From ad97a7a1aa4b6b302a6c3cba1c5c7b7f19a0151b Mon Sep 17 00:00:00 2001
From: Stefan Sterz
Date: Thu, 9 Nov 2023 16:34:03 +0100
Subject: [PATCH] manager: check if offline subscription is for the correct product previously when an offline key was set it wasn't verified that the subscription was for the correct product. while pom only applies subscriptions for the corresponding products, a user could manually invoke the `subscription set-offline-key` command to circumvent that.
Signed-off-by: Stefan Sterz
---
 Cargo.toml | 2 +-
 debian/control | 4 ++--
 src/bin/proxmox_backup_manager/subscription.rs | 8 +++++++-
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 07283bb5..e88366af 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -76,7 +76,7 @@ proxmox-section-config = "2"
 proxmox-serde = "0.1.1"
 proxmox-shared-memory = "0.3.0"
 proxmox-sortable-macro = "0.1.2"
-proxmox-subscription = { version = "0.4", features = [ "api-types" ] }
+proxmox-subscription = { version = "0.4.2", features = [ "api-types" ] }
 proxmox-sys = "0.5.0"
 proxmox-tfa = { version = "4.0.4", features = [ "api", "api-types" ] }
 proxmox-time = "1.1.2"
diff --git a/debian/control b/debian/control
index dee9ce1f..996b4a39 100644
--- a/debian/control
+++ b/debian/control
@@ -85,8 +85,8 @@ Build-Depends: bash-completion,
 librust-proxmox-serde-0.1+serde-json-dev (>= 0.1.1-~~),
 librust-proxmox-shared-memory-0.3+default-dev,
 librust-proxmox-sortable-macro-0.1+default-dev (>= 0.1.2-~~),
- librust-proxmox-subscription-0.4+api-types-dev,
- librust-proxmox-subscription-0.4+default-dev,
+ librust-proxmox-subscription-0.4+api-types-dev (>= 0.4.2-~~),
+ librust-proxmox-subscription-0.4+default-dev (>= 0.4.2-~~),
 librust-proxmox-sys-0.5+acl-dev,
 librust-proxmox-sys-0.5+crypt-dev,
 librust-proxmox-sys-0.5+default-dev,
diff --git a/src/bin/proxmox_backup_manager/subscription.rs b/src/bin/proxmox_backup_manager/subscription.rs
index 66161af7..12f09ecf 100644
--- a/src/bin/proxmox_backup_manager/subscription.rs
+++ b/src/bin/proxmox_backup_manager/subscription.rs
@@ -3,7 +3,7 @@ use serde_json::Value;
 use proxmox_router::{cli::*, ApiHandler, RpcEnvironment};
 use proxmox_schema::api;
-use proxmox_subscription::SubscriptionInfo;
+use proxmox_subscription::{ProductType, SubscriptionInfo};
 use proxmox_backup::api2::{self, node::subscription::subscription_file_opts};
@@ -51,6 +51,12 @@ pub fn set_offline_subscription_key(data: String) -> Result<(), Error> {
 if !info.is_signed() {
 bail!("Offline subscription key must be signed!");
 }
+
+ let product_type = info.get_product_type()?;
+ if product_type != ProductType::Pbs {
+ bail!("Subscription is not a PBS subscription ({product_type})!");
+ }
+
 info.check_signature(&[proxmox_subscription::files::DEFAULT_SIGNING_KEY]);
 info.check_age(false);
 info.check_server_id();
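Review bot: The product check in the second hunk calls `info.get_product_type()` before `info.check_signature(...)` has run, so it is evaluated on data whose signature has not been verified yet; the only earlier gate is `is_signed()`, which by its name tests that a signature is present rather than that it is valid. Rejecting a foreign product early is harmless, but the accept decision should rest on verified fields, so consider moving the block below the `check_signature` call. The three `check_*` calls are bare statements whose outcome is not inspected in the visible lines, so it is worth confirming that a failed signature check still keeps the key from being stored as active; the rest of `set_offline_subscription_key` lies outside this hunk. A short comment such as `// pom filters keys by product, but this command can be invoked directly, so enforce it here too` would record why the check exists.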