tape: key recovery: refcator and split string/file case for cli params

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2022-04-06 16:18:05 +02:00
parent b676dbce78
commit 5525ec246f
2 changed files with 72 additions and 78 deletions

View File

@ -10,7 +10,7 @@ use proxmox_sys::sortable;
use proxmox_router::{ use proxmox_router::{
list_subdirs_api_method, Permission, Router, RpcEnvironment, RpcEnvironmentType, SubdirMap, list_subdirs_api_method, Permission, Router, RpcEnvironment, RpcEnvironmentType, SubdirMap,
}; };
use proxmox_schema::{api, param_bail}; use proxmox_schema::api;
use proxmox_section_config::SectionConfigData; use proxmox_section_config::SectionConfigData;
use proxmox_uuid::Uuid; use proxmox_uuid::Uuid;
use proxmox_sys::{task_log, task_warn}; use proxmox_sys::{task_log, task_warn};
@ -609,13 +609,14 @@ fn write_media_label(
properties: { properties: {
drive: { drive: {
schema: DRIVE_NAME_SCHEMA, schema: DRIVE_NAME_SCHEMA,
//description: "Restore the key from this drive the (encrypted) key was saved on.",
optional: true, optional: true,
}, },
password: { password: {
description: "Encryption key password.", description: "The password the key was encrypted with.",
}, },
backupkey: { key: {
description: "A previously exported paperkey in JSON format.", description: "Restore the key from this JSON string. Clashes with drive.",
type: String, type: String,
min_length: 300, min_length: 300,
max_length: 600, max_length: 600,
@ -631,40 +632,34 @@ fn write_media_label(
pub async fn restore_key( pub async fn restore_key(
drive: Option<String>, drive: Option<String>,
password: String, password: String,
backupkey: Option<String>, key: Option<String>,
) -> Result<(), Error> { ) -> Result<(), Error> {
if drive.is_some() && key.is_some() {
if (drive.is_none() && backupkey.is_none()) || (drive.is_some() && backupkey.is_some()) { bail!("cannot have both 'drive' and 'key' parameter set!");
param_bail!( } else if !drive.is_some() && !key.is_some() {
"drive", bail!("one of either 'drive' or 'key' parameter must be set!");
format_err!("Please specify either a valid drive name or a backupkey")
);
} }
if let Some(drive) = drive { if let Some(drive) = drive {
run_drive_blocking_task( run_drive_blocking_task(drive.clone(), "restore key".to_string(), move |config| {
drive.clone(), let mut drive = open_drive(&config, &drive)?;
"restore key".to_string(),
move |config| {
let mut drive = open_drive(&config, &drive)?;
let (_media_id, key_config) = drive.read_label()?; let (_media_id, key_config) = drive.read_label()?;
if let Some(key_config) = key_config { if let Some(key_config) = key_config {
let password_fn = || { Ok(password.as_bytes().to_vec()) }; let password_fn = || Ok(password.as_bytes().to_vec());
let (key, ..) = key_config.decrypt(&password_fn)?; let (key, ..) = key_config.decrypt(&password_fn)?;
insert_key(key, key_config, true)?; insert_key(key, key_config, true)?;
} else { } else {
bail!("media does not contain any encryption key configuration"); bail!("media does not contain any encryption key configuration");
}
Ok(())
} }
)
Ok(())
})
.await?; .await?;
}else if let Some(backupkey) = backupkey { } else if let Some(key) = key {
let key_config: KeyConfig = let key_config: KeyConfig =
serde_json::from_str(&backupkey).map_err(|err| format_err!("<errmsg>: {}", err))?; serde_json::from_str(&key).map_err(|err| format_err!("<errmsg>: {}", err))?;
let password_fn = || Ok(password.as_bytes().to_vec()); let password_fn = || Ok(password.as_bytes().to_vec());
let (key, ..) = key_config.decrypt(&password_fn)?; let (key, ..) = key_config.decrypt(&password_fn)?;
insert_key(key, key_config, false)?; insert_key(key, key_config, false)?;

