Get key provisioning working better

This commit is contained in:
Ana Hobden 2022-11-01 15:31:31 -07:00
parent 7c4f3206f9
commit 997364ad41
3 changed files with 46 additions and 12 deletions


@ -79,13 +79,15 @@ impl CreateApfsVolume {
None
};
let name_with_qoutes = format!("\"{name}\"");
let mount_command = if encrypt {
vec![
"/bin/sh",
"-c",
"/usr/bin/security find-generic-password",
"/usr/bin/security",
"find-generic-password",
"-s",
"{name}",
name_with_qoutes.as_str(),
"-w",
"|",
"/usr/sbin/diskutil",
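Review bot: After `"-c"` the script is now spread across separate vector elements (`"/usr/bin/security"`, `"find-generic-password"`, `"-s"`, the quoted name, `"-w"`, `"|"`, …), but `/bin/sh -c` takes only its first argument as the script, so if `mount_command` is handed to launchd or `Command` as argv unchanged, the remaining elements become positional parameters and the pipe never executes; if the vector is instead joined with spaces before use (which the `format!("\"{name}\"")` wrapping suggests), that contract should be stated at the `vec!` with a comment such as `// Joined into one `sh -c` script by the consumer; keep each piece shell-quoted`. Wrapping `name` in double quotes does not make it safe for a name containing `"`, `$` or a backtick, so either reject such names before this point or single-quote the value with embedded `'` escaped. The identifier `name_with_qoutes` is misspelled; `name_with_quotes` reads better. The consumer of `mount_command` lies outside the hunk, so which of the two cases applies cannot be confirmed from here.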


@ -60,8 +60,7 @@ impl Action for EnableOwnership {
.args(["info", "-plist"])
.arg(&path),
)
.await
.unwrap()
.await?
.stdout;
let the_plist: DiskUtilOutput = plist::from_reader(Cursor::new(buf)).unwrap();
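Review bot: The `.unwrap()` on `plist::from_reader(Cursor::new(buf))`, on the line right after the new `.await?`, still panics when `diskutil info -plist` returns output that does not deserialize into `DiskUtilOutput`, so the hunk removes one panic path but leaves the next one in place. Since the command failure now propagates with `?`, the parse failure should too: `let the_plist: DiskUtilOutput = plist::from_reader(Cursor::new(buf))?;`, assuming the function's error type is the boxed `dyn std::error::Error + Send + Sync` used elsewhere in this commit (the signature is outside the hunk). A malformed plist is a recoverable condition that should surface as an action error rather than abort the installer.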


@ -75,12 +75,14 @@ impl Action for EncryptVolume {
let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */
execute_command(Command::new("/usr/sbin/diskutil").arg("mount").arg(&name)).await?;
// Add the password to the user keychain so they can unlock it later.
let _password_output = execute_command(
execute_command(
Command::new("/usr/bin/security").args([
"add-generic-password",
"-a",
disk_str,
name.as_str(),
"-s",
name.as_str(),
"-l",
@ -109,7 +111,7 @@ impl Action for EncryptVolume {
execute_command(Command::new("/usr/sbin/diskutil").args([
"apfs",
"encryptVolume",
disk_str,
name.as_str(),
"-user",
"disk",
"-passphrase",
@ -117,6 +119,14 @@ impl Action for EncryptVolume {
]))
.await?;
execute_command(
Command::new("/usr/sbin/diskutil")
.arg("unmount")
.arg("force")
.arg(&name),
)
.await?;
tracing::trace!("Encrypted volume");
*action_state = ActionState::Completed;
Ok(())
@ -135,17 +145,40 @@ impl Action for EncryptVolume {
))]
async fn revert(&mut self) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
let Self {
disk: _,
name: _,
disk,
name,
action_state,
} = self;
if *action_state == ActionState::Uncompleted {
tracing::trace!("Already reverted: Unencrypted volume (noop)");
tracing::trace!("Already reverted: Unencrypted volume");
return Ok(());
}
tracing::debug!("Unencrypted volume (noop)");
tracing::debug!("Unencrypted volume");
tracing::trace!("Unencrypted volume (noop)");
let disk_str = disk.to_str().expect("Could not turn disk into string"); /* Should not reasonably ever fail */
// TODO: This seems very rough and unsafe
execute_command(
Command::new("/usr/bin/security").args([
"delete-generic-password",
"-a",
name.as_str(),
"-s",
name.as_str(),
"-l",
format!("{} encryption password", disk_str).as_str(),
"-D",
"Encrypted volume password",
"-j",
format!(
"Added automatically by the Nix installer for use by {NIX_VOLUME_MOUNTD_DEST}"
)
.as_str(),
]),
)
.await?;
tracing::trace!("Unencrypted volume");
*action_state = ActionState::Completed;
Ok(())
}
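Review bot: The rewritten `revert` only runs `security delete-generic-password`; no `diskutil apfs decryptVolume` (or equivalent) is issued, yet the new `tracing::debug!("Unencrypted volume")` and `tracing::trace!("Unencrypted volume")` lines claim the volume was decrypted. After this revert the volume stays encrypted while its only stored passphrase has been removed from the keychain, which is a data-loss risk for anyone relying on that entry to unlock it, and the `// TODO: This seems very rough and unsafe` comment does not say which part is unsafe. Either decrypt the volume before deleting the keychain item (with the delete guarded so a missing item does not abort the revert), or make the messages and the TODO state what actually happens, e.g. `tracing::debug!("Removing volume encryption password from keychain (volume stays encrypted)")`. The `-l`/`-j` attributes that `delete-generic-password` must match exactly are partly outside the visible `execute` hunk, so building the attribute list in one shared helper would keep the add and delete invocations from drifting apart.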