#! /bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright 2019 Google LLC
#
# FS QA Test No. generic/581
#
# Test non-root use of the fscrypt filesystem-level encryption keyring
# and v2 encryption policies.
#

. ./common/preamble
_begin_fstest auto quick encrypt
echo

orig_maxkeys=

# Override the default cleanup function.
_cleanup()
{
	cd /
	rm -f $tmp.*
	if [ -n "$orig_maxkeys" ]; then
		echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys
	fi
}

# Import common functