lix-installer/src/action/darwin/encrypt_volume.rs

use crate::{
    action::{darwin::NIX_VOLUME_MOUNTD_DEST, Action, ActionDescription, ActionState},
    execute_command,
};
use rand::Rng;
use std::path::{Path, PathBuf};
use tokio::process::Command;

#[derive(Debug, serde::Deserialize, serde::Serialize, Clone)]
pub struct EncryptVolume {
    disk: PathBuf,
    name: String,
    action_state: ActionState,
}

impl EncryptVolume {
    #[tracing::instrument(skip_all)]
    pub async fn plan(
        disk: impl AsRef<Path>,
        name: impl AsRef<str>,
    ) -> Result<Self, Box<dyn std::error::Error + Send + Sync>> {
        let name = name.as_ref().to_owned();
        Ok(Self {
            name,
            disk: disk.as_ref().to_path_buf(),
            action_state: ActionState::Uncompleted,
        })
    }
}

#[async_trait::async_trait]
#[typetag::serde(name = "encrypt_volume")]
impl Action for EncryptVolume {
    fn describe_execute(&self) -> Vec<ActionDescription> {
        if self.action_state == ActionState::Completed {
            vec![]
        } else {
            vec![ActionDescription::new(
                format!("Encrypt volume `{}`", self.disk.display()),
                vec![],
            )]
        }
    }

    #[tracing::instrument(skip_all, fields(
        disk = %self.disk.display(),
    ))]
    async fn execute(&mut self) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
        let Self {
            disk,
            name,
            action_state,
        } = self;
        if *action_state == ActionState::Completed {
            tracing::trace!("Already completed: Encrypting volume");
            return Ok(());
        }
        tracing::debug!("Encrypting volume");

        // Generate a random password.
        let password: String = {
            const CHARSET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\
                                abcdefghijklmnopqrstuvwxyz\
                                    0123456789)(*&^%$#@!~";
            const PASSWORD_LEN: usize = 32;
            let mut rng = rand::thread_rng();

            (0..PASSWORD_LEN)
                .map(|_| {
                    let idx = rng.gen_range(0..CHARSET.len());
                    CHARSET[idx] as char
                })
                .collect()
        };

        let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */

        execute_command(Command::new("/usr/sbin/diskutil").arg("mount").arg(&name)).await?;

        // Add the password to the user keychain so they can unlock it later.
        execute_command(
            Command::new("/usr/bin/security").args([
                "add-generic-password",
                "-a",
                name.as_str(),
                "-s",
                name.as_str(),
                "-l",
                format!("{} encryption password", disk_str).as_str(),
                "-D",
                "Encrypted volume password",
                "-j",
                format!(
                    "Added automatically by the Nix installer for use by {NIX_VOLUME_MOUNTD_DEST}"
                )
                .as_str(),
                "-w",
                password.as_str(),
                "-T",
                "/System/Library/CoreServices/APFSUserAgent",
                "-T",
                "/System/Library/CoreServices/CSUserAgent",
                "-T",
                "/usr/bin/security",
                "/Library/Keychains/System.keychain",
            ]),
        )
        .await?;

        // Encrypt the mounted volume
        execute_command(Command::new("/usr/sbin/diskutil").args([
            "apfs",
            "encryptVolume",
            name.as_str(),
            "-user",
            "disk",
            "-passphrase",
            password.as_str(),
        ]))
        .await?;

        execute_command(
            Command::new("/usr/sbin/diskutil")
                .arg("unmount")
                .arg("force")
                .arg(&name),
        )
        .await?;

        tracing::trace!("Encrypted volume");
        *action_state = ActionState::Completed;
        Ok(())
    }

    fn describe_revert(&self) -> Vec<ActionDescription> {
        if self.action_state == ActionState::Uncompleted {
            vec![]
        } else {
            vec![]
        }
    }

    #[tracing::instrument(skip_all, fields(
        disk = %self.disk.display(),
    ))]
    async fn revert(&mut self) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
        let Self {
            disk,
            name,
            action_state,
        } = self;
        if *action_state == ActionState::Uncompleted {
            tracing::trace!("Already reverted: Unencrypted volume");
            return Ok(());
        }
        tracing::debug!("Unencrypted volume");

        let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */

        // TODO: This seems very rough and unsafe
        execute_command(
            Command::new("/usr/bin/security").args([
                "delete-generic-password",
                "-a",
                name.as_str(),
                "-s",
                name.as_str(),
                "-l",
                format!("{} encryption password", disk_str).as_str(),
                "-D",
                "Encrypted volume password",
                "-j",
                format!(
                    "Added automatically by the Nix installer for use by {NIX_VOLUME_MOUNTD_DEST}"
                )
                .as_str(),
            ]),
        )
        .await?;

