Add config validation, remove command, status filtering, and unlock method display

config check: validates UUID format, recognized methods, keyfile consistency and existence. Reports all issues with alias context. remove: deletes a device from config by alias. Inverse of add. status: --mounted, --unlocked, --locked flags filter the device table. Flags combine as OR. mount/unlock: display which method succeeded and key slot used, e.g. "(fido2, key slot 1)". cryptsetup Open now runs with -v and parses "Key slot N unlocked" from stderr via io.MultiWriter. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 10:22:52 -07:00
parent ce10c41466
commit e9247c720a
9 changed files with 245 additions and 27 deletions
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -0,0 +1,45 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"git.wntrmute.dev/kyle/arca/internal/config"
+	"github.com/spf13/cobra"
+)
+
+var configCmd = &cobra.Command{
+	Use:   "config",
+	Short: "Manage arca configuration",
+}
+
+var configCheckCmd = &cobra.Command{
+	Use:   "check",
+	Short: "Validate the config file",
+	RunE:  runConfigCheck,
+}
+
+func init() {
+	configCmd.AddCommand(configCheckCmd)
+	rootCmd.AddCommand(configCmd)
+}
+
+func runConfigCheck(cmd *cobra.Command, args []string) error {
+	cfg := config.Load()
+
+	if len(cfg.Devices) == 0 {
+		fmt.Println("No devices configured.")
+		return nil
+	}
+
+	errs := config.Validate(cfg)
+	if len(errs) == 0 {
+		fmt.Printf("Config OK (%d device(s))\n", len(cfg.Devices))
+		return nil
+	}
+
+	for _, e := range errs {
+		fmt.Fprintln(os.Stderr, e)
+	}
+	return fmt.Errorf("config has %d issue(s)", len(errs))
+}
--- a/cmd/format.go
+++ b/cmd/format.go
@@ -0,0 +1,19 @@
+package cmd
+
+import (
+	"fmt"
+
+	"git.wntrmute.dev/kyle/arca/internal/unlock"
+)
+
+// formatMethod returns a parenthesized string describing how a device
+// was unlocked, e.g. "(fido2, key slot 1)" or "(passphrase)".
+func formatMethod(r *unlock.Result) string {
+	if r.Method == "" {
+		return ""
+	}
+	if r.KeySlot != "" {
+		return fmt.Sprintf("(%s, key slot %s)", r.Method, r.KeySlot)
+	}
+	return fmt.Sprintf("(%s)", r.Method)
+}
--- a/cmd/mount.go
+++ b/cmd/mount.go
@@ -85,36 +85,43 @@ func runMount(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	methodInfo := formatMethod(result)
+
 	if result.Privileged {
 		mnt, err := cryptsetup.Mount(result.Device.DevicePath, mp)
 		if err != nil {
 			return fmt.Errorf("mounting: %w", err)
 		}
-		fmt.Println(mnt)
+		fmt.Printf("%s %s\n", mnt, methodInfo)
 		return nil
 	}

 	if mp != "" {
 		fmt.Fprintf(os.Stderr, "warning: --mountpoint is ignored for udisks2 mounts (passphrase/keyfile path)\n")
 	}
-	return doMount(client, result.Device, "")
+	return doMountWithInfo(client, result.Device, "", methodInfo)
 }

 func doMount(client *udisks.Client, cleartext *udisks.BlockDevice, mp string) error {
+	return doMountWithInfo(client, cleartext, mp, "")
+}
+
+func doMountWithInfo(client *udisks.Client, cleartext *udisks.BlockDevice, mp, methodInfo string) error {
+	var mnt string
+	var err error
 	if mp != "" {
-		// udisks2 doesn't support custom mount points; use privileged mount.
-		mnt, err := cryptsetup.Mount(cleartext.DevicePath, mp)
-		if err != nil {
-			return fmt.Errorf("mounting: %w", err)
-		}
-		fmt.Println(mnt)
-		return nil
+		mnt, err = cryptsetup.Mount(cleartext.DevicePath, mp)
+	} else {
+		mnt, err = client.Mount(cleartext)
 	}
-	mnt, err := client.Mount(cleartext)
 	if err != nil {
 		return fmt.Errorf("mounting: %w", err)
 	}
-	fmt.Println(mnt)
+	if methodInfo != "" {
+		fmt.Printf("%s %s\n", mnt, methodInfo)
+	} else {
+		fmt.Println(mnt)
+	}
 	return nil
 }

