From b676dbce78854e87f59228c017b45d34415e32ff Mon Sep 17 00:00:00 2001 From: Markus Frank Date: Thu, 24 Mar 2022 12:49:30 +0100 Subject: [PATCH] fix #3854 paperkey import to proxmox-tape added a parameter to the cli for importing tape key via a json-parameter or via reading a exported paperkey-file or json-file. For this i also added a backupkey parameter to the api, but here it only accepts json. The cli interprets the parameter first as json-string, then json-file and last as paperkey-file. functionality: proxmox-tape key paperkey [fingerprint of existing key] > paperkey.backup proxmox-tape key restore --backupkey paperkey.backup # key from line above proxmox-tape key restore --backupkey paperkey.json # only the json proxmox-tape key restore --backupkey '{"kdf": {"Scrypt": ...' # json as string for importing the key as paperkey-file it is irrelevant, if the paperkey got exported as html or txt. Signed-off-by: Markus Frank --- src/api2/tape/drive.rs | 65 +++++++++++++++++++------- src/bin/proxmox_tape/encryption_key.rs | 59 +++++++++++++++++++++-- 2 files changed, 102 insertions(+), 22 deletions(-) diff --git a/src/api2/tape/drive.rs b/src/api2/tape/drive.rs index 526743f6..c79688ff 100644 --- a/src/api2/tape/drive.rs +++ b/src/api2/tape/drive.rs @@ -10,7 +10,7 @@ use proxmox_sys::sortable; use proxmox_router::{ list_subdirs_api_method, Permission, Router, RpcEnvironment, RpcEnvironmentType, SubdirMap, }; -use proxmox_schema::api; +use proxmox_schema::{api, param_bail}; use proxmox_section_config::SectionConfigData; use proxmox_uuid::Uuid; use proxmox_sys::{task_log, task_warn}; @@ -24,6 +24,8 @@ use pbs_api_types::{ use pbs_api_types::{PRIV_TAPE_AUDIT, PRIV_TAPE_READ, PRIV_TAPE_WRITE}; use pbs_config::CachedUserInfo; +use pbs_config::key_config::KeyConfig; +use pbs_config::tape_encryption_keys::insert_key; use pbs_tape::{ BlockReadError, sg_tape::tape_alert_flags_critical, @@ -607,10 +609,18 @@ fn write_media_label( properties: { drive: { schema: DRIVE_NAME_SCHEMA, + optional: true, }, password: { description: "Encryption key password.", }, + backupkey: { + description: "A previously exported paperkey in JSON format.", + type: String, + min_length: 300, + max_length: 600, + optional: true, + }, }, }, access: { @@ -619,29 +629,48 @@ fn write_media_label( )] /// Try to restore a tape encryption key pub async fn restore_key( - drive: String, + drive: Option, password: String, + backupkey: Option, ) -> Result<(), Error> { - run_drive_blocking_task( - drive.clone(), - "restore key".to_string(), - move |config| { - let mut drive = open_drive(&config, &drive)?; - let (_media_id, key_config) = drive.read_label()?; + if (drive.is_none() && backupkey.is_none()) || (drive.is_some() && backupkey.is_some()) { + param_bail!( + "drive", + format_err!("Please specify either a valid drive name or a backupkey") + ); + } - if let Some(key_config) = key_config { - let password_fn = || { Ok(password.as_bytes().to_vec()) }; - let (key, ..) = key_config.decrypt(&password_fn)?; - pbs_config::tape_encryption_keys::insert_key(key, key_config, true)?; - } else { - bail!("media does not contain any encryption key configuration"); + if let Some(drive) = drive { + run_drive_blocking_task( + drive.clone(), + "restore key".to_string(), + move |config| { + let mut drive = open_drive(&config, &drive)?; + + let (_media_id, key_config) = drive.read_label()?; + + if let Some(key_config) = key_config { + let password_fn = || { Ok(password.as_bytes().to_vec()) }; + let (key, ..) = key_config.decrypt(&password_fn)?; + insert_key(key, key_config, true)?; + } else { + bail!