tape: implemenmt show key

Moved API types Kdf and KeyInfo to src/api2/types/mod.rs.
This commit is contained in:
Dietmar Maurer 2021-01-20 10:20:41 +01:00
parent 301b8aa0a5
commit 69b8bc3bfa
7 changed files with 163 additions and 95 deletions

View File

@ -27,14 +27,13 @@ use crate::{
TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA, TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
PROXMOX_CONFIG_DIGEST_SCHEMA, PROXMOX_CONFIG_DIGEST_SCHEMA,
PASSWORD_HINT_SCHEMA, PASSWORD_HINT_SCHEMA,
TapeKeyMetadata, KeyInfo,
Kdf,
}, },
backup::{ backup::{
KeyConfig, KeyConfig,
Kdf,
Fingerprint, Fingerprint,
}, },
tools::format::as_fingerprint,
}; };
#[api( #[api(
@ -44,7 +43,7 @@ use crate::{
returns: { returns: {
description: "The list of tape encryption keys (with config digest).", description: "The list of tape encryption keys (with config digest).",
type: Array, type: Array,
items: { type: TapeKeyMetadata }, items: { type: KeyInfo },
}, },
)] )]
/// List existing keys /// List existing keys
@ -52,17 +51,14 @@ pub fn list_keys(
_param: Value, _param: Value,
_info: &ApiMethod, _info: &ApiMethod,
mut rpcenv: &mut dyn RpcEnvironment, mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<TapeKeyMetadata>, Error> { ) -> Result<Vec<KeyInfo>, Error> {
let (key_map, digest) = load_key_configs()?; let (key_map, digest) = load_key_configs()?;
let mut list = Vec::new(); let mut list = Vec::new();
for (fingerprint, item) in key_map { for (_fingerprint, item) in key_map.iter() {
list.push(TapeKeyMetadata { list.push(item.into());
hint: item.hint.unwrap_or(String::new()),
fingerprint: as_fingerprint(fingerprint.bytes()),
});
} }
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into(); rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
@ -192,6 +188,38 @@ pub fn create_key(
} }
#[api(
input: {
properties: {
fingerprint: {
schema: TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
},
},
},
returns: {
type: KeyInfo,
},
)]
/// Get key config (public key part)
pub fn read_key(
fingerprint: Fingerprint,
_rpcenv: &mut dyn RpcEnvironment,
) -> Result<KeyInfo, Error> {
let (config_map, _digest) = load_key_configs()?;
let key_config = match config_map.get(&fingerprint) {
Some(key_config) => key_config,
None => bail!("tape encryption key '{}' does not exist.", fingerprint),
};
if key_config.kdf.is_none() {
bail!("found unencrypted key - internal error");
}
Ok(key_config.into())
}
#[api( #[api(
protected: true, protected: true,
input: { input: {
@ -242,7 +270,7 @@ pub fn delete_key(
} }
const ITEM_ROUTER: Router = Router::new() const ITEM_ROUTER: Router = Router::new()
//.get(&API_METHOD_READ_KEY_METADATA) .get(&API_METHOD_READ_KEY)
.put(&API_METHOD_CHANGE_PASSPHRASE) .put(&API_METHOD_CHANGE_PASSPHRASE)
.delete(&API_METHOD_DELETE_KEY); .delete(&API_METHOD_DELETE_KEY);

View File

@ -1256,3 +1256,53 @@ pub const PASSWORD_HINT_SCHEMA: Schema = StringSchema::new("Password hint.")
.min_length(1) .min_length(1)
.max_length(64) .max_length(64)
.schema(); .schema();
#[api(default: "scrypt")]
#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
#[serde(rename_all = "lowercase")]
/// Key derivation function for password protected encryption keys.
pub enum Kdf {
/// Do not encrypt the key.
None,
/// Encrypt they key with a password using SCrypt.
Scrypt,
/// Encrtypt the Key with a password using PBKDF2
PBKDF2,
}
impl Default for Kdf {
#[inline]
fn default() -> Self {
Kdf::Scrypt
}
}
#[api(
properties: {
kdf: {
type: Kdf,
},
fingerprint: {
schema: CERT_FINGERPRINT_SHA256_SCHEMA,
optional: true,
},
},
)]
#[derive(Deserialize, Serialize)]
/// Encryption Key Information
pub struct KeyInfo {
/// Path to key (if stored in a file)
#[serde(skip_serializing_if="Option::is_none")]
pub path: Option<String>,
pub kdf: Kdf,
/// Key creation time
pub created: i64,
/// Key modification time
pub modified: i64,
/// Key fingerprint
#[serde(skip_serializing_if="Option::is_none")]
pub fingerprint: Option<String>,
/// Password hint
#[serde(skip_serializing_if="Option::is_none")]
pub hint: Option<String>,
}

View File

@ -12,7 +12,6 @@ use proxmox::api::{
use crate::api2::types::{ use crate::api2::types::{
PROXMOX_SAFE_ID_FORMAT, PROXMOX_SAFE_ID_FORMAT,
CHANGER_NAME_SCHEMA, CHANGER_NAME_SCHEMA,
CERT_FINGERPRINT_SHA256_SCHEMA,
}; };
pub const DRIVE_NAME_SCHEMA: Schema = StringSchema::new("Drive Identifier.") pub const DRIVE_NAME_SCHEMA: Schema = StringSchema::new("Drive Identifier.")
@ -206,18 +205,3 @@ pub struct LinuxDriveAndMediaStatus {
#[serde(skip_serializing_if="Option::is_none")] #[serde(skip_serializing_if="Option::is_none")]
pub medium_passes: Option<u64>, pub medium_passes: Option<u64>,
} }
#[api(
properties: {
fingerprint: {
schema: CERT_FINGERPRINT_SHA256_SCHEMA,
},
},
)]
#[derive(Deserialize, Serialize)]
/// Hardware Encryption key Metadata
pub struct TapeKeyMetadata {
/// Password hint
pub hint: String,
pub fingerprint: String,
}

View File

@ -6,31 +6,10 @@ use crate::backup::{CryptConfig, Fingerprint};
use std::io::Write; use std::io::Write;
use std::path::Path; use std::path::Path;
use proxmox::api::api;
use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions}; use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
use proxmox::try_block; use proxmox::try_block;
#[api(default: "scrypt")] use crate::api2::types::{KeyInfo, Kdf};
#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
#[serde(rename_all = "lowercase")]
/// Key derivation function for password protected encryption keys.
pub enum Kdf {
/// Do not encrypt the key.
None,
/// Encrypt they key with a password using SCrypt.
Scrypt,
/// Encrtypt the Key with a password using PBKDF2
PBKDF2,
}
impl Default for Kdf {
#[inline]
fn default() -> Self {
Kdf::Scrypt
}
}
#[derive(Deserialize, Serialize, Clone, Debug)] #[derive(Deserialize, Serialize, Clone, Debug)]
pub enum KeyDerivationConfig { pub enum KeyDerivationConfig {
@ -101,6 +80,26 @@ pub struct KeyConfig {
pub hint: Option<String>, pub hint: Option<String>,
} }
impl From<&KeyConfig> for KeyInfo {
fn from(key_config: &KeyConfig) -> Self {
Self {
path: None,
kdf: match key_config.kdf {
Some(KeyDerivationConfig::PBKDF2 { .. }) => Kdf::PBKDF2,
Some(KeyDerivationConfig::Scrypt { .. }) => Kdf::Scrypt,
None => Kdf::None,
},
created: key_config.created,
modified: key_config.modified,
fingerprint: key_config
.fingerprint
.as_ref()
.map(|fp| crate::tools::format::as_fingerprint(fp.bytes())),
hint: key_config.hint.clone(),
}
}
}
impl KeyConfig { impl KeyConfig {
pub fn new(passphrase: &[u8], kdf: Kdf) -> Result<([u8;32], Self), Error> { pub fn new(passphrase: &[u8], kdf: Kdf) -> Result<([u8;32], Self), Error> {

View File

@ -22,13 +22,13 @@ use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
use proxmox_backup::{ use proxmox_backup::{
api2::types::{ api2::types::{
PASSWORD_HINT_SCHEMA, PASSWORD_HINT_SCHEMA,
KeyInfo,
Kdf,
}, },
backup::{ backup::{
rsa_decrypt_key_config, rsa_decrypt_key_config,
CryptConfig, CryptConfig,
Kdf,
KeyConfig, KeyConfig,
KeyDerivationConfig,
}, },
tools, tools,
}; };
@ -318,31 +318,6 @@ fn change_passphrase(
Ok(()) Ok(())
} }
#[api(
properties: {
kdf: {
type: Kdf,
},
},
)]
#[derive(Deserialize, Serialize)]
/// Encryption Key Information
struct KeyInfo {
/// Path to key
path: String,
kdf: Kdf,
/// Key creation time
pub created: i64,
/// Key modification time
pub modified: i64,
/// Key fingerprint
#[serde(skip_serializing_if="Option::is_none")]
pub fingerprint: Option<String>,
/// Password hint
#[serde(skip_serializing_if="Option::is_none")]
pub hint: Option<String>,
}
#[api( #[api(
input: { input: {
properties: { properties: {
@ -378,21 +353,8 @@ fn show_key(
let output_format = get_output_format(&param); let output_format = get_output_format(&param);
let info = KeyInfo { let mut info: KeyInfo = (&config).into();
path: format!("{:?}", path), info.path = Some(format!("{:?}", path));
kdf: match config.kdf {
Some(KeyDerivationConfig::PBKDF2 { .. }) => Kdf::PBKDF2,
Some(KeyDerivationConfig::Scrypt { .. }) => Kdf::Scrypt,
None => Kdf::None,
},
created: config.created,
modified: config.modified,
fingerprint: match config.fingerprint {
Some(ref fp) => Some(format!("{}", fp)),
None => None,
},
hint: config.hint,
};
let options = proxmox::api::cli::default_table_format_options() let options = proxmox::api::cli::default_table_format_options()
.column(ColumnConfig::new("path")) .column(ColumnConfig::new("path"))

View File

@ -12,6 +12,7 @@ use proxmox::{
}; };
use proxmox_backup::{ use proxmox_backup::{
tools,
config, config,
api2::{ api2::{
self, self,
@ -19,9 +20,9 @@ use proxmox_backup::{
DRIVE_NAME_SCHEMA, DRIVE_NAME_SCHEMA,
TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA, TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
PASSWORD_HINT_SCHEMA, PASSWORD_HINT_SCHEMA,
Kdf,
}, },
}, },
backup::Kdf,
config::tape_encryption_keys::complete_key_fingerprint, config::tape_encryption_keys::complete_key_fingerprint,
}; };
@ -39,6 +40,12 @@ pub fn encryption_key_commands() -> CommandLineInterface {
.arg_param(&["fingerprint"]) .arg_param(&["fingerprint"])
.completion_cb("fingerprint", complete_key_fingerprint) .completion_cb("fingerprint", complete_key_fingerprint)
) )
.insert(
"show",
CliCommand::new(&API_METHOD_SHOW_KEY)
.arg_param(&["fingerprint"])
.completion_cb("fingerprint", complete_key_fingerprint)
)
.insert( .insert(
"restore", "restore",
CliCommand::new(&API_METHOD_RESTORE_KEY) CliCommand::new(&API_METHOD_RESTORE_KEY)
@ -54,6 +61,45 @@ pub fn encryption_key_commands() -> CommandLineInterface {
cmd_def.into() cmd_def.into()
} }
#[api(
input: {
properties: {
fingerprint: {
schema: TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
},
"output-format": {
schema: OUTPUT_FORMAT,
optional: true,
},
},
},
)]
/// Print tthe encryption key's metadata.
fn show_key(
param: Value,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
let output_format = get_output_format(&param);
let info = &api2::config::tape_encryption_keys::API_METHOD_READ_KEY;
let mut data = match info.handler {
ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
_ => unreachable!(),
};
let options = proxmox::api::cli::default_table_format_options()
.column(ColumnConfig::new("kdf"))
.column(ColumnConfig::new("created").renderer(tools::format::render_epoch))
.column(ColumnConfig::new("modified").renderer(tools::format::render_epoch))
.column(ColumnConfig::new("fingerprint"))
.column(ColumnConfig::new("hint"));
format_and_print_result_full(&mut data, &info.returns, &output_format, &options);
Ok(())
}
#[api( #[api(
input: { input: {
properties: { properties: {

View File

@ -11,9 +11,9 @@ use proxmox::tools::fs::{
}; };
use crate::{ use crate::{
api2::types::Kdf,
backup::{ backup::{
Fingerprint, Fingerprint,
Kdf,
KeyConfig, KeyConfig,
CryptConfig, CryptConfig,
}, },
@ -204,7 +204,6 @@ pub fn insert_key(key: [u8;32], key_config: KeyConfig) -> Result<(), Error> {
save_key_configs(config_map)?; save_key_configs(config_map)?;
Ok(()) Ok(())
} }
// shell completion helper // shell completion helper