creds: introduce --transcode=help and friends and use them in shell completion (#35579)
Follow-ups for 783f794e89
(#35537).
commit
2d80c9c801
@ -234,7 +234,8 @@
|
||||
<listitem><para>When specified with the <command>cat</command> or <command>decrypt</command>
|
||||
commands, transcodes the output before showing it. Takes one of <literal>base64</literal>,
|
||||
<literal>unbase64</literal>, <literal>hex</literal> or <literal>unhex</literal> as argument, in order
|
||||
to encode/decode the credential data with Base64 or as series of hexadecimal values.</para>
|
||||
to encode/decode the credential data with Base64 or as series of hexadecimal values. The special
|
||||
value <literal>help</literal> may be used to list supported transcode types.</para>
|
||||
|
||||
<para>Note that this has no effect on the <command>encrypt</command> command, as encrypted
|
||||
credentials are unconditionally encoded in Base64.</para>
|
||||
@ -340,7 +341,8 @@
|
||||
information). If set to <literal>auto-initrd</literal> a TPM2 key is used if a TPM2 is found. If not
|
||||
a fixed zero length key is used, equivalent to <literal>null</literal> mode. This option is
|
||||
particularly useful to generate credentials files that are encrypted/authenticated against TPM2 where
|
||||
available but still work on systems lacking support for this.</para>
|
||||
available but still work on systems lacking support for this. The special value
|
||||
<literal>help</literal> may be used to list supported key types.</para>
|
||||
|
||||
<para>The <option>-H</option> switch is a shortcut for <option>--with-key=host</option>. Similar,
|
||||
<option>-T</option> is a shortcut for <option>--with-key=tpm2</option>.</para>
|
||||
|
@ -25,10 +25,9 @@ __contains_word() {
|
||||
}
|
||||
|
||||
__get_tpm2_devices() {
|
||||
local i
|
||||
for i in /dev/tpmrm*; do
|
||||
[ -c "$i" ] && printf '%s\n' "$i"
|
||||
done
|
||||
local a b c
|
||||
systemd-creds --no-legend --quiet --tpm2-device=list 2>/dev/null | \
|
||||
{ while read -r a b c; do echo " $a"; done }
|
||||
}
|
||||
|
||||
__get_creds() {
|
||||
@ -129,10 +128,10 @@ _systemd_creds() {
|
||||
comps=$( systemd-creds --json=help 2>/dev/null )
|
||||
;;
|
||||
--transcode)
|
||||
comps='base64 unbase64 hex unhex'
|
||||
comps=$( systemd-creds --no-legend --transcode=help 2>/dev/null )
|
||||
;;
|
||||
--with-key)
|
||||
comps='host tpm2 host+tpm2 null auto auto-initrd'
|
||||
comps=$( systemd-creds --no-legend --with-key=help 2>/dev/null )
|
||||
;;
|
||||
esac
|
||||
COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
|
||||
|
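Review bot: The rewritten `__get_tpm2_devices` depends on the column layout of `systemd-creds --tpm2-device=list`, taking the first whitespace-separated field of every row as the device path, and nothing in the function says so; a one-line comment above the pipeline would help, e.g. `# first column of the device table is the device path; --no-legend drops the header row, --quiet the "no devices" notice`. In the second hunk the `--transcode` and `--with-key` cases now rely entirely on `--transcode=help` / `--with-key=help`, so against a systemd-creds binary that predates this commit the completion list becomes empty rather than falling back to the former hard-coded words; that matches the existing `--json=help` case, so it is presumably intended. `_systemd_creds` starts and ends outside the hunk.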
@ -101,7 +101,7 @@ ssize_t string_table_lookup(const char * const *table, size_t len, const char *k
|
||||
_DEFINE_STRING_TABLE_LOOKUP_FROM_STRING_FALLBACK(name,type,max,static)
|
||||
|
||||
#define DUMP_STRING_TABLE(name,type,max) \
|
||||
do { \
|
||||
({ \
|
||||
flockfile(stdout); \
|
||||
for (type _k = 0; _k < (max); _k++) { \
|
||||
const char *_t; \
|
||||
@ -112,4 +112,5 @@ ssize_t string_table_lookup(const char * const *table, size_t len, const char *k
|
||||
fputc_unlocked('\n', stdout); \
|
||||
} \
|
||||
funlockfile(stdout); \
|
||||
} while (false)
|
||||
0; \
|
||||
})
|
||||
|
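Review bot: `DUMP_STRING_TABLE` now yields a value (the trailing `0;` inside the statement expression) so that callers can write `return DUMP_STRING_TABLE(...)`, but the macro itself does not say so; a comment on the `#define` line would spare the next reader from deducing it from the `0;`, e.g. `/* Prints every entry of the table to stdout, one per line; evaluates to 0 so callers may "return DUMP_STRING_TABLE(...)" from an argument parser. */`. The `({ ... })` form is a GCC/Clang extension, acceptable if the codebase already relies on statement expressions elsewhere, whereas the replaced `do { } while (false)` was portable as a statement. The macro body starts in the first hunk and the loop between the two hunks is not shown.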
@ -77,7 +77,53 @@ static const char* transcode_mode_table[_TRANSCODE_MAX] = {
|
||||
[TRANSCODE_UNHEX] = "unhex",
|
||||
};
|
||||
|
||||
DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(transcode_mode, TranscodeMode);
|
||||
DEFINE_PRIVATE_STRING_TABLE_LOOKUP(transcode_mode, TranscodeMode);
|
||||
|
||||
typedef enum CredKeyType {
|
||||
CRED_KEY_TYPE_AUTO,
|
||||
CRED_KEY_TYPE_AUTO_INITRD,
|
||||
CRED_KEY_TYPE_HOST,
|
||||
CRED_KEY_TYPE_TPM2,
|
||||
CRED_KEY_TYPE_TPM2_PUBLIC,
|
||||
CRED_KEY_TYPE_HOST_TPM2,
|
||||
CRED_KEY_TYPE_TPM2_HOST,
|
||||
CRED_KEY_TYPE_HOST_TPM2_PUBLIC,
|
||||
CRED_KEY_TYPE_TPM2_PUBLIC_HOST,
|
||||
CRED_KEY_TYPE_NULL,
|
||||
CRED_KEY_TYPE_ABSENT,
|
||||
_CRED_KEY_TYPE_MAX,
|
||||
_CRED_KEY_TYPE_INVALID = -EINVAL,
|
||||
} CredKeyType;
|
||||
|
||||
static const char* cred_key_type_table[_CRED_KEY_TYPE_MAX] = {
|
||||
[CRED_KEY_TYPE_AUTO] = "auto",
|
||||
[CRED_KEY_TYPE_AUTO_INITRD] = "auto-initrd",
|
||||
[CRED_KEY_TYPE_HOST] = "host",
|
||||
[CRED_KEY_TYPE_TPM2] = "tpm2",
|
||||
[CRED_KEY_TYPE_TPM2_PUBLIC] = "tpm2-with-public-key",
|
||||
[CRED_KEY_TYPE_HOST_TPM2] = "host+tpm2",
|
||||
[CRED_KEY_TYPE_TPM2_HOST] = "tpm2+host",
|
||||
[CRED_KEY_TYPE_HOST_TPM2_PUBLIC] = "host+tpm2-with-public-key",
|
||||
[CRED_KEY_TYPE_TPM2_PUBLIC_HOST] = "tpm2-with-public-key+host",
|
||||
[CRED_KEY_TYPE_NULL] = "null",
|
||||
[CRED_KEY_TYPE_ABSENT] = "tpm2-absent",
|
||||
};
|
||||
|
||||
DEFINE_PRIVATE_STRING_TABLE_LOOKUP(cred_key_type, CredKeyType);
|
||||
|
||||
static sd_id128_t cred_key_id[_CRED_KEY_TYPE_MAX] = {
|
||||
[CRED_KEY_TYPE_AUTO] = _CRED_AUTO,
|
||||
[CRED_KEY_TYPE_AUTO_INITRD] = _CRED_AUTO_INITRD,
|
||||
[CRED_KEY_TYPE_HOST] = CRED_AES256_GCM_BY_HOST,
|
||||
[CRED_KEY_TYPE_TPM2] = CRED_AES256_GCM_BY_TPM2_HMAC,
|
||||
[CRED_KEY_TYPE_TPM2_PUBLIC] = CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
|
||||
[CRED_KEY_TYPE_HOST_TPM2] = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
|
||||
[CRED_KEY_TYPE_TPM2_HOST] = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
|
||||
[CRED_KEY_TYPE_HOST_TPM2_PUBLIC] = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK,
|
||||
[CRED_KEY_TYPE_TPM2_PUBLIC_HOST] = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK,
|
||||
[CRED_KEY_TYPE_NULL] = CRED_AES256_GCM_BY_NULL,
|
||||
[CRED_KEY_TYPE_ABSENT] = CRED_AES256_GCM_BY_NULL,
|
||||
};
|
||||
|
||||
static int open_credential_directory(
|
||||
bool encrypted,
|
||||
@ -849,6 +895,13 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
break;
|
||||
|
||||
case ARG_TRANSCODE:
|
||||
if (streq(optarg, "help")) {
|
||||
if (arg_legend)
|
||||
puts("Supported transcode types:");
|
||||
|
||||
return DUMP_STRING_TABLE(transcode_mode, TranscodeMode, _TRANSCODE_MAX);
|
||||
}
|
||||
|
||||
if (parse_boolean(optarg) == 0) /* If specified as "false", turn transcoding off */
|
||||
arg_transcode = TRANSCODE_OFF;
|
||||
else {
|
||||
@ -880,25 +933,22 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
break;
|
||||
|
||||
case ARG_WITH_KEY:
|
||||
if (isempty(optarg) || streq(optarg, "auto"))
|
||||
arg_with_key = _CRED_AUTO;
|
||||
else if (streq(optarg, "auto-initrd"))
|
||||
arg_with_key = _CRED_AUTO_INITRD;
|
||||
else if (streq(optarg, "host"))
|
||||
arg_with_key = CRED_AES256_GCM_BY_HOST;
|
||||
else if (streq(optarg, "tpm2"))
|
||||
arg_with_key = CRED_AES256_GCM_BY_TPM2_HMAC;
|
||||
else if (streq(optarg, "tpm2-with-public-key"))
|
||||
arg_with_key = CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK;
|
||||
else if (STR_IN_SET(optarg, "host+tpm2", "tpm2+host"))
|
||||
arg_with_key = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
|
||||
else if (STR_IN_SET(optarg, "host+tpm2-with-public-key", "tpm2-with-public-key+host"))
|
||||
arg_with_key = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK;
|
||||
else if (STR_IN_SET(optarg, "null", "tpm2-absent"))
|
||||
arg_with_key = CRED_AES256_GCM_BY_NULL;
|
||||
else
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown key type: %s", optarg);
|
||||
if (streq(optarg, "help")) {
|
||||
if (arg_legend)
|
||||
puts("Supported key types:");
|
||||
|
||||
return DUMP_STRING_TABLE(cred_key_type, CredKeyType, _CRED_KEY_TYPE_MAX);
|
||||
}
|
||||
|
||||
if (isempty(optarg))
|
||||
arg_with_key = _CRED_AUTO;
|
||||
else {
|
||||
CredKeyType t = cred_key_type_from_string(optarg);
|
||||
if (t < 0)
|
||||
return log_error_errno(t, "Failed to parse key type: %m");
|
||||
|
||||
arg_with_key = cred_key_id[t];
|
||||
}
|
||||
break;
|
||||
|
||||
case 'H':
|
||||
@ -911,7 +961,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
|
||||
case ARG_TPM2_DEVICE:
|
||||
if (streq(optarg, "list"))
|
||||
return tpm2_list_devices();
|
||||
return tpm2_list_devices(arg_legend, arg_quiet);
|
||||
|
||||
arg_tpm2_device = streq(optarg, "auto") ? NULL : optarg;
|
||||
break;
|
||||
|
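Review bot: The new `--with-key` error path drops the offending value from the diagnostic: the removed branch reported `Unknown key type: %s`, while `log_error_errno(t, "Failed to parse key type: %m")` now prints only the errno text, so a user who mistypes a key name gets no hint which word was rejected; `return log_error_errno(t, "Failed to parse key type '%s': %m", optarg);` keeps the information. In the first hunk `cred_key_id` is declared `static sd_id128_t` although, within the visible hunks, it is only read through `cred_key_id[t]`; `static const sd_id128_t cred_key_id[_CRED_KEY_TYPE_MAX]` would keep the key-type-to-key-id mapping in read-only data, unless the compound literals the `CRED_*` macros expand to prevent a const static initializer. parse_argv starts and ends outside the hunks.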
@ -493,7 +493,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
_cleanup_free_ char *device = NULL;
|
||||
|
||||
if (streq(optarg, "list"))
|
||||
return tpm2_list_devices();
|
||||
return tpm2_list_devices(/* legend = */ true, /* quiet = */ false);
|
||||
|
||||
if (arg_enroll_type >= 0 || arg_tpm2_device)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
|
@ -295,7 +295,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
_cleanup_free_ char *device = NULL;
|
||||
|
||||
if (streq(optarg, "list"))
|
||||
return tpm2_list_devices();
|
||||
return tpm2_list_devices(/* legend = */ true, /* quiet = */ false);
|
||||
|
||||
if (!streq(optarg, "auto")) {
|
||||
device = strdup(optarg);
|
||||
|
@ -131,7 +131,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
_cleanup_free_ char *device = NULL;
|
||||
|
||||
if (streq(optarg, "list"))
|
||||
return tpm2_list_devices();
|
||||
return tpm2_list_devices(/* legend = */ true, /* quiet = */ false);
|
||||
|
||||
if (!streq(optarg, "auto")) {
|
||||
device = strdup(optarg);
|
||||
|
@ -8160,7 +8160,7 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
|
||||
_cleanup_free_ char *device = NULL;
|
||||
|
||||
if (streq(optarg, "list"))
|
||||
return tpm2_list_devices();
|
||||
return tpm2_list_devices(/* legend = */ true, /* quiet = */ false);
|
||||
|
||||
if (!streq(optarg, "auto")) {
|
||||
device = strdup(optarg);
|
||||
|
@ -6165,7 +6165,7 @@ int tpm2_unseal_data(
|
||||
}
|
||||
#endif /* HAVE_TPM2 */
|
||||
|
||||
int tpm2_list_devices(void) {
|
||||
int tpm2_list_devices(bool legend, bool quiet) {
|
||||
#if HAVE_TPM2
|
||||
_cleanup_(table_unrefp) Table *t = NULL;
|
||||
_cleanup_closedir_ DIR *d = NULL;
|
||||
@ -6179,6 +6179,8 @@ int tpm2_list_devices(void) {
|
||||
if (!t)
|
||||
return log_oom();
|
||||
|
||||
(void) table_set_header(t, legend);
|
||||
|
||||
d = opendir("/sys/class/tpmrm");
|
||||
if (!d) {
|
||||
log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_ERR, errno, "Failed to open /sys/class/tpmrm: %m");
|
||||
@ -6224,7 +6226,7 @@ int tpm2_list_devices(void) {
|
||||
}
|
||||
}
|
||||
|
||||
if (table_isempty(t)) {
|
||||
if (table_isempty(t) && !quiet) {
|
||||
log_info("No suitable TPM2 devices found.");
|
||||
return 0;
|
||||
}
|
||||
|
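Review bot: The `quiet` parameter only governs the `No suitable TPM2 devices found.` message in the visible hunks, and the early `return 0` now applies only when `!quiet`, so a quiet caller with an empty table falls through to whatever follows the hunk — presumably the table print, which would then emit nothing with `legend == false`; worth confirming that "no output, exit 0" is the intended result of `--quiet --tpm2-device=list`. The `#else` branch of `#if HAVE_TPM2` is outside the hunk and, if it logs, does not see `quiet`. The new declaration in the header would benefit from a short contract comment, e.g. `/* Lists the devices found under /sys/class/tpmrm on stdout as a table; legend toggles the header row, quiet suppresses the notice printed when none are found. */`. tpm2_list_devices continues past the last hunk.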
@ -385,7 +385,7 @@ static inline int tpm2_pcrlock_search_file(const char *path, FILE **ret_file, ch
|
||||
|
||||
#endif /* HAVE_TPM2 */
|
||||
|
||||
int tpm2_list_devices(void);
|
||||
int tpm2_list_devices(bool legend, bool quiet);
|
||||
int tpm2_find_device_auto(char **ret);
|
||||
|
||||
int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
|
||||
|
@ -91,7 +91,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
|
||||
case ARG_TPM2_DEVICE:
|
||||
if (streq(optarg, "list"))
|
||||
return tpm2_list_devices();
|
||||
return tpm2_list_devices(/* legend = */ true, /* quiet = */ false);
|
||||
|
||||
if (free_and_strdup(&arg_tpm2_device, streq(optarg, "auto") ? NULL : optarg) < 0)
|
||||
return log_oom();
|
||||
|