client: introduce --keyfd parameter

This is a more convenient way to pass along the key when
creating encrypted backups of unprivileged containers in PVE
where the unprivileged user namespace cannot access
`/etc/pve/priv`.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2020-07-08 13:52:17 +02:00
parent c1ff544eff
commit 0351f23ba4
4 changed files with 83 additions and 27 deletions

View File

@ -158,10 +158,14 @@ fn do_load_and_decrypt_key(
path: &std::path::Path, path: &std::path::Path,
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>, passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
) -> Result<([u8;32], DateTime<Local>), Error> { ) -> Result<([u8;32], DateTime<Local>), Error> {
let raw = file_get_contents(&path)?; decrypt_key(&file_get_contents(&path)?, passphrase)
let data = String::from_utf8(raw)?; }
let key_config: KeyConfig = serde_json::from_str(&data)?; pub fn decrypt_key(
mut keydata: &[u8],
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
) -> Result<([u8;32], DateTime<Local>), Error> {
let key_config: KeyConfig = serde_json::from_reader(&mut keydata)?;
let raw_data = key_config.data; let raw_data = key_config.data;
let created = key_config.created; let created = key_config.created;

View File

@ -1,5 +1,7 @@
use std::collections::{HashSet, HashMap}; use std::collections::{HashSet, HashMap};
use std::io::{self, Write, Seek, SeekFrom}; use std::convert::TryFrom;
use std::io::{self, Read, Write, Seek, SeekFrom};
use std::os::unix::io::{FromRawFd, RawFd};
use std::path::{Path, PathBuf}; use std::path::{Path, PathBuf};
use std::pin::Pin; use std::pin::Pin;
use std::sync::{Arc, Mutex}; use std::sync::{Arc, Mutex};
@ -27,7 +29,7 @@ use proxmox_backup::client::*;
use proxmox_backup::pxar::catalog::*; use proxmox_backup::pxar::catalog::*;
use proxmox_backup::backup::{ use proxmox_backup::backup::{
archive_type, archive_type,
load_and_decrypt_key, decrypt_key,
verify_chunk_size, verify_chunk_size,
ArchiveType, ArchiveType,
AsyncReadChunk, AsyncReadChunk,
@ -66,6 +68,11 @@ pub const KEYFILE_SCHEMA: Schema = StringSchema::new(
"Path to encryption key. All data will be encrypted using this key.") "Path to encryption key. All data will be encrypted using this key.")
.schema(); .schema();
pub const KEYFD_SCHEMA: Schema = IntegerSchema::new(
"Pass an encryption key via an already opened file descriptor.")
.minimum(0)
.schema();
const CHUNK_SIZE_SCHEMA: Schema = IntegerSchema::new( const CHUNK_SIZE_SCHEMA: Schema = IntegerSchema::new(
"Chunk size in KB. Must be a power of 2.") "Chunk size in KB. Must be a power of 2.")
.minimum(64) .minimum(64)
@ -663,21 +670,48 @@ fn spawn_catalog_upload(
Ok((catalog, catalog_result_rx)) Ok((catalog, catalog_result_rx))
} }
fn keyfile_parameters(param: &Value) -> Result<(Option<PathBuf>, CryptMode), Error> { fn keyfile_parameters(param: &Value) -> Result<(Option<Vec<u8>>, CryptMode), Error> {
let keyfile = match param.get("keyfile") { let keyfile = match param.get("keyfile") {
Some(Value::String(keyfile)) => Some(keyfile), Some(Value::String(keyfile)) => Some(keyfile),
Some(_) => bail!("bad --keyfile parameter type"), Some(_) => bail!("bad --keyfile parameter type"),
None => None, None => None,
}; };
let key_fd = match param.get("keyfd") {
Some(Value::Number(key_fd)) => Some(
RawFd::try_from(key_fd
.as_i64()
.ok_or_else(|| format_err!("bad key fd: {:?}", key_fd))?
)
.map_err(|err| format_err!("bad key fd: {:?}: {}", key_fd, err))?
),
Some(_) => bail!("bad --keyfd parameter type"),
None => None,
};
let crypt_mode: Option<CryptMode> = match param.get("crypt-mode") { let crypt_mode: Option<CryptMode> = match param.get("crypt-mode") {
Some(mode) => Some(serde_json::from_value(mode.clone())?), Some(mode) => Some(serde_json::from_value(mode.clone())?),
None => None, None => None,
}; };
Ok(match (keyfile, crypt_mode) { let keydata = match (keyfile, key_fd) {
(None, None) => None,
(Some(_), Some(_)) => bail!("--keyfile and --keyfd are mutually exclusive"),
(Some(keyfile), None) => Some(file_get_contents(keyfile)?),
(None, Some(fd)) => {
let input = unsafe { std::fs::File::from_raw_fd(fd) };
let mut data = Vec::new();
let _len: usize = { input }.read_to_end(&mut data)
.map_err(|err| {
format_err!("error reading encryption key from fd {}: {}", fd, err)
})?;
Some(data)
}
};
Ok(match (keydata, crypt_mode) {
// no parameters: // no parameters:
(None, None) => match key::find_default_encryption_key()? { (None, None) => match key::read_optional_default_encryption_key()? {
Some(key) => (Some(key), CryptMode::Encrypt), Some(key) => (Some(key), CryptMode::Encrypt),
None => (None, CryptMode::None), None => (None, CryptMode::None),
}, },
@ -686,21 +720,21 @@ fn keyfile_parameters(param: &Value) -> Result<(Option<PathBuf>, CryptMode), Err
(None, Some(CryptMode::None)) => (None, CryptMode::None), (None, Some(CryptMode::None)) => (None, CryptMode::None),
// just --crypt-mode other than none // just --crypt-mode other than none
(None, Some(crypt_mode)) => match key::find_default_encryption_key()? { (None, Some(crypt_mode)) => match key::read_optional_default_encryption_key()? {
