kyle/arca
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: kyle:v1.2.1
Branches Tags
kyle:master
kyle:v1.3.0 kyle:v1.2.1 kyle:v1.2.0 kyle:v1.1.0 kyle:v1.0.0
..
compare: kyle:v1.3.0
Branches Tags
kyle:master
kyle:v1.3.0 kyle:v1.2.1 kyle:v1.2.0 kyle:v1.1.0 kyle:v1.0.0

2 Commits
v1.2.1 ... v1.3.0

Author SHA1 Message Date
Kyle Isom
4d014f7872 Bump version to 1.3.0 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-24 11:04:42 -07:00
Kyle Isom
e9247c720a Add config validation, remove command, status filtering, and unlock method display 
config check: validates UUID format, recognized methods, keyfile
consistency and existence. Reports all issues with alias context.

remove: deletes a device from config by alias. Inverse of add.

status: --mounted, --unlocked, --locked flags filter the device table.
Flags combine as OR.

mount/unlock: display which method succeeded and key slot used, e.g.
"(fido2, key slot 1)". cryptsetup Open now runs with -v and parses
"Key slot N unlocked" from stderr via io.MultiWriter.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-24 10:22:52 -07:00
10 changed files with 246 additions and 28 deletions
Expand all files Collapse all files

45
cmd/config.go Normal file
View File

@@ -0,0 +1,45 @@
package cmd
import (
"fmt"
"os"
"git.wntrmute.dev/kyle/arca/internal/config"
"github.com/spf13/cobra"
)
var configCmd = &cobra.Command{
Use: "config",
Short: "Manage arca configuration",
}
var configCheckCmd = &cobra.Command{
Use: "check",
Short: "Validate the config file",
RunE: runConfigCheck,
}
func init() {
configCmd.AddCommand(configCheckCmd)
rootCmd.AddCommand(configCmd)
}
func runConfigCheck(cmd *cobra.Command, args []string) error {
cfg := config.Load()
if len(cfg.Devices) == 0 {
fmt.Println("No devices configured.")
return nil
}
errs := config.Validate(cfg)
if len(errs) == 0 {
fmt.Printf("Config OK (%d device(s))\n", len(cfg.Devices))
return nil
}
for _, e := range errs {
fmt.Fprintln(os.Stderr, e)
}
return fmt.Errorf("config has %d issue(s)", len(errs))
}

19
cmd/format.go Normal file
View File

@@ -0,0 +1,19 @@
package cmd
import (
"fmt"
"git.wntrmute.dev/kyle/arca/internal/unlock"
)
// formatMethod returns a parenthesized string describing how a device
// was unlocked, e.g. "(fido2, key slot 1)" or "(passphrase)".
func formatMethod(r *unlock.Result) string {
if r.Method == "" {
return ""
}
if r.KeySlot != "" {
return fmt.Sprintf("(%s, key slot %s)", r.Method, r.KeySlot)
}
return fmt.Sprintf("(%s)", r.Method)
}

29
cmd/mount.go
View File

@@ -85,36 +85,43 @@ func runMount(cmd *cobra.Command, args []string) error {
return err return err
} }
methodInfo := formatMethod(result)
if result.Privileged { if result.Privileged {
mnt, err := cryptsetup.Mount(result.Device.DevicePath, mp) mnt, err := cryptsetup.Mount(result.Device.DevicePath, mp)
if err != nil { if err != nil {
return fmt.Errorf("mounting: %w", err) return fmt.Errorf("mounting: %w", err)
} }
fmt.Println(mnt) fmt.Printf("%s %s\n", mnt, methodInfo)
return nil return nil
} }
if mp != "" { if mp != "" {
fmt.Fprintf(os.Stderr, "warning: --mountpoint is ignored for udisks2 mounts (passphrase/keyfile path)\n") fmt.Fprintf(os.Stderr, "warning: --mountpoint is ignored for udisks2 mounts (passphrase/keyfile path)\n")
} }
return doMount(client, result.Device, "") return doMountWithInfo(client, result.Device, "", methodInfo)
} }
func doMount(client *udisks.Client, cleartext *udisks.BlockDevice, mp string) error { func doMount(client *udisks.Client, cleartext *udisks.BlockDevice, mp string) error {
return doMountWithInfo(client, cleartext, mp, "")
}
func doMountWithInfo(client *udisks.Client, cleartext *udisks.BlockDevice, mp, methodInfo string) error {
var mnt string
var err error
if mp != "" { if mp != "" {
// udisks2 doesn't support custom mount points; use privileged mount. mnt, err = cryptsetup.Mount(cleartext.DevicePath, mp)
mnt, err := cryptsetup.Mount(cleartext.DevicePath, mp) } else {
if err != nil { mnt, err = client.Mount(cleartext)
return fmt.Errorf("mounting: %w", err)
}
fmt.Println(mnt)
return nil
} }
mnt, err := client.Mount(cleartext)
if err != nil { if err != nil {
return fmt.Errorf("mounting: %w", err) return fmt.Errorf("mounting: %w", err)
} }
fmt.Println(mnt) if methodInfo != "" {
fmt.Printf("%s %s\n", mnt, methodInfo)
} else {
fmt.Println(mnt)
}
return nil return nil
} }

