From e84adda90b86a274ab4151cd99c5fdc9784ff167 Mon Sep 17 00:00:00 2001
From: Steven Presti
Date: Tue, 30 Apr 2024 15:32:29 -0400
Subject: [PATCH] WIP:blackbox_tests: add clevis binding validation

add fields to test.types.partition [ClevisBinding,LuksDeviceName] to support validating the results of luks.
---
 tests/blackbox_test.go | 4 +++
 tests/positive/luks/creation.go | 4 +++
 tests/types/types.go | 2 ++
 tests/validator.go | 45 +++++++++++++++++++++++++++++++++
 4 files changed, 55 insertions(+)

diff --git a/tests/blackbox_test.go b/tests/blackbox_test.go
index 9f075c003..041100f5c 100644
--- a/tests/blackbox_test.go
+++ b/tests/blackbox_test.go
@@ -339,6 +339,10 @@ func outer(t *testing.T, test types.Test, negativeTests bool) error {
 	}
 	for _, disk := range test.Out {
+		err = validateClevisBinding(t, disk.Partitions)
+		if err != nil {
+			return err
+		}
 		err = validateDisk(t, disk)
 		if err != nil {
 			return err
diff --git a/tests/positive/luks/creation.go b/tests/positive/luks/creation.go
index 3c7d6f6d8..4da8aa3ce 100644
--- a/tests/positive/luks/creation.go
+++ b/tests/positive/luks/creation.go
@@ -118,7 +118,11 @@ func LuksWithTPM() types.Test {
 	}`
 	configMinVersion := "3.2.0"
 	in[0].Partitions.GetPartition("OEM").FilesystemType = "ext4"
+	in[0].Partitions.GetPartition("OEM").ClevisBinding = ""
+	in[0].Partitions.GetPartition("OEM").LuksDeviceName = ""
 	out[0].Partitions.GetPartition("OEM").FilesystemType = "crypto_LUKS"
+	out[0].Partitions.GetPartition("OEM").ClevisBinding = "tpm2"
+	out[0].Partitions.GetPartition("OEM").LuksDeviceName = "luks-device-b"
 
 	return types.Test{
 		Name: name,
diff --git a/tests/types/types.go b/tests/types/types.go
index d5bd3fe78..9e0aac12b 100644
--- a/tests/types/types.go
+++ b/tests/types/types.go
@@ -85,6 +85,8 @@ type Partition struct {
 	Directories []Directory
 	Links []Link
 	RemovedNodes []Node
+	ClevisBinding string
+	LuksDeviceName string
 }
 
 type MntDevice struct {
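Review bot: The new `validateClevisBinding(t, disk.Partitions)` call in the blackbox_test.go hunk runs before `validateDisk(t, disk)`, and since both return on the first error a plain partition-layout mismatch would now surface as a cryptsetup luksDump failure instead of the layout diff. Consider moving the call after validateDisk (or next to the filesystem checks) so the LUKS header is only inspected once the partition is known to exist, e.g. keep the loop body as `err = validateDisk(t, disk)` first and `err = validateClevisBinding(t, disk.Partitions)` second. The enclosing function outer starts and ends outside this hunk.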
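Review bot: In the creation.go hunk, `in[0].Partitions.GetPartition("OEM").ClevisBinding = ""` and `in[0].Partitions.GetPartition("OEM").LuksDeviceName = ""` assign the zero value of a string field and so change nothing; dropping both lines keeps the input disk description as it was and leaves only the meaningful expectations on out[0]. The expected `LuksDeviceName = "luks-device-b"` presumably repeats the luks name given in the Ignition config string above this hunk, so a reader cannot tell from here whether it is the dm name or the backing partition that cryptsetup will be asked to dump; a short comment on that line stating which it is would help. LuksWithTPM's body starts outside this hunk.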
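Review bot: The two new Partition fields in the types.go hunk carry no comment, and nothing in this file tells a test author which values the validator accepts or that one field depends on the other. Suggested comments: `// ClevisBinding is the clevis pin the LUKS volume is expected to be bound with; "" disables the check and "tpm2" is the only other value the validator recognizes.` and `// LuksDeviceName is the device handed to cryptsetup luksDump; it must be set whenever ClevisBinding is non-empty.` The Partition struct itself begins outside this hunk.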
diff --git a/tests/validator.go b/tests/validator.go
index d64957dbc..59d20f8c2 100644
--- a/tests/validator.go
+++ b/tests/validator.go
@@ -16,6 +16,7 @@ package blackbox
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 	"os/exec"
@@ -25,6 +26,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/coreos/ignition/v2/internal/distro"
 	"github.com/coreos/ignition/v2/internal/exec/util"
 	"github.com/coreos/ignition/v2/tests/types"
 
@@ -139,6 +141,49 @@ func formatUUID(s string) string {
 	return strings.ToUpper(strings.Replace(s, "-", "", -1))
 }
 
+func validateClevisBinding(t *testing.T, expected []*types.Partition) error {
+	for _, e := range expected {
+		if e.ClevisBinding != "" && e.LuksDeviceName == "" {
+			return fmt.Errorf("Expected LuksDeviceName for ClevisBinding %s", e.ClevisBinding)
+		}
+
+		switch e.ClevisBinding {
+		case "":
+			continue
+		case "tpm2":
+			output, err := getLuksDump(e.LuksDeviceName)
+			if err != nil {
+				return fmt.Errorf("Error getting luks metadata: %v", err)
+			}
+			if len(output.Config.Flags) > 0 && output.Config.Flags[0] != "tpm2" {
+				return fmt.Errorf("Expected tpm2 binding, got %s", output.Config.Flags[0])
+			}
+			continue
+		default:
+			return fmt.Errorf("Unknown clevis binding: %s", e.ClevisBinding)
+		}
+	}
+	return nil
+}
+
+type LuksDump struct {
+	Config struct {
+		Flags []string `json:"flags"`
+	} `json:"config"`
+}
+
+func getLuksDump(devAlias string) (LuksDump, error) {
+	dump, err := exec.Command("sudo", distro.CryptsetupCmd(), "luksDump", "--dump-json-metadata", devAlias).CombinedOutput()
+	if err != nil {
+		return LuksDump{}, err
+	}
+	var ret LuksDump
+	if err := json.Unmarshal(dump, &ret); err != nil {
+		return LuksDump{}, fmt.Errorf("parsing luks metadata: %w", err)
+	}
+	return ret, nil
+}
+
 func validateFilesystems(t *testing.T, expected []*types.Partition) error {
 	for _, e := range expected {
 		if e.FilesystemType == "" &&
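Review bot: In validateClevisBinding's `case "tpm2"`, the guard `len(output.Config.Flags) > 0 && output.Config.Flags[0] != "tpm2"` passes when the flags list is empty, so a LUKS volume with no binding recorded at all validates as tpm2-bound; the check should fail unless "tpm2" is actually present, and reporting the whole flags list in the error is more useful than the first element. In getLuksDump, `CombinedOutput()` mixes any stderr text cryptsetup emits into the bytes handed to json.Unmarshal, and on a non-zero exit the output is discarded while the bare err tells the reader neither the device nor the diagnostic; using `Output()` and wrapping the failure with devAlias and the captured stderr fixes both (this needs "errors", and "slices" if the module is on Go 1.21+, added to the import block changed earlier in this file). As far as I recall, LUKS2's `config.flags` carries persistent activation flags rather than token types, with clevis pins living under `tokens`, so it is worth confirming against real `--dump-json-metadata` output that "tpm2" ever appears in that array before this check is relied on. The new error strings also start with a capital letter, unlike the lowercase "parsing luks metadata" wrap in the same hunk.
```go
		case "tpm2":
			output, err := getLuksDump(e.LuksDeviceName)
			if err != nil {
				return fmt.Errorf("getting luks metadata for %s: %w", e.LuksDeviceName, err)
			}
			if !slices.Contains(output.Config.Flags, "tpm2") {
				return fmt.Errorf("expected tpm2 binding on %s, got flags %v", e.LuksDeviceName, output.Config.Flags)
			}
			continue
// … unchanged: default case, LuksDump type …
func getLuksDump(devAlias string) (LuksDump, error) {
	dump, err := exec.Command("sudo", distro.CryptsetupCmd(), "luksDump", "--dump-json-metadata", devAlias).Output()
	if err != nil {
		var exitErr *exec.ExitError
		if errors.As(err, &exitErr) {
			return LuksDump{}, fmt.Errorf("cryptsetup luksDump %s: %w: %s", devAlias, err, exitErr.Stderr)
		}
		return LuksDump{}, fmt.Errorf("cryptsetup luksDump %s: %w", devAlias, err)
	}
	// … unchanged: json.Unmarshal into ret and return …
}
```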