123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102 |
- #!/bin/bash -ex
- # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
- #
- # Copyright (c) 2019 Red Hat, Inc.
- # Author: Sergio Correia <scorreia@redhat.com>
- #
- # This program is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation, either version 3 of the License, or
- # (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program. If not, see <http://www.gnu.org/licenses/>.
- #
- TEST="${0}"
- . tests-common-functions
- on_exit() {
- [ -d "${TMP}" ] && rm -rf "${TMP}"
- }
- trap 'on_exit' EXIT
- trap 'exit' ERR
- TMP="$(mktemp -d)"
- ADV="${TMP}/adv.jws"
- create_tang_adv "${ADV}"
- CFG="$(printf '{"url":"foobar","adv":"%s"}' "$ADV")"
- # LUKS1.
- DEV="${TMP}/luks1-device"
- UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
- # We can have a "partially" used if it is an inactive slot that has an UUID
- # already:
- # 1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
- # We end up in this situation if the cryptsetup step adding the key failed,
- # for instance because we provided a wrong pass phrase, and luksmeta saved
- # data anyway. We used to have an issue with clevis luks bind script, in which
- # we would still run luksmeta save even if the cryptsetup step failed.
- bind_and_verify() {
- local DEV="${1}"
- local PASS="${2}"
- local SLT="${3}"
- if ! clevis luks bind -f -d "${DEV}" tang "${CFG}" <<< "${PASS}"; then
- error "${TEST}: Binding is expected to succeed when given a correct (${PASS}) password." >&2
- fi
- if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
- error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
- fi
- if [ "${state}" != "active" ]; then
- error "${TEST}: state (${state}) is expected to be 'active'." >&2
- fi
- if [ "${uuid}" != "${UUID}" ]; then
- error "${TEST}: UUID ($uuid) is expected to be '${UUID}'." >&2
- fi
- }
- SLT=1
- NEW_PASS="new-pass"
- PASS="${DEFAULT_PASS}"
- WRONG_PASS="wrong-password-here"
- new_device "luks1" "${DEV}"
- luksmeta init -f -d "${DEV}"
- if cryptsetup luksAddKey "${DEV}" < <(echo "${WRONG_PASS}"; echo -n "${NEW_PASS}"); then
- error "${TEST}: cryptsetup should not succeed in adding key when given a wrong passphrase." >&2
- fi
- # Ok, the cryptsetup step failed, since we gave a wrong password. That means
- # that right now the luksmeta slot is inactive. Let's simulate the bad
- # condition by saving the UUID there anyway.
- echo "foo" | luksmeta save -d "${DEV}" -u "${UUID}"
- # Verify we have slot 1 like this:
- # # 1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
- if ! read -r _ state uuid < <(luksmeta show -d "${DEV}" | grep "^${SLT} *"); then
- error "${TEST}: Error reading LUKSmeta info for slot ${SLT} of ${DEV}." >&2
- fi
- if [ "${state}" != "inactive" ]; then
- error "${TEST}: state (${state}) is expected to be 'inactive', in case #1." >&2
- fi
- if [ "${uuid}" != "${UUID}" ]; then
- error "${TEST}: UUID ($uuid) is expected to be '${UUID}', in case #1." >&2
- fi
- # Verify if can bind correctly in this situation.
- bind_and_verify "${DEV}" "${PASS}" "1"
|