#!/bin/bash -ex # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: # # Copyright (c) 2019 Red Hat, Inc. # Author: Sergio Correia # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # TEST="${0}" . tests-common-functions on_exit() { [ -d "${TMP}" ] && rm -rf "${TMP}" } trap 'on_exit' EXIT trap 'exit' ERR TMP="$(mktemp -d)" ADV="${TMP}/adv.jws" create_tang_adv "${ADV}" CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")" # LUKS1. DEV="${TMP}/luks1-device" UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e" # We can have a "partially" used if it is an inactive slot that has an UUID # already: # 1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e # We end up in this situation if the cryptsetup step adding the key failed, # for instance because we provided a wrong pass phrase, and luksmeta saved # data anyway. We used to have an issue with clevis luks bind script, in which # we would still run luksmeta save even if the cryptsetup step failed. bind_and_verify() { local DEV="${1}" local PASS="${2}" local SLT="${3}" if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${PASS}"; then error "${TEST}: Binding is expected to succeed when given a correct (${PASS}) password." >&2 fi if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2 fi if [ "${state}" != "active" ]; then error "${TEST}: state (${state}) is expected to be 'active'." >&2 fi if [ "${uuid}" != "${UUID}" ]; then error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2 fi } SLT=1 NEW_PASS="new-pass" PASS="${DEFAULT_PASS}" WRONG_PASS="wrong-password-here" new_device "luks1" "${DEV}" luksmeta init -f -d "${DEV}" if cryptsetup luksAddKey "${DEV}" < <(echo "${WRONG_PASS}"; echo -n "${NEW_PASS}"); then error "${TEST}: cryptsetup should not succeed in adding key when given a wrong passphrase." >&2 fi # Ok, the cryptsetup step failed, since we gave a wrong password. That means # that right now the luksmeta slot is inactive. Let's simulate the bad # condition by saving the UUID there anyway. echo "foo" | luksmeta save -d "${DEV}" -u "${UUID}" # Verify we have slot 1 like this: # # 1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2 fi if [ "${state}" != "inactive" ]; then error "${TEST}: state (${state}) is expected to be 'inactive', in case #1." >&2 fi if [ "${uuid}" != "${UUID}" ]; then error "${TEST}: UUID ($uuid) is expected to be '${UUID}', in case #1." >&2 fi # Verify if can bind correctly in this situation. bind_and_verify "${DEV}" "${PASS}" "1"