clevis/SOURCES/Add-support-for-listing-existing-PBD-policies-in-pla.patch
2021-10-08 10:05:40 +00:00

1010 lines
31 KiB
Diff

From a128130755bcd893ccf1d70b52c13fbaf29613c9 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Sat, 30 Nov 2019 14:26:59 -0500
Subject: [PATCH] Add clevis luks list command
Usage:
clevis luks list -d DEV [-s SLT]
Examples:
clevis luks list -d device
1: sss '{"t":1,"pins":{"tang":[{"url":"addr1"},{"url":"addr2"}],"tpm2":[{"hash":"sha256","key":"ecc"}],"sss":{"t":1,"pins":{"tang":[{"url":"addr3"}]}}}}'
2: tang '{"url":"addr"}'
3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
clevis luks list -d device -s 3
3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
---
src/luks/clevis-luks-common-functions | 173 ++++++++++++++++++++++++++
src/luks/clevis-luks-list | 77 ++++++++++++
src/luks/clevis-luks-list.1.adoc | 58 +++++++++
src/luks/meson.build | 8 +-
src/luks/tests/list-recursive-luks1 | 85 +++++++++++++
src/luks/tests/list-recursive-luks2 | 85 +++++++++++++
src/luks/tests/list-sss-tang-luks1 | 77 ++++++++++++
src/luks/tests/list-sss-tang-luks2 | 77 ++++++++++++
src/luks/tests/list-tang-luks1 | 64 ++++++++++
src/luks/tests/list-tang-luks2 | 64 ++++++++++
src/luks/tests/meson.build | 36 ++++++
src/luks/tests/tests-common-functions | 76 +++++++++++
12 files changed, 879 insertions(+), 1 deletion(-)
create mode 100755 src/luks/clevis-luks-list
create mode 100644 src/luks/clevis-luks-list.1.adoc
create mode 100755 src/luks/tests/list-recursive-luks1
create mode 100755 src/luks/tests/list-recursive-luks2
create mode 100755 src/luks/tests/list-sss-tang-luks1
create mode 100755 src/luks/tests/list-sss-tang-luks2
create mode 100755 src/luks/tests/list-tang-luks1
create mode 100755 src/luks/tests/list-tang-luks2
create mode 100644 src/luks/tests/meson.build
create mode 100644 src/luks/tests/tests-common-functions
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index d676253..9ba1812 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -141,3 +141,176 @@ findexe() {
return 1
}
+# clevis_luks_used_slots() will return the list of used slots for a given LUKS
+# device.
+clevis_luks_used_slots() {
+ local DEV="${1}"
+
+ local slots
+ if cryptsetup isLuks --type luks1 "${DEV}"; then
+ readarray -t slots < <(cryptsetup luksDump "${DEV}" \
+ | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
+ elif cryptsetup isLuks --type luks2 "${DEV}"; then
+ readarray -t slots < <(cryptsetup luksDump "${DEV}" \
+ | sed -rn 's|^\s+([0-9]+): luks2$|\1|p')
+ else
+ echo "${DEV} is not a supported LUKS device!" >&2
+ return 1
+ fi
+ echo "${slots[@]}"
+}
+
+# clevis_luks_decode_jwe() will decode a given JWE.
+clevis_luks_decode_jwe() {
+ local jwe="${1}"
+
+ local coded
+ if ! coded=$(jose jwe fmt -i- <<< "${jwe}"); then
+ return 1
+ fi
+
+ coded=$(jose fmt -j- -g protected -u- <<< "${coded}" | tr -d '"')
+ jose b64 dec -i- <<< "${coded}"
+}
+
+# clevis_luks_print_pin_config() will print the config of a given pin; i.e.
+# for tang it will display the associated url address, and for tpm2, the
+# properties in place, like the hash, for instance.
+clevis_luks_print_pin_config() {
+ local P="${1}"
+ local decoded="${2}"
+
+ local content
+ if ! content="$(jose fmt -j- -g clevis -g "${P}" -o- <<< "${decoded}")" \
+ || [[ -z "${content}" ]]; then
+ return 1
+ fi
+
+ local pin=
+ case "${P}" in
+ tang)
+ local url
+ url="$(jose fmt -j- -g url -u- <<< "${content}")"
+ pin=$(printf '{"url":"%s"}' "${url}")
+ printf "tang '%s'" "${pin}"
+ ;;
+ tpm2)
+ # Valid properties for tpm2 pin are the following:
+ # hash, key, pcr_bank, pcr_ids, pcr_digest.
