From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 034BB1FF140 for ; Fri, 10 Apr 2026 18:54:37 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 83E3B22CA1; Fri, 10 Apr 2026 18:55:16 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v2 09/27] sync: add helper to check encryption key acls and load key Date: Fri, 10 Apr 2026 18:54:36 +0200 Message-ID: <20260410165454.1578501-10-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260410165454.1578501-1-c.ebner@proxmox.com> References: <20260410165454.1578501-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1775840037191 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.070 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: EUCL3R6P6DEHN6HEDTJJQG5JS2SGBZKX X-Message-ID-Hash: EUCL3R6P6DEHN6HEDTJJQG5JS2SGBZKX X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Introduces a common helper function to be used when loading an encryption key in sync job for either push or pull direction. For given user, access to the provided key by id is checked and the key config containing the secret loaded from the file by means of the config. Signed-off-by: Christian Ebner --- src/server/sync.rs | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/src/server/sync.rs b/src/server/sync.rs index aedf4a271..9c070cd9c 100644 --- a/src/server/sync.rs +++ b/src/server/sync.rs 
@@ -21,12 +21,14 @@ use proxmox_router::HttpError; use pbs_api_types::{ Authid, BackupDir, BackupGroup, BackupNamespace, CryptMode, GroupListItem, SnapshotListItem, SyncDirection, SyncJobConfig, VerifyState, CLIENT_LOG_BLOB_NAME, MANIFEST_BLOB_NAME, - MAX_NAMESPACE_DEPTH, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ, + MAX_NAMESPACE_DEPTH, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ, PRIV_SYS_MODIFY, }; use pbs_client::{BackupReader, BackupRepository, HttpClient, RemoteChunkReader}; +use pbs_config::CachedUserInfo; use pbs_datastore::data_blob::DataBlob; use pbs_datastore::read_chunk::AsyncReadChunk; use pbs_datastore::{BackupManifest, DataStore, ListNamespacesRecursive, LocalChunkReader}; +use pbs_tools::crypt_config::CryptConfig; use crate::backup::ListAccessibleBackupGroups; use crate::server::jobstate::Job; @@ -791,3 +793,28 @@ pub(super) fn exclude_not_verified_or_encrypted( false } + +/// Helper to check user having access to the given encryption key and loading +/// the it using the passphrase from the config. +pub(crate) fn check_privs_and_load_key_config( + key_id: &str, + user: &Authid, + fail_on_archived: bool, +) -> Result>, Error> { + let user_info = CachedUserInfo::new()?; + user_info.check_privs( + user, + &["system", "encryption-keys", key_id], + PRIV_SYS_MODIFY, + true, + )?; + + let key_config = pbs_config::encryption_keys::load_key_config(key_id, fail_on_archived)?; + // pass empty passphrase to get raw key material of unprotected key + let (enc_key, _created, fingerprint) = key_config.decrypt(&|| Ok(Vec::new()))?; + + info!("Loaded encryption key '{key_id}' with fingerprint '{fingerprint}'"); + + let crypt_config = Arc::new(CryptConfig::new(enc_key)?); + Ok(Some(crypt_config)) +} -- 2.47.3
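Review bot: The doc comment on `check_privs_and_load_key_config` does not match the body: it says the key is loaded "using the passphrase from the config" (and reads "loading the it"), while the code calls `key_config.decrypt(&|| Ok(Vec::new()))`, which always supplies an empty passphrase and so only handles keys stored without passphrase protection. Since this helper gates access to raw key material, I would spell the contract out, e.g. `/// Checks that user holds PRIV_SYS_MODIFY on /system/encryption-keys/{key_id}, then loads the unprotected key` followed by `/// and wraps it in a CryptConfig; a passphrase-protected key is presumably rejected by decrypt()`. A short comment that the `check_privs` call must stay ahead of `load_key_config` would also help, because that order is what keeps a caller without the privilege from learning, through load errors, whether a key id exists or is archived. The bare `true` passed as the last `check_privs` argument deserves a naming comment (it looks like the partial-match flag; confirm against the `CachedUserInfo` signature), and the visible body only ever returns `Ok(Some(..))`, so the doc should say why the result is optional (the return type is partly garbled on this page).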