crypt_reboot 0.1.0

data/lib/crypt_reboot/kexec_patching_loader.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Patch initramfs and load it along with kernel using kexec,
+  # so it is ready to be executed.
+  class KexecPatchingLoader
+    def call(boot_config = BootConfig.new(
+      kernel: Config.kernel,
+      initramfs: Config.initramfs,
+      cmdline: Config.cmdline
+    ))
+      generator.call(boot_config.initramfs) do |patched_initramfs|
+        patched_boot_config = boot_config.with_initramfs(patched_initramfs)
+        loader.call(patched_boot_config)
+      end
+    end
+
+    private
+
+    attr_reader :generator, :loader
+
+    def initialize(generator: PatchedInitramfsGenerator.new,
+                   loader: Kexec::Loader.new)
+      @generator = generator
+      @loader = loader
+    end
+  end
+end

data/lib/crypt_reboot/lazy_config.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Return getter lambdas instead of configuration settings directly
+  class LazyConfig
+    class << self
+      def method_missing(method_name, *args, **kwargs, &block)
+        return super unless instance.respond_to?(method_name)
+
+        -> { instance.send(method_name, *args, **kwargs, &block) }
+      end
+
+      def respond_to_missing?(name, *_, **_)
+        instance.respond_to?(name)
+      end
+
+      def instance
+        Config.instance
+      end
+    end
+  end
+end

data/lib/crypt_reboot/luks/checker.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Luks
+    # Return true in case given device is LUKS (of given version is provided), false otherwise
+    class Checker
+      def call(headevice, version = :any)
+        args = version == :any ? [] : ['--type', version]
+        runner.call(binary, 'isLuks', 'none', '--header', headevice, *args)
+      end
+
+      private
+
+      def binary
+        lazy_binary.call
+      end
+
+      attr_reader :lazy_binary, :runner
+
+      def initialize(lazy_binary: LazyConfig.cryptsetup_path,
+                     runner: Runner::Boolean.new)
+        @lazy_binary = lazy_binary
+        @runner = runner
+      end
+    end
+  end
+end

data/lib/crypt_reboot/luks/data.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Luks
+    # Value-object with encryption parameters
+    class Data
+      attr_reader :cipher, :offset, :sector_size, :key
+
+      def ==(other)
+        cipher == other.cipher && offset == other.offset &&
+          sector_size == other.sector_size && key == other.key
+      end
+
+      def key_bits
+        key.bytesize * 8
+      end
+
+      def with_key(new_key)
+        self.class.new(
+          cipher: cipher,
+          offset: offset,
+          sector_size: sector_size,
+          key: new_key
+        )
+      end
+
+      private
+
+      def initialize(cipher:, offset:, sector_size:, key: '')
+        @cipher = cipher
+        @offset = offset
+        @sector_size = sector_size
+        @key = key
+      end
+    end
+  end
+end

data/lib/crypt_reboot/luks/data_fetcher.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Luks
+    # Fetch LUKS data including key (user will be asked for passphrase)
+    class DataFetcher
+      def call(headevice)
+        version = detector.call(headevice)
+        data = dumper.call(headevice, version)
+        pass = asker.call("Enter passphrase to unlock #{headevice}: ")
+        key = key_fetcher.call(headevice, pass)
+        data.with_key(key)
+      end
+
+      private
+
+      attr_reader :detector, :dumper, :asker, :key_fetcher
+
+      def initialize(detector: VersionDetector.new,
+                     dumper: Dumper.new,
+                     asker: PassphraseAsker.new,
+                     key_fetcher: KeyFetcher.new)
+        @detector = detector
+        @dumper = dumper
+        @asker = asker
+        @key_fetcher = key_fetcher
+      end
+    end
+  end
+end

data/lib/crypt_reboot/luks/dumper/luks_v1_parser.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Luks
+    class Dumper
+      # Parse LUKS1
+      class LuksV1Parser
+        ParsingError = Class.new StandardError
+
+        def call(lines)
+          data = parse_lines(lines)
+          instantiate(data.to_h)
+        end
+
+        private
+
+        SECTOR_SIZE = 512 # LUKS1 support only this sector size
+        private_constant :SECTOR_SIZE
+
+        def instantiate(raw)
+          data_class.new(
+            cipher: [raw.fetch(:cipher_name), raw.fetch(:cipher_mode)].join('-'),
+            offset: raw.fetch(:offset),
+            sector_size: SECTOR_SIZE
+          )
+        rescue KeyError => e
+          raise ParsingError, 'Parsing failed because of missing data', cause: e
+        end
+
+        def parse_lines(lines)
+          map_generator.call.tap do |result|
+            lines.each do |line|
+              update_result!(result, line: line)
+            end
+          end
+        end
+
+        def update_result!(result, line:)
+          case line
+          when /^Cipher name:\s+([\w-]+)$/
+            result[:cipher_name] = Regexp.last_match(1)
+          when /^Cipher mode:\s+([\w-]+)$/
+            result[:cipher_mode] = Regexp.last_match(1)
+          when /^Payload offset:\s+(\d+)$/
+            # LUKS1 provides offset in sectors
+            result[:offset] = Regexp.last_match(1).to_i * SECTOR_SIZE
+          end
+        rescue duplicate_exception => e
+          raise ParsingError, "Parsing failed on: `#{line}`", cause: e
+        end
+
+        attr_reader :data_class, :map_generator, :duplicate_exception
+
+        def initialize(data_class: Data,
+                       map_generator: -> { SingleAssignRestrictedMap.new },
+                       duplicate_exception: SingleAssignRestrictedMap::AlreadyAssigned)
+          @data_class = data_class
+          @map_generator = map_generator
+          @duplicate_exception = duplicate_exception
+        end
+      end
+    end
+  end
+end

data/lib/crypt_reboot/luks/dumper/luks_v2_parser.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Luks
+    class Dumper
+      # Parse LUKS2
+      class LuksV2Parser
+        ParsingError = Class.new StandardError
+
+        def call(lines)
+          data = parse_lines(lines)
+          instantiate(data.to_h)
+        end
+
+        private
+
+        def instantiate(args)
+          data_class.new(**args)
+        rescue ArgumentError => e
+          raise ParsingError, 'Parsing failed because of missing data', cause: e
+        end
+
+        def parse_lines(lines)
+          map_generator.call.tap do |result|
+            section_found = false
+            lines.each do |line|
+              if section_found
+                break if line =~ /^\w/
+
+                update_result!(result, line: line)
+              end
+              line =~ /^Data segments:/ && section_found = true
+            end
+          end
+        end
+
+        def update_result!(result, line:)
+          case line
+          when /offset:\s+(\d+) \[bytes\]/
+            result[:offset] = Regexp.last_match(1).to_i
+          when /cipher:\s+([\w-]+)$/
+            result[:cipher] = Regexp.last_match(1)
+          when /sector:\s+(\d+) \[bytes\]/
+            result[:sector_size] = Regexp.last_match(1).to_i
+          end
+        rescue duplicate_exception => e
+          raise ParsingError, "Parsing failed on: `#{line}`", cause: e
+        end
+
+        attr_reader :data_class, :map_generator, :duplicate_exception
+
+        def initialize(data_class: Data,
+                       map_generator: -> { SingleAssignRestrictedMap.new },
+                       duplicate_exception: SingleAssignRestrictedMap::AlreadyAssigned)
+          @data_class = data_class
+          @map_generator = map_generator
+          @duplicate_exception = duplicate_exception
+        end
+      end
+    end
+  end
+end

data/lib/crypt_reboot/luks/dumper.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Luks
+    # Depending on LUKS version, delegates parsing to different parser
+    class Dumper
+      def call(headevice, version)
+        dump = runner.call(binary, 'luksDump', 'none', '--header', headevice)
+        parser = parsers.fetch(version)
+        parser.call(dump)
+      end
+
+      private
+
+      def binary
+        lazy_binary.call
+      end
+
+      attr_reader :lazy_binary, :runner, :parsers
+
+      def initialize(lazy_binary: LazyConfig.cryptsetup_path,
+                     runner: Runner::Lines.new,
+                     parsers: { 'LUKS2' => LuksV2Parser.new, 'LUKS1' => LuksV1Parser.new })
+        @lazy_binary = lazy_binary
+        @runner = runner
+        @parsers = parsers
+      end
+    end
+  end
+end

