Commit Graph

4304 Commits

Author SHA1 Message Date
Dietmar Maurer
8ca37d6a65 cleanup: factor out decrypt_key_config 2021-01-19 11:20:07 +01:00
Thomas Lamprecht
ac163a7c18 ui: tfa/totp: fix setting issuer in secret URL
it's recommended to set the issuer for both, the get parameter and
the initial issuer label prefix[0].

[0]: https://github.com/google/google-authenticator/wiki/Key-Uri-Format#label

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-18 16:27:02 +01:00
Wolfgang Bumiller
9b6bddb24c tfa: remove/empty description for recovery keys
While the user chosen description is not allowed to be
empty, we do leave it empty for recovery keys, as a "dummy
description" makes little sense...

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-01-18 15:20:39 +01:00
Thomas Lamprecht
f57ae48286 ui: tfa: fix ctime column width
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-18 14:31:15 +01:00
Wolfgang Bumiller
4cbd7eb7f9 gui: tfa: make description fill the remaining space
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-01-18 14:06:12 +01:00
Wolfgang Bumiller
310686726a gui: tfa: show when entries were created
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-01-18 14:06:12 +01:00
Wolfgang Bumiller
ad5cee1d22 tfa: add 'created' timestamp to entries
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-01-18 14:06:12 +01:00
Oguz Bektas
bad6e32075 docs: fix typo in client manpage
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
2021-01-18 13:52:11 +01:00
Wolfgang Bumiller
8ae6d28cd4 gui: enumerate recovery keys and list in 2nd factor window
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-01-18 13:51:23 +01:00
Wolfgang Bumiller
ca1060862e tfa: remember recovery indices
and tell the client which keys are still available rather
than just yes/no/low

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-01-18 13:51:23 +01:00
Dietmar Maurer
8a0046f519 tape: implement encrypted backup - simple version
This is just a proof of concept, only storing the encryption key fingerprint
inside the media-set label.
2021-01-18 13:38:22 +01:00
Dietmar Maurer
84cbdb35c4 implement FromStr for Fingerprint 2021-01-18 13:38:22 +01:00
Dietmar Maurer
1e93fbb5c1 tape: add encrypt property to media pool configuration 2021-01-18 13:38:22 +01:00
Dietmar Maurer
619554af2b tape: clear encryption key before writing labels
We always write labels unencrypted.
2021-01-18 13:38:22 +01:00
Dietmar Maurer
d5a48b5ce4 tape: add hardware encryption key managenent api 2021-01-18 13:38:22 +01:00
Thomas Lamprecht
4e9cc3e97c ui: tfa: fix title for removal confirmation
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-18 13:28:02 +01:00
Thomas Lamprecht
492bc2ba63 ui: tfa/recovery: add print button to key info window
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-18 10:45:47 +01:00
Thomas Lamprecht
995492100a ui: tfa/recovery: fix copy button text, add icon
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-18 10:45:28 +01:00
Thomas Lamprecht
854319d88c ui: tfa/recovery: disallow to close key info window with ESC
to avoid accidental closing it

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-18 10:44:40 +01:00
Thomas Lamprecht
3189d05134 ui: tfa: specify which confirmation password is required
Clarify that the password of the user one wants to add TFA too is
required, which is not necessarily the one of the current logged in
user. Use an empty text for that.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-18 10:12:23 +01:00
Thomas Lamprecht
b2a43b987c ui: tfa totp: whitespace and padding fix
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-18 10:10:16 +01:00
Thomas Lamprecht
6676409f7f ui: access: stream line add/edit/.. button order and separators
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-18 09:33:29 +01:00
Fabian Grünbichler
44de5bcc00 pull: add error context for initial group list call
otherwise the user is confronted with a generic error like "permission
check failed" with no indication that it refers to a request made to the
remote PBS instance..

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-18 06:51:05 +01:00
Fabian Grünbichler
e2956c605d pull: rustfmt
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-18 06:50:23 +01:00
Dietmar Maurer
b22b6c2299 tape: encryption scsi command cleanup 2021-01-16 18:24:04 +01:00
Dietmar Maurer
90950c9c20 tape: add scsi commands to control drive hardware encryption 2021-01-16 15:59:05 +01:00
Dietmar Maurer
0c5b9e7820 tape: sgutils2.rs - add do_out_command()
Make it possible to run commands that writes data.
2021-01-16 15:59:05 +01:00
Thomas Lamprecht
a9ffa010c8 ui: webauthn config: set default values for unconfigured case
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-15 16:25:47 +01:00
Thomas Lamprecht
a6a903293b ui: webauthn config: use ID instead of Id/id
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-15 16:25:26 +01:00
Wolfgang Bumiller
3fffcb5d77 gui: tfa configuration
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-01-15 15:19:52 +01:00
Wolfgang Bumiller
a670b99db1 tfa: add webauthn configuration API entry points
Currently there's not yet a node config and the WA config is
somewhat "tightly coupled" to the user entries in that
changing it can lock them all out, so for now I opted for
fewer reorganization and just use a digest of the
canonicalized config here, and keep it all in the tfa.json
file.

