ceph-csi/internal/util/cryptsetup.go

/*
Copyright 2019 The Ceph-CSI Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package util

import (
	"bytes"
	"fmt"
	"os/exec"
	"strings"
)

// LuksFormat sets up volume as an encrypted LUKS partition.
func LuksFormat(devicePath, passphrase string) (stdout, stderr []byte, err error) {
	return execCryptsetupCommand(&passphrase, "-q", "luksFormat", "--hash", "sha256", devicePath, "-d", "/dev/stdin")
}

// LuksOpen opens LUKS encrypted partition and sets up a mapping.
func LuksOpen(devicePath, mapperFile, passphrase string) (stdout, stderr []byte, err error) {
	return execCryptsetupCommand(&passphrase, "luksOpen", devicePath, mapperFile, "-d", "/dev/stdin")
}

// LuksClose removes existing mapping.
func LuksClose(mapperFile string) (stdout, stderr []byte, err error) {
	return execCryptsetupCommand(nil, "luksClose", mapperFile)
}

// LuksStatus returns encryption status of a provided device.
func LuksStatus(mapperFile string) (stdout, stderr []byte, err error) {
	return execCryptsetupCommand(nil, "status", mapperFile)
}

func execCryptsetupCommand(stdin *string, args ...string) (stdout, stderr []byte, err error) {
	var (
		program       = "cryptsetup"
		cmd           = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
		sanitizedArgs = StripSecretInArgs(args)
		stdoutBuf     bytes.Buffer
		stderrBuf     bytes.Buffer
	)

	cmd.Stdout = &stdoutBuf
	cmd.Stderr = &stderrBuf
	if stdin != nil {
		cmd.Stdin = strings.NewReader(*stdin)
	}

	if err := cmd.Run(); err != nil {
		return stdoutBuf.Bytes(), stderrBuf.Bytes(), fmt.Errorf("an error (%v)"+
			" occurred while running %s args: %v", err, program, sanitizedArgs)
	}

	return stdoutBuf.Bytes(), nil, nil
}
Adds PVC encryption with LUKS Adds encryption in StorageClass as a parameter. Encryption passphrase is stored in kubernetes secrets per StorageClass. Implements rbd volume encryption relying on dm-crypt and cryptsetup using LUKS extension The change is related to proposal made earlier. This is a first part of the full feature that adds encryption with passphrase stored in secrets. Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Signed-off-by: Ioannis Papaioannou ioannis.papaioannou@workday.com Signed-off-by: Paul Mc Auley paul.mcauley@workday.com Signed-off-by: Sergio de Carvalho sergio.carvalho@workday.com 2019-12-13 11:41:32 +00:00			`/*`
			`Copyright 2019 The Ceph-CSI Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package util`

			`import (`
			`"bytes"`
			`"fmt"`
			`"os/exec"`
			`"strings"`
			`)`

cleanup: address godot warnings Top level comments should end in a period Signed-off-by: Yug <yuggupta27@gmail.com> 2020-07-19 12:21:03 +00:00			`// LuksFormat sets up volume as an encrypted LUKS partition.`
Adds PVC encryption with LUKS Adds encryption in StorageClass as a parameter. Encryption passphrase is stored in kubernetes secrets per StorageClass. Implements rbd volume encryption relying on dm-crypt and cryptsetup using LUKS extension The change is related to proposal made earlier. This is a first part of the full feature that adds encryption with passphrase stored in secrets. Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Signed-off-by: Ioannis Papaioannou ioannis.papaioannou@workday.com Signed-off-by: Paul Mc Auley paul.mcauley@workday.com Signed-off-by: Sergio de Carvalho sergio.carvalho@workday.com 2019-12-13 11:41:32 +00:00			`func LuksFormat(devicePath, passphrase string) (stdout, stderr []byte, err error) {`
			`return execCryptsetupCommand(&passphrase, "-q", "luksFormat", "--hash", "sha256", devicePath, "-d", "/dev/stdin")`
			`}`

cleanup: address godot warnings Top level comments should end in a period Signed-off-by: Yug <yuggupta27@gmail.com> 2020-07-19 12:21:03 +00:00			`// LuksOpen opens LUKS encrypted partition and sets up a mapping.`
Adds PVC encryption with LUKS Adds encryption in StorageClass as a parameter. Encryption passphrase is stored in kubernetes secrets per StorageClass. Implements rbd volume encryption relying on dm-crypt and cryptsetup using LUKS extension The change is related to proposal made earlier. This is a first part of the full feature that adds encryption with passphrase stored in secrets. Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Signed-off-by: Ioannis Papaioannou ioannis.papaioannou@workday.com Signed-off-by: Paul Mc Auley paul.mcauley@workday.com Signed-off-by: Sergio de Carvalho sergio.carvalho@workday.com 2019-12-13 11:41:32 +00:00			`func LuksOpen(devicePath, mapperFile, passphrase string) (stdout, stderr []byte, err error) {`
			`return execCryptsetupCommand(&passphrase, "luksOpen", devicePath, mapperFile, "-d", "/dev/stdin")`
			`}`

cleanup: address godot warnings Top level comments should end in a period Signed-off-by: Yug <yuggupta27@gmail.com> 2020-07-19 12:21:03 +00:00			`// LuksClose removes existing mapping.`
Adds PVC encryption with LUKS Adds encryption in StorageClass as a parameter. Encryption passphrase is stored in kubernetes secrets per StorageClass. Implements rbd volume encryption relying on dm-crypt and cryptsetup using LUKS extension The change is related to proposal made earlier. This is a first part of the full feature that adds encryption with passphrase stored in secrets. Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Signed-off-by: Ioannis Papaioannou ioannis.papaioannou@workday.com Signed-off-by: Paul Mc Auley paul.mcauley@workday.com Signed-off-by: Sergio de Carvalho sergio.carvalho@workday.com 2019-12-13 11:41:32 +00:00			`func LuksClose(mapperFile string) (stdout, stderr []byte, err error) {`
			`return execCryptsetupCommand(nil, "luksClose", mapperFile)`
			`}`

cleanup: address godot warnings Top level comments should end in a period Signed-off-by: Yug <yuggupta27@gmail.com> 2020-07-19 12:21:03 +00:00			`// LuksStatus returns encryption status of a provided device.`
Adds PVC encryption with LUKS Adds encryption in StorageClass as a parameter. Encryption passphrase is stored in kubernetes secrets per StorageClass. Implements rbd volume encryption relying on dm-crypt and cryptsetup using LUKS extension The change is related to proposal made earlier. This is a first part of the full feature that adds encryption with passphrase stored in secrets. Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Signed-off-by: Ioannis Papaioannou ioannis.papaioannou@workday.com Signed-off-by: Paul Mc Auley paul.mcauley@workday.com Signed-off-by: Sergio de Carvalho sergio.carvalho@workday.com 2019-12-13 11:41:32 +00:00			`func LuksStatus(mapperFile string) (stdout, stderr []byte, err error) {`
			`return execCryptsetupCommand(nil, "status", mapperFile)`
			`}`

			`func execCryptsetupCommand(stdin *string, args ...string) (stdout, stderr []byte, err error) {`
			`var (`
			`program = "cryptsetup"`
cleanup: address gosec warnings gosec warns about security problems by scanning the Go AST. Issues Reported: G101 (CWE-798): Potential hardcoded credentials (Confidence: LOW, Severity: HIGH) G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) Signed-off-by: Yug <yuggupta27@gmail.com> 2020-07-20 12:49:05 +00:00			`cmd = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.`
Adds PVC encryption with LUKS Adds encryption in StorageClass as a parameter. Encryption passphrase is stored in kubernetes secrets per StorageClass. Implements rbd volume encryption relying on dm-crypt and cryptsetup using LUKS extension The change is related to proposal made earlier. This is a first part of the full feature that adds encryption with passphrase stored in secrets. Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com Signed-off-by: Ioannis Papaioannou ioannis.papaioannou@workday.com Signed-off-by: Paul Mc Auley paul.mcauley@workday.com Signed-off-by: Sergio de Carvalho sergio.carvalho@workday.com 2019-12-13 11:41:32 +00:00			`sanitizedArgs = StripSecretInArgs(args)`
			`stdoutBuf bytes.Buffer`
			`stderrBuf bytes.Buffer`
			`)`

			`cmd.Stdout = &stdoutBuf`
			`cmd.Stderr = &stderrBuf`
			`if stdin != nil {`
			`cmd.Stdin = strings.NewReader(*stdin)`
			`}`

			`if err := cmd.Run(); err != nil {`
			`return stdoutBuf.Bytes(), stderrBuf.Bytes(), fmt.Errorf("an error (%v)"+`
			`" occurred while running %s args: %v", err, program, sanitizedArgs)`
			`}`

			`return stdoutBuf.Bytes(), nil, nil`
			`}`