None => bail!("--crypt-mode without --keyfile and no default key file available"), None => bail!("--crypt-mode without --keyfile and no default key file available"),
Some(path) => (Some(path), crypt_mode), Some(key) => (Some(key), crypt_mode),
} }
// just --keyfile // just --keyfile
(Some(keyfile), None) => (Some(PathBuf::from(keyfile)), CryptMode::Encrypt), (Some(key), None) => (Some(key), CryptMode::Encrypt),
// --keyfile and --crypt-mode=none // --keyfile and --crypt-mode=none
(Some(_), Some(CryptMode::None)) => { (Some(_), Some(CryptMode::None)) => {
bail!("--keyfile and --crypt-mode=none are mutually exclusive"); bail!("--keyfile/--keyfd and --crypt-mode=none are mutually exclusive");
} }
// --keyfile and --crypt-mode other than none // --keyfile and --crypt-mode other than none
(Some(keyfile), Some(crypt_mode)) => (Some(PathBuf::from(keyfile)), crypt_mode), (Some(key), Some(crypt_mode)) => (Some(key), crypt_mode),
}) })
} }
@ -730,6 +764,10 @@ fn keyfile_parameters(param: &Value) -> Result<(Option<PathBuf>, CryptMode), Err
schema: KEYFILE_SCHEMA, schema: KEYFILE_SCHEMA,
optional: true, optional: true,
}, },
"keyfd": {
schema: KEYFD_SCHEMA,
optional: true,
},
"crypt-mode": { "crypt-mode": {
type: CryptMode, type: CryptMode,
optional: true, optional: true,
@ -803,7 +841,7 @@ async fn create_backup(
verify_chunk_size(size)?; verify_chunk_size(size)?;
} }
let (keyfile, crypt_mode) = keyfile_parameters(&param)?; let (keydata, crypt_mode) = keyfile_parameters(&param)?;
let backup_id = param["backup-id"].as_str().unwrap_or(&proxmox::tools::nodename()); let backup_id = param["backup-id"].as_str().unwrap_or(&proxmox::tools::nodename());
@ -902,10 +940,10 @@ async fn create_backup(
println!("Starting protocol: {}", start_time.to_rfc3339_opts(chrono::SecondsFormat::Secs, false)); println!("Starting protocol: {}", start_time.to_rfc3339_opts(chrono::SecondsFormat::Secs, false));
let (crypt_config, rsa_encrypted_key) = match keyfile { let (crypt_config, rsa_encrypted_key) = match keydata {
None => (None, None), None => (None, None),
Some(path) => { Some(key) => {
let (key, created) = load_and_decrypt_key(&path, &key::get_encryption_key_password)?; let (key, created) = decrypt_key(&key, &key::get_encryption_key_password)?;
let crypt_config = CryptConfig::new(key)?; let crypt_config = CryptConfig::new(key)?;
@ -1173,6 +1211,10 @@ We do not extraxt '.pxar' archives when writing to standard output.
schema: KEYFILE_SCHEMA, schema: KEYFILE_SCHEMA,
optional: true, optional: true,
}, },
"keyfd": {
schema: KEYFD_SCHEMA,
optional: true,
},
"crypt-mode": { "crypt-mode": {
type: CryptMode, type: CryptMode,
optional: true, optional: true,
@ -1207,12 +1249,12 @@ async fn restore(param: Value) -> Result<Value, Error> {
let target = tools::required_string_param(&param, "target")?; let target = tools::required_string_param(&param, "target")?;
let target = if target == "-" { None } else { Some(target) }; let target = if target == "-" { None } else { Some(target) };
let (keyfile, _crypt_mode) = keyfile_parameters(&param)?; let (keydata, _crypt_mode) = keyfile_parameters(&param)?;
let crypt_config = match keyfile { let crypt_config = match keydata {
None => None, None => None,
Some(path) => { Some(key) => {
let (key, _) = load_and_decrypt_key(&path, &key::get_encryption_key_password)?; let (key, _) = decrypt_key(&key, &key::get_encryption_key_password)?;
Some(Arc::new(CryptConfig::new(key)?)) Some(Arc::new(CryptConfig::new(key)?))
} }
}; };
@ -1337,6 +1379,10 @@ async fn restore(param: Value) -> Result<Value, Error> {
schema: KEYFILE_SCHEMA, schema: KEYFILE_SCHEMA,
optional: true, optional: true,
}, },
"keyfd": {
schema: KEYFD_SCHEMA,
optional: true,
},
"crypt-mode": { "crypt-mode": {
type: CryptMode, type: CryptMode,
optional: true, optional: true,
@ -1355,12 +1401,12 @@ async fn upload_log(param: Value) -> Result<Value, Error> {
let mut client = connect(repo.host(), repo.user())?; let mut client = connect(repo.host(), repo.user())?;
let (keyfile, crypt_mode) = keyfile_parameters(&param)?; let (keydata, crypt_mode) = keyfile_parameters(&param)?;
let crypt_config = match keyfile { let crypt_config = match keydata {
None => None, None => None,
Some(path) => { Some(key) => {
let (key, _created) = load_and_decrypt_key(&path, &key::get_encryption_key_password)?; let (key, _created) = decrypt_key(&key, &key::get_encryption_key_password)?;
let crypt_config = CryptConfig::new(key)?; let crypt_config = CryptConfig::new(key)?;
Some(Arc::new(crypt_config)) Some(Arc::new(crypt_config))
} }
@ -1763,7 +1809,6 @@ impl ReadAt for BufferedDynamicReadAt {
buf: &'a mut [u8], buf: &'a mut [u8],
offset: u64, offset: u64,
) -> MaybeReady<io::Result<usize>, ReadAtOperation<'a>> { ) -> MaybeReady<io::Result<usize>, ReadAtOperation<'a>> {
use std::io::Read;
MaybeReady::Ready(tokio::task::block_in_place(move || { MaybeReady::Ready(tokio::task::block_in_place(move || {
let mut reader = self.inner.lock().unwrap(); let mut reader = self.inner.lock().unwrap();
reader.seek(SeekFrom::Start(offset))?; reader.seek(SeekFrom::Start(offset))?;

