Commit 4caaf4d1 authored by Maarten de Waard's avatar Maarten de Waard 🤘🏻
Browse files

Merge branch '24-make-device-paths-configurable' into 'master'

Make device paths runtime configurable

Closes #24

See merge request !19
parents afa111ad cb3709ef
......@@ -18,8 +18,8 @@ int callback_encryption_get(const struct _u_request * request,
bool can_encrypt = true;
json_t * messages = json_array();
if (path_exists(DATA_PARTITION_DEVICE) &&
is_encrypted_device(DATA_PARTITION_DEVICE))
if (path_exists(config.data_partition_device) &&
is_encrypted_device(config.data_partition_device))
{
encrypted = true;
}
......@@ -29,7 +29,7 @@ int callback_encryption_get(const struct _u_request * request,
can_encrypt_nullable = &can_encrypt;
// Mount the filesystem on the unencrypted device.
int r = temporary_mount(ROOT_DEVICE, UNENCRYPTED_TMP_MOUNTPOINT,
int r = temporary_mount(config.root_device, UNENCRYPTED_TMP_MOUNTPOINT,
FILESYSTEM_TYPE);
if (r != 0)
{
......
......@@ -45,15 +45,15 @@ int callback_encryption_init_post(const struct _u_request * request,
// Check if the device isn't already encrypted.
// Actually we check if the device has any partitions; if so, we're not in
// the expected situation of an unpartitioned unencrypted root device.
if (path_exists(INFO_PARTITION_DEVICE))
if (path_exists(config.info_partition_device))
{
// The device is already encrypted; we don't want to encrypt it again.
return send_simple_response(response, 500, "error",
"already encrypted");
"already encrypted");
}
// Mount the filesystem on the unencrypted device.
r = temporary_mount(ROOT_DEVICE, UNENCRYPTED_TMP_MOUNTPOINT,
r = temporary_mount(config.root_device, UNENCRYPTED_TMP_MOUNTPOINT,
FILESYSTEM_TYPE);
if (r != 0)
{
......@@ -78,7 +78,7 @@ int callback_encryption_init_post(const struct _u_request * request,
"copying existing root device contents to memory");
char * command = NULL;
asprintf(&command, "rsync -a %s/ %s", UNENCRYPTED_TMP_MOUNTPOINT,
TMP_LOCATION);
config.tmp_data_location);
r = system(command);
if (r != 0)
{
......@@ -105,7 +105,7 @@ int callback_encryption_init_post(const struct _u_request * request,
// Check whether the authorized_keys file exists on root device.
char * authorized_keys_path = NULL;
asprintf(&authorized_keys_path, "%s%s",
TMP_LOCATION, AUTHORIZED_KEYS_PATH);
config.tmp_data_location, AUTHORIZED_KEYS_PATH);
struct stat st = {0};
if (stat(authorized_keys_path, &st) == -1)
{
......@@ -117,9 +117,10 @@ int callback_encryption_init_post(const struct _u_request * request,
}
// Re-partition device.
y_log_message(Y_LOG_LEVEL_ERROR, "repartitioning device %s", ROOT_DEVICE);
y_log_message(Y_LOG_LEVEL_ERROR, "repartitioning device %s",
config.root_device);
command = NULL;
asprintf(&command, "sgdisk -a 8192 -n 1:0:48M -N 2 %s", ROOT_DEVICE);
asprintf(&command, "sgdisk -a 8192 -n 1:0:48M -N 2 %s", config.root_device);
r = system(command);
if (r != 0)
{
......@@ -151,7 +152,7 @@ int callback_encryption_init_post(const struct _u_request * request,
y_log_message(Y_LOG_LEVEL_DEBUG, "creating filesystem on info partition");
command = NULL;
asprintf(&command, "mkfs -t %s %s", FILESYSTEM_TYPE,
INFO_PARTITION_DEVICE);
config.info_partition_device);
y_log_message(Y_LOG_LEVEL_DEBUG, "command: %s", command);
r = system(command);
if (r != 0)
......@@ -164,7 +165,7 @@ int callback_encryption_init_post(const struct _u_request * request,
// Mount the info partition.
y_log_message(Y_LOG_LEVEL_DEBUG, "mounting info partition");
r = temporary_mount(INFO_PARTITION_DEVICE, INFO_TMP_MOUNTPOINT,
r = temporary_mount(config.info_partition_device, INFO_TMP_MOUNTPOINT,
FILESYSTEM_TYPE);
if (r != 0)
{
......@@ -230,8 +231,8 @@ int callback_encryption_init_post(const struct _u_request * request,
// Initialise encrypted container on data partition.
y_log_message(Y_LOG_LEVEL_DEBUG,
"creating encrypted container at %s", DATA_PARTITION_DEVICE);
r = create_encrypted_device(DATA_PARTITION_DEVICE, password);
"creating encrypted container at %s", config.data_partition_device);
r = create_encrypted_device(config.data_partition_device, password);
if (r != 0)
{
y_log_message(Y_LOG_LEVEL_ERROR,
......@@ -242,8 +243,8 @@ int callback_encryption_init_post(const struct _u_request * request,
// Unlock the new container.
y_log_message(Y_LOG_LEVEL_DEBUG, "unlocking encrypted device");
r = encryption_unlock(DATA_PARTITION_DEVICE, MAPPED_DEVICE_NAME,
password);
r = encryption_unlock(config.data_partition_device,
config.mapped_device_name, password);
if (r != 0)
{
y_log_message(Y_LOG_LEVEL_ERROR,
......@@ -255,7 +256,8 @@ int callback_encryption_init_post(const struct _u_request * request,
// Create filesystem in the new container.
y_log_message(Y_LOG_LEVEL_DEBUG, "creating filesystem in new container");
command = NULL;
asprintf(&command, "mkfs -t %s %s", FILESYSTEM_TYPE, MAPPED_DEVICE_PATH);
asprintf(&command, "mkfs -t %s %s",
FILESYSTEM_TYPE, config.mapped_device_path);
r = system(command);
if (r != 0)
{
......@@ -267,7 +269,7 @@ int callback_encryption_init_post(const struct _u_request * request,
// Mount the unlocked container.
y_log_message(Y_LOG_LEVEL_DEBUG, "mounting new filesystem");
r = temporary_mount(MAPPED_DEVICE_PATH, DATA_TMP_MOUNTPOINT,
r = temporary_mount(config.mapped_device_path, DATA_TMP_MOUNTPOINT,
FILESYSTEM_TYPE);
if (r != 0)
{
......@@ -281,7 +283,8 @@ int callback_encryption_init_post(const struct _u_request * request,
y_log_message(Y_LOG_LEVEL_DEBUG,
"copying root device contents from memory");
command = NULL;
asprintf(&command, "rsync -a %s/ %s", TMP_LOCATION, DATA_TMP_MOUNTPOINT);
asprintf(&command, "rsync -a %s/ %s",
config.tmp_data_location, DATA_TMP_MOUNTPOINT);
r = system(command);
if (r != 0)
{
......@@ -306,7 +309,7 @@ int callback_encryption_init_post(const struct _u_request * request,
// Lock the container.
y_log_message(Y_LOG_LEVEL_DEBUG, "locking encrypted device");
r = encryption_lock(MAPPED_DEVICE_NAME);
r = encryption_lock(config.mapped_device_name);
if (r != 0)
{
y_log_message(Y_LOG_LEVEL_ERROR,
......
......@@ -74,7 +74,7 @@ int callback_encryption_keys_delete(const struct _u_request * request,
// Initialise encrypted container.
struct crypt_device * cd = NULL;
r = container_initialise(&cd, DATA_PARTITION_DEVICE, true);
r = container_initialise(&cd, config.data_partition_device, true);
if (r < 0)
{
crypt_free(cd);
......
......@@ -12,7 +12,7 @@ int callback_encryption_keys_get(const struct _u_request * request,
// Initialise encrypted container.
struct crypt_device * cd = NULL;
r = container_initialise(&cd, DATA_PARTITION_DEVICE, true);
r = container_initialise(&cd, config.data_partition_device, true);
// A negative return code indicates that something went wrong with the
// initialisation of the encrypted container, so we need to free it.
// A positive return code means we couldn't even attempt the initialisation,
......
......@@ -59,7 +59,7 @@ int encryption_keys_change(const struct _u_request * request,
// Initialise encrypted container.
struct crypt_device * cd = NULL;
r = container_initialise(&cd, DATA_PARTITION_DEVICE, true);
r = container_initialise(&cd, config.data_partition_device, true);
if (r < 0)
{
crypt_free(cd);
......
......@@ -38,7 +38,7 @@ int callback_encryption_remove_post(const struct _u_request * request,
}
// Check if the device is encrypted.
if (! is_encrypted_device(DATA_PARTITION_DEVICE))
if (! is_encrypted_device(config.data_partition_device))
{
// The device is not encrypted, so this command does not make sense.
return send_simple_response(response, 400, "error",
......@@ -47,7 +47,7 @@ int callback_encryption_remove_post(const struct _u_request * request,
// Unlock the container.
y_log_message(Y_LOG_LEVEL_INFO, "unlocking encrypted device");
r = encryption_unlock(DATA_PARTITION_DEVICE, MAPPED_DEVICE_NAME,
r = encryption_unlock(config.data_partition_device, config.mapped_device_name,
password);
if (r == -1)
{
......@@ -64,7 +64,7 @@ int callback_encryption_remove_post(const struct _u_request * request,
}
// Mount the filesystem on the encrypted data partition.
r = temporary_mount(MAPPED_DEVICE_PATH, DATA_TMP_MOUNTPOINT,
r = temporary_mount(config.mapped_device_path, DATA_TMP_MOUNTPOINT,
FILESYSTEM_TYPE);
if (r != 0)
{
......@@ -87,7 +87,8 @@ int callback_encryption_remove_post(const struct _u_request * request,
y_log_message(Y_LOG_LEVEL_DEBUG,
"copying existing root device contents to memory");
char * command = NULL;
asprintf(&command, "rsync -a %s/ %s", DATA_TMP_MOUNTPOINT, TMP_LOCATION);
asprintf(&command, "rsync -a %s/ %s",
DATA_TMP_MOUNTPOINT, config.tmp_data_location);
r = system(command);
if(r != 0)
{
......@@ -112,7 +113,7 @@ int callback_encryption_remove_post(const struct _u_request * request,
// Lock the container.
y_log_message(Y_LOG_LEVEL_DEBUG, "locking encrypted device");
r = encryption_lock(MAPPED_DEVICE_NAME);
r = encryption_lock(config.mapped_device_name);
if (r != 0)
{
y_log_message(Y_LOG_LEVEL_ERROR,
......@@ -137,9 +138,9 @@ int callback_encryption_remove_post(const struct _u_request * request,
// Remove all partitions from the device.
y_log_message(Y_LOG_LEVEL_DEBUG,
"removing partitions from device %s", ROOT_DEVICE);
"removing partitions from device %s", config.root_device);
command = NULL;
asprintf(&command, "sgdisk -Z %s", ROOT_DEVICE);
asprintf(&command, "sgdisk -Z %s", config.root_device);
r = system(command);
if (r != 0)
{
......@@ -153,7 +154,7 @@ int callback_encryption_remove_post(const struct _u_request * request,
y_log_message(Y_LOG_LEVEL_DEBUG,
"creating filesystem on unencrypted device");
command = NULL;
asprintf(&command, "mkfs -t %s %s", FILESYSTEM_TYPE, ROOT_DEVICE);
asprintf(&command, "mkfs -t %s %s", FILESYSTEM_TYPE, config.root_device);
r = system(command);
if (r != 0)
{
......@@ -165,7 +166,7 @@ int callback_encryption_remove_post(const struct _u_request * request,
// Mount the new filesystem.
y_log_message(Y_LOG_LEVEL_DEBUG, "mounting new filesystem");
r = temporary_mount(ROOT_DEVICE, UNENCRYPTED_TMP_MOUNTPOINT,
r = temporary_mount(config.root_device, UNENCRYPTED_TMP_MOUNTPOINT,
FILESYSTEM_TYPE);
if (r != 0)
{
......@@ -180,7 +181,7 @@ int callback_encryption_remove_post(const struct _u_request * request,
"copying root device contents from memory");
command = NULL;
asprintf(&command, "rsync -a %s/ %s",
TMP_LOCATION, UNENCRYPTED_TMP_MOUNTPOINT);
config.tmp_data_location, UNENCRYPTED_TMP_MOUNTPOINT);
r = system(command);
if (r != 0)
{
......
