Add a kickstart test for escrow packets and backup passphrases

dashea · May 18, 2015 · f1753f9 · clumens · May 19, 2015 · f1753f9
1 parent a79aad1
commit f1753f9
Show file tree

Hide file tree

Showing 2 changed files with 155 additions and 0 deletions.
diff --git a/tests/kickstart_tests/escrow-cert.ks b/tests/kickstart_tests/escrow-cert.ks
@@ -0,0 +1,107 @@
+%pre
+# Create an nss database for the escrow certifcate
+mkdir -p /tmp/escrow_test/nss
+certutil -d /tmp/escrow_test/nss --empty-password -N
+
+# Create a self-signed certificate
+# certutil waits for input if not provided with entropy data (-z). Use some
+# crappy data from urandom in the hope of leaving some entropy for the LUKS
+# operations to use later.
+dd if=/dev/urandom of=/tmp/escrow_test/entropy bs=20 count=1
+certutil -d /tmp/escrow_test/nss -S -x -n escrow_cert \
+    -s 'CN=Escrow Test' -t ',,TC' -z /tmp/escrow_test/entropy
+
+# Export the certificate
+certutil -d /tmp/escrow_test/nss -L -n escrow_cert -a -o /tmp/escrow_test/escrow.crt
+%end
+
+url --url=http://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/$basearch/os/
+install
+network --bootproto=dhcp
+
+bootloader --timeout=1
+zerombr
+clearpart --all
+part --fstype=ext4 --size=4400 /
+part --fstype=ext4 --size=500 /boot
+part --fstype=swap --size=500 swap
+
+# Create a partition that's easy to umount and poke at in %post
+part --fstype=ext4 --size=500 --encrypted --passphrase='passphrase' --escrowcert=file:///tmp/escrow_test/escrow.crt --backuppassphrase /home
+
+keyboard us
+lang en
+timezone America/New_York
+rootpw qweqwe
+shutdown
+
+%pre-install
+# Copy the escrow database to the install path so we can use it during %post
+mkdir $ANA_INSTALL_PATH/root
+cp -a /tmp/escrow_test $ANA_INSTALL_PATH/root/
+%end
+
+%packages
+volume_key
+%end
+
+%post
+# First, check that the escrow stuff is there
+ls "/root/*-escrow" >/dev/null 2>&1
+if [[ $? != 0 ]]; then
+    echo '*** escrow packet was not created' > /root/RESULT
+    exit 1
+fi
+
+ls "/root/*-escrow-backup-passphrase" >/dev/null 2>&1
+if [[ $? != 0 ]]; then
+    echo '*** backup passphrase was not created' > /root/RESULT
+    exit 1
+fi
+
+# Get the LUKS device UUID from the escrow packet filename
+uuid="$(basename /root/*-escrow | sed 's|-escrow$||')"
+
+# umount and close the LUKS device
+umount /home
+cryptsetup close /dev/mapper/luks-$uuid
+
+# Try out the backup passphrase
+backup_passphrase="$(volume_key --secrets -d /root/escrow_test/nss /root/$uuid-escrow-backup-passphrase | sed -n '/^Passphrase:/s|^Passphrase:[[:space:]]*||p')"
+
+if [[ $? != 0 ]] || [[ -z "$backup_passphrase" ]]; then
+    echo '*** unable to parse backup passphrase' > /root/RESULT
+    exit 1
+fi
+
+echo -n $backup_passphrase | cryptsetup open -q --key-file - --type luks --test-passphrase /dev/disk/by-uuid/$uuid
+if [[ $? != 0 ]]; then
+    echo '*** unable to decrypt volume with backup passphrase' > /root/RESULT
+    exit 1
+fi
+
+# Restore access to the volume with the escrow packet
+# First, re-encrypt the packet with a passphrase
+echo -n -e 'packet passphrase\0packet passphrase\0' | volume_key --reencrypt -b -d /root/escrow_test/nss /root/$uuid-escrow -o /root/escrow-out
+if [[ $? != 0 ]] || [[ ! -f /root/escrow-out ]]; then
+    echo '*** unable to reencrypt escrow packet' > /root/RESULT
+    exit 1
+fi
+
+# Use the escrow packet to set a new passphrase on the LUKS volume
+echo -n -e 'packet passphrase\0volume passphrase\0volume passphrase\0' | volume_key --restore -b /dev/disk/by-uuid/$uuid /root/escrow-out
+if [[ $? != 0 ]]; then
+    echo '*** unable to restore volume access with escrow packet' > /root/RESULT
+    exit 1
+fi
+
+# Make sure the new passphrase actually works
+echo -n 'volume passphrase' | cryptsetup open -q --key-file - --type luks --test-passphrase /dev/disk/by-uuid/$uuid
+if [[ $? != 0 ]]; then
+    echo '*** unable to open volume with restored passphrase' > /root/RESULT
+    exit 1
+fi
+
+echo 'SUCCESS' > /root/RESULT
+
+%end
diff --git a/tests/kickstart_tests/escrow-cert.sh b/tests/kickstart_tests/escrow-cert.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Copyright (C) 2015  Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of
+# the GNU General Public License v.2, or (at your option) any later version.
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY expressed or implied, including the implied warranties of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+# Public License for more details.  You should have received a copy of the
+# GNU General Public License along with this program; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.  Any Red Hat trademarks that are incorporated in the
+# source code or documentation are not subject to the GNU General Public
+# License and may only be used or replicated with the express permission of
+# Red Hat, Inc.
+#
+# Red Hat Author(s): David Shea <dshea@redhat.com>
+
+kernel_args() {
+    echo vnc
+}
+
+prepare() {
+    ks=$1
+    tmpdir=$2
+
+    echo ${ks}
+}
+
+validate() {
+    img=$1
+
+    # There should be a /root/RESULT file with results in it.  Check
+    # its contents and decide whether the test finally succeeded or
+    # not.
+    result=$(virt-cat -a ${img} -m /dev/sda2 /root/RESULT)
+    if [[ $? != 0 ]]; then
+        status=1
+        echo '*** /root/RESULT does not exist in VM image.'
+    elif [[ "${result}" != "SUCCESS" ]]; then
+        status=1
+        echo "${result}"
+    fi
+
+    return ${status}
+}