// keyring unless --skip-unlock is used. On failure, an error is returned, any
// metadata creation is reverted, and the directory is unmodified.
func encryptPath(path string) (err error) {
- target, err := parseUserFlag()
+ target, err := parseUserFlag(!skipUnlockFlag.Value)
if err != nil {
return
}
return expectedArgsErr(c, 1, false)
}
- target, err := parseUserFlag()
+ target, err := parseUserFlag(true)
if err != nil {
return newExitError(c, err)
}
}
}
- target, err := parseUserFlag()
+ target, err := parseUserFlag(true)
if err != nil {
return newExitError(c, err)
}
return expectedArgsErr(c, 1, false)
}
- target, err := parseUserFlag()
+ target, err := parseUserFlag(false)
if err != nil {
return newExitError(c, err)
}
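Review bot: The bare `false` in `parseUserFlag(false)` turns off the keyring access check for this command, and nothing at the call site says why that is safe. The enclosing function starts outside the hunk, so the command cannot be identified from here. A short comment above the call, such as `// This command never touches the user keyring, so skip the keyring check.` (if that is indeed the reason), would make the choice reviewable. The `parseUserFlag(true)` calls in the two preceding hunks would benefit from the same kind of comment.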
"github.com/urfave/cli"
"github.com/google/fscrypt/actions"
+ "github.com/google/fscrypt/security"
"github.com/google/fscrypt/util"
)
// parseUserFlag returns the user specified by userFlag or the current effective
// user if the flag value is missing. If the effective user is root, however, a
-// user must specified in the flag.
-func parseUserFlag() (*user.User, error) {
+// user must specified in the flag. If checkKeyring is true, we also make sure
+// there are no problems accessing the user keyring.
+func parseUserFlag(checkKeyring bool) (targetUser *user.User, err error) {
if userFlag.Value != "" {
- return user.Lookup(userFlag.Value)
+ targetUser, err = user.Lookup(userFlag.Value)
+ } else {
+ if util.IsUserRoot() {
+ return nil, ErrSpecifyUser
+ }
+ targetUser, err = util.EffectiveUser()
}
- effectiveUser, err := util.EffectiveUser()
if err != nil {
return nil, err
}
- if util.IsUserRoot() {
- return nil, ErrSpecifyUser
+
+ if checkKeyring {
+ _, err = security.UserKeyringID(targetUser)
}
- return effectiveUser, nil
+ return targetUser, err
}
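Review bot: When `security.UserKeyringID(targetUser)` fails, the closing `return targetUser, err` hands back a populated user together with a non-nil error. A caller that mishandles the error would still hold a usable-looking target whose keyring was never confirmed accessible. Returning `nil, err` inside the `if checkKeyring` branch and ending the function with `return targetUser, nil` keeps the result unambiguous and matches the earlier `return nil, err` path. The keyring error is also passed up unchanged, so adding the user name as context would help someone diagnosing a failed check. The doc comment still reads "must specified"; it should be `// user must be specified in the flag.`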