storage: Tang keyserver and passphrase management for Stratis

cockpit-project · Aug 9, 2023 · 4133eb9 · 4133eb9
1 parent c0089cf
commit 4133eb9
Show file tree

Hide file tree

Showing 7 changed files with 554 additions and 86 deletions.
diff --git a/pkg/storaged/client.js b/pkg/storaged/client.js
@@ -379,13 +379,31 @@ function update_indices() {
  }
 
  client.blocks_stratis_stopped_pool = { };
+ client.stratis_stopped_pool_key_description = { };
+ client.stratis_stopped_pool_clevis_info = { };
  for (const uuid in client.stratis_manager.StoppedPools) {
  const devs = client.stratis_manager.StoppedPools[uuid].devs.v;
  for (const d of devs) {
  block = client.slashdevs_block[d.devnode];
  if (block)
  client.blocks_stratis_stopped_pool[block.path] = uuid;
  }
+ const kinfo = client.stratis_manager.StoppedPools[uuid].key_description;
+ if (kinfo &&
+ kinfo.t == "(bv)" &&
+ kinfo.v[0] &&
+ kinfo.v[1].t == "(bs)" &&
+ kinfo.v[1].v[0]) {
+ client.stratis_stopped_pool_key_description[uuid] = kinfo.v[1].v[1];
+ }
+ const cinfo = client.stratis_manager.StoppedPools[uuid].clevis_info;
+ if (cinfo &&
+ cinfo.t == "(bv)" &&
+ cinfo.v[0] &&
+ cinfo.v[1].t == "(b(ss))" &&
+ cinfo.v[1].v[0]) {
+ client.stratis_stopped_pool_clevis_info[uuid] = cinfo.v[1].v[1];
+ }
  }
 
  client.blocks_cleartext = { };
@@ -970,11 +988,11 @@ function stratis3_start() {
  return client.stratis_manager.StartPool(uuid, [!!unlock_method, unlock_method || ""]);
  };
 
- client.stratis_create_pool = (name, devs, key_desc) => {
+ client.stratis_create_pool = (name, devs, key_desc, clevis_info) => {
  return client.stratis_manager.CreatePool(name, [false, 0],
  devs,
  key_desc ? [true, key_desc] : [false, ""],
- [false, ["", ""]]);
+ clevis_info ? [true, clevis_info] : [false, ["", ""]]);
  };
 
  client.stratis_list_keys = () => {
@@ -986,6 +1004,7 @@ function stratis3_start() {
  };
 
  client.features.stratis = true;
+ client.features.stratis_crypto_binding = true;
  client.stratis_pools = client.stratis_manager.client.proxies("org.storage.stratis3.pool." +
  stratis3_interface_revision,
  "/org/storage/stratis3",

diff --git a/pkg/storaged/crypto-keyslots.jsx b/pkg/storaged/crypto-keyslots.jsx
@@ -52,7 +52,7 @@ const _ = cockpit.gettext;
 /* Tang advertisement utilities
  */
 
-function get_tang_adv(url) {
+export function get_tang_adv(url) {
  return cockpit.spawn(["curl", "-sSf", url + "/adv"], { err: "message" })
  .then(JSON.parse)
  .catch(error => {
@@ -487,7 +487,7 @@ function parse_url(url) {
  }
 }
 
-function validate_url(url) {
+export function validate_url(url) {
  if (url.length === 0)
  return _("Address cannot be empty");
  if (!parse_url(url))
@@ -614,39 +614,41 @@ function add_or_update_tang(dlg, vals, block, url, adv, old_key, passphrase) {
  .catch(request_passphrase_on_error_handler(dlg, vals, passphrase, block));
 }
 
-function edit_tang_adv(client, block, key, url, adv, passphrase) {
+export const TangKeyVerification = ({ url, adv }) => {
  const parsed = parse_url(url);
  const cmd = cockpit.format("ssh $0 tang-show-keys $1", parsed.hostname, parsed.port);
-
  const sigkey_thps = compute_sigkey_thps(tang_adv_payload(adv));
 
+ return (
+ <TextContent>
+ <Text component={TextVariants.p}>{_("Check the key hash with the Tang server.")}</Text>
+
+ <Text component={TextVariants.h3}>{_("How to check")}</Text>
+ <Text component={TextVariants.p}>
+ {_("In a terminal, run: ")}
+ <ClipboardCopy hoverTip={_("Copy to clipboard")}
+ clickTip={_("Successfully copied to clipboard!")}
+ variant="inline-compact"
+ isCode>
+ {cmd}
+ </ClipboardCopy>
+ </Text>
+ <Text component={TextVariants.p}>
+ {_("Check that the SHA-256 or SHA-1 hash from the command matches this dialog.")}
+ </Text>
+
+ <Text component={TextVariants.h3}>{_("SHA-256")}</Text>
+ { sigkey_thps.map(s => <Text key={s.sha256} component={TextVariants.pre}>{s.sha256}</Text>) }
+
+ <Text component={TextVariants.h3}>{_("SHA-1")}</Text>
+ { sigkey_thps.map(s => <Text key={s.sha1} component={TextVariants.pre}>{s.sha1}</Text>) }
+ </TextContent>);
+};
+
+function edit_tang_adv(client, block, key, url, adv, passphrase) {
  const dlg = dialog_open({
  Title: _("Verify key"),
- Body: (
- <TextContent>
- <Text component={TextVariants.p}>{_("Check the key hash with the Tang server.")}</Text>
-
- <Text component={TextVariants.h3}>{_("How to check")}</Text>
- <Text component={TextVariants.p}>
- {_("In a terminal, run: ")}
- <ClipboardCopy hoverTip={_("Copy to clipboard")}
- clickTip={_("Successfully copied to clipboard!")}
- variant="inline-compact"
- isCode>
- {cmd}
- </ClipboardCopy>
- </Text>
- <Text component={TextVariants.p}>
- {_("Check that the SHA-256 or SHA-1 hash from the command matches this dialog.")}
- </Text>
-
- <Text component={TextVariants.h3}>{_("SHA-256")}</Text>
- { sigkey_thps.map(s => <Text key={s.sha256} component={TextVariants.pre}>{s.sha256}</Text>) }
-
- <Text component={TextVariants.h3}>{_("SHA-1")}</Text>
- { sigkey_thps.map(s => <Text key={s.sha1} component={TextVariants.pre}>{s.sha1}</Text>) }
- </TextContent>
- ),
+ Body: <TangKeyVerification url={url} adv={adv} />,
  Fields: existing_passphrase_fields(_("Saving a new passphrase requires unlocking the disk. Please provide a current disk passphrase.")),
  Action: {
  Title: _("Trust key"),