diff --git a/cmd/config.go b/cmd/config.go new file mode 100644 index 0000000..32b7517 --- /dev/null +++ b/cmd/config.go @@ -0,0 +1,45 @@ +package cmd + +import ( + "fmt" + "os" + + "git.wntrmute.dev/kyle/arca/internal/config" + "github.com/spf13/cobra" +) + +var configCmd = &cobra.Command{ + Use: "config", + Short: "Manage arca configuration", +} + +var configCheckCmd = &cobra.Command{ + Use: "check", + Short: "Validate the config file", + RunE: runConfigCheck, +} + +func init() { + configCmd.AddCommand(configCheckCmd) + rootCmd.AddCommand(configCmd) +} + +func runConfigCheck(cmd *cobra.Command, args []string) error { + cfg := config.Load() + + if len(cfg.Devices) == 0 { + fmt.Println("No devices configured.") + return nil + } + + errs := config.Validate(cfg) + if len(errs) == 0 { + fmt.Printf("Config OK (%d device(s))\n", len(cfg.Devices)) + return nil + } + + for _, e := range errs { + fmt.Fprintln(os.Stderr, e) + } + return fmt.Errorf("config has %d issue(s)", len(errs)) +} diff --git a/cmd/format.go b/cmd/format.go new file mode 100644 index 0000000..6ea1760 --- /dev/null +++ b/cmd/format.go @@ -0,0 +1,19 @@ +package cmd + +import ( + "fmt" + + "git.wntrmute.dev/kyle/arca/internal/unlock" +) + +// formatMethod returns a parenthesized string describing how a device +// was unlocked, e.g. "(fido2, key slot 1)" or "(passphrase)". +func formatMethod(r *unlock.Result) string { + if r.Method == "" { + return "" + } + if r.KeySlot != "" { + return fmt.Sprintf("(%s, key slot %s)", r.Method, r.KeySlot) + } + return fmt.Sprintf("(%s)", r.Method) +} diff --git a/cmd/mount.go b/cmd/mount.go index f026670..e41c350 100644 --- a/cmd/mount.go +++ b/cmd/mount.go @@ -85,36 +85,43 @@ func runMount(cmd *cobra.Command, args []string) error { return err } + methodInfo := formatMethod(result) + if result.Privileged { mnt, err := cryptsetup.Mount(result.Device.DevicePath, mp) if err != nil { return fmt.Errorf("mounting: %w", err) } - fmt.Println(mnt) + fmt.Printf("%s %s\n", mnt, methodInfo) return nil } if mp != "" { fmt.Fprintf(os.Stderr, "warning: --mountpoint is ignored for udisks2 mounts (passphrase/keyfile path)\n") } - return doMount(client, result.Device, "") + return doMountWithInfo(client, result.Device, "", methodInfo) } func doMount(client *udisks.Client, cleartext *udisks.BlockDevice, mp string) error { + return doMountWithInfo(client, cleartext, mp, "") +} + +func doMountWithInfo(client *udisks.Client, cleartext *udisks.BlockDevice, mp, methodInfo string) error { + var mnt string + var err error if mp != "" { - // udisks2 doesn't support custom mount points; use privileged mount. - mnt, err := cryptsetup.Mount(cleartext.DevicePath, mp) - if err != nil { - return fmt.Errorf("mounting: %w", err) - } - fmt.Println(mnt) - return nil + mnt, err = cryptsetup.Mount(cleartext.DevicePath, mp) + } else { + mnt, err = client.Mount(cleartext) } - mnt, err := client.Mount(cleartext) if err != nil { return fmt.Errorf("mounting: %w", err) } - fmt.Println(mnt) + if methodInfo != "" { + fmt.Printf("%s %s\n", mnt, methodInfo) + } else { + fmt.Println(mnt) + } return nil } diff --git a/cmd/remove.go b/cmd/remove.go new file mode 100644 index 0000000..63fe86a --- /dev/null +++ b/cmd/remove.go @@ -0,0 +1,38 @@ +package cmd + +import ( + "fmt" + + "git.wntrmute.dev/kyle/arca/internal/config" + "github.com/spf13/cobra" +) + +var removeCmd = &cobra.Command{ + Use: "remove ", + Short: "Remove a device from the config", + Args: cobra.ExactArgs(1), + RunE: runRemove, + ValidArgsFunction: completeDeviceOrAlias, +} + +func init() { + rootCmd.AddCommand(removeCmd) +} + +func runRemove(cmd *cobra.Command, args []string) error { + alias := args[0] + cfg := config.Load() + + if _, ok := cfg.Devices[alias]; !ok { + return fmt.Errorf("no device with alias %q in