Skip to content

Commit

Permalink
storage: Tang keyserver and passphrase management for Stratis
Browse files Browse the repository at this point in the history
  • Loading branch information
mvollmer authored and jelly committed Aug 9, 2023
1 parent c0089cf commit 4133eb9
Show file tree
Hide file tree
Showing 7 changed files with 554 additions and 86 deletions.
23 changes: 21 additions & 2 deletions pkg/storaged/client.js
Original file line number Diff line number Diff line change
Expand Up @@ -379,13 +379,31 @@ function update_indices() {
}

client.blocks_stratis_stopped_pool = { };
client.stratis_stopped_pool_key_description = { };
client.stratis_stopped_pool_clevis_info = { };
for (const uuid in client.stratis_manager.StoppedPools) {
const devs = client.stratis_manager.StoppedPools[uuid].devs.v;
for (const d of devs) {
block = client.slashdevs_block[d.devnode];
if (block)
client.blocks_stratis_stopped_pool[block.path] = uuid;
}
const kinfo = client.stratis_manager.StoppedPools[uuid].key_description;
if (kinfo &&
kinfo.t == "(bv)" &&
kinfo.v[0] &&
kinfo.v[1].t == "(bs)" &&
kinfo.v[1].v[0]) {
client.stratis_stopped_pool_key_description[uuid] = kinfo.v[1].v[1];
}
const cinfo = client.stratis_manager.StoppedPools[uuid].clevis_info;
if (cinfo &&
cinfo.t == "(bv)" &&
cinfo.v[0] &&
cinfo.v[1].t == "(b(ss))" &&
cinfo.v[1].v[0]) {
client.stratis_stopped_pool_clevis_info[uuid] = cinfo.v[1].v[1];
}
}

client.blocks_cleartext = { };
Expand Down Expand Up @@ -970,11 +988,11 @@ function stratis3_start() {
return client.stratis_manager.StartPool(uuid, [!!unlock_method, unlock_method || ""]);
};

client.stratis_create_pool = (name, devs, key_desc) => {
client.stratis_create_pool = (name, devs, key_desc, clevis_info) => {
return client.stratis_manager.CreatePool(name, [false, 0],
devs,
key_desc ? [true, key_desc] : [false, ""],
[false, ["", ""]]);
clevis_info ? [true, clevis_info] : [false, ["", ""]]);
};

client.stratis_list_keys = () => {
Expand All @@ -986,6 +1004,7 @@ function stratis3_start() {
};

client.features.stratis = true;
client.features.stratis_crypto_binding = true;
client.stratis_pools = client.stratis_manager.client.proxies("org.storage.stratis3.pool." +
stratis3_interface_revision,
"/org/storage/stratis3",
Expand Down
60 changes: 31 additions & 29 deletions pkg/storaged/crypto-keyslots.jsx
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ const _ = cockpit.gettext;
/* Tang advertisement utilities
*/

function get_tang_adv(url) {
export function get_tang_adv(url) {
return cockpit.spawn(["curl", "-sSf", url + "/adv"], { err: "message" })
.then(JSON.parse)
.catch(error => {
Expand Down Expand Up @@ -487,7 +487,7 @@ function parse_url(url) {
}
}

function validate_url(url) {
export function validate_url(url) {
if (url.length === 0)
return _("Address cannot be empty");
if (!parse_url(url))
Expand Down Expand Up @@ -614,39 +614,41 @@ function add_or_update_tang(dlg, vals, block, url, adv, old_key, passphrase) {
.catch(request_passphrase_on_error_handler(dlg, vals, passphrase, block));
}

function edit_tang_adv(client, block, key, url, adv, passphrase) {
export const TangKeyVerification = ({ url, adv }) => {
const parsed = parse_url(url);
const cmd = cockpit.format("ssh $0 tang-show-keys $1", parsed.hostname, parsed.port);

const sigkey_thps = compute_sigkey_thps(tang_adv_payload(adv));

return (
<TextContent>
<Text component={TextVariants.p}>{_("Check the key hash with the Tang server.")}</Text>

<Text component={TextVariants.h3}>{_("How to check")}</Text>
<Text component={TextVariants.p}>
{_("In a terminal, run: ")}
<ClipboardCopy hoverTip={_("Copy to clipboard")}
clickTip={_("Successfully copied to clipboard!")}
variant="inline-compact"
isCode>
{cmd}
</ClipboardCopy>
</Text>
<Text component={TextVariants.p}>
{_("Check that the SHA-256 or SHA-1 hash from the command matches this dialog.")}
</Text>

<Text component={TextVariants.h3}>{_("SHA-256")}</Text>
{ sigkey_thps.map(s => <Text key={s.sha256} component={TextVariants.pre}>{s.sha256}</Text>) }

<Text component={TextVariants.h3}>{_("SHA-1")}</Text>
{ sigkey_thps.map(s => <Text key={s.sha1} component={TextVariants.pre}>{s.sha1}</Text>) }
</TextContent>);
};

function edit_tang_adv(client, block, key, url, adv, passphrase) {
const dlg = dialog_open({
Title: _("Verify key"),
Body: (
<TextContent>
<Text component={TextVariants.p}>{_("Check the key hash with the Tang server.")}</Text>

<Text component={TextVariants.h3}>{_("How to check")}</Text>
<Text component={TextVariants.p}>
{_("In a terminal, run: ")}
<ClipboardCopy hoverTip={_("Copy to clipboard")}
clickTip={_("Successfully copied to clipboard!")}
variant="inline-compact"
isCode>
{cmd}
</ClipboardCopy>
</Text>
<Text component={TextVariants.p}>
{_("Check that the SHA-256 or SHA-1 hash from the command matches this dialog.")}
</Text>

<Text component={TextVariants.h3}>{_("SHA-256")}</Text>
{ sigkey_thps.map(s => <Text key={s.sha256} component={TextVariants.pre}>{s.sha256}</Text>) }

<Text component={TextVariants.h3}>{_("SHA-1")}</Text>
{ sigkey_thps.map(s => <Text key={s.sha1} component={TextVariants.pre}>{s.sha1}</Text>) }
</TextContent>
),
Body: <TangKeyVerification url={url} adv={adv} />,
Fields: existing_passphrase_fields(_("Saving a new passphrase requires unlocking the disk. Please provide a current disk passphrase.")),
Action: {
Title: _("Trust key"),
Expand Down
Loading

0 comments on commit 4133eb9

Please sign in to comment.