luks_device: add support for keyslots (#664)

* luks_device: add support for keyslots * luks_device: replace python3 format strings with python2 format strings, remove print statements * luks_device: add missing copyright information in keyslot integration test files * luks_device: updated failing unit tests for keyslot support * luks_device: improve detection of luks version * luks_device: Update documentation on keyslot parameters, minor code improvements * luks_device: improve validation of keyslot parameters, fix tests for systems that do not support luks2 * luks_device: correct spelling and errors in documentation and output, check all possible locations for LUKS2 header
2026-05-07 05:43:06 +00:00 · 2023-10-29 10:53:00 +01:00
parent 428550165a
commit 6504e67139
4 changed files with 407 additions and 21 deletions
--- a/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml
+++ b/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml
@@ -0,0 +1,178 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create luks with keyslot 4 (check)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    keyslot: 4
+    pbkdf:
+      iteration_time: 0.1
+  check_mode: true
+  become: true
+  register: create_luks_slot4_check
+- name: Create luks with keyslot 4
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    keyslot: 4
+    pbkdf:
+      iteration_time: 0.1
+  become: true
+  register: create_luks_slot4
+- name: Create luks with keyslot 4 (idempotent)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    keyslot: 4
+    pbkdf:
+      iteration_time: 0.1
+  become: true
+  register: create_luks_slot4_idem
+- name: Create luks with keyslot 4 (idempotent, check)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    keyslot: 4
+    pbkdf:
+      iteration_time: 0.1
+  check_mode: true
+  become: true
+  register: create_luks_slot4_idem_check
+- name: Dump luks header
+  command: "cryptsetup luksDump {{ cryptfile_device }}"
+  become: true
+  register: luks_header_slot4
+- assert:
+    that:
+    - create_luks_slot4_check is changed
+    - create_luks_slot4 is changed
+    - create_luks_slot4_idem is not changed
+    - create_luks_slot4_idem_check is not changed
+    - "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout"
+
+- name: Add key in slot 2 (check)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+    new_keyslot: 2
+    pbkdf:
+      iteration_time: 0.1
+  check_mode: true
+  become: true
+  register: add_luks_slot2_check
+- name: Add key in slot 2
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+    new_keyslot: 2
+    pbkdf:
+      iteration_time: 0.1
+  become: true
+  register: add_luks_slot2
+- name: Add key in slot 2 (idempotent)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+    new_keyslot: 2
+    pbkdf:
+      iteration_time: 0.1
+  become: true
+  register: add_luks_slot2_idem
+- name: Add key in slot 2 (idempotent, check)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+    new_keyslot: 2
+    pbkdf:
+      iteration_time: 0.1
+  check_mode: true
+  become: true
+  register: add_luks_slot2_idem_check
+- name: Dump luks header
+  command: "cryptsetup luksDump {{ cryptfile_device }}"
+  become: true
+  register: luks_header_slot2
+- assert:
+    that:
+    - add_luks_slot2_check is changed
+    - add_luks_slot2 is changed
+    - add_luks_slot2_idem is not changed
+    - add_luks_slot2_idem_check is not changed
+    - "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout"
+
+- name: Check remove slot 4 without key
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    remove_keyslot: 4
+  ignore_errors: true
+  become: true
+  register: kill_slot4_nokey
+- name: Check remove slot 4 with slot 4 key
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    remove_keyslot: 4
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+  ignore_errors: true
+  become: true
+  register: kill_slot4_key_slot4
+- assert:
+    that:
+    - kill_slot4_nokey is failed
+    - kill_slot4_key_slot4 is failed
+
+- name: Remove key in slot 4 (check)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
+    remove_keyslot: 4
+  check_mode: true
+  become: true
+  register: kill_luks_slot4_check
+- name: Remove key in slot 4
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
+    remove_keyslot: 4
+  become: true
+  register: kill_luks_slot4
+- name: Remove key in slot 4 (idempotent)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
+    remove_keyslot: 4
+  become: true
+  register: kill_luks_slot4_idem
+- name: Remove key in slot 4 (idempotent)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    keyfile: "{{ remote_tmp_dir }}/keyfile2"
+    remove_keyslot: 4
+  check_mode: true
+  become: true
+  register: kill_luks_slot4_idem_check
+- name: Dump luks header
+  command: "cryptsetup luksDump {{ cryptfile_device }}"
+  become: true
+  register: luks_header_slot4_removed
+- assert:
+    that:
+    - kill_luks_slot4_check is changed
+    - kill_luks_slot4 is changed
+    - kill_luks_slot4_idem is not changed
+    - kill_luks_slot4_idem_check is not changed
+    - "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout"
--- a/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml
+++ b/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml
@@ -0,0 +1,79 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Check invalid slot (luks1, 8)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    type: luks1
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    keyslot: 8
+    pbkdf:
+      iteration_time: 0.1
+  ignore_errors: true
+  become: true
+  register: create_luks1_slot8
+- name: Check invalid slot (luks2, 32)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    type: luks2
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    keyslot: 32
+    pbkdf:
+      iteration_time: 0.1
+  ignore_errors: true
+  become: true
+  register: create_luks2_slot32
+- name: Check invalid slot (no luks type, 8)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    keyslot: 8
+    pbkdf:
+      iteration_time: 0.1
+  ignore_errors: true
+  become: true
+  register: create_luks_slot8
+- assert:
+    that:
+    - create_luks1_slot8 is failed
+    - create_luks2_slot32 is failed
+    - create_luks_slot8 is failed
+
+- name: Check valid slot (luks2, 8)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    type: luks2
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    keyslot: 8
+    pbkdf:
+      iteration_time: 0.1
+  become: true
+  ignore_errors: true
+  register: create_luks2_slot8
+- name: Make sure that the previous task only fails if LUKS2 is not supported
+  assert:
+    that:
+    - "'Unknown option --type' in create_luks2_slot8.msg"
+  when: create_luks2_slot8 is failed
+- name: Check add valid slot (no luks type, 10)
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: present
+    keyfile: "{{ remote_tmp_dir }}/keyfile1"
+    new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+    new_keyslot: 10
+    pbkdf:
+      iteration_time: 0.1
+  become: true
+  register: create_luks_slot10
+  when: create_luks2_slot8 is changed
+- assert:
+    that:
+    - create_luks_slot10 is changed
+  when: create_luks2_slot8 is changed
--- a/tests/unit/plugins/modules/test_luks_device.py
+++ b/tests/unit/plugins/modules/test_luks_device.py
@@ -148,16 +148,16 @@ LUKS_ADD_KEY_DATA = (

