Add prechecks for all key description-related operations

Author: jbaublitz

src/engine/strat_engine/engine.rs

@@ -27,7 +27,7 @@ use crate::{
             backstore::ProcessedPathInfos,
             cmd::verify_executables,
             dm::get_dm,
-            keys::StratKeyActions,
+            keys::{validate_key_descs, StratKeyActions},
             liminal::{find_all, DeviceSet, LiminalDevices},
             names::KeyDescription,
             ns::MemoryFilesystem,
@@ -108,6 +108,10 @@ impl StratEngine {
         blockdev_paths: &[&Path],
         encryption_info: Option<&InputEncryptionInfo>,
     ) -> StratisResult<CreateAction<PoolUuid>> {
+        if let Some(ei) = encryption_info {
+            validate_key_descs(ei.key_descs())?;
+        }
+
         validate_name(name)?;
         let name = Name::new(name.to_owned());
 
@@ -526,6 +530,10 @@ impl Engine for StratEngine {
         encryption_info: Option<&InputEncryptionInfo>,
         integrity_spec: IntegritySpec,
     ) -> StratisResult<CreateAction<PoolUuid>> {
+        if let Some(ei) = encryption_info {
+            validate_key_descs(ei.key_descs())?;
+        }
+
         validate_name(name)?;
         let name = Name::new(name.to_owned());
         let integrity_spec = ValidatedIntegritySpec::try_from(integrity_spec)?;

src/engine/strat_engine/keys.rs

@@ -32,6 +32,14 @@ pub(super) fn search_key_persistent(key_desc: &KeyDescription) -> StratisResult<
     search_key(keyring_id, key_desc.to_system_string())
 }
 
+/// Validate that all key descriptions
+pub fn validate_key_descs<'a>(iter: impl Iterator<Item = &'a KeyDescription>) -> StratisResult<()> {
+    for key_desc in iter {
+        search_key_persistent(key_desc)?;
+    }
+    Ok(())
+}
+
 /// Search the process keyring for the given key description.
 pub(super) fn search_key_process(
     key_desc: &VolumeKeyKeyDescription,

src/engine/strat_engine/pool/v1.rs

@@ -20,6 +20,7 @@ use stratisd_proc_macros::strat_pool_impl_gen;
 #[cfg(any(test, feature = "extras"))]
 use crate::engine::strat_engine::{
     backstore::UnownedDevices,
+    keys::validate_key_descs,
     metadata::MDADataSize,
     thinpool::{ThinPoolSizeParams, DATA_BLOCK_SIZE},
 };
@@ -37,6 +38,7 @@ use crate::{
                 ProcessedPathInfos,
             },
             crypt::{handle::v1::CryptHandle, CLEVIS_LUKS_TOKEN_ID, LUKS2_TOKEN_ID},
+            keys::search_key_persistent,
             liminal::DeviceSet,
             metadata::disown_device,
             serde_structs::{FlexDevsSave, PoolSave, Recordable},
@@ -189,6 +191,10 @@ impl StratPool {
         devices: UnownedDevices,
         encryption_info: Option<&InputEncryptionInfo>,
     ) -> StratisResult<(PoolUuid, StratPool)> {
+        if let Some(ei) = encryption_info {
+            validate_key_descs(ei.key_descs())?;
+        }
+
         let pool_uuid = PoolUuid::new_v4();
 
         // FIXME: Initializing with the minimum MDA size is not necessarily
@@ -769,6 +775,8 @@ impl Pool for StratPool {
             return Err(StratisError::Msg("Specifying the token slot for binding is not supported in V1 pools; please migrate to V2 pools to use this feature".to_string()));
         }
 
+        search_key_persistent(key_description)?;
+
         let changed = self.backstore.bind_keyring(key_description)?;
         if changed {
             Ok(CreateAction::Created((Key, LUKS2_TOKEN_ID)))
@@ -788,6 +796,13 @@ impl Pool for StratPool {
             return Err(StratisError::Msg("Specifying the token slot for rebinding is not supported in V1 pools; please migrate to V2 pools to use this feature".to_string()));
         }
 
+        if let Some(ei) = self.encryption_info_legacy() {
+            if let Some(kd) = ei.key_description()? {
+                search_key_persistent(kd)?;
+            }
+        }
+        search_key_persistent(new_key_desc)?;
+
         match self.backstore.rebind_keyring(new_key_desc)? {
             Some(true) => Ok(RenameAction::Renamed(Key)),
             Some(false) => Ok(RenameAction::Identity),

src/engine/strat_engine/pool/v2.rs

@@ -30,6 +30,7 @@ use crate::{
                 ProcessedPathInfos, UnownedDevices,
             },
             crypt::DEFAULT_CRYPT_DATA_OFFSET_V2,
+            keys::{search_key_persistent, validate_key_descs},
             liminal::DeviceSet,
             metadata::{disown_device, MDADataSize},
             serde_structs::{FlexDevsSave, PoolFeatures, PoolSave, Recordable},
@@ -41,7 +42,8 @@ use crate::{
             Key, KeyDescription, Name, OffsetDirection, OptionalTokenSlotInput, PoolDiff,
             PoolEncryptionInfo, PoolUuid, PropChangeAction, ReencryptedDevice, RegenAction,
             RenameAction, SetCreateAction, SetDeleteAction, SizedKeyMemory, StratFilesystemDiff,
-            StratPoolDiff, StratSigblockVersion, TokenUnlockMethod, ValidatedIntegritySpec,
+            StratPoolDiff, StratSigblockVersion, TokenUnlockMethod, UnlockMechanism,
+            ValidatedIntegritySpec,
         },
     },
     stratis::{StratisError, StratisResult},
@@ -158,6 +160,10 @@ impl StratPool {
         encryption_info: Option<&InputEncryptionInfo>,
         integrity_spec: ValidatedIntegritySpec,
     ) -> StratisResult<(PoolUuid, StratPool)> {
+        if let Some(ei) = encryption_info {
+            validate_key_descs(ei.key_descs())?;
+        }
+
         let pool_uuid = PoolUuid::new_v4();
 
         // FIXME: Initializing with the minimum MDA size is not necessarily
@@ -692,6 +698,8 @@ impl Pool for StratPool {
         token_slot: OptionalTokenSlotInput,
         key_description: &KeyDescription,
     ) -> StratisResult<CreateAction<(Key, u32)>> {
+        search_key_persistent(key_description)?;
+
         let changed = self.backstore.bind_keyring(token_slot, key_description)?;
         match changed {
             Some(t) => {
@@ -708,6 +716,41 @@ impl Pool for StratPool {
         token_slot: Option<u32>,
         new_key_desc: &KeyDescription,
     ) -> StratisResult<RenameAction<Key>> {
+        if let Some(e) = self.encryption_info() {
+            match e {
+                Either::Left(ei) => match token_slot {
+                    Some(t) => {
+                        let info = ei.get_info(t).ok_or_else(|| {
+                            StratisError::Msg(format!(
+                                "Failed to find key description for token slot {t}"
+                            ))
+                        })?;
+                        match info {
+                            UnlockMechanism::KeyDesc(kd) => {
+                                search_key_persistent(kd)?;
+                            }
+                            _ => {
+                                return Err(StratisError::Msg(format!(
+                                    "Token slot {t} is associated with a Clevis binding"
+                                )));
+                            }
+                        }
+                    }
+                    None => {
+                        if let Some((_, kd)) = ei.single_key_description() {
+                            search_key_persistent(kd)?;
+                        }
+                    }
+                },
+                Either::Right(pei) => {
+                    if let Some(kd) = pei.key_description()? {
+                        search_key_persistent(kd)?;
+                    }
+                }
+            }
+        }
+        search_key_persistent(new_key_desc)?;
+
         match self.backstore.rebind_keyring(token_slot, new_key_desc)? {
             Some(true) => Ok(RenameAction::Renamed(Key)),
             Some(false) => Ok(RenameAction::Identity),
@@ -1216,6 +1259,8 @@ impl Pool for StratPool {
         pool_uuid: PoolUuid,
         encryption_info: &InputEncryptionInfo,
     ) -> StratisResult<CreateAction<(u32, (u32, SizedKeyMemory))>> {
+        validate_key_descs(encryption_info.key_descs())?;
+
         match self.backstore.encryption_info() {
             Some(_) => Ok(CreateAction::Identity),
             None => {

src/engine/types/keys.rs

@@ -245,6 +245,15 @@ impl InputEncryptionInfo {
             clevis_infos_with_token_id,
         ))
     }
+
+    pub fn key_descs(&self) -> impl Iterator<Item = &KeyDescription> {
+        self.encryption_infos
+            .iter()
+            .filter_map(|(_, enc)| match enc {
+                UnlockMechanism::KeyDesc(k) => Some(k),
+                _ => None,
+            })
+    }
 }
 
 impl From<EncryptionInfo> for InputEncryptionInfo {