package cmd import ( "fmt" "os" "strings" "git.wntrmute.dev/kyle/arca/internal/config" "git.wntrmute.dev/kyle/arca/internal/cryptsetup" "git.wntrmute.dev/kyle/arca/internal/udisks" "git.wntrmute.dev/kyle/arca/internal/unlock" "git.wntrmute.dev/kyle/arca/internal/verbose" "github.com/spf13/cobra" "golang.org/x/term" ) var mountpoint string var mountCmd = &cobra.Command{ Use: "mount ", Short: "Unlock and mount a LUKS volume", Args: cobra.ExactArgs(1), RunE: runMount, ValidArgsFunction: completeDeviceOrAlias, } func init() { mountCmd.Flags().StringVarP(&mountpoint, "mountpoint", "m", "", "mount point override (privileged path only)") rootCmd.AddCommand(mountCmd) } func runMount(cmd *cobra.Command, args []string) error { cfg := config.Load() target := args[0] client, err := udisks.NewClient() if err != nil { return fmt.Errorf("connecting to udisks2: %w", err) } defer client.Close() devCfg := cfg.ResolveDevice(target) // CLI flag overrides config mountpoint. mp := devCfg.Mountpoint if mountpoint != "" { mp = mountpoint } dev, err := client.FindDevice(devCfg.UUID, target) if err != nil { return err } // Check if already unlocked. if cleartext, err := client.CleartextDevice(dev); err == nil { // Already unlocked — check if mounted too. if existing, mounted := client.IsMounted(cleartext); mounted { fmt.Println(existing) return nil } // Unlocked but not mounted — mount it. If the mapper name // indicates arca opened it via cryptsetup (privileged path), // use privileged mount since udisks2 won't authorize it. if isPrivilegedMapping(dev) { verbose.Printf("detected arca-managed mapping, using privileged mount") mnt, err := cryptsetup.Mount(cleartext.DevicePath, mp) if err != nil { return fmt.Errorf("mounting: %w", err) } fmt.Println(mnt) return nil } return doMount(client, cleartext, mp) } // Need to unlock. u := unlock.New(client, unlock.Options{ ReadPassphrase: readPassphrase, KeyfilePath: devCfg.Keyfile, }) result, err := u.Unlock(dev, devCfg.Methods) if err != nil { return err } methodInfo := formatMethod(result) if result.Privileged { mnt, err := cryptsetup.Mount(result.Device.DevicePath, mp) if err != nil { return fmt.Errorf("mounting: %w", err) } fmt.Printf("%s %s\n", mnt, methodInfo) return nil } if mp != "" { fmt.Fprintf(os.Stderr, "warning: --mountpoint is ignored for udisks2 mounts (passphrase/keyfile path)\n") } return doMountWithInfo(client, result.Device, "", methodInfo) } func doMount(client *udisks.Client, cleartext *udisks.BlockDevice, mp string) error { return doMountWithInfo(client, cleartext, mp, "") } func doMountWithInfo(client *udisks.Client, cleartext *udisks.BlockDevice, mp, methodInfo string) error { var mnt string var err error if mp != "" { mnt, err = cryptsetup.Mount(cleartext.DevicePath, mp) } else { mnt, err = client.Mount(cleartext) } if err != nil { return fmt.Errorf("mounting: %w", err) } if methodInfo != "" { fmt.Printf("%s %s\n", mnt, methodInfo) } else { fmt.Println(mnt) } return nil } // isPrivilegedMapping checks if a LUKS device was opened via arca's // cryptsetup path by checking if the expected mapper name exists. func isPrivilegedMapping(dev *udisks.BlockDevice) bool { expected := cryptsetup.MapperName(dev.DevicePath) _, err := os.Stat("/dev/mapper/" + expected) return err == nil && strings.HasPrefix(expected, "arca-") } func readPassphrase() (string, error) { fmt.Fprint(os.Stderr, "Passphrase: ") pass, err := term.ReadPassword(int(os.Stdin.Fd())) fmt.Fprintln(os.Stderr) if err != nil { return "", fmt.Errorf("reading passphrase: %w", err) } return string(pass), nil }