tape: implemenmt show key
Moved API types Kdf and KeyInfo to src/api2/types/mod.rs.
This commit is contained in:
parent
301b8aa0a5
commit
69b8bc3bfa
@ -27,14 +27,13 @@ use crate::{
|
|||||||
TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
|
TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
|
||||||
PROXMOX_CONFIG_DIGEST_SCHEMA,
|
PROXMOX_CONFIG_DIGEST_SCHEMA,
|
||||||
PASSWORD_HINT_SCHEMA,
|
PASSWORD_HINT_SCHEMA,
|
||||||
TapeKeyMetadata,
|
KeyInfo,
|
||||||
|
Kdf,
|
||||||
},
|
},
|
||||||
backup::{
|
backup::{
|
||||||
KeyConfig,
|
KeyConfig,
|
||||||
Kdf,
|
|
||||||
Fingerprint,
|
Fingerprint,
|
||||||
},
|
},
|
||||||
tools::format::as_fingerprint,
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#[api(
|
#[api(
|
||||||
@ -44,7 +43,7 @@ use crate::{
|
|||||||
returns: {
|
returns: {
|
||||||
description: "The list of tape encryption keys (with config digest).",
|
description: "The list of tape encryption keys (with config digest).",
|
||||||
type: Array,
|
type: Array,
|
||||||
items: { type: TapeKeyMetadata },
|
items: { type: KeyInfo },
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// List existing keys
|
/// List existing keys
|
||||||
@ -52,17 +51,14 @@ pub fn list_keys(
|
|||||||
_param: Value,
|
_param: Value,
|
||||||
_info: &ApiMethod,
|
_info: &ApiMethod,
|
||||||
mut rpcenv: &mut dyn RpcEnvironment,
|
mut rpcenv: &mut dyn RpcEnvironment,
|
||||||
) -> Result<Vec<TapeKeyMetadata>, Error> {
|
) -> Result<Vec<KeyInfo>, Error> {
|
||||||
|
|
||||||
let (key_map, digest) = load_key_configs()?;
|
let (key_map, digest) = load_key_configs()?;
|
||||||
|
|
||||||
let mut list = Vec::new();
|
let mut list = Vec::new();
|
||||||
|
|
||||||
for (fingerprint, item) in key_map {
|
for (_fingerprint, item) in key_map.iter() {
|
||||||
list.push(TapeKeyMetadata {
|
list.push(item.into());
|
||||||
hint: item.hint.unwrap_or(String::new()),
|
|
||||||
fingerprint: as_fingerprint(fingerprint.bytes()),
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
||||||
@ -192,6 +188,38 @@ pub fn create_key(
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#[api(
|
||||||
|
input: {
|
||||||
|
properties: {
|
||||||
|
fingerprint: {
|
||||||
|
schema: TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
returns: {
|
||||||
|
type: KeyInfo,
|
||||||
|
},
|
||||||
|
)]
|
||||||
|
/// Get key config (public key part)
|
||||||
|
pub fn read_key(
|
||||||
|
fingerprint: Fingerprint,
|
||||||
|
_rpcenv: &mut dyn RpcEnvironment,
|
||||||
|
) -> Result<KeyInfo, Error> {
|
||||||
|
|
||||||
|
let (config_map, _digest) = load_key_configs()?;
|
||||||
|
|
||||||
|
let key_config = match config_map.get(&fingerprint) {
|
||||||
|
Some(key_config) => key_config,
|
||||||
|
None => bail!("tape encryption key '{}' does not exist.", fingerprint),
|
||||||
|
};
|
||||||
|
|
||||||
|
if key_config.kdf.is_none() {
|
||||||
|
bail!("found unencrypted key - internal error");
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(key_config.into())
|
||||||
|
}
|
||||||
|
|
||||||
#[api(
|
#[api(
|
||||||
protected: true,
|
protected: true,
|
||||||
input: {
|
input: {
|
||||||
@ -242,7 +270,7 @@ pub fn delete_key(
|
|||||||
}
|
}
|
||||||
|
|
||||||
const ITEM_ROUTER: Router = Router::new()
|
const ITEM_ROUTER: Router = Router::new()
|
||||||
//.get(&API_METHOD_READ_KEY_METADATA)
|
.get(&API_METHOD_READ_KEY)
|
||||||
.put(&API_METHOD_CHANGE_PASSPHRASE)
|
.put(&API_METHOD_CHANGE_PASSPHRASE)
|
||||||
.delete(&API_METHOD_DELETE_KEY);
|
.delete(&API_METHOD_DELETE_KEY);
|
||||||
|
|
||||||
|
@ -1256,3 +1256,53 @@ pub const PASSWORD_HINT_SCHEMA: Schema = StringSchema::new("Password hint.")