View File

@ -16,7 +16,6 @@ use crate::{
REPO_URL_SCHEMA, REPO_URL_SCHEMA,
extract_repository_from_value, extract_repository_from_value,
record_repository, record_repository,
load_and_decrypt_key,
api_datastore_latest_snapshot, api_datastore_latest_snapshot,
complete_repository, complete_repository,
complete_backup_snapshot, complete_backup_snapshot,
@ -35,6 +34,8 @@ use crate::{
Shell, Shell,
}; };
use proxmox_backup::backup::load_and_decrypt_key;
use crate::key::get_encryption_key_password; use crate::key::get_encryption_key_password;
#[api( #[api(

View File

@ -33,6 +33,12 @@ pub fn place_default_encryption_key() -> Result<PathBuf, Error> {
super::place_xdg_file(DEFAULT_ENCRYPTION_KEY_FILE_NAME, "default encryption key file") super::place_xdg_file(DEFAULT_ENCRYPTION_KEY_FILE_NAME, "default encryption key file")
} }
pub fn read_optional_default_encryption_key() -> Result<Option<Vec<u8>>, Error> {
find_default_encryption_key()?
.map(file_get_contents)
.transpose()
}
pub fn get_encryption_key_password() -> Result<Vec<u8>, Error> { pub fn get_encryption_key_password() -> Result<Vec<u8>, Error> {
// fixme: implement other input methods // fixme: implement other input methods