config", alias) + } + + delete(cfg.Devices, alias) + + if err := cfg.Save(); err != nil { + return fmt.Errorf("saving config: %w", err) + } + + fmt.Printf("Removed %q from config\n", alias) + return nil +} diff --git a/cmd/status.go b/cmd/status.go index e87cea8..8ae79b7 100644 --- a/cmd/status.go +++ b/cmd/status.go @@ -10,6 +10,12 @@ import ( "github.com/spf13/cobra" ) +var ( + filterMounted bool + filterUnlocked bool + filterLocked bool +) + var statusCmd = &cobra.Command{ Use: "status", Short: "Show LUKS volume status", @@ -17,6 +23,9 @@ var statusCmd = &cobra.Command{ } func init() { + statusCmd.Flags().BoolVar(&filterMounted, "mounted", false, "show only mounted devices") + statusCmd.Flags().BoolVar(&filterUnlocked, "unlocked", false, "show only unlocked (but not mounted) devices") + statusCmd.Flags().BoolVar(&filterLocked, "locked", false, "show only locked devices") rootCmd.AddCommand(statusCmd) } @@ -34,6 +43,8 @@ func runStatus(cmd *cobra.Command, args []string) error { return err } + filtering := filterMounted || filterUnlocked || filterLocked + w := tabwriter.NewWriter(os.Stdout, 0, 4, 2, ' ', 0) fmt.Fprintln(w, "DEVICE\tUUID\tALIAS\tSTATE\tMOUNTPOINT") @@ -50,6 +61,23 @@ func runStatus(cmd *cobra.Command, args []string) error { } } + if filtering { + switch state { + case "mounted": + if !filterMounted { + continue + } + case "unlocked": + if !filterUnlocked { + continue + } + case "locked": + if !filterLocked { + continue + } + } + } + fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", dev.DevicePath, dev.UUID, alias, state, mountpoint) } diff --git a/cmd/unlock.go b/cmd/unlock.go index b07c4cc..d8a6d33 100644 --- a/cmd/unlock.go +++ b/cmd/unlock.go @@ -54,6 +54,6 @@ func runUnlock(cmd *cobra.Command, args []string) error { return err } - fmt.Printf("Unlocked %s -> %s\n", target, result.Device.DevicePath) + fmt.Printf("Unlocked %s -> %s %s\n", target, result.Device.DevicePath, formatMethod(result)) return nil } diff --git a/internal/config/validate.go b/internal/config/validate.go new file mode 100644 index 0000000..d5dcbca --- /dev/null +++ b/internal/config/validate.go @@ -0,0 +1,60 @@ +package config + +import ( + "fmt" + "os" + "regexp" +) + +var ( + ValidMethods = []string{"passphrase", "keyfile", "fido2", "tpm2"} + uuidPattern = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`) +) + +// Validate checks the config for common issues. Returns a list of errors. +func Validate(cfg *Config) []error { + var errs []error + + for alias, dev := range cfg.Devices { + if dev.UUID == "" { + errs = append(errs, fmt.Errorf("%s: missing uuid", alias)) + } else if !uuidPattern.MatchString(dev.UUID) { + errs = append(errs, fmt.Errorf("%s: malformed uuid %q", alias, dev.UUID)) + } + + for _, m := range dev.Methods { + if !isValidMethod(m) { + errs = append(errs, fmt.Errorf("%s: unknown method %q (valid: %v)", alias, m, ValidMethods)) + } + } + + hasKeyfileMethod := false + for _, m := range dev.Methods { + if m == "keyfile" { + hasKeyfileMethod = true + break + } + } + + if hasKeyfileMethod && dev.Keyfile == "" { + errs = append(errs, fmt.Errorf("%s: method 'keyfile' listed but no keyfile path set", alias)) + } + + if dev.Keyfile != "" { + if _, err := os.Stat(dev.Keyfile); err != nil { + errs = append(errs, fmt.Errorf("%s: keyfile %q not found (may be on removable media)", alias, dev.Keyfile)) + } + } + } + + return errs +} + +func isValidMethod(m string) bool { + for _, v := range ValidMethods { + if m == v { + return true + } + } + return false +} diff --git a/internal/cryptsetup/cryptsetup.go b/internal/cryptsetup/cryptsetup.go index 73621ca..17fdd43 100644 --- a/internal/cryptsetup/cryptsetup.go +++ b/internal/cryptsetup/cryptsetup.go @@ -1,31 +1,49 @@ package cryptsetup import ( + "bytes" "fmt" + "io" "os" "os/exec" "path/filepath" + "regexp" "strings" "git.wntrmute.dev/kyle/arca/internal/verbose" ) +// OpenResult holds information about a successful cryptsetup open. +type OpenResult struct { + KeySlot string // e.g., "1", or "" if not parsed +} + +var keySlotPattern = regexp.MustCompile(`Key slot (\d+) unlocked`) + // Open opens a LUKS device using cryptsetup with token-based unlock. -func Open(devicePath, mapperName string) error { - args := withTokenPluginEnv([]string{"cryptsetup", "open", devicePath, mapperName, "--token-only"}) +// Returns info about which key slot was used. +func Open(devicePath, mapperName string) (OpenResult, error) { + args := withTokenPluginEnv([]string{"cryptsetup", "open", devicePath, mapperName, "--token-only", "-v"}) args = withPrivilege(args) verbose.Printf("exec: %s", strings.Join(args, " ")) + var buf bytes.Buffer cmd := exec.Command(args[0], args[1:]...) cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr + cmd.Stderr = io.MultiWriter(os.Stderr, &buf) if err := cmd.Run(); err != nil { - return fmt.Errorf("cryptsetup open --token-only: %w", err) + return OpenResult{}, fmt.Errorf("cryptsetup open --token-only: %w", err) } - return nil + + var result OpenResult + if m := keySlotPattern.FindStringSubmatch(buf.String()); len(m) > 1 { + result.KeySlot = m[1] + } + + return result, nil } // Close closes a LUKS mapping. diff --git a/internal/unlock/unlock.go b/internal/unlock/unlock.go index 20b12d7..3133ee5 100644 --- a/internal/unlock/unlock.go +++ b/internal/unlock/unlock.go @@ -14,7 +14,9 @@ import ( // Result holds the outcome of a successful unlock. type Result struct { Device *udisks.BlockDevice - Privileged bool // true if unlock required root (cryptsetup path) + Privileged bool // true if unlock required root (cryptsetup path) + Method string // which method succeeded: "fido2", "tpm2", "passphrase", "keyfile" + KeySlot string // key slot used, from cryptsetup verbose output (or "") } // Options configures the unlock behavior. @@ -58,19 +60,19 @@ func (u *Unlocker) tryMethod(dev *udisks.BlockDevice, method string) (*Result, e if err != nil { return nil, err } - return &Result{Device: ct, Privileged: false}, nil + return &Result{Device: ct, Privileged: false, Method: method}, nil case "keyfile": ct, err := u.unlockKeyfile(dev) if err != nil { return nil, err } - return &Result{Device: ct, Privileged: false}, nil + return &Result{Device: ct, Privileged: false, Method: method}, nil case "fido2", "tpm2": - ct, err := u.unlockCryptsetup(dev) + ct, openResult, err := u.unlockCryptsetup(dev) if err != nil { return nil, err } - return &Result{Device: ct, Privileged: true}, nil + return &Result{Device: ct, Privileged: true, Method: method, KeySlot: openResult.KeySlot}, nil default: return nil, fmt.Errorf("unknown unlock method: %s", method) } @@ -98,19 +100,20 @@ func (u *Unlocker) unlockKeyfile(dev *udisks.BlockDevice) (*udisks.BlockDevice, return u.client.UnlockWithKeyfile(dev, contents) } -func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, error) { +func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, cryptsetup.OpenResult, error) { name := cryptsetup.MapperName(dev.DevicePath) - if err := cryptsetup.Open(dev.DevicePath, name); err != nil { - return nil, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err) + openResult, err := cryptsetup.Open(dev.DevicePath, name) + if err != nil { + return nil, openResult, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err) } // Wait for udisks2 to pick up the new dm device. for i := 0; i < 10; i++ { ct, err := u.client.CleartextDevice(dev) if err == nil { - return ct, nil + return ct, openResult, nil } time.Sleep(200 * time.Millisecond) } - return nil, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device") + return nil, openResult, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device") }