|
|||||||
.min_length(1)
|
.min_length(1)
|
||||||
.max_length(64)
|
.max_length(64)
|
||||||
.schema();
|
.schema();
|
||||||
|
|
||||||
|
#[api(default: "scrypt")]
|
||||||
|
#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
|
||||||
|
#[serde(rename_all = "lowercase")]
|
||||||
|
/// Key derivation function for password protected encryption keys.
|
||||||
|
pub enum Kdf {
|
||||||
|
/// Do not encrypt the key.
|
||||||
|
None,
|
||||||
|
/// Encrypt they key with a password using SCrypt.
|
||||||
|
Scrypt,
|
||||||
|
/// Encrtypt the Key with a password using PBKDF2
|
||||||
|
PBKDF2,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Default for Kdf {
|
||||||
|
#[inline]
|
||||||
|
fn default() -> Self {
|
||||||
|
Kdf::Scrypt
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[api(
|
||||||
|
properties: {
|
||||||
|
kdf: {
|
||||||
|
type: Kdf,
|
||||||
|
},
|
||||||
|
fingerprint: {
|
||||||
|
schema: CERT_FINGERPRINT_SHA256_SCHEMA,
|
||||||
|
optional: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
)]
|
||||||
|
#[derive(Deserialize, Serialize)]
|
||||||
|
/// Encryption Key Information
|
||||||
|
pub struct KeyInfo {
|
||||||
|
/// Path to key (if stored in a file)
|
||||||
|
#[serde(skip_serializing_if="Option::is_none")]
|
||||||
|
pub path: Option<String>,
|
||||||
|
pub kdf: Kdf,
|
||||||
|
/// Key creation time
|
||||||
|
pub created: i64,
|
||||||
|
/// Key modification time
|
||||||
|
pub modified: i64,
|
||||||
|
/// Key fingerprint
|
||||||
|
#[serde(skip_serializing_if="Option::is_none")]
|
||||||
|
pub fingerprint: Option<String>,
|
||||||
|
/// Password hint
|
||||||
|
#[serde(skip_serializing_if="Option::is_none")]
|
||||||
|
pub hint: Option<String>,
|
||||||
|
}
|
||||||
|
@ -12,8 +12,7 @@ use proxmox::api::{
|
|||||||
use crate::api2::types::{
|
use crate::api2::types::{
|
||||||
PROXMOX_SAFE_ID_FORMAT,
|
PROXMOX_SAFE_ID_FORMAT,
|
||||||
CHANGER_NAME_SCHEMA,
|
CHANGER_NAME_SCHEMA,
|
||||||
CERT_FINGERPRINT_SHA256_SCHEMA,
|
};
|
||||||
};
|
|
||||||
|
|
||||||
pub const DRIVE_NAME_SCHEMA: Schema = StringSchema::new("Drive Identifier.")
|
pub const DRIVE_NAME_SCHEMA: Schema = StringSchema::new("Drive Identifier.")
|
||||||
.format(&PROXMOX_SAFE_ID_FORMAT)
|
.format(&PROXMOX_SAFE_ID_FORMAT)
|
||||||
@ -206,18 +205,3 @@ pub struct LinuxDriveAndMediaStatus {
|
|||||||
#[serde(skip_serializing_if="Option::is_none")]
|
#[serde(skip_serializing_if="Option::is_none")]
|
||||||
pub medium_passes: Option<u64>,
|
pub medium_passes: Option<u64>,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[api(
|
|
||||||
properties: {
|
|
||||||
fingerprint: {
|
|
||||||
schema: CERT_FINGERPRINT_SHA256_SCHEMA,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
)]
|
|
||||||
#[derive(Deserialize, Serialize)]
|
|
||||||
/// Hardware Encryption key Metadata
|
|
||||||
pub struct TapeKeyMetadata {
|
|
||||||
/// Password hint
|
|
||||||
pub hint: String,
|
|
||||||
pub fingerprint: String,
|
|
||||||
}
|
|
||||||
|
@ -6,31 +6,10 @@ use crate::backup::{CryptConfig, Fingerprint};
|
|||||||
use std::io::Write;
|
use std::io::Write;
|
||||||
use std::path::Path;
|
use std::path::Path;
|
||||||
|
|
||||||
use proxmox::api::api;
|
|
||||||
use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
|
use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
|
||||||
use proxmox::try_block;
|
use proxmox::try_block;
|
||||||
|
|
||||||
#[api(default: "scrypt")]
|
use crate::api2::types::{KeyInfo, Kdf};
|
||||||
#[derive(Clone, Copy, Debug, Deserialize, Serialize)]
|
|
||||||
#[serde(rename_all = "lowercase")]
|
|
||||||
/// Key derivation function for password protected encryption keys.
|
|
||||||
pub enum Kdf {
|
|
||||||
/// Do not encrypt the key.
|
|
||||||
None,
|
|
||||||
|
|
||||||
/// Encrypt they key with a password using SCrypt.
|
|
||||||
Scrypt,
|
|
||||||
|
|
||||||
/// Encrtypt the Key with a password using PBKDF2
|
|
||||||
PBKDF2,
|
|
||||||
}
|
|
||||||
|
|
||||||
impl Default for Kdf {
|
|
||||||
#[inline]
|
|
||||||
fn default() -> Self {
|
|
||||||
Kdf::Scrypt
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#[derive(Deserialize, Serialize, Clone, Debug)]
|
#[derive(Deserialize, Serialize, Clone, Debug)]
|
||||||
pub enum KeyDerivationConfig {
|
pub enum KeyDerivationConfig {
|
||||||
@ -101,6 +80,26 @@ pub struct KeyConfig {
|
|||||||
pub hint: Option<String>,
|
pub hint: Option<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl From<&KeyConfig> for KeyInfo {
|
||||||
|
fn from(key_config: &KeyConfig) -> Self {
|
||||||
|
Self {
|
||||||
|
path: None,
|
||||||
|
kdf: match key_config.kdf {
|
||||||
|
Some(KeyDerivationConfig::PBKDF2 { .. }) => Kdf::PBKDF2,
|
||||||
|
Some(KeyDerivationConfig::Scrypt { .. }) => Kdf::Scrypt,
|
||||||
|
None => Kdf::None,
|
||||||
|
},
|
||||||
|
created: key_config.created,
|
||||||
|
modified: key_config.modified,
|
||||||
|
fingerprint: key_config
|
||||||
|
.fingerprint
|
||||||
|
.as_ref()
|
||||||
|
.map(|fp| crate::tools::format::as_fingerprint(fp.bytes())),
|
||||||
|
hint: key_config.hint.clone(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
impl KeyConfig {
|
impl KeyConfig {
|
||||||
|
|
||||||
pub fn new(passphrase: &[u8], kdf: Kdf) -> Result<([u8;32], Self), Error> {
|
pub fn new(passphrase: &[u8], kdf: Kdf) -> Result<([u8;32], Self), Error> {
|
||||||
|
@ -22,13 +22,13 @@ use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
|
|||||||
use proxmox_backup::{
|
use proxmox_backup::{
|
||||||
api2::types::{
|
api2::types::{
|
||||||
PASSWORD_HINT_SCHEMA,
|
PASSWORD_HINT_SCHEMA,
|
||||||
|
KeyInfo,
|
||||||
|
Kdf,
|
||||||
},
|
},
|
||||||
backup::{
|
backup::{
|
||||||
rsa_decrypt_key_config,
|
rsa_decrypt_key_config,
|
||||||
CryptConfig,
|
CryptConfig,
|
||||||
Kdf,
|
|
||||||
KeyConfig,
|
KeyConfig,
|
||||||
KeyDerivationConfig,
|
|
||||||
},
|
},
|
||||||
tools,
|
tools,
|
||||||
};
|
};
|
||||||
@ -318,31 +318,6 @@ fn change_passphrase(
|
|||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
#[api(
|
|
||||||
properties: {
|
|
||||||
kdf: {
|
|
||||||
type: Kdf,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
)]
|
|
||||||
#[derive(Deserialize, Serialize)]
|
|
||||||
/// Encryption Key Information
|
|
||||||
struct KeyInfo {
|
|
||||||
/// Path to key
|
|
||||||
path: String,
|
|
||||||
kdf: Kdf,
|
|
||||||
/// Key creation time
|
|
||||||
pub created: i64,
|
|
||||||
/// Key modification time
|
|
||||||
pub modified: i64,
|
|
||||||
/// Key fingerprint
|
|
||||||
#[serde(skip_serializing_if="Option::is_none")]
|
|
||||||
pub fingerprint: Option<String>,
|
|
||||||
/// Password hint
|
|
||||||
#[serde(skip_serializing_if="Option::is_none")]
|
|
||||||
pub hint: Option<String>,
|
|
||||||
}
|
|
||||||
|
|
||||||
#[api(
|
#[api(
|
||||||
input: {
|
input: {
|
||||||
properties: {
|
properties: {
|
||||||
@ -378,21 +353,8 @@ fn show_key(
|
|||||||
|
|
||||||
let output_format = get_output_format(¶m);
|
let output_format = get_output_format(¶m);
|
||||||
|
|
||||||
let info = KeyInfo {
|
let mut info: KeyInfo = (&config).into();
|
||||||
path: format!("{:?}", path),
|
info.path = Some(format!("{:?}", path));
|
||||||
kdf: match config.kdf {
|
|
||||||
Some(KeyDerivationConfig::PBKDF2 { .. }) => Kdf::PBKDF2,
|
|
||||||
Some(KeyDerivationConfig::Scrypt { .. }) => Kdf::Scrypt,
|
|
||||||
None => Kdf::None,
|
|
||||||
},
|
|
||||||
created: config.created,
|
|
||||||
modified: config.modified,
|
|
||||||
fingerprint: match config.fingerprint {
|
|
||||||
Some(ref fp) => Some(format!("{}", fp)),
|
|
||||||
None => None,
|
|
||||||
},
|
|
||||||
hint: config.hint,
|
|
||||||
};
|
|
||||||
|
|
||||||
let options = proxmox::api::cli::default_table_format_options()
|
let options = proxmox::api::cli::default_table_format_options()
|
||||||
.column(ColumnConfig::new("path"))
|
.column(ColumnConfig::new("path"))
|
||||||
|
@ -12,6 +12,7 @@ use proxmox::{
|
|||||||
};
|
};
|
||||||
|
|
||||||
use proxmox_backup::{
|
use proxmox_backup::{
|
||||||
|
tools,
|
||||||
config,
|
config,
|
||||||
api2::{
|
api2::{
|
||||||
self,
|
self,
|
||||||
@ -19,9 +20,9 @@ use proxmox_backup::{
|
|||||||
DRIVE_NAME_SCHEMA,
|
DRIVE_NAME_SCHEMA,
|
||||||
TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
|
TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
|
||||||
PASSWORD_HINT_SCHEMA,
|
PASSWORD_HINT_SCHEMA,
|
||||||
|
Kdf,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
backup::Kdf,
|
|
||||||
config::tape_encryption_keys::complete_key_fingerprint,
|
config::tape_encryption_keys::complete_key_fingerprint,
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -39,6 +40,12 @@ pub fn encryption_key_commands() -> CommandLineInterface {
|
|||||||
.arg_param(&["fingerprint"])
|
.arg_param(&["fingerprint"])
|
||||||
.completion_cb("fingerprint", complete_key_fingerprint)
|
.completion_cb("fingerprint", complete_key_fingerprint)
|
||||||
)
|
)
|
||||||
|
.insert(
|
||||||
|
"show",
|
||||||
|
CliCommand::new(&API_METHOD_SHOW_KEY)
|
||||||
|
.arg_param(&["fingerprint"])
|
||||||
|
.completion_cb("fingerprint", complete_key_fingerprint)
|
||||||
|
)
|
||||||
.insert(
|
.insert(
|
||||||
"restore",
|
"restore",
|
||||||
CliCommand::new(&API_METHOD_RESTORE_KEY)
|
CliCommand::new(&API_METHOD_RESTORE_KEY)
|
||||||
@ -54,6 +61,45 @@ pub fn encryption_key_commands() -> CommandLineInterface {
|
|||||||
cmd_def.into()
|
cmd_def.into()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[api(
|
||||||
|
input: {
|
||||||
|
properties: {
|
||||||
|
fingerprint: {
|
||||||
|
schema: TAPE_ENCRYPTION_KEY_FINGERPRINT_SCHEMA,
|
||||||
|
},
|
||||||
|
"output-format": {
|
||||||
|
schema: OUTPUT_FORMAT,
|
||||||
|
optional: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
)]
|
||||||
|
/// Print tthe encryption key's metadata.
|
||||||
|
fn show_key(
|
||||||
|
param: Value,
|
||||||
|
rpcenv: &mut dyn RpcEnvironment,
|
||||||
|
) -> Result<(), Error> {
|
||||||
|
|
||||||
|
let output_format = get_output_format(¶m);
|
||||||
|
|
||||||
|
let info = &api2::config::tape_encryption_keys::API_METHOD_READ_KEY;
|
||||||
|
let mut data = match info.handler {
|
||||||
|
ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
|
||||||
|
_ => unreachable!(),
|
||||||
|
};
|
||||||
|
|
||||||
|
let options = proxmox::api::cli::default_table_format_options()
|
||||||
|
.column(ColumnConfig::new("kdf"))
|
||||||
|
.column(ColumnConfig::new("created").renderer(tools::format::render_epoch))
|
||||||
|
.column(ColumnConfig::new("modified").renderer(tools::format::render_epoch))
|
||||||
|
.column(ColumnConfig::new("fingerprint"))
|
||||||
|
.column(ColumnConfig::new("hint"));
|
||||||
|
|
||||||
|
format_and_print_result_full(&mut data, &info.returns, &output_format, &options);
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
#[api(
|
#[api(
|
||||||
input: {
|
input: {
|
||||||
properties: {
|
properties: {
|
||||||
|
@ -11,9 +11,9 @@ use proxmox::tools::fs::{
|
|||||||
};
|
};
|
||||||
|
|
||||||
use crate::{
|
use crate::{
|
||||||
|
api2::types::Kdf,
|
||||||
backup::{
|
backup::{
|
||||||
Fingerprint,
|
Fingerprint,
|
||||||
Kdf,
|
|
||||||
KeyConfig,
|
KeyConfig,
|
||||||
CryptConfig,
|
CryptConfig,
|
||||||
},
|
},
|
||||||
@ -204,7 +204,6 @@ pub fn insert_key(key: [u8;32], key_config: KeyConfig) -> Result<(), Error> {
|
|||||||
save_key_configs(config_map)?;
|
save_key_configs(config_map)?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// shell completion helper
|
// shell completion helper
|
||||||
|
Loading…
Reference in New Issue
Block a user