From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 1C2761FF15F for ; Mon, 18 Nov 2024 14:28:46 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 70C6110AEC; Mon, 18 Nov 2024 14:28:51 +0100 (CET) References: <20241111093231.120597-1-m.sandoval@proxmox.com> <20241111132057.0ea5b2c2@rosa.proxmox.com> User-agent: mu4e 1.10.8; emacs 29.4 From: Maximiliano Sandoval To: Stoiko Ivanov Date: Mon, 18 Nov 2024 14:20:20 +0100 In-reply-to: <20241111132057.0ea5b2c2@rosa.proxmox.com> Message-ID: MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.154 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_NUMSUBJECT 0.5 Subject ends in numbers excluding current years SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pmg-devel] [PATCH pmg-api v3 1/2] api: document that fingerprints are a SHA 256 X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: pmg-devel@lists.proxmox.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pmg-devel-bounces@lists.proxmox.com Sender: "pmg-devel" Stoiko Ivanov writes: > Thanks for the patches! > > On Mon, 11 Nov 2024 10:32:30 +0100 > Maximiliano Sandoval wrote: > >> We use the description from the standard option 'fingerprint-sha256'. >> The option itself cannot be used as the regex allows lowercase >> characters which don't work here. > It would really help to get a bit more information about what exactly did > not work, and what you tested to come to that conclusion. I tested replacing a single character in the fingerprint with a lowercase character and the web UI stopped working completely. Refreshing the tab would send me back to a login screen on which it was not possible to log in. > As I'm quite in favor of reusing our standard-options where possible > I gave your v2 a spin to find out what might not work - from a quick > glance (w/o testing everything possible) - the following diff should cover > most issues: > > ``` > diff --git a/src/PMG/CLI/pmgcm.pm b/src/PMG/CLI/pmgcm.pm > index 699089e..c55ef92 100644 > --- a/src/PMG/CLI/pmgcm.pm > +++ b/src/PMG/CLI/pmgcm.pm > @@ -194,7 +194,7 @@ __PACKAGE__->register_method({ > }; > if ($param->{fingerprint}) { > $setup->{cached_fingerprints} = { > - $param->{fingerprint} => 1, > + uc($param->{fingerprint}) => 1, > }; > } else { > # allow manual fingerprint verification > diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm > index 17ba44d..789746f 100644 > --- a/src/PMG/Cluster.pm > +++ b/src/PMG/Cluster.pm > @@ -148,7 +148,7 @@ sub update_cert_cache { > > foreach my $entry (values %{$cinfo->{ids}}) { > my $node = $entry->{name}; > - my $fp = $entry->{fingerprint}; > + my $fp = uc($entry->{fingerprint}); > if ($node && $fp) { > $cert_cache_fingerprints->{$fp} = 1; > $cert_cache_nodes->{$node} = $fp; > @@ -179,7 +179,7 @@ sub check_cert_fingerprint { > > my $check = sub { > for my $expected (keys %$cert_cache_fingerprints) { > - return 1 if $fp eq $expected; > + return 1 if uc($fp) eq $expected; > } > return 0; > }; > diff --git a/src/PMG/ClusterConfig.pm b/src/PMG/ClusterConfig.pm > index 491fede..e469ea9 100644 > --- a/src/PMG/ClusterConfig.pm > +++ b/src/PMG/ClusterConfig.pm > @@ -195,6 +195,7 @@ sub read_cluster_conf { > $names_hash->{$d->{name}} = 1; > > $d->{cid} = $cid; > + $d->{fingerprint} = uc($d->{fingerprint}); > $maxcid = $cid > $maxcid ? $cid : $maxcid; > $maxcid = $d->{maxcid} if defined($d->{maxcid}) && $d->{maxcid} > $maxcid; > $cinfo->{master} = $d if $d->{type} eq 'master'; > > ``` > > I tested: > * installing this on a cluster-node where I manually changed the > fingerprint to lower-case in /etc/pmg/cluster.conf > * creating a cluster on the cli - but pasting the fingerprint-option in > lower-case > * changing the apicert (`pmgconfig apicert --force 1`), restarting > pmgproxy and running `pmgcm update-fingerprints`) I am not very comfortable adding a new state that might potential break something that we did not test (or that it might break in the future) for a feature that does not add anything for the end-user. I think it makes more sense to simply document the current behavior. > I also would rather not reuse the description of a standard-option for > a slightly different copy of that option. That is sensible, perhaps a different description could be used? _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel