mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-25 21:44:00 -07:00 
			
		
		
		
	New LUKS devices management module (#48991)
* New LUKS devices management module - new module that uses cryptsetup (LUKS) functions for management of encrypted devices - unit tests included * New LUKS devices management module - modified interface by removing 'open' option and moving its functionality into 'state' option
This commit is contained in:
		
					parent
					
						
							
								0c8c72a0bf
							
						
					
				
			
			
				commit
				
					
						68d43130d0
					
				
			
		
					 3 changed files with 744 additions and 0 deletions
				
			
		
							
								
								
									
										519
									
								
								lib/ansible/modules/crypto/luks_device.py
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										519
									
								
								lib/ansible/modules/crypto/luks_device.py
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,519 @@ | |||
| #!/usr/bin/python | ||||
| # Copyright (c) 2017 Ansible Project | ||||
| # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) | ||||
| 
 | ||||
| from __future__ import (absolute_import, division, print_function) | ||||
| __metaclass__ = type | ||||
| 
 | ||||
| ANSIBLE_METADATA = {'metadata_version': '1.1', | ||||
|                     'status': ['preview'], | ||||
|                     'supported_by': 'community'} | ||||
| 
 | ||||
| DOCUMENTATION = ''' | ||||
| --- | ||||
| module: luks_device | ||||
| 
 | ||||
| short_description: Manage encrypted (LUKS) devices | ||||
| 
 | ||||
| version_added: "2.8" | ||||
| 
 | ||||
| description: | ||||
|     - "Module manages L(LUKS,https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) | ||||
|       on given device. Supports creating, destroying, opening and closing of | ||||
|       LUKS container and adding or removing new keys." | ||||
| 
 | ||||
| options: | ||||
|     device: | ||||
|         description: | ||||
|             - "Device to work with (e.g. C(/dev/sda1)). Needed in most cases. | ||||
|               Can be omitted only when I(state=closed) together with I(name) | ||||
|               is provided." | ||||
|         type: str | ||||
|     state: | ||||
|         description: | ||||
|             - "Desired state of the LUKS container. Based on its value creates, | ||||
|               destroys, opens or closes the LUKS container on a given device." | ||||
|             - "I(present) will create LUKS container unless already present. | ||||
|               Requires I(device) and I(keyfile) options to be provided." | ||||
|             - "I(absent) will remove existing LUKS container if it exists. | ||||
|               Requires I(device) or I(name) to be specified." | ||||
|             - "I(opened) will unlock the LUKS container. If it does not exist | ||||
|               it will be created first. | ||||
|               Requires I(device) and I(keyfile) to be specified. Use | ||||
|               the I(name) option to set the name of the opened container. | ||||
|               Otherwise the name will be generated automatically and returned | ||||
|               as a part of the result." | ||||
|             - "I(closed) will lock the LUKS container. However if the container | ||||
|               does not exist it will be created. | ||||
|               Requires I(device) and I(keyfile) options to be provided. If | ||||
|               container does already exist I(device) or I(name) will suffice." | ||||
|         default: present | ||||
|         choices: [present, absent, opened, closed] | ||||
|         type: str | ||||
|     name: | ||||
|         description: | ||||
|             - "Sets container name when I(state=opened). Can be used | ||||
|               instead of I(device) when closing the existing container | ||||
|               (i.e. when I(state=closed))." | ||||
|         type: str | ||||
|     keyfile: | ||||
|         description: | ||||
|             - "Used to unlock the container and needed for most | ||||
|               of the operations. Parameter value is the path | ||||
|               to the keyfile with the passphrase." | ||||
|             - "BEWARE that working with keyfiles in plaintext is dangerous. | ||||
|               Make sure that they are protected." | ||||
|         type: path | ||||
|     new_keyfile: | ||||
|         description: | ||||
|             - "Adds additional key to given container on I(device). | ||||
|               Needs I(keyfile) option for authorization. LUKS container | ||||
|               supports up to 8 keys. Parameter value is the path | ||||
|               to the keyfile with the passphrase." | ||||
|             - "BEWARE that working with keyfiles in plaintext is dangerous. | ||||
|               Make sure that they are protected." | ||||
|         type: path | ||||
|     remove_keyfile: | ||||
|         description: | ||||
|             - "Removes given key from the container on I(device). Does not | ||||
|               remove the keyfile from filesystem. | ||||
|               Parameter value is the path to the keyfile with the passphrase." | ||||
|             - "BEWARE that it is possible to remove even the last key from the | ||||
|               container. Data in there will be irreversibly lost | ||||
|               without a warning." | ||||
|             - "BEWARE that working with keyfiles in plaintext is dangerous. | ||||
|               Make sure that they are protected." | ||||
|         type: path | ||||
| 
 | ||||
| requirements: | ||||
|     - "cryptsetup" | ||||
|     - "wipefs" | ||||
|     - "lsblk" | ||||
| 
 | ||||
| notes: | ||||
|     - "This module does not support check mode. The reason being that | ||||
|       while it is possible to chain several operations together | ||||
|       (e.g. 'create' and 'open'), the latter usually depends on changes | ||||
|       to the system done by the previous one. (LUKS cannot be opened, | ||||
|       when it does not exist.)" | ||||
| 
 | ||||
| author: | ||||
|     "Jan Pokorny (@japokorn)" | ||||
| ''' | ||||
| 
 | ||||
| EXAMPLES = ''' | ||||
| 
 | ||||
| - name: create LUKS container (remains unchanged if it already exists) | ||||
|   luks_device: | ||||
|     device: "/dev/loop0" | ||||
|     state: "present" | ||||
|     keyfile: "/vault/keyfile" | ||||
| 
 | ||||
| - name: (create and) open the LUKS container; name it "mycrypt" | ||||
|   luks_device: | ||||
|     device: "/dev/loop0" | ||||
|     state: "opened" | ||||
|     name: "mycrypt" | ||||
|     keyfile: "/vault/keyfile" | ||||
| 
 | ||||
| - name: close the existing LUKS container "mycrypt" | ||||
|   luks_device: | ||||
|     state: "closed" | ||||
|     name: "mycrypt" | ||||
| 
 | ||||
| - name: make sure LUKS container exists and is closed | ||||
|   luks_device: | ||||
|     device: "/dev/loop0" | ||||
|     state: "closed" | ||||
|     keyfile: "/vault/keyfile" | ||||
| 
 | ||||
| - name: create container if it does not exist and add new key to it | ||||
|   luks_device: | ||||
|     device: "/dev/loop0" | ||||
|     state: "present" | ||||
|     keyfile: "/vault/keyfile" | ||||
|     new_keyfile: "/vault/keyfile2" | ||||
| 
 | ||||
| - name: add new key to the LUKS container (container has to exist) | ||||
|   luks_device: | ||||
|     device: "/dev/loop0" | ||||
|     keyfile: "/vault/keyfile" | ||||
|     new_keyfile: "/vault/keyfile2" | ||||
| 
 | ||||
| - name: remove existing key from the LUKS container | ||||
|   luks_device: | ||||
|     device: "/dev/loop0" | ||||
|     remove_keyfile: "/vault/keyfile2" | ||||
| 
 | ||||
| - name: completely remove the LUKS container and its contents | ||||
|   luks_device: | ||||
|     device: "/dev/loop0" | ||||
|     state: "absent" | ||||
| ''' | ||||
| 
 | ||||
| RETURN = ''' | ||||
| name: | ||||
|     description: | ||||
|         When I(state=opened) returns (generated or given) name | ||||
|         of LUKS container. Returns None if no name is supplied. | ||||
|     returned: success | ||||
|     type: str | ||||
|     sample: "luks-c1da9a58-2fde-4256-9d9f-6ab008b4dd1b" | ||||
| ''' | ||||
| 
 | ||||
| import re | ||||
| 
 | ||||
| from ansible.module_utils.basic import AnsibleModule | ||||
| 
 | ||||
| RETURN_CODE = 0 | ||||
| STDOUT = 1 | ||||
| STDERR = 2 | ||||
| 
 | ||||
| # used to get <luks-name> out of lsblk output in format 'crypt <luks-name>' | ||||
| # regex takes care of any possible blank characters | ||||
| LUKS_NAME_REGEX = re.compile(r'\s*crypt\s+([^\s]*)\s*') | ||||
| # used to get </luks/device> out of lsblk output | ||||
| # in format 'device: </luks/device>' | ||||
| LUKS_DEVICE_REGEX = re.compile(r'\s*device:\s+([^\s]*)\s*') | ||||
| 
 | ||||
| 
 | ||||
| class Handler(object): | ||||
| 
 | ||||
|     def __init__(self, module): | ||||
|         self._module = module | ||||
|         self._lsblk_bin = self._module.get_bin_path('lsblk', True) | ||||
| 
 | ||||
|     def _run_command(self, command): | ||||
|         return self._module.run_command(command) | ||||
| 
 | ||||
|     def generate_luks_name(self, device): | ||||
|         ''' Generate name for luks based on device UUID ('luks-<UUID>'). | ||||
|             Raises ValueError when obtaining of UUID fails. | ||||
|         ''' | ||||
|         result = self._run_command([self._lsblk_bin, '-n', device, '-o', 'UUID']) | ||||
| 
 | ||||
|         if result[RETURN_CODE] != 0: | ||||
|             raise ValueError('Error while generating LUKS name for %s: %s' | ||||
|                              % (device, result[STDERR])) | ||||
|         dev_uuid = result[STDOUT].strip() | ||||
|         return 'luks-%s' % dev_uuid | ||||
| 
 | ||||
| 
 | ||||
| class CryptHandler(Handler): | ||||
| 
 | ||||
|     def __init__(self, module): | ||||
|         super(CryptHandler, self).__init__(module) | ||||
|         self._cryptsetup_bin = self._module.get_bin_path('cryptsetup', True) | ||||
| 
 | ||||
|     def get_container_name_by_device(self, device): | ||||
|         ''' obtain LUKS container name based on the device where it is located | ||||
|             return None if not found | ||||
|             raise ValueError if lsblk command fails | ||||
|         ''' | ||||
|         result = self._run_command([self._lsblk_bin, device, '-nlo', 'type,name']) | ||||
|         if result[RETURN_CODE] != 0: | ||||
|             raise ValueError('Error while obtaining LUKS name for %s: %s' | ||||
|                              % (device, result[STDERR])) | ||||
| 
 | ||||
|         m = LUKS_NAME_REGEX.search(result[STDOUT]) | ||||
| 
 | ||||
|         try: | ||||
|             name = m.group(1) | ||||
|         except AttributeError: | ||||
|             name = None | ||||
|         return name | ||||
| 
 | ||||
|     def get_container_device_by_name(self, name): | ||||
|         ''' obtain device name based on the LUKS container name | ||||
|             return None if not found | ||||
|             raise ValueError if lsblk command fails | ||||
|         ''' | ||||
|         # apparently each device can have only one LUKS container on it | ||||
|         result = self._run_command([self._cryptsetup_bin, 'status', name]) | ||||
|         if result[RETURN_CODE] != 0: | ||||
|             return None | ||||
| 
 | ||||
|         m = LUKS_DEVICE_REGEX.search(result[STDOUT]) | ||||
|         device = m.group(1) | ||||
|         return device | ||||
| 
 | ||||
|     def is_luks(self, device): | ||||
|         ''' check if the LUKS device does exist | ||||
|         ''' | ||||
|         result = self._run_command([self._cryptsetup_bin, 'isLuks', device]) | ||||
|         return result[RETURN_CODE] == 0 | ||||
| 
 | ||||
|     def run_luks_create(self, device, keyfile): | ||||
|         # create a new luks container; use batch mode to auto confirm | ||||
|         result = self._run_command([self._cryptsetup_bin, 'luksFormat', | ||||
|                                     '-q', device, keyfile]) | ||||
|         if result[RETURN_CODE] != 0: | ||||
|             raise ValueError('Error while creating LUKS on %s: %s' | ||||
|                              % (device, result[STDERR])) | ||||
| 
 | ||||
|     def run_luks_open(self, device, keyfile, name): | ||||
|         result = self._run_command([self._cryptsetup_bin, '--key-file', keyfile, | ||||
|                                     'open', '--type', 'luks', device, name]) | ||||
|         if result[RETURN_CODE] != 0: | ||||
|             raise ValueError('Error while opening LUKS container on %s: %s' | ||||
|                              % (device, result[STDERR])) | ||||
| 
 | ||||
|     def run_luks_close(self, name): | ||||
|         result = self._run_command([self._cryptsetup_bin, 'close', name]) | ||||
|         if result[RETURN_CODE] != 0: | ||||
|             raise ValueError('Error while closing LUKS container %s' % (name)) | ||||
| 
 | ||||
|     def run_luks_remove(self, device): | ||||
|         wipefs_bin = self._module.get_bin_path('wipefs', True) | ||||
| 
 | ||||
|         name = self.get_container_name_by_device(device) | ||||
|         if name is not None: | ||||
|             self.run_luks_close(name) | ||||
|         result = self._run_command([wipefs_bin, '--all', device]) | ||||
|         if result[RETURN_CODE] != 0: | ||||
|             raise ValueError('Error while wiping luks container %s: %s' | ||||
|                              % (device, result[STDERR])) | ||||
| 
 | ||||
|     def run_luks_add_key(self, device, keyfile, new_keyfile): | ||||
|         ''' Add new key to given 'device'; authentization done using 'keyfile' | ||||
|             Raises ValueError when command fails | ||||
|         ''' | ||||
|         result = self._run_command([self._cryptsetup_bin, 'luksAddKey', device, | ||||
|                                     new_keyfile, '--key-file', keyfile]) | ||||
|         if result[RETURN_CODE] != 0: | ||||
|             raise ValueError('Error while adding new LUKS key to %s: %s' | ||||
|                              % (device, result[STDERR])) | ||||
| 
 | ||||
|     def run_luks_remove_key(self, device, keyfile): | ||||
|         ''' Remove key from given device | ||||
|             Raises ValueError when command fails | ||||
|         ''' | ||||
|         result = self._run_command([self._cryptsetup_bin, 'luksRemoveKey', device, | ||||
|                                     '-q', '--key-file', keyfile]) | ||||
|         if result[RETURN_CODE] != 0: | ||||
|             raise ValueError('Error while removing LUKS key from %s: %s' | ||||
|                              % (device, result[STDERR])) | ||||
| 
 | ||||
| 
 | ||||
| class ConditionsHandler(Handler): | ||||
| 
 | ||||
|     def __init__(self, module, crypthandler): | ||||
|         super(ConditionsHandler, self).__init__(module) | ||||
|         self._crypthandler = crypthandler | ||||
| 
 | ||||
|     def luks_create(self): | ||||
|         return (self._module.params['device'] is not None and | ||||
|                 self._module.params['keyfile'] is not None and | ||||
|                 self._module.params['state'] in ('present', | ||||
|                                                  'opened', | ||||
|                                                  'closed') and | ||||
|                 not self._crypthandler.is_luks(self._module.params['device'])) | ||||
| 
 | ||||
|     def opened_luks_name(self): | ||||
|         ''' If luks is already opened, return its name. | ||||
|             If 'name' parameter is specified and differs | ||||
|             from obtained value, fail. | ||||
|             Return None otherwise | ||||
|         ''' | ||||
|         if self._module.params['state'] != 'opened': | ||||
|             return None | ||||
| 
 | ||||
|         # try to obtain luks name - it may be already opened | ||||
|         name = self._crypthandler.get_container_name_by_device( | ||||
|             self._module.params['device']) | ||||
| 
 | ||||
|         if name is None: | ||||
|             # container is not open | ||||
|             return None | ||||
| 
 | ||||
|         if (self._module.params['name'] is None): | ||||
|             # container is already opened | ||||
|             return name | ||||
| 
 | ||||
|         if (name != self._module.params['name']): | ||||
|             # the container is already open but with different name: | ||||
|             # suspicious. back off | ||||
|             self._module.fail_json(msg="LUKS container is already opened " | ||||
|                                    "under different name '%s'." % name) | ||||
| 
 | ||||
|         # container is opened and the names match | ||||
|         return name | ||||
| 
 | ||||
|     def luks_open(self): | ||||
|         if (self._module.params['device'] is None or | ||||
|                 self._module.params['keyfile'] is None or | ||||
|                 self._module.params['state'] != 'opened'): | ||||
|             # conditions for open not fulfilled | ||||
|             return False | ||||
| 
 | ||||
|         name = self.opened_luks_name() | ||||
| 
 | ||||
|         if name is None: | ||||
|             return True | ||||
|         return False | ||||
| 
 | ||||
|     def luks_close(self): | ||||
|         if ((self._module.params['name'] is None and | ||||
|                 self._module.params['device'] is None) or | ||||
|                 self._module.params['state'] != 'closed'): | ||||
|             # conditions for close not fulfilled | ||||
|             return False | ||||
| 
 | ||||
|         if self._module.params['device'] is not None: | ||||
|             name = self._crypthandler.get_container_name_by_device( | ||||
|                 self._module.params['device']) | ||||
|             # sucessfully getting name based on device means that luks is open | ||||
|             luks_is_open = name is not None | ||||
| 
 | ||||
|         if self._module.params['name'] is not None: | ||||
|             device = self._crypthandler.get_container_device_by_name( | ||||
|                 self._module.params['name']) | ||||
|             # sucessfully getting device based on name means that luks is open | ||||
|             luks_is_open = device is not None | ||||
| 
 | ||||
|         return luks_is_open | ||||
| 
 | ||||
|     def luks_add_key(self): | ||||
|         if (self._module.params['device'] is None or | ||||
|                 self._module.params['keyfile'] is None or | ||||
|                 self._module.params['new_keyfile'] is None): | ||||
|             # conditions for adding a key not fulfilled | ||||
|             return False | ||||
| 
 | ||||
|         if self._module.params['state'] == 'absent': | ||||
|             self._module.fail_json(msg="Contradiction in setup: Asking to " | ||||
|                                    "add a key to absent LUKS.") | ||||
| 
 | ||||
|         return True | ||||
| 
 | ||||
|     def luks_remove_key(self): | ||||
|         if (self._module.params['device'] is None or | ||||
|                 self._module.params['remove_keyfile'] is None): | ||||
|             # conditions for removing a key not fulfilled | ||||
|             return False | ||||
| 
 | ||||
|         if self._module.params['state'] == 'absent': | ||||
|             self._module.fail_json(msg="Contradiction in setup: Asking to " | ||||
|                                    "remove a key from absent LUKS.") | ||||
| 
 | ||||
|         return True | ||||
| 
 | ||||
|     def luks_remove(self): | ||||
|         return (self._module.params['device'] is not None and | ||||
|                 self._module.params['state'] == 'absent' and | ||||
|                 self._crypthandler.is_luks(self._module.params['device'])) | ||||
| 
 | ||||
| 
 | ||||
| def run_module(): | ||||
|     # available arguments/parameters that a user can pass | ||||
|     module_args = dict( | ||||
|         state=dict(type='str', | ||||
|                    choices=['present', 'absent', 'opened', 'closed'], | ||||
|                    required=False, | ||||
|                    default='present'), | ||||
|         device=dict(type='str', required=False), | ||||
|         name=dict(type='str', required=False), | ||||
|         keyfile=dict(type='path', required=False), | ||||
|         new_keyfile=dict(type='path', required=False), | ||||
|         remove_keyfile=dict(type='path', required=False) | ||||
|     ) | ||||
| 
 | ||||
|     # seed the result dict in the object | ||||
|     result = dict( | ||||
|         changed=False, | ||||
|         name=None | ||||
|     ) | ||||
| 
 | ||||
|     module = AnsibleModule(argument_spec=module_args, | ||||
|                            supports_check_mode=False) | ||||
| 
 | ||||
|     crypt = CryptHandler(module) | ||||
|     conditions = ConditionsHandler(module, crypt) | ||||
| 
 | ||||
|     # The conditions are in order to allow more operations in one run. | ||||
|     # (e.g. create luks and add a key to it) | ||||
| 
 | ||||
|     # luks create | ||||
|     if conditions.luks_create(): | ||||
|         try: | ||||
|             crypt.run_luks_create(module.params['device'], | ||||
|                                   module.params['keyfile']) | ||||
|         except ValueError as e: | ||||
|             module.fail_json(msg="luks_device error: %s" % e) | ||||
|         result['changed'] = True | ||||
| 
 | ||||
|     # luks open | ||||
| 
 | ||||
|     name = conditions.opened_luks_name() | ||||
|     if name is not None: | ||||
|         result['name'] = name | ||||
| 
 | ||||
|     if conditions.luks_open(): | ||||
|         name = module.params['name'] | ||||
|         if name is None: | ||||
|             try: | ||||
|                 name = crypt.generate_luks_name(module.params['device']) | ||||
|             except ValueError as e: | ||||
|                 module.fail_json(msg="luks_device error: %s" % e) | ||||
|         try: | ||||
|             crypt.run_luks_open(module.params['device'], | ||||
|                                 module.params['keyfile'], | ||||
|                                 name) | ||||
|         except ValueError as e: | ||||
|             module.fail_json(msg="luks_device error: %s" % e) | ||||
|         result['name'] = name | ||||
|         result['changed'] = True | ||||
| 
 | ||||
|     # luks close | ||||
|     if conditions.luks_close(): | ||||
|         if module.params['device'] is not None: | ||||
|             try: | ||||
|                 name = crypt.get_container_name_by_device( | ||||
|                     module.params['device']) | ||||
|             except ValueError as e: | ||||
|                 module.fail_json(msg="luks_device error: %s" % e) | ||||
|         else: | ||||
|             name = module.params['name'] | ||||
|         try: | ||||
|             crypt.run_luks_close(name) | ||||
|         except ValueError as e: | ||||
|             module.fail_json(msg="luks_device error: %s" % e) | ||||
|         result['changed'] = True | ||||
| 
 | ||||
|     # luks add key | ||||
|     if conditions.luks_add_key(): | ||||
|         try: | ||||
|             crypt.run_luks_add_key(module.params['device'], | ||||
|                                    module.params['keyfile'], | ||||
|                                    module.params['new_keyfile']) | ||||
|         except ValueError as e: | ||||
|             module.fail_json(msg="luks_device error: %s" % e) | ||||
|         result['changed'] = True | ||||
| 
 | ||||
|     # luks remove key | ||||
|     if conditions.luks_remove_key(): | ||||
|         try: | ||||
|             crypt.run_luks_remove_key(module.params['device'], | ||||
|                                       module.params['remove_keyfile']) | ||||
|         except ValueError as e: | ||||
|             module.fail_json(msg="luks_device error: %s" % e) | ||||
|         result['changed'] = True | ||||
| 
 | ||||
|     # luks remove | ||||
|     if conditions.luks_remove(): | ||||
|         try: | ||||
|             crypt.run_luks_remove(module.params['device']) | ||||
|         except ValueError as e: | ||||
|             module.fail_json(msg="luks_device error: %s" % e) | ||||
|         result['changed'] = True | ||||
| 
 | ||||
|     # Success - return result | ||||
|     module.exit_json(**result) | ||||
| 
 | ||||
| 
 | ||||
| def main(): | ||||
|     run_module() | ||||
| 
 | ||||
| 
 | ||||
| if __name__ == '__main__': | ||||
|     main() | ||||
							
								
								
									
										0
									
								
								test/units/modules/crypto/__init__.py
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										0
									
								
								test/units/modules/crypto/__init__.py
									
										
									
									
									
										Normal file
									
								
							
							
								
								
									
										225
									
								
								test/units/modules/crypto/test_luks_device.py
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										225
									
								
								test/units/modules/crypto/test_luks_device.py
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,225 @@ | |||
| import pytest | ||||
| from ansible.modules.crypto import luks_device | ||||
| 
 | ||||
| 
 | ||||
| class DummyModule(object): | ||||
|     # module to mock AnsibleModule class | ||||
|     def __init__(self): | ||||
|         self.params = dict() | ||||
| 
 | ||||
|     def fail_json(self, msg=""): | ||||
|         raise ValueError(msg) | ||||
| 
 | ||||
|     def get_bin_path(self, command, dummy): | ||||
|         return command | ||||
| 
 | ||||
| 
 | ||||
| # ===== Handler & CryptHandler methods tests ===== | ||||
| 
 | ||||
| def test_generate_luks_name(monkeypatch): | ||||
|     module = DummyModule() | ||||
|     monkeypatch.setattr(luks_device.Handler, "_run_command", | ||||
|                         lambda x, y: [0, "UUID", ""]) | ||||
|     crypt = luks_device.CryptHandler(module) | ||||
|     assert crypt.generate_luks_name("/dev/dummy") == "luks-UUID" | ||||
| 
 | ||||
| 
 | ||||
| def test_get_container_name_by_device(monkeypatch): | ||||
|     module = DummyModule() | ||||
|     monkeypatch.setattr(luks_device.Handler, "_run_command", | ||||
|                         lambda x, y: [0, "crypt container_name", ""]) | ||||
|     crypt = luks_device.CryptHandler(module) | ||||
|     assert crypt.get_container_name_by_device("/dev/dummy") == "container_name" | ||||
| 
 | ||||
| 
 | ||||
| def test_get_container_device_by_name(monkeypatch): | ||||
|     module = DummyModule() | ||||
|     monkeypatch.setattr(luks_device.Handler, "_run_command", | ||||
|                         lambda x, y: [0, "device:  /dev/luksdevice", ""]) | ||||
|     crypt = luks_device.CryptHandler(module) | ||||
|     assert crypt.get_container_device_by_name("dummy") == "/dev/luksdevice" | ||||
| 
 | ||||
| 
 | ||||
| def test_run_luks_remove(monkeypatch): | ||||
|     def run_command_check(self, command): | ||||
|         # check that wipefs command is actually called | ||||
|         assert command[0] == "wipefs" | ||||
|         return [0, "", ""] | ||||
| 
 | ||||
|     module = DummyModule() | ||||
|     monkeypatch.setattr(luks_device.CryptHandler, | ||||
|                         "get_container_name_by_device", | ||||
|                         lambda x, y: None) | ||||
|     monkeypatch.setattr(luks_device.Handler, | ||||
|                         "_run_command", | ||||
|                         run_command_check) | ||||
|     crypt = luks_device.CryptHandler(module) | ||||
|     crypt.run_luks_remove("dummy") | ||||
| 
 | ||||
| 
 | ||||
| # ===== ConditionsHandler methods data and tests ===== | ||||
| 
 | ||||
| # device, key, state, is_luks, expected | ||||
| LUKS_CREATE_DATA = ( | ||||
|     ("dummy", "key", "present", False, True), | ||||
|     (None, "key", "present", False, False), | ||||
|     ("dummy", None, "present", False, False), | ||||
|     ("dummy", "key", "absent", False, False), | ||||
|     ("dummy", "key", "opened", True, False), | ||||
|     ("dummy", "key", "closed", True, False), | ||||
|     ("dummy", "key", "present", True, False)) | ||||
| 
 | ||||
| # device, state, is_luks, expected | ||||