Experimentally using the flatten feature on the methods with
an`Updater` struct similar to what the api macro is supposed
to be able to derive on its own in the future.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-01-15 15:19:52 +01:00
Wolfgang Bumiller
aefd74197a bakckup::manifest: use tools::json for canonical representation
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-01-15 15:19:52 +01:00
Wolfgang Bumiller
9ff747ef50 add tools::json for canonical json generation
moving this from backup::manifest, no functional changes

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-01-15 15:19:52 +01:00
Dietmar Maurer
a08a198577 tape: do not abort backup if tape drive does not support tape-alert-flags 2021-01-15 11:43:17 +01:00
Dietmar Maurer
4cfb123448 tape: update restore docu 2021-01-15 09:44:46 +01:00
Thomas Lamprecht
198ebc6c86 d/rules: patch out wrongly linked libraries from ELFs
this is a HACK!

It seems that due to lots of binaries getting compiled from a single
crate the compiler is confused when linking in dependencies to each
binaries ELF.

It picks up the combined set (union) of all dependencies and sets
those to every ELF. This results in the client, for example, linking
to libapt-pkg or libsystemd even if none of that symbols are used..

This could be possibly fixed by restructuring the source tree into
sub crates/workspaces or what not, not really tested and *lots* of
work.

So as stop gap measure use `ldd -u` to find out unused linkage and
remove them using `patchelf`.

While this works well, and seems to not interfere with any debug
symbol usage or other usage in general it still is a hack and should
be dropped once the restructuring of the source tree has shown to
bring similar effects.

This allows for much easier re-use of the generated client .deb
package on other Debian derivaties (e.g., Ubuntu) which got blocked
until now due to wrong libt-apt verison or the like.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-15 08:52:53 +01:00
Thomas Lamprecht
a8abcd9b30 debian/control: set VCS urls
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-15 08:52:53 +01:00
Thomas Lamprecht
b7469f5a9a d/control: sort and fix whitespace errors
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-01-15 08:52:53 +01:00
Oguz Bektas
6bbe49aa14 access: restrict password changes on @pam realm to superuser
for behavior consistency with `update_user`

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
2021-01-15 08:49:22 +01:00
Oguz Bektas
5aa1019010 access: limit editing pam credentials to superuser
modifying @pam users credentials should be only possible for root@pam,
otherwise it can have unintended consequences.

also enforce the same limit on user creation (except self_service check,
since it makes no sense during user creation)

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
2021-01-15 08:49:22 +01:00
Fabian Grünbichler
29a59b380c proxmox 0.10: adapt to moved ParameterSchema
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-14 16:01:33 +01:00
Fabian Grünbichler
0bfcea6a11 cleanup: remove unnecessary 'mut' and '.clone()'
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-14 16:01:33 +01:00
Fabian Grünbichler
19f5aa252f examples: unify h2 examples
update them to the new tokio-openssl API and remove socket buffer size
setting - it was removed from the TcpStream API, and is now only
available via TcpSocket (which can in turn be converted to a
TcpListener), but this is not needed for this example.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-14 16:01:33 +01:00
Fabian Grünbichler
89e9134a3f hyper: use new hyper::upgrade
the old Body::on_upgrade method is no more

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-14 16:01:33 +01:00
Fabian Grünbichler
b5a202acb6 tokio 1.0: update to new Signal interface
Signal does not yet re-implement Stream (and is not yet wrapped in
tokio-stream either).

see https://github.com/tokio-rs/tokio/pull/3383

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-14 16:01:33 +01:00
Fabian Grünbichler
0f860f712f tokio 1.0: update to new tokio-openssl interface
connect/accept are now happening on pinned SslStreams

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-14 16:01:33 +01:00
Fabian Grünbichler
7c66701366 tokio 1.0: use ReceiverStream from tokio-stream
to wrap a Receiver in a Stream. this will likely move back into tokio
proper once we have a std Stream..

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-14 16:01:33 +01:00
Fabian Grünbichler
585e90c0de tokio: adapt to 1.0 process:Child changes
Child itself is no longer a Future, but it has a new wait() async fn
that does the same thing

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-14 16:01:33 +01:00
Fabian Grünbichler
5c852d5b82 tokio: adapt to 1.0 runtime changes
enter() now returns a guard, and the builder got revamped to make the
choice between MT and current thread explicit.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-14 16:01:33 +01:00
Fabian Grünbichler
484172b5f8 tokio 1.0: AsyncRead/Seek with ReadBuf
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-01-14 16:01:33 +01:00