client: add --encryption boolen parameter
This can be used to explicitly disable encryption even if a default key file exists in ~/.config. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
parent
887018bb79
commit
96ee857752
@ -65,6 +65,11 @@ pub const KEYFILE_SCHEMA: Schema = StringSchema::new(
|
|||||||
"Path to encryption key. All data will be encrypted using this key.")
|
"Path to encryption key. All data will be encrypted using this key.")
|
||||||
.schema();
|
.schema();
|
||||||
|
|
||||||
|
pub const ENCRYPTION_SCHEMA: Schema = BooleanSchema::new(
|
||||||
|
"Explicitly enable or disable encryption. \
|
||||||
|
(Allows disabling encryption when a default key file is present.)")
|
||||||
|
.schema();
|
||||||
|
|
||||||
const CHUNK_SIZE_SCHEMA: Schema = IntegerSchema::new(
|
const CHUNK_SIZE_SCHEMA: Schema = IntegerSchema::new(
|
||||||
"Chunk size in KB. Must be a power of 2.")
|
"Chunk size in KB. Must be a power of 2.")
|
||||||
.minimum(64)
|
.minimum(64)
|
||||||
@ -659,6 +664,37 @@ fn spawn_catalog_upload(
|
|||||||
Ok((catalog, catalog_result_rx))
|
Ok((catalog, catalog_result_rx))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn keyfile_parameters(param: &Value) -> Result<Option<PathBuf>, Error> {
|
||||||
|
Ok(match (param.get("keyfile"), param.get("encryption")) {
|
||||||
|
// no parameters:
|
||||||
|
(None, None) => key::optional_default_key_path()?,
|
||||||
|
|
||||||
|
// just --encryption=false
|
||||||
|
(None, Some(Value::Bool(false))) => None,
|
||||||
|
|
||||||
|
// just --encryption=true
|
||||||
|
(None, Some(Value::Bool(true))) => match key::optional_default_key_path()? {
|
||||||
|
None => bail!("--encryption=false without --keyfile and no default key file available"),
|
||||||
|
Some(path) => Some(path),
|
||||||
|
}
|
||||||
|
|
||||||
|
// just --keyfile
|
||||||
|
(Some(Value::String(keyfile)), None) => Some(PathBuf::from(keyfile)),
|
||||||
|
|
||||||
|
// --keyfile and --encryption=false
|
||||||
|
(Some(Value::String(_)), Some(Value::Bool(false))) => {
|
||||||
|
bail!("--keyfile and --encryption=false are mutually exclusive");
|
||||||
|
}
|
||||||
|
|
||||||
|
// --keyfile and --encryption=true
|
||||||
|
(Some(Value::String(keyfile)), Some(Value::Bool(true))) => Some(PathBuf::from(keyfile)),
|
||||||
|
|
||||||
|
// wrong value types:
|
||||||
|
(Some(_), _) => bail!("bad --keyfile parameter"),
|
||||||
|
(_, Some(_)) => bail!("bad --encryption parameter"),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
#[api(
|
#[api(
|
||||||
input: {
|
input: {
|
||||||
properties: {
|
properties: {
|
||||||
@ -685,6 +721,10 @@ fn spawn_catalog_upload(
|
|||||||
schema: KEYFILE_SCHEMA,
|
schema: KEYFILE_SCHEMA,
|
||||||
optional: true,
|
optional: true,
|
||||||
},
|
},
|
||||||
|
encryption: {
|
||||||
|
schema: ENCRYPTION_SCHEMA,
|
||||||
|
optional: true,
|
||||||
|
},
|
||||||
"skip-lost-and-found": {
|
"skip-lost-and-found": {
|
||||||
type: Boolean,
|
type: Boolean,
|
||||||
description: "Skip lost+found directory.",
|
description: "Skip lost+found directory.",
|
||||||
@ -754,10 +794,7 @@ async fn create_backup(
|
|||||||
verify_chunk_size(size)?;
|
verify_chunk_size(size)?;
|
||||||
}
|
}
|
||||||
|
|
||||||
let keyfile = match param["keyfile"].as_str() {
|
let keyfile = keyfile_parameters(¶m)?;
|
||||||
Some(path) => Some(PathBuf::from(path)),
|
|
||||||
None => key::optional_default_key_path()?,
|
|
||||||
};
|
|
||||||
|
|
||||||
let backup_id = param["backup-id"].as_str().unwrap_or(&proxmox::tools::nodename());
|
let backup_id = param["backup-id"].as_str().unwrap_or(&proxmox::tools::nodename());
|
||||||
|
|
||||||
@ -1122,6 +1159,10 @@ We do not extraxt '.pxar' archives when writing to standard output.
|
|||||||
schema: KEYFILE_SCHEMA,
|
schema: KEYFILE_SCHEMA,
|
||||||
optional: true,
|
optional: true,
|
||||||
},
|
},
|
||||||
|
encryption: {
|
||||||
|
schema: ENCRYPTION_SCHEMA,
|
||||||
|
optional: true,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
)]
|
)]
|
||||||
@ -1152,10 +1193,7 @@ async fn restore(param: Value) -> Result<Value, Error> {
|
|||||||
let target = tools::required_string_param(¶m, "target")?;
|
let target = tools::required_string_param(¶m, "target")?;
|
||||||
let target = if target == "-" { None } else { Some(target) };
|
let target = if target == "-" { None } else { Some(target) };
|
||||||
|
|
||||||
let keyfile = match param["keyfile"].as_str() {
|
let keyfile = keyfile_parameters(¶m)?;
|
||||||
Some(path) => Some(PathBuf::from(path)),
|
|
||||||
None => key::optional_default_key_path()?,
|
|
||||||
};
|
|
||||||
|
|
||||||
let crypt_config = match keyfile {
|
let crypt_config = match keyfile {
|
||||||
None => None,
|
None => None,
|
||||||
@ -1285,6 +1323,10 @@ async fn restore(param: Value) -> Result<Value, Error> {
|
|||||||
schema: KEYFILE_SCHEMA,
|
schema: KEYFILE_SCHEMA,
|
||||||
optional: true,
|
optional: true,
|
||||||
},
|
},
|
||||||
|
encryption: {
|
||||||
|
schema: ENCRYPTION_SCHEMA,
|
||||||
|
optional: true,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
)]
|
)]
|
||||||
@ -1299,10 +1341,7 @@ async fn upload_log(param: Value) -> Result<Value, Error> {
|
|||||||
|
|
||||||
let mut client = connect(repo.host(), repo.user())?;
|
let mut client = connect(repo.host(), repo.user())?;
|
||||||
|
|
||||||
let keyfile = match param["keyfile"].as_str() {
|
let keyfile = keyfile_parameters(¶m)?;
|
||||||
Some(path) => Some(PathBuf::from(path)),
|
|
||||||
None => key::optional_default_key_path()?,
|
|
||||||
};
|
|
||||||
|
|
||||||
let crypt_config = match keyfile {
|
let crypt_config = match keyfile {
|
||||||
None => None,
|
None => None,
|
||||||
|
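Review bot: In the new `keyfile_parameters`, the arm for `(None, Some(Value::Bool(true)))` bails with a message that names the wrong value, `"--encryption=false without --keyfile and no default key file available"`. Failing closed there is right, since the alternative would be continuing without a key after encryption was requested explicitly, but the text should read `bail!("--encryption=true without --keyfile and no default key file available")` so the user can tell which option was rejected. The function also has no doc comment; a short `///` summary should state that `Ok(None)` means no key is used (the callers visibly map it to `crypt_config = None`) and that the `(None, None)` case falls back to `key::optional_default_key_path()`. Separately, a `keyfile` or `encryption` key that is present but not a string or boolean now hits the "bad parameter" arms, whereas the removed `param["keyfile"].as_str()` treated a non-string as absent; this looks intended, but it is worth confirming that the CLI layer never passes an explicit null.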