From d4df1b145cbd42ac95fde04a13703dea32bf2b64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Thu, 30 Jun 2022 14:46:42 +0200
Subject: [PATCH] pvesubscription: add 'set-offline-key' command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

and disallow updating signed offline keys via regular check/update code path.

Signed-off-by: Fabian Grünbichler
---
 PVE/API2/Subscription.pm | 5 ++++-
 PVE/CLI/pvesubscription.pm | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/PVE/API2/Subscription.pm b/PVE/API2/Subscription.pm
index 22455e3a..6768f4d5 100644
--- a/PVE/API2/Subscription.pm
+++ b/PVE/API2/Subscription.pm
@@ -169,7 +169,10 @@ __PACKAGE__->register_method ({
 my $server_id = PVE::API2Tools::get_hwaddress();
 my $key = $info->{key};

- # key has been recently checked or is a valid, signed offline key
+ die "Updating offline key not possible - please remove and re-add subscription key to switch to online key.\n"
+ if $info->{signature};
+
+ # key has been recently checked
 return undef
 if !$param->{force}
 && $info->{status} eq 'active'
diff --git a/PVE/CLI/pvesubscription.pm b/PVE/CLI/pvesubscription.pm
index 751dde58..93c23936 100755
--- a/PVE/CLI/pvesubscription.pm
+++ b/PVE/CLI/pvesubscription.pm
@@ -3,6 +3,9 @@ package PVE::CLI::pvesubscription;
 use strict;
 use warnings;

+use MIME::Base64;
+use JSON qw(decode_json);
+
 use PVE::Tools;
 use PVE::SafeSyslog;
 use PVE::INotify;
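Review bot: In the PVE/API2/Subscription.pm hunk the new `die ... if $info->{signature};` sits before the `!$param->{force}` / recently-checked early return, so every call into this update path on a host with a signed offline key now raises instead of returning quietly. Any unattended caller of update (none is visible on this page) would start failing or logging an error on each run, so it is worth confirming that such callers tolerate the exception. The guard also keys only on the presence of the `signature` field; whether that signature was verified when `$info` was loaded is outside the hunk. A comment above the check would record the intent, e.g. `# signed offline keys are never refreshed online; they are replaced via remove + re-add or 'set-offline-key'`. The enclosing handler starts and ends outside the hunk.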
@@ -18,6 +21,35 @@ sub setup_environment {
 PVE::RPCEnvironment->setup_default_cli_env();
 }

+__PACKAGE__->register_method({
+ name => 'set_offline_key',
+ path => 'set_offline_key',
+ method => 'POST',
+ description => "(Internal use only!) Set a signed subscription info blob as offline key",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ data => {
+ type => "string",
+ },
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ my $info = decode_json(decode_base64($param->{data}));
+ my $key = PVE::Tools::file_get_contents($PVE::API2::Subscription::signature_key_filename);
+
+ $info = Proxmox::RS::Subscription::check_signature($info);
+ $info = Proxmox::RS::Subscription::check_server_id($info);
+ $info = Proxmox::RS::Subscription::check_age($info, 0);
+
+ PVE::API2::Subscription::check_key($info->{key}, PVE::API2::Subscription::get_sockets());
+
+ PVE::API2::Subscription::write_etc_subscription($info);
+}});
+
 our $cmddef = {
 update => [ 'PVE::API2::Subscription', 'update', undef, { node => $nodename } ],
 get => [ 'PVE::API2::Subscription', 'get', undef, { node => $nodename },
@@ -28,6 +60,7 @@ our $cmddef = {
 }
 }],
 set => [ 'PVE::API2::Subscription', 'set', ['key'], { node => $nodename } ],
+ "set-offline-key" => [ __PACKAGE__, 'set_offline_key', ['data'] ],
 delete => [ 'PVE::API2::Subscription', 'delete', undef, { node => $nodename } ],
 };

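Review bot: In `set_offline_key` the decoded blob reaches `write_etc_subscription($info)` without any visible test of what `check_signature`, `check_server_id` and `check_age` returned. If those helpers report failure by setting a status on the returned info rather than by dying (their bodies are not on this page), a blob that failed verification would still be stored; a guard such as `die "offline key failed verification\n" if $info->{status} ne 'active';` before the `check_key` call would make the rejection explicit. Separately, `my $key = PVE::Tools::file_get_contents(...)` is never used in this block, yet it makes the command die when that file cannot be read; either pass it to the signature check if that was the intent, or drop the line. The `data` property would also benefit from a `description` stating that it is the base64-encoded JSON info blob.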