        tracing::trace!("Unencrypted volume");
        *action_state = ActionState::Completed;
        Ok(())
    }

    fn action_state(&self) -> ActionState {
        self.action_state
    }
}

#[derive(Debug, thiserror::Error)]
pub enum EncryptVolumeError {
    #[error("Failed to execute command")]
    Command(#[source] std::io::Error),
}
Scaffold 2022-11-01 18:33:54 +00:00			`use crate::{`
			`action::{darwin::NIX_VOLUME_MOUNTD_DEST, Action, ActionDescription, ActionState},`
			`execute_command,`
			`};`
			`use rand::Rng;`
More fleshing out 2022-10-19 20:32:15 +00:00			`use std::path::{Path, PathBuf};`
Scaffold 2022-11-01 18:33:54 +00:00			`use tokio::process::Command;`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00
			`#[derive(Debug, serde::Deserialize, serde::Serialize, Clone)]`
			`pub struct EncryptVolume {`
More fleshing out 2022-10-19 20:32:15 +00:00			`disk: PathBuf,`
Scaffold 2022-11-01 18:33:54 +00:00			`name: String,`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`action_state: ActionState,`
			`}`

			`impl EncryptVolume {`
			`#[tracing::instrument(skip_all)]`
More fleshing out 2022-10-19 20:32:15 +00:00			`pub async fn plan(`
			`disk: impl AsRef<Path>,`
Scaffold 2022-11-01 18:33:54 +00:00			`name: impl AsRef<str>,`
Box up errors, dyn Actionables Signed-off-by: Ana Hobden <operator@hoverbear.org> 2022-10-26 21:14:53 +00:00			`) -> Result<Self, Box<dyn std::error::Error + Send + Sync>> {`
Scaffold 2022-11-01 18:33:54 +00:00			`let name = name.as_ref().to_owned();`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`Ok(Self {`
Scaffold 2022-11-01 18:33:54 +00:00			`name,`
More fleshing out 2022-10-19 20:32:15 +00:00			`disk: disk.as_ref().to_path_buf(),`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`action_state: ActionState::Uncompleted,`
			`})`
			`}`
			`}`

			`#[async_trait::async_trait]`
Improve planner and plan output 2022-10-28 19:44:07 +00:00			`#[typetag::serde(name = "encrypt_volume")]`
Ensure Planners and Actions can be created externally Signed-off-by: Ana Hobden <operator@hoverbear.org> 2022-10-26 22:13:42 +00:00			`impl Action for EncryptVolume {`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`fn describe_execute(&self) -> Vec<ActionDescription> {`
			`if self.action_state == ActionState::Completed {`
			`vec![]`
			`} else {`
			`vec![ActionDescription::new(`
More fleshing out 2022-10-19 20:32:15 +00:00			format!("Encrypt volume `{}`", self.disk.display()),
			`vec![],`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`)]`
			`}`
			`}`

			`#[tracing::instrument(skip_all, fields(`
More fleshing out 2022-10-19 20:32:15 +00:00			`disk = %self.disk.display(),`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`))]`
Box up errors, dyn Actionables Signed-off-by: Ana Hobden <operator@hoverbear.org> 2022-10-26 21:14:53 +00:00			`async fn execute(&mut self) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {`
More fleshing out 2022-10-19 20:32:15 +00:00			`let Self {`
Scaffold 2022-11-01 18:33:54 +00:00			`disk,`
			`name,`
More fleshing out 2022-10-19 20:32:15 +00:00			`action_state,`
			`} = self;`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`if *action_state == ActionState::Completed {`
More fleshing out 2022-10-19 20:32:15 +00:00			`tracing::trace!("Already completed: Encrypting volume");`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`return Ok(());`
			`}`
More fleshing out 2022-10-19 20:32:15 +00:00			`tracing::debug!("Encrypting volume");`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00
Scaffold 2022-11-01 18:33:54 +00:00			`// Generate a random password.`
			`let password: String = {`
			`const CHARSET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\`
			`abcdefghijklmnopqrstuvwxyz\`
			`0123456789)(*&^%$#@!~";`
			`const PASSWORD_LEN: usize = 32;`
			`let mut rng = rand::thread_rng();`

			`(0..PASSWORD_LEN)`
			`.map(\|_\| {`
			`let idx = rng.gen_range(0..CHARSET.len());`
			`CHARSET[idx] as char`
			`})`
			`.collect()`
			`};`

			`let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */`

Get key provisioning working better 2022-11-01 22:31:31 +00:00			`execute_command(Command::new("/usr/sbin/diskutil").arg("mount").arg(&name)).await?;`

Scaffold 2022-11-01 18:33:54 +00:00			`// Add the password to the user keychain so they can unlock it later.`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`execute_command(`
Scaffold 2022-11-01 18:33:54 +00:00			`Command::new("/usr/bin/security").args([`
			`"add-generic-password",`
			`"-a",`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`name.as_str(),`
Scaffold 2022-11-01 18:33:54 +00:00			`"-s",`
			`name.as_str(),`
			`"-l",`
			`format!("{} encryption password", disk_str).as_str(),`
			`"-D",`
			`"Encrypted volume password",`
			`"-j",`
			`format!(`
			`"Added automatically by the Nix installer for use by {NIX_VOLUME_MOUNTD_DEST}"`
			`)`
			`.as_str(),`
			`"-w",`
			`password.as_str(),`
			`"-T",`
			`"/System/Library/CoreServices/APFSUserAgent",`
			`"-T",`
			`"/System/Library/CoreServices/CSUserAgent",`
			`"-T",`
			`"/usr/bin/security",`
			`"/Library/Keychains/System.keychain",`
			`]),`
			`)`
			`.await?;`

			`// Encrypt the mounted volume`
			`execute_command(Command::new("/usr/sbin/diskutil").args([`
			`"apfs",`
			`"encryptVolume",`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`name.as_str(),`
Scaffold 2022-11-01 18:33:54 +00:00			`"-user",`
			`"disk",`
			`"-passphrase",`
			`password.as_str(),`
			`]))`
			`.await?;`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`execute_command(`
			`Command::new("/usr/sbin/diskutil")`
			`.arg("unmount")`
			`.arg("force")`
			`.arg(&name),`
			`)`
			`.await?;`

More fleshing out 2022-10-19 20:32:15 +00:00			`tracing::trace!("Encrypted volume");`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`*action_state = ActionState::Completed;`
			`Ok(())`
			`}`

			`fn describe_revert(&self) -> Vec<ActionDescription> {`
			`if self.action_state == ActionState::Uncompleted {`
			`vec![]`
			`} else {`
More fleshing out 2022-10-19 20:32:15 +00:00			`vec![]`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`}`
			`}`

			`#[tracing::instrument(skip_all, fields(`
More fleshing out 2022-10-19 20:32:15 +00:00			`disk = %self.disk.display(),`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`))]`
Box up errors, dyn Actionables Signed-off-by: Ana Hobden <operator@hoverbear.org> 2022-10-26 21:14:53 +00:00			`async fn revert(&mut self) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {`
More fleshing out 2022-10-19 20:32:15 +00:00			`let Self {`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`disk,`
			`name,`
More fleshing out 2022-10-19 20:32:15 +00:00			`action_state,`
			`} = self;`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`if *action_state == ActionState::Uncompleted {`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`tracing::trace!("Already reverted: Unencrypted volume");`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`return Ok(());`
			`}`
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`tracing::debug!("Unencrypted volume");`

			`let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */`

			`// TODO: This seems very rough and unsafe`
			`execute_command(`
			`Command::new("/usr/bin/security").args([`
			`"delete-generic-password",`
			`"-a",`
			`name.as_str(),`
			`"-s",`
			`name.as_str(),`
			`"-l",`
			`format!("{} encryption password", disk_str).as_str(),`
			`"-D",`
			`"Encrypted volume password",`
			`"-j",`
			`format!(`
			`"Added automatically by the Nix installer for use by {NIX_VOLUME_MOUNTD_DEST}"`
			`)`
			`.as_str(),`
			`]),`
			`)`
			`.await?;`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00
Get key provisioning working better 2022-11-01 22:31:31 +00:00			`tracing::trace!("Unencrypted volume");`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`*action_state = ActionState::Completed;`
			`Ok(())`
			`}`
Detect if plan already done 2022-11-08 18:18:05 +00:00
			`fn action_state(&self) -> ActionState {`
			`self.action_state`
			`}`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`}`

Ensure Planners and Actions can be created externally Signed-off-by: Ana Hobden <operator@hoverbear.org> 2022-10-26 22:13:42 +00:00			`#[derive(Debug, thiserror::Error)]`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`pub enum EncryptVolumeError {`
			`#[error("Failed to execute command")]`
Ensure Planners and Actions can be created externally Signed-off-by: Ana Hobden <operator@hoverbear.org> 2022-10-26 22:13:42 +00:00			`Command(#[source] std::io::Error),`
Find xpath crate, scaffold more 2022-10-18 18:03:19 +00:00			`}`