("media does not contain any encryption key configuration"); + } + + Ok(()) } + ) + .await?; + }else if let Some(backupkey) = backupkey { + let key_config: KeyConfig = + serde_json::from_str(&backupkey).map_err(|err| format_err!(": {}", err))?; + let password_fn = || Ok(password.as_bytes().to_vec()); + let (key, ..) = key_config.decrypt(&password_fn)?; + insert_key(key, key_config, false)?; + } - Ok(()) - } - ) - .await + Ok(()) } #[api( diff --git a/src/bin/proxmox_tape/encryption_key.rs b/src/bin/proxmox_tape/encryption_key.rs index 71df9ffa..471a6349 100644 --- a/src/bin/proxmox_tape/encryption_key.rs +++ b/src/bin/proxmox_tape/encryption_key.rs @@ -1,8 +1,8 @@ -use anyhow::{bail, Error}; +use anyhow::{bail, format_err, Error}; use serde_json::Value; use proxmox_router::{cli::*, ApiHandler, RpcEnvironment}; -use proxmox_schema::api; +use proxmox_schema::{api, param_bail}; use proxmox_sys::linux::tty; use pbs_api_types::{ @@ -12,6 +12,7 @@ use pbs_api_types::{ use pbs_datastore::paperkey::{PaperkeyFormat, generate_paper_key}; use pbs_config::tape_encryption_keys::{load_key_configs,complete_key_fingerprint}; +use pbs_config::key_config::KeyConfig; use proxmox_backup::api2; @@ -186,6 +187,9 @@ fn change_passphrase( Ok(()) } +pub const BEGIN_MARKER: &str = "-----BEGIN PROXMOX BACKUP KEY-----"; +pub const END_MARKER: &str = "-----END PROXMOX BACKUP KEY-----"; + #[api( input: { properties: { @@ -193,23 +197,70 @@ fn change_passphrase( schema: DRIVE_NAME_SCHEMA, optional: true, }, + "backupkey": { + description: "Importing a previously exported backupkey with either an exported paperkey-file, json-string or a json-file", + type: String, + optional: true, + }, }, }, )] /// Restore encryption key from tape (read password from stdin) async fn restore_key( mut param: Value, + backupkey: Option, rpcenv: &mut dyn RpcEnvironment, ) -> Result<(), Error> { let (config, _digest) = pbs_config::drive::config()?; - param["drive"] = crate::extract_drive_name(&mut param, &config)?.into(); + + let drive = crate::extract_drive_name(&mut param, &config); if !tty::stdin_isatty() { bail!("no password input mechanism available"); } - let password = tty::read_password("Tepe Encryption Key Password: ")?; + if (drive.is_err() && backupkey.is_none()) || (drive.is_ok() && backupkey.is_some()) { + param_bail!( + "drive", + format_err!("Please specify either a valid drive name or a backupkey") + ); + } + + if drive.is_ok() { + param["drive"] = drive.unwrap().into(); + } + + if let Some(backupkey) = backupkey { + if serde_json::from_str::(&backupkey).is_ok() { + // json as Parameter + println!("backupkey to import: {}", backupkey); + param["backupkey"] = backupkey.into(); + } else { + println!("backupkey is not a valid json. Interpreting Parameter as a filename"); + let data = proxmox_sys::fs::file_read_string(backupkey)?; + if serde_json::from_str::(&data).is_ok() { + // standalone json-file + println!("backupkey to import: {}", data); + param["backupkey"] = data.into(); + } else { + // exported paperkey-file + let start = data + .find(BEGIN_MARKER) + .ok_or_else(|| format_err!("cannot find key start marker"))? + + BEGIN_MARKER.len(); + let data_remain = &data[start..]; + let end = data_remain + .find(END_MARKER) + .ok_or_else(|| format_err!("cannot find key end marker below start marker"))?; + let backupkey_extract = &data_remain[..end]; + println!("backupkey to import: {}", backupkey_extract); + param["backupkey"] = backupkey_extract.into(); + } + } + } + + let password = tty::read_password("Tape Encryption Key Password: ")?; param["password"] = String::from_utf8(password)?.into(); let info = &api2::tape::drive::API_METHOD_RESTORE_KEY;