From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 2E4511FF136 for ; Mon, 20 Apr 2026 18:16:05 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id A8BF0854C; Mon, 20 Apr 2026 18:15:54 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox-backup v4 10/30] sync: add helper to check encryption key acls and load key Date: Mon, 20 Apr 2026 18:15:13 +0200 Message-ID: <20260420161533.1055484-11-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260420161533.1055484-1-c.ebner@proxmox.com> References: <20260420161533.1055484-1-c.ebner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776701664850 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.070 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: RD2OFPYJ3AEJU2OU7CHF4IQN4MJ52UTZ X-Message-ID-Hash: RD2OFPYJ3AEJU2OU7CHF4IQN4MJ52UTZ X-MailFrom: c.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Introduces a common helper function to be used when loading an encryption key in sync job for either push or pull direction. For given user, access to the provided key by id is checked and the key config containing the secret loaded from the file by means of the config. Signed-off-by: Christian Ebner --- src/server/sync.rs | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/src/server/sync.rs b/src/server/sync.rs index aedf4a271..18480a109 100644 --- a/src/server/sync.rs +++ b/src/server/sync.rs @@ -21,12 +21,14 @@ use proxmox_router::HttpError; use pbs_api_types::{ Authid, BackupDir, BackupGroup, BackupNamespace, CryptMode, GroupListItem, SnapshotListItem, SyncDirection, SyncJobConfig, VerifyState, CLIENT_LOG_BLOB_NAME, MANIFEST_BLOB_NAME, - MAX_NAMESPACE_DEPTH, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ, + MAX_NAMESPACE_DEPTH, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ, PRIV_SYS_MODIFY, }; use pbs_client::{BackupReader, BackupRepository, HttpClient, RemoteChunkReader}; +use pbs_config::CachedUserInfo; use pbs_datastore::data_blob::DataBlob; use pbs_datastore::read_chunk::AsyncReadChunk; use pbs_datastore::{BackupManifest, DataStore, ListNamespacesRecursive, LocalChunkReader}; +use pbs_tools::crypt_config::CryptConfig; use crate::backup::ListAccessibleBackupGroups; use crate::server::jobstate::Job; @@ -791,3 +793,27 @@ pub(super) fn exclude_not_verified_or_encrypted( false } + +/// Helper to check if user has access to given encryption key and load it from config. +pub(crate) fn check_privs_and_load_key_config( + key_id: &str, + user: &Authid, + fail_on_archived: bool, +) -> Result, Error> { + let user_info = CachedUserInfo::new()?; + user_info.check_privs( + user, + &["system", "encryption-keys", key_id], + PRIV_SYS_MODIFY, + true, + )?; + + let key_config = pbs_config::encryption_keys::load_key_config(key_id, fail_on_archived)?; + // pass empty passphrase to get raw key material of unprotected key + let (enc_key, _created, fingerprint) = key_config.decrypt(&|| Ok(Vec::new()))?; + + info!("Loaded encryption key '{key_id}' with fingerprint '{fingerprint}'"); + + let crypt_config = Arc::new(CryptConfig::new(enc_key)?); + Ok(crypt_config) +} -- 2.47.3