Unable to use restore from backup due to missing authentication

[dvzrv]

Hi! 👋

I'm using this crate in the nethsm crate and noticed that one of the endpoints that reliably fails for me is the one for restoring from backup (I always get a 400 response code).

I have already reported this in the nethsm repository, please see Nitrokey/nethsm#5 for further details.

In short, it appears as if authentication and authorization handling is missing in the relevant function:

nethsm-sdk-rs/src/apis/default_api.rs

Lines 3353 to 3401 in 569321d

	pub fn system_restore_post(
	configuration: &configuration::Configuration,
	arguments: Option<crate::models::RestoreRequestArguments>,
	backup_file: Option<std::vec::Vec<u8>>,
	) -> Result<ResponseContent<()>, Error<SystemRestorePostError>> {
	let local_var_configuration = configuration;
	let local_var_client = &local_var_configuration.client;
	let local_var_uri_str = format!("{}/system/restore", local_var_configuration.base_path);
	let mut local_var_req_builder = local_var_client.request("POST", local_var_uri_str.as_str());
	if let Some(ref local_var_user_agent) = local_var_configuration.user_agent {
	local_var_req_builder = local_var_req_builder.set("user-agent", local_var_user_agent);
	}
	local_var_req_builder = local_var_req_builder.set("content-type", "multipart/form-data");
	let local_var_resp = local_var_req_builder.call()?;
	let local_var_headers = super::get_header_map(&local_var_resp);
	let local_var_status = local_var_resp.status();
	let mut local_var_content = vec![];
	local_var_resp
	.into_reader()
	.read_to_end(&mut local_var_content)?;
	let local_var_content_clone = local_var_content.clone();
	if !local_var_status >= 400 {
	let local_var_result = ResponseContent {
	status: local_var_status,
	content: local_var_content_clone,
	entity: (),
	headers: local_var_headers,
	};
	Ok(local_var_result)
	} else {
	let local_var_entity: SystemRestorePostError = serde_json::from_slice(&local_var_content)?;
	let local_var_error = ResponseContent {
	status: local_var_status,
	content: local_var_content,
	entity: local_var_entity,
	headers: local_var_headers,
	};
	Err(Error::ResponseError(local_var_error))
	}
	}

Compare to:

nethsm-sdk-rs/src/apis/default_api.rs

Lines 3300 to 3349 in 569321d

	pub fn system_reboot_post(
	configuration: &configuration::Configuration,
	) -> Result<ResponseContent<()>, Error<SystemRebootPostError>> {
	let local_var_configuration = configuration;
	let local_var_client = &local_var_configuration.client;
	let local_var_uri_str = format!("{}/system/reboot", local_var_configuration.base_path);
	let mut local_var_req_builder = local_var_client.request("POST", local_var_uri_str.as_str());
	if let Some(ref local_var_user_agent) = local_var_configuration.user_agent {
	local_var_req_builder = local_var_req_builder.set("user-agent", local_var_user_agent);
	}
	if let Some(ref local_var_auth_conf) = local_var_configuration.basic_auth {
	let value = super::basic_auth(local_var_auth_conf);
	local_var_req_builder = local_var_req_builder.set("authorization", &value);
	};
	let local_var_resp = local_var_req_builder.call()?;
	let local_var_headers = super::get_header_map(&local_var_resp);
	let local_var_status = local_var_resp.status();
	let mut local_var_content = vec![];
	local_var_resp
	.into_reader()
	.read_to_end(&mut local_var_content)?;
	let local_var_content_clone = local_var_content.clone();
	if !local_var_status >= 400 {
	let local_var_result = ResponseContent {
	status: local_var_status,
	content: local_var_content_clone,
	entity: (),
	headers: local_var_headers,
	};
	Ok(local_var_result)
	} else {
	let local_var_entity: SystemRebootPostError = serde_json::from_slice(&local_var_content)?;
	let local_var_error = ResponseContent {
	status: local_var_status,
	content: local_var_content,
	entity: local_var_entity,
	headers: local_var_headers,
	};
	Err(Error::ResponseError(local_var_error))
	}
	}

I am tracking this issue downstream in https://gitlab.archlinux.org/archlinux/signstar/-/issues/8

[robin-nitrokey]

AFAIS this is caused by a missing security field for the restore endpoint in the API spec, so let’s continue the discussion in the NetHSM issue.

[robin-nitrokey]

This should now work both for the unauthenticated/complete restore and the authenticated/partial restore. Please report back if there are still issues with it.

[dvzrv]

Oof, I was under the impression, that this has already been added in a released version of nethsm-sdk-rs.

I'm currently testing on the actual hardware but am still running into this issue unfortunately.

[dvzrv]

Alright, after using a88b461 I am now able to do restore from backup on an already provisioned system.
However, for an unprovisioned system it does not yet work (still status code 400).

(I have sent test cases, wireshark dumps and shell logs out of band).

[robin-nitrokey]

AFAIS the unprovisioned case has now been fixed too so this is really resolved.