1010 lines
31 KiB
Diff
1010 lines
31 KiB
Diff
From a128130755bcd893ccf1d70b52c13fbaf29613c9 Mon Sep 17 00:00:00 2001
|
|
From: Sergio Correia <scorreia@redhat.com>
|
|
Date: Sat, 30 Nov 2019 14:26:59 -0500
|
|
Subject: [PATCH] Add clevis luks list command
|
|
|
|
Usage:
|
|
clevis luks list -d DEV [-s SLT]
|
|
|
|
Examples:
|
|
|
|
clevis luks list -d device
|
|
1: sss '{"t":1,"pins":{"tang":[{"url":"addr1"},{"url":"addr2"}],"tpm2":[{"hash":"sha256","key":"ecc"}],"sss":{"t":1,"pins":{"tang":[{"url":"addr3"}]}}}}'
|
|
2: tang '{"url":"addr"}'
|
|
3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
|
|
|
|
clevis luks list -d device -s 3
|
|
3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
|
|
---
|
|
src/luks/clevis-luks-common-functions | 173 ++++++++++++++++++++++++++
|
|
src/luks/clevis-luks-list | 77 ++++++++++++
|
|
src/luks/clevis-luks-list.1.adoc | 58 +++++++++
|
|
src/luks/meson.build | 8 +-
|
|
src/luks/tests/list-recursive-luks1 | 85 +++++++++++++
|
|
src/luks/tests/list-recursive-luks2 | 85 +++++++++++++
|
|
src/luks/tests/list-sss-tang-luks1 | 77 ++++++++++++
|
|
src/luks/tests/list-sss-tang-luks2 | 77 ++++++++++++
|
|
src/luks/tests/list-tang-luks1 | 64 ++++++++++
|
|
src/luks/tests/list-tang-luks2 | 64 ++++++++++
|
|
src/luks/tests/meson.build | 36 ++++++
|
|
src/luks/tests/tests-common-functions | 76 +++++++++++
|
|
12 files changed, 879 insertions(+), 1 deletion(-)
|
|
create mode 100755 src/luks/clevis-luks-list
|
|
create mode 100644 src/luks/clevis-luks-list.1.adoc
|
|
create mode 100755 src/luks/tests/list-recursive-luks1
|
|
create mode 100755 src/luks/tests/list-recursive-luks2
|
|
create mode 100755 src/luks/tests/list-sss-tang-luks1
|
|
create mode 100755 src/luks/tests/list-sss-tang-luks2
|
|
create mode 100755 src/luks/tests/list-tang-luks1
|
|
create mode 100755 src/luks/tests/list-tang-luks2
|
|
create mode 100644 src/luks/tests/meson.build
|
|
create mode 100644 src/luks/tests/tests-common-functions
|
|
|
|
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
|
|
index d676253..9ba1812 100644
|
|
--- a/src/luks/clevis-luks-common-functions
|
|
+++ b/src/luks/clevis-luks-common-functions
|
|
@@ -141,3 +141,176 @@ findexe() {
|
|
return 1
|
|
}
|
|
|
|
+# clevis_luks_used_slots() will return the list of used slots for a given LUKS
|
|
+# device.
|
|
+clevis_luks_used_slots() {
|
|
+ local DEV="${1}"
|
|
+
|
|
+ local slots
|
|
+ if cryptsetup isLuks --type luks1 "${DEV}"; then
|
|
+ readarray -t slots < <(cryptsetup luksDump "${DEV}" \
|
|
+ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
|
|
+ elif cryptsetup isLuks --type luks2 "${DEV}"; then
|
|
+ readarray -t slots < <(cryptsetup luksDump "${DEV}" \
|
|
+ | sed -rn 's|^\s+([0-9]+): luks2$|\1|p')
|
|
+ else
|
|
+ echo "${DEV} is not a supported LUKS device!" >&2
|
|
+ return 1
|
|
+ fi
|
|
+ echo "${slots[@]}"
|
|
+}
|
|
+
|
|
+# clevis_luks_decode_jwe() will decode a given JWE.
|
|
+clevis_luks_decode_jwe() {
|
|
+ local jwe="${1}"
|
|
+
|
|
+ local coded
|
|
+ if ! coded=$(jose jwe fmt -i- <<< "${jwe}"); then
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ coded=$(jose fmt -j- -g protected -u- <<< "${coded}" | tr -d '"')
|
|
+ jose b64 dec -i- <<< "${coded}"
|
|
+}
|
|
+
|
|
+# clevis_luks_print_pin_config() will print the config of a given pin; i.e.
