WIP:blackbox_tests: add clevis binding validation

coreos · May 28, 2024 · 71395ca · 71395ca
1 parent 0069a26
commit 71395ca
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 0 deletions.
diff --git a/tests/blackbox_test.go b/tests/blackbox_test.go
@@ -318,6 +318,10 @@ func outer(t *testing.T, test types.Test, negativeTests bool) error {
 		}
 
 		for _, disk := range test.Out {
+			err = validateClevisBinding(t, disk.Partitions)
+			if err != nil {
+				return err
+			}
 			err = validateDisk(t, disk)
 			if err != nil {
 				return err

diff --git a/tests/positive/luks/creation.go b/tests/positive/luks/creation.go
@@ -118,7 +118,11 @@ func LuksWithTPM() types.Test {
 	}`
 	configMinVersion := "3.2.0"
 	in[0].Partitions.GetPartition("OEM").FilesystemType = "ext4"
+	in[0].Partitions.GetPartition("OEM").ClevisBinding = ""
+	in[0].Partitions.GetPartition("OEM").LuksDeviceName = ""
 	out[0].Partitions.GetPartition("OEM").FilesystemType = "crypto_LUKS"
+	out[0].Partitions.GetPartition("OEM").ClevisBinding = "tpm2"
+	out[0].Partitions.GetPartition("OEM").LuksDeviceName = "luks-device-b"
 
 	return types.Test{
 		Name:             name,

diff --git a/tests/types/types.go b/tests/types/types.go
@@ -86,6 +86,8 @@ type Partition struct {
 	Directories     []Directory
 	Links           []Link
 	RemovedNodes    []Node
+	ClevisBinding   string
+	LuksDeviceName  string
 }
 
 type MntDevice struct {

diff --git a/tests/validator.go b/tests/validator.go
@@ -16,6 +16,7 @@ package blackbox
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 	"os/exec"
@@ -25,6 +26,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/coreos/ignition/v2/internal/distro"
 	"github.com/coreos/ignition/v2/internal/exec/util"
 	"github.com/coreos/ignition/v2/tests/types"
 
@@ -139,6 +141,49 @@ func formatUUID(s string) string {
 	return strings.ToUpper(strings.Replace(s, "-", "", -1))
 }
 
+func validateClevisBinding(t *testing.T, expected []*types.Partition) error {
+	for _, e := range expected {
+		if e.ClevisBinding != "" && e.LuksDeviceName == "" {
+			return fmt.Errorf("Expected LuksDeviceName for ClevisBinding %s", e.ClevisBinding)
+		}
+
+		switch e.ClevisBinding {
+		case "":
+			continue
+		case "tpm2":
+			output, err := getLuksDump(e.LuksDeviceName)
+			if err != nil {
+				return fmt.Errorf("Error getting luks metadata: %v", err)
+			}
+			if len(output.Config.Flags) > 0 && output.Config.Flags[0] != "tpm2" {
+				return fmt.Errorf("Expected tpm2 binding, got %s", output.Config.Flags[0])
+			}
+			continue
+		default:
+			return fmt.Errorf("Unknown clevis binding: %s", e.ClevisBinding)
+		}
+	}
+	return nil
+}
+
+type LuksDump struct {
+	Config struct {
+		Flags []string `json:"flags"`
+	} `json:"config"`
+}
+
+func getLuksDump(devAlias string) (LuksDump, error) {
+	dump, err := exec.Command("sudo", distro.CryptsetupCmd(), "luksDump", "--dump-json-metadata", devAlias).CombinedOutput()
+	if err != nil {
+		return LuksDump{}, err
+	}
+	var ret LuksDump
+	if err := json.Unmarshal(dump, &ret); err != nil {
+		return LuksDump{}, fmt.Errorf("parsing luks metadata: %w", err)
+	}
+	return ret, nil
+}
+
 func validateFilesystems(t *testing.T, expected []*types.Partition) error {
 	for _, e := range expected {
 		if e.FilesystemType == "" &&