--- a/cmd/remove.go
+++ b/cmd/remove.go
@@ -0,0 +1,38 @@
+package cmd
+
+import (
+	"fmt"
+
+	"git.wntrmute.dev/kyle/arca/internal/config"
+	"github.com/spf13/cobra"
+)
+
+var removeCmd = &cobra.Command{
+	Use:               "remove <alias>",
+	Short:             "Remove a device from the config",
+	Args:              cobra.ExactArgs(1),
+	RunE:              runRemove,
+	ValidArgsFunction: completeDeviceOrAlias,
+}
+
+func init() {
+	rootCmd.AddCommand(removeCmd)
+}
+
+func runRemove(cmd *cobra.Command, args []string) error {
+	alias := args[0]
+	cfg := config.Load()
+
+	if _, ok := cfg.Devices[alias]; !ok {
+		return fmt.Errorf("no device with alias %q in config", alias)
+	}
+
+	delete(cfg.Devices, alias)
+
+	if err := cfg.Save(); err != nil {
+		return fmt.Errorf("saving config: %w", err)
+	}
+
+	fmt.Printf("Removed %q from config\n", alias)
+	return nil
+}
--- a/cmd/status.go
+++ b/cmd/status.go
@@ -10,6 +10,12 @@ import (
 	"github.com/spf13/cobra"
 )

+var (
+	filterMounted  bool
+	filterUnlocked bool
+	filterLocked   bool
+)
+
 var statusCmd = &cobra.Command{
 	Use:   "status",
 	Short: "Show LUKS volume status",
@@ -17,6 +23,9 @@ var statusCmd = &cobra.Command{
 }

 func init() {
+	statusCmd.Flags().BoolVar(&filterMounted, "mounted", false, "show only mounted devices")
+	statusCmd.Flags().BoolVar(&filterUnlocked, "unlocked", false, "show only unlocked (but not mounted) devices")
+	statusCmd.Flags().BoolVar(&filterLocked, "locked", false, "show only locked devices")
 	rootCmd.AddCommand(statusCmd)
 }

@@ -34,6 +43,8 @@ func runStatus(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	filtering := filterMounted || filterUnlocked || filterLocked
+
 	w := tabwriter.NewWriter(os.Stdout, 0, 4, 2, ' ', 0)
 	fmt.Fprintln(w, "DEVICE\tUUID\tALIAS\tSTATE\tMOUNTPOINT")

@@ -50,6 +61,23 @@ func runStatus(cmd *cobra.Command, args []string) error {
 			}
 		}

+		if filtering {
+			switch state {
+			case "mounted":
+				if !filterMounted {
+					continue
+				}
+			case "unlocked":
+				if !filterUnlocked {
+					continue
+				}
+			case "locked":
+				if !filterLocked {
+					continue
+				}
+			}
+		}
+
 		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n",
 			dev.DevicePath, dev.UUID, alias, state, mountpoint)
 	}
--- a/cmd/unlock.go
+++ b/cmd/unlock.go
@@ -54,6 +54,6 @@ func runUnlock(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	fmt.Printf("Unlocked %s -> %s\n", target, result.Device.DevicePath)
+	fmt.Printf("Unlocked %s -> %s %s\n", target, result.Device.DevicePath, formatMethod(result))
 	return nil
 }
--- a/internal/config/validate.go
+++ b/internal/config/validate.go
@@ -0,0 +1,60 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+)
+
+var (
+	ValidMethods = []string{"passphrase", "keyfile", "fido2", "tpm2"}
+	uuidPattern  = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
+)
+
+// Validate checks the config for common issues. Returns a list of errors.
+func Validate(cfg *Config) []error {
+	var errs []error
+
+	for alias, dev := range cfg.Devices {
+		if dev.UUID == "" {
+			errs = append(errs, fmt.Errorf("%s: missing uuid", alias))
+		} else if !uuidPattern.MatchString(dev.UUID) {
+			errs = append(errs, fmt.Errorf("%s: malformed uuid %q", alias, dev.UUID))
+		}
+
+		for _, m := range dev.Methods {
+			if !isValidMethod(m) {
+				errs = append(errs, fmt.Errorf("%s: unknown method %q (valid: %v)", alias, m, ValidMethods))
+			}
+		}
+
+		hasKeyfileMethod := false
+		for _, m := range dev.Methods {
+			if m == "keyfile" {
+				hasKeyfileMethod = true
+				break
+			}
+		}
+
+		if hasKeyfileMethod && dev.Keyfile == "" {
+			errs = append(errs, fmt.Errorf("%s: method 'keyfile' listed but no keyfile path set", alias))
+		}
+
+		if dev.Keyfile != "" {
+			if _, err := os.Stat(dev.Keyfile); err != nil {
+				errs = append(errs, fmt.Errorf("%s: keyfile %q not found (may be on removable media)", alias, dev.Keyfile))
+			}
+		}
+	}
+
+	return errs
+}
+
+func isValidMethod(m string) bool {
+	for _, v := range ValidMethods {
+		if m == v {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/cryptsetup/cryptsetup.go
+++ b/internal/cryptsetup/cryptsetup.go
@@ -1,31 +1,49 @@
 package cryptsetup

 import (
+	"bytes"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"strings"

