tape: implemenmt show key

Moved API types Kdf and KeyInfo to src/api2/types/mod.rs.
2021-01-20 10:20:41 +01:00
parent 301b8aa0a5
commit 69b8bc3bfa
7 changed files with 163 additions and 95 deletions
--- a/src/api2/config/tape_encryption_keys.rs
+++ b/src/api2/config/tape_encryption_keys.rs
@ -27,14 +27,13 @@ use crate::{
        TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
        PROXMOX_CONFIG_DIGEST_SCHEMA,
        PASSWORD_HINT_SCHEMA,
-        TapeKeyMetadata,
+        KeyInfo,
+        Kdf,
    },
    backup::{
        KeyConfig,
-        Kdf,
        Fingerprint,
    },
-    tools::format::as_fingerprint,
 };

 #[api(
@ -44,7 +43,7 @@ use crate::{
    returns: {
        description: "The list of tape encryption keys (with config digest).",
        type: Array,
-        items: { type: TapeKeyMetadata },
+        items: { type: KeyInfo },
    },
 )]
 /// List existing keys
@ -52,17 +51,14 @@ pub fn list_keys(
    _param: Value,
    _info: &ApiMethod,
    mut rpcenv: &mut dyn RpcEnvironment,
-) -> Result<Vec<TapeKeyMetadata>, Error> {
+) -> Result<Vec<KeyInfo>, Error> {

    let (key_map, digest) = load_key_configs()?;

    let mut list = Vec::new();

-    for (fingerprint, item) in key_map {
-        list.push(TapeKeyMetadata {
-            hint: item.hint.unwrap_or(String::new()),
-            fingerprint: as_fingerprint(fingerprint.bytes()),
-        });
+    for (_fingerprint, item) in key_map.iter() {
+        list.push(item.into());
    }

    rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
@ -192,6 +188,38 @@ pub fn create_key(
 }


+#[api(
+    input: {
+        properties: {
+            fingerprint: {
+                schema: TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
+            },
+        },
+    },
+    returns: {
+        type: KeyInfo,
+    },
+)]
+/// Get key config (public key part)
+pub fn read_key(
+    fingerprint: Fingerprint,
+    _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<KeyInfo, Error> {
+
+    let (config_map, _digest) = load_key_configs()?;
+
+    let key_config = match config_map.get(&fingerprint) {
+        Some(key_config) => key_config,
+        None => bail!("tape encryption key '{}' does not exist.", fingerprint),
+    };
+
+    if key_config.kdf.is_none() {
+        bail!("found unencrypted key - internal error");
+    }
+
+    Ok(key_config.into())
+}
+
 #[api(
    protected: true,
    input: {
@ -242,7 +270,7 @@ pub fn delete_key(
 }

 const ITEM_ROUTER: Router = Router::new()
-    //.get(&API_METHOD_READ_KEY_METADATA)
+    .get(&API_METHOD_READ_KEY)
    .put(&API_METHOD_CHANGE_PASSPHRASE)
    .delete(&API_METHOD_DELETE_KEY);

--- a/src/api2/types/mod.rs
+++ b/src/api2/types/mod.rs
@ -1256,3 +1256,53 @@ pub const PASSWORD_HINT_SCHEMA: Schema = StringSchema::new("Password hint.")
    .min_length(1)
    .max_length(64)
    .schema();
+
+#[api(default: "scrypt")]
+#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+/// Key derivation function for password protected encryption keys.
+pub enum Kdf {
+    /// Do not encrypt the key.
+    None,
+    /// Encrypt they key with a password using SCrypt.
+    Scrypt,
+    /// Encrtypt the Key with a password using PBKDF2
+    PBKDF2,
+}
+
+impl Default for Kdf {
+    #[inline]
+    fn default() -> Self {
+        Kdf::Scrypt
+    }
+}
+
+#[api(
+    properties: {
+        kdf: {
+            type: Kdf,
+        },
+        fingerprint: {
+            schema: CERT_FINGERPRINT_SHA256_SCHEMA,
+            optional: true,
+        },
+    },
+)]
+#[derive(Deserialize, Serialize)]
+/// Encryption Key Information
+pub struct KeyInfo {
+    /// Path to key (if stored in a file)
+    #[serde(skip_serializing_if="Option::is_none")]
+    pub path: Option<String>,
+    pub kdf: Kdf,
+    /// Key creation time
+    pub created: i64,
+    /// Key modification time
+    pub modified: i64,
+    /// Key fingerprint
+    #[serde(skip_serializing_if="Option::is_none")]
+    pub fingerprint: Option<String>,
+    /// Password hint
+    #[serde(skip_serializing_if="Option::is_none")]
+    pub hint: Option<String>,
+}
--- a/src/api2/types/tape/drive.rs
+++ b/src/api2/types/tape/drive.rs
@ -12,8 +12,7 @@ use proxmox::api::{
 use crate::api2::types::{
    PROXMOX_SAFE_ID_FORMAT,
    CHANGER_NAME_SCHEMA,
-    CERT_FINGERPRINT_SHA256_SCHEMA,
- };
+};

 pub const DRIVE_NAME_SCHEMA: Schema = StringSchema::new("Drive Identifier.")
    .format(&PROXMOX_SAFE_ID_FORMAT)
@ -206,18 +205,3 @@ pub struct LinuxDriveAndMediaStatus {
    #[serde(skip_serializing_if="Option::is_none")]
    pub medium_passes: Option<u64>,
 }
-
-#[api(
-    properties: {
-        fingerprint: {
-            schema: CERT_FINGERPRINT_SHA256_SCHEMA,
-        },
-    },
-)]
-#[derive(Deserialize, Serialize)]
-/// Hardware Encryption key Metadata
-pub struct TapeKeyMetadata {
-    /// Password hint
-    pub hint: String,
-    pub fingerprint: String,
-}