mirror of
https://github.com/borgbackup/borg.git
synced 2025-03-09 13:53:09 +00:00
upgrade --check-tam: check manifest TAM auth issues
exit with rc=1 if there are issues.
This commit is contained in:
Thomas Waldmann
parent
69a4ea7682
commit
262d6109a9
1 changed files with 39 additions and 20 deletions
|
|
@ -1610,7 +1610,7 @@ class Archiver:
|
||||||
str(cache),
|
str(cache),
|
||||||
DASHES, logger=logging.getLogger('borg.output.stats'))
|
DASHES, logger=logging.getLogger('borg.output.stats'))
|
||||||
|
|
||||||
@with_repository(fake=('tam', 'disable_tam', 'archives_tam', 'check_archives_tam'), invert_fake=True, manifest=False, exclusive=True)
|
@with_repository(fake=('tam', 'check_tam', 'disable_tam', 'archives_tam', 'check_archives_tam'), invert_fake=True, manifest=False, exclusive=True)
|
||||||
def do_upgrade(self, args, repository, manifest=None, key=None):
|
def do_upgrade(self, args, repository, manifest=None, key=None):
|
||||||
"""upgrade a repository from a previous version"""
|
"""upgrade a repository from a previous version"""
|
||||||
if args.archives_tam or args.check_archives_tam:
|
if args.archives_tam or args.check_archives_tam:
|
||||||
|
|
@ -1656,25 +1656,42 @@ class Archiver:
|
||||||
self.print_warning(f"Found {archive_tam_issues} archives with TAM issues!")
|
self.print_warning(f"Found {archive_tam_issues} archives with TAM issues!")
|
||||||
else:
|
else:
|
||||||
print("All archives are TAM authenticated.")
|
print("All archives are TAM authenticated.")
|
||||||
elif args.tam:
|
elif args.tam or args.check_tam:
|
||||||
manifest, key = Manifest.load(repository, (Manifest.Operation.CHECK,), force_tam_not_required=args.force)
|
with ignore_invalid_archive_tam():
|
||||||
if not manifest.tam_verified or not manifest.config.get(b'tam_required', False):
|
manifest_tam_issues = 0
|
||||||
print('Manifest contents:')
|
read_only = args.check_tam
|
||||||
for archive_info in manifest.archives.list(sort_by=['ts']):
|
manifest, key = Manifest.load(repository, (Manifest.Operation.CHECK,), force_tam_not_required=args.force)
|
||||||
print(format_archive(archive_info))
|
if not manifest.tam_verified or not manifest.config.get(b'tam_required', False):
|
||||||
manifest.config[b'tam_required'] = True
|
if not read_only:
|
||||||
manifest.write()
|
print('Manifest contents:')
|
||||||
repository.commit(compact=False)
|
for archive_info in manifest.archives.list(sort_by=['ts']):
|
||||||
if not key.tam_required and hasattr(key, 'change_passphrase'):
|
print(format_archive(archive_info))
|
||||||
key.tam_required = True
|
manifest.config[b'tam_required'] = True
|
||||||
key.change_passphrase(key._passphrase)
|
manifest.write()
|
||||||
print('Key updated')
|
repository.commit(compact=False)
|
||||||
if hasattr(key, 'find_key'):
|
else:
|
||||||
print('Key location:', key.find_key())
|
manifest_tam_issues += 1
|
||||||
if not tam_required(repository):
|
self.print_warning("Repository Manifest is not TAM verified or a TAM is not required!")
|
||||||
tam_file = tam_required_file(repository)
|
if not key.tam_required and hasattr(key, 'change_passphrase'):
|
||||||
open(tam_file, 'w').close()
|
if not read_only:
|
||||||
print('Updated security database')
|
key.tam_required = True
|
||||||
|
key.change_passphrase(key._passphrase)
|
||||||
|
print('Key updated')
|
||||||
|
if hasattr(key, 'find_key'):
|
||||||
|
print('Key location:', key.find_key())
|
||||||
|
else:
|
||||||
|
manifest_tam_issues += 1
|
||||||
|
self.print_warning("Key does not require TAM authentication!")
|
||||||
|
if not tam_required(repository):
|
||||||
|
if not read_only:
|
||||||
|
tam_file = tam_required_file(repository)
|
||||||
|
open(tam_file, 'w').close()
|
||||||
|
print('Updated security database')
|
||||||
|
else:
|
||||||
|
manifest_tam_issues += 1
|
||||||
|
self.print_warning("Client-side security database does not require a TAM!")
|
||||||
|
if read_only and manifest_tam_issues == 0:
|
||||||
|
print("Manifest authentication setup OK for this client and this repository.")
|
||||||
elif args.disable_tam:
|
elif args.disable_tam:
|
||||||
manifest, key = Manifest.load(repository, Manifest.NO_OPERATION_CHECK, force_tam_not_required=True)
|
manifest, key = Manifest.load(repository, Manifest.NO_OPERATION_CHECK, force_tam_not_required=True)
|
||||||
if tam_required(repository):
|
if tam_required(repository):
|
||||||
|
|
@ -5004,6 +5021,8 @@ class Archiver:
|
||||||
help='Force upgrade')
|
help='Force upgrade')
|
||||||
subparser.add_argument('--tam', dest='tam', action='store_true',
|
subparser.add_argument('--tam', dest='tam', action='store_true',
|
||||||
help='Enable manifest authentication (in key and cache) (Borg 1.0.9 and later).')
|
help='Enable manifest authentication (in key and cache) (Borg 1.0.9 and later).')
|
||||||
|
subparser.add_argument('--check-tam', dest='check_tam', action='store_true',
|
||||||
|
help='check manifest authentication (in key and cache).')
|
||||||
subparser.add_argument('--disable-tam', dest='disable_tam', action='store_true',
|
subparser.add_argument('--disable-tam', dest='disable_tam', action='store_true',
|
||||||
help='Disable manifest authentication (in key and cache).')
|
help='Disable manifest authentication (in key and cache).')
|
||||||
subparser.add_argument('--check-archives-tam', dest='check_archives_tam', action='store_true',
|
subparser.add_argument('--check-archives-tam', dest='check_archives_tam', action='store_true',
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue