mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-12 07:59:29 -05:00
disk-mapper: systemd cryptsetup unit for state disk
This commit is contained in:
Malte Poll
Malte Poll
parent
0892525915
commit
da41cb6962
@ -95,6 +95,7 @@ func main() {
|
|||||||
setupManger := setup.New(
|
setupManger := setup.New(
|
||||||
log.Named("setupManager"),
|
log.Named("setupManager"),
|
||||||
*csp,
|
*csp,
|
||||||
|
diskPath,
|
||||||
afero.Afero{Fs: afero.NewOsFs()},
|
afero.Afero{Fs: afero.NewOsFs()},
|
||||||
keyservice.New(log.Named("keyService"), issuer, metadata, 20*time.Second, 20*time.Second), // try to request a key every 20 seconds
|
keyservice.New(log.Named("keyService"), issuer, metadata, 20*time.Second, 20*time.Second), // try to request a key every 20 seconds
|
||||||
mapper,
|
mapper,
|
||||||
|
|||||||
@ -18,6 +18,7 @@ type DeviceMapper interface {
|
|||||||
DiskUUID() string
|
DiskUUID() string
|
||||||
FormatDisk(passphrase string) error
|
FormatDisk(passphrase string) error
|
||||||
MapDisk(target string, passphrase string) error
|
MapDisk(target string, passphrase string) error
|
||||||
|
UnmapDisk(target string) error
|
||||||
}
|
}
|
||||||
|
|
||||||
// KeyWaiter is an interface to request and wait for disk decryption keys.
|
// KeyWaiter is an interface to request and wait for disk decryption keys.
|
||||||
@ -26,6 +27,11 @@ type KeyWaiter interface {
|
|||||||
ResetKey()
|
ResetKey()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ConfigurationGenerator is an interface for generating systemd-cryptsetup@.service unit files.
|
||||||
|
type ConfigurationGenerator interface {
|
||||||
|
Generate(volumeName, encryptedDevice, keyFile, options string) error
|
||||||
|
}
|
||||||
|
|
||||||
// DiskMounter uses the syscall package to mount disks.
|
// DiskMounter uses the syscall package to mount disks.
|
||||||
type DiskMounter struct{}
|
type DiskMounter struct{}
|
||||||
|
|
||||||
|
|||||||
@ -14,6 +14,7 @@ import (
|
|||||||
"github.com/edgelesssys/constellation/internal/crypto"
|
"github.com/edgelesssys/constellation/internal/crypto"
|
||||||
"github.com/edgelesssys/constellation/internal/file"
|
"github.com/edgelesssys/constellation/internal/file"
|
||||||
"github.com/edgelesssys/constellation/internal/logger"
|
"github.com/edgelesssys/constellation/internal/logger"
|
||||||
|
"github.com/edgelesssys/constellation/state/internal/systemd"
|
||||||
"github.com/spf13/afero"
|
"github.com/spf13/afero"
|
||||||
"go.uber.org/zap"
|
"go.uber.org/zap"
|
||||||
)
|
)
|
||||||
@ -24,29 +25,34 @@ const (
|
|||||||
keyFile = "state.key"
|
keyFile = "state.key"
|
||||||
stateDiskMappedName = "state"
|
stateDiskMappedName = "state"
|
||||||
stateDiskMountPath = "/var/run/state"
|
stateDiskMountPath = "/var/run/state"
|
||||||
|
cryptsetupOptions = "cipher=aes-xts-plain64,integrity=hmac-sha256"
|
||||||
stateInfoPath = stateDiskMountPath + "/constellation/node_state.json"
|
stateInfoPath = stateDiskMountPath + "/constellation/node_state.json"
|
||||||
)
|
)
|
||||||
|
|
||||||
// SetupManager handles formating, mapping, mounting and unmounting of state disks.
|
// SetupManager handles formatting, mapping, mounting and unmounting of state disks.
|
||||||
type SetupManager struct {
|
type SetupManager struct {
|
||||||
log *logger.Logger
|
log *logger.Logger
|
||||||
csp string
|
csp string
|
||||||
|
diskPath string
|
||||||
fs afero.Afero
|
fs afero.Afero
|
||||||
keyWaiter KeyWaiter
|
keyWaiter KeyWaiter
|
||||||
mapper DeviceMapper
|
mapper DeviceMapper
|
||||||
mounter Mounter
|
mounter Mounter
|
||||||
|
config ConfigurationGenerator
|
||||||
openTPM vtpm.TPMOpenFunc
|
openTPM vtpm.TPMOpenFunc
|
||||||
}
|
}
|
||||||
|
|
||||||
// New initializes a SetupManager with the given parameters.
|
// New initializes a SetupManager with the given parameters.
|
||||||
func New(log *logger.Logger, csp string, fs afero.Afero, keyWaiter KeyWaiter, mapper DeviceMapper, mounter Mounter, openTPM vtpm.TPMOpenFunc) *SetupManager {
|
func New(log *logger.Logger, csp string, diskPath string, fs afero.Afero, keyWaiter KeyWaiter, mapper DeviceMapper, mounter Mounter, openTPM vtpm.TPMOpenFunc) *SetupManager {
|
||||||
return &SetupManager{
|
return &SetupManager{
|
||||||
log: log,
|
log: log,
|
||||||
csp: csp,
|
csp: csp,
|
||||||
|
diskPath: diskPath,
|
||||||
fs: fs,
|
fs: fs,
|
||||||
keyWaiter: keyWaiter,
|
keyWaiter: keyWaiter,
|
||||||
mapper: mapper,
|
mapper: mapper,
|
||||||
mounter: mounter,
|
mounter: mounter,
|
||||||
|
config: systemd.New(fs),
|
||||||
openTPM: openTPM,
|
openTPM: openTPM,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -92,6 +98,10 @@ getKey:
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err := s.saveConfiguration(passphrase); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
return s.mounter.Unmount(stateDiskMountPath, 0)
|
return s.mounter.Unmount(stateDiskMountPath, 0)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -100,15 +110,11 @@ func (s *SetupManager) PrepareNewDisk() error {
|
|||||||
s.log.Infof("Preparing new state disk")
|
s.log.Infof("Preparing new state disk")
|
||||||
|
|
||||||
// generate and save temporary passphrase
|
// generate and save temporary passphrase
|
||||||
if err := s.fs.MkdirAll(keyPath, os.ModePerm); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
passphrase := make([]byte, crypto.RNGLengthDefault)
|
passphrase := make([]byte, crypto.RNGLengthDefault)
|
||||||
if _, err := rand.Read(passphrase); err != nil {
|
if _, err := rand.Read(passphrase); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := s.fs.WriteFile(filepath.Join(keyPath, keyFile), passphrase, 0o400); err != nil {
|
if err := s.saveConfiguration(passphrase); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -132,3 +138,17 @@ func (s *SetupManager) readMeasurementSalt(path string) ([]byte, error) {
|
|||||||
|
|
||||||
return state.MeasurementSalt, nil
|
return state.MeasurementSalt, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// saveConfiguration saves the given passphrase and cryptsetup mapping configuration to disk.
|
||||||
|
func (s *SetupManager) saveConfiguration(passphrase []byte) error {
|
||||||
|
// passphrase
|
||||||
|
if err := s.fs.MkdirAll(keyPath, os.ModePerm); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err := s.fs.WriteFile(filepath.Join(keyPath, keyFile), passphrase, 0o400); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// systemd cryptsetup unit
|
||||||
|
return s.config.Generate(stateDiskMappedName, s.diskPath, filepath.Join(keyPath, keyFile), cryptsetupOptions)
|
||||||
|
}
|
||||||
|
|||||||
@ -26,81 +26,89 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
someErr := errors.New("error")
|
someErr := errors.New("error")
|
||||||
|
|
||||||
testCases := map[string]struct {
|
testCases := map[string]struct {
|
||||||
fs afero.Afero
|
keyWaiter *stubKeyWaiter
|
||||||
keyWaiter *stubKeyWaiter
|
mapper *stubMapper
|
||||||
mapper *stubMapper
|
mounter *stubMounter
|
||||||
mounter *stubMounter
|
configGenerator *stubConfigurationGenerator
|
||||||
openTPM vtpm.TPMOpenFunc
|
openTPM vtpm.TPMOpenFunc
|
||||||
missingState bool
|
missingState bool
|
||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}{
|
||||||
"success": {
|
"success": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
keyWaiter: &stubKeyWaiter{},
|
||||||
keyWaiter: &stubKeyWaiter{},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mapper: &stubMapper{uuid: "test"},
|
mounter: &stubMounter{},
|
||||||
mounter: &stubMounter{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openTPM: vtpm.OpenNOPTPM,
|
||||||
},
|
},
|
||||||
"WaitForDecryptionKey fails": {
|
"WaitForDecryptionKey fails": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
keyWaiter: &stubKeyWaiter{waitErr: someErr},
|
||||||
keyWaiter: &stubKeyWaiter{waitErr: someErr},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mapper: &stubMapper{uuid: "test"},
|
mounter: &stubMounter{},
|
||||||
mounter: &stubMounter{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openTPM: vtpm.OpenNOPTPM,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"MapDisk fails causes a repeat": {
|
"MapDisk fails causes a repeat": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
|
||||||
keyWaiter: &stubKeyWaiter{},
|
keyWaiter: &stubKeyWaiter{},
|
||||||
mapper: &stubMapper{
|
mapper: &stubMapper{
|
||||||
uuid: "test",
|
uuid: "test",
|
||||||
mapDiskErr: someErr,
|
mapDiskErr: someErr,
|
||||||
mapDiskRepeatedCalls: 2,
|
mapDiskRepeatedCalls: 2,
|
||||||
},
|
},
|
||||||
mounter: &stubMounter{},
|
mounter: &stubMounter{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
wantErr: false,
|
openTPM: vtpm.OpenNOPTPM,
|
||||||
|
wantErr: false,
|
||||||
},
|
},
|
||||||
"MkdirAll fails": {
|
"MkdirAll fails": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
keyWaiter: &stubKeyWaiter{},
|
||||||
keyWaiter: &stubKeyWaiter{},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mapper: &stubMapper{uuid: "test"},
|
mounter: &stubMounter{mkdirAllErr: someErr},
|
||||||
mounter: &stubMounter{mkdirAllErr: someErr},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openTPM: vtpm.OpenNOPTPM,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"Mount fails": {
|
"Mount fails": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
keyWaiter: &stubKeyWaiter{},
|
||||||
keyWaiter: &stubKeyWaiter{},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mapper: &stubMapper{uuid: "test"},
|
mounter: &stubMounter{mountErr: someErr},
|
||||||
mounter: &stubMounter{mountErr: someErr},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openTPM: vtpm.OpenNOPTPM,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"Unmount fails": {
|
"Unmount fails": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
keyWaiter: &stubKeyWaiter{},
|
||||||
keyWaiter: &stubKeyWaiter{},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mapper: &stubMapper{uuid: "test"},
|
mounter: &stubMounter{unmountErr: someErr},
|
||||||
mounter: &stubMounter{unmountErr: someErr},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openTPM: vtpm.OpenNOPTPM,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"MarkNodeAsBootstrapped fails": {
