#!/bin/bash -ex # vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: # # Copyright (c) 2020 Red Hat, Inc. # Author: Sergio Correia # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . TEST=$(basename "${0}") . tests-common-functions . clevis-luks-common-functions on_exit() { local d for d in "${TMP}" "${TMP2}"; do [ ! -d "${d}" ] && continue tang_stop "${d}" rm -rf "${d}" done } trap 'on_exit' EXIT trap 'on_exit' ERR TMP="$(mktemp -d)" port=$(tang_new_random_port) tang_run "${TMP}" "${port}" url="http://localhost:${port}" cfg=$(printf '{"url":"%s"}' "${url}") # LUKS2. DEV="${TMP}/luks2-device" new_device "luks2" "${DEV}" if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then error "${TEST}: Bind should have succeeded." fi # Now let's try to change the config but using the same one we already have. if clevis luks edit -d "${DEV}" -s 1 -c "${cfg}"; then error "${TEST}: edit should have failed because the config is the same." fi # And now, just a broken config. new_cfg=$(printf '{"url&:"%s"}' "${url}") if clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then error "${TEST}: edit should have failed because of invalid JSON" fi # Now let's have another tang instance running and change the config to use # the new one. port2=$(tang_new_random_port) TMP2="$(mktemp -d)" tang_run "${TMP2}" "${port2}" new_url="http://localhost:${port2}" new_cfg=$(printf '{"url":"%s"}' "${new_url}") if ! clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then error "${TEST}: edit should have succeeded." fi # Now we test an invalid server. new_cfg='{"url":"localhost:1"}' if clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then error "${TEST}: edit should not have succeeded with a wrong server." fi # Make sure we can still unlock the device. if ! clevis_luks_unlock_device "${DEV}" >/dev/null; then error "${TEST}: we should have been able to unlock the device" fi # And now let's use sss and start with a single tang server, then add a second # one. new_device "luks2" "${DEV}" cfg=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"}]}}' "${url}") if ! clevis luks bind -y -d "${DEV}" sss "${cfg}" <<< "${DEFAULT_PASS}"; then error "${TEST}: Bind should have succeeded." fi new_cfg=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \ "${url}" "${new_url}") if ! clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then error "${TEST}: edit should have succeeded and added a new tang server" fi # Now let's change the threshold to 2. new_cfg=$(printf '{"t":2,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \ "${url}" "${new_url}") if ! clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then error "${TEST}: edit should have succeeded and added a new tang server" fi # And finally, let's try a broken config, with a wrong threshold. new_cfg=$(printf '{"t":3,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \ "${url}" "${new_url}") if clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then error "${TEST}: edit should have failed because threshold > number of servers" fi