authorEric Biggers <ebiggers@google.com>2020-05-09 14:04:47 -0700
committerEric Biggers <ebiggers@google.com>2020-05-09 14:04:47 -0700
commitc5faa27f1ff51d9fe7e6453a6e92b032c82b3c43 (patch)
tree1c641f8fb089322b3969547c0a0ccc67d2cba35e
parent135174c6a1606396812b5cc16105ed0bcdccebd4 (diff)
cli-tests: add t_not_enabled
Test that fscrypt fails when the filesystem doesn't have the encrypt feature enabled. Then test enabling it.
-rw-r--r--cli-tests/t_not_enabled.out39
-rwxr-xr-xcli-tests/t_not_enabled.sh34
2 files changed, 73 insertions, 0 deletions
diff --git a/cli-tests/t_not_enabled.out b/cli-tests/t_not_enabled.out
new file mode 100644
index 0000000..7d74bcf
--- /dev/null
+++ b/cli-tests/t_not_enabled.out
@@ -0,0 +1,39 @@
+
+# Disable encryption on DEV
+
+# Try to encrypt a directory when encryption is disabled
+[ERROR] fscrypt encrypt: get encryption policy MNT/dir:
+ encryption not enabled
+
+Encryption is either disabled in the kernel config, or needs to be enabled for
+this filesystem. See the documentation on how to enable encryption on ext4
+systems (and the risks of doing so).
+
+# Try to unlock a directory when encryption is disabled
+[ERROR] fscrypt unlock: get encryption policy MNT/dir:
+ encryption not enabled
+
+Encryption is either disabled in the kernel config, or needs to be enabled for
+this filesystem. See the documentation on how to enable encryption on ext4
+systems (and the risks of doing so).
+
+# Try to lock a directory when encryption is disabled
+[ERROR] fscrypt lock: get encryption policy MNT/dir:
+ encryption not enabled
+
+Encryption is either disabled in the kernel config, or needs to be enabled for
+this filesystem. See the documentation on how to enable encryption on ext4
+systems (and the risks of doing so).
+
+# Enable encryption on DEV
+
+# Encrypt a directory when encryption was just enabled
+"MNT/dir" is encrypted with fscrypt.
+
+Policy: desc1
+Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
+Unlocked: Yes
+
+Protected with 1 protector:
+PROTECTOR LINKED DESCRIPTION
+desc2 No custom protector "prot"
diff --git a/cli-tests/t_not_enabled.sh b/cli-tests/t_not_enabled.sh
new file mode 100755
index 0000000..3c7d22c
--- /dev/null
+++ b/cli-tests/t_not_enabled.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Test that fscrypt fails when the filesystem doesn't have the encrypt feature
+# enabled. Then test enabling it.
+
+cd "$(dirname "$0")"
+. common.sh
+
+dir="$MNT/dir"
+mkdir "$dir"
+
+_print_header "Disable encryption on $DEV"
+count_before=$(_get_enabled_fs_count)
+umount "$MNT"
+_run_noisy_command "debugfs -w -R 'feature -encrypt' '$DEV'"
+mount "$DEV" "$MNT"
+count_after=$(_get_enabled_fs_count)
+(( count_after == count_before - 1 )) || _fail "wrong enabled count"
+
+_print_header "Try to encrypt a directory when encryption is disabled"
+_expect_failure "fscrypt encrypt '$dir'"
+
+_print_header "Try to unlock a directory when encryption is disabled"
+_expect_failure "fscrypt unlock '$dir'"
+
+_print_header "Try to lock a directory when encryption is disabled"
+_expect_failure "fscrypt lock '$dir'"
+
+_print_header "Enable encryption on $DEV"
+_run_noisy_command "tune2fs -O encrypt '$DEV'"
+
+_print_header "Encrypt a directory when encryption was just enabled"
+echo hunter2 | fscrypt encrypt --quiet --source=custom_passphrase --name=prot "$dir"
+fscrypt status "$dir"
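Review bot: The re-enable step at the end has no counterpart to the `(( count_after == count_before - 1 ))` assertion made after the disable step, so a `tune2fs -O encrypt` that leaves the filesystem still counted as not enabled would only surface indirectly through the later `fscrypt encrypt`. Adding `(( $(_get_enabled_fs_count) == count_before )) || _fail "wrong enabled count"` after the `tune2fs` line would pin both directions of the toggle, assuming the helper (defined in common.sh, not visible here) reflects the change without a remount. Separately, `cd "$(dirname "$0")"` runs before common.sh is sourced, so no errexit setting from that file can cover it. With `cd "$(dirname "$0")" || exit 1`, a failed cd can no longer let `. common.sh` resolve against PATH or the caller's working directory in a test that then runs `debugfs -w` on `$DEV`.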