From 113e402da57bff2d21ea2a6028c13278c4519568 Mon Sep 17 00:00:00 2001 From: John Baublitz Date: Tue, 13 Aug 2024 11:40:23 -0400 Subject: [PATCH] Add password verification for stratis-min --- dracut/90stratis/stratis-rootfs-setup | 5 +++-- src/jsonrpc/client/utils.rs | 16 +++++++++++++--- tests/stratis_min.rs | 12 +++++++++++- 3 files changed, 27 insertions(+), 6 deletions(-) diff --git a/dracut/90stratis/stratis-rootfs-setup b/dracut/90stratis/stratis-rootfs-setup index aa9af1ca57..060829ca55 100755 --- a/dracut/90stratis/stratis-rootfs-setup +++ b/dracut/90stratis/stratis-rootfs-setup @@ -20,8 +20,9 @@ if $(stratis-min pool is-stopped "$STRATIS_ROOTFS_UUID"); then ATTEMPTS_REMAINING=3 if ! while [ $((ATTEMPTS_REMAINING--)) -gt 0 ]; do - systemd-ask-password --id="stratis:$STRATIS_ROOTFS_UUID" "Enter password for Stratis pool with UUID $STRATIS_ROOTFS_UUID containing root filesystem" | - stratis-min pool start --prompt --unlock-method=keyring "$STRATIS_ROOTFS_UUID" && break + PASSWORD=$(systemd-ask-password --id="stratis:$STRATIS_ROOTFS_UUID" "Enter password for Stratis pool with UUID $STRATIS_ROOTFS_UUID containing root filesystem") + + echo -e "$PASSWORD\n$PASSWORD\n" | stratis-min pool start --prompt --unlock-method=keyring "$STRATIS_ROOTFS_UUID" && break done then echo Failed to start pool with UUID $STRATIS_ROOTFS_UUID using a passphrase >&2 diff --git a/src/jsonrpc/client/utils.rs b/src/jsonrpc/client/utils.rs index a410e60c6b..f7e54f25cd 100644 --- a/src/jsonrpc/client/utils.rs +++ b/src/jsonrpc/client/utils.rs @@ -10,7 +10,7 @@ use std::{ use nix::unistd::isatty; use termios::{tcsetattr, Termios, ECHO, ECHONL, TCSADRAIN}; -use crate::stratis::StratisResult; +use crate::stratis::{StratisError, StratisResult}; #[macro_export] macro_rules! do_request { @@ -217,8 +217,8 @@ pub fn to_suffix_repr(size: u128) -> String { }) } -pub fn prompt_password() -> StratisResult> { - print!("Enter passphrase followed by return: "); +pub fn get_passphrase(msg: &str) -> StratisResult> { + print!("{}", msg); stdout().flush()?; let stdin = stdin(); @@ -252,6 +252,16 @@ pub fn prompt_password() -> StratisResult> { } } +pub fn prompt_password() -> StratisResult> { + let pass = get_passphrase("Enter passphrase followed by return: ")?; + let verify_pass = get_passphrase("Verify passphrase: ")?; + if pass != verify_pass { + Err(StratisError::Msg("Passphrases did not match".to_string())) + } else { + Ok(pass) + } +} + #[cfg(test)] mod tests { use super::*; diff --git a/tests/stratis_min.rs b/tests/stratis_min.rs index d942f5481e..4f0be76f42 100644 --- a/tests/stratis_min.rs +++ b/tests/stratis_min.rs @@ -634,7 +634,7 @@ fn test_stratis_min_list_defaults() { fn stratis_min_key_set() { let mut cmd = Command::cargo_bin("stratis-min").unwrap(); - cmd.write_stdin("thisisatestpassphrase\n") + cmd.write_stdin("thisisatestpassphrase\nthisisatestpassphrase\n") .arg("key") .arg("set") .arg("--capture-key") @@ -643,6 +643,16 @@ fn stratis_min_key_set() { let mut cmd = Command::cargo_bin("stratis-min").unwrap(); cmd.arg("key").arg("unset").arg("testkey"); cmd.assert().success(); + + let mut cmd = Command::cargo_bin("stratis-min").unwrap(); + cmd.write_stdin("thisisatestpassphrase\ndoesnotmatch\n") + .arg("key") + .arg("set") + .arg("--capture-key") + .arg("testkey1"); + cmd.assert() + .failure() + .stderr(predicate::str::contains("Passphrases did not match")); } #[test]