|
"MarkNodeAsBootstrapped fails": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
keyWaiter: &stubKeyWaiter{},
|
||||||
keyWaiter: &stubKeyWaiter{},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mapper: &stubMapper{uuid: "test"},
|
mounter: &stubMounter{unmountErr: someErr},
|
||||||
mounter: &stubMounter{unmountErr: someErr},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: failOpener,
|
openTPM: failOpener,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
|
},
|
||||||
|
"Generating config fails": {
|
||||||
|
keyWaiter: &stubKeyWaiter{},
|
||||||
|
mapper: &stubMapper{uuid: "test"},
|
||||||
|
mounter: &stubMounter{},
|
||||||
|
configGenerator: &stubConfigurationGenerator{generateErr: someErr},
|
||||||
|
openTPM: failOpener,
|
||||||
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"no state file": {
|
"no state file": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
keyWaiter: &stubKeyWaiter{},
|
||||||
keyWaiter: &stubKeyWaiter{},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
mapper: &stubMapper{uuid: "test"},
|
mounter: &stubMounter{},
|
||||||
mounter: &stubMounter{},
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
openTPM: vtpm.OpenNOPTPM,
|
openTPM: vtpm.OpenNOPTPM,
|
||||||
missingState: true,
|
missingState: true,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -108,21 +116,24 @@ func TestPrepareExistingDisk(t *testing.T) {
|
|||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
|
fs := afero.Afero{Fs: afero.NewMemMapFs()}
|
||||||
salt := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
|
salt := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
|
||||||
if !tc.missingState {
|
if !tc.missingState {
|
||||||
handler := file.NewHandler(tc.fs)
|
handler := file.NewHandler(fs)
|
||||||
require.NoError(t, handler.WriteJSON(stateInfoPath, nodestate.NodeState{MeasurementSalt: salt}, file.OptMkdirAll))
|
require.NoError(t, handler.WriteJSON(stateInfoPath, nodestate.NodeState{MeasurementSalt: salt}, file.OptMkdirAll))
|
||||||
}
|
}
|
||||||
|
|
||||||
setupManager := New(
|
setupManager := &SetupManager{
|
||||||
logger.NewTest(t),
|
log: logger.NewTest(t),
|
||||||
"test",
|
csp: "test",
|
||||||
tc.fs,
|
diskPath: "disk-path",
|
||||||
tc.keyWaiter,
|
fs: fs,
|
||||||
tc.mapper,
|
keyWaiter: tc.keyWaiter,
|
||||||
tc.mounter,
|
mapper: tc.mapper,
|
||||||
tc.openTPM,
|
mounter: tc.mounter,
|
||||||
)
|
config: tc.configGenerator,
|
||||||
|
openTPM: tc.openTPM,
|
||||||
|
}
|
||||||
|
|
||||||
err := setupManager.PrepareExistingDisk()
|
err := setupManager.PrepareExistingDisk()
|
||||||
if tc.wantErr {
|
if tc.wantErr {
|
||||||
@ -146,18 +157,21 @@ func failOpener() (io.ReadWriteCloser, error) {
|
|||||||
func TestPrepareNewDisk(t *testing.T) {
|
func TestPrepareNewDisk(t *testing.T) {
|
||||||
someErr := errors.New("error")
|
someErr := errors.New("error")
|
||||||
testCases := map[string]struct {
|
testCases := map[string]struct {
|
||||||
fs afero.Afero
|
fs afero.Afero
|
||||||
mapper *stubMapper
|
mapper *stubMapper
|
||||||
wantErr bool
|
configGenerator *stubConfigurationGenerator
|
||||||
|
wantErr bool
|
||||||
}{
|
}{
|
||||||
"success": {
|
"success": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
||||||
mapper: &stubMapper{uuid: "test"},
|
mapper: &stubMapper{uuid: "test"},
|
||||||
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
},
|
},
|
||||||
"creating directory fails": {
|
"creating directory fails": {
|
||||||
fs: afero.Afero{Fs: afero.NewReadOnlyFs(afero.NewMemMapFs())},
|
fs: afero.Afero{Fs: afero.NewReadOnlyFs(afero.NewMemMapFs())},
|
||||||
mapper: &stubMapper{},
|
mapper: &stubMapper{},
|
||||||
wantErr: true,
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"FormatDisk fails": {
|
"FormatDisk fails": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
||||||
@ -165,7 +179,8 @@ func TestPrepareNewDisk(t *testing.T) {
|
|||||||
uuid: "test",
|
uuid: "test",
|
||||||
formatDiskErr: someErr,
|
formatDiskErr: someErr,