38
cmd/remove.go Normal file
View File

@@ -0,0 +1,38 @@
package cmd
import (
"fmt"
"git.wntrmute.dev/kyle/arca/internal/config"
"github.com/spf13/cobra"
)
var removeCmd = &cobra.Command{
Use: "remove <alias>",
Short: "Remove a device from the config",
Args: cobra.ExactArgs(1),
RunE: runRemove,
ValidArgsFunction: completeDeviceOrAlias,
}
func init() {
rootCmd.AddCommand(removeCmd)
}
func runRemove(cmd *cobra.Command, args []string) error {
alias := args[0]
cfg := config.Load()
if _, ok := cfg.Devices[alias]; !ok {
return fmt.Errorf("no device with alias %q in config", alias)
}
delete(cfg.Devices, alias)
if err := cfg.Save(); err != nil {
return fmt.Errorf("saving config: %w", err)
}
fmt.Printf("Removed %q from config\n", alias)
return nil
}

28
cmd/status.go
View File

@@ -10,6 +10,12 @@ import (
"github.com/spf13/cobra" "github.com/spf13/cobra"
) )
var (
filterMounted bool
filterUnlocked bool
filterLocked bool
)
var statusCmd = &cobra.Command{ var statusCmd = &cobra.Command{
Use: "status", Use: "status",
Short: "Show LUKS volume status", Short: "Show LUKS volume status",
@@ -17,6 +23,9 @@ var statusCmd = &cobra.Command{
} }
func init() { func init() {
statusCmd.Flags().BoolVar(&filterMounted, "mounted", false, "show only mounted devices")
statusCmd.Flags().BoolVar(&filterUnlocked, "unlocked", false, "show only unlocked (but not mounted) devices")
statusCmd.Flags().BoolVar(&filterLocked, "locked", false, "show only locked devices")
rootCmd.AddCommand(statusCmd) rootCmd.AddCommand(statusCmd)
} }
@@ -34,6 +43,8 @@ func runStatus(cmd *cobra.Command, args []string) error {
return err return err
} }
filtering := filterMounted || filterUnlocked || filterLocked
w := tabwriter.NewWriter(os.Stdout, 0, 4, 2, ' ', 0) w := tabwriter.NewWriter(os.Stdout, 0, 4, 2, ' ', 0)
fmt.Fprintln(w, "DEVICE\tUUID\tALIAS\tSTATE\tMOUNTPOINT") fmt.Fprintln(w, "DEVICE\tUUID\tALIAS\tSTATE\tMOUNTPOINT")
@@ -50,6 +61,23 @@ func runStatus(cmd *cobra.Command, args []string) error {
} }
} }
if filtering {
switch state {
case "mounted":
if !filterMounted {
continue
}
case "unlocked":
if !filterUnlocked {
continue
}
case "locked":
if !filterLocked {
continue
}
}
}
fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n",
dev.DevicePath, dev.UUID, alias, state, mountpoint) dev.DevicePath, dev.UUID, alias, state, mountpoint)
} }

2
cmd/unlock.go
View File

@@ -54,6 +54,6 @@ func runUnlock(cmd *cobra.Command, args []string) error {
return err return err
} }
fmt.Printf("Unlocked %s -> %s\n", target, result.Device.DevicePath) fmt.Printf("Unlocked %s -> %s %s\n", target, result.Device.DevicePath, formatMethod(result))
return nil return nil
} }

2
flake.nix
View File

@@ -10,7 +10,7 @@
let let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
version = "1.2.0"; version = "1.3.0";
in in
{ {
packages.${system}.default = pkgs.buildGoModule { packages.${system}.default = pkgs.buildGoModule {

60
internal/config/validate.go Normal file
View File

@@ -0,0 +1,60 @@
package config
import (
"fmt"
"os"
"regexp"
)
var (
ValidMethods = []string{"passphrase", "keyfile", "fido2", "tpm2"}
uuidPattern = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
)
// Validate checks the config for common issues. Returns a list of errors.
func Validate(cfg *Config) []error {
var errs []error
for alias, dev := range cfg.Devices {
if dev.UUID == "" {
errs = append(errs, fmt.Errorf("%s: missing uuid", alias))
} else if !uuidPattern.MatchString(dev.UUID) {
errs = append(errs, fmt.Errorf("%s: malformed uuid %q", alias, dev.UUID))
}
for _, m := range dev.Methods {
if !isValidMethod(m) {
errs = append(errs, fmt.Errorf("%s: unknown method %q (valid: %v)", alias, m, ValidMethods))
}
}
hasKeyfileMethod := false
for _, m := range dev.Methods {
if m == "keyfile" {
hasKeyfileMethod = true
break
}
}
if hasKeyfileMethod && dev.Keyfile == "" {
errs = append(errs, fmt.Errorf("%s: method 'keyfile' listed but no keyfile path set", alias))
}
if dev.Keyfile != "" {
if _, err := os.Stat(dev.Keyfile); err != nil {
errs = append(errs, fmt.Errorf("%s: keyfile %q not found (may be on removable media)", alias, dev.Keyfile))
}
}
}
return errs
}
func isValidMethod(m string) bool {
for _, v := range ValidMethods {
if m == v {
return true
}
}
return false
}

