From 690c7f8101cc0a4a6ec5ef610245eafc8a850dff Mon Sep 17 00:00:00 2001
From: Ian Littman
Date: Sun, 17 Nov 2024 00:46:07 -0600
Subject: [PATCH] Add LUKS passphrase retrieval service test
---
 server/service/hosts_test.go | 68 ++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
diff --git a/server/service/hosts_test.go b/server/service/hosts_test.go
index 5b0837cf60c2..ebca688f3ff6 100644
--- a/server/service/hosts_test.go
+++ b/server/service/hosts_test.go
@@ -19,6 +19,7 @@ import (
 "github.com/fleetdm/fleet/v4/server/contexts/viewer"
 "github.com/fleetdm/fleet/v4/server/datastore/mysql"
 "github.com/fleetdm/fleet/v4/server/fleet"
+ "github.com/fleetdm/fleet/v4/server/mdm"
 apple_mdm "github.com/fleetdm/fleet/v4/server/mdm/apple"
 "github.com/fleetdm/fleet/v4/server/mdm/apple/mobileconfig"
 "github.com/fleetdm/fleet/v4/server/mdm/nanodep/tokenpki"
@@ -1448,6 +1449,73 @@ func TestHostEncryptionKey(t *testing.T) {
 })
 }
 })
+
+ t.Run("Linux encryption", func(t *testing.T) {
+ ds := new(mock.Store)
+ host := &fleet.Host{ID: 1, Platform: "ubuntu"}
+ symmetricKey := "this_is_a_32_byte_symmetric_key!"
+ passphrase := "this_is_a_passphrase"
+ base64EncryptedKey, err := mdm.EncryptAndEncode(passphrase, symmetricKey)
+ require.NoError(t, err)
+
+ ds.HostLiteFunc = func(ctx context.Context, id uint) (*fleet.Host, error) {
+ return host, nil
+ }
+
+ ds.NewActivityFunc = func(
+ ctx context.Context, user *fleet.User, activity fleet.ActivityDetails, details []byte, createdAt time.Time,
+ ) error {
+ return nil
+ }
+ ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) { // needed for new activity
+ return &fleet.AppConfig{}, nil
+ }
+
+ // error when no server private key
+ fleetCfg.Server.PrivateKey = ""
+ svc, ctx := newTestServiceWithConfig(t, ds, fleetCfg, nil, nil)
+ ctx = test.UserContext(ctx, test.UserAdmin)
+ key, err := svc.HostEncryptionKey(ctx, 1)
+ require.Error(t, err, "private key is unavailable")
+ require.Nil(t, key)
+
+ // error when key is not set
+ ds.GetHostDiskEncryptionKeyFunc = func(ctx context.Context, id uint) (*fleet.HostDiskEncryptionKey, error) {
+ return &fleet.HostDiskEncryptionKey{}, nil
+ }
+ fleetCfg.Server.PrivateKey = symmetricKey
+ svc, ctx = newTestServiceWithConfig(t, ds, fleetCfg, nil, nil)
+ ctx = test.UserContext(ctx, test.UserAdmin)
+ key, err = svc.HostEncryptionKey(ctx, 1)
+ require.Error(t, err, "host encryption key is not set")
+ require.Nil(t, key)
+
+ // error when key is not set
+ ds.GetHostDiskEncryptionKeyFunc = func(ctx context.Context, id uint) (*fleet.HostDiskEncryptionKey, error) {
+ return &fleet.HostDiskEncryptionKey{
+ Base64Encrypted: "thisIsWrong",
+ Decryptable: ptr.Bool(true),
+ }, nil
+ }
+ svc, ctx = newTestServiceWithConfig(t, ds, fleetCfg, nil, nil)
+ ctx = test.UserContext(ctx, test.UserAdmin)
+ key, err = svc.HostEncryptionKey(ctx, 1)
+ require.Error(t, err, "decrypt host encryption key")
+ require.Nil(t, key)
+
+ // happy path
+ ds.GetHostDiskEncryptionKeyFunc = func(ctx context.Context, id uint) (*fleet.HostDiskEncryptionKey, error) {
+ return &fleet.HostDiskEncryptionKey{
+ Base64Encrypted: base64EncryptedKey,
+ Decryptable: ptr.Bool(true),
+ }, nil
+ }
+ svc, ctx = newTestServiceWithConfig(t, ds, fleetCfg, nil, nil)
+ ctx = test.UserContext(ctx, test.UserAdmin)
+ key, err = svc.HostEncryptionKey(ctx, 1)
+ require.NoError(t, err)
+ require.Equal(t, passphrase, key.DecryptedValue)
+ })
 }
 
 func TestHostMDMProfileDetail(t *testing.T) {
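Review bot: The third argument to `require.Error` in the three failing cases is testify's failure message, not an expected error string, so `require.Error(t, err, "private key is unavailable")` (and likewise the "host encryption key is not set" and "decrypt host encryption key" assertions) passes for any non-nil error and never verifies which guard rejected the request; `require.ErrorContains(t, err, "private key is unavailable")` on each of the three would pin the error path the case is meant to cover. The comment above the `"thisIsWrong"` case repeats the previous one; `// error when the stored key cannot be decrypted with the server private key` describes what that case actually exercises. The subtest also assigns `fleetCfg.Server.PrivateKey` directly, and if `fleetCfg` is shared with the sibling subtests (its declaration is outside the hunk, so I cannot confirm) the value left behind depends on subtest order, which a `t.Cleanup` restore would avoid. TestHostEncryptionKey begins outside the hunk.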