|
||||||
},
|
},
|
||||||
wantErr: true,
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"MapDisk fails": {
|
"MapDisk fails": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
||||||
@ -174,7 +189,14 @@ func TestPrepareNewDisk(t *testing.T) {
|
|||||||
mapDiskErr: someErr,
|
mapDiskErr: someErr,
|
||||||
mapDiskRepeatedCalls: 1,
|
mapDiskRepeatedCalls: 1,
|
||||||
},
|
},
|
||||||
wantErr: true,
|
configGenerator: &stubConfigurationGenerator{},
|
||||||
|
wantErr: true,
|
||||||
|
},
|
||||||
|
"Generating config fails": {
|
||||||
|
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
||||||
|
mapper: &stubMapper{uuid: "test"},
|
||||||
|
configGenerator: &stubConfigurationGenerator{generateErr: someErr},
|
||||||
|
wantErr: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -182,7 +204,14 @@ func TestPrepareNewDisk(t *testing.T) {
|
|||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
setupManager := New(logger.NewTest(t), "test", tc.fs, nil, tc.mapper, nil, nil)
|
setupManager := &SetupManager{
|
||||||
|
log: logger.NewTest(t),
|
||||||
|
csp: "test",
|
||||||
|
diskPath: "disk-path",
|
||||||
|
fs: tc.fs,
|
||||||
|
mapper: tc.mapper,
|
||||||
|
config: tc.configGenerator,
|
||||||
|
}
|
||||||
|
|
||||||
err := setupManager.PrepareNewDisk()
|
err := setupManager.PrepareNewDisk()
|
||||||
if tc.wantErr {
|
if tc.wantErr {
|
||||||
@ -203,22 +232,18 @@ func TestPrepareNewDisk(t *testing.T) {
|
|||||||
func TestReadMeasurementSalt(t *testing.T) {
|
func TestReadMeasurementSalt(t *testing.T) {
|
||||||
salt := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
|
salt := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
|
||||||
testCases := map[string]struct {
|
testCases := map[string]struct {
|
||||||
fs afero.Afero
|
|
||||||
salt []byte
|
salt []byte
|
||||||
writeFile bool
|
writeFile bool
|
||||||
wantErr bool
|
wantErr bool
|
||||||
}{
|
}{
|
||||||
"success": {
|
"success": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
|
||||||
salt: salt,
|
salt: salt,
|
||||||
writeFile: true,
|
writeFile: true,
|
||||||
},
|
},
|
||||||
"no state file": {
|
"no state file": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"missing salt": {
|
"missing salt": {
|
||||||
fs: afero.Afero{Fs: afero.NewMemMapFs()},
|
|
||||||
writeFile: true,
|
writeFile: true,
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
@ -229,13 +254,14 @@ func TestReadMeasurementSalt(t *testing.T) {
|
|||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
require := require.New(t)
|
require := require.New(t)
|
||||||
|
|
||||||
|
fs := afero.Afero{Fs: afero.NewMemMapFs()}
|
||||||
if tc.writeFile {
|
if tc.writeFile {
|
||||||
handler := file.NewHandler(tc.fs)
|
handler := file.NewHandler(fs)
|
||||||
state := nodestate.NodeState{MeasurementSalt: tc.salt}
|
state := nodestate.NodeState{MeasurementSalt: tc.salt}
|
||||||
require.NoError(handler.WriteJSON("test-state.json", state, file.OptMkdirAll))
|
require.NoError(handler.WriteJSON("test-state.json", state, file.OptMkdirAll))
|
||||||
}
|
}
|
||||||
|
|
||||||
setupManager := New(logger.NewTest(t), "test", tc.fs, nil, nil, nil, nil)
|
setupManager := New(logger.NewTest(t), "test", "disk-path", fs, nil, nil, nil, nil)
|
||||||
|
|
||||||
measurementSalt, err := setupManager.readMeasurementSalt("test-state.json")
|
measurementSalt, err := setupManager.readMeasurementSalt("test-state.json")
|
||||||
if tc.wantErr {
|
if tc.wantErr {
|
||||||
@ -254,6 +280,8 @@ type stubMapper struct {
|
|||||||
mapDiskRepeatedCalls int
|
mapDiskRepeatedCalls int
|
||||||
mapDiskCalled bool
|
mapDiskCalled bool
|
||||||
mapDiskErr error
|
mapDiskErr error
|
||||||
|
unmapDiskCalled bool
|
||||||
|
unmapDiskErr error
|
||||||
uuid string
|
uuid string
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -275,6 +303,11 @@ func (s *stubMapper) MapDisk(string, string) error {
|
|||||||
return s.mapDiskErr
|
return s.mapDiskErr
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *stubMapper) UnmapDisk(string) error {
|
||||||
|
s.unmapDiskCalled = true