+ local key
+ local value
+ for key in 'hash' 'key' 'pcr_bank' 'pcr_ids' 'pcr_digest'; do
+ if value=$(jose fmt -j- -g "${key}" -u- <<< "${content}"); then
+ pin=$(printf '%s,"%s":"%s"' "${pin}" "${key}" "${value}")
+ fi
+ done
+ # Remove possible leading comma.
+ pin=${pin/#,/}
+ printf "tpm2 '{%s}'" "${pin}"
+ ;;
+ sss)
+ local threshold
+ threshold=$(jose fmt -j- -Og t -o- <<< "${content}")
+ clevis_luks_process_sss_pin "${content}" "${threshold}"
+ ;;
+ *)
+ printf "unknown pin '%s'" "${P}"
+ ;;
+ esac
+}
+
+# clevis_luks_decode_pin_config() will receive a JWE and extract a pin config
+# from it.
+clevis_luks_decode_pin_config() {
+ local jwe="${1}"
+
+ local decoded
+ if ! decoded=$(clevis_luks_decode_jwe "${jwe}"); then
+ return 1
+ fi
+
+ local P
+ if ! P=$(jose fmt -j- -Og clevis -g pin -u- <<< "${decoded}"); then
+ return 1
+ fi
+
+ clevis_luks_print_pin_config "${P}" "${decoded}"
+}
+
+# clevis_luks_join_sss_cfg() will receive a list of configurations for a given
+# pin and returns it as list, in the format PIN [cfg1, cfg2, ..., cfgN].
+clevis_luks_join_sss_cfg() {
+ local pin="${1}"
+ local cfg="${2}"
+ cfg=$(echo "${cfg}" | tr -d "'" | sed -e 's/^,//')
+ printf '"%s":[%s]' "${pin}" "${cfg}"
+}
+
+# clevis_luks_process_sss_pin() will receive a JWE with information on the sss
+# pin config, and also its associated threshold, and will extract the info.
+clevis_luks_process_sss_pin() {
+ local jwe="${1}"
+ local threshold="${2}"
+
+ local sss_tang
+ local sss_tpm2
+ local sss
+ local pin_cfg
+ local pin
+ local cfg
+
+ local coded
+ for coded in $(jose fmt -j- -Og jwe -Af- <<< "${jwe}"| tr -d '"'); do
+ if ! pin_cfg="$(clevis_luks_decode_pin_config "${coded}")"; then
+ continue
+ fi
+ read -r pin cfg <<< "${pin_cfg}"
+ case "${pin}" in
+ tang)
+ sss_tang="${sss_tang},${cfg}"
+ ;;
+ tpm2)
+ sss_tpm2="${sss_tpm2},${cfg}"
+ ;;
+ sss)
+ sss=$(echo "${cfg}" | tr -d "'")
+ ;;
+ esac
+ done
+
+ cfg=
+ if [[ -n "${sss_tang}" ]]; then
+ cfg=$(clevis_luks_join_sss_cfg "tang" "${sss_tang}")
+ fi
+
+ if [[ -n "${sss_tpm2}" ]]; then
+ cfg="${cfg},"$(clevis_luks_join_sss_cfg "tpm2" "${sss_tpm2}")
+ fi
+
+ if [[ -n "${sss}" ]]; then
+ cfg=$(printf '%s,"sss":%s' "${cfg}" "${sss}")
+ fi
+
+ # Remove possible leading comma.
+ cfg=${cfg/#,/}
+ pin=$(printf '{"t":%d,"pins":{%s}}' "${threshold}" "${cfg}")
+ printf "sss '%s'" "${pin}"
+}
+
+# clevis_luks_read_pins_from_slot() will receive a given device and slot and
+# will then output its associated policy configuration.
+clevis_luks_read_pins_from_slot() {
+ local DEV="${1}"
+ local SLOT="${2}"
+
+ local jwe
+ if ! jwe=$(clevis_luks_read_slot "${DEV}" "${SLOT}" 2>/dev/null); then
+ return 1
+ fi
+
+ local cfg
+ if ! cfg="$(clevis_luks_decode_pin_config "${jwe}")"; then
+ return 1
+ fi
+ printf "%s: %s\n" "${SLOT}" "${cfg}"
+}
diff --git a/src/luks/clevis-luks-list b/src/luks/clevis-luks-list
new file mode 100755
index 0000000..58678c4
--- /dev/null
+++ b/src/luks/clevis-luks-list
@@ -0,0 +1,77 @@
+#!/bin/bash -e
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2017-2019 Red Hat, Inc.
+# Author: Javier Martinez Canillas <javierm@redhat.com>
+# Author: Sergio Correia <scorreia@redhat.com> - LUKS2 support.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+. clevis-luks-common-functions
+
+SUMMARY="Lists pins bound to a LUKSv1 or LUKSv2 device"
+
+function usage() {
+ echo >&2
+ echo "Usage: clevis luks list -d DEV [-s SLT]" >&2
+ echo >&2
+ echo "$SUMMARY": >&2
+ echo >&2
+ echo " -d DEV The LUKS device to list bound pins" >&2
+ echo >&2
+ echo " -s SLOT The slot number to list" >&2
+ echo >&2
+ exit 1
+}
+
+if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then
+ echo "${SUMMARY}"
+ exit 0
+fi
+
+while getopts ":d:s:" o; do
+ case "$o" in
+ d) DEV=${OPTARG};;
+ s) SLT=${OPTARG};;
+ *) usage;;
+ esac
+done
+
+if [ -z "${DEV}" ]; then
+ echo "Did not specify a device!" >&2
+ usage
+fi
+
+if cryptsetup isLuks --type luks1 "${DEV}"; then
+ if ! luksmeta test -d "${DEV}" 2>/dev/null; then
+ echo "The ${DEV} device is not valid!" >&2
+ exit 1
+ fi
+fi
+
+if [ -n "${SLT}" ]; then
+ clevis_luks_read_pins_from_slot "${DEV}" "${SLT}"
+else
+ if ! slots=$(clevis_luks_used_slots "${DEV}"); then
+ echo "No used slots detected for device ${DEV}!" >&2
+ exit 1
+ fi
+
+ for s in ${slots}; do
+ if ! clevis_luks_read_pins_from_slot "${DEV}" "${s}"; then
+ continue
+ fi
+ done
+fi
diff --git a/src/luks/clevis-luks-list.1.adoc b/src/luks/clevis-luks-list.1.adoc
new file mode 100644
index 0000000..2e84f05
--- /dev/null
+++ b/src/luks/clevis-luks-list.1.adoc
@@ -0,0 +1,58 @@
+CLEVIS-LUKS-LIST(1)
+===================
+:doctype: manpage
+
+
+== NAME
+
+clevis-luks-list - Lists pins bound to a LUKS device
+
+== SYNOPSIS
+
+*clevis luks list* -d DEV [-s SLT]
+
+== OVERVIEW
+
+The *clevis luks list* command list the pins bound to LUKS device.
+For example:
+
+ clevis luks list -d /dev/sda1
+
+== OPTIONS
+
+* *-d* _DEV_ :
+ The LUKS device on which to list bound pins
+
+* *-s* _SLT_ :
+ The slot to use for listing the pin from
+
+== EXAMPLES
+
+ clevis luks list -d /dev/sda1
+ 1: sss '{"t":1,"pins":{"tang":[{"url":"addr1"},{"url":"addr2"}],"tpm2":[{"hash":"sha256","key":"ecc"}],"sss":{"t":1,"pins":{"tang":[{"url":"addr3"}]}}}}'
+ 2: tang '{"url":"addr"}'
+ 3: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
+
+As we can see in the example above, */dev/sda1* has three slots bound each with a different pin.
+- Slot #1 is bound with the _sss_ pin, and uses also tang and tpm2 pins in its policy.
+- Slot #2 is bound using the _tang_ pin
+- Slot #3 is bound with the _tpm2_ pin
+
+Note that the output of *clevis luks list* can be used with the *clevis luks bind* command, such as:
+
+ clevis luks bind -d /dev/sda1 tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha1","pcr_ids":"7"}'
+
+And we will bind another slot with a policy similar to the one we have in slot #3.
+Also note that if you are interested in a particular slot, you can pass the _-s SLT_ argument to *clevis luks list*:
+
+ clevis luks list -d /dev/sda1 -s 2
+ 2: tang '{"url":"addr"}'
+
+In the above example, we listed only the pin bound to slot #2.
