lix-installer/src/action/darwin/encrypt_apfs_volume.rs

use crate::{
    action::{
        darwin::NIX_VOLUME_MOUNTD_DEST, Action, ActionDescription, ActionError, StatefulAction,
    },
    execute_command,
};
use rand::Rng;
use std::path::{Path, PathBuf};
use tokio::process::Command;
use tracing::{span, Span};

/**
Encrypt an APFS volume
 */
#[derive(Debug, serde::Deserialize, serde::Serialize, Clone)]
pub struct EncryptApfsVolume {
    disk: PathBuf,
    name: String,
}

impl EncryptApfsVolume {
    #[tracing::instrument(level = "debug", skip_all)]
    pub async fn plan(
        disk: impl AsRef<Path>,
        name: impl AsRef<str>,
    ) -> Result<StatefulAction<Self>, ActionError> {
        let name = name.as_ref().to_owned();
        Ok(Self {
            name,
            disk: disk.as_ref().to_path_buf(),
        }
        .into())
    }
}

#[async_trait::async_trait]
#[typetag::serde(name = "encrypt_volume")]
impl Action for EncryptApfsVolume {
    fn tracing_synopsis(&self) -> String {
        format!(
            "Encrypt volume `{}` on disk `{}`",
            self.name,
            self.disk.display()
        )
    }

    fn tracing_span(&self) -> Span {
        span!(
            tracing::Level::DEBUG,
            "encrypt_volume",
            disk = tracing::field::display(self.disk.display()),
        )
    }

    fn execute_description(&self) -> Vec<ActionDescription> {
        vec![ActionDescription::new(self.tracing_synopsis(), vec![])]
    }

    #[tracing::instrument(level = "debug", skip_all, fields(
        disk = %self.disk.display(),
    ))]
    async fn execute(&mut self) -> Result<(), ActionError> {
        let Self { disk, name } = self;

        // Generate a random password.
        let password: String = {
            const CHARSET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\
                                abcdefghijklmnopqrstuvwxyz\
                                    0123456789)(*&^%$#@!~";
            const PASSWORD_LEN: usize = 32;
            let mut rng = rand::thread_rng();

            (0..PASSWORD_LEN)
                .map(|_| {
                    let idx = rng.gen_range(0..CHARSET.len());
                    CHARSET[idx] as char
                })
                .collect()
        };

        let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */

        execute_command(Command::new("/usr/sbin/diskutil").arg("mount").arg(&name))
            .await
            .map_err(ActionError::Command)?;

        // Add the password to the user keychain so they can unlock it later.
        execute_command(
            Command::new("/usr/bin/security").process_group(0).args([
                "add-generic-password",
                "-a",
                name.as_str(),
                "-s",
                name.as_str(),
                "-l",
                format!("{} encryption password", disk_str).as_str(),
                "-D",
                "Encrypted volume password",
                "-j",
                format!(
                    "Added automatically by the Nix installer for use by {NIX_VOLUME_MOUNTD_DEST}"
                )
                .as_str(),
                "-w",
                password.as_str(),
                "-T",
                "/System/Library/CoreServices/APFSUserAgent",
                "-T",
                "/System/Library/CoreServices/CSUserAgent",
                "-T",
                "/usr/bin/security",
                "/Library/Keychains/System.keychain",
            ]),
        )
        .await
        .map_err(ActionError::Command)?;

        // Encrypt the mounted volume
        execute_command(Command::new("/usr/sbin/diskutil").process_group(0).args([
            "apfs",
            "encryptVolume",
            name.as_str(),
            "-user",
            "disk",
            "-passphrase",
            password.as_str(),
        ]))
        .await
        .map_err(ActionError::Command)?;

        execute_command(
            Command::new("/usr/sbin/diskutil")
                .process_group(0)
                .arg("unmount")
                .arg("force")
                .arg(&name),
        )
        .await
        .map_err(ActionError::Command)?;

        Ok(())
    }

    fn revert_description(&self) -> Vec<ActionDescription> {
        vec![ActionDescription::new(
            format!(
                "Remove encryption keys for volume `{}`",
                self.disk.display()
            ),
            vec![],
        )]
    }

