From 5f9f283fa69024c7c06f868433ed497d1564408d Mon Sep 17 00:00:00 2001
From: "CanbiZ (MickLesk)" <47820557+MickLesk@users.noreply.github.com>
Date: Tue, 3 Mar 2026 14:42:46 +0100
Subject: [PATCH] feat(preflight): add enterprise repo subscription check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- New preflight_repo_access() warns if enterprise repos are active without subscription
- Scans /etc/apt/sources.list.d/ for enterprise.proxmox.com entries
- Tests HTTP access (detects 401/403 Unauthorized)
- Warning only — not a blocker (packages come from pve-no-subscription repo)
---
 misc/build.func | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/misc/build.func b/misc/build.func
index 6773715fa..9bcd70138 100644
--- a/misc/build.func
+++ b/misc/build.func
@@ -109,6 +109,7 @@ fi
 #   - Kernel: keyring limits (maxkeys/maxbytes for UID 100000)
 #   - Storage: rootdir support, vztmpl support, available space
 #   - Network: bridge availability, DNS resolution
+#   - Repos: enterprise repo subscription validation
 #   - Cluster: quorum status (if clustered)
 #   - Proxmox: LXC stack health, container ID availability
 #   - Template: download server reachability
@@ -344,6 +345,42 @@ preflight_dns_resolution() {
   return 0
 }
 
+# ------------------------------------------------------------------------------
+# preflight_repo_access()
+#
+# - Checks if Proxmox enterprise repos are enabled without a valid subscription
+# - Scans /etc/apt/sources.list.d/ for enterprise.proxmox.com entries
+# - Tests HTTP access to detect 401 Unauthorized
+# - Warning only (not a blocker — packages come from no-subscription repo)
+# ------------------------------------------------------------------------------
+preflight_repo_access() {
+  local enterprise_files
+  enterprise_files=$(grep -rlE '^\s*deb\s+https://enterprise\.proxmox\.com' /etc/apt/sources.list.d/ 2>/dev/null || true)
+
+  if [[ -z "$enterprise_files" ]]; then
+    preflight_pass "No enterprise repositories enabled"
+    return 0
+  fi
+
+  # Enterprise repo found — test if subscription is valid
+  local http_code
+  http_code=$(curl -sS -o /dev/null -w "%{http_code}" -m 5 "https://enterprise.proxmox.com/debian/pve/dists/" 2>/dev/null) || http_code="000"
+
+  if [[ "$http_code" == "401" || "$http_code" == "403" ]]; then
+    preflight_warn "Enterprise repo enabled without valid subscription (HTTP ${http_code})"
+    echo -e "    ${TAB}${INFO} apt-get update will show '401 Unauthorized' errors"
+    echo -e "    ${TAB}${INFO} Disable in ${GN}/etc/apt/sources.list.d/${CL} or add a subscription key"
+    return 0
+  fi
+
+  if [[ "$http_code" =~ ^2[0-9]{2}$ ]]; then
+    preflight_pass "Enterprise repository accessible (subscription valid)"
+  else
+    preflight_warn "Enterprise repo check inconclusive (HTTP ${http_code})"
+  fi
+  return 0
+}
+
 # ------------------------------------------------------------------------------
 # preflight_cluster_quorum()
 #
@@ -563,6 +600,9 @@ run_preflight() {
   preflight_network_bridge
   preflight_dns_resolution
 
+  # --- Repository checks ---
+  preflight_repo_access
+
   # --- Proxmox/Cluster checks ---
   preflight_cluster_quorum
   preflight_lxc_stack