+
+== SEE ALSO
+
+link:clevis-luks-bind.1.adoc[*clevis-luks-bind*(1)],
+link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
+link:clevis-encrypt-tpm2.1.adoc[*clevis-encrypt-tpm2*(1)],
+link:clevis-encrypt-sss.1.adoc[*clevis-encrypt-sss*(1)],
diff --git a/src/luks/meson.build b/src/luks/meson.build
index 7c045c4..51d82fb 100644
--- a/src/luks/meson.build
+++ b/src/luks/meson.build
@@ -20,6 +20,9 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
bins += join_paths(meson.current_source_dir(), 'clevis-luks-regen')
mans += join_paths(meson.current_source_dir(), 'clevis-luks-regen.1')
+ bins += join_paths(meson.current_source_dir(), 'clevis-luks-list')
+ mans += join_paths(meson.current_source_dir(), 'clevis-luks-list.1')
+
bins += join_paths(meson.current_source_dir(), 'clevis-luks-report')
bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-compare')
bins += join_paths(meson.current_source_dir(), 'clevis-luks-report-decode')
@@ -30,4 +33,7 @@ if libcryptsetup.found() and luksmeta.found() and pwmake.found()
mans += join_paths(meson.current_source_dir(), 'clevis-luks-unlockers.7')
else
warning('Will not install LUKS support due to missing dependencies!')
-endif
\ No newline at end of file
+endif
+
+# Tests.
+subdir('tests')
diff --git a/src/luks/tests/list-recursive-luks1 b/src/luks/tests/list-recursive-luks1
new file mode 100755
index 0000000..d9eaa3a
--- /dev/null
+++ b/src/luks/tests/list-recursive-luks1
@@ -0,0 +1,85 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+PIN="sss"
+CFG=$(printf '
+{
+ "t": 1,
+ "pins": {
+ "sss": {
+ "t": 1,
+ "pins": {
+ "sss": {
+ "t": 1,
+ "pins": {
+ "tang": [
+ {
+ "url": "ADDR","adv": "%s"
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+}
+' "${ADV}")
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+new_device "luks1" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" "${PIN}" "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
+fi
+
+SLT=1
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
+fi
+
+if [[ "${slot}" != "${SLT}:" ]]; then
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
+fi
+
+if [[ "${pin}" != "${PIN}" ]]; then
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
+fi
+
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
+fi
diff --git a/src/luks/tests/list-recursive-luks2 b/src/luks/tests/list-recursive-luks2
new file mode 100755
index 0000000..80a8278
--- /dev/null
+++ b/src/luks/tests/list-recursive-luks2
@@ -0,0 +1,85 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+PIN="sss"
+CFG=$(printf '
+{
+ "t": 1,
+ "pins": {
+ "sss": {
+ "t": 1,
+ "pins": {
+ "sss": {
+ "t": 1,
+ "pins": {
+ "tang": [
+ {
+ "url": "ADDR","adv": "%s"
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+}
+' "${ADV}")
+
+# LUKS2.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+new_device "luks2" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" "${PIN}" "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
+fi
+
+SLT=1
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
+fi
+
+if [[ "${slot}" != "${SLT}:" ]]; then
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
+fi
+
+if [[ "${pin}" != "${PIN}" ]]; then
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
+fi
+
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
+fi
diff --git a/src/luks/tests/list-sss-tang-luks1 b/src/luks/tests/list-sss-tang-luks1
new file mode 100755
index 0000000..086fa35
--- /dev/null
+++ b/src/luks/tests/list-sss-tang-luks1
@@ -0,0 +1,77 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+PIN="sss"
+CFG=$(printf '
+{
+ "t": 2,
+ "pins": {
+ "tang": [
+ {"url":"ADDR1","adv":"%s"},
+ {"url":"ADDR2","adv":"%s"},
+ {"url":"ADDR3","adv":"%s"},
+ {"url":"ADDR4","adv":"%s"},
+ {"url":"ADDR5","adv":"%s"}
+ ]
+ }
+}
+' "${ADV}" "${ADV}" "${ADV}" "${ADV}" "${ADV}")
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+new_device "luks1" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" ${PIN} "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
+fi
+
+SLT=1
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
+fi
+
+if [[ "${slot}" != "${SLT}:" ]]; then
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
+fi
+
+if [[ "${pin}" != "${PIN}" ]]; then
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
+fi
+
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
+fi
diff --git a/src/luks/tests/list-sss-tang-luks2 b/src/luks/tests/list-sss-tang-luks2
new file mode 100755
index 0000000..ea4cfbb
--- /dev/null
+++ b/src/luks/tests/list-sss-tang-luks2
@@ -0,0 +1,77 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+PIN="sss"
+CFG=$(printf '
+{
+ "t": 2,
+ "pins": {
+ "tang": [
+ {"url":"ADDR1","adv":"%s"},
+ {"url":"ADDR2","adv":"%s"},
+ {"url":"ADDR3","adv":"%s"},
+ {"url":"ADDR4","adv":"%s"},
+ {"url":"ADDR5","adv":"%s"}
+ ]
+ }
+}
+' "${ADV}" "${ADV}" "${ADV}" "${ADV}" "${ADV}")
+
+# LUKS2.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+new_device "luks2" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" ${PIN} "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
+fi
+
+SLT=1
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
+fi
+
+if [[ "${slot}" != "${SLT}:" ]]; then
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
+fi
+
+if [[ "${pin}" != "${PIN}" ]]; then
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
+fi
+
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
+fi
diff --git a/src/luks/tests/list-tang-luks1 b/src/luks/tests/list-tang-luks1
new file mode 100755
index 0000000..c526693
--- /dev/null
+++ b/src/luks/tests/list-tang-luks1
@@ -0,0 +1,64 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+PIN="tang"
+CFG=$(printf '{"url": "ADDR","adv": "%s"}' "${ADV}")
+
+# LUKS1.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+new_device "luks1" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" "${PIN}" "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
+fi
+
+SLT=1
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
+fi
+
+if [[ "${slot}" != "${SLT}:" ]]; then
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
+fi
+
+if [[ "${pin}" != "${PIN}" ]]; then
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
+fi
+
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
+fi
diff --git a/src/luks/tests/list-tang-luks2 b/src/luks/tests/list-tang-luks2
new file mode 100755
index 0000000..d4d4849
--- /dev/null
+++ b/src/luks/tests/list-tang-luks2
@@ -0,0 +1,64 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+TEST=$(basename "${0}")
+. tests-common-functions
+
+on_exit() {
+ [ -d "${TMP}" ] && rm -rf "${TMP}"
+}
+
+trap 'on_exit' EXIT
+trap 'exit' ERR
+
+TMP="$(mktemp -d)"
+
+ADV="${TMP}/adv.jws"
+create_tang_adv "${ADV}"
+PIN="tang"
+CFG=$(printf '{"url": "ADDR","adv": "%s"}' "${ADV}")
+
+# LUKS2.
+DEV="${TMP}/luks1-device"
+UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+new_device "luks2" "${DEV}"
+
+if ! clevis luks bind -f -d "${DEV}" "${PIN}" "${CFG}" <<< "${DEFAULT_PASS}"; then
+ error "${TEST}: Binding is expected to succeed when given a correct (${DEFAULT_PASS}) password."
+fi
+
+SLT=1
+if ! read -r slot pin cfg < <(clevis luks list -d "${DEV}" -s "${SLT}"); then
+ error "${TEST}: clevis luks list is expected to succeed for device(${DEV}) and slot (${SLT})"
+fi
+
+if [[ "${slot}" != "${SLT}:" ]]; then
+ error "${TEST}: slot (${slot}) is expected to be ${SLT}"
+fi
+
+if [[ "${pin}" != "${PIN}" ]]; then
+ error "${TEST}: pin (${pin}) is expected to be '${PIN}'"
+fi
+
+to_remove_from_cfg=$(printf ',"adv": "%s"' "${ADV}")
+cfg_for_cmp=${cfg//"${to_remove_from_cfg}"/}
+if ! pin_cfg_equal "${cfg}" "${cfg_for_cmp}"; then
+ error "${TEST}: config obtained from clevis luks list (${cfg}) is expected to match the one used to bind the test (${cfg_for_cmp})"
+fi
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
new file mode 100644
index 0000000..6513eaa
--- /dev/null
+++ b/src/luks/tests/meson.build
@@ -0,0 +1,36 @@
+# We use jq for comparing the pin config in the clevis luks list tests.
+jq = find_program('jq', required: false)
+
+env = environment()
+env.prepend('PATH',
+ join_paths(meson.source_root(), 'src'),
+ join_paths(meson.source_root(), 'src', 'luks'),
+ join_paths(meson.source_root(), 'src', 'pins', 'sss'),
+ join_paths(meson.source_root(), 'src', 'pins', 'tang'),
+ join_paths(meson.source_root(), 'src', 'pins', 'tpm2'),
+ meson.current_source_dir(),
+ meson.current_build_dir(),
+ join_paths(meson.build_root(), 'src'),
+ join_paths(meson.build_root(), 'src', 'luks'),
+ join_paths(meson.build_root(), 'src', 'pins', 'sss'),
+ join_paths(meson.build_root(), 'src', 'pins', 'tang'),
+ join_paths(meson.build_root(), 'src', 'pins', 'tpm2'),
+ separator: ':'
+)
+
+if jq.found()
+ test('list-recursive-luks1', find_program('list-recursive-luks1'), env: env)
+ test('list-tang-luks1', find_program('list-tang-luks1'), env: env)
+ test('list-sss-tang-luks1', find_program('list-sss-tang-luks1'), env: env)
+else
+ warning('Will not run "clevis luks list" tests due to missing jq dependency')
+endif
+
+# LUKS2 tests go here, and they get included if we get support for it, based
+# on the cryptsetup version.
+# Binding LUKS2 takes longer, so timeout is increased for a few tests.
+if jq.found()
+ test('list-recursive-luks2', find_program('list-recursive-luks2'), env: env, timeout: 60)
+ test('list-tang-luks2', find_program('list-tang-luks2'), env: env, timeout: 60)
+ test('list-sss-tang-luks2', find_program('list-sss-tang-luks2'), env: env, timeout: 60)
+endif
diff --git a/src/luks/tests/tests-common-functions b/src/luks/tests/tests-common-functions
new file mode 100644
index 0000000..b65a84a
--- /dev/null
+++ b/src/luks/tests/tests-common-functions
@@ -0,0 +1,76 @@
+#!/bin/bash -ex
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2019 Red Hat, Inc.
+# Author: Sergio Correia <scorreia@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
+# Support is determined at build time.
+luks2_supported() {
+ # In RHEL8 we support LUKS2.
+ return 0
+}
+
+# Creates a tang adv to be used in the test.
+create_tang_adv() {
+ local adv="${1}"
+ local SIG="${TMP}/sig.jwk"
+ jose jwk gen -i '{"alg":"ES512"}' > "${SIG}"
+
+ local EXC="${TMP}/exc.jwk"
+ jose jwk gen -i '{"alg":"ECMR"}' > "${EXC}"
+
+ local TEMPLATE='{"protected":{"cty":"jwk-set+json"}}'
+ jose jwk pub -s -i "${SIG}" -i "${EXC}" \
+ | jose jws sig -I- -s "${TEMPLATE}" -k "${SIG}" -o "${adv}"
+}
+
+
+# Creates a new LUKS1 or LUKS2 device to be used.
+new_device() {
+ local LUKS="${1}"
+ local DEV="${2}"
+
+ local DEV_CACHED="${TMP}/${LUKS}.cached"
+
+ # Let's reuse an existing device, if there is one.
+ if [ -f "${DEV_CACHED}" ]; then
+ echo "Reusing cached ${LUKS} device..."
+ cp -f "${DEV_CACHED}" "${DEV}"
+ return 0
+ fi
+
+ fallocate -l16M "${DEV}"
+ cryptsetup luksFormat --type "${LUKS}" --batch-mode --force-password "${DEV}" <<< "${DEFAULT_PASS}"
+ # Caching the just-formatted device for possible reuse.
+ cp -f "${DEV}" "${DEV_CACHED}"
+}
+
+error() {
+ echo "${1}" >&2
+ exit 1
+}
+
+pin_cfg_equal() {
+ local cfg1="${1}"
+ local cfg2="${1}"
+
+ diff <(jq -S . < <(echo -n "${cfg1}")) \
+ <(jq -S . < <(echo -n "${cfg2}"))
+}
+
+export DEFAULT_PASS='just-some-test-password-here'
--
2.18.1