|
|
+# for tang it will display the associated url address, and for tpm2, the
|
|
+# properties in place, like the hash, for instance.
|
|
+clevis_luks_print_pin_config() {
|
|
+ local P="${1}"
|
|
+ local decoded="${2}"
|
|
+
|
|
+ local content
|
|
+ if ! content="$(jose fmt -j- -g clevis -g "${P}" -o- <<< "${decoded}")" \
|
|
+ || [[ -z "${content}" ]]; then
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ local pin=
|
|
+ case "${P}" in
|
|
+ tang)
|
|
+ local url
|
|
+ url="$(jose fmt -j- -g url -u- <<< "${content}")"
|
|
+ pin=$(printf '{"url":"%s"}' "${url}")
|
|
+ printf "tang '%s'" "${pin}"
|
|
+ ;;
|
|
+ tpm2)
|
|
+ # Valid properties for tpm2 pin are the following:
|
|
+ # hash, key, pcr_bank, pcr_ids, pcr_digest.
|
|
+ local key
|
|
+ local value
|
|
+ for key in 'hash' 'key' 'pcr_bank' 'pcr_ids' 'pcr_digest'; do
|
|
+ if value=$(jose fmt -j- -g "${key}" -u- <<< "${content}"); then
|
|
+ pin=$(printf '%s,"%s":"%s"' "${pin}" "${key}" "${value}")
|
|
+ fi
|
|
+ done
|
|
+ # Remove possible leading comma.
|
|
+ pin=${pin/#,/}
|
|
+ printf "tpm2 '{%s}'" "${pin}"
|
|
+ ;;
|
|
+ sss)
|
|
+ local threshold
|
|
+ threshold=$(jose fmt -j- -Og t -o- <<< "${content}")
|
|
+ clevis_luks_process_sss_pin "${content}" "${threshold}"
|
|
+ ;;
|
|
+ *)
|
|
+ printf "unknown pin '%s'" "${P}"
|
|
+ ;;
|
|
+ esac
|
|
+}
|
|
+
|
|
+# clevis_luks_decode_pin_config() will receive a JWE and extract a pin config
|
|
+# from it.
|
|
+clevis_luks_decode_pin_config() {
|
|
+ local jwe="${1}"
|
|
+
|
|
+ local decoded
|
|
+ if ! decoded=$(clevis_luks_decode_jwe "${jwe}"); then
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ local P
|
|
+ if ! P=$(jose fmt -j- -Og clevis -g pin -u- <<< "${decoded}"); then
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ clevis_luks_print_pin_config "${P}" "${decoded}"
|
|
+}
|
|
+
|
|
+# clevis_luks_join_sss_cfg() will receive a list of configurations for a given
|
|
+# pin and returns it as list, in the format PIN [cfg1, cfg2, ..., cfgN].
|
|
+clevis_luks_join_sss_cfg() {
|
|
+ local pin="${1}"
|
|
+ local cfg="${2}"
|
|
+ cfg=$(echo "${cfg}" | tr -d "'" | sed -e 's/^,//')
|
|
+ printf '"%s":[%s]' "${pin}" "${cfg}"
|
|
+}
|
|
+
|
|
+# clevis_luks_process_sss_pin() will receive a JWE with information on the sss
|
|
+# pin config, and also its associated threshold, and will extract the info.
|
|
+clevis_luks_process_sss_pin() {
|
|
+ local jwe="${1}"
|
|
+ local threshold="${2}"
|
|
+
|
|
+ local sss_tang
|
|
+ local sss_tpm2
|
|
+ local sss
|
|
+ local pin_cfg
|
|
+ local pin
|
|
+ local cfg
|
|
+
|
|
+ local coded
|
|
+ for coded in $(jose fmt -j- -Og jwe -Af- <<< "${jwe}"| tr -d '"'); do
|
|
+ if ! pin_cfg="$(clevis_luks_decode_pin_config "${coded}")"; then
|
|
+ continue
|
|
+ fi
|
|
+ read -r pin cfg <<< "${pin_cfg}"
|
|
+ case "${pin}" in
|
|
+ tang)
|
|
+ sss_tang="${sss_tang},${cfg}"
|
|
+ ;;
|
|
+ tpm2)
|
|
+ sss_tpm2="${sss_tpm2},${cfg}"
|
|
+ ;;
|
|
+ sss)
|
|
+ sss=$(echo "${cfg}" | tr -d "'")
|
|
+ ;;
|
|
+ esac
|
|
+ done
|
|
+
|
|
+ cfg=
|
|
+ if [[ -n "${sss_tang}" ]]; then
|
|
+ cfg=$(clevis_luks_join_sss_cfg "tang" "${sss_tang}")
|
|
+ fi
|
|
+
|
|
+ if [[ -n "${sss_tpm2}" ]]; then
|
|
+ cfg="${cfg},"$(clevis_luks_join_sss_cfg "tpm2" "${sss_tpm2}")
|
|
+ fi
|
|
+
|
|
+ if [[ -n "${sss}" ]]; then
|
|
+ cfg=$(printf '%s,"sss":%s' "${cfg}" "${sss}")
|
|
+ fi
|
|
+
|
|
+ # Remove possible leading comma.
