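#!/bin/ksh -p
#
# CDDL HEADER START
#
# This file and its contents are supplied under the terms of the
# Common Development and Distribution License ("CDDL"), version 1.0.
# You may only use this file in accordance with the terms of version
# 1.0 of the CDDL.
#
# A full copy of the text of the CDDL should have accompanied this
# source. A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#
# CDDL HEADER END
#

#
# Copyright (c) 2017 Datto, Inc. All rights reserved.
#

. $STF_SUITE/include/libtest.shlib
. $STF_SUITE/tests/functional/cli_root/zfs_load-key/zfs_load-key_common.kshlib

#
# DESCRIPTION:
# Unencrypted datasets should only allow keylocation of 'none', encryption
# roots should only allow keylocation of 'prompt' and file URI, and encrypted
# child datasets should not be able to change their keylocation.
#
# STRATEGY:
# 1. Verify the key location of the default dataset is 'none'
# 2. Attempt to change the key location of the default dataset
# 3. Create an encrypted dataset using a key file
# 4. Attempt to change the key location of the encrypted dataset to 'none',
#    an invalid location, its current location, and 'prompt'
# 5. Attempt to reload the encrypted dataset key using the new key location
# 6. Create an encrypted child dataset
# 7. Verify the key location of the child dataset is 'none'
# 8. Attempt to change the key location of the child dataset
# 9. Verify the key location of the child dataset has not changed
#

verify_runnable "both"

#
# Exit handler: remove the passphrase file and the encrypted test dataset.
# The key file is removed here as well as in the test body, so that a
# failure before the in-test 'rm' does not leave the passphrase on the pool.
#
function cleanup
{
	# -f: the file is legitimately absent once the test body has removed it.
	rm -f /$TESTPOOL/pkey
	datasetexists $TESTPOOL/$TESTFS1 && \
		log_must zfs destroy -r $TESTPOOL/$TESTFS1
}
log_onexit cleanup

log_assert "Key location can only be 'prompt' or a file path for encryption" \
	"roots, and 'none' for unencrypted volumes"

# Write the test passphrase to a key file in the pool's mountpoint.
# NOTE(review): $PASSPHRASE is expanded into the command string given to
# log_must, so it presumably shows up in the test log, and the file is
# created with the default umask. Fine for a fixed test fixture only.
log_must eval "echo $PASSPHRASE > /$TESTPOOL/pkey"

# Steps 1-2: an unencrypted dataset accepts only keylocation=none.
log_must verify_keylocation $TESTPOOL/$TESTFS "none"
log_must zfs set keylocation=none $TESTPOOL/$TESTFS
log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS
log_mustnot zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS
log_must verify_keylocation $TESTPOOL/$TESTFS "none"

# Step 3: create an encryption root whose key comes from the key file.
log_must zfs create -o encryption=on -o keyformat=passphrase \
	-o keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1

# Step 4: an encryption root must reject 'none' ...
log_mustnot zfs set keylocation=none $TESTPOOL/$TESTFS1
# ... and a bare path without the file:// scheme, except on FreeBSD.
if is_linux; then
	log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1
else
	# file:///$TESTPOOL/pkey and /$TESTPOOL/pkey are equivalent on FreeBSD
	# thanks to libfetch. Eventually we want to make the other platforms
	# work this way as well, either by porting libfetch or by other means.
	log_must zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1
fi

# Re-setting the current file URI and switching to 'prompt' are both allowed.
log_must zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1
log_must verify_keylocation $TESTPOOL/$TESTFS1 "file:///$TESTPOOL/pkey"

log_must zfs set keylocation=prompt $TESTPOOL/$TESTFS1
log_must verify_keylocation $TESTPOOL/$TESTFS1 "prompt"

# Step 5: unload the key, then reload it through the new key location.
log_must zfs unmount $TESTPOOL/$TESTFS1
log_must zfs unload-key $TESTPOOL/$TESTFS1

# Delete the key file first, so load-key can only succeed by reading the
# passphrase from stdin (keylocation=prompt), not from the old file.
log_must rm /$TESTPOOL/pkey
log_must eval "echo $PASSPHRASE | zfs load-key $TESTPOOL/$TESTFS1"
log_must zfs mount $TESTPOOL/$TESTFS1

# Steps 6-7: a child of the encryption root reports keylocation 'none'.
log_must zfs create $TESTPOOL/$TESTFS1/child
log_must verify_keylocation $TESTPOOL/$TESTFS1/child "none"

# Step 8: every attempt to set keylocation on the child must fail,
# including setting it to its current value of 'none'.
log_mustnot zfs set keylocation=none $TESTPOOL/$TESTFS1/child
log_mustnot zfs set keylocation=prompt $TESTPOOL/$TESTFS1/child
log_mustnot zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1/child
log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1/child

# Step 9: the rejected attempts left the child's keylocation unchanged.
log_must verify_keylocation $TESTPOOL/$TESTFS1/child "none"

log_pass "Key location can only be 'prompt' or a file path for encryption" \
	"roots, and 'none' for unencrypted volumes"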