data/lib/crypt_reboot/luks/key_fetcher.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Luks
+    # Fetch LUKS key
+    class KeyFetcher
+      InvalidPassphrase = Class.new StandardError
+
+      def call(headevice, passphrase)
+        temp_provider.call do |key_file|
+          luks_dump(headevice, key_file, passphrase)
+          file_reader.call(key_file)
+        end
+      end
+
+      private
+
+      def luks_dump(headevice, master_key_file, passphrase)
+        runner.call(
+          binary, 'luksDump', 'none', '--header', headevice,
+          '--dump-master-key', '--master-key-file', master_key_file,
+          '--key-file', '-',
+          input: passphrase
+        )
+      rescue run_exception
+        # For simplicity sake let's assume it's invalid passphrase.
+        # Other errors such as invalid device/header were handled by previous validation.
+        raise InvalidPassphrase
+      end
+
+      def binary
+        lazy_binary.call
+      end
+
+      attr_reader :lazy_binary, :runner, :run_exception, :file_reader, :temp_provider
+
+      def initialize(lazy_binary: LazyConfig.cryptsetup_path,
+                     runner: Runner::Lines.new,
+                     run_exception: Runner::ExitError,
+                     file_reader: File.method(:read),
+                     temp_provider: SafeTemp::FileName.new)
+        @lazy_binary = lazy_binary
+        @runner = runner
+        @run_exception = run_exception
+        @file_reader = file_reader
+        @temp_provider = temp_provider
+      end
+    end
+  end
+end

data/lib/crypt_reboot/luks/version_detector.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Luks
+    # Return LUKS version or raise the exception if given file doesn't represent a valid LUKS device
+    class VersionDetector
+      Error              = Class.new StandardError
+      NotLuks            = Class.new Error
+      UnsupportedVersion = Class.new Error
+
+      def call(headevice)
+        version = supported_versions.find do |tested_version|
+          checker.call(headevice, tested_version)
+        end
+        return version if version
+        raise UnsupportedVersion if checker.call(headevice)
+
+        raise NotLuks
+      end
+
+      private
+
+      attr_reader :checker, :supported_versions
+
+      def initialize(checker: Checker.new,
+                     supported_versions: %w[LUKS2 LUKS1])
+        @checker = checker
+        @supported_versions = supported_versions
+      end
+    end
+  end
+end

data/lib/crypt_reboot/passphrase_asker.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'io/console'
+
+module CryptReboot
+  # Ask user for passphrase and return it
+  class PassphraseAsker
+    def call(prompt)
+      print prompt
+      $stdin.noecho(&:gets).chomp
+    ensure
+      puts
+    end
+  end
+end

data/lib/crypt_reboot/patched_initramfs_generator.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Yield path to patched version of provided initramfs
+  class PatchedInitramfsGenerator
+    def call(initramfs_path, &block)
+      patch = squeezer.call(initramfs_path)
+      patcher.call(initramfs_path, patch, &block)
+    end
+
+    private
+
+    attr_reader :squeezer, :patcher
+
+    def initialize(squeezer: InitramfsPatchSqueezer.new,
+                   patcher: Initramfs::Patcher.new)
+      @squeezer = squeezer
+      @patcher = patcher
+    end
+  end
+end

data/lib/crypt_reboot/rebooter.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  # Perform the reboot or exit (doesn't return)
+  class Rebooter
+    def call(act = !Config.prepare_only)
+      act ? runner.call : exiter.call
+    end
+
+    private
+
+    attr_reader :runner, :exiter
+
+    def initialize(runner: -> { Process.exec Config.reboot_path },
+                   exiter: -> { exit 0 })
+      @runner = runner
+      @exiter = exiter
+    end
+  end
+end

data/lib/crypt_reboot/runner/binary.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Runner
+    # Return stdout as string
+    class Binary < Generic
+      def call(*args, **opts)
+        super(*args, **opts.merge(binary: true)).out
+      end
+    end
+  end
+end

data/lib/crypt_reboot/runner/boolean.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Runner
+    # Return true or false, depending if command succeeded or failed
+    class Boolean < Generic
+      def call(...)
+        super(...).success?
+      end
+
+      private
+
+      def initialize(**opts)
+        super(**opts.merge(run_method: :run!))
+      end
+    end
+  end
+end

