From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 2422CBA0E7 for ; Wed, 13 Dec 2023 16:39:01 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DFA49C7EC for ; Wed, 13 Dec 2023 16:38:30 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 13 Dec 2023 16:38:29 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 14B0B472D6 for ; Wed, 13 Dec 2023 16:38:29 +0100 (CET) From: Christian Ebner To: pbs-devel@lists.proxmox.com Date: Wed, 13 Dec 2023 16:38:14 +0100 Message-Id: <20231213153819.391392-4-c.ebner@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20231213153819.391392-1-c.ebner@proxmox.com> References: <20231213153819.391392-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.055 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pbs-devel] [RFC proxmox-backup 3/8] api: config: sanity check jobs api endpoints X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Dec 2023 15:39:01 -0000 Adds the api endpoints to create, read/list, update and delete sanity check configurations. Signed-off-by: Christian Ebner --- src/api2/config/mod.rs | 2 + src/api2/config/sanity_check.rs | 296 ++++++++++++++++++++++++++++++++ 2 files changed, 298 insertions(+) create mode 100644 src/api2/config/sanity_check.rs diff --git a/src/api2/config/mod.rs b/src/api2/config/mod.rs index 6cfeaea1..8409ad80 100644 --- a/src/api2/config/mod.rs +++ b/src/api2/config/mod.rs @@ -13,6 +13,7 @@ pub mod media_pool; pub mod metrics; pub mod prune; pub mod remote; +pub mod sanity_check; pub mod sync; pub mod tape_backup_job; pub mod tape_encryption_keys; @@ -30,6 +31,7 @@ const SUBDIRS: SubdirMap = &sorted!([ ("metrics", &metrics::ROUTER), ("prune", &prune::ROUTER), ("remote", &remote::ROUTER), + ("sanity-check", &sync::ROUTER), ("sync", &sync::ROUTER), ("tape-backup-job", &tape_backup_job::ROUTER), ("tape-encryption-keys", &tape_encryption_keys::ROUTER), diff --git a/src/api2/config/sanity_check.rs b/src/api2/config/sanity_check.rs new file mode 100644 index 00000000..c708b952 --- /dev/null +++ b/src/api2/config/sanity_check.rs @@ -0,0 +1,296 @@ +use anyhow::Error; +use hex::FromHex; +use proxmox_sys::task_log; +use proxmox_sys::WorkerTaskContext; +use serde::{Deserialize, Serialize}; +use serde_json::Value; + +use proxmox_router::{http_bail, Permission, Router, RpcEnvironment}; +use proxmox_schema::{api, param_bail}; + +use pbs_api_types::{ + Authid, SanityCheckJobConfig, SanityCheckJobConfigUpdater, JOB_ID_SCHEMA, PRIV_SYS_AUDIT, + PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA, +}; +use pbs_config::{sanity_check, CachedUserInfo}; + +#[api( + input: { + properties: {}, + }, + returns: { + description: "List configured sanity checks schedules.", + type: Array, + items: { type: SanityCheckJobConfig }, + }, + access: { + permission: &Permission::Anybody, + description: "Requires Sys.Audit.", + }, +)] +/// List all scheduled sanity check jobs. +pub fn list_sanity_check_jobs( + _param: Value, + rpcenv: &mut dyn RpcEnvironment, +) -> Result, Error> { + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + user_info.check_privs(&auth_id, &["/"], PRIV_SYS_AUDIT | PRIV_SYS_MODIFY, true)?; + + let (config, digest) = sanity_check::config()?; + let list = config.convert_to_typed_array("sanity-check")?; + + rpcenv["digest"] = hex::encode(digest).into(); + + Ok(list) +} + +pub fn do_create_sanity_check_job( + config: SanityCheckJobConfig, + worker: Option<&dyn WorkerTaskContext>, +) -> Result<(), Error> { + let _lock = sanity_check::lock_config()?; + + let (mut section_config, _digest) = sanity_check::config()?; + + if section_config.sections.get(&config.id).is_some() { + param_bail!("id", "job '{}' already exists.", config.id); + } + + section_config.set_data(&config.id, "sanity-check", &config)?; + + sanity_check::save_config(§ion_config)?; + + crate::server::jobstate::create_state_file("sanitycheckjob", &config.id)?; + + if let Some(worker) = worker { + task_log!