| LUKS_REMOVE_DATA = ( | ||||
|     ("dummy", "absent", True, True), | ||||
|     (None, "absent", True, False), | ||||
|     ("dummy", "present", True, False), | ||||
|     ("dummy", "absent", False, False)) | ||||
| 
 | ||||
| # device, key, state, name, name_by_dev, expected | ||||
| LUKS_OPEN_DATA = ( | ||||
|     ("dummy", "key", "present", "name", None, False), | ||||
|     ("dummy", "key", "absent", "name", None, False), | ||||
|     ("dummy", "key", "closed", "name", None, False), | ||||
|     ("dummy", "key", "opened", "name", None, True), | ||||
|     (None, "key", "opened", "name", None, False), | ||||
|     ("dummy", None, "opened", "name", None, False), | ||||
|     ("dummy", "key", "opened", "name", "name", False), | ||||
|     ("dummy", "key", "opened", "beer", "name", "exception")) | ||||
| 
 | ||||
| # device, dev_by_name, name, name_by_dev, state, expected | ||||
| LUKS_CLOSE_DATA = ( | ||||
|     ("dummy", "dummy", "name", "name", "present", False), | ||||
|     ("dummy", "dummy", "name", "name", "absent", False), | ||||
|     ("dummy", "dummy", "name", "name", "opened", False), | ||||
|     ("dummy", "dummy", "name", "name", "closed", True), | ||||
|     (None, "dummy", "name", "name", "closed", True), | ||||
|     ("dummy", "dummy", None, "name", "closed", True), | ||||
|     (None, "dummy", None, "name", "closed", False)) | ||||
| 
 | ||||
| # device, key, new_key, state, expected | ||||
| LUKS_ADD_KEY_DATA = ( | ||||
|     ("dummy", "key", "new_key", "present", True), | ||||
|     (None, "key", "new_key", "present", False), | ||||
|     ("dummy", None, "new_key", "present", False), | ||||
|     ("dummy", "key", None, "present", False), | ||||
|     ("dummy", "key", "new_key", "absent", "exception")) | ||||
| 
 | ||||
| # device, remove_key, state, expected | ||||
| LUKS_REMOVE_KEY_DATA = ( | ||||
|     ("dummy", "key", "present", True), | ||||
|     (None, "key", "present", False), | ||||
|     ("dummy", None, "present", False), | ||||
|     ("dummy", "key", "absent", "exception")) | ||||
| 
 | ||||
| 
 | ||||
| @pytest.mark.parametrize("device, keyfile, state, is_luks, expected", | ||||
|                          ((d[0], d[1], d[2], d[3], d[4]) | ||||
|                           for d in LUKS_CREATE_DATA)) | ||||
| def test_luks_create(device, keyfile, state, is_luks, expected, monkeypatch): | ||||
|     module = DummyModule() | ||||
| 
 | ||||
|     module.params["device"] = device | ||||
|     module.params["keyfile"] = keyfile | ||||
|     module.params["state"] = state | ||||
| 
 | ||||
|     monkeypatch.setattr(luks_device.CryptHandler, "is_luks", | ||||
|                         lambda x, y: is_luks) | ||||
|     crypt = luks_device.CryptHandler(module) | ||||
|     conditions = luks_device.ConditionsHandler(module, crypt) | ||||
|     assert conditions.luks_create() == expected | ||||
| 
 | ||||
| 
 | ||||
| @pytest.mark.parametrize("device, state, is_luks, expected", | ||||
|                          ((d[0], d[1], d[2], d[3]) | ||||
|                           for d in LUKS_REMOVE_DATA)) | ||||
| def test_luks_remove(device, state, is_luks, expected, monkeypatch): | ||||
|     module = DummyModule() | ||||
| 
 | ||||
|     module.params["device"] = device | ||||
|     module.params["state"] = state | ||||
| 
 | ||||
|     monkeypatch.setattr(luks_device.CryptHandler, "is_luks", | ||||
|                         lambda x, y: is_luks) | ||||
|     crypt = luks_device.CryptHandler(module) | ||||
|     conditions = luks_device.ConditionsHandler(module, crypt) | ||||
|     assert conditions.luks_remove() == expected | ||||
| 
 | ||||
| 
 | ||||
| @pytest.mark.parametrize("device, keyfile, state, name, " | ||||
|                          "name_by_dev, expected", | ||||
|                          ((d[0], d[1], d[2], d[3], d[4], d[5]) | ||||
|                           for d in LUKS_OPEN_DATA)) | ||||
| def test_luks_open(device, keyfile, state, name, name_by_dev, | ||||
|                    expected, monkeypatch): | ||||
|     module = DummyModule() | ||||
|     module.params["device"] = device | ||||
|     module.params["keyfile"] = keyfile | ||||
|     module.params["state"] = state | ||||
|     module.params["name"] = name | ||||
| 
 | ||||
|     monkeypatch.setattr(luks_device.CryptHandler, | ||||
|                         "get_container_name_by_device", | ||||
|                         lambda x, y: name_by_dev) | ||||
|     crypt = luks_device.CryptHandler(module) | ||||
|     conditions = luks_device.ConditionsHandler(module, crypt) | ||||
|     try: | ||||
|         assert conditions.luks_open() == expected | ||||
|     except ValueError: | ||||
|         assert expected == "exception" | ||||
| 
 | ||||
| 
 | ||||
| @pytest.mark.parametrize("device, dev_by_name, name, name_by_dev, " | ||||
|                          "state, expected", | ||||
|                          ((d[0], d[1], d[2], d[3], d[4], d[5]) | ||||
|                           for d in LUKS_CLOSE_DATA)) | ||||
| def test_luks_close(device, dev_by_name, name, name_by_dev, state, | ||||
|                     expected, monkeypatch): | ||||
|     module = DummyModule() | ||||
|     module.params["device"] = device | ||||
|     module.params["name"] = name | ||||
|     module.params["state"] = state | ||||
| 
 | ||||
|     monkeypatch.setattr(luks_device.CryptHandler, | ||||
|                         "get_container_name_by_device", | ||||
|                         lambda x, y: name_by_dev) | ||||
|     monkeypatch.setattr(luks_device.CryptHandler, | ||||
|                         "get_container_device_by_name", | ||||
|                         lambda x, y: dev_by_name) | ||||
|     crypt = luks_device.CryptHandler(module) | ||||
|     conditions = luks_device.ConditionsHandler(module, crypt) | ||||
|     assert conditions.luks_close() == expected | ||||
| 
 | ||||
| 
 | ||||
| @pytest.mark.parametrize("device, keyfile, new_keyfile, state, expected", | ||||
|                          ((d[0], d[1], d[2], d[3], d[4]) | ||||
|                           for d in LUKS_ADD_KEY_DATA)) | ||||
| def test_luks_add_key(device, keyfile, new_keyfile, state, expected, monkeypatch): | ||||
|     module = DummyModule() | ||||
|     module.params["device"] = device | ||||
|     module.params["keyfile"] = keyfile | ||||
|     module.params["new_keyfile"] = new_keyfile | ||||
|     module.params["state"] = state | ||||
| 
 | ||||
|     conditions = luks_device.ConditionsHandler(module, module) | ||||
|     try: | ||||
|         assert conditions.luks_add_key() == expected | ||||
|     except ValueError: | ||||
|         assert expected == "exception" | ||||
| 
 | ||||
| 
 | ||||
| @pytest.mark.parametrize("device, remove_keyfile, state, expected", | ||||
|                          ((d[0], d[1], d[2], d[3]) | ||||
|                           for d in LUKS_REMOVE_KEY_DATA)) | ||||
| def test_luks_remove_key(device, remove_keyfile, state, expected, monkeypatch): | ||||
| 
 | ||||
|     module = DummyModule() | ||||
|     module.params["device"] = device | ||||
|     module.params["remove_keyfile"] = remove_keyfile | ||||
|     module.params["state"] = state | ||||
| 
 | ||||
|     conditions = luks_device.ConditionsHandler(module, module) | ||||
|     try: | ||||
|         assert conditions.luks_remove_key() == expected | ||||
|     except ValueError: | ||||
|         assert expected == "exception" | ||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue