From 49a751274339260fb08d49ba53854bff79a984bd Mon Sep 17 00:00:00 2001
From: shimun
Date: Sat, 17 Oct 2020 18:27:12 +0200
Subject: [PATCH] dry-run
---
 src/cli.rs | 7 +++++--
 src/cli_args/config.rs | 2 +-
 src/cli_args/mod.rs | 3 +++
 src/luks.rs | 11 +++++++++--
 4 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/cli.rs b/src/cli.rs
index 6607946..7a40941 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -358,6 +358,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 name,
 credentials,
 retries,
+ dry_run,
 } => {
 let inputs = |q: &str, verify: bool| -> Fido2LuksResult<(Option, [u8; 32])> {
 get_input(&secret, &authenticator, args.interactive, q, verify)
@@ -378,8 +379,9 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 let mut luks_dev = LuksDevice::load(&luks.device)?;
 loop {
 let slot = if let Some(ref credentials) = credentials.ids {
- secret(Cow::Borrowed(&credentials.0))
- .and_then(|(secret, _cred)| luks_dev.activate(&name, &secret, luks.slot))
+ secret(Cow::Borrowed(&credentials.0)).and_then(|(secret, _cred)| {
+ luks_dev.activate(&name, &secret, luks.slot, *dry_run)
+ })
 } else if luks_dev.is_luks2()? && !luks.disable_token {
 luks_dev.activate_token(
 &name,
@@ -392,6 +394,7 @@ pub fn run_cli() -> Fido2LuksResult<()> {
 .map(|(secret, cred)| (secret, hex::encode(&cred.id)))
 }),
 luks.slot,
+ *dry_run,
 )
 } else if luks_dev.is_luks2()? && luks.disable_token {
 // disable-token is mostly cosmetic in this instance
diff --git a/src/cli_args/config.rs b/src/cli_args/config.rs
index 00bdbbc..bb1bb57 100644
--- a/src/cli_args/config.rs
+++ b/src/cli_args/config.rs
@@ -210,7 +210,7 @@ mod test {
 fn input_salt_obtain() {
 assert_eq!(
 SecretInput::String("abc".into())
- .obtain_sha256(None)
+ .obtain_sha256(Some(|| Ok("123456".to_string())))
 .unwrap(),
 [
 186, 120, 22, 191, 143, 1, 207, 234, 65, 65, 64, 222, 93, 174, 34, 35, 176, 3, 97,
diff --git a/src/cli_args/mod.rs b/src/cli_args/mod.rs
index a682655..5b9acad 100644
--- a/src/cli_args/mod.rs
+++ b/src/cli_args/mod.rs
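Review bot: In the src/cli_args/config.rs hunk, the `input_salt_obtain` test now passes a password helper, `Some(|| Ok("123456".to_string()))`, but the expected digest is unchanged and its visible prefix is still the SHA-256 of "abc", so the test does not show whether the helper's output is deliberately ignored for `SecretInput::String` or the helper is simply never called. A comment on the changed line would record the intent, for example `// the helper must not influence a String salt` if that is the contract being pinned. The change also looks unrelated to the dry-run flag named in the subject, so a sentence in the commit message explaining why the argument had to change would help later readers. The test body continues past the end of the hunk.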
@@ -239,6 +239,9 @@ pub enum Command {
 secret: SecretParameters,
 #[structopt(short = "r", long = "max-retries", default_value = "0")]
 retries: i32,
+ /// Don't actually mount the LUKS image
+ #[structopt(long = "dry-run")]
+ dry_run: bool,
 },
 /// Generate a new FIDO credential
 #[structopt(name = "credential")]
diff --git a/src/luks.rs b/src/luks.rs
index 7b024ca..fc40183 100644
--- a/src/luks.rs
+++ b/src/luks.rs
@@ -237,10 +237,16 @@ impl LuksDevice {
 name: &str,
 secret: &[u8],
 slot_hint: Option,
+ dry_run: bool,
 ) -> Fido2LuksResult {
 self.device
 .activate_handle()
- .activate_by_passphrase(Some(name), slot_hint, secret, CryptActivateFlags::empty())
+ .activate_by_passphrase(
+ Some(name).filter(|_| !dry_run),
+ slot_hint,
+ secret,
+ CryptActivateFlags::empty(),
+ )
 .map_err(LuksError::activate)
 }
 
@@ -249,6 +255,7 @@ impl LuksDevice {
 name: &str,
 secret: impl Fn(Vec) -> Fido2LuksResult<([u8; 32], String)>,
 slot_hint: Option,
+ dry_run: bool,
 ) -> Fido2LuksResult {
 if !self.is_luks2()? {
 return Err(LuksError::Luks2Required.into());
@@ -292,7 +299,7 @@ impl LuksDevice {
 .chain(std::iter::once(None).take(slots.is_empty() as usize)), // Try all slots as last resort
 );
 for slot in slots {
- match self.activate(name, &secret, slot) {
+ match self.activate(name, &secret, slot, dry_run) {
 Err(Fido2LuksError::WrongSecret) => (),
 res => return res,
 }
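Review bot: The help text added for `--dry-run` in the src/cli_args/mod.rs hunk says the flag skips mounting, but the src/luks.rs change in this patch only withholds the mapping name, so the secret is still derived and tried against the keyslots. Wording such as `/// Check the secret against the keyslots without activating (mapping) the LUKS device` would tell the user that the unlock procedure, presumably including the authenticator interaction, still runs. The enclosing `Command` variant starts outside the hunk.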
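Review bot: In `LuksDevice::activate` (first src/luks.rs hunk), `Some(name).filter(|_| !dry_run)` obscures the one step that implements dry-run: calling `activate_by_passphrase` with no name, which in libcryptsetup only checks the passphrase and creates no mapping. A plain `let name = if dry_run { None } else { Some(name) };` before the call, with the comment `// no name: the passphrase is only verified, nothing is mapped`, is easier to audit. The method also has no doc comment saying what it returns under `dry_run`; presumably it is still the keyslot that accepted the secret, which is worth confirming against the binding and writing down. `activate_token` in the next hunk gains the same positional `bool` and would benefit from the same doc line. Both signatures start outside their hunks.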