(worker, "Sanity check job created: {}", config.id); + } + + Ok(()) +} + +#[api( + protected: true, + input: { + properties: { + config: { + type: SanityCheckJobConfig, + flatten: true, + }, + }, + }, + access: { + permission: &Permission::Anybody, + description: "Requires Sys.Modify.", + }, +)] +/// Create a new sanity check job. +pub fn create_sanity_check_job( + config: SanityCheckJobConfig, + rpcenv: &mut dyn RpcEnvironment, +) -> Result<(), Error> { + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + user_info.check_privs(&auth_id, &["/"], PRIV_SYS_MODIFY, true)?; + + do_create_sanity_check_job(config, None) +} + +#[api( + input: { + properties: { + id: { + schema: JOB_ID_SCHEMA, + }, + }, + }, + returns: { type: SanityCheckJobConfig }, + access: { + permission: &Permission::Anybody, + description: "Requires Sys.Audit.", + }, +)] +/// Read a sanity check job configuration. +pub fn read_sanity_check_job( + id: String, + rpcenv: &mut dyn RpcEnvironment, +) -> Result { + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + user_info.check_privs(&auth_id, &["/"], PRIV_SYS_AUDIT, true)?; + + let (config, digest) = sanity_check::config()?; + let sanity_check_job: SanityCheckJobConfig = config.lookup("sanity-check", &id)?; + + rpcenv["digest"] = hex::encode(digest).into(); + + Ok(sanity_check_job) +} + +#[api] +#[derive(Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +/// Deletable property name +pub enum DeletableProperty { + /// Delete the comment. + Comment, + /// Unset the disable flag. + Disable, + /// Unset the notify-user. + NotifyUser, +} + +#[api( + protected: true, + input: { + properties: { + id: { + schema: JOB_ID_SCHEMA, + }, + update: { + type: SanityCheckJobConfigUpdater, + flatten: true, + }, + delete: { + description: "List of properties to delete.", + type: Array, + optional: true, + items: { + type: DeletableProperty, + } + }, + digest: { + optional: true, + schema: PROXMOX_CONFIG_DIGEST_SCHEMA, + }, + }, + }, + access: { + permission: &Permission::Anybody, + description: "Requires Sys.Modify.", + }, +)] +/// Update sanity check job config. +#[allow(clippy::too_many_arguments)] +pub fn update_sanity_check_job( + id: String, + update: SanityCheckJobConfigUpdater, + delete: Option>, + digest: Option, + rpcenv: &mut dyn RpcEnvironment, +) -> Result<(), Error> { + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + user_info.check_privs(&auth_id, &["/"], PRIV_SYS_MODIFY, true)?; + + let _lock = sanity_check::lock_config()?; + + // pass/compare digest + let (mut config, expected_digest) = sanity_check::config()?; + if let Some(ref digest) = digest { + let digest = <[u8; 32]>::from_hex(digest)?; + crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?; + } + + let mut data: SanityCheckJobConfig = config.lookup("sanity-check", &id)?; + + if let Some(delete) = delete { + for delete_prop in delete { + match delete_prop { + DeletableProperty::Comment => { + data.comment = None; + } + DeletableProperty::Disable => { + data.disable = false; + } + DeletableProperty::NotifyUser => { + data.options.notify_user = None; + } + } + } + } + + let mut schedule_changed = false; + if let Some(schedule) = update.schedule { + schedule_changed = data.schedule != schedule; + data.schedule = schedule; + } + + if let Some(value) = update.comment { + data.comment = Some(value); + } + if let Some(value) = update.disable { + data.disable = value; + } + if let Some(value) = update.options.notify_user { + data.options.notify_user = Some(value); + } + + config.set_data(&id, "sanity-check", &data)?; + + sanity_check::save_config(&config)?; + + if schedule_changed { + crate::server::jobstate::update_job_last_run_time("sanitycheckjob", &id)?; + } + + Ok(()) +} + +#[api( + protected: true, + input: { + properties: { + id: { + schema: JOB_ID_SCHEMA, + }, + digest: { + optional: true, + schema: PROXMOX_CONFIG_DIGEST_SCHEMA, + }, + }, + }, + access: { + permission: &Permission::Anybody, + description: "Requires Sys.Modify.", + }, +)] +/// Remove a sanity check job configuration +pub fn delete_sanity_check_job( + id: String, + digest: Option, + rpcenv: &mut dyn RpcEnvironment, +) -> Result<(), Error> { + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + user_info.check_privs(&auth_id, &["/"], PRIV_SYS_MODIFY, true)?; + + let _lock = sanity_check::lock_config()?; + + let (mut config, expected_digest) = sanity_check::config()?; + if let Some(ref digest) = digest { + let digest = <[u8; 32]>::from_hex(digest)?; + crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?; + } + + if config.sections.remove(&id).is_none() { + http_bail!(NOT_FOUND, "job '{}' does not exist.", id); + } + + sanity_check::save_config(&config)?; + + crate::server::jobstate::remove_state_file("sanitycheckjob", &id)?; + + Ok(()) +} + +const ITEM_ROUTER: Router = Router::new() + .get(&API_METHOD_READ_SANITY_CHECK_JOB) + .put(&API_METHOD_UPDATE_SANITY_CHECK_JOB) + .delete(&API_METHOD_DELETE_SANITY_CHECK_JOB); + +pub const ROUTER: Router = Router::new() + .get(&API_METHOD_LIST_SANITY_CHECK_JOBS) + .post(&API_METHOD_CREATE_SANITY_CHECK_JOB) + .match_all("id", &ITEM_ROUTER); -- 2.39.2