From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: Stoiko Ivanov <s.ivanov@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api v3 1/2] api: document that fingerprints are a SHA 256
Date: Mon, 18 Nov 2024 14:20:20 +0100
Message-ID: <s8ozflwhdsd.fsf@proxmox.com>
In-Reply-To: <20241111132057.0ea5b2c2@rosa.proxmox.com>
Stoiko Ivanov <s.ivanov@proxmox.com> writes:
> Thanks for the patches!
>
> On Mon, 11 Nov 2024 10:32:30 +0100
> Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>
>> We use the description from the standard option 'fingerprint-sha256'.
>> The option itself cannot be used as the regex allows lowercase
>> characters which don't work here.
> It would really help to get a bit more information about what exactly did
> not work, and what you tested to come to that conclusion.
I tested replacing a single character in the fingerprint with a
lowercase character and the web UI stopped working completely.
Refreshing the tab would send me back to a login screen on which it was
not possible to log in.
> As I'm quite in favor of reusing our standard-options where possible
> I gave your v2 a spin to find out what might not work - from a quick
> glance (w/o testing everything possible) - the following diff should cover
> most issues:
>
> ```
> diff --git a/src/PMG/CLI/pmgcm.pm b/src/PMG/CLI/pmgcm.pm
> index 699089e..c55ef92 100644
> --- a/src/PMG/CLI/pmgcm.pm
> +++ b/src/PMG/CLI/pmgcm.pm
> @@ -194,7 +194,7 @@ __PACKAGE__->register_method({
> };
> if ($param->{fingerprint}) {
> $setup->{cached_fingerprints} = {
> - $param->{fingerprint} => 1,
> + uc($param->{fingerprint}) => 1,
> };
> } else {
> # allow manual fingerprint verification
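Review bot: The `uc()` in the `cached_fingerprints` key normalises the value only at this one use of `$param->{fingerprint}`; any other use of the parameter in this method would still see the case the caller typed. Normalising once before the `if`, e.g. `$param->{fingerprint} = uc($param->{fingerprint}) if $param->{fingerprint};`, keeps a single canonical form and leaves the hash constructor unchanged. A short comment saying that fingerprints are compared in uppercase would also help, since nothing in the hunk explains why `uc` is needed.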
> diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm
> index 17ba44d..789746f 100644
> --- a/src/PMG/Cluster.pm
> +++ b/src/PMG/Cluster.pm
> @@ -148,7 +148,7 @@ sub update_cert_cache {
>
> foreach my $entry (values %{$cinfo->{ids}}) {
> my $node = $entry->{name};
> - my $fp = $entry->{fingerprint};
> + my $fp = uc($entry->{fingerprint});
> if ($node && $fp) {
> $cert_cache_fingerprints->{$fp} = 1;
> $cert_cache_nodes->{$node} = $fp;
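Review bot: `uc($entry->{fingerprint})` on the `my $fp` line runs before the `if ($node && $fp)` guard, so an entry without a fingerprint now produces an "uninitialized value" warning under `use warnings` instead of being skipped silently. Keep the original assignment and uppercase inside the guarded block, for example `$fp = uc($fp);` as the first statement after the `if`.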
> @@ -179,7 +179,7 @@ sub check_cert_fingerprint {
>
> my $check = sub {
> for my $expected (keys %$cert_cache_fingerprints) {
> - return 1 if $fp eq $expected;
> + return 1 if uc($fp) eq $expected;
> }
> return 0;
> };
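Review bot: `uc($fp) eq $expected` in the loop matches only if every key of `$cert_cache_fingerprints` is already uppercase. With this patch `update_cert_cache` guarantees that, but the invariant is not stated anywhere, and a writer that stores a lowercase key would make the check reject a valid certificate. Either compare `uc($fp) eq uc($expected)` or document on the cache that its keys are uppercase. `uc($fp)` is also loop-invariant and can be computed once before the `for`.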
> diff --git a/src/PMG/ClusterConfig.pm b/src/PMG/ClusterConfig.pm
> index 491fede..e469ea9 100644
> --- a/src/PMG/ClusterConfig.pm
> +++ b/src/PMG/ClusterConfig.pm
> @@ -195,6 +195,7 @@ sub read_cluster_conf {
> $names_hash->{$d->{name}} = 1;
>
> $d->{cid} = $cid;
> + $d->{fingerprint} = uc($d->{fingerprint});
> $maxcid = $cid > $maxcid ? $cid : $maxcid;
> $maxcid = $d->{maxcid} if defined($d->{maxcid}) && $d->{maxcid} > $maxcid;
> $cinfo->{master} = $d if $d->{type} eq 'master';
>
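Review bot: The added `$d->{fingerprint} = uc($d->{fingerprint});` is unconditional, so a node entry with no fingerprint gets the key created with an empty string (plus an "uninitialized value" warning under `use warnings`), which changes what later `defined` or `exists` checks on that field see. Guard it, e.g. `$d->{fingerprint} = uc($d->{fingerprint}) if defined($d->{fingerprint});`. If the parsed `$d` is what the other call sites consume, normalising here may make the `uc` calls in `update_cert_cache` redundant; it is worth picking one place for the normalisation and commenting it.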
> ```
>
> I tested:
> * installing this on a cluster-node where I manually changed the
> fingerprint to lower-case in /etc/pmg/cluster.conf
> * creating a cluster on the cli - but pasting the fingerprint-option in
> lower-case
> * changing the apicert (`pmgconfig apicert --force 1`), restarting
> pmgproxy and running `pmgcm update-fingerprints`
I am not very comfortable adding a new state that might potentially break
something that we did not test (or that it might break in the future)
for a feature that does not add anything for the end-user. I think it
makes more sense to simply document the current behavior.
> I also would rather not reuse the description of a standard-option for
> a slightly different copy of that option.
That is sensible, perhaps a different description could be used?