data/lib/crypt_reboot/runner/generic.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'tty-command'
+
+module CryptReboot
+  module Runner
+    # Run an external process. Abstract class, use descendants.
+    class Generic
+      private
+
+      def call(*args, input: nil, output_file: nil, binary: false)
+        options = build_options(input, output_file, binary)
+        cmd.send(run_method, *args, **options)
+      rescue exceptions[:exit] => e
+        raise ExitError, cause: e
+      rescue exceptions[:not_found] => e
+        raise CommandNotFound, cause: e
+      end
+
+      def build_options(input, output_file, binary)
+        {}.tap do |options|
+          options[:input] = input if input
+          options[:out] = output_file if output_file
+          options[:binmode] = true if binary
+        end
+      end
+
+      def cmd
+        lazy_cmd.call
+      end
+
+      attr_reader :lazy_cmd, :run_method, :exceptions
+
+      def initialize(lazy_cmd: -> { TTY::Command.new(uuid: false, printer: Config.debug ? :pretty : :null) },
+                     run_method: :run,
+                     exceptions: {
+                       exit: TTY::Command::ExitError,
+                       not_found: Errno::ENOENT
+                     })
+        @lazy_cmd = lazy_cmd
+        @run_method = run_method
+        @exceptions = exceptions
+      end
+    end
+  end
+end

data/lib/crypt_reboot/runner/lines.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Runner
+    # Return standard output in form of lines.
+    # Newline characters are removed.
+    class Lines < Generic
+      def call(...)
+        super(...).to_a
+      end
+    end
+  end
+end

data/lib/crypt_reboot/runner/no_result.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Runner
+    # Return nil
+    class NoResult < Generic
+      def call(...)
+        super(...)
+        nil
+      end
+    end
+  end
+end

data/lib/crypt_reboot/runner/text.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Runner
+    # Return stdout as string
+    class Text < Generic
+      def call(...)
+        super(...).out
+      end
+    end
+  end
+end

data/lib/crypt_reboot/runner.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module Runner
+    ExitError = Class.new StandardError
+    CommandNotFound = Class.new StandardError
+  end
+end

data/lib/crypt_reboot/safe_temp/directory.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'tmpdir'
+
+module CryptReboot
+  module SafeTemp
+    # Create temporary directory, mounts tmpfs and yields tmp dir location.
+    # Make sure to cleanup afterwards.
+    class Directory
+      def call
+        tmp_maker.call do |dir|
+          mounter.call(dir) do
+            yield dir
+          end
+        end
+      end
+
+      private
+
+      attr_reader :mounter, :tmp_maker
+
+      def initialize(mounter: Mounter.new, tmp_maker: Dir.method(:mktmpdir))
+        @mounter = mounter
+        @tmp_maker = tmp_maker
+      end
+    end
+  end
+end

data/lib/crypt_reboot/safe_temp/file_name.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module SafeTemp
+    # Yield non-existing temporary file name located in a safe dir.
+    # Afterwards the directory containing this file is deleted.
+    class FileName
+      def call(name = 'file')
+        dir_provider.call do |dir|
+          yield File.join(dir, name)
+        end
+      end
+
+      private
+
+      attr_reader :dir_provider
+
+      def initialize(dir_provider: Directory.new)
+        @dir_provider = dir_provider
+      end
+    end
+  end
+end

data/lib/crypt_reboot/safe_temp/mounter.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module CryptReboot
+  module SafeTemp
+    # Mount tmpfs at the given mount point, yield and unmount
+    class Mounter
+      def call(dir, &block)
+        mounter.call(dir)
+        run(dir, &block)
+      end
+
+      private
+
+      def run(dir, &block)
+        block.call
+      ensure
+        umounter.call(dir)
+      end
+
+      attr_reader :runner, :mounter, :umounter
+
+      def initialize(runner: Runner::NoResult.new,
+                     mounter: lambda { |dir|
+                                runner.call(Config.mount_path, '-t', 'tmpfs', '-o', 'mode=700', 'none', dir)
+                              },
+                     umounter: ->(dir) { runner.call(Config.umount_path, dir) })
+        @runner = runner
+        @mounter = mounter
+        @umounter = umounter
+      end
+    end
+  end
+end