28
internal/cryptsetup/cryptsetup.go
View File

@@ -1,31 +1,49 @@
package cryptsetup package cryptsetup
import ( import (
"bytes"
"fmt" "fmt"
"io"
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"regexp"
"strings" "strings"
"git.wntrmute.dev/kyle/arca/internal/verbose" "git.wntrmute.dev/kyle/arca/internal/verbose"
) )
// OpenResult holds information about a successful cryptsetup open.
type OpenResult struct {
KeySlot string // e.g., "1", or "" if not parsed
}
var keySlotPattern = regexp.MustCompile(`Key slot (\d+) unlocked`)
// Open opens a LUKS device using cryptsetup with token-based unlock. // Open opens a LUKS device using cryptsetup with token-based unlock.
func Open(devicePath, mapperName string) error { // Returns info about which key slot was used.
args := withTokenPluginEnv([]string{"cryptsetup", "open", devicePath, mapperName, "--token-only"}) func Open(devicePath, mapperName string) (OpenResult, error) {
args := withTokenPluginEnv([]string{"cryptsetup", "open", devicePath, mapperName, "--token-only", "-v"})
args = withPrivilege(args) args = withPrivilege(args)
verbose.Printf("exec: %s", strings.Join(args, " ")) verbose.Printf("exec: %s", strings.Join(args, " "))
var buf bytes.Buffer
cmd := exec.Command(args[0], args[1:]...) cmd := exec.Command(args[0], args[1:]...)
cmd.Stdin = os.Stdin cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr cmd.Stderr = io.MultiWriter(os.Stderr, &buf)
if err := cmd.Run(); err != nil { if err := cmd.Run(); err != nil {
return fmt.Errorf("cryptsetup open --token-only: %w", err) return OpenResult{}, fmt.Errorf("cryptsetup open --token-only: %w", err)
} }
return nil
var result OpenResult
if m := keySlotPattern.FindStringSubmatch(buf.String()); len(m) > 1 {
result.KeySlot = m[1]
}
return result, nil
} }
// Close closes a LUKS mapping. // Close closes a LUKS mapping.

23
internal/unlock/unlock.go
View File

@@ -14,7 +14,9 @@ import (
// Result holds the outcome of a successful unlock. // Result holds the outcome of a successful unlock.
type Result struct { type Result struct {
Device *udisks.BlockDevice Device *udisks.BlockDevice
Privileged bool // true if unlock required root (cryptsetup path) Privileged bool // true if unlock required root (cryptsetup path)
Method string // which method succeeded: "fido2", "tpm2", "passphrase", "keyfile"
KeySlot string // key slot used, from cryptsetup verbose output (or "")
} }
// Options configures the unlock behavior. // Options configures the unlock behavior.
@@ -58,19 +60,19 @@ func (u *Unlocker) tryMethod(dev *udisks.BlockDevice, method string) (*Result, e
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &Result{Device: ct, Privileged: false}, nil return &Result{Device: ct, Privileged: false, Method: method}, nil
case "keyfile": case "keyfile":
ct, err := u.unlockKeyfile(dev) ct, err := u.unlockKeyfile(dev)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &Result{Device: ct, Privileged: false}, nil return &Result{Device: ct, Privileged: false, Method: method}, nil
case "fido2", "tpm2": case "fido2", "tpm2":
ct, err := u.unlockCryptsetup(dev) ct, openResult, err := u.unlockCryptsetup(dev)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &Result{Device: ct, Privileged: true}, nil return &Result{Device: ct, Privileged: true, Method: method, KeySlot: openResult.KeySlot}, nil
default: default:
return nil, fmt.Errorf("unknown unlock method: %s", method) return nil, fmt.Errorf("unknown unlock method: %s", method)
} }
@@ -98,19 +100,20 @@ func (u *Unlocker) unlockKeyfile(dev *udisks.BlockDevice) (*udisks.BlockDevice,
return u.client.UnlockWithKeyfile(dev, contents) return u.client.UnlockWithKeyfile(dev, contents)
} }
func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, error) { func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, cryptsetup.OpenResult, error) {
name := cryptsetup.MapperName(dev.DevicePath) name := cryptsetup.MapperName(dev.DevicePath)
if err := cryptsetup.Open(dev.DevicePath, name); err != nil { openResult, err := cryptsetup.Open(dev.DevicePath, name)
return nil, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err) if err != nil {
return nil, openResult, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err)
} }
// Wait for udisks2 to pick up the new dm device. // Wait for udisks2 to pick up the new dm device.
for i := 0; i < 10; i++ { for i := 0; i < 10; i++ {
ct, err := u.client.CleartextDevice(dev) ct, err := u.client.CleartextDevice(dev)
if err == nil { if err == nil {
return ct, nil return ct, openResult, nil
} }
time.Sleep(200 * time.Millisecond) time.Sleep(200 * time.Millisecond)
} }
return nil, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device") return nil, openResult, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device")
} }