 	"git.wntrmute.dev/kyle/arca/internal/verbose"
 )

+// OpenResult holds information about a successful cryptsetup open.
+type OpenResult struct {
+	KeySlot string // e.g., "1", or "" if not parsed
+}
+
+var keySlotPattern = regexp.MustCompile(`Key slot (\d+) unlocked`)
+
 // Open opens a LUKS device using cryptsetup with token-based unlock.
-func Open(devicePath, mapperName string) error {
-	args := withTokenPluginEnv([]string{"cryptsetup", "open", devicePath, mapperName, "--token-only"})
+// Returns info about which key slot was used.
+func Open(devicePath, mapperName string) (OpenResult, error) {
+	args := withTokenPluginEnv([]string{"cryptsetup", "open", devicePath, mapperName, "--token-only", "-v"})
 	args = withPrivilege(args)

 	verbose.Printf("exec: %s", strings.Join(args, " "))

+	var buf bytes.Buffer
 	cmd := exec.Command(args[0], args[1:]...)
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
+	cmd.Stderr = io.MultiWriter(os.Stderr, &buf)

 	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("cryptsetup open --token-only: %w", err)
+		return OpenResult{}, fmt.Errorf("cryptsetup open --token-only: %w", err)
 	}
-	return nil
+
+	var result OpenResult
+	if m := keySlotPattern.FindStringSubmatch(buf.String()); len(m) > 1 {
+		result.KeySlot = m[1]
+	}
+
+	return result, nil
 }

 // Close closes a LUKS mapping.
--- a/internal/unlock/unlock.go
+++ b/internal/unlock/unlock.go
@@ -14,7 +14,9 @@ import (
 // Result holds the outcome of a successful unlock.
 type Result struct {
 	Device     *udisks.BlockDevice
-	Privileged bool // true if unlock required root (cryptsetup path)
+	Privileged bool   // true if unlock required root (cryptsetup path)
+	Method     string // which method succeeded: "fido2", "tpm2", "passphrase", "keyfile"
+	KeySlot    string // key slot used, from cryptsetup verbose output (or "")
 }

 // Options configures the unlock behavior.
@@ -58,19 +60,19 @@ func (u *Unlocker) tryMethod(dev *udisks.BlockDevice, method string) (*Result, e
 		if err != nil {
 			return nil, err
 		}
-		return &Result{Device: ct, Privileged: false}, nil
+		return &Result{Device: ct, Privileged: false, Method: method}, nil
 	case "keyfile":
 		ct, err := u.unlockKeyfile(dev)
 		if err != nil {
 			return nil, err
 		}
-		return &Result{Device: ct, Privileged: false}, nil
+		return &Result{Device: ct, Privileged: false, Method: method}, nil
 	case "fido2", "tpm2":
-		ct, err := u.unlockCryptsetup(dev)
+		ct, openResult, err := u.unlockCryptsetup(dev)
 		if err != nil {
 			return nil, err
 		}
-		return &Result{Device: ct, Privileged: true}, nil
+		return &Result{Device: ct, Privileged: true, Method: method, KeySlot: openResult.KeySlot}, nil
 	default:
 		return nil, fmt.Errorf("unknown unlock method: %s", method)
 	}
@@ -98,19 +100,20 @@ func (u *Unlocker) unlockKeyfile(dev *udisks.BlockDevice) (*udisks.BlockDevice,
 	return u.client.UnlockWithKeyfile(dev, contents)
 }

-func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, error) {
+func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, cryptsetup.OpenResult, error) {
 	name := cryptsetup.MapperName(dev.DevicePath)
-	if err := cryptsetup.Open(dev.DevicePath, name); err != nil {
-		return nil, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err)
+	openResult, err := cryptsetup.Open(dev.DevicePath, name)
+	if err != nil {
+		return nil, openResult, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err)
 	}

 	// Wait for udisks2 to pick up the new dm device.
 	for i := 0; i < 10; i++ {
 		ct, err := u.client.CleartextDevice(dev)
 		if err == nil {
-			return ct, nil
+			return ct, openResult, nil
 		}
 		time.Sleep(200 * time.Millisecond)
 	}
-	return nil, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device")
+	return nil, openResult, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device")
 }