 # device, remove_key, remove_passphrase, state, label, expected
 LUKS_REMOVE_KEY_DATA = (
-    ("dummy", "key", None, "present", None, True),
-    (None, "key", None, "present", None, False),
-    (None, "key", None, "present", "labelName", True),
-    ("dummy", None, None, "present", None, False),
-    ("dummy", "key", None, "absent", None, "exception"),
-    ("dummy", None, "foo", "present", None, True),
-    (None, None, "foo", "present", None, False),
-    (None, None, "foo", "present", "labelName", True),
-    ("dummy", None, None, "present", None, False),
-    ("dummy", None, "foo", "absent", None, "exception"))
+    ("dummy", "key", None, None, "present", None, True),
+    (None, "key", None, None, "present", None, False),
+    (None, "key", None, None, "present", "labelName", True),
+    ("dummy", None, None, None, "present", None, False),
+    ("dummy", "key", None, None, "absent", None, "exception"),
+    ("dummy", None, "foo", None, "present", None, True),
+    (None, None, "foo", None, "present", None, False),
+    (None, None, "foo", None, "present", "labelName", True),
+    ("dummy", None, None, None, "present", None, False),
+    ("dummy", None, "foo", None, "absent", None, "exception"))


@pytest.mark.parametrize("device, keyfile, passphrase, state, is_luks, " +
@@ -291,17 +291,18 @@ def test_luks_add_key(device, keyfile, passphrase, new_keyfile, new_passphrase,
        assert expected == "exception"


-@pytest.mark.parametrize("device, remove_keyfile, remove_passphrase, state, " +
-                         "label, expected",
-                         ((d[0], d[1], d[2], d[3], d[4], d[5])
+@pytest.mark.parametrize("device, remove_keyfile, remove_passphrase, remove_keyslot, " +
+                         "state, label, expected",
+                         ((d[0], d[1], d[2], d[3], d[4], d[5], d[6])
                          for d in LUKS_REMOVE_KEY_DATA))
-def test_luks_remove_key(device, remove_keyfile, remove_passphrase, state,
+def test_luks_remove_key(device, remove_keyfile, remove_passphrase, remove_keyslot, state,
                         label, expected, monkeypatch):

    module = DummyModule()
    module.params["device"] = device
    module.params["remove_keyfile"] = remove_keyfile
    module.params["remove_passphrase"] = remove_passphrase
+    module.params["remove_keyslot"] = remove_keyslot
    module.params["state"] = state
    module.params["label"] = label