    #[tracing::instrument(level = "debug", skip_all, fields(
        disk = %self.disk.display(),
    ))]
    async fn revert(&mut self) -> Result<(), ActionError> {
        let Self { disk, name } = self;

        let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */

        // TODO: This seems very rough and unsafe
        execute_command(
            Command::new("/usr/bin/security").process_group(0).args([
                "delete-generic-password",
                "-a",
                name.as_str(),
                "-s",
                name.as_str(),
                "-l",
                format!("{} encryption password", disk_str).as_str(),
                "-D",
                "Encrypted volume password",
                "-j",
                format!(
                    "Added automatically by the Nix installer for use by {NIX_VOLUME_MOUNTD_DEST}"
                )
                .as_str(),
            ]),
        )
        .await
        .map_err(ActionError::Command)?;

        Ok(())
    }
}
Scaffold 2022-11-01 18:33:54 +00:00			`use crate::{`
Create ActionError (#79) * wip * Fixes * Fix a comment 2022-12-05 16:55:30 +00:00			`action::{`
			`darwin::NIX_VOLUME_MOUNTD_DEST, Action, ActionDescription, ActionError, StatefulAction,`
			`},`
Scaffold 2022-11-01 18:33:54 +00:00			`execute_command,`
			`};`
			`use rand::Rng;`
More fleshing out 2022-10-19 20:32:15 +00:00			`use std::path::{Path, PathBuf};`
Scaffold 2022-11-01 18:33:54 +00:00			`use tokio::process::Command;`
Add action & Tune Tracing (#119) * Add action * Checkout so we have actions.yml * yaml poking * Handle GITHUB_TOKEN * Don't ask github to do templating, use directives for logging * Missing changes * Fix build error * Fix yaml even more * Add shell command * Add a wait on the socket again * Print some debugging * Use more correct env vars * Correct install url logic * Use different style for inputs * Fix yaml errror * Tweak around local-root * provision nix-install.sh as well * Use nix-install.sh path directory in NIX_INSTALL_URL * Tweak variables to hopefully work * Call it BINARY_ROOT instead * Add exec output * Set no-confirm * no echo * Add token to workflow * Set no-confirm properly * Add no-confirm back for uninstall * Correct some env and vars * CreateDirectory respects existing symlink * Add a few more checks to the CI * pass valid yaml... * Slightly more aggressive cleanup of /nix * Ensure steam-deck cleans /home/nix * Add steam-deck check for persistence * Canonicalize steam-deck persistence * Ensure absolute path * Inverted logic sad * python3 on mac * Add readme info and fix a extra-conf mistype * Add unsaved changes * More fine grained trace logging * Restore spans we lost in refactor * BuiltinPlanner can accept settings * Reflect feedback * Push actually working code hopefully this time * Speeling 2022-12-16 18:55:28 +00:00			`use tracing::{span, Span};`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00
Flesh out docs and tidy up public API substantially (#67) * Make plans versioned * Delint * speeeeeeeeling * remove file that was dead * Flesh out docs and improve public API * Speeling * Fixups * Fix doctests * Do a better job with actionstate * Add some more docs * Fix doctest * Make CLI stuff optional * Touchup * Speeling 2022-11-28 22:57:35 +00:00			`/**`
			`Encrypt an APFS volume`
			`*/`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`#[derive(Debug, serde::Deserialize, serde::Serialize, Clone)]`
Flesh out docs and tidy up public API substantially (#67) * Make plans versioned * Delint * speeeeeeeeling * remove file that was dead * Flesh out docs and improve public API * Speeling * Fixups * Fix doctests * Do a better job with actionstate * Add some more docs * Fix doctest * Make CLI stuff optional * Touchup * Speeling 2022-11-28 22:57:35 +00:00			`pub struct EncryptApfsVolume {`
More fleshing out 2022-10-19 20:32:15 +00:00			`disk: PathBuf,`
Scaffold 2022-11-01 18:33:54 +00:00			`name: String,`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`}`

