it only accepts json. The cli interprets the parameter first as json-string, then json-file and last as paperkey-file. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key restore --backupkey paperkey.backup # key from line above proxmox-tape key restore --backupkey paperkey.json # only the json proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank --- Comments: * I would disallow giving this functions both a drivename and a backupkey, so that there is no confusion about the behavour. version 7: * moved to restore * added json-parameter to cli version 6: * api: removed identical tuple-matching arms and returned to checking parameter-errors earlier and adding hint if set afterwards version 5: * removed extract_text_between. I would say we can move it to a public function if another component does a similar text-extraction. * simplified text extraction version 4: * ParameterError::from to param_bail! * when hint and paperkey-file used at the same time, old hint get overwritten * added text in pbs-tools with function extract_text_between version 3: * ParameterError with method ParameterError::from * changed --paperkey_file to --paperkey-file version 2: * added format_err! and ParameterError * changed a few "ifs" to "match" src/api2/tape/drive.rs | 65 +++++++++++++++++++------- src/bin/proxmox_tape/encryption_key.rs | 59 +++++++++++++++++++++-- 2 files changed, 102 insertions(+), 22 deletions(-) diff --git a/src/api2/tape/drive.rs b/src/api2/tape/drive.rs index 526743f6..c79688ff 100644 --- a/src/api2/tape/drive.rs +++ b/src/api2/tape/drive.rs @@ -10,7 +10,7 @@ use proxmox_sys::sortable; use proxmox_router::{ list_subdirs_api_method, Permission, Router, RpcEnvironment, RpcEnvironmentType, SubdirMap, }; -use proxmox_schema::api; +use proxmox_schema::{api, param_bail}; use proxmox_section_config::SectionConfigData; use proxmox_uuid::Uuid; use proxmox_sys::{task_log, task_warn}; @@ -24,6 +24,8 @@ use pbs_api_types::{ use pbs_api_types::{PRIV_TAPE_AUDIT, PRIV_TAPE_READ, PRIV_TAPE_WRITE}; use pbs_config::CachedUserInfo; +use pbs_config::key_config::KeyConfig; +use pbs_config::tape_encryption_keys::insert_key; use pbs_tape::{ BlockReadError, sg_tape::tape_alert_flags_critical, @@ -607,10 +609,18 @@ fn write_media_label( properties: { drive: { schema: DRIVE_NAME_SCHEMA, + optional: true, }, password: { description: "Encryption key password.", }, + backupkey: { + description: "A previously exported paperkey in JSON format.", + type: String, + min_length: 300, + max_length: 600, + optional: true, + }, }, }, access: { @@ -619,29 +629,48 @@ fn write_media_label( )] /// Try to restore a tape encryption key pub async fn restore_key( - drive: String, + drive: Option, password: String, + backupkey: Option, ) -> Result<(), Error> { - run_drive_blocking_task( - drive.clone(), - "restore key".to_string(), - move |config| { - let mut drive = open_drive(&config, &drive)?; - let (_media_id, key_config) = drive.read_label()?; + if (drive.is_none() && backupkey.is_none()) || (drive.is_some() && backupkey.is_some()) { + param_bail!( + "drive", + format_err!("Please specify either a valid drive name or a backupkey") + ); + } - if let Some(key_config) = key_config { - let password_fn = || { Ok(password.as_bytes().to_vec()) }; - let (key, ..) = key_config.decrypt(&password_fn)?; - pbs_config::tape_encryption_keys::insert_key(key, key_config, true)?; - } else { - bail!("media does not contain any encryption key configuration"); + if let Some(drive) = drive { + run_drive_blocking_task( + drive.clone(), + "restore key".to_string(), + move |config| { + let mut drive = open_drive(&config, &drive)?; + + let (_media_id, key_config) = drive.read_label()?; + + if let Some(key_config) = key_config { + let password_fn = || { Ok(password.as_bytes().to_vec()) }; + let (key, ..) = key_config.decrypt(&password_fn)?; + insert_key(key, key_config, true)?; + } else { + bail!