proxmox-tape: api: restore_key-code moved to tape-encryption-keys
The restore_key api-endpoint is tape/drive/{drive}/restore-key.
Since I cannot set the url parameter for the drivename to null or
undefined, when restoring by exported-key, I moved the
added restore_key-api-code to
"create_key aka POST api2/json/config/tape-encryption-keys" and
added an ApiHandler call in the cli's "restore_key" to call
"create_key" in the api.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
This commit is contained in:
Markus Frank
Thomas Lamprecht
parent
e3746a329e
commit
ae60eed310
|
|
@ -182,6 +182,14 @@ pub fn change_passphrase(
|
||||||
},
|
},
|
||||||
hint: {
|
hint: {
|
||||||
schema: PASSWORD_HINT_SCHEMA,
|
schema: PASSWORD_HINT_SCHEMA,
|
||||||
|
optional: true,
|
||||||
|
},
|
||||||
|
key: {
|
||||||
|
description: "A previously exported paperkey in JSON format.",
|
||||||
|
type: String,
|
||||||
|
min_length: 300,
|
||||||
|
max_length: 600,
|
||||||
|
optional: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
@ -196,8 +204,9 @@ pub fn change_passphrase(
|
||||||
pub fn create_key(
|
pub fn create_key(
|
||||||
kdf: Option<Kdf>,
|
kdf: Option<Kdf>,
|
||||||
password: String,
|
password: String,
|
||||||
hint: String,
|
hint: Option<String>,
|
||||||
_rpcenv: &mut dyn RpcEnvironment,
|
key: Option<String>,
|
||||||
|
_rpcenv: &mut dyn RpcEnvironment
|
||||||
) -> Result<Fingerprint, Error> {
|
) -> Result<Fingerprint, Error> {
|
||||||
let kdf = kdf.unwrap_or_default();
|
let kdf = kdf.unwrap_or_default();
|
||||||
|
|
||||||
|
|
@ -207,13 +216,33 @@ pub fn create_key(
|
||||||
format_err!("Please specify a key derivation function (none is not allowed here).")
|
format_err!("Please specify a key derivation function (none is not allowed here).")
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
if hint.is_none() && key.is_none() {
|
||||||
|
param_bail!(
|
||||||
|
"hint",
|
||||||
|
format_err!("Please specify either a hint or a key")
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
let (key, mut key_config) = KeyConfig::new(password.as_bytes(), kdf)?;
|
let (key_decrypt, mut key_config, fingerprint) = match key {
|
||||||
key_config.hint = Some(hint);
|
Some(key) => {
|
||||||
|
let key_config: KeyConfig =
|
||||||
|
serde_json::from_str(&key).map_err(|err| format_err!("<errmsg>: {}", err))?;
|
||||||
|
let password_fn = || Ok(password.as_bytes().to_vec());
|
||||||
|
let (key_decrypt, _created, fingerprint) = key_config.decrypt(&password_fn)?;
|
||||||
|
(key_decrypt, key_config, fingerprint)
|
||||||
|
}
|
||||||
|
None => {
|
||||||
|
let (key_decrypt, key_config) = KeyConfig::new(password.as_bytes(), kdf)?;
|
||||||
|
let fingerprint = key_config.fingerprint.clone().unwrap();
|
||||||
|
(key_decrypt, key_config, fingerprint)
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
let fingerprint = key_config.fingerprint.clone().unwrap();
|
if hint.is_some() {
|
||||||
|
key_config.hint = hint;
|
||||||
|
}
|
||||||
|
|
||||||
insert_key(key, key_config, false)?;
|
insert_key(key_decrypt, key_config, false)?;
|
||||||
|
|
||||||
Ok(fingerprint)
|
Ok(fingerprint)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,6 @@ use pbs_api_types::{
|
||||||
|
|
||||||
use pbs_api_types::{PRIV_TAPE_AUDIT, PRIV_TAPE_READ, PRIV_TAPE_WRITE};
|
use pbs_api_types::{PRIV_TAPE_AUDIT, PRIV_TAPE_READ, PRIV_TAPE_WRITE};
|
||||||
|
|
||||||
use pbs_config::key_config::KeyConfig;
|
|
||||||
use pbs_config::tape_encryption_keys::insert_key;
|
use pbs_config::tape_encryption_keys::insert_key;
|
||||||
use pbs_config::CachedUserInfo;
|
use pbs_config::CachedUserInfo;
|
||||||
use pbs_tape::{
|
use pbs_tape::{
|
||||||
|
|
@ -610,18 +609,10 @@ fn write_media_label(
|
||||||
drive: {
|
drive: {
|
||||||
schema: DRIVE_NAME_SCHEMA,
|
schema: DRIVE_NAME_SCHEMA,
|
||||||
//description: "Restore the key from this drive the (encrypted) key was saved on.",
