[pbs-devel] [PATCH backup v3 1/2] pbs-client: read credentials from $CREDENTIALS_DIRECTORY
Maximiliano Sandoval
m.sandoval at proxmox.com
Wed Mar 26 11:51:41 CET 2025
Allows to load credentials passed down by systemd. A possible use-case
is safely storing the server's password in a file encrypted by the
systems TPM, e.g. via
```
systemd-ask-password -n | systemd-creds encrypt --name=proxmox-backup-client.password - my-api-token.cred
```
which then can be used via
```
systemd-run --pipe --wait --property=LoadCredentialEncrypted=proxmox-backup-client.password:my-api-token.cred \
proxmox-backup-client ...
```
or from inside a service.
Signed-off-by: Maximiliano Sandoval <m.sandoval at proxmox.com>
---
Differences from v2:
- Rename credentials to `proxmox-backup-client.{encryption-,}password`
Differences from v1:
- Report errors on get_credential instead of returning None
- Make get_secret_from_env private
- Add a bit of logging
- Simplify helpers
pbs-client/src/tools/key_source.rs | 4 +-
pbs-client/src/tools/mod.rs | 80 +++++++++++++++++++++++++++++-
2 files changed, 80 insertions(+), 4 deletions(-)
diff --git a/pbs-client/src/tools/key_source.rs b/pbs-client/src/tools/key_source.rs
index 7968e0c2a..94b86e8b6 100644
--- a/pbs-client/src/tools/key_source.rs
+++ b/pbs-client/src/tools/key_source.rs
@@ -345,8 +345,8 @@ pub(crate) unsafe fn set_test_default_master_pubkey(value: Result<Option<Vec<u8>
pub fn get_encryption_key_password() -> Result<Vec<u8>, Error> {
// fixme: implement other input methods
- if let Some(password) = super::get_secret_from_env("PBS_ENCRYPTION_PASSWORD")? {
- return Ok(password.as_bytes().to_vec());
+ if let Some(password) = super::get_encryption_password()? {
+ return Ok(password);
}
// If we're on a TTY, query the user for a password
diff --git a/pbs-client/src/tools/mod.rs b/pbs-client/src/tools/mod.rs
index 8068dc004..d231ab567 100644
--- a/pbs-client/src/tools/mod.rs
+++ b/pbs-client/src/tools/mod.rs
@@ -28,6 +28,16 @@ pub mod key_source;
const ENV_VAR_PBS_FINGERPRINT: &str = "PBS_FINGERPRINT";
const ENV_VAR_PBS_PASSWORD: &str = "PBS_PASSWORD";
+const ENV_VAR_PBS_ENCRYPTION_PASSWORD: &str = "PBS_ENCRYPTION_PASSWORD";
+
+/// Directory with system [credential]s. See systemd-creds(1).
+///
+/// [credential]: https://systemd.io/CREDENTIALS/
+const ENV_VAR_CREDENTIALS_DIRECTORY: &str = "CREDENTIALS_DIRECTORY";
+/// Credential name of the encryption password.
+const CRED_PBS_ENCRYPTION_PASSWORD: &str = "proxmox-backup-client.encryption-password";
+/// Credential name of the the password.
+const CRED_PBS_PASSWORD: &str = "proxmox-backup-client.password";
pub const REPO_URL_SCHEMA: Schema = StringSchema::new("Repository URL.")
.format(&BACKUP_REPO_URL)
@@ -40,6 +50,30 @@ pub const CHUNK_SIZE_SCHEMA: Schema = IntegerSchema::new("Chunk size in KB. Must
.default(4096)
.schema();
+/// Retrieves a secret stored in a [credential] provided by systemd.
+///
+/// Returns `Ok(None)` if the credential does not exist.
+///
+/// [credential]: https://systemd.io/CREDENTIALS/
+fn get_credential(cred_name: &str) -> std::io::Result<Option<Vec<u8>>> {
+ let Some(creds_dir) = std::env::var_os(ENV_VAR_CREDENTIALS_DIRECTORY) else {
+ return Ok(None);
+ };
+ let path = std::path::Path::new(&creds_dir).join(cred_name);
+
+ proxmox_log::debug!("attempting to use credential {cred_name} from {creds_dir:?}",);
+ // We read the whole contents without a BufRead. As per systemd-creds(1):
+ // Credentials are limited-size binary or textual objects.
+ match std::fs::read(&path) {
+ Ok(bytes) => Ok(Some(bytes)),
+ Err(err) if err.kind() == std::io::ErrorKind::NotFound => {
+ proxmox_log::debug!("no {cred_name} credential found in {creds_dir:?}");
+ Ok(None)
+ }
+ Err(err) => Err(err),
+ }
+}
+
/// Helper to read a secret through a environment variable (ENV).
///
/// Tries the following variable names in order and returns the value
@@ -118,6 +152,48 @@ pub fn get_secret_from_env(base_name: &str) -> Result<Option<String>, Error> {
Ok(None)
}
+/// Gets the backup server's password.
+///
+/// Looks for a password in the `PBS_PASSWORD` environment variable, if there
+/// isn't one it reads the `proxmox-backup-client.password` [credential].
+///
+/// Returns `Ok(None)` if neither the environment variable or credentials are
+/// present.
+///
+/// [credential]: https://systemd.io/CREDENTIALS/
+pub fn get_password() -> Result<Option<String>, Error> {
+ if let Some(password) = get_secret_from_env(ENV_VAR_PBS_PASSWORD)? {
+ Ok(Some(password))
+ } else if let Some(password) = get_credential(CRED_PBS_PASSWORD)? {
+ String::from_utf8(password)
+ .map(Option::Some)
+ .map_err(|_err| format_err!("non-utf8 password credential"))
+ } else {
+ Ok(None)
+ }
+}
+
+/// Gets an encryption password.
+///
+///
+/// Looks for a password in the `PBS_ENCRYPTION_PASSWORD` environment variable,
+/// if there isn't one it reads the `proxmox-backup-client.encryption-password`
+/// [credential].
+///
+/// Returns `Ok(None)` if neither the environment variable or credentials are
+/// present.
+///
+/// [credential]: https://systemd.io/CREDENTIALS/
+pub fn get_encryption_password() -> Result<Option<Vec<u8>>, Error> {
+ if let Some(password) = get_secret_from_env(ENV_VAR_PBS_ENCRYPTION_PASSWORD)? {
+ Ok(Some(password.into_bytes()))
+ } else if let Some(password) = get_credential(CRED_PBS_ENCRYPTION_PASSWORD)? {
+ Ok(Some(password))
+ } else {
+ Ok(None)
+ }
+}
+
pub fn get_default_repository() -> Option<String> {
std::env::var("PBS_REPOSITORY").ok()
}
@@ -181,7 +257,7 @@ fn connect_do(
) -> Result<HttpClient, Error> {
let fingerprint = std::env::var(ENV_VAR_PBS_FINGERPRINT).ok();
- let password = get_secret_from_env(ENV_VAR_PBS_PASSWORD)?;
+ let password = get_password()?;
let options = HttpClientOptions::new_interactive(password, fingerprint).rate_limit(rate_limit);
HttpClient::new(server, port, auth_id, options)
@@ -190,7 +266,7 @@ fn connect_do(
/// like get, but simply ignore errors and return Null instead
pub async fn try_get(repo: &BackupRepository, url: &str) -> Value {
let fingerprint = std::env::var(ENV_VAR_PBS_FINGERPRINT).ok();
- let password = get_secret_from_env(ENV_VAR_PBS_PASSWORD).unwrap_or(None);
+ let password = get_password().unwrap_or(None);
// ticket cache, but no questions asked
let options = HttpClientOptions::new_interactive(password, fingerprint).interactive(false);
--
2.39.5
More information about the pbs-devel
mailing list