("media does not contain any encryption key configuration"); + } + + Ok(()) } + ) + .await?; + }else if let Some(backupkey) = backupkey { + let key_config: KeyConfig = + serde_json::from_str(&backupkey).map_err(|err| format_err!(": {}", err))?; + let password_fn = || Ok(password.as_bytes().to_vec()); + let (key, ..) = key_config.decrypt(&password_fn)?; + insert_key(key, key_config, false)?; + } - Ok(()) - } - ) - .await + Ok(()) } #[api( diff --git a/src/bin/proxmox_tape/encryption_key.rs b/src/bin/proxmox_tape/encryption_key.rs index 71df9ffa..471a6349 100644 --- a/src/bin/proxmox_tape/encryption_key.rs +++ b/src/bin/proxmox_tape/encryption_key.rs @@ -1,8 +1,8 @@ -use anyhow::{bail, Error}; +use anyhow::{bail, format_err, Error}; use serde_json::Value; use proxmox_router::{cli::*, ApiHandler, RpcEnvironment}; -use proxmox_schema::api; +use proxmox_schema::{api, param_bail}; use proxmox_sys::linux::tty; use pbs_api_types::{ @@ -12,6 +12,7 @@ use pbs_api_types::{ use pbs_datastore::paperkey::{PaperkeyFormat, generate_paper_key}; use pbs_config::tape_encryption_keys::{load_key_configs,complete_key_fingerprint}; +use pbs_config::key_config::KeyConfig; use proxmox_backup::api2; @@ -186,6 +187,9 @@ fn change_passphrase( Ok(()) } +pub const BEGIN_MARKER: &str = "-----BEGIN PROXMOX BACKUP KEY-----"; +pub const END_MARKER: &str = "-----END PROXMOX BACKUP KEY-----"; + #[api( input: { properties: { @@ -193,23 +197,70 @@ fn change_passphrase( schema: DRIVE_NAME_SCHEMA, optional: true, }, + "backupkey": { + description: "Importing a previously exported backupkey with either an exported paperkey-file, json-string or a json-file", + type: String, + optional: true, + }, }, }, )] /// Restore encryption key from tape (read password from stdin) async fn restore_key( mut param: Value, + backupkey: Option, rpcenv: &mut dyn RpcEnvironment, ) -> Result<(), Error> { let (config, _digest) = pbs_config::drive::config()?; - param["drive"] = crate::extract_drive_name(&mut param, &config)?.into(); + + let drive = crate::extract_drive_name(&mut param, &config); if !tty::stdin_isatty() { bail!("no password input mechanism available"); } - let password = tty::read_password("Tepe Encryption Key Password: ")?; + if (drive.is_err() && backupkey.is_none()) || (drive.is_ok() && backupkey.is_some()) { + param_bail!( + "drive", + format_err!("Please specify either a valid drive name or a backupkey") + ); + } + + if drive.is_ok() { + param["drive"] = drive.unwrap().into(); + } + + if let Some(backupkey) = backupkey { + if serde_json::from_str::(&backupkey).is_ok() { + // json as Parameter + println!("backupkey to import: {}", backupkey); + param["backupkey"] = backupkey.into(); + } else { + println!("backupkey is not a valid json. Interpreting Parameter as a filename"); + let data = proxmox_sys::fs::file_read_string(backupkey)?; + if serde_json::from_str::(&data).is_ok() { + // standalone json-file + println!("backupkey to import: {}", data); + param["backupkey"] = data.into(); + } else { + // exported paperkey-file + let start = data + .find(BEGIN_MARKER) + .ok_or_else(|| format_err!("cannot find key start marker"))? + + BEGIN_MARKER.len(); + let data_remain = &data[start..]; + let end = data_remain + .find(END_MARKER) + .ok_or_else(|| format_err!("cannot find key end marker below start marker"))?; + let backupkey_extract = &data_remain[..end]; + println!("backupkey to import: {}", backupkey_extract); + param["backupkey"] = backupkey_extract.into(); + } + } + } + + let password = tty::read_password("Tape Encryption Key Password: ")?; param["password"] = String::from_utf8(password)?.into(); let info = &api2::tape::drive::API_METHOD_RESTORE_KEY; -- 2.30.2