From 57be034ce4700fb07c10b771628c1c63d8483d09 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Thu, 23 Dec 2021 11:39:08 -0600
Subject: [PATCH] cli-tests: add helper functions to get protector descriptors
---
 cli-tests/common.sh | 34 ++++++++++++++++++++++++++++++++
 cli-tests/t_change_passphrase.sh | 2 +-
 cli-tests/t_encrypt_login.sh | 11 +++--------
 3 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/cli-tests/common.sh b/cli-tests/common.sh
index 0ace2b9..1d7b17b 100644
--- a/cli-tests/common.sh
+++ b/cli-tests/common.sh
@@ -72,6 +72,40 @@ _get_enabled_fs_count()
 echo "$count"
 }
+# Gets the descriptor of the given protector.
+_get_protector_descriptor()
+{
+ local mnt=$1
+ local source=$2
+
+ case $source in
+ custom)
+ local name=$3
+ local description="custom protector \\\"$name\\\""
+ ;;
+ login)
+ local user=$3
+ local description="login protector for $user"
+ ;;
+ *)
+ _fail "Unknown protector source $source"
+ esac
+
+ local descriptor
+ descriptor=$(fscrypt status "$mnt" |
+ awk -F ' *' '{ if ($3 == "'"$description"'") print $1 }')
+ if [ -z "$descriptor" ]; then
+ _fail "Can't find $description on $mnt"
+ fi
+ echo "$descriptor"
+}
+
+# Gets the descriptor of the login protector for $TEST_USER.
+_get_login_descriptor()
+{
+ _get_protector_descriptor "$MNT_ROOT" login "$TEST_USER"
+}
+
 # Prints the number of filesystems that have fscrypt metadata.
 _get_setup_fs_count()
 {
diff --git a/cli-tests/t_change_passphrase.sh b/cli-tests/t_change_passphrase.sh
index 204512d..1360bc2 100755
--- a/cli-tests/t_change_passphrase.sh
+++ b/cli-tests/t_change_passphrase.sh
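Review bot: In `_get_protector_descriptor`, `$description` is spliced into the awk program text (`"'"$description"'"`), so a protector name or user name containing a double quote or backslash alters the awk source instead of being compared as data. Passing it as a variable keeps it out of the program: add `-v desc="$description"` to the awk call and use `'$3 == desc { print $1 }'` as the program. awk still processes backslash escapes in `-v` values, so the `\"` escaping built in the `custom` arm keeps working. The values come from the test scripts and `$TEST_USER`, so this is hardening for a shared helper rather than a live exposure. It would also help to extend the comment above the function to say that `$3` is the protector name for `custom` and the user name for `login`.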
@@ -14,7 +14,7 @@ echo pass1 | fscrypt encrypt --quiet --name=prot --skip-unlock "$dir"
 _print_header "Try to unlock with wrong passphrase"
 _expect_failure "echo pass2 | fscrypt unlock --quiet '$dir'"
 _expect_failure "mkdir '$dir/subdir'"
-protector=$(fscrypt status "$dir" | awk '/custom protector/{print $1}')
+protector=$(_get_protector_descriptor "$dir" custom prot)
 _print_header "Change passphrase"
 echo $'pass1\npass2' | \
diff --git a/cli-tests/t_encrypt_login.sh b/cli-tests/t_encrypt_login.sh
index e03122d..c42fec7 100755
--- a/cli-tests/t_encrypt_login.sh
+++ b/cli-tests/t_encrypt_login.sh
@@ -27,18 +27,13 @@ show_status()
 fi
 }
-get_login_protector()
-{
- fscrypt status "$dir" | awk '/login protector/{print $1}'
-}
-
 begin "Encrypt with login protector"
 chown "$TEST_USER" "$dir"
 _user_do "echo TEST_USER_PASS | fscrypt encrypt --quiet --source=pam_passphrase '$dir'"
 show_status true
 recovery_passphrase=$(grep -E '^ +[a-z]{20}$' "$dir/fscrypt_recovery_readme.txt" | sed 's/^ +//')
-recovery_protector=$(fscrypt status "$dir" | awk '/Recovery passphrase/{print $1}')
-login_protector=$(get_login_protector)
+recovery_protector=$(_get_protector_descriptor "$MNT" custom 'Recovery passphrase for dir')
+login_protector=$(_get_login_descriptor)
 _print_header "=> Lock, then unlock with login passphrase"
 _user_do "fscrypt lock '$dir'"
 # FIXME: should we be able to use $MNT:$login_protector here?
@@ -63,7 +58,7 @@ begin "Encrypt with login protector as root"
 echo TEST_USER_PASS | fscrypt encrypt --quiet --source=pam_passphrase --user="$TEST_USER" "$dir"
 show_status true
 # The newly-created login protector should be owned by the user, not root.
-login_protector=$(get_login_protector)
+login_protector=$(_get_login_descriptor)
 owner=$(stat -c "%U:%G" "$MNT_ROOT/.fscrypt/protectors/$login_protector")
 echo -e "\nProtector is owned by $owner"
-- 
2.39.5
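Review bot: The helper is called inside `$(...)` at `protector=` here and at the `recovery_protector=` and `login_protector=` assignments in both t_encrypt_login.sh hunks, so a `_fail` inside it can end only the command-substitution subshell. The test stops only if the assignment's non-zero status is acted on. Neither `_fail` nor the scripts' shell options are visible in this patch, so confirm that the tests run under `set -e`, or make it explicit with `protector=$(_get_protector_descriptor "$dir" custom prot) || exit 1`. Also check that `_fail` writes to stderr; if it writes to stdout, its message is captured into the variable and used as a descriptor instead of being shown.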
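Review bot: The literal `'Recovery passphrase for dir'` in the `recovery_protector=` assignment appears to encode the basename of `$dir`, which is set outside this hunk, so renaming the test directory would make the exact-match lookup fail with no obvious link to the cause. Deriving the name, e.g. `"Recovery passphrase for ${dir##*/}"`, keeps the two in step. Failing that, a comment such as `# fscrypt names the recovery protector after the directory's basename` would record the coupling, assuming that is indeed how the name is formed. The lookup also moved from `fscrypt status "$dir"` to `"$MNT"`, and the login lookup to `$MNT_ROOT`, so a short comment on which filesystem holds each protector would help the next reader.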