|
||||||
|
return s.unmapDiskErr
|
||||||
|
}
|
||||||
|
|
||||||
type stubMounter struct {
|
type stubMounter struct {
|
||||||
mountCalled bool
|
mountCalled bool
|
||||||
mountErr error
|
mountErr error
|
||||||
@ -317,3 +350,11 @@ func (s *stubKeyWaiter) WaitForDecryptionKey(uuid, addr string) ([]byte, []byte,
|
|||||||
func (s *stubKeyWaiter) ResetKey() {
|
func (s *stubKeyWaiter) ResetKey() {
|
||||||
s.waitCalled = false
|
s.waitCalled = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type stubConfigurationGenerator struct {
|
||||||
|
generateErr error
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *stubConfigurationGenerator) Generate(volumeName, encryptedDevice, keyFile, options string) error {
|
||||||
|
return s.generateErr
|
||||||
|
}
|
||||||
|
|||||||
113
state/internal/systemd/systemd.go
Normal file
113
state/internal/systemd/systemd.go
Normal file
@ -0,0 +1,113 @@
|
|||||||
|
package systemd
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
"strings"
|
||||||
|
"text/template"
|
||||||
|
|
||||||
|
"github.com/spf13/afero"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
systemdRuntimeUnitPath = "/run/systemd/system"
|
||||||
|
systemdUnitName = "systemd-cryptsetup@state.service"
|
||||||
|
systemdDeviceRequires = "dev-mapper-state.device.requires"
|
||||||
|
systemdCryptsetupTargetRequires = "cryptsetup.target.requires"
|
||||||
|
)
|
||||||
|
|
||||||
|
// CryptsetupUnitGenerator generates systemd-cryptsetup@.service unit files.
|
||||||
|
type CryptsetupUnitGenerator struct {
|
||||||
|
fs afero.Afero
|
||||||
|
}
|
||||||
|
|
||||||
|
// New returns a new CryptsetupUnitGenerator.
|
||||||
|
func New(fs afero.Afero) CryptsetupUnitGenerator {
|
||||||
|
return CryptsetupUnitGenerator{fs: fs}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Generate generates a systemd-cryptsetup@.service unit file and its dependencies.
|
||||||
|
func (g CryptsetupUnitGenerator) Generate(volumeName, encryptedDevice, keyFile, options string) error {
|
||||||
|
unitContents, err := g.configureUnit(volumeName, encryptedDevice, keyFile, options)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return g.writeUnits(unitContents)
|
||||||
|
}
|
||||||
|
|
||||||
|
// configureUnit generates the systemd-cryptsetup@.service unit file contents.
|
||||||
|
func (g CryptsetupUnitGenerator) configureUnit(volumeName, encryptedDevice, keyFile, options string) (string, error) {
|
||||||
|
deviceUnit := strings.ReplaceAll(encryptedDevice, "/", "-") + ".device"
|
||||||
|
deviceUnit = strings.TrimPrefix(deviceUnit, "-")
|
||||||
|
templ, err := template.New("").Parse(`[Unit]
|
||||||
|
Description=Cryptography Setup for %I
|
||||||
|
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)
|
||||||
|
DefaultDependencies=no
|
||||||
|
IgnoreOnIsolate=true
|
||||||
|
After=cryptsetup-pre.target systemd-udevd-kernel.socket
|
||||||
|
Before=blockdev@dev-mapper-%i.target
|
||||||
|
Wants=blockdev@dev-mapper-%i.target
|
||||||
|
Conflicts=umount.target
|
||||||
|
Before=cryptsetup.target
|
||||||
|
RequiresMountsFor={{.keyFile}}
|
||||||
|
BindsTo={{.deviceUnit}}
|
||||||
|
After={{.deviceUnit}}
|
||||||
|
Before=umount.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
TimeoutSec=0
|
||||||
|
KeyringMode=shared
|
||||||
|
OOMScoreAdjust=500
|
||||||
|
ExecStart=/usr/lib/systemd/systemd-cryptsetup attach '{{.volumeName}}' '{{.encryptedDevice}}' '{{.keyFile}}' '{{.options}}'
|
||||||
|
ExecStop=/usr/lib/systemd/systemd-cryptsetup detach '{{.volumeName}}'
|
||||||
|
`)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
var buf bytes.Buffer
|
||||||
|
err = templ.Execute(&buf, map[string]string{
|
||||||
|
"volumeName": volumeName,
|
||||||
|
"encryptedDevice": encryptedDevice,
|
||||||
|
"deviceUnit": deviceUnit,
|
||||||
|
"keyFile": keyFile,
|
||||||
|
"options": options,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return buf.String(), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// writeUnits writes the unit file and its dependencies to the filesystem.
|
||||||
|
func (g CryptsetupUnitGenerator) writeUnits(unitContents string) error {
|
||||||
|
if err := g.fs.MkdirAll(systemdRuntimeUnitPath, os.ModePerm); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err := g.fs.Mkdir(filepath.Join(systemdRuntimeUnitPath, systemdDeviceRequires), os.ModePerm); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err := g.fs.Mkdir(filepath.Join(systemdRuntimeUnitPath, systemdCryptsetupTargetRequires), os.ModePerm); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
unitPath := filepath.Join(systemdRuntimeUnitPath, systemdUnitName)
|
||||||
|
if err := g.fs.WriteFile(unitPath, []byte(unitContents), 0o444); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if symlinker, ok := g.fs.Fs.(afero.Symlinker); ok {
|
||||||
|
if err := symlinker.SymlinkIfPossible(unitPath, filepath.Join(systemdRuntimeUnitPath, systemdDeviceRequires, systemdUnitName)); err != nil {
|
||||||
|
return fmt.Errorf("creating device symlink: %w", err)
|
||||||
|
}
|
||||||
|
if err := symlinker.SymlinkIfPossible(unitPath, filepath.Join(systemdRuntimeUnitPath, systemdCryptsetupTargetRequires, systemdUnitName)); err != nil {
|
||||||
|
return fmt.Errorf("creating cryptsetup target symlink: %w", err)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return errors.New("fs does not support symlinks")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
43
state/internal/systemd/systemd_test.go
Normal file
43
state/internal/systemd/systemd_test.go
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
package systemd
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"go.uber.org/goleak"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestMain(m *testing.M) {
|
||||||
|
goleak.VerifyTestMain(m)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestConfigureUnit(t *testing.T) {
|
||||||
|
assert := assert.New(t)
|
||||||
|
generator := CryptsetupUnitGenerator{}
|
||||||
|
got, err := generator.configureUnit("volumeName", "/encrypted/device/path", "/key/file/path", "options")
|
||||||
|
assert.NoError(err)
|
||||||
|
assert.Equal(`[Unit]
|
||||||
|
Description=Cryptography Setup for %I
|
||||||
|
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)
|
||||||
|
DefaultDependencies=no
|
||||||
|
IgnoreOnIsolate=true
|
||||||
|
After=cryptsetup-pre.target systemd-udevd-kernel.socket
|
||||||
|
Before=blockdev@dev-mapper-%i.target
|
||||||
|
Wants=blockdev@dev-mapper-%i.target
|
||||||
|
Conflicts=umount.target
|
||||||
|
Before=cryptsetup.target
|
||||||
|
RequiresMountsFor=/key/file/path
|
||||||
|
BindsTo=encrypted-device-path.device
|
||||||
|
After=encrypted-device-path.device
|
||||||
|
Before=umount.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
TimeoutSec=0
|
||||||
|
KeyringMode=shared
|
||||||
|
OOMScoreAdjust=500
|
||||||
|
ExecStart=/usr/lib/systemd/systemd-cryptsetup attach 'volumeName' '/encrypted/device/path' '/key/file/path' 'options'
|
||||||
|
ExecStop=/usr/lib/systemd/systemd-cryptsetup detach 'volumeName'
|
||||||
|
`, got)
|
||||||
|
}
|
||||||
Loading…
Reference in New Issue
Block a user