vzdump: pbs: factor out getting and checking encryption keys

factor the common checks for disk-less and "normal" backups out into
its own helper, avoiding code duplication and ensuring that the
messages and checks stay in sync.

The use sites for key and master key are a bit clearer, as it all
just depends on them being defined or not.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/PVE/VZDump/QemuServer.pm b/PVE/VZDump/QemuServer.pm
index d0d9240b8dd41e3020200bedb94cc76e7b597be3..b38d7e741d32b655dcc17f75deac704776859531 100644 (file)
--- a/PVE/VZDump/QemuServer.pm
+++ b/PVE/VZDump/QemuServer.pm
@@ -489,6 +489,41 @@ my sub add_backup_performance_options {
     }
 }
 
+sub get_and_check_pbs_encryption_config {
+    my ($self) = @_;
+
+    my $opts = $self->{vzdump}->{opts};
+    my $scfg = $opts->{scfg};
+
+    my $keyfile = PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, $opts->{storage});
+    my $master_keyfile = PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage});
+
+    if (-e $keyfile) {
+       if (-e $master_keyfile) {
+           $self->loginfo("enabling encryption with master key feature");
+           return ($keyfile, $master_keyfile);
+       } elsif ($scfg->{'master-pubkey'}) {
+           die "master public key configured but no key file found\n";
+       } else {
+           $self->loginfo("enabling encryption");
+           return ($keyfile, undef);
+       }
+    } else {
+       my $encryption_fp = $scfg->{'encryption-key'};
+       die "encryption configured ('$encryption_fp') but no encryption key file found!\n"
+           if $encryption_fp;
+       if (-e $master_keyfile) {
+           $self->log(
+               'warn',
+               "backup target storage is configured with master-key, but no encryption key set!"
+               ." Ignoring master key settings and creating unencrypted backup."
+           );
+       }
+       return (undef, undef);
+    }
+    die "internal error - unhandled case for getting & checking PBS encryption ($keyfile, $master_keyfile)!";
+}
+
 sub archive_pbs {
     my ($self, $task, $vmid) = @_;
 
@@ -503,8 +538,7 @@ sub archive_pbs {
     my $fingerprint = $scfg->{fingerprint};
     my $repo = PVE::PBSClient::get_repository($scfg);
     my $password = PVE::Storage::PBSPlugin::pbs_get_password($scfg, $opts->{storage});
-    my $keyfile = PVE::Storage::PBSPlugin::pbs_encryption_key_file_name($scfg, $opts->{storage});
-    my $master_keyfile = PVE::Storage::PBSPlugin::pbs_master_pubkey_file_name($scfg, $opts->{storage});
+    my ($keyfile, $master_keyfile) = $self->get_and_check_pbs_encryption_config();
 
     my $diskcount = scalar(@{$task->{disks}});
     # proxmox-backup-client can only handle raw files and block devs, so only use it (directly) for
@@ -525,28 +559,9 @@ sub archive_pbs {
        if (defined(my $ns = $scfg->{namespace})) {
            push @$cmd, '--ns', $ns;
        }
-       if (-e $keyfile) {
+       if (defined($keyfile)) {
            push @$cmd, '--keyfile', $keyfile;
-           if (-e $master_keyfile) {
-               $self->loginfo("enabling encryption with master key feature");
-               push @$cmd, '--master-pubkey-file', $master_keyfile;
-           } elsif ($scfg->{'master-pubkey'}) {
-               die "master public key configured but no key file found\n";
-           } else {
-               $self->loginfo("enabling client-side encryption");
-           }
-       } else {
-           my $encryption_fp = $scfg->{'encryption-key'};
-           die "encryption configured ('$encryption_fp') but no encryption key file found!\n"
-               if $encryption_fp;
-
-           if (-e $master_keyfile) {
-               $self->log(
-                   'warn',
-                   "backup target storage is configured with master-key, but no encryption key set!"
-                   ." Ignoring master key settings and creating unencrypted backup."
-               );
-           }
+           push @$cmd, '--master-pubkey-file', $master_keyfile if defined($master_keyfile);
        }
 
        push @$cmd, "qemu-server.conf:$conffile";
@@ -586,7 +601,7 @@ sub archive_pbs {
 
        # pve-qemu supports it since 5.2.0-1 (PVE 6.4), so safe to die since PVE 8
        die "master key configured but running QEMU version does not support master keys\n"
-           if !defined($qemu_support->{'pbs-masterkey'}) && -e $master_keyfile;
+           if !defined($qemu_support->{'pbs-masterkey'}) && defined($master_keyfile);
 
        $attach_tpmstate_drive->($self, $task, $vmid);
 
@@ -610,29 +625,11 @@ sub archive_pbs {
 
        $params->{fingerprint} = $fingerprint if defined($fingerprint);
        $params->{'firewall-file'} = $firewall if -e $firewall;
-       if (-e $keyfile) {
+
+       $params->{encrypt} = defined($keyfile) ? JSON::true : JSON::false;
+       if (defined($keyfile)) {
            $params->{keyfile} = $keyfile;
-           $params->{encrypt} = JSON::true;
-           if (-e $master_keyfile) {
-               $self->loginfo("enabling encryption with master key feature");
-               $params->{"master-keyfile"} = $master_keyfile;
-           } elsif ($scfg->{'master-pubkey'}) {
-               die "master public key configured but no key file found\n";
-           } else {
-               $self->loginfo("enabling encryption");
-           }
-       } else {
-           my $encryption_fp = $scfg->{'encryption-key'};
-           die "encryption configured ('$encryption_fp') but no encryption key file found!\n"
-               if $encryption_fp;
-           if (-e $master_keyfile) {
-               $self->log(
-                   'warn',
-                   "backup target storage is configured with master-key, but no encryption key set!"
-                   ." Ignoring master key settings and creating unencrypted backup."
-               );
-           }
-           $params->{encrypt} = JSON::false;
+           $params->{"master-keyfile"} = $master_keyfile if defined($master_keyfile);
        }
 
        my $is_template = PVE::QemuConfig->is_template($self->{vmlist}->{$vmid});