Merge pull request #1685 from prestist/luks-blackbox-tests

Luks blackbox tests

Author: prestist

tests/blackbox_test.go

@@ -19,13 +19,15 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"os/exec"
 	"os/signal"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/coreos/ignition/v2/config"
+	"github.com/coreos/ignition/v2/internal/exec/util"
 	"github.com/coreos/ignition/v2/tests/register"
 	"github.com/coreos/ignition/v2/tests/servers"
 	"github.com/coreos/ignition/v2/tests/types"
@@ -259,13 +261,20 @@ func outer(t *testing.T, test types.Test, negativeTests bool) error {
 	// If we're not expecting the config to be bad, make sure it passes
 	// validation.
 	if !test.ConfigShouldBeBad {
-		_, rpt, err := config.Parse([]byte(test.Config))
+		renderedConfig, rpt, err := config.Parse([]byte(test.Config))
 		if rpt.IsFatal() {
 			return fmt.Errorf("test has bad config: %s", rpt.String())
 		}
 		if err != nil {
 			return fmt.Errorf("error parsing config: %v", err)
 		}
+		defer func() {
+			for _, luks := range renderedConfig.Storage.Luks {
+				if err := removeLuksDevice(luks.Name); err != nil {
+					t.Error(fmt.Errorf("failed to remove existing LUKS device %s: %v", luks.Name, err))
+				}
+			}
+		}()
 	}
 
 	// Ignition config
@@ -347,3 +356,19 @@ func outer(t *testing.T, test types.Test, negativeTests bool) error {
 		return fmt.Errorf("Expected failure and ignition succeeded")
 	}
 }
+
+// Remove a LUKS device
+func removeLuksDevice(deviceName string) error {
+	deviceExists, err := util.PathExists(fmt.Sprintf("/dev/mapper/%s", deviceName))
+	if err != nil {
+		return fmt.Errorf("failed to check if device exists at %s: %v", deviceName, err)
+	}
+	if deviceExists {
+		cmd := exec.Command("sudo", "cryptsetup", "luksClose", deviceName)
+		if err := cmd.Run(); err != nil {
+			return fmt.Errorf("failed to remove LUKS device %s: %v", deviceName, err)
+		}
+	}
+
+	return nil
+}

tests/negative/luks/creation.go

@@ -0,0 +1,59 @@
+// Copyright 2023 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package luks
+
+import (
+	"github.com/coreos/ignition/v2/tests/register"
+	"github.com/coreos/ignition/v2/tests/types"
+)
+
+func init() {
+	register.Register(register.NegativeTest, LuksFailToEncryptFormatedDevice())
+}
+
+// Fail to encrypt a device which is formatted without "WipeVolume"
+func LuksFailToEncryptFormatedDevice() types.Test {
+	name := "luks.formatedDevice.noWipeVolume"
+	in := types.GetBaseDisk()
+	out := types.GetBaseDisk()
+	mntDevices := []types.MntDevice{
+		{
+			Label:        "OEM",
+			Substitution: "$DEVICE",
+		},
+	}
+	config := `{
+		"ignition": { "version": "$version" },
+		"storage": {
+		  "luks": [
+			{
+			  "device": "$DEVICE",
+			  "name": "$uuid1",
+			  "wipeVolume": false
+			}
+		  ]
+		}
+	}`
+	configMinVersion := "3.2.0"
+
+	return types.Test{
+		Name:             name,
+		In:               in,
+		Out:              out,
+		MntDevices:       mntDevices,
+		Config:           config,
+		ConfigMinVersion: configMinVersion,
+	}
+}

tests/positive/luks/creation.go

@@ -0,0 +1,105 @@
+// Copyright 2023 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package luks
+
+import (
+	"github.com/coreos/ignition/v2/tests/register"
+	"github.com/coreos/ignition/v2/tests/types"
+)
+
+func init() {
+	register.Register(register.PositiveTest, LuksWithKeyfileKey())
+	register.Register(register.PositiveTest, LuksWithTPM2())
+
+}
+
+func LuksWithKeyfileKey() types.Test {
+	name := "luks.formattedDevice.wipeVolume.keyfile"
+	in := types.GetBaseDisk()
+	out := types.GetBaseDisk()
+	mntDevices := []types.MntDevice{
+		{
+			Label:        "OEM",
+			Substitution: "$DEVICE",
+		},
+	}
+	config := `{
+		"ignition": { "version": "$version" },
+		"storage": {
+		  "luks": [
+			{
+			  "device": "$DEVICE",
+			  "name": "$uuid1",
+			  "keyFile": {
+				"compression": "",
+				"source": "data:,REPLACE-THIS-WITH-YOUR-KEY-MATERIAL"
+			  },
+			  "wipeVolume": true
+			}
+		  ]
+		}
+	}`
+	configMinVersion := "3.2.0"
+	in[0].Partitions.GetPartition("OEM").FilesystemType = "ext4"
+	out[0].Partitions.GetPartition("OEM").FilesystemType = "crypto_LUKS"
+
+	return types.Test{
+		Name:             name,
+		In:               in,
+		Out:              out,
+		MntDevices:       mntDevices,
+		Config:           config,
+		ConfigMinVersion: configMinVersion,
+	}
+}
+
+func LuksWithTPM2() types.Test {
+	name := "luks.formattedDevice.wipeVolume.tpm2"
+	in := types.GetBaseDisk()
+	out := types.GetBaseDisk()
+	mntDevices := []types.MntDevice{
+		{
+			Label:        "OEM",
+			Substitution: "$DEVICE",
+		},
+	}
+	config := `{
+		"ignition": { "version": "$version" },
+		"storage": {
+		  "luks": [
+			{
+			  "clevis": {
+				"tpm2": true
+			  },	
+			  "device": "$DEVICE",
+			  "name": "$uuid1",
+			  "wipeVolume": true
+			}
+		  ]
+		}
+	}`
+	configMinVersion := "3.2.0"
+	in[0].Partitions.GetPartition("OEM").FilesystemType = "ext4"
+	out[0].Partitions.GetPartition("OEM").FilesystemType = "crypto_LUKS"
+
+	return types.Test{
+		Name:             name,
+		In:               in,
+		Out:              out,
+		MntDevices:       mntDevices,
+		Config:           config,
+		ConfigMinVersion: configMinVersion,
+	}
+}

tests/registry/registry.go

@@ -19,6 +19,7 @@ import (
 	_ "github.com/coreos/ignition/v2/tests/negative/files"
 	_ "github.com/coreos/ignition/v2/tests/negative/filesystems"
 	_ "github.com/coreos/ignition/v2/tests/negative/general"
+	_ "github.com/coreos/ignition/v2/tests/negative/luks"
 	_ "github.com/coreos/ignition/v2/tests/negative/partitions"
 	_ "github.com/coreos/ignition/v2/tests/negative/proxy"
 	_ "github.com/coreos/ignition/v2/tests/negative/regression"
@@ -27,6 +28,7 @@ import (
 	_ "github.com/coreos/ignition/v2/tests/positive/files"
 	_ "github.com/coreos/ignition/v2/tests/positive/filesystems"
 	_ "github.com/coreos/ignition/v2/tests/positive/general"
+	_ "github.com/coreos/ignition/v2/tests/positive/luks"
 	_ "github.com/coreos/ignition/v2/tests/positive/partitions"
 	_ "github.com/coreos/ignition/v2/tests/positive/passwd"
 	_ "github.com/coreos/ignition/v2/tests/positive/proxy"