edit-tang-luks2 3.7 KB

  1. #!/bin/bash -ex
  2. # vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
  3. #
  4. # Copyright (c) 2020 Red Hat, Inc.
  5. # Author: Sergio Correia <scorreia@redhat.com>
  6. #
  7. # This program is free software: you can redistribute it and/or modify
  8. # it under the terms of the GNU General Public License as published by
  9. # the Free Software Foundation, either version 3 of the License, or
  10. # (at your option) any later version.
  11. #
  12. # This program is distributed in the hope that it will be useful,
  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. # GNU General Public License for more details.
  16. #
  17. # You should have received a copy of the GNU General Public License
  18. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  # Name of this test script; used as the prefix of every failure message.
  TEST="$(basename "$0")"

  # Shared test and clevis-luks helper libraries. Neither name contains a
  # slash, so bash resolves them through its usual lookup for sourced files.
  source tests-common-functions
  source clevis-luks-common-functions
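  #######################################
  # Cleanup handler: for each temporary directory, stop the tang instance
  # started on it and remove the directory.
  # Globals:   TMP, TMP2 (read) - either may still be unset or empty when
  #            the script aborts early.
  # Arguments: none
  #######################################
  on_exit() {
      local d
      for d in "${TMP}" "${TMP2}"; do
          # Skip unset/empty entries and directories that are already gone.
          [ -d "${d}" ] || continue
          # Best effort: the script runs with -e, so a failing tang_stop
          # must not prevent the directory from being removed.
          tang_stop "${d}" || :
          # ':?' and '--' keep rm from ever running on an empty or
          # option-like path.
          rm -rf -- "${d:?}"
      done
  }

  # Registered for both EXIT and ERR, so the handler may run twice; the
  # second pass finds no directories left and does nothing.
  trap 'on_exit' EXIT
  trap 'on_exit' ERR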
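  # Throwaway working directory and first tang server; both are cleaned up
  # by on_exit.
  TMP="$(mktemp -d)"
  port=$(tang_new_random_port)
  tang_run "${TMP}" "${port}"

  url="http://localhost:${port}"
  cfg=$(printf '{"url":"%s"}' "${url}")

  # LUKS2.
  DEV="${TMP}/luks2-device"
  new_device "luks2" "${DEV}"

  if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
      error "${TEST}: Bind should have succeeded."
  fi

  # Now let's try to change the config but using the same one we already have.
  if clevis luks edit -d "${DEV}" -s 1 -c "${cfg}"; then
      error "${TEST}: edit should have failed because the config is the same."
  fi

  # And now, just a broken config (the JSON key is deliberately malformed).
  new_cfg=$(printf '{"url&:"%s"}' "${url}")
  if clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then
      error "${TEST}: edit should have failed because of invalid JSON"
  fi

  # Now let's have another tang instance running and change the config to use
  # the new one.
  port2=$(tang_new_random_port)
  TMP2="$(mktemp -d)"
  tang_run "${TMP2}" "${port2}"
  new_url="http://localhost:${port2}"
  new_cfg=$(printf '{"url":"%s"}' "${new_url}")

  if ! clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then
      error "${TEST}: edit should have succeeded."
  fi

  # Now we test an invalid server.
  new_cfg='{"url":"localhost:1"}'
  if clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then
      error "${TEST}: edit should not have succeeded with a wrong server."
  fi

  # Make sure we can still unlock the device: the rejected edits above must
  # not have damaged the binding in slot 1. Only the exit status matters, so
  # the helper's output is discarded.
  if ! clevis_luks_unlock_device "${DEV}" >/dev/null; then
      error "${TEST}: we should have been able to unlock the device"
  fi

  # And now let's use sss and start with a single tang server, then add a second
  # one.
  new_device "luks2" "${DEV}"
  cfg=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"}]}}' "${url}")

  if ! clevis luks bind -y -d "${DEV}" sss "${cfg}" <<< "${DEFAULT_PASS}"; then
      error "${TEST}: Bind should have succeeded."
  fi

  new_cfg=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
            "${url}" "${new_url}")

  if ! clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then
      error "${TEST}: edit should have succeeded and added a new tang server"
  fi

  # Now let's change the threshold to 2.
  new_cfg=$(printf '{"t":2,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
            "${url}" "${new_url}")

  if ! clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then
      # This step changes the threshold; the message used to repeat the
      # "added a new tang server" text from the previous step.
      error "${TEST}: edit should have succeeded and changed the threshold to 2"
  fi

  # And finally, let's try a broken config, with a wrong threshold.
  new_cfg=$(printf '{"t":3,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
            "${url}" "${new_url}")

  if clevis luks edit -d "${DEV}" -s 1 -c "${new_cfg}"; then
      error "${TEST}: edit should have failed because threshold > number of servers"
  fi

  # A rejected edit must leave the existing sss binding usable; otherwise a
  # bad config could lock the operator out of the volume. Both tang servers
  # are still running at this point, so the t=2 binding should unlock.
  if ! clevis_luks_unlock_device "${DEV}" >/dev/null; then
      error "${TEST}: we should still be able to unlock the device after a rejected edit"
  fi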