From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id DB05675DA2; Thu, 22 Apr 2021 17:35:09 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id CDA4A1EB62; Thu, 22 Apr 2021 17:35:09 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 6C0F71EB23; Thu, 22 Apr 2021 17:35:04 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 440414642E; Thu, 22 Apr 2021 17:35:04 +0200 (CEST) From: Stefan Reiter To: pve-devel@lists.proxmox.com, pbs-devel@lists.proxmox.com Date: Thu, 22 Apr 2021 17:34:47 +0200 Message-Id: <20210422153457.12265-4-s.reiter@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210422153457.12265-1-s.reiter@proxmox.com> References: <20210422153457.12265-1-s.reiter@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.031 Adjusted score from AWL reputation of 
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox-file-restore.rs] Subject: [pve-devel] [PATCH v2 proxmox-backup 03/13] file-restore: support encrypted VM backups X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Apr 2021 15:35:10 -0000 Signed-off-by: Stefan Reiter
---
new in v2
 src/bin/proxmox-file-restore.rs | 22 +++++++++++++++++---
 src/bin/proxmox_file_restore/block_driver.rs | 1 +
 src/bin/proxmox_file_restore/qemu_helper.rs | 9 ++++++--
 3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/src/bin/proxmox-file-restore.rs b/src/bin/proxmox-file-restore.rs
index 2726eeb7..3d750152 100644
--- a/src/bin/proxmox-file-restore.rs
+++ b/src/bin/proxmox-file-restore.rs
@@ -30,7 +30,7 @@ pub mod proxmox_client_tools;
 use proxmox_client_tools::{
 complete_group_or_snapshot, complete_repository, connect, extract_repository_from_value,
 key_source::{
- crypto_parameters, format_key_source, get_encryption_key_password, KEYFD_SCHEMA,
+ crypto_parameters_keep_fd, format_key_source, get_encryption_key_password, KEYFD_SCHEMA,
 KEYFILE_SCHEMA,
 },
 REPO_URL_SCHEMA,
@@ -76,6 +76,18 @@ fn parse_path(path: String, base64: bool) -> Result {
 }
 }
+fn keyfile_path(param: &Value) -> Option {
+ if let Some(Value::String(keyfile)) = param.get("keyfile") {
+ return Some(keyfile.to_owned());
+ }
+
+ if let Some(Value::Number(keyfd)) = param.get("keyfd") {
+ return Some(format!("/dev/fd/{}", keyfd));
+ }
+
+ None
+}
+
 #[api(
 input: {
 properties: {
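Review bot: `keyfile_path` has no doc comment, and the precedence it encodes (a `keyfile` parameter wins over `keyfd` when both are present) is now a contract the restore driver depends on, so it should be stated; suggested: `/// Key source for the restore VM: the "keyfile" parameter, or "/dev/fd/<keyfd>"; "keyfile" takes precedence when both are given.` Whether `crypto_parameters_keep_fd` applies the same precedence, or rejects both being set, is not visible here and is worth confirming so the two cannot disagree. The `Value::Number` branch formats whatever JSON number arrived, so a negative or non-integer value would become a nonsensical `/dev/fd/…` path; unless `KEYFD_SCHEMA` already restricts the value to an integer, matching on `keyfd.as_u64()` and returning `None` otherwise is the safer form.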
@@ -138,7 +150,8 @@ async fn list(
 let snapshot: BackupDir = snapshot.parse()?;
 let path = parse_path(path, base64)?;
- let crypto = crypto_parameters(¶m)?;
+ let keyfile = keyfile_path(¶m);
+ let crypto = crypto_parameters_keep_fd(¶m)?;
 let crypt_config = match crypto.enc_key {
 None => None,
 Some(ref key) => {
@@ -210,6 +223,7 @@ async fn list(
 manifest,
 repo,
 snapshot,
+ keyfile,
 };
 let driver: Option = match param.get("driver") {
 Some(drv) => Some(serde_json::from_value(drv.clone())?),
@@ -309,7 +323,8 @@ async fn extract(
 None => Some(std::env::current_dir()?),
 };
- let crypto = crypto_parameters(¶m)?;
+ let keyfile = keyfile_path(¶m);
+ let crypto = crypto_parameters_keep_fd(¶m)?;
 let crypt_config = match crypto.enc_key {
 None => None,
 Some(ref key) => {
@@ -360,6 +375,7 @@ async fn extract(
 manifest,
 repo,
 snapshot,
+ keyfile,
 };
 let driver: Option = match param.get("driver") {
 Some(drv) => Some(serde_json::from_value(drv.clone())?),
diff --git a/src/bin/proxmox_file_restore/block_driver.rs b/src/bin/proxmox_file_restore/block_driver.rs
index 924503a7..ba9794e3 100644
--- a/src/bin/proxmox_file_restore/block_driver.rs
+++ b/src/bin/proxmox_file_restore/block_driver.rs
@@ -21,6 +21,7 @@ pub struct SnapRestoreDetails {
 pub repo: BackupRepository,
 pub snapshot: BackupDir,
 pub manifest: BackupManifest,
+ pub keyfile: Option,
 }
 /// Return value of a BlockRestoreDriver.status() call, 'id' must be valid for .stop(id)
diff --git a/src/bin/proxmox_file_restore/qemu_helper.rs b/src/bin/proxmox_file_restore/qemu_helper.rs
index 7fd2f1f8..0f3a7feb 100644
--- a/src/bin/proxmox_file_restore/qemu_helper.rs
+++ b/src/bin/proxmox_file_restore/qemu_helper.rs
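Review bot: In `list` (and identically in the `extract` hunk at -309) `keyfile` is derived from `param` alone, independently of what `crypto_parameters_keep_fd` actually resolved; if that helper can obtain a key from any source other than `keyfile`/`keyfd` (a default key, for instance — not visible here), `crypt_config` ends up `Some` while `details.keyfile` stays `None`, and the restore VM is started without a key for an encrypted snapshot. Making the two agree explicitly, right after the `crypt_config` match, would turn that into a clear error instead of a failure inside the VM, e.g. `if crypt_config.is_some() && keyfile.is_none() { bail!("encrypted backup requires --keyfile or --keyfd for the restore VM"); }` (using whichever error macro this file already uses). Both `list` and `extract` begin and end outside the hunks shown.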
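Review bot: The new `keyfile` field on `SnapRestoreDetails` is the only one whose meaning is not clear from its type, since it carries either a real path or a `/dev/fd/N` pseudo-path that is only usable while that descriptor is open in this process; a doc comment would spare driver implementers a trip to `keyfile_path`: `/// Key file handed to the restore VM when the snapshot is encrypted; may be a /dev/fd/N path, which is only valid while that descriptor stays open.` Whether the descriptor also has to survive into the driver's child process is not visible from this hunk and worth stating once it is confirmed.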
@@ -190,9 +190,14 @@ pub async fn start_vm(
 continue;
 }
 drives.push("-drive".to_owned());
+ let keyfile = if let Some(ref keyfile) = details.keyfile {
+ format!(",,keyfile={}", keyfile)
+ } else {
+ "".to_owned()
+ };
 drives.push(format!(
- "file=pbs:repository={},,snapshot={},,archive={},read-only=on,if=none,id=drive{}",
- details.repo, details.snapshot, file, id
+ "file=pbs:repository={},,snapshot={},,archive={}{},read-only=on,if=none,id=drive{}",
+ details.repo, details.snapshot, file, keyfile, id
));
 drives.push("-device".to_owned());
 // drive serial is used by VM to map .fidx files to /dev paths
--
2.20.1
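Review bot: `format!(",,keyfile={}", keyfile)` interpolates the user-supplied path unescaped into a QEMU `-drive` option string, where a bare `,` separates options; a key path containing a comma would presumably be cut off there and the rest read as further drive options, and because the value sits inside the already `,,`-escaped pbs string there is no way to represent such a path at all. Rejecting it up front is cleaner than letting QEMU misparse it, e.g. `if keyfile.contains(',') { bail!("keyfile path must not contain ','"); }` before the `format!` (escaping via `keyfile.replace(',', ",,")` is only an option if the pbs block driver accepts it). The `/dev/fd/N` form produced by `keyfile_path` also only works if that descriptor survives into the QEMU child process; the `crypto_parameters_keep_fd` rename suggests this is handled, but it is not visible in this hunk. `start_vm` begins and ends outside the hunk.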