manager: check if offline subscription is for the correct product

previously when an offline key was set it wasn't verified that the
subscription was for the correct product. while pom only applies
subscriptions for the corresponding products, a user could manually
invoke the `subscription set-offline-key` command to circumvent that.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
Stefan Sterz 2023-11-09 16:34:03 +01:00 committed by Fabian Grünbichler
parent 2711e94e3a
commit ad97a7a1aa
3 changed files with 10 additions and 4 deletions


@ -76,7 +76,7 @@ proxmox-section-config = "2"
proxmox-serde = "0.1.1"
proxmox-shared-memory = "0.3.0"
proxmox-sortable-macro = "0.1.2"
proxmox-subscription = { version = "0.4", features = [ "api-types" ] }
proxmox-subscription = { version = "0.4.2", features = [ "api-types" ] }
proxmox-sys = "0.5.0"
proxmox-tfa = { version = "4.0.4", features = [ "api", "api-types" ] }
proxmox-time = "1.1.2"

4
debian/control vendored

@ -85,8 +85,8 @@ Build-Depends: bash-completion,
librust-proxmox-serde-0.1+serde-json-dev (>= 0.1.1-~~),
librust-proxmox-shared-memory-0.3+default-dev,
librust-proxmox-sortable-macro-0.1+default-dev (>= 0.1.2-~~),
librust-proxmox-subscription-0.4+api-types-dev,
librust-proxmox-subscription-0.4+default-dev,
librust-proxmox-subscription-0.4+api-types-dev (>= 0.4.2-~~),
librust-proxmox-subscription-0.4+default-dev (>= 0.4.2-~~),
librust-proxmox-sys-0.5+acl-dev,
librust-proxmox-sys-0.5+crypt-dev,
librust-proxmox-sys-0.5+default-dev,


@ -3,7 +3,7 @@ use serde_json::Value;
use proxmox_router::{cli::*, ApiHandler, RpcEnvironment};
use proxmox_schema::api;
use proxmox_subscription::SubscriptionInfo;
use proxmox_subscription::{ProductType, SubscriptionInfo};
use proxmox_backup::api2::{self, node::subscription::subscription_file_opts};
@ -51,6 +51,12 @@ pub fn set_offline_subscription_key(data: String) -> Result<(), Error> {
if !info.is_signed() {
bail!("Offline subscription key must be signed!");
}
let product_type = info.get_product_type()?;
if product_type != ProductType::Pbs {
bail!("Subscription is not a PBS subscription ({product_type})!");
}
info.check_signature(&[proxmox_subscription::files::DEFAULT_SIGNING_KEY]);
info.check_age(false);
info.check_server_id();
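Review bot: The new product-type check in `set_offline_subscription_key` runs before `info.check_signature(...)`, so `product_type` (including the value echoed in the error message) is read from key data whose signature has not been verified yet; judging by its name, `is_signed()` only tests that a signature is present. That ordering is fine for rejecting a wrong-product key early, but it deserves a comment above the check, e.g. `// policy gate only: product type is read from not-yet-verified data; authenticity is established by check_signature() below`. The results of the three `check_*` calls are not inspected in the visible lines and the function starts and continues outside the hunk, so whether a failed signature actually prevents the key from being stored cannot be confirmed from here. A test that feeds a signed non-PBS key and expects the `bail!` would pin the behaviour this commit adds.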