Flesh out docs and tidy up public API substantially (#67) * Make plans versioned * Delint * speeeeeeeeling * remove file that was dead * Flesh out docs and improve public API * Speeling * Fixups * Fix doctests * Do a better job with actionstate * Add some more docs * Fix doctest * Make CLI stuff optional * Touchup * Speeling 2022-11-28 22:57:35 +00:00			`impl EncryptApfsVolume {`
Tidy UX, make --logger param (#108) * Tidy UX, make --logger param * Include cargo change 2022-12-09 19:15:54 +00:00			`#[tracing::instrument(level = "debug", skip_all)]`
More fleshing out 2022-10-19 20:32:15 +00:00			`pub async fn plan(`
			`disk: impl AsRef<Path>,`
Scaffold 2022-11-01 18:33:54 +00:00			`name: impl AsRef<str>,`
Create ActionError (#79) * wip * Fixes * Fix a comment 2022-12-05 16:55:30 +00:00			`) -> Result<StatefulAction<Self>, ActionError> {`
Scaffold 2022-11-01 18:33:54 +00:00			`let name = name.as_ref().to_owned();`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`Ok(Self {`
Scaffold 2022-11-01 18:33:54 +00:00			`name,`
More fleshing out 2022-10-19 20:32:15 +00:00			`disk: disk.as_ref().to_path_buf(),`
Flesh out docs and tidy up public API substantially (#67) * Make plans versioned * Delint * speeeeeeeeling * remove file that was dead * Flesh out docs and improve public API * Speeling * Fixups * Fix doctests * Do a better job with actionstate * Add some more docs * Fix doctest * Make CLI stuff optional * Touchup * Speeling 2022-11-28 22:57:35 +00:00			`}`
			`.into())`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`}`
			`}`

			`#[async_trait::async_trait]`
Improve planner and plan output 2022-10-28 19:44:07 +00:00			`#[typetag::serde(name = "encrypt_volume")]`
Flesh out docs and tidy up public API substantially (#67) * Make plans versioned * Delint * speeeeeeeeling * remove file that was dead * Flesh out docs and improve public API * Speeling * Fixups * Fix doctests * Do a better job with actionstate * Add some more docs * Fix doctest * Make CLI stuff optional * Touchup * Speeling 2022-11-28 22:57:35 +00:00			`impl Action for EncryptApfsVolume {`
Tidy tracing (#57) * Tidy tracing * Forgot a few changes * Remove more boilerplate * Repair Plan::describe_revert * More valid default settings * fmt * Use correct execute/revert calls * Split up Linux Daemon disable and stop * Detect state and act on it * Fixup pathes * Add a missing step to the mac bits * Unload instead of disable * Prune out again * Squelch some stdout * Clean lint * Better log for no-delete-directory case * Even more verbose messages on CreateDirectory * Less broken code * Use try_execute where it should be used * Final tweaks * Add some docs 2022-11-23 17:18:38 +00:00			`fn tracing_synopsis(&self) -> String {`
			`format!(`
			"Encrypt volume `{}` on disk `{}`",
			`self.name,`
			`self.disk.display()`
			`)`
			`}`

Add action & Tune Tracing (#119) * Add action * Checkout so we have actions.yml * yaml poking * Handle GITHUB_TOKEN * Don't ask github to do templating, use directives for logging * Missing changes * Fix build error * Fix yaml even more * Add shell command * Add a wait on the socket again * Print some debugging * Use more correct env vars * Correct install url logic * Use different style for inputs * Fix yaml errror * Tweak around local-root * provision nix-install.sh as well * Use nix-install.sh path directory in NIX_INSTALL_URL * Tweak variables to hopefully work * Call it BINARY_ROOT instead * Add exec output * Set no-confirm * no echo * Add token to workflow * Set no-confirm properly * Add no-confirm back for uninstall * Correct some env and vars * CreateDirectory respects existing symlink * Add a few more checks to the CI * pass valid yaml... * Slightly more aggressive cleanup of /nix * Ensure steam-deck cleans /home/nix * Add steam-deck check for persistence * Canonicalize steam-deck persistence * Ensure absolute path * Inverted logic sad * python3 on mac * Add readme info and fix a extra-conf mistype * Add unsaved changes * More fine grained trace logging * Restore spans we lost in refactor * BuiltinPlanner can accept settings * Reflect feedback * Push actually working code hopefully this time * Speeling 2022-12-16 18:55:28 +00:00			`fn tracing_span(&self) -> Span {`
			`span!(`
			`tracing::Level::DEBUG,`
			`"encrypt_volume",`
			`disk = tracing::field::display(self.disk.display()),`
			`)`
			`}`

