From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id B79101FF140 for ; Fri, 10 Apr 2026 18:55:04 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 28A0C233BE; Fri, 10 Apr 2026 18:55:45 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v2 22/27] sync: expand source chunk reader trait by crypt config Date: Fri, 10 Apr 2026 18:54:49 +0200 Message-ID: <20260410165454.1578501-23-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260410165454.1578501-1-c.ebner@proxmox.com> References: <20260410165454.1578501-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1775840040545 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.070 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: 3QCX6K7FZGAP3S5QZQWLSULYAUIKL7LH X-Message-ID-Hash: 3QCX6K7FZGAP3S5QZQWLSULYAUIKL7LH X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Allows to pass in the crypto config for the source chunk reader, making it possible to decrypt chunks when fetching. This will be used by the pull sync job to decrypt snapshot chunks which have been encrypted with an encryption key matching the one in the pull job configuration. Disarmed by not setting the crypt config until the rest of the logic to correctly decrypt snapshots on pull, including manifest, index files and chunks is put in place in subsequet code changes. Signed-off-by: Christian Ebner --- src/server/pull.rs | 8 ++++++-- src/server/push.rs | 4 ++-- src/server/sync.rs | 28 ++++++++++++++++++++++------ 3 files changed, 30 insertions(+), 10 deletions(-) diff --git a/src/server/pull.rs b/src/server/pull.rs index 87c71a9ab..39f4b2d75 100644 --- a/src/server/pull.rs +++ b/src/server/pull.rs @@ -304,6 +304,7 @@ async fn pull_single_archive<'a>( snapshot: &'a pbs_datastore::BackupDir, archive_info: &'a FileInfo, encountered_chunks: Arc>, + crypt_config: Option>, backend: &DatastoreBackend, ) -> Result { let archive_name = &archive_info.filename; 
@@ -334,7 +335,7 @@ async fn pull_single_archive<'a>( } else { let stats = pull_index_chunks( reader - .chunk_reader(archive_info.crypt_mode) + .chunk_reader(crypt_config.clone(), archive_info.crypt_mode) .context("failed to get chunk reader")?, snapshot.datastore().clone(), index, @@ -357,7 +358,7 @@ async fn pull_single_archive<'a>( } else { let stats = pull_index_chunks( reader - .chunk_reader(archive_info.crypt_mode) + .chunk_reader(crypt_config.clone(), archive_info.crypt_mode) .context("failed to get chunk reader")?, snapshot.datastore().clone(), index, @@ -471,6 +472,8 @@ async fn pull_snapshot<'a>( return Ok(sync_stats); } + let mut crypt_config = None; + let backend = ¶ms.target.backend; for item in manifest.files() { let mut path = snapshot.full_path(); @@ -517,6 +520,7 @@ async fn pull_snapshot<'a>( snapshot, item, encountered_chunks.clone(), + crypt_config.clone(), backend, ) .await?; diff --git a/src/server/push.rs b/src/server/push.rs index f433ca50d..1375958fe 100644 --- a/src/server/push.rs +++ b/src/server/push.rs @@ -1005,7 +1005,7 @@ pub(crate) async fn push_snapshot( ArchiveType::DynamicIndex => { let index = DynamicIndexReader::open(&path)?; let chunk_reader = reader - .chunk_reader(entry.chunk_crypt_mode()) + .chunk_reader(None, entry.chunk_crypt_mode()) .context("failed to get chunk reader")?; let upload_stats = push_index( &archive_name, @@ -1033,7 +1033,7 @@ pub(crate) async fn push_snapshot( ArchiveType::FixedIndex => { let index = FixedIndexReader::open(&path)?; let chunk_reader = reader - .chunk_reader(entry.chunk_crypt_mode()) + .chunk_reader(None, entry.chunk_crypt_mode()) .context("failed to get chunk reader")?; let size = index.index_bytes(); let upload_stats = push_index( diff --git a/src/server/sync.rs b/src/server/sync.rs index 6b84ae6d7..dce9c99ee 100644 --- a/src/server/sync.rs +++ b/src/server/sync.rs 
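Review bot: In `pull_single_archive` (src/server/pull.rs, hunk at -334 and again at -357) the key is handed to `chunk_reader` for every archive, whatever `archive_info.crypt_mode` says. Once a later patch sets `crypt_config`, an archive whose manifest entry is not marked as encrypted would still get a reader that holds the key; how the reader treats that combination is not visible in this patch. Consider passing the config only for encrypted archives, with something like `let cc = if archive_info.crypt_mode == CryptMode::Encrypt { crypt_config.clone() } else { None };`, so that source-supplied manifest data cannot decide where key material ends up. The function body starts and ends outside both hunks.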
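Review bot: `let mut crypt_config = None;` in `pull_snapshot` (src/server/pull.rs, hunk at -471) is declared `mut` but nothing in this patch assigns to it, so the build should emit an `unused_mut` warning until the follow-up lands. I would drop the `mut` here and re-add it in the patch that sets the value. A marker for the deliberate no-op would also help, for example `// intentionally None: decryption on pull is wired up in a later patch`. pull_snapshot's body starts and ends outside the hunk.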
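Review bot: The bare `None` passed as the first argument to `chunk_reader` in `push_snapshot` (src/server/push.rs, DynamicIndex arm at -1005 and FixedIndex arm at -1033) gives a reader no hint of what is being switched off. A short comment at both call sites, such as `// no crypt config: the push path never decrypts source chunks`, would record that no key is involved when pushing. That intent is inferred from the commit message, which names only the pull job as a user, so confirm it before settling the wording. push_snapshot's body extends outside both hunks.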
@@ -90,7 +90,11 @@ impl SyncStats { /// and checking whether chunk sync should be skipped. pub(crate) trait SyncSourceReader: Send + Sync { /// Returns a chunk reader with the specified encryption mode. - fn chunk_reader(&self, crypt_mode: CryptMode) -> Result, Error>; + fn chunk_reader( + &self, + crypt_config: Option>, + crypt_mode: CryptMode, + ) -> Result, Error>; /// Asynchronously loads a file from the source into a local file. /// `filename` is the name of the file to load from the source. @@ -117,9 +121,17 @@ pub(crate) struct LocalSourceReader { #[async_trait::async_trait] impl SyncSourceReader for RemoteSourceReader { - fn chunk_reader(&self, crypt_mode: CryptMode) -> Result, Error> { - let chunk_reader = - RemoteChunkReader::new(self.backup_reader.clone(), None, crypt_mode, HashMap::new()); + fn chunk_reader( + &self, + crypt_config: Option>, + crypt_mode: CryptMode, + ) -> Result, Error> { + let chunk_reader = RemoteChunkReader::new( + self.backup_reader.clone(), + crypt_config, + crypt_mode, + HashMap::new(), + ); Ok(Arc::new(chunk_reader)) } @@ -191,8 +203,12 @@ impl SyncSourceReader for RemoteSourceReader { #[async_trait::async_trait] impl SyncSourceReader for LocalSourceReader { - fn chunk_reader(&self, crypt_mode: CryptMode) -> Result, Error> { - let chunk_reader = LocalChunkReader::new(self.datastore.clone(), None, crypt_mode)?; + fn chunk_reader( + &self, + crypt_config: Option>, + crypt_mode: CryptMode, + ) -> Result, Error> { + let chunk_reader = LocalChunkReader::new(self.datastore.clone(), crypt_config, crypt_mode)?; Ok(Arc::new(chunk_reader)) } -- 2.47.3
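Review bot: The doc comment on `SyncSourceReader::chunk_reader` (src/server/sync.rs, hunk at -90) still reads "Returns a chunk reader with the specified encryption mode." and says nothing about the new `crypt_config` argument. I would extend it with a line such as `/// crypt_config: key used to decrypt chunks while reading; None means chunks are handled as stored.` and state which `crypt_mode` values a key may be combined with. The implementations at -117 and -191 forward the value unchanged to `RemoteChunkReader::new` and `LocalChunkReader::new`, so the behaviour on a mode/key mismatch is decided there and is not visible in this patch; the trait comment should point to it.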