constellation/mount/cryptmapper/cryptmapper_test.go

package cryptmapper

import (
	"context"
	"errors"
	"testing"

	"github.com/edgelesssys/constellation/mount/kms"
	cryptsetup "github.com/martinjungblut/go-cryptsetup"
	"github.com/stretchr/testify/assert"
)

var testDEK = []byte{
	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
}

type stubCryptDevice struct {
	initErr       error
	activateErr   error
	deactivateErr error
	formatErr     error
	loadErr       error
	wipeErr       error
}

func (c *stubCryptDevice) Init(devicePath string) error {
	return c.initErr
}

func (c *stubCryptDevice) ActivateByVolumeKey(deviceName, volumeKey string, volumeKeySize, flags int) error {
	return c.activateErr
}

func (c *stubCryptDevice) Deactivate(deviceName string) error {
	return c.deactivateErr
}

func (c *stubCryptDevice) Format(deviceType cryptsetup.DeviceType, genericParams cryptsetup.GenericParams) error {
	return c.formatErr
}

func (c *stubCryptDevice) Free() bool {
	return true
}

func (c *stubCryptDevice) Load(cryptsetup.DeviceType) error {
	return c.loadErr
}

func (c *stubCryptDevice) Wipe(devicePath string, pattern int, offset, length uint64, wipeBlockSize int, flags int, progress func(size, offset uint64) int) error {
	return c.wipeErr
}

func TestCloseCryptDevice(t *testing.T) {
	testCases := map[string]struct {
		mapper      *stubCryptDevice
		errExpected bool
	}{
		"success": {
			mapper:      &stubCryptDevice{},
			errExpected: false,
		},
		"error on Init": {
			mapper: &stubCryptDevice{
				initErr: errors.New("error"),
			},
			errExpected: true,
		},
		"error on Deactivate": {
			mapper: &stubCryptDevice{
				deactivateErr: errors.New("error"),
			},
			errExpected: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)

			err := closeCryptDevice(tc.mapper, "/dev/some-device", "volume0", "test")
			if tc.errExpected {
				assert.Error(err)
			} else {
				assert.NoError(err)
			}
		})
	}

	mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
	err := mapper.CloseCryptDevice("volume01-unit-test")
	assert.NoError(t, err)
}

func TestOpenCryptDevice(t *testing.T) {
	someErr := errors.New("error")

	testCases := map[string]struct {
		source      string
		volumeID    string
		dek         string
		integrity   bool
		mapper      *stubCryptDevice
		diskInfo    func(disk string) (string, error)
		errExpected bool
	}{
		"success with Load": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(testDEK),
			mapper:      &stubCryptDevice{},
			diskInfo:    func(disk string) (string, error) { return "", nil },
			errExpected: false,
		},
		"success with error on Load": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(testDEK),
			mapper:      &stubCryptDevice{loadErr: someErr},
			diskInfo:    func(disk string) (string, error) { return "", nil },
			errExpected: false,
		},
		"success with integrity": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(append(testDEK, testDEK[:32]...)),
			integrity:   true,
			mapper:      &stubCryptDevice{loadErr: someErr},
			diskInfo:    func(disk string) (string, error) { return "", nil },
			errExpected: false,
		},
		"incorrect key size": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         "short",
			mapper:      &stubCryptDevice{},
			diskInfo:    func(disk string) (string, error) { return "", nil },
			errExpected: true,
		},
		"error on Init": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(testDEK),
			mapper:      &stubCryptDevice{initErr: someErr},
			diskInfo:    func(disk string) (string, error) { return "", nil },
			errExpected: true,
		},
		"error on Format": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(testDEK),
			mapper:      &stubCryptDevice{loadErr: someErr, formatErr: someErr},
			diskInfo:    func(disk string) (string, error) { return "", nil },
			errExpected: true,
		},
		"error on Activate": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(testDEK),
			mapper:      &stubCryptDevice{activateErr: someErr},
			diskInfo:    func(disk string) (string, error) { return "", nil },
			errExpected: true,
		},
		"error on diskInfo": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(testDEK),
			mapper:      &stubCryptDevice{loadErr: someErr},
			diskInfo:    func(disk string) (string, error) { return "", someErr },
			errExpected: true,
		},
		"disk is already formatted": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(testDEK),
			mapper:      &stubCryptDevice{loadErr: someErr},
			diskInfo:    func(disk string) (string, error) { return "ext4", nil },
			errExpected: true,
		},
		"error with integrity on wipe": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(append(testDEK, testDEK[:32]...)),
			integrity:   true,
			mapper:      &stubCryptDevice{loadErr: someErr, wipeErr: someErr},
			diskInfo:    func(disk string) (string, error) { return "", nil },
			errExpected: true,
		},
		"error with integrity on activate": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(append(testDEK, testDEK[:32]...)),
			integrity:   true,
			mapper:      &stubCryptDevice{loadErr: someErr, activateErr: someErr},
			diskInfo:    func(disk string) (string, error) { return "", nil },
			errExpected: true,
		},
		"error with integrity on deactivate": {
			source:      "/dev/some-device",
			volumeID:    "volume0",
			dek:         string(append(testDEK, testDEK[:32]...)),
			integrity:   true,
			mapper:      &stubCryptDevice{loadErr: someErr, deactivateErr: someErr},
			diskInfo:    func(disk string) (string, error) { return "", nil },
			errExpected: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)

			out, err := openCryptDevice(tc.mapper, tc.source, tc.volumeID, tc.dek, tc.integrity, tc.diskInfo)
			if tc.errExpected {
				assert.Error(err)
			} else {
				assert.NoError(err)
				assert.Equal(cryptPrefix+tc.volumeID, out)
			}
		})
	}

	mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
	_, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false)
	assert.NoError(t, err)
}