authorEric Biggers <ebiggers@google.com>2020-05-09 14:04:47 -0700
committerEric Biggers <ebiggers@google.com>2020-05-09 14:04:47 -0700
commit3d0151289ecf45407a1ec049b46bba8647d08f2b (patch)
tree5f14939c7a0cd93811c4132808b35dd40027d6a0 /cli-tests
parent93e8c0616359635c8116ceff5a5c5ff26be59576 (diff)
cli-tests: add t_encrypt
Add general tests for 'fscrypt encrypt'. For protector-specific tests, see t_encrypt_custom, t_encrypt_login, and t_encrypt_raw_key.
Diffstat (limited to 'cli-tests')
-rw-r--r--cli-tests/t_encrypt.out67
-rwxr-xr-xcli-tests/t_encrypt.sh51
2 files changed, 118 insertions, 0 deletions
diff --git a/cli-tests/t_encrypt.out b/cli-tests/t_encrypt.out
new file mode 100644
index 0000000..af38299
--- /dev/null
+++ b/cli-tests/t_encrypt.out
@@ -0,0 +1,67 @@
+
+# Try to encrypt a nonexistent directory
+[ERROR] fscrypt encrypt: no such file or directory
+ext4 filesystem "MNT" has 0 protectors and 0 policies
+
+[ERROR] fscrypt status: get encryption policy MNT/dir: file
+ or directory not encrypted
+
+# Try to encrypt a nonempty directory
+[ERROR] fscrypt encrypt: MNT/dir: not an empty directory
+
+Encryption can only be setup on empty directories; files cannot be encrypted
+in-place. Instead, encrypt an empty directory, copy the files into that
+encrypted directory, and securely delete the originals with "shred".
+ext4 filesystem "MNT" has 0 protectors and 0 policies
+
+[ERROR] fscrypt status: get encryption policy MNT/dir: file
+ or directory not encrypted
+
+# Encrypt a directory as non-root user
+ext4 filesystem "MNT" has 1 protector and 1 policy
+
+PROTECTOR LINKED DESCRIPTION
+desc1 No custom protector "prot"
+
+POLICY UNLOCKED PROTECTORS
+desc2 Yes desc1
+"MNT/dir" is encrypted with fscrypt.
+
+Policy: desc2
+Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
+Unlocked: Yes
+
+Protected with 1 protector:
+PROTECTOR LINKED DESCRIPTION
+desc1 No custom protector "prot"
+ext4 filesystem "MNT" has 1 protector and 1 policy
+
+PROTECTOR LINKED DESCRIPTION
+desc1 No custom protector "prot"
+
+POLICY UNLOCKED PROTECTORS
+desc2 Yes desc1
+"MNT/dir" is encrypted with fscrypt.
+
+Policy: desc2
+Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
+Unlocked: Yes
+
+Protected with 1 protector:
+PROTECTOR LINKED DESCRIPTION
+desc1 No custom protector "prot"
+
+# Try to encrypt an already-encrypted directory
+[ERROR] fscrypt encrypt: MNT/dir: file or directory already
+ encrypted
+
+# Try to encrypt another user's directory as a non-root user
+[ERROR] fscrypt encrypt: MNT/dir: you do not own this
+ directory
+
+Encryption can only be setup on directories you own, even if you have write
+permission for the directory.
+ext4 filesystem "MNT" has 0 protectors and 0 policies
+
+[ERROR] fscrypt status: get encryption policy MNT/dir: file
+ or directory not encrypted
diff --git a/cli-tests/t_encrypt.sh b/cli-tests/t_encrypt.sh
new file mode 100755
index 0000000..9f19f5d
--- /dev/null
+++ b/cli-tests/t_encrypt.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# General tests for 'fscrypt encrypt'. For protector-specific tests, see
+# t_encrypt_custom, t_encrypt_login, and t_encrypt_raw_key.
+
+cd "$(dirname "$0")"
+. common.sh
+
+dir="$MNT/dir"
+
+begin()
+{
+ _reset_filesystems
+ mkdir "$dir"
+ _print_header "$@"
+}
+
+show_status()
+{
+ local encrypted=$1
+
+ fscrypt status "$MNT"
+ if $encrypted; then
+ fscrypt status "$dir"
+ else
+ _expect_failure "fscrypt status '$dir'"
+ fi
+}
+
+begin "Try to encrypt a nonexistent directory"
+_expect_failure "echo hunter2 | fscrypt encrypt --quiet '$MNT/nonexistent'"
+show_status false
+
+begin "Try to encrypt a nonempty directory"
+touch "$dir/file"
+_expect_failure "echo hunter2 | fscrypt encrypt --quiet '$dir'"
+show_status false
+
+begin "Encrypt a directory as non-root user"
+chown "$TEST_USER" "$dir"
+_user_do "echo hunter2 | fscrypt encrypt --quiet --name=prot '$dir'"
+show_status true
+_user_do "fscrypt status '$MNT'"
+_user_do "fscrypt status '$dir'"
+
+_print_header "Try to encrypt an already-encrypted directory"
+_user_do_and_expect_failure "echo hunter2 | fscrypt encrypt --quiet --name=prot '$dir'"
+
+begin "Try to encrypt another user's directory as a non-root user"
+_user_do_and_expect_failure "echo hunter2 | fscrypt encrypt --quiet --name=prot '$dir'"
+show_status false
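Review bot: The two setup lines at the top of t_encrypt.sh, `cd "$(dirname "$0")"` and `. common.sh`, can load a helper file other than the one next to the test. The `cd` result is not checked, and because `common.sh` contains no slash, bash looks it up through `PATH` before falling back to the current directory, so a stray `common.sh` earlier on `PATH` would be sourced instead. The script appears to run privileged (it calls `chown` and switches to `$TEST_USER` for the unprivileged steps), so I would pin the lookup with `cd "$(dirname "$0")" || exit 1` followed by `. ./common.sh`. If the other t_*.sh tests share this preamble the same change would apply there, though they are outside this diff.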