......@@ -11,7 +11,7 @@ int destroy_active_keyslots()
// Initialise encrypted container.
struct crypt_device * cd = NULL;
r = container_initialise(&cd, DATA_PARTITION_DEVICE, true);
r = container_initialise(&cd, config.data_partition_device, true);
if (r < 0)
{
crypt_free(cd);
......@@ -80,7 +80,7 @@ int callback_encryption_selfdestruct_post(const struct _u_request * request,
"Overwriting start of data partition with zeroes");
char * command = NULL;
asprintf(&command, "head -c %d /dev/zero > %s; sync",
LUKS_HEADER_SIZE, DATA_PARTITION_DEVICE);
LUKS_HEADER_SIZE, config.data_partition_device);
r = system(command);
if (r != 0)
{
......
......@@ -18,8 +18,8 @@ int callback_encryption_unlock_post(const struct _u_request * request,
return send_simple_response(response, 400, "error", "missing password");
}
int unlock_status = encryption_unlock(DATA_PARTITION_DEVICE,
MAPPED_DEVICE_NAME, password);
int unlock_status = encryption_unlock(config.data_partition_device,
config.mapped_device_name, password);
if (unlock_status == -1)
{
......
......@@ -5,6 +5,7 @@
#include <auxiliary.c>
#include <encryption_functions.c>
#include <runtime-config.c>
#include <api/default.c>
#include <api/encryption_get.c>
#include <api/encryption_init_post.c>
......@@ -21,9 +22,18 @@
int main(int argc, char ** argv)
{
// Set global configuration from command line arguments.
set_config_from_arguments(argc, argv);
y_init_logs("cryptops-api", Y_LOG_MODE_CONSOLE, Y_LOG_LEVEL_DEBUG,
NULL, "Starting cryptops-api");
y_log_message(Y_LOG_LEVEL_DEBUG, "root_device: %s", config.root_device);
y_log_message(Y_LOG_LEVEL_DEBUG, "info_partition_device: %s", config.info_partition_device);
y_log_message(Y_LOG_LEVEL_DEBUG, "data_partition_device: %s", config.data_partition_device);
y_log_message(Y_LOG_LEVEL_DEBUG, "mapped_device_name: %s", config.mapped_device_name);
y_log_message(Y_LOG_LEVEL_DEBUG, "mapped_device_path: %s", config.mapped_device_path);
// Set address to bind to.
struct sockaddr_in address;
bzero(&address, sizeof(address));
......
......@@ -3,13 +3,6 @@
#define PORT 8000
#define BIND_ADDRESS "127.0.0.1"
// Device paths.
#define ROOT_DEVICE "/dev/xvda"
#define INFO_PARTITION_DEVICE ROOT_DEVICE "1"
#define DATA_PARTITION_DEVICE ROOT_DEVICE "2"
#define MAPPED_DEVICE_NAME "xvda1_crypt"
#define MAPPED_DEVICE_PATH "/dev/mapper/" MAPPED_DEVICE_NAME
// Filesystem parameters.
#define FILESYSTEM_TYPE "xfs"
......@@ -23,7 +16,6 @@
#define UNENCRYPTED_TMP_MOUNTPOINT "/tmp/mnt-plain"
#define INFO_TMP_MOUNTPOINT "/tmp/mnt-info"
#define DATA_TMP_MOUNTPOINT "/tmp/mnt-data"
#define TMP_LOCATION "/tmp/" MAPPED_DEVICE_NAME
// Ssh configuration file locations.
#define AUTHORIZED_KEYS_DIR "/root/.ssh"
......
struct config
{
char * root_device;
char * info_partition_device;
char * data_partition_device;
char * mapped_device_name;
char * mapped_device_path;
char * tmp_data_location;
};
extern struct config config;
struct config config;
void set_config_from_arguments(int argc, char ** argv)
{
if (argc < 3)
{
printf("Not enough arguments. Usage:\n cryptops-api ROOTDEV CRYPTNAME\n");
exit(1);
}
config.root_device = argv[1];
config.mapped_device_name = argv[2];
asprintf(&config.info_partition_device, "%s1", config.root_device);
asprintf(&config.data_partition_device, "%s2", config.root_device);
asprintf(&config.mapped_device_path, "/dev/mapper/%s", config.mapped_device_name);
asprintf(&config.tmp_data_location, "/tmp/%s", config.mapped_device_name);
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment