[pmg-devel] [PATCH pmg-api v3 1/2] api: document that fingerprints are a SHA 256
Maximiliano Sandoval
m.sandoval at proxmox.com
Mon Nov 18 14:20:20 CET 2024
Stoiko Ivanov <s.ivanov at proxmox.com> writes:
> Thanks for the patches!
>
> On Mon, 11 Nov 2024 10:32:30 +0100
> Maximiliano Sandoval <m.sandoval at proxmox.com> wrote:
>
>> We use the description from the standard option 'fingerprint-sha256'.
>> The option itself cannot be used as the regex allows lowercase
>> characters which don't work here.
> It would really help to get a bit more information about what exactly did
> not work, and what you tested to come to that conclusion.
I tested replacing a single character in the fingerprint with a
lowercase character and the web UI stopped working completely.
Refreshing the tab would send me back to a login screen on which it was
not possible to log in.
> As I'm quite in favor of reusing our standard-options where possible
> I gave your v2 a spin to find out what might not work - from a quick
> glance (w/o testing everything possible) - the following diff should cover
> most issues:
>
> ```
> diff --git a/src/PMG/CLI/pmgcm.pm b/src/PMG/CLI/pmgcm.pm
> index 699089e..c55ef92 100644
> --- a/src/PMG/CLI/pmgcm.pm
> +++ b/src/PMG/CLI/pmgcm.pm
> @@ -194,7 +194,7 @@ __PACKAGE__->register_method({
> };
> if ($param->{fingerprint}) {
> $setup->{cached_fingerprints} = {
> - $param->{fingerprint} => 1,
> + uc($param->{fingerprint}) => 1,
> };
> } else {
> # allow manual fingerprint verification
> diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm
> index 17ba44d..789746f 100644
> --- a/src/PMG/Cluster.pm
> +++ b/src/PMG/Cluster.pm
> @@ -148,7 +148,7 @@ sub update_cert_cache {
>
> foreach my $entry (values %{$cinfo->{ids}}) {
> my $node = $entry->{name};
> - my $fp = $entry->{fingerprint};
> + my $fp = uc($entry->{fingerprint});
> if ($node && $fp) {
> $cert_cache_fingerprints->{$fp} = 1;
> $cert_cache_nodes->{$node} = $fp;
> @@ -179,7 +179,7 @@ sub check_cert_fingerprint {
>
> my $check = sub {
> for my $expected (keys %$cert_cache_fingerprints) {
> - return 1 if $fp eq $expected;
> + return 1 if uc($fp) eq $expected;
> }
> return 0;
> };
> diff --git a/src/PMG/ClusterConfig.pm b/src/PMG/ClusterConfig.pm
> index 491fede..e469ea9 100644
> --- a/src/PMG/ClusterConfig.pm
> +++ b/src/PMG/ClusterConfig.pm
> @@ -195,6 +195,7 @@ sub read_cluster_conf {
> $names_hash->{$d->{name}} = 1;
>
> $d->{cid} = $cid;
> + $d->{fingerprint} = uc($d->{fingerprint});
> $maxcid = $cid > $maxcid ? $cid : $maxcid;
> $maxcid = $d->{maxcid} if defined($d->{maxcid}) && $d->{maxcid} > $maxcid;
> $cinfo->{master} = $d if $d->{type} eq 'master';
>
> ```
>
> I tested:
> * installing this on a cluster-node where I manually changed the
> fingerprint to lower-case in /etc/pmg/cluster.conf
> * creating a cluster on the cli - but pasting the fingerprint-option in
> lower-case
> * changing the apicert (`pmgconfig apicert --force 1`), restarting
> pmgproxy and running `pmgcm update-fingerprints`)
I am not very comfortable adding a new state that might potential break
something that we did not test (or that it might break in the future)
for a feature that does not add anything for the end-user. I think it
makes more sense to simply document the current behavior.
> I also would rather not reuse the description of a standard-option for
> a slightly different copy of that option.
That is sensible, perhaps a different description could be used?
More information about the pmg-devel
mailing list