View File

@ -187,9 +187,6 @@ fn change_passphrase(
Ok(()) Ok(())
} }
pub const BEGIN_MARKER: &str = "-----BEGIN PROXMOX BACKUP KEY-----";
pub const END_MARKER: &str = "-----END PROXMOX BACKUP KEY-----";
#[api( #[api(
input: { input: {
properties: { properties: {
@ -197,69 +194,71 @@ pub const END_MARKER: &str = "-----END PROXMOX BACKUP KEY-----";
schema: DRIVE_NAME_SCHEMA, schema: DRIVE_NAME_SCHEMA,
optional: true, optional: true,
}, },
"backupkey": { key: {
description: "Importing a previously exported backupkey with either an exported paperkey-file, json-string or a json-file", description: "Import key from json string or an exported paperkey-format.",
type: String,
optional: true,
},
"key-file": {
description: "Import key from a file with either json or exported paperkey-format.",
type: String, type: String,
optional: true, optional: true,
}, },
}, },
}, },
)] )]
/// Restore encryption key from tape (read password from stdin) /// Restore encryption key from tape or from a backup file/string (reads password from stdin)
async fn restore_key( async fn restore_key(
mut param: Value, mut param: Value,
backupkey: Option<String>, key: Option<String>,
key_file: Option<String>,
rpcenv: &mut dyn RpcEnvironment, rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> { ) -> Result<(), Error> {
let drive_passed = param.get("drive").is_some();
let (config, _digest) = pbs_config::drive::config()?; if drive_passed && (key.is_some() || key_file.is_some()) {
bail!("cannot have both 'drive' and 'key(-file)' parameter set!");
let drive = crate::extract_drive_name(&mut param, &config); } else if key.is_some() && key_file.is_some() {
bail!("cannot have both 'key' and 'key-file' parameter set!");
} else if !drive_passed && !key.is_some() && !key_file.is_some() {
bail!("one of either 'drive' or 'key' parameter must be set!");
}
if !tty::stdin_isatty() { if !tty::stdin_isatty() {
bail!("no password input mechanism available"); bail!("no password input mechanism available");
} }
if (drive.is_err() && backupkey.is_none()) || (drive.is_ok() && backupkey.is_some()) { if drive_passed {
param_bail!( let (config, _digest) = pbs_config::drive::config()?;
"drive", match crate::extract_drive_name(&mut param, &config) {
format_err!("Please specify either a valid drive name or a backupkey") Ok(drive) => param["drive"] = drive.into(),
); Err(err) => param_bail!("drive", format_err!("invalid drive - {}", err)),
}
if drive.is_ok() {
param["drive"] = drive.unwrap().into();
}
if let Some(backupkey) = backupkey {
if serde_json::from_str::<KeyConfig>(&backupkey).is_ok() {
// json as Parameter
println!("backupkey to import: {}", backupkey);
param["backupkey"] = backupkey.into();
} else {
println!("backupkey is not a valid json. Interpreting Parameter as a filename");
let data = proxmox_sys::fs::file_read_string(backupkey)?;
if serde_json::from_str::<KeyConfig>(&data).is_ok() {
// standalone json-file
println!("backupkey to import: {}", data);
param["backupkey"] = data.into();
} else {
// exported paperkey-file
let start = data
.find(BEGIN_MARKER)
.ok_or_else(|| format_err!("cannot find key start marker"))?
+ BEGIN_MARKER.len();
let data_remain = &data[start..];
let end = data_remain
.find(END_MARKER)
.ok_or_else(|| format_err!("cannot find key end marker below start marker"))?;
let backupkey_extract = &data_remain[..end];
println!("backupkey to import: {}", backupkey_extract);
param["backupkey"] = backupkey_extract.into();
}
} }
} }
let key = match key_file {
Some(key_file) => Some(proxmox_sys::fs::file_read_string(key_file)?),
None => key,
};
if let Some(data) = key {
let key = if serde_json::from_str::<KeyConfig>(&data).is_ok() {
&data
} else {
const BEGIN_MARKER: &str = "-----BEGIN PROXMOX BACKUP KEY-----";
const END_MARKER: &str = "-----END PROXMOX BACKUP KEY-----";
// exported paperkey-file
let start = data
.find(BEGIN_MARKER)
.ok_or_else(|| format_err!("cannot find key start marker"))?
+ BEGIN_MARKER.len();
let data_remain = &data[start..];
let end = data_remain
.find(END_MARKER)
.ok_or_else(|| format_err!("cannot find key end marker below start marker"))?;
&data_remain[..end]
};
println!("key to import: {}", key);
param["key"] = key.into();
}
let password = tty::read_password("Tape Encryption Key Password: ")?; let password = tty::read_password("Tape Encryption Key Password: ")?;
param["password"] = String::from_utf8(password)?.into(); param["password"] = String::from_utf8(password)?.into();