|
//description: "Restore the key from this drive the (encrypted) key was saved on.",
|
||||||
optional: true,
|
|
||||||
},
|
},
|
||||||
password: {
|
password: {
|
||||||
description: "The password the key was encrypted with.",
|
description: "The password the key was encrypted with.",
|
||||||
},
|
},
|
||||||
key: {
|
|
||||||
description: "Restore the key from this JSON string. Clashes with drive.",
|
|
||||||
type: String,
|
|
||||||
min_length: 300,
|
|
||||||
max_length: 600,
|
|
||||||
optional: true,
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
|
|
@ -630,40 +621,26 @@ fn write_media_label(
|
||||||
)]
|
)]
|
||||||
/// Try to restore a tape encryption key
|
/// Try to restore a tape encryption key
|
||||||
pub async fn restore_key(
|
pub async fn restore_key(
|
||||||
drive: Option<String>,
|
drive: String,
|
||||||
password: String,
|
password: String,
|
||||||
key: Option<String>,
|
|
||||||
) -> Result<(), Error> {
|
) -> Result<(), Error> {
|
||||||
if drive.is_some() && key.is_some() {
|
|
||||||
bail!("cannot have both 'drive' and 'key' parameter set!");
|
|
||||||
} else if !drive.is_some() && !key.is_some() {
|
|
||||||
bail!("one of either 'drive' or 'key' parameter must be set!");
|
|
||||||
}
|
|
||||||
|
|
||||||
if let Some(drive) = drive {
|
run_drive_blocking_task(drive.clone(), "restore key".to_string(), move |config| {
|
||||||
run_drive_blocking_task(drive.clone(), "restore key".to_string(), move |config| {
|
let mut drive = open_drive(&config, &drive)?;
|
||||||
let mut drive = open_drive(&config, &drive)?;
|
|
||||||
|
|
||||||
let (_media_id, key_config) = drive.read_label()?;
|
let (_media_id, key_config) = drive.read_label()?;
|
||||||
|
|
||||||
if let Some(key_config) = key_config {
|
if let Some(key_config) = key_config {
|
||||||
let password_fn = || Ok(password.as_bytes().to_vec());
|
let password_fn = || Ok(password.as_bytes().to_vec());
|
||||||
let (key, ..) = key_config.decrypt(&password_fn)?;
|
let (key, ..) = key_config.decrypt(&password_fn)?;
|
||||||
insert_key(key, key_config, true)?;
|
insert_key(key, key_config, true)?;
|
||||||
} else {
|
} else {
|
||||||
bail!("media does not contain any encryption key configuration");
|
bail!("media does not contain any encryption key configuration");
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
})
|
})
|
||||||
.await?;
|
.await?;
|
||||||
} else if let Some(key) = key {
|
|
||||||
let key_config: KeyConfig =
|
|
||||||
serde_json::from_str(&key).map_err(|err| format_err!("<errmsg>: {}", err))?;
|
|
||||||
let password_fn = || Ok(password.as_bytes().to_vec());
|
|
||||||
let (key, ..) = key_config.decrypt(&password_fn)?;
|
|
||||||
insert_key(key, key_config, false)?;
|
|
||||||
}
|
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -247,12 +247,19 @@ async fn restore_key(
|
||||||
|
|
||||||
let password = tty::read_password("Tape Encryption Key Password: ")?;
|
let password = tty::read_password("Tape Encryption Key Password: ")?;
|
||||||
param["password"] = String::from_utf8(password)?.into();
|
param["password"] = String::from_utf8(password)?.into();
|
||||||
|
if drive_passed {
|
||||||
let info = &api2::tape::drive::API_METHOD_RESTORE_KEY;
|
let info = &api2::tape::drive::API_METHOD_RESTORE_KEY;
|
||||||
match info.handler {
|
match info.handler {
|
||||||
ApiHandler::Async(handler) => (handler)(param, info, rpcenv).await?,
|
ApiHandler::Async(handler) => (handler)(param, info, rpcenv).await?,
|
||||||
_ => unreachable!(),
|
_ => unreachable!(),
|
||||||
};
|
};
|
||||||
|
} else {
|
||||||
|
let info = &api2::config::tape_encryption_keys::API_METHOD_CREATE_KEY;
|
||||||
|
match info.handler {
|
||||||
|
ApiHandler::Sync(handler) => (handler)(param, info, rpcenv)?,
|
||||||
|
_ => unreachable!(),
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue