From 334361df19bbe4d81450fdbd279aeb345af24f1f Mon Sep 17 00:00:00 2001
From: Steven Presti
Date: Fri, 26 Apr 2024 09:56:26 -0400
Subject: [PATCH 1/2] blackbox_test: add support for luks tests

Until now, the blackbox tests would not correctly cleanup after running a test with a luks device. Now Luks devices can be tested using blackbox test framework.
---
 tests/blackbox_test.go | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/tests/blackbox_test.go b/tests/blackbox_test.go
index 086d65666..aa3d50f73 100644
--- a/tests/blackbox_test.go
+++ b/tests/blackbox_test.go
@@ -19,6 +19,7 @@ import (
 "flag"
 "fmt"
 "os"
+ "os/exec"
 "os/signal"
 "path/filepath"
 "strings"
@@ -26,6 +27,7 @@ import (
 "time"
 
 "github.com/coreos/ignition/v2/config"
+ "github.com/coreos/ignition/v2/internal/exec/util"
 "github.com/coreos/ignition/v2/tests/register"
 "github.com/coreos/ignition/v2/tests/servers"
 "github.com/coreos/ignition/v2/tests/types"
@@ -259,13 +261,20 @@ func outer(t *testing.T, test types.Test, negativeTests bool) error {
 // If we're not expecting the config to be bad, make sure it passes
 // validation.
 if !test.ConfigShouldBeBad {
- _, rpt, err := config.Parse([]byte(test.Config))
+ renderedConfig, rpt, err := config.Parse([]byte(test.Config))
 if rpt.IsFatal() {
 return fmt.Errorf("test has bad config: %s", rpt.String())
 }
 if err != nil {
 return fmt.Errorf("error parsing config: %v", err)
 }
+ defer func() {
+ for _, luks := range renderedConfig.Storage.Luks {
+ if err := removeLuksDevice(luks.Name); err != nil {
+ t.Error(fmt.Errorf("failed to remove existing LUKS device %s: %v", luks.Name, err))
+ }
+ }
+ }()
 }
 
 // Ignition config
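Review bot: The deferred cleanup in the `@@ -259,13 +261,20 @@` hunk takes `luks.Name` from the config as parsed at this point, and the LUKS tests added in this series set that name to the placeholder `$uuid1`. If the placeholder has not yet been expanded in `test.Config` when `config.Parse` runs here (the substitution code is not visible in this hunk), `removeLuksDevice` would look for `/dev/mapper/$uuid1`, find nothing and return nil, so the real mapping would stay open without any test error. A comment above the `defer` such as `// luks.Name must already be the expanded mapper name; otherwise this cleanup is a silent no-op` would record the assumption. The enclosing `outer` starts and ends outside the hunk.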
@@ -347,3 +356,19 @@ func outer(t *testing.T, test types.Test, negativeTests bool) error {
 return fmt.Errorf("Expected failure and ignition succeeded")
 }
 }
+
+// Remove a LUKS device
+func removeLuksDevice(deviceName string) error {
+ deviceExists, err := util.PathExists(fmt.Sprintf("/dev/mapper/%s", deviceName))
+ if err != nil {
+ return fmt.Errorf("failed to check if device exists at %s: %v", deviceName, err)
+ }
+ if deviceExists {
+ cmd := exec.Command("sudo", "cryptsetup", "luksClose", deviceName)
+ if err := cmd.Run(); err != nil {
+ return fmt.Errorf("failed to remove LUKS device %s: %v", deviceName, err)
+ }
+ }
+
+ return nil
+}
From 62786092a246cf376f3196b8016b032516b26a14 Mon Sep 17 00:00:00 2001
From: Steven Presti
Date: Fri, 26 Apr 2024 09:58:40 -0400
Subject: [PATCH 2/2] tests/*/luks: add blackbox tests for luks

Fixes #1554
---
 tests/negative/luks/creation.go | 59 ++++++++++++++++++
 tests/positive/luks/creation.go | 105 ++++++++++++++++++++++++++++++++
 tests/registry/registry.go | 2 +
 3 files changed, 166 insertions(+)
 create mode 100644 tests/negative/luks/creation.go
 create mode 100644 tests/positive/luks/creation.go

diff --git a/tests/negative/luks/creation.go b/tests/negative/luks/creation.go
new file mode 100644
index 000000000..678dc5d3a
--- /dev/null
+++ b/tests/negative/luks/creation.go
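Review bot: `removeLuksDevice` calls `cmd.Run()` and so drops cryptsetup's stderr, which means a failed close is reported only as an exit status and a leaked mapping is hard to diagnose; `out, err := cmd.CombinedOutput()` with `out` included in the returned error would keep the reason. The command is run through `sudo`, which can block on a password prompt when the test host has no cached credentials, and `exec.Command("sudo", "-n", "cryptsetup", "luksClose", deviceName)` would fail fast instead. `deviceName` is placed into the `/dev/mapper/%s` path and handed to a privileged command without any check; it only comes from test configs here, but rejecting names that contain `/` or start with `-` would keep the helper confined to entries under `/dev/mapper`. The first error message says "at" but prints the bare name rather than the path that was checked.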
@@ -0,0 +1,59 @@
+// Copyright 2023 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package luks
+
+import (
+ "github.com/coreos/ignition/v2/tests/register"
+ "github.com/coreos/ignition/v2/tests/types"
+)
+
+func init() {
+ register.Register(register.NegativeTest, LuksFailToEncryptFormatedDevice())
+}
+
+// Fail to encrypt a device which is formatted without "WipeVolume"
+func LuksFailToEncryptFormatedDevice() types.Test {
+ name := "luks.formatedDevice.noWipeVolume"
+ in := types.GetBaseDisk()
+ out := types.GetBaseDisk()
+ mntDevices := []types.MntDevice{
+ {
+ Label: "OEM",
+ Substitution: "$DEVICE",
+ },
+ }
+ config := `{
+ "ignition": { "version": "$version" },
+ "storage": {
+ "luks": [
+ {
+ "device": "$DEVICE",
+ "name": "$uuid1",
+ "wipeVolume": false
+ }
+ ]
+ }
+ }`
+ configMinVersion := "3.2.0"
+
+ return types.Test{
+ Name: name,
+ In: in,
+ Out: out,
+ MntDevices: mntDevices,
+ Config: config,
+ ConfigMinVersion: configMinVersion,
+ }
+}
diff --git a/tests/positive/luks/creation.go b/tests/positive/luks/creation.go
new file mode 100644
index 000000000..7a6d11414
--- /dev/null
+++ b/tests/positive/luks/creation.go
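Review bot: `LuksFailToEncryptFormatedDevice` never sets a filesystem type on the `OEM` partition of `in`, while both positive tests in this series set it to `ext4`, so the precondition in the doc comment (the device is already formatted) depends on whatever `types.GetBaseDisk()` returns, which is not visible here. Because the harness only checks that Ignition failed, the test cannot tell a refusal to overwrite existing data from any other failure; adding `in[0].Partitions.GetPartition("OEM").FilesystemType = "ext4"` before the return would at least pin the precondition. The function and test name spell "Formated" with one `t` while the positive tests use `luks.formattedDevice`; `LuksFailToEncryptFormattedDevice` and `"luks.formattedDevice.noWipeVolume"` would be consistent.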
@@ -0,0 +1,105 @@
+// Copyright 2023 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package luks
+
+import (
+ "github.com/coreos/ignition/v2/tests/register"
+ "github.com/coreos/ignition/v2/tests/types"
+)
+
+func init() {
+ register.Register(register.PositiveTest, LuksWithKeyfileKey())
+ register.Register(register.PositiveTest, LuksWithTPM2())
+
+}
+
+func LuksWithKeyfileKey() types.Test {
+ name := "luks.formattedDevice.wipeVolume.keyfile"
+ in := types.GetBaseDisk()
+ out := types.GetBaseDisk()
+ mntDevices := []types.MntDevice{
+ {
+ Label: "OEM",
+ Substitution: "$DEVICE",
+ },
+ }
+ config := `{
+ "ignition": { "version": "$version" },
+ "storage": {
+ "luks": [
+ {
+ "device": "$DEVICE",
+ "name": "$uuid1",
+ "keyFile": {
+ "compression": "",
+ "source": "data:,REPLACE-THIS-WITH-YOUR-KEY-MATERIAL"
+ },
+ "wipeVolume": true
+ }
+ ]
+ }
+ }`
+ configMinVersion := "3.2.0"
+ in[0].Partitions.GetPartition("OEM").FilesystemType = "ext4"
+ out[0].Partitions.GetPartition("OEM").FilesystemType = "crypto_LUKS"
+
+ return types.Test{
+ Name: name,
+ In: in,
+ Out: out,
+ MntDevices: mntDevices,
+ Config: config,
+ ConfigMinVersion: configMinVersion,
+ }
+}
+
+func LuksWithTPM2() types.Test {
+ name := "luks.formattedDevice.wipeVolume.tpm2"
+ in := types.GetBaseDisk()
+ out := types.GetBaseDisk()
+ mntDevices := []types.MntDevice{
+ {
+ Label: "OEM",
+ Substitution: "$DEVICE",
+ },
+ }
+ config := `{
+ "ignition": { "version": "$version" },
+ "storage": {
+ "luks": [
+ {
+ "clevis": {
+ "tpm2": true
+ },
+ "device": "$DEVICE",
+ "name": "$uuid1",
+ "wipeVolume": true
+ }
+ ]
+ }
+ }`
+ configMinVersion := "3.2.0"
+ in[0].Partitions.GetPartition("OEM").FilesystemType = "ext4"
+ out[0].Partitions.GetPartition("OEM").FilesystemType = "crypto_LUKS"
+
+ return types.Test{
+ Name: name,
+ In: in,
+ Out: out,
+ MntDevices: mntDevices,
+ Config: config,
+ ConfigMinVersion: configMinVersion,
+ }
+}
diff --git a/tests/registry/registry.go b/tests/registry/registry.go
index 917106b1e..dc0f01fa2 100644
--- a/tests/registry/registry.go
+++ b/tests/registry/registry.go
@@ -19,6 +19,7 @@ import (
 _ "github.com/coreos/ignition/v2/tests/negative/files"
 _ "github.com/coreos/ignition/v2/tests/negative/filesystems"
 _ "github.com/coreos/ignition/v2/tests/negative/general"
+ _ "github.com/coreos/ignition/v2/tests/negative/luks"
 _ "github.com/coreos/ignition/v2/tests/negative/partitions"
 _ "github.com/coreos/ignition/v2/tests/negative/proxy"
 _ "github.com/coreos/ignition/v2/tests/negative/regression"
@@ -27,6 +28,7 @@ import (
 _ "github.com/coreos/ignition/v2/tests/positive/files"
 _ "github.com/coreos/ignition/v2/tests/positive/filesystems"
 _ "github.com/coreos/ignition/v2/tests/positive/general"
+ _ "github.com/coreos/ignition/v2/tests/positive/luks"
 _ "github.com/coreos/ignition/v2/tests/positive/partitions"
 _ "github.com/coreos/ignition/v2/tests/positive/passwd"
 _ "github.com/coreos/ignition/v2/tests/positive/proxy"
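Review bot: In tests/positive/luks/creation.go both `LuksWithKeyfileKey` and `LuksWithTPM2` assert only that the `OEM` partition ends up with `FilesystemType = "crypto_LUKS"`, which shows a LUKS header was written but not that the volume can be unlocked with the supplied key file or the TPM2 binding. If the harness offers a way to verify that (none is visible in this patch), it is worth using; otherwise a doc comment on each function stating that only the header type is checked would make the coverage limit explicit. `LuksWithTPM2` presumably needs a TPM2 device and clevis on the test host and is registered unconditionally in `init`, so a comment such as `// LuksWithTPM2 requires a TPM2 device and clevis on the test host.` would explain failures on hosts without one. Neither exported function has a doc comment, and the `data:,REPLACE-THIS-WITH-YOUR-KEY-MATERIAL` key source should be marked as a fixed, non-secret test fixture.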