Add LUKS passphrase retrieval service test

fleetdm · Nov 17, 2024 · 690c7f8 · 690c7f8
1 parent 3150160
commit 690c7f8
Showing 1 changed file with 68 additions and 0 deletions.
diff --git a/server/service/hosts_test.go b/server/service/hosts_test.go
@@ -19,6 +19,7 @@ import (
 	"github.com/fleetdm/fleet/v4/server/contexts/viewer"
 	"github.com/fleetdm/fleet/v4/server/datastore/mysql"
 	"github.com/fleetdm/fleet/v4/server/fleet"
+	"github.com/fleetdm/fleet/v4/server/mdm"
 	apple_mdm "github.com/fleetdm/fleet/v4/server/mdm/apple"
 	"github.com/fleetdm/fleet/v4/server/mdm/apple/mobileconfig"
 	"github.com/fleetdm/fleet/v4/server/mdm/nanodep/tokenpki"
@@ -1448,6 +1449,73 @@ func TestHostEncryptionKey(t *testing.T) {
 			})
 		}
 	})
+
+	t.Run("Linux encryption", func(t *testing.T) {
+		ds := new(mock.Store)
+		host := &fleet.Host{ID: 1, Platform: "ubuntu"}
+		symmetricKey := "this_is_a_32_byte_symmetric_key!"
+		passphrase := "this_is_a_passphrase"
+		base64EncryptedKey, err := mdm.EncryptAndEncode(passphrase, symmetricKey)
+		require.NoError(t, err)
+
+		ds.HostLiteFunc = func(ctx context.Context, id uint) (*fleet.Host, error) {
+			return host, nil
+		}
+
+		ds.NewActivityFunc = func(
+			ctx context.Context, user *fleet.User, activity fleet.ActivityDetails, details []byte, createdAt time.Time,
+		) error {
+			return nil
+		}
+		ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) { // needed for new activity
+			return &fleet.AppConfig{}, nil
+		}
+
+		// error when no server private key
+		fleetCfg.Server.PrivateKey = ""
+		svc, ctx := newTestServiceWithConfig(t, ds, fleetCfg, nil, nil)
+		ctx = test.UserContext(ctx, test.UserAdmin)
+		key, err := svc.HostEncryptionKey(ctx, 1)
+		require.Error(t, err, "private key is unavailable")
+		require.Nil(t, key)
+
+		// error when key is not set
+		ds.GetHostDiskEncryptionKeyFunc = func(ctx context.Context, id uint) (*fleet.HostDiskEncryptionKey, error) {
+			return &fleet.HostDiskEncryptionKey{}, nil
+		}
+		fleetCfg.Server.PrivateKey = symmetricKey
+		svc, ctx = newTestServiceWithConfig(t, ds, fleetCfg, nil, nil)
+		ctx = test.UserContext(ctx, test.UserAdmin)
+		key, err = svc.HostEncryptionKey(ctx, 1)
+		require.Error(t, err, "host encryption key is not set")
+		require.Nil(t, key)
+
+		// error when key is not set
+		ds.GetHostDiskEncryptionKeyFunc = func(ctx context.Context, id uint) (*fleet.HostDiskEncryptionKey, error) {
+			return &fleet.HostDiskEncryptionKey{
+				Base64Encrypted: "thisIsWrong",
+				Decryptable:     ptr.Bool(true),
+			}, nil
+		}
+		svc, ctx = newTestServiceWithConfig(t, ds, fleetCfg, nil, nil)
+		ctx = test.UserContext(ctx, test.UserAdmin)
+		key, err = svc.HostEncryptionKey(ctx, 1)
+		require.Error(t, err, "decrypt host encryption key")
+		require.Nil(t, key)
+
+		// happy path
+		ds.GetHostDiskEncryptionKeyFunc = func(ctx context.Context, id uint) (*fleet.HostDiskEncryptionKey, error) {
+			return &fleet.HostDiskEncryptionKey{
+				Base64Encrypted: base64EncryptedKey,
+				Decryptable:     ptr.Bool(true),
+			}, nil
+		}
+		svc, ctx = newTestServiceWithConfig(t, ds, fleetCfg, nil, nil)
+		ctx = test.UserContext(ctx, test.UserAdmin)
+		key, err = svc.HostEncryptionKey(ctx, 1)
+		require.NoError(t, err)
+		require.Equal(t, passphrase, key.DecryptedValue)
+	})
 }
 
 func TestHostMDMProfileDetail(t *testing.T) {