InhibitWhenLuks: modify the inhibitor to use LuksDump
Consume LuksDump messages to decide whether the upgrade process should be inhibited. If all devices are LUKS2 with clevis TPM2 binding, don't inhibit.
Showing
2 changed files
with
155 additions
and
30 deletions.
105 changes: 90 additions & 15 deletions
105
repos/system_upgrade/common/actors/inhibitwhenluks/tests/test_inhibitwhenluks.py
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,34 +1,109 @@ | ||
from leapp.models import CephInfo, LsblkEntry, StorageInfo | ||
from leapp.libraries.common.config import version | ||
from leapp.models import CephInfo, LuksDump, LuksToken, TargetUserSpaceUpgradeTasks | ||
from leapp.reporting import Report | ||
from leapp.snactor.fixture import current_actor_context | ||
from leapp.utils.report import is_inhibitor | ||
|
||
|
||
def test_actor_with_luks(current_actor_context): | ||
with_luks = [LsblkEntry(name='luks-132', kname='kname1', maj_min='253:0', rm='0', size='10G', bsize=10*(1 << 39), | ||
ro='0', tp='crypt', mountpoint='', parent_name='', parent_path='')] | ||
def test_actor_with_luks1(monkeypatch, current_actor_context): | ||
monkeypatch.setattr(version, 'get_target_major_version', lambda: '8') | ||
current_actor_context.feed(CephInfo(encrypted_volumes=[])) | ||
luks_dump = LuksDump( | ||
version=1, | ||
uuid="dd09e6d4-b595-4f1c-80b8-fd47540e6464", | ||
device_path="/dev/sda", | ||
device_name="sda") | ||
current_actor_context.feed(luks_dump) | ||
current_actor_context.run() | ||
assert current_actor_context.consume(Report) | ||
report_fields = current_actor_context.consume(Report)[0].report | ||
assert is_inhibitor(report_fields) | ||
assert not current_actor_context.consume(TargetUserSpaceUpgradeTasks) | ||
|
||
assert report_fields['title'].startswith("Detected LUKS1 encrypted partition") | ||
assert luks_dump.device_name in report_fields['title'] | ||
|
||
current_actor_context.feed(StorageInfo(lsblk=with_luks)) | ||
|
||
def test_actor_with_luks2(monkeypatch, current_actor_context): | ||
monkeypatch.setattr(version, 'get_target_major_version', lambda: '8') | ||
current_actor_context.feed(CephInfo(encrypted_volumes=[])) | ||
luks_dump = LuksDump( | ||
version=2, | ||
uuid="27b57c75-9adf-4744-ab04-9eb99726a301", | ||
device_path="/dev/sda", | ||
device_name="sda") | ||
current_actor_context.feed(luks_dump) | ||
current_actor_context.run() | ||
assert current_actor_context.consume(Report) | ||
report_fields = current_actor_context.consume(Report)[0].report | ||
assert is_inhibitor(report_fields) | ||
assert not current_actor_context.consume(TargetUserSpaceUpgradeTasks) | ||
|
||
assert luks_dump.device_name in report_fields['title'] | ||
assert "without clevis TPM2 binding" in report_fields['title'] | ||
|
||
def test_actor_with_luks_ceph_only(current_actor_context): | ||
with_luks = [LsblkEntry(name='luks-132', kname='kname1', maj_min='253:0', rm='0', size='10G', bsize=10*(1 << 39), | ||
ro='0', tp='crypt', mountpoint='', parent_name='', parent_path='')] | ||
ceph_volume = ['luks-132'] | ||
current_actor_context.feed(StorageInfo(lsblk=with_luks)) | ||
current_actor_context.feed(CephInfo(encrypted_volumes=ceph_volume)) | ||
|
||
def test_actor_with_luks2_invalid_token(monkeypatch, current_actor_context): | ||
monkeypatch.setattr(version, 'get_target_major_version', lambda: '8') | ||
current_actor_context.feed(CephInfo(encrypted_volumes=[])) | ||
luks_dump = LuksDump( | ||
version=2, | ||
uuid="dc1dbe37-6644-4094-9839-8fc5dcbec0c6", | ||
device_path="/dev/sda", | ||
device_name="sda", | ||
tokens=[LuksToken(token_id=0, keyslot=1, token_type="clevis")]) | ||
current_actor_context.feed(luks_dump) | ||
current_actor_context.run() | ||
assert current_actor_context.consume(Report) | ||
report_fields = current_actor_context.consume(Report)[0].report | ||
assert is_inhibitor(report_fields) | ||
|
||
assert luks_dump.device_name in report_fields['title'] | ||
assert "without clevis TPM2 binding" in report_fields['title'] | ||
assert not current_actor_context.consume(TargetUserSpaceUpgradeTasks) | ||
|
||
|
||
def test_actor_with_luks2_clevis_tpm_token(monkeypatch, current_actor_context): | ||
monkeypatch.setattr(version, 'get_target_major_version', lambda: '8') | ||
current_actor_context.feed(CephInfo(encrypted_volumes=[])) | ||
luks_dump = LuksDump( | ||
version=2, | ||
uuid="83050bd9-61c6-4ff0-846f-bfd3ac9bfc67", | ||
device_path="/dev/sda", | ||
device_name="sda", | ||
tokens=[LuksToken(token_id=0, keyslot=1, token_type="clevis-tpm2")]) | ||
current_actor_context.feed(luks_dump) | ||
current_actor_context.run() | ||
assert not current_actor_context.consume(Report) | ||
|
||
upgrade_tasks = current_actor_context.consume(TargetUserSpaceUpgradeTasks) | ||
assert len(upgrade_tasks) == 1 | ||
assert set(upgrade_tasks[0].install_rpms) == set([ | ||
'clevis', | ||
'clevis-dracut', | ||
'clevis-systemd', | ||
'clevis-udisks2', | ||
'clevis-luks', | ||
'cryptsetup', | ||
'tpm2-tss', | ||
'tpm2-tools', | ||
'tpm2-abrmd' | ||
]) | ||
|
||
def test_actor_without_luks(current_actor_context): | ||
without_luks = [LsblkEntry(name='sda1', kname='sda1', maj_min='8:0', rm='0', size='10G', bsize=10*(1 << 39), | ||
ro='0', tp='part', mountpoint='/boot', parent_name='', parent_path='')] | ||
|
||
current_actor_context.feed(StorageInfo(lsblk=without_luks)) | ||
def test_actor_with_luks2_ceph(monkeypatch, current_actor_context): | ||
monkeypatch.setattr(version, 'get_target_major_version', lambda: '8') | ||
ceph_volume = ['sda'] | ||
current_actor_context.feed(CephInfo(encrypted_volumes=ceph_volume)) | ||
luks_dump = LuksDump( | ||
version=2, | ||
uuid="0edb8c11-1a04-4abd-a12d-93433ee7b8d8", | ||
device_path="/dev/sda", | ||
device_name="sda", | ||
tokens=[LuksToken(token_id=0, keyslot=1, token_type="clevis")]) | ||
current_actor_context.feed(luks_dump) | ||
current_actor_context.run() | ||
assert not current_actor_context.consume(Report) | ||
|
||
# make sure we don't needlessly include clevis packages, when there is no clevis token | ||
assert not current_actor_context.consume(TargetUserSpaceUpgradeTasks) |
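Review bot: Every new test feeds exactly one `LuksDump`, so the "all devices" condition in the commit description is never exercised; there is no case with two devices where only one carries a `clevis-tpm2` token, which is where an any-vs-all mistake in the actor would let the upgrade proceed with a volume that cannot be unlocked unattended. I would add a test that feeds the bound device plus a second LUKS2 `LuksDump` without tokens and asserts `is_inhibitor(report_fields)` and `not current_actor_context.consume(TargetUserSpaceUpgradeTasks)`. The old `test_actor_without_luks` also appears to have no replacement in this section, so the path with no `LuksDump` messages at all looks untested. In `test_actor_with_luks2_ceph` the closing comment says there is no clevis token although the fixture carries one with `token_type="clevis"`; if the intent is that Ceph-managed devices are skipped, `# Ceph-managed device is skipped, so no clevis packages should be requested` would describe the setup more accurately.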