cmd/fscrypt: Check that keyrings are setup

Chaning the --user flag to (optionally) check for a proper keyring setup
allows us to fail early in cases where we need a working keyring.

1 files changed, 14 insertions, 7 deletions

diff --git a/cmd/fscrypt/flags.go b/cmd/fscrypt/flags.go
index e883a6d..af03ad2 100644
--- a/cmd/fscrypt/flags.go
+++ b/cmd/fscrypt/flags.go
@@ -33,6 +33,7 @@ import (
 	"github.com/urfave/cli"
 
 	"github.com/google/fscrypt/actions"
+	"github.com/google/fscrypt/security"
 	"github.com/google/fscrypt/util"
 )
 
@@ -283,17 +284,23 @@ func getPolicyFromFlag(flagValue string, target *user.User) (*actions.Policy, er
 
 // parseUserFlag returns the user specified by userFlag or the current effective
 // user if the flag value is missing. If the effective user is root, however, a
-// user must specified in the flag.
-func parseUserFlag() (*user.User, error) {
+// user must specified in the flag. If checkKeyring is true, we also make sure
+// there are no problems accessing the user keyring.
+func parseUserFlag(checkKeyring bool) (targetUser *user.User, err error) {
 	if userFlag.Value != "" {
-		return user.Lookup(userFlag.Value)
+		targetUser, err = user.Lookup(userFlag.Value)
+	} else {
+		if util.IsUserRoot() {
+			return nil, ErrSpecifyUser
+		}
+		targetUser, err = util.EffectiveUser()
 	}
-	effectiveUser, err := util.EffectiveUser()
 	if err != nil {
 		return nil, err
 	}
-	if util.IsUserRoot() {
-		return nil, ErrSpecifyUser
+
+	if checkKeyring {
+		_, err = security.UserKeyringID(targetUser)
 	}
-	return effectiveUser, nil
+	return targetUser, err
 }