Tidy tracing (#57) * Tidy tracing * Forgot a few changes * Remove more boilerplate * Repair Plan::describe_revert * More valid default settings * fmt * Use correct execute/revert calls * Split up Linux Daemon disable and stop * Detect state and act on it * Fixup pathes * Add a missing step to the mac bits * Unload instead of disable * Prune out again * Squelch some stdout * Clean lint * Better log for no-delete-directory case * Even more verbose messages on CreateDirectory * Less broken code * Use try_execute where it should be used * Final tweaks * Add some docs 2022-11-23 17:18:38 +00:00			`fn execute_description(&self) -> Vec<ActionDescription> {`
			`vec![ActionDescription::new(self.tracing_synopsis(), vec![])]`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`}`

Tidy UX, make --logger param (#108) * Tidy UX, make --logger param * Include cargo change 2022-12-09 19:15:54 +00:00			`#[tracing::instrument(level = "debug", skip_all, fields(`
More fleshing out 2022-10-19 20:32:15 +00:00			`disk = %self.disk.display(),`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`))]`
Create ActionError (#79) * wip * Fixes * Fix a comment 2022-12-05 16:55:30 +00:00			`async fn execute(&mut self) -> Result<(), ActionError> {`
Flesh out docs and tidy up public API substantially (#67) * Make plans versioned * Delint * speeeeeeeeling * remove file that was dead * Flesh out docs and improve public API * Speeling * Fixups * Fix doctests * Do a better job with actionstate * Add some more docs * Fix doctest * Make CLI stuff optional * Touchup * Speeling 2022-11-28 22:57:35 +00:00			`let Self { disk, name } = self;`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00
Scaffold 2022-11-01 18:33:54 +00:00			`// Generate a random password.`
			`let password: String = {`
			`const CHARSET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\`
			`abcdefghijklmnopqrstuvwxyz\`
			`0123456789)(*&^%$#@!~";`
			`const PASSWORD_LEN: usize = 32;`
			`let mut rng = rand::thread_rng();`

			`(0..PASSWORD_LEN)`
			`.map(\|_\| {`
			`let idx = rng.gen_range(0..CHARSET.len());`
			`CHARSET[idx] as char`
			`})`
			`.collect()`
			`};`

			`let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */`

Create ActionError (#79) * wip * Fixes * Fix a comment 2022-12-05 16:55:30 +00:00			`execute_command(Command::new("/usr/sbin/diskutil").arg("mount").arg(&name))`
			`.await`
			`.map_err(ActionError::Command)?;`
Get key provisioning working better 2022-11-01 22:31:31 +00:00
Scaffold 2022-11-01 18:33:54 +00:00			`// Add the password to the user keychain so they can unlock it later.`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`execute_command(`
Use process groups with tokio (also crate bump) (#63) * Use process groups with tokio (also flake/crate bump) * Use pgid0 * Maybe this checkout has a non-broken curl on mac * Don't update flake at all 2022-11-25 16:02:00 +00:00			`Command::new("/usr/bin/security").process_group(0).args([`
Scaffold 2022-11-01 18:33:54 +00:00			`"add-generic-password",`
			`"-a",`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`name.as_str(),`
Scaffold 2022-11-01 18:33:54 +00:00			`"-s",`
			`name.as_str(),`
			`"-l",`
			`format!("{} encryption password", disk_str).as_str(),`
			`"-D",`
			`"Encrypted volume password",`
			`"-j",`
			`format!(`
			`"Added automatically by the Nix installer for use by {NIX_VOLUME_MOUNTD_DEST}"`
			`)`
			`.as_str(),`
			`"-w",`
			`password.as_str(),`
			`"-T",`
			`"/System/Library/CoreServices/APFSUserAgent",`
			`"-T",`
			`"/System/Library/CoreServices/CSUserAgent",`
			`"-T",`
			`"/usr/bin/security",`
			`"/Library/Keychains/System.keychain",`
			`]),`
			`)`
Create ActionError (#79) * wip * Fixes * Fix a comment 2022-12-05 16:55:30 +00:00			`.await`
			`.map_err(ActionError::Command)?;`
Scaffold 2022-11-01 18:33:54 +00:00
			`// Encrypt the mounted volume`
Use process groups with tokio (also crate bump) (#63) * Use process groups with tokio (also flake/crate bump) * Use pgid0 * Maybe this checkout has a non-broken curl on mac * Don't update flake at all 2022-11-25 16:02:00 +00:00			`execute_command(Command::new("/usr/sbin/diskutil").process_group(0).args([`
Scaffold 2022-11-01 18:33:54 +00:00			`"apfs",`
			`"encryptVolume",`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`name.as_str(),`
Scaffold 2022-11-01 18:33:54 +00:00			`"-user",`
			`"disk",`
			`"-passphrase",`
			`password.as_str(),`
			`]))`
Create ActionError (#79) * wip * Fixes * Fix a comment 2022-12-05 16:55:30 +00:00			`.await`
			`.map_err(ActionError::Command)?;`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`execute_command(`
			`Command::new("/usr/sbin/diskutil")`
Use process groups with tokio (also crate bump) (#63) * Use process groups with tokio (also flake/crate bump) * Use pgid0 * Maybe this checkout has a non-broken curl on mac * Don't update flake at all 2022-11-25 16:02:00 +00:00			`.process_group(0)`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`.arg("unmount")`
			`.arg("force")`
			`.arg(&name),`
			`)`
Create ActionError (#79) * wip * Fixes * Fix a comment 2022-12-05 16:55:30 +00:00			`.await`
			`.map_err(ActionError::Command)?;`
Get key provisioning working better 2022-11-01 22:31:31 +00:00
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`Ok(())`
			`}`