|
|
+ cfg=${cfg/#,/}
|
|
+ pin=$(printf '{"t":%d,"pins":{%s}}' "${threshold}" "${cfg}")
|
|
+ printf "sss '%s'" "${pin}"
|
|
+}
|
|
+
|
|
+# clevis_luks_read_pins_from_slot() will receive a given device and slot and
|
|
+# will then output its associated policy configuration.
|
|
+clevis_luks_read_pins_from_slot() {
|
|
+ local DEV="${1}"
|
|
+ local SLOT="${2}"
|
|
+
|
|
+ local jwe
|
|
+ if ! jwe=$(clevis_luks_read_slot "${DEV}" "${SLOT}" 2>/dev/null); then
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ local cfg
|
|
+ if ! cfg="$(clevis_luks_decode_pin_config "${jwe}")"; then
|
|
+ return 1
|
|
+ fi
|
|
+ printf "%s: %s\n" "${SLOT}" "${cfg}"
|
|
+}
|
|
diff --git a/src/luks/clevis-luks-list b/src/luks/clevis-luks-list
|
|
new file mode 100755
|
|
index 0000000..58678c4
|
|
--- /dev/null
|
|
+++ b/src/luks/clevis-luks-list
|
|
@@ -0,0 +1,77 @@
|
|
+#!/bin/bash -e
|
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
+#
|
|
+# Copyright (c) 2017-2019 Red Hat, Inc.
|
|
+# Author: Javier Martinez Canillas <javierm@redhat.com>
|
|
+# Author: Sergio Correia <scorreia@redhat.com> - LUKS2 support.
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+. clevis-luks-common-functions
|
|
+
|
|
+SUMMARY="Lists pins bound to a LUKSv1 or LUKSv2 device"
|
|
+
|
|
+function usage() {
|
|
+ echo >&2
|
|
+ echo "Usage: clevis luks list -d DEV [-s SLT]" >&2
|
|
+ echo >&2
|
|
+ echo "$SUMMARY": >&2
|
|
+ echo >&2
|
|
+ echo " -d DEV The LUKS device to list bound pins" >&2
|
|
+ echo >&2
|
|
+ echo " -s SLOT The slot number to list" >&2
|
|
+ echo >&2
|
|
+ exit 1
|
|
+}
|
|
+
|
|
+if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then
|
|
+ echo "${SUMMARY}"
|
|
+ exit 0
|
|
+fi
|
|
+
|
|
+while getopts ":d:s:" o; do
|
|
+ case "$o" in
|
|
+ d) DEV=${OPTARG};;
|
|
+ s) SLT=${OPTARG};;
|
|
+ *) usage;;
|
|
+ esac
|
|
+done
|
|
+
|
|
+if [ -z "${DEV}" ]; then
|
|
+ echo "Did not specify a device!" >&2
|
|
+ usage
|
|
+fi
|
|
+
|
|
+if cryptsetup isLuks --type luks1 "${DEV}"; then
|
|
+ if ! luksmeta test -d "${DEV}" 2>/dev/null; then
|
|
+ echo "The ${DEV} device is not valid!" >&2
|
|
+ exit 1
|
|
+ fi
|
|
+fi
|
|
+
|
|
+if [ -n "${SLT}" ]; then
|
|
+ clevis_luks_read_pins_from_slot "${DEV}" "${SLT}"
|
|
+else
|
|
+ if ! slots=$(clevis_luks_used_slots "${DEV}"); then
|
|
+ echo "No used slots detected for device ${DEV}!" >&2
|
|
+ exit 1
|
|
+ fi
|
|
+
|
|
+ for s in ${slots}; do
|
|
+ if ! clevis_luks_read_pins_from_slot "${DEV}" "${s}"; then
|
|
+ continue
|
|
+ fi
|
|
+ done
|
|
+fi
|
|
diff --git a/src/luks/clevis-luks-list.1.adoc b/src/luks/clevis-luks-list.1.adoc
|
|
new file mode 100644
|
|
index 0000000..2e84f05
|
|
--- /dev/null
|
|
+++ b/src/luks/clevis-luks-list.1.adoc
|
|
@@ -0,0 +1,58 @@
|
|
+CLEVIS-LUKS-LIST(1)
|
|
+===================
|
|
+:doctype: manpage
|
|
+
|
|
+
|
|
+== NAME
|
|
+
|
|
+clevis-luks-list - Lists pins bound to a LUKS device
|
|
+
|
|
+== SYNOPSIS
|
|
+
|
|
+*clevis luks list* -d DEV [-s SLT]
|
|
+
|
|
+== OVERVIEW
|
|
+
|
|
+The *clevis luks list* command list the pins bound to LUKS device.
|
|
+For example:
|
|
+
|
|
+ clevis luks list -d /dev/sda1
|
|
+
|
|
+== OPTIONS
|
|
+
|
|
+* *-d* _DEV_ :
|
|
+ The LUKS device on which to list bound pins
|
|
+
|
|
+* *-s* _SLT_ :
|
|
+ The slot to use for listing the pin from
|
|
+
|
|
+== EXAMPLES
|
|
+
|
|
+ clevis luks list -d /dev/sda1
|
|
+ 1: sss '{"t":1,"pins":{"tang":[{"url":"addr1"},{"url":"addr2"}],"tpm2":[{"hash":"sha256","key":"ecc"}],"sss":{"t":1,"pins":{"tang":[{"url":"addr3"}]}}}}'
|
|
+ 2: tang '{"url":"addr"}'
|
|
+ 3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
|
|
+
|
|
+As we can see in the example above, */dev/sda1* has three slots bound each with a different pin.
|
|
+- Slot #1 is bound with the _sss_ pin, and uses also tang and tpm2 pins in its policy.
|
|
+- Slot #2 is bound using the _tang_ pin
|
|
+- Slot #3 is bound with the _tpm2_ pin
|
|
+
|
|
+Note that the output of *clevis luks list* can be used with the *clevis luks bind* command, such as:
|
|
+
|
|
+ clevis luks bind -d /dev/sda1 tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
|
|
+
|
|
+And we will bind another slot with a policy similar to the one we have in slot #3.
|
|
+Also note that if you are interested in a particular slot, you can pass the _-s SLT_ argument to *clevis luks list*:
|
|
+
|
|
+ clevis luks list -d /dev/sda1 -s 2
|
|
+ 2: tang '{"url":"addr"}'
|
|
+
|
|
+In the above example, we listed only the pin bound to slot #2.
|
|
+
|
|
+== SEE ALSO
|
|
+
|
|
+link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)],
|
|
+link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
|
|
+link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)],
|
|
+link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
|
|
diff --git a/src/luks/meson.build b/src/luks/meson.build
|
|
index 7c045c4..51d82fb 100644
|
|
--- a/src/luks/meson.build
|
|
+++ b/src/luks/meson.build
|
|
@@ -20,6 +20,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
|
|
bins += join_paths(meson.current_source_dir(), 'clevis-luks-regen')
|
|
mans += join_paths(meson.current_source_dir(), 'clevis-luks-regen.1')
|
|
|
|
+ bins += join_paths(meson.current_source_dir(), 'clevis-luks-list')
|
|
+ mans += join_paths(meson.current_source_dir(), 'clevis-luks-list.1')
|
|
+
|
|
bins += join_paths(meson.current_source_dir(), 'clevis-luks-report')
|
|
bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-compare')
|
|
bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-decode')
|
|
@@ -30,4 +33,7 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
|
|
mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlockers.7')
|
|
else
|
|
warning('Will not install LUKS support due to missing dependencies!')
|
|
-endif
|
|
\ No newline at end of file
|
|
+endif
|
|
+
|
|
+# Tests.
|
|
+subdir('tests')
|
|
diff --git a/src/luks/tests/list-recursive-luks1 b/src/luks/tests/list-recursive-luks1
|
|
new file mode 100755
|
|
index 0000000..d9eaa3a
|
|
--- /dev/null
|
|
+++ b/src/luks/tests/list-recursive-luks1
|
|
@@ -0,0 +1,85 @@
|
|
+#!/bin/bash -ex
|
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
+#
|
|
+# Copyright (c) 2019 Red Hat, Inc.
|
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+TEST=$(basename "${0}")
|
|
+. tests-common-functions
|
|
+
|
|
+on_exit() {
|
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
|
+}
|
|
+
|
|
+trap 'on_exit' EXIT
|
|
+trap 'exit' ERR
|
|
+
|
|
+TMP="$(mktemp -d)"
|
|
+
|
|
+ADV="${TMP}/adv.jws"
|
|
+create_tang_adv "${ADV}"
|
|
+PIN="sss"
|
|
+CFG=$(printf '
|
|
+{
|
|
+ "t": 1,
|
|
+ "pins": {
|
|
+ "sss": {
|
|
+ "t": 1,
|
|
+ "pins": {
|
|
+ "sss": {
|
|
+ "t": 1,
|
|
+ "pins": {
|
|
+ "tang": [
|
|
+ {
|
|
+ "url": "ADDR","adv": "%s"
|
|
+ }
|
|
+ ]
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+}
|
|
+' "${ADV}")
|
|
+
|
|
+# LUKS1.
|
|
+DEV="${TMP}/luks1-device"
|
|
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
|
+new_device "luks1" "${DEV}"
|
|
+
|
|
+if ! clevis luks bind -f -d "${DEV}" "${PIN}" "${CFG}" <<< "${DEFAULT_PASS}"; then
|
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
|
|
+fi
|
|
+
|
|
+SLT=1
|
|
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
|
|
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
|
|
+fi
|
|
+
|
|
+if [[ "${slot}" != "${SLT}:" ]]; then
|
|
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
|
|
+fi
|
|
+
|
|
+if [[ "${pin}" != "${PIN}" ]]; then
|
|
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
|
|
+fi
|
|
+
|
|
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
|
|
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
|
|
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
|
|
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
|
|
+fi
|
|
diff --git a/src/luks/tests/list-recursive-luks2 b/src/luks/tests/list-recursive-luks2
|
|
new file mode 100755
|
|
index 0000000..80a8278
|
|
--- /dev/null
|
|
+++ b/src/luks/tests/list-recursive-luks2
|
|
@@ -0,0 +1,85 @@
|
|
+#!/bin/bash -ex
|
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
+#
|
|
+# Copyright (c) 2019 Red Hat, Inc.
|
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+TEST=$(basename "${0}")
|
|
+. tests-common-functions
|
|
+
|
|
+on_exit() {
|
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
|
+}
|
|
+
|
|
+trap 'on_exit' EXIT
|
|
+trap 'exit' ERR
|
|
+
|
|
+TMP="$(mktemp -d)"
|
|
+
|
|
+ADV="${TMP}/adv.jws"
|
|
+create_tang_adv "${ADV}"
|
|
+PIN="sss"
|
|
+CFG=$(printf '
|
|
+{
|
|
+ "t": 1,
|
|
+ "pins": {
|
|
+ "sss": {
|
|
+ "t": 1,
|
|
+ "pins": {
|
|
+ "sss": {
|
|
+ "t": 1,
|
|
+ "pins": {
|
|
+ "tang": [
|
|
+ {
|
|
+ "url": "ADDR","adv": "%s"
|
|
+ }
|
|
+ ]
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+}
|
|
+' "${ADV}")
|
|
+
|
|
+# LUKS2.
|
|
+DEV="${TMP}/luks1-device"
|
|
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
|
+new_device "luks2" "${DEV}"
|
|
+
|
|
+if ! clevis luks bind -f -d "${DEV}" "${PIN}" "${CFG}" <<< "${DEFAULT_PASS}"; then
|
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
|
|
+fi
|
|
+
|
|
+SLT=1
|
|
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
|
|
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
|
|
+fi
|
|
+
|
|
+if [[ "${slot}" != "${SLT}:" ]]; then
|
|
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
|
|
+fi
|
|
+
|
|
+if [[ "${pin}" != "${PIN}" ]]; then
|
|
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
|
|
+fi
|
|
+
|
|
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
|
|
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
|
|
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
|
|
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
|
|
+fi
|
|
diff --git a/src/luks/tests/list-sss-tang-luks1 b/src/luks/tests/list-sss-tang-luks1
|
|
new file mode 100755
|
|
index 0000000..086fa35
|
|
--- /dev/null
|
|
+++ b/src/luks/tests/list-sss-tang-luks1
|
|
@@ -0,0 +1,77 @@
|
|
+#!/bin/bash -ex
|
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
+#
|
|
+# Copyright (c) 2019 Red Hat, Inc.
|
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+TEST=$(basename "${0}")
|
|
+. tests-common-functions
|
|
+
|
|
+on_exit() {
|
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
|
+}
|
|
+
|
|
+trap 'on_exit' EXIT
|
|
+trap 'exit' ERR
|
|
+
|
|
+TMP="$(mktemp -d)"
|
|
+
|
|
+ADV="${TMP}/adv.jws"
|
|
+create_tang_adv "${ADV}"
|
|
+PIN="sss"
|
|
+CFG=$(printf '
|
|
+{
|
|
+ "t": 2,
|
|
+ "pins": {
|
|
+ "tang": [
|
|
+ {"url":"ADDR1","adv":"%s"},
|
|
+ {"url":"ADDR2","adv":"%s"},
|
|
+ {"url":"ADDR3","adv":"%s"},
|
|
+ {"url":"ADDR4","adv":"%s"},
|
|
+ {"url":"ADDR5","adv":"%s"}
|
|
+ ]
|
|
+ }
|
|
+}
|
|
+' "${ADV}" "${ADV}" "${ADV}" "${ADV}" "${ADV}")
|
|
+
|
|
+# LUKS1.
|
|
+DEV="${TMP}/luks1-device"
|
|
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
|
+new_device "luks1" "${DEV}"
|
|
+
|
|
+if ! clevis luks bind -f -d "${DEV}" ${PIN} "${CFG}" <<< "${DEFAULT_PASS}"; then
|
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
|
|
+fi
|
|
+
|
|
+SLT=1
|
|
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
|
|
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
|
|
+fi
|
|
+
|
|
+if [[ "${slot}" != "${SLT}:" ]]; then
|
|
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
|
|
+fi
|
|
+
|
|
+if [[ "${pin}" != "${PIN}" ]]; then
|
|
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
|
|
+fi
|
|
+
|
|
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
|
|
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
|
|
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
|
|
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
|
|
+fi
|
|
diff --git a/src/luks/tests/list-sss-tang-luks2 b/src/luks/tests/list-sss-tang-luks2
|
|
new file mode 100755
|
|
index 0000000..ea4cfbb
|
|
--- /dev/null
|
|
+++ b/src/luks/tests/list-sss-tang-luks2
|
|
@@ -0,0 +1,77 @@
|
|
+#!/bin/bash -ex
|
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
+#
|
|
+# Copyright (c) 2019 Red Hat, Inc.
|
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+TEST=$(basename "${0}")
|
|
+. tests-common-functions
|
|
+
|
|
+on_exit() {
|
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
|
+}
|
|
+
|
|
+trap 'on_exit' EXIT
|
|
+trap 'exit' ERR
|
|
+
|
|
+TMP="$(mktemp -d)"
|
|
+
|
|
+ADV="${TMP}/adv.jws"
|
|
+create_tang_adv "${ADV}"
|
|
+PIN="sss"
|
|
+CFG=$(printf '
|
|
+{
|
|
+ "t": 2,
|
|
+ "pins": {
|
|
+ "tang": [
|
|
+ {"url":"ADDR1","adv":"%s"},
|
|
+ {"url":"ADDR2","adv":"%s"},
|
|
+ {"url":"ADDR3","adv":"%s"},
|
|
+ {"url":"ADDR4","adv":"%s"},
|
|
+ {"url":"ADDR5","adv":"%s"}
|
|
+ ]
|
|
+ }
|
|
+}
|
|
+' "${ADV}" "${ADV}" "${ADV}" "${ADV}" "${ADV}")
|
|
+
|
|
+# LUKS2.
|
|
+DEV="${TMP}/luks1-device"
|
|
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
|
+new_device "luks2" "${DEV}"
|
|
+
|
|
+if ! clevis luks bind -f -d "${DEV}" ${PIN} "${CFG}" <<< "${DEFAULT_PASS}"; then
|
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
|
|
+fi
|
|
+
|
|
+SLT=1
|
|
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
|
|
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
|
|
+fi
|
|
+
|
|
+if [[ "${slot}" != "${SLT}:" ]]; then
|
|
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
|
|
+fi
|
|
+
|
|
+if [[ "${pin}" != "${PIN}" ]]; then
|
|
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
|
|
+fi
|
|
+
|
|
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
|
|
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
|
|
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
|
|
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
|
|
+fi
|
|
diff --git a/src/luks/tests/list-tang-luks1 b/src/luks/tests/list-tang-luks1
|
|
new file mode 100755
|
|
index 0000000..c526693
|
|
--- /dev/null
|
|
+++ b/src/luks/tests/list-tang-luks1
|
|
@@ -0,0 +1,64 @@
|
|
+#!/bin/bash -ex
|
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
+#
|
|
+# Copyright (c) 2019 Red Hat, Inc.
