Date: Tue, 14 Apr 2026 14:13:45 +0200
Subject: Re: [PATCH installer v3 28/38] assistant: support adding an authorization token for HTTP-based answers
From: "Lukas Wagner"
To: "Christoph Heiss" ,
References: <20260403165437.2166551-1-c.heiss@proxmox.com> <20260403165437.2166551-29-c.heiss@proxmox.com>
In-Reply-To: <20260403165437.2166551-29-c.heiss@proxmox.com>
List-Id: Proxmox Datacenter Manager development discussion

On Fri Apr 3, 2026 at 6:54 PM CEST, Christoph Heiss wrote:
> If '--answer-auth-token :' is passed, the
> token will be saved to the internal auto-installer HTTP settings.
>
> The `HttpOptions` is not marked with `deny_unknown_fields`, so adding an
> additional field is also backwards-compatible.
>
> Signed-off-by: Christoph Heiss
> ---
> Changes v2 -> v3:
> * new patch
>
> proxmox-auto-install-assistant/src/main.rs | 18 ++++++++++++++++++ > proxmox-auto-installer/src/utils.rs | 2 ++ > proxmox-fetch-answer/src/main.rs | 1 + > 3 files changed, 21 insertions(+) > > diff --git a/proxmox-auto-install-assistant/src/main.rs b/proxmox-auto-in= stall-assistant/src/main.rs > index 22a8e39..901ab81 100644 > --- a/proxmox-auto-install-assistant/src/main.rs > +++ b/proxmox-auto-install-assistant/src/main.rs
> @@ -271,6 +271,13 @@ struct CommandPrepareISOArgs { > /// > /// Implies '--pxe'. > pxe_loader: Option, > + > + /// Only useful in combination with '--fetch-from http'. Token the a= utomated installer should > + /// use for retrieving an answer file. > + /// > + /// If set, the automated installer will include an 'Authorization' = header in the HTTP POST > + /// for retrieving the answer, in the format 'Authorization: Proxmox= InstallerToken '. > + answer_auth_token: Option, > } As briefly discussed off-list, I wonder if we should just use `Bearer` here? It originated from OAuth 2.0 in RFC 6750, but from my understanding it has also become quite well established outside of OAuth contexts for any kind of opaque authentication token. No hard feelings though, can be kept as it is right now, if you prefer that. > =20 > impl cli::Subcommand for CommandPrepareISOArgs { > @@ -290,6 +297,7 @@ impl cli::Subcommand for CommandPrepareISOArgs { > on_first_boot: args.opt_value_from_str("--on-first-boot")?, > pxe: args.contains("--pxe") || pxe_loader.is_some(), > pxe_loader, > + answer_auth_token: args.opt_value_from_str("--answer-auth-to= ken")?, > // Needs to be last > input: args.free_from_str()?, > }) > @@ -382,6 +390,15 @@ OPTIONS: > =20 > Implies '--pxe'. > =20 > + --answer-auth-token > + Only useful in combination with '--fetch-from http'. Token the= automated installer should > + use for retrieving an answer file. > + > + must be of format ':'. > + > + If set, the automated installer will include an 'Authorization= ' header in the HTTP POST > + for retrieving the answer, in the format 'Authorization: Proxm= oxInstallerToken '. > + > -h, --help Print this help > -V, --version Print version > "#, 
> @@ -744,6 +761,7 @@ fn prepare_iso(args: &CommandPrepareISOArgs) -> Resul= t<()> { > http: HttpOptions { > url: args.url.clone(), > cert_fingerprint: args.cert_fingerprint.clone(), > + token: args.answer_auth_token.clone(), > }, > }; > let mut instmode_file_tmp =3D tmp_base.clone(); > diff --git a/proxmox-auto-installer/src/utils.rs b/proxmox-auto-installer= /src/utils.rs > index 884a08e..09b3408 100644 > --- a/proxmox-auto-installer/src/utils.rs > +++ b/proxmox-auto-installer/src/utils.rs > @@ -131,6 +131,8 @@ pub struct HttpOptions { > pub url: Option, > #[serde(default, skip_serializing_if =3D "Option::is_none")] > pub cert_fingerprint: Option, > + #[serde(default, skip_serializing_if =3D "Option::is_none")] > + pub token: Option, > } > =20 > #[derive(Deserialize, Serialize, Debug)] > diff --git a/proxmox-fetch-answer/src/main.rs b/proxmox-fetch-answer/src/= main.rs > index c599bef..18b27e7 100644 > --- a/proxmox-fetch-answer/src/main.rs > +++ b/proxmox-fetch-answer/src/main.rs > @@ -98,6 +98,7 @@ fn settings_from_cli_args(args: &[String]) -> Result { > http: HttpOptions { > url: args.get(2).cloned(), > cert_fingerprint: args.get(3).cloned(), > + token: None, > }, > }) > }
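Review bot: the doc comment on `answer_auth_token` in `CommandPrepareISOArgs` (main.rs, hunk @@ -271,6 +271,13) leaves out the format requirement that the OPTIONS help text added in the @@ -382 hunk states ("must be of format ..."). Both texts describe the same option, so the doc comment should carry the same sentence to keep the two from drifting apart.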
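Review bot: the parse step in the @@ -290,6 +297,7 hunk takes the value of '--answer-auth-token' through `args.opt_value_from_str(...)` without checking it, although the help text added in this patch says the argument must follow a fixed format. Validating it here and returning an error for an empty or malformed value would surface a typo when the ISO is prepared, instead of as a rejected request during an unattended install.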
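Review bot: in `prepare_iso` (main.rs, hunk @@ -744,6 +761,7), `token: args.answer_auth_token.clone()` is copied into `HttpOptions` regardless of the fetch mode, although the option is documented as only useful with '--fetch-from http'. No such check is visible in this patch; consider erroring or warning when the token is given together with another fetch mode, so that a credential is not written into an ISO that will never use it.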
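Review bot: the new `pub token` field in `HttpOptions` (proxmox-auto-installer/src/utils.rs, hunk @@ -131,6 +131,8) holds a credential but has no doc comment saying so or naming the expected format. The value is serialized as-is into the installer settings, so a comment marking it as a secret would help, as would confirming that no `Debug` or log output of `HttpOptions` prints it; the option help could also state that anyone with access to the prepared ISO can read the token.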
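Review bot: `token: None` in `settings_from_cli_args` (proxmox-fetch-answer/src/main.rs, hunk @@ -98,6 +98,7) means settings built from CLI arguments can never carry a token, while `url` and `cert_fingerprint` are taken from `args.get(2)` and `args.get(3)`. If that is intended, a short comment saying so would save the next reader a question; otherwise consider supporting the token on this path too, preferably not as a plain argument, since command lines are visible in the process list.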