luks_device: add support for keyslots (#664)

* luks_device: add support for keyslots

* luks_device: replace python3 format strings with python2 format strings, remove print statements

* luks_device: add missing copyright information in keyslot integration test files

* luks_device: updated failing unit tests for keyslot support

* luks_device: improve detection of luks version

* luks_device: Update documentation on keyslot parameters, minor code improvements

* luks_device: improve validation of keyslot parameters, fix tests for systems that do not support luks2

* luks_device: correct spelling and errors in documentation and output, check all possible locations for LUKS2 header
This commit is contained in:
Steffen Gufler
2023-10-29 10:53:00 +01:00
committed by GitHub
parent 428550165a
commit 6504e67139
4 changed files with 407 additions and 21 deletions


@@ -0,0 +1,178 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Create luks with keyslot 4 (check)
luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
keyslot: 4
pbkdf:
iteration_time: 0.1
check_mode: true
become: true
register: create_luks_slot4_check
- name: Create luks with keyslot 4
luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
keyslot: 4
pbkdf:
iteration_time: 0.1
become: true
register: create_luks_slot4
- name: Create luks with keyslot 4 (idempotent)
luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
keyslot: 4
pbkdf:
iteration_time: 0.1
become: true
register: create_luks_slot4_idem
- name: Create luks with keyslot 4 (idempotent, check)
luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
keyslot: 4
pbkdf:
iteration_time: 0.1
check_mode: true
become: true
register: create_luks_slot4_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot4
- assert:
that:
- create_luks_slot4_check is changed
- create_luks_slot4 is changed
- create_luks_slot4_idem is not changed
- create_luks_slot4_idem_check is not changed
- "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout"
- name: Add key in slot 2 (check)
luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
new_keyslot: 2
pbkdf:
iteration_time: 0.1
check_mode: true
become: true
register: add_luks_slot2_check
- name: Add key in slot 2
luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
new_keyslot: 2
pbkdf:
iteration_time: 0.1
become: true
register: add_luks_slot2
- name: Add key in slot 2 (idempotent)
luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
new_keyslot: 2
pbkdf:
iteration_time: 0.1
become: true
register: add_luks_slot2_idem
- name: Add key in slot 2 (idempotent, check)
luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
new_keyslot: 2
pbkdf:
iteration_time: 0.1
check_mode: true
become: true
register: add_luks_slot2_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot2
- assert:
that:
- add_luks_slot2_check is changed
- add_luks_slot2 is changed
- add_luks_slot2_idem is not changed
- add_luks_slot2_idem_check is not changed
- "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout"
- name: Check remove slot 4 without key
luks_device:
device: "{{ cryptfile_device }}"
remove_keyslot: 4
ignore_errors: true
become: true
register: kill_slot4_nokey
- name: Check remove slot 4 with slot 4 key
luks_device:
device: "{{ cryptfile_device }}"
remove_keyslot: 4
keyfile: "{{ remote_tmp_dir }}/keyfile1"
ignore_errors: true
become: true
register: kill_slot4_key_slot4
- assert:
that:
- kill_slot4_nokey is failed
- kill_slot4_key_slot4 is failed
- name: Remove key in slot 4 (check)
luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
check_mode: true
become: true
register: kill_luks_slot4_check
- name: Remove key in slot 4
luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
become: true
register: kill_luks_slot4
- name: Remove key in slot 4 (idempotent)
luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
become: true
register: kill_luks_slot4_idem
- name: Remove key in slot 4 (idempotent)
luks_device:
device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4
check_mode: true
become: true
register: kill_luks_slot4_idem_check
- name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true
register: luks_header_slot4_removed
- assert:
that:
- kill_luks_slot4_check is changed
- kill_luks_slot4 is changed
- kill_luks_slot4_idem is not changed
- kill_luks_slot4_idem_check is not changed
- "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout"
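Review bot: The check-mode removal task registered as `kill_luks_slot4_idem_check` reuses the name of the task before it (`- name: Remove key in slot 4 (idempotent)`); every other check-mode variant in this file is suffixed `(idempotent, check)`, so it should read `- name: Remove key in slot 4 (idempotent, check)` to keep the run log unambiguous. In the final assert, `not '4: luks' in luks_header_slot4_removed.stdout` is clearer as the Jinja form `'4: luks' not in luks_header_slot4_removed.stdout`. These substring checks on the luksDump output would also match two-digit slots (`'4: luks2'` is a substring of `14: luks2`), which is harmless with the slots exercised here but worth a one-line comment if the test is ever extended. The rendered page has lost the file's indentation and the hunk header counts 178 lines while 174 are visible, so the nesting is inferred from the surrounding tasks.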


@@ -0,0 +1,79 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Check invalid slot (luks1, 8)
luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks1
keyfile: "{{ remote_tmp_dir }}/keyfile1"
keyslot: 8
pbkdf:
iteration_time: 0.1
ignore_errors: true
become: true
register: create_luks1_slot8
- name: Check invalid slot (luks2, 32)
luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks2
keyfile: "{{ remote_tmp_dir }}/keyfile1"
keyslot: 32
pbkdf:
iteration_time: 0.1
ignore_errors: true
become: true
register: create_luks2_slot32
- name: Check invalid slot (no luks type, 8)
luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
keyslot: 8
pbkdf:
iteration_time: 0.1
ignore_errors: true
become: true
register: create_luks_slot8
- assert:
that:
- create_luks1_slot8 is failed
- create_luks2_slot32 is failed
- create_luks_slot8 is failed
- name: Check valid slot (luks2, 8)
luks_device:
device: "{{ cryptfile_device }}"
state: present
type: luks2
keyfile: "{{ remote_tmp_dir }}/keyfile1"
keyslot: 8
pbkdf:
iteration_time: 0.1
become: true
ignore_errors: true
register: create_luks2_slot8
- name: Make sure that the previous task only fails if LUKS2 is not supported
assert:
that:
- "'Unknown option --type' in create_luks2_slot8.msg"
when: create_luks2_slot8 is failed
- name: Check add valid slot (no luks type, 10)
luks_device:
device: "{{ cryptfile_device }}"
state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1"
new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
new_keyslot: 10
pbkdf:
iteration_time: 0.1
become: true
register: create_luks_slot10
when: create_luks2_slot8 is changed
- assert:
that:
- create_luks_slot10 is changed
when: create_luks2_slot8 is changed
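Review bot: The task `Check invalid slot (no luks type, 8)` asserts a failure without saying why slot 8 must be rejected when `type` is omitted, even though the later task `Check valid slot (luks2, 8)` shows the same slot is accepted for LUKS2; presumably the module validates an unspecified type against the LUKS1 range, but that cannot be confirmed from this file, so a comment above the task such as `# no type given: the module must validate against the LUKS1 slot range, so slot 8 is rejected` would keep the expectation from reading as a typo. The fallback assert `'Unknown option --type' in create_luks2_slot8.msg` pins the test to one cryptsetup error string; if it is intended to tolerate older cryptsetup builds, a comment naming that intent (and the minimum version expected to support LUKS2, as a placeholder for the maintainer to fill in) would help. The hunk header counts 79 lines while 77 are visible here, so a couple of lines, likely blanks, are not shown.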