arca/cmd/mount.go

package cmd

import (
	"fmt"
	"os"
	"strings"

	"git.wntrmute.dev/kyle/arca/internal/config"
	"git.wntrmute.dev/kyle/arca/internal/cryptsetup"
	"git.wntrmute.dev/kyle/arca/internal/udisks"
	"git.wntrmute.dev/kyle/arca/internal/unlock"
	"git.wntrmute.dev/kyle/arca/internal/verbose"
	"github.com/spf13/cobra"
	"golang.org/x/term"
)

var mountpoint string

var mountCmd = &cobra.Command{
	Use:               "mount <device|alias>",
	Short:             "Unlock and mount a LUKS volume",
	Args:              cobra.ExactArgs(1),
	RunE:              runMount,
	ValidArgsFunction: completeDeviceOrAlias,
}

func init() {
	mountCmd.Flags().StringVarP(&mountpoint, "mountpoint", "m", "", "mount point override (privileged path only)")
	rootCmd.AddCommand(mountCmd)
}

func runMount(cmd *cobra.Command, args []string) error {
	cfg := config.Load()
	target := args[0]

	client, err := udisks.NewClient()
	if err != nil {
		return fmt.Errorf("connecting to udisks2: %w", err)
	}
	defer client.Close()

	devCfg := cfg.ResolveDevice(target)

	// CLI flag overrides config mountpoint.
	mp := devCfg.Mountpoint
	if mountpoint != "" {
		mp = mountpoint
	}

	dev, err := client.FindDevice(devCfg.UUID, target)
	if err != nil {
		return err
	}

	// Check if already unlocked.
	if cleartext, err := client.CleartextDevice(dev); err == nil {
		// Already unlocked — check if mounted too.
		if existing, mounted := client.IsMounted(cleartext); mounted {
			fmt.Println(existing)
			return nil
		}
		// Unlocked but not mounted — mount it. If the mapper name
		// indicates arca opened it via cryptsetup (privileged path),
		// use privileged mount since udisks2 won't authorize it.
		if isPrivilegedMapping(dev) {
			verbose.Printf("detected arca-managed mapping, using privileged mount")
			mnt, err := cryptsetup.Mount(cleartext.DevicePath, mp)
			if err != nil {
				return fmt.Errorf("mounting: %w", err)
			}
			fmt.Println(mnt)
			return nil
		}
		return doMount(client, cleartext, mp)
	}

	// Need to unlock.
	u := unlock.New(client, unlock.Options{
		ReadPassphrase: readPassphrase,
		KeyfilePath:    devCfg.Keyfile,
	})

	result, err := u.Unlock(dev, devCfg.Methods)
	if err != nil {
		return err
	}

	methodInfo := formatMethod(result)

	if result.Privileged {
		mnt, err := cryptsetup.Mount(result.Device.DevicePath, mp)
		if err != nil {
			return fmt.Errorf("mounting: %w", err)
		}
		fmt.Printf("%s %s\n", mnt, methodInfo)
		return nil
	}

	if mp != "" {
		fmt.Fprintf(os.Stderr, "warning: --mountpoint is ignored for udisks2 mounts (passphrase/keyfile path)\n")
	}
	return doMountWithInfo(client, result.Device, "", methodInfo)
}

func doMount(client *udisks.Client, cleartext *udisks.BlockDevice, mp string) error {
	return doMountWithInfo(client, cleartext, mp, "")
}

func doMountWithInfo(client *udisks.Client, cleartext *udisks.BlockDevice, mp, methodInfo string) error {
	var mnt string
	var err error
	if mp != "" {
		mnt, err = cryptsetup.Mount(cleartext.DevicePath, mp)
	} else {
		mnt, err = client.Mount(cleartext)
	}
	if err != nil {
		return fmt.Errorf("mounting: %w", err)
	}
	if methodInfo != "" {
		fmt.Printf("%s %s\n", mnt, methodInfo)
	} else {
		fmt.Println(mnt)
	}
	return nil
}

// isPrivilegedMapping checks if a LUKS device was opened via arca's
// cryptsetup path by checking if the expected mapper name exists.
func isPrivilegedMapping(dev *udisks.BlockDevice) bool {
	expected := cryptsetup.MapperName(dev.DevicePath)
	_, err := os.Stat("/dev/mapper/" + expected)
	return err == nil && strings.HasPrefix(expected, "arca-")
}

func readPassphrase() (string, error) {
	fmt.Fprint(os.Stderr, "Passphrase: ")
	pass, err := term.ReadPassword(int(os.Stdin.Fd()))
	fmt.Fprintln(os.Stderr)
	if err != nil {
		return "", fmt.Errorf("reading passphrase: %w", err)
	}
	return string(pass), nil
}