|
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+TEST=$(basename "${0}")
|
|
+. tests-common-functions
|
|
+
|
|
+on_exit() {
|
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
|
+}
|
|
+
|
|
+trap 'on_exit' EXIT
|
|
+trap 'exit' ERR
|
|
+
|
|
+TMP="$(mktemp -d)"
|
|
+
|
|
+ADV="${TMP}/adv.jws"
|
|
+create_tang_adv "${ADV}"
|
|
+PIN="tang"
|
|
+CFG=$(printf '{"url": "ADDR","adv": "%s"}' "${ADV}")
|
|
+
|
|
+# LUKS1.
|
|
+DEV="${TMP}/luks1-device"
|
|
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
|
+new_device "luks1" "${DEV}"
|
|
+
|
|
+if ! clevis luks bind -f -d "${DEV}" "${PIN}" "${CFG}" <<< "${DEFAULT_PASS}"; then
|
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
|
|
+fi
|
|
+
|
|
+SLT=1
|
|
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
|
|
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
|
|
+fi
|
|
+
|
|
+if [[ "${slot}" != "${SLT}:" ]]; then
|
|
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
|
|
+fi
|
|
+
|
|
+if [[ "${pin}" != "${PIN}" ]]; then
|
|
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
|
|
+fi
|
|
+
|
|
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
|
|
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
|
|
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
|
|
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
|
|
+fi
|
|
diff --git a/src/luks/tests/list-tang-luks2 b/src/luks/tests/list-tang-luks2
|
|
new file mode 100755
|
|
index 0000000..d4d4849
|
|
--- /dev/null
|
|
+++ b/src/luks/tests/list-tang-luks2
|
|
@@ -0,0 +1,64 @@
|
|
+#!/bin/bash -ex
|
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
+#
|
|
+# Copyright (c) 2019 Red Hat, Inc.
|
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+TEST=$(basename "${0}")
|
|
+. tests-common-functions
|
|
+
|
|
+on_exit() {
|
|
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
|
|
+}
|
|
+
|
|
+trap 'on_exit' EXIT
|
|
+trap 'exit' ERR
|
|
+
|
|
+TMP="$(mktemp -d)"
|
|
+
|
|
+ADV="${TMP}/adv.jws"
|
|
+create_tang_adv "${ADV}"
|
|
+PIN="tang"
|
|
+CFG=$(printf '{"url": "ADDR","adv": "%s"}' "${ADV}")
|
|
+
|
|
+# LUKS2.
|
|
+DEV="${TMP}/luks1-device"
|
|
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
|
|
+new_device "luks2" "${DEV}"
|
|
+
|
|
+if ! clevis luks bind -f -d "${DEV}" "${PIN}" "${CFG}" <<< "${DEFAULT_PASS}"; then
|
|
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
|
|
+fi
|
|
+
|
|
+SLT=1
|
|
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
|
|
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
|
|
+fi
|
|
+
|
|
+if [[ "${slot}" != "${SLT}:" ]]; then
|
|
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
|
|
+fi
|
|
+
|
|
+if [[ "${pin}" != "${PIN}" ]]; then
|
|
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
|
|
+fi
|
|
+
|
|
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
|
|
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
|
|
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
|
|
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
|
|
+fi
|
|
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
|
|
new file mode 100644
|
|
index 0000000..6513eaa
|
|
--- /dev/null
|
|
+++ b/src/luks/tests/meson.build
|
|
@@ -0,0 +1,36 @@
|
|
+# We use jq for comparing the pin config in the clevis luks list tests.
