[mirror_zfs.git] / tests / zfs-tests / tests / functional / cli_root / zfs_set / zfs_set_keylocation.ksh

#!/bin/ksh -p
#
# CDDL HEADER START
#
# This file and its contents are supplied under the terms of the
# Common Development and Distribution License ("CDDL"), version 1.0.
# You may only use this file in accordance with the terms of version
# 1.0 of the CDDL.
#
# A full copy of the text of the CDDL should have accompanied this
# source.  A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#
# CDDL HEADER END
#

#
# Copyright (c) 2017 Datto, Inc. All rights reserved.
#

. $STF_SUITE/include/libtest.shlib
. $STF_SUITE/tests/functional/cli_root/zfs_load-key/zfs_load-key_common.kshlib

#
# DESCRIPTION:
# Unencrypted datasets should only allow keylocation of 'none', encryption
# roots should only allow keylocation of 'prompt' and file URI, and encrypted
# child datasets should not be able to change their keylocation.
#
# STRATEGY:
# 1. Verify the key location of the default dataset is 'none'
# 2. Attempt to change the key location of the default dataset
# 3. Create an encrypted dataset using a key file
# 4. Attempt to change the key location of the encrypted dataset to 'none',
#    an invalid location, its current location, and 'prompt'
# 5. Attempt to reload the encrypted dataset key using the new key location
# 6. Create a encrypted child dataset
# 7. Verify the key location of the child dataset is 'none'
# 8. Attempt to change the key location of the child dataset
# 9. Verify the key location of the child dataset has not changed
#

verify_runnable "both"

function cleanup
{
	datasetexists $TESTPOOL/$TESTFS1 && \
		log_must zfs destroy -r $TESTPOOL/$TESTFS1
}
log_onexit cleanup

log_assert "Key location can only be 'prompt' or a file path for encryption" \
	"roots, and 'none' for unencrypted volumes"

log_must eval "echo $PASSPHRASE > /$TESTPOOL/pkey"

log_must verify_keylocation $TESTPOOL/$TESTFS "none"
log_must zfs set keylocation=none $TESTPOOL/$TESTFS
log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS
log_mustnot zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS
log_must verify_keylocation $TESTPOOL/$TESTFS "none"

log_must zfs create -o encryption=on -o keyformat=passphrase \
	-o keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1

log_mustnot zfs set keylocation=none $TESTPOOL/$TESTFS1
if is_linux; then
	log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1
else
	# file:///$TESTPOOL/pkey and /$TESTPOOL/pkey are equivalent on FreeBSD
	# thanks to libfetch. Eventually we want to make the other platforms
	# work this way as well, either by porting libfetch or by other means.
	log_must zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1
fi

log_must zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1
log_must verify_keylocation $TESTPOOL/$TESTFS1 "file:///$TESTPOOL/pkey"

log_must zfs set keylocation=prompt $TESTPOOL/$TESTFS1
log_must verify_keylocation $TESTPOOL/$TESTFS1 "prompt"

log_must zfs unmount $TESTPOOL/$TESTFS1
log_must zfs unload-key $TESTPOOL/$TESTFS1

log_must rm /$TESTPOOL/pkey
log_must eval "echo $PASSPHRASE | zfs load-key $TESTPOOL/$TESTFS1"
log_must zfs mount $TESTPOOL/$TESTFS1

log_must zfs create $TESTPOOL/$TESTFS1/child
log_must verify_keylocation $TESTPOOL/$TESTFS1/child "none"

log_mustnot zfs set keylocation=none $TESTPOOL/$TESTFS1/child
log_mustnot zfs set keylocation=prompt $TESTPOOL/$TESTFS1/child
log_mustnot zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1/child
log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1/child

log_must verify_keylocation $TESTPOOL/$TESTFS1/child "none"

log_pass "Key location can only be 'prompt' or a file path for encryption" \
	"roots, and 'none' for unencrypted volumes"
Commit	Line	Data
b5256303 TC	1	#!/bin/ksh -p
	2	#
	3	# CDDL HEADER START
	4	#
	5	# This file and its contents are supplied under the terms of the
	6	# Common Development and Distribution License ("CDDL"), version 1.0.
	7	# You may only use this file in accordance with the terms of version
	8	# 1.0 of the CDDL.
	9	#
	10	# A full copy of the text of the CDDL should have accompanied this
	11	# source. A copy of the CDDL is also available via the Internet at
	12	# http://www.illumos.org/license/CDDL.
	13	#
	14	# CDDL HEADER END
	15	#
	16
	17	#
	18	# Copyright (c) 2017 Datto, Inc. All rights reserved.
	19	#
	20
	21	. $STF_SUITE/include/libtest.shlib
	22	. $STF_SUITE/tests/functional/cli_root/zfs_load-key/zfs_load-key_common.kshlib
	23
	24	#
	25	# DESCRIPTION:
	26	# Unencrypted datasets should only allow keylocation of 'none', encryption
	27	# roots should only allow keylocation of 'prompt' and file URI, and encrypted
	28	# child datasets should not be able to change their keylocation.
	29	#
	30	# STRATEGY:
	31	# 1. Verify the key location of the default dataset is 'none'
	32	# 2. Attempt to change the key location of the default dataset
	33	# 3. Create an encrypted dataset using a key file
	34	# 4. Attempt to change the key location of the encrypted dataset to 'none',
	35	# an invalid location, its current location, and 'prompt'
	36	# 5. Attempt to reload the encrypted dataset key using the new key location
	37	# 6. Create a encrypted child dataset
	38	# 7. Verify the key location of the child dataset is 'none'
	39	# 8. Attempt to change the key location of the child dataset
	40	# 9. Verify the key location of the child dataset has not changed
	41	#
	42
	43	verify_runnable "both"
	44
	45	function cleanup
	46	{
	47	datasetexists $TESTPOOL/$TESTFS1 && \
	48	log_must zfs destroy -r $TESTPOOL/$TESTFS1
	49	}
	50	log_onexit cleanup
	51
	52	log_assert "Key location can only be 'prompt' or a file path for encryption" \
	53	"roots, and 'none' for unencrypted volumes"
	54
	55	log_must eval "echo $PASSPHRASE > /$TESTPOOL/pkey"
	56
	57	log_must verify_keylocation $TESTPOOL/$TESTFS "none"
	58	log_must zfs set keylocation=none $TESTPOOL/$TESTFS
	59	log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS
	60	log_mustnot zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS
	61	log_must verify_keylocation $TESTPOOL/$TESTFS "none"
	62
	63	log_must zfs create -o encryption=on -o keyformat=passphrase \
	64	-o keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1
65
66	log_mustnot zfs set keylocation=none $TESTPOOL/$TESTFS1
7839c4b5 MM	67	if is_linux; then
	68	log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1
	69	else
	70	# file:///$TESTPOOL/pkey and /$TESTPOOL/pkey are equivalent on FreeBSD
	71	# thanks to libfetch. Eventually we want to make the other platforms
	72	# work this way as well, either by porting libfetch or by other means.
	73	log_must zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1
	74	fi
b5256303 TC	75
	76	log_must zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1
	77	log_must verify_keylocation $TESTPOOL/$TESTFS1 "file:///$TESTPOOL/pkey"
	78
	79	log_must zfs set keylocation=prompt $TESTPOOL/$TESTFS1
	80	log_must verify_keylocation $TESTPOOL/$TESTFS1 "prompt"
	81
	82	log_must zfs unmount $TESTPOOL/$TESTFS1
	83	log_must zfs unload-key $TESTPOOL/$TESTFS1
	84
	85	log_must rm /$TESTPOOL/pkey
	86	log_must eval "echo $PASSPHRASE \| zfs load-key $TESTPOOL/$TESTFS1"
	87	log_must zfs mount $TESTPOOL/$TESTFS1
	88
	89	log_must zfs create $TESTPOOL/$TESTFS1/child
	90	log_must verify_keylocation $TESTPOOL/$TESTFS1/child "none"
	91
	92	log_mustnot zfs set keylocation=none $TESTPOOL/$TESTFS1/child
	93	log_mustnot zfs set keylocation=prompt $TESTPOOL/$TESTFS1/child
	94	log_mustnot zfs set keylocation=file:///$TESTPOOL/pkey $TESTPOOL/$TESTFS1/child
	95	log_mustnot zfs set keylocation=/$TESTPOOL/pkey $TESTPOOL/$TESTFS1/child
	96
	97	log_must verify_keylocation $TESTPOOL/$TESTFS1/child "none"
	98
	99	log_pass "Key location can only be 'prompt' or a file path for encryption" \
	100	"roots, and 'none' for unencrypted volumes"