src/api2/config: check digest
This commit is contained in:
parent
347834df25
commit
002a191abf
@ -112,6 +112,10 @@ pub fn read_datastore(name: String) -> Result<Value, Error> {
|
||||
optional: true,
|
||||
schema: datastore::DIR_NAME_SCHEMA,
|
||||
},
|
||||
digest: {
|
||||
optional: true,
|
||||
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
||||
},
|
||||
},
|
||||
},
|
||||
)]
|
||||
@ -120,12 +124,18 @@ pub fn update_datastore(
|
||||
name: String,
|
||||
comment: Option<String>,
|
||||
path: Option<String>,
|
||||
digest: Option<String>,
|
||||
) -> Result<(), Error> {
|
||||
|
||||
let _lock = crate::tools::open_file_locked(datastore::DATASTORE_CFG_LOCKFILE, std::time::Duration::new(10, 0))?;
|
||||
|
||||
// pass/compare digest
|
||||
let (mut config, _digest) = datastore::config()?;
|
||||
let (mut config, expected_digest) = datastore::config()?;
|
||||
|
||||
if let Some(ref digest) = digest {
|
||||
let digest = proxmox::tools::hex_to_digest(digest)?;
|
||||
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
||||
}
|
||||
|
||||
let mut data: datastore::DataStoreConfig = config.lookup("datastore", &name)?;
|
||||
|
||||
|
@ -118,6 +118,10 @@ pub fn read_remote(name: String) -> Result<Value, Error> {
|
||||
optional: true,
|
||||
schema: remotes::REMOTE_PASSWORD_SCHEMA,
|
||||
},
|
||||
digest: {
|
||||
optional: true,
|
||||
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
||||
},
|
||||
},
|
||||
},
|
||||
)]
|
||||
@ -128,12 +132,17 @@ pub fn update_remote(
|
||||
host: Option<String>,
|
||||
userid: Option<String>,
|
||||
password: Option<String>,
|
||||
digest: Option<String>,
|
||||
) -> Result<(), Error> {
|
||||
|
||||
let _lock = crate::tools::open_file_locked(remotes::REMOTES_CFG_LOCKFILE, std::time::Duration::new(10, 0))?;
|
||||
|
||||
// pass/compare digest
|
||||
let (mut config, _digest) = remotes::config()?;
|
||||
let (mut config, expected_digest) = remotes::config()?;
|
||||
|
||||
if let Some(ref digest) = digest {
|
||||
let digest = proxmox::tools::hex_to_digest(digest)?;
|
||||
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
||||
}
|
||||
|
||||
let mut data: remotes::Remote = config.lookup("remote", &name)?;
|
||||
|
||||
|
@ -118,7 +118,7 @@ pub const ROUTER: Router = Router::new()
|
||||
&ObjectSchema::new(
|
||||
"Returns DNS server IPs and sreach domain.",
|
||||
&sorted!([
|
||||
("digest", false, &PVE_CONFIG_DIGEST_SCHEMA),
|
||||
("digest", false, &PROXMOX_CONFIG_DIGEST_SCHEMA),
|
||||
("search", true, &SEARCH_DOMAIN_SCHEMA),
|
||||
("dns1", true, &FIRST_DNS_SERVER_SCHEMA),
|
||||
("dns2", true, &SECOND_DNS_SERVER_SCHEMA),
|
||||
@ -138,7 +138,7 @@ pub const ROUTER: Router = Router::new()
|
||||
("dns1", true, &FIRST_DNS_SERVER_SCHEMA),
|
||||
("dns2", true, &SECOND_DNS_SERVER_SCHEMA),
|
||||
("dns3", true, &THIRD_DNS_SERVER_SCHEMA),
|
||||
("digest", true, &PVE_CONFIG_DIGEST_SCHEMA),
|
||||
("digest", true, &PROXMOX_CONFIG_DIGEST_SCHEMA),
|
||||
]),
|
||||
)
|
||||
).protected(true)
|
||||
|
@ -85,7 +85,7 @@ pub const PASSWORD_FORMAT: ApiStringFormat =
|
||||
ApiStringFormat::Pattern(&PASSWORD_REGEX);
|
||||
|
||||
|
||||
pub const PVE_CONFIG_DIGEST_SCHEMA: Schema = StringSchema::new(r#"\
|
||||
pub const PROXMOX_CONFIG_DIGEST_SCHEMA: Schema = StringSchema::new(r#"\
|
||||
Prevent changes if current configuration file has different SHA256 digest.
|
||||
This can be used to prevent concurrent modifications.
|
||||
"#
|
||||
|
@ -336,7 +336,6 @@ impl SectionConfig {
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// cargo test test_section_config1 -- --nocapture
|
||||
#[test]
|
||||
fn test_section_config1() {
|
||||
|
10
src/tools.rs
10
src/tools.rs
@ -428,6 +428,16 @@ pub fn join(data: &Vec<String>, sep: char) -> String {
|
||||
list
|
||||
}
|
||||
|
||||
/// Detect modified configuration files
|
||||
///
|
||||
/// This function fails with a resonable error message if checksums do not match.
|
||||
pub fn detect_modified_configuration_file(digest1: &[u8;32], digest2: &[u8;32]) -> Result<(), Error> {
|
||||
if digest1 != digest2 {
|
||||
bail!("detected modified configuration - file changed by other user? Try again.");
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// normalize uri path
|
||||
///
|
||||
/// Do not allow ".", "..", or hidden files ".XXXX"
|
||||
|
Loading…
Reference in New Issue
Block a user