From e8b5ad6b45787520e01ed24d592ac5ac67dce17b Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Thu, 4 Jul 2024 14:31:24 +0200
Subject: [PATCH] access-control: use ConfigDigest for digests
Signed-off-by: Wolfgang Bumiller
---
 proxmox-access-control/Cargo.toml | 4 +++-
 proxmox-access-control/src/acl.rs | 7 ++++---
 proxmox-access-control/src/user.rs | 5 +++--
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/proxmox-access-control/Cargo.toml b/proxmox-access-control/Cargo.toml
index 6bf58367..d7f1bf8e 100644
--- a/proxmox-access-control/Cargo.toml
+++ b/proxmox-access-control/Cargo.toml
@@ -18,10 +18,11 @@ serde.workspace = true
 serde_json = { workspace = true, optional = true }
 proxmox-auth-api = { workspace = true, features = [ "api-types" ] }
+proxmox-config-digest = { workspace = true, optional = true, features = [ "openssl" ] }
+proxmox-product-config = { workspace = true, optional = true }
 proxmox-router = { workspace = true, optional = true }
 proxmox-schema.workspace = true
 proxmox-section-config = { workspace = true, optional = true }
-proxmox-product-config = { workspace = true, optional = true }
 proxmox-shared-memory = { workspace = true, optional = true }
 proxmox-sys = { workspace = true, features = [ "crypt" ], optional = true }
 proxmox-time = { workspace = true }
@@ -31,6 +32,7 @@ default = []
 impl = [
 "dep:nix",
 "dep:openssl",
+ "dep:proxmox-config-digest",
 "dep:proxmox-product-config",
 "dep:proxmox-router",
 "dep:proxmox-section-config",
diff --git a/proxmox-access-control/src/acl.rs b/proxmox-access-control/src/acl.rs
index 80f71367..cab7eb20 100644
--- a/proxmox-access-control/src/acl.rs
+++ b/proxmox-access-control/src/acl.rs
@@ -6,6 +6,7 @@ use std::sync::{Arc, OnceLock, RwLock};
 use anyhow::{bail, Error};
 use proxmox_auth_api::types::{Authid, Userid};
+use proxmox_config_digest::ConfigDigest;
 use proxmox_product_config::{open_api_lockfile, replace_privileged_config, ApiLockGuard};
 use crate::init::{access_conf, acl_config, acl_config_lock};
@@ -455,7 +456,7 @@ impl AclTree {
 Ok(())
 }
- fn load(filename: &Path) -> Result<(Self, [u8; 32]), Error> {
+ fn load(filename: &Path) -> Result<(Self, ConfigDigest), Error> {
 let mut tree = Self::new();
 let raw = match std::fs::read_to_string(filename) {
@@ -469,7 +470,7 @@ impl AclTree {
 }
 };
- let digest = openssl::sha::sha256(raw.as_bytes());
+ let digest = ConfigDigest::from_slice(raw.as_bytes());
 for (linenr, line) in raw.lines().enumerate() {
 let line = line.trim();
@@ -564,7 +565,7 @@ pub fn lock_config() -> Result {
 }
 /// Reads the [`AclTree`] from the [default path](ACL_CFG_FILENAME).
-pub fn config() -> Result<(AclTree, [u8; 32]), Error> {
+pub fn config() -> Result<(AclTree, ConfigDigest), Error> {
 let path = acl_config();
 AclTree::load(&path)
 }
diff --git a/proxmox-access-control/src/user.rs b/proxmox-access-control/src/user.rs
index fe5d6ff5..c28176dd 100644
--- a/proxmox-access-control/src/user.rs
+++ b/proxmox-access-control/src/user.rs
@@ -4,6 +4,7 @@ use std::sync::{Arc, OnceLock, RwLock};
 use anyhow::{bail, Error};
 use proxmox_auth_api::types::Authid;
+use proxmox_config_digest::ConfigDigest;
 use proxmox_product_config::{open_api_lockfile, replace_privileged_config, ApiLockGuard};
 use proxmox_schema::*;
 use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
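Review bot: `ConfigDigest::from_slice(raw.as_bytes())` in `AclTree::load` (src/acl.rs) reads like a conversion of bytes that already are a digest, yet it stands where `openssl::sha::sha256(raw.as_bytes())` stood, so it presumably hashes the raw file text. Assuming the algorithm is unchanged, a one-line comment above it would settle that for the next reader: `// SHA-256 of the raw file text, taken before any line is parsed`. The `from_slice` call in `config()` in src/user.rs would benefit from the same comment. `load` starts and ends outside this hunk.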
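Review bot: The doc comment on `config()` in src/acl.rs still describes only the `AclTree` and says nothing about the second tuple element, which this change turns into a `ConfigDigest`. I would extend it with a line such as `/// Also returns the [ConfigDigest] of the file contents the tree was parsed from.` Since `config()` is `pub`, the move away from `[u8; 32]` is visible to any downstream caller that formats or compares the raw array, and the commit message could mention that.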
@@ -44,10 +45,10 @@ pub fn lock_config() -> Result {
 open_api_lockfile(user_config_lock(), None, true)
 }
-pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {
+pub fn config() -> Result<(SectionConfigData, ConfigDigest), Error> {
 let content = proxmox_sys::fs::file_read_optional_string(user_config())?.unwrap_or_default();
- let digest = openssl::sha::sha256(content.as_bytes());
+ let digest = ConfigDigest::from_slice(content.as_bytes());
 let data = get_or_init_config().parse(user_config(), &content)?;
 Ok((data, digest))
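Review bot: `config()` in src/user.rs is public and has no doc comment, unlike its counterpart in src/acl.rs, and what the digest means for a missing file is not obvious from the signature. Because the content comes from `file_read_optional_string(user_config())?.unwrap_or_default()`, a missing file and an empty file yield the same digest, namely that of empty input, so a caller that uses the digest to detect concurrent changes cannot tell the two apart. A doc comment along the lines of `/// Reads the user config; a missing file is treated as empty and digested as such.` would record that. The function's closing brace lies outside this hunk.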