|
|
+jq = find_program('jq', required: false)
|
|
+
|
|
+env = environment()
|
|
+env.prepend('PATH',
|
|
+ join_paths(meson.source_root(), 'src'),
|
|
+ join_paths(meson.source_root(), 'src', 'luks'),
|
|
+ join_paths(meson.source_root(), 'src', 'pins', 'sss'),
|
|
+ join_paths(meson.source_root(), 'src', 'pins', 'tang'),
|
|
+ join_paths(meson.source_root(), 'src', 'pins', 'tpm2'),
|
|
+ meson.current_source_dir(),
|
|
+ meson.current_build_dir(),
|
|
+ join_paths(meson.build_root(), 'src'),
|
|
+ join_paths(meson.build_root(), 'src', 'luks'),
|
|
+ join_paths(meson.build_root(), 'src', 'pins', 'sss'),
|
|
+ join_paths(meson.build_root(), 'src', 'pins', 'tang'),
|
|
+ join_paths(meson.build_root(), 'src', 'pins', 'tpm2'),
|
|
+ separator: ':'
|
|
+)
|
|
+
|
|
+if jq.found()
|
|
+ test('list-recursive-luks1', find_program('list-recursive-luks1'), env: env)
|
|
+ test('list-tang-luks1', find_program('list-tang-luks1'), env: env)
|
|
+ test('list-sss-tang-luks1', find_program('list-sss-tang-luks1'), env: env)
|
|
+else
|
|
+ warning('Will not run "clevis luks list" tests due to missing jq dependency')
|
|
+endif
|
|
+
|
|
+# LUKS2 tests go here, and they get included if we get support for it, based
|
|
+# on the cryptsetup version.
|
|
+# Binding LUKS2 takes longer, so timeout is increased for a few tests.
|
|
+if jq.found()
|
|
+ test('list-recursive-luks2', find_program('list-recursive-luks2'), env: env, timeout: 60)
|
|
+ test('list-tang-luks2', find_program('list-tang-luks2'), env: env, timeout: 60)
|
|
+ test('list-sss-tang-luks2', find_program('list-sss-tang-luks2'), env: env, timeout: 60)
|
|
+endif
|
|
diff --git a/src/luks/tests/tests-common-functions b/src/luks/tests/tests-common-functions
|
|
new file mode 100644
|
|
index 0000000..b65a84a
|
|
--- /dev/null
|
|
+++ b/src/luks/tests/tests-common-functions
|
|
@@ -0,0 +1,76 @@
|
|
+#!/bin/bash -ex
|
|
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
+#
|
|
+# Copyright (c) 2019 Red Hat, Inc.
|
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+#
|
|
+
|
|
+# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
|
|
+# Support is determined at build time.
|
|
+luks2_supported() {
|
|
+ # In RHEL8 we support LUKS2.
|
|
+ return 0
|
|
+}
|
|
+
|
|
+# Creates a tang adv to be used in the test.
|
|
+create_tang_adv() {
|
|
+ local adv="${1}"
|
|
+ local SIG="${TMP}/sig.jwk"
|
|
+ jose jwk gen -i '{"alg":"ES512"}' > "${SIG}"
|
|
+
|
|
+ local EXC="${TMP}/exc.jwk"
|
|
+ jose jwk gen -i '{"alg":"ECMR"}' > "${EXC}"
|
|
+
|
|
+ local TEMPLATE='{"protected":{"cty":"jwk-set+json"}}'
|
|
+ jose jwk pub -s -i "${SIG}" -i "${EXC}" \
|
|
+ | jose jws sig -I- -s "${TEMPLATE}" -k "${SIG}" -o "${adv}"
|
|
+}
|
|
+
|
|
+
|
|
+# Creates a new LUKS1 or LUKS2 device to be used.
|
|
+new_device() {
|
|
+ local LUKS="${1}"
|
|
+ local DEV="${2}"
|
|
+
|
|
+ local DEV_CACHED="${TMP}/${LUKS}.cached"
|
|
+
|
|
+ # Let's reuse an existing device, if there is one.
|
|
+ if [ -f "${DEV_CACHED}" ]; then
|
|
+ echo "Reusing cached ${LUKS} device..."
|
|
+ cp -f "${DEV_CACHED}" "${DEV}"
|
|
+ return 0
|
|
+ fi
|
|
+
|
|
+ fallocate -l16M "${DEV}"
|
|
+ cryptsetup luksFormat --type "${LUKS}" --batch-mode --force-password "${DEV}" <<< "${DEFAULT_PASS}"
|
|
+ # Caching the just-formatted device for possible reuse.
|
|
+ cp -f "${DEV}" "${DEV_CACHED}"
|
|
+}
|
|
+
|
|
+error() {
|
|
+ echo "${1}" >&2
|
|
+ exit 1
|
|
+}
|
|
+
|
|
+pin_cfg_equal() {
|
|
+ local cfg1="${1}"
|
|
+ local cfg2="${1}"
|
|
+
|
|
+ diff <(jq -S . < <(echo -n "${cfg1}")) \
|
|
+ <(jq -S . < <(echo -n "${cfg2}"))
|
|
+}
|
|
+
|
|
+export DEFAULT_PASS='just-some-test-password-here'
|
|
--
|
|
2.18.1
|
|
|