From 3234f5639d0725ab5f5f74affeef5ec93d0eb095 Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Thu, 6 Jul 2023 17:42:11 +0200 Subject: [PATCH] vzdump: pbs: factor out getting and checking encryption keys factor the common checks for disk-less and "normal" backups out into its own helper, avoiding code duplication and ensuring that the messages and checks stay in sync. The use sites for key and master key are a bit clearer, as it all just depends on them being defined or not. Signed-off-by: Thomas Lamprecht --- PVE/VZDump/QemuServer.pm | 89 +++++++++++++++++++--------------------- 1 file changed, 43 insertions(+), 46 deletions(-) diff --git a/PVE/VZDump/QemuServer.pm b/PVE/VZDump/QemuServer.pm index d0d9240b..b38d7e74 100644 --- a/PVE/VZDump/QemuServer.pm +++ b/PVE/VZDump/QemuServer.pm @@ -489,6 +489,41 @@ my sub add_backup_performance_options { } } +sub get_and_check_pbs_encryption_config { + my ($self) = @_; + + my $opts = $self->{vzdump}->{opts}; + my $scfg = $opts->{scfg}; + + my $keyfile = PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, $opts->{storage}); + my $master_keyfile = PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage}); + + if (-e $keyfile) { + if (-e $master_keyfile) { + $self->loginfo("enabling encryption with master key feature"); + return ($keyfile, $master_keyfile); + } elsif ($scfg->{'master-pubkey'}) { + die "master public key configured but no key file found\n"; + } else { + $self->loginfo("enabling encryption"); + return ($keyfile, undef); + } + } else { + my $encryption_fp = $scfg->{'encryption-key'}; + die "encryption configured ('$encryption_fp') but no encryption key file found!\n" + if $encryption_fp; + if (-e $master_keyfile) { + $self->log( + 'warn', + "backup target storage is configured with master-key, but no encryption key set!" + ." Ignoring master key settings and creating unencrypted backup." + ); + } + return (undef, undef); + } + die "internal error - unhandled case for getting & checking PBS encryption ($keyfile, $master_keyfile)!"; +} + sub archive_pbs { my ($self, $task, $vmid) = @_; @@ -503,8 +538,7 @@ sub archive_pbs { my $fingerprint = $scfg->{fingerprint}; my $repo = PVE::PBSClient::get_repository($scfg); my $password = PVE::Storage::PBSPlugin::pbs_get_password($scfg, $opts->{storage}); - my $keyfile = PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, $opts->{storage}); - my $master_keyfile = PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage}); + my ($keyfile, $master_keyfile) = $self->get_and_check_pbs_encryption_config(); my $diskcount = scalar(@{$task->{disks}}); # proxmox-backup-client can only handle raw files and block devs, so only use it (directly) for @@ -525,28 +559,9 @@ sub archive_pbs { if (defined(my $ns = $scfg->{namespace})) { push @$cmd, '--ns', $ns; } - if (-e $keyfile) { + if (defined($keyfile)) { push @$cmd, '--keyfile', $keyfile; - if (-e $master_keyfile) { - $self->loginfo("enabling encryption with master key feature"); - push @$cmd, '--master-pubkey-file', $master_keyfile; - } elsif ($scfg->{'master-pubkey'}) { - die "master public key configured but no key file found\n"; - } else { - $self->loginfo("enabling client-side encryption"); - } - } else { - my $encryption_fp = $scfg->{'encryption-key'}; - die "encryption configured ('$encryption_fp') but no encryption key file found!\n" - if $encryption_fp; - - if (-e $master_keyfile) { - $self->log( - 'warn', - "backup target storage is configured with master-key, but no encryption key set!" - ." Ignoring master key settings and creating unencrypted backup." - ); - } + push @$cmd, '--master-pubkey-file', $master_keyfile if defined($master_keyfile); } push @$cmd, "qemu-server.conf:$conffile"; @@ -586,7 +601,7 @@ sub archive_pbs { # pve-qemu supports it since 5.2.0-1 (PVE 6.4), so safe to die since PVE 8 die "master key configured but running QEMU version does not support master keys\n" - if !defined($qemu_support->{'pbs-masterkey'}) && -e $master_keyfile; + if !defined($qemu_support->{'pbs-masterkey'}) && defined($master_keyfile); $attach_tpmstate_drive->($self, $task, $vmid); @@ -610,29 +625,11 @@ sub archive_pbs { $params->{fingerprint} = $fingerprint if defined($fingerprint); $params->{'firewall-file'} = $firewall if -e $firewall; - if (-e $keyfile) { + + $params->{encrypt} = defined($keyfile) ? JSON::true : JSON::false; + if (defined($keyfile)) { $params->{keyfile} = $keyfile; - $params->{encrypt} = JSON::true; - if (-e $master_keyfile) { - $self->loginfo("enabling encryption with master key feature"); - $params->{"master-keyfile"} = $master_keyfile; - } elsif ($scfg->{'master-pubkey'}) { - die "master public key configured but no key file found\n"; - } else { - $self->loginfo("enabling encryption"); - } - } else { - my $encryption_fp = $scfg->{'encryption-key'}; - die "encryption configured ('$encryption_fp') but no encryption key file found!\n" - if $encryption_fp; - if (-e $master_keyfile) { - $self->log( - 'warn', - "backup target storage is configured with master-key, but no encryption key set!" - ." Ignoring master key settings and creating unencrypted backup." - ); - } - $params->{encrypt} = JSON::false; + $params->{"master-keyfile"} = $master_keyfile if defined($master_keyfile); } my $is_template = PVE::QemuConfig->is_template($self->{vmlist}->{$vmid});