Tidy tracing (#57) * Tidy tracing * Forgot a few changes * Remove more boilerplate * Repair Plan::describe_revert * More valid default settings * fmt * Use correct execute/revert calls * Split up Linux Daemon disable and stop * Detect state and act on it * Fixup pathes * Add a missing step to the mac bits * Unload instead of disable * Prune out again * Squelch some stdout * Clean lint * Better log for no-delete-directory case * Even more verbose messages on CreateDirectory * Less broken code * Use try_execute where it should be used * Final tweaks * Add some docs 2022-11-23 17:18:38 +00:00			`fn revert_description(&self) -> Vec<ActionDescription> {`
			`vec![ActionDescription::new(`
			`format!(`
			"Remove encryption keys for volume `{}`",
			`self.disk.display()`
			`),`
			`vec![],`
			`)]`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`}`

Tidy UX, make --logger param (#108) * Tidy UX, make --logger param * Include cargo change 2022-12-09 19:15:54 +00:00			`#[tracing::instrument(level = "debug", skip_all, fields(`
More fleshing out 2022-10-19 20:32:15 +00:00			`disk = %self.disk.display(),`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`))]`
Create ActionError (#79) * wip * Fixes * Fix a comment 2022-12-05 16:55:30 +00:00			`async fn revert(&mut self) -> Result<(), ActionError> {`
Flesh out docs and tidy up public API substantially (#67) * Make plans versioned * Delint * speeeeeeeeling * remove file that was dead * Flesh out docs and improve public API * Speeling * Fixups * Fix doctests * Do a better job with actionstate * Add some more docs * Fix doctest * Make CLI stuff optional * Touchup * Speeling 2022-11-28 22:57:35 +00:00			`let Self { disk, name } = self;`
Get key provisioning working better 2022-11-01 22:31:31 +00:00
			`let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */`

			`// TODO: This seems very rough and unsafe`
			`execute_command(`
Use process groups with tokio (also crate bump) (#63) * Use process groups with tokio (also flake/crate bump) * Use pgid0 * Maybe this checkout has a non-broken curl on mac * Don't update flake at all 2022-11-25 16:02:00 +00:00			`Command::new("/usr/bin/security").process_group(0).args([`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`"delete-generic-password",`
			`"-a",`
			`name.as_str(),`
			`"-s",`
			`name.as_str(),`
			`"-l",`
			`format!("{} encryption password", disk_str).as_str(),`
			`"-D",`
			`"Encrypted volume password",`
			`"-j",`
			`format!(`
			`"Added automatically by the Nix installer for use by {NIX_VOLUME_MOUNTD_DEST}"`
			`)`
			`.as_str(),`
			`]),`
			`)`
Create ActionError (#79) * wip * Fixes * Fix a comment 2022-12-05 16:55:30 +00:00			`.await`
			`.map_err(ActionError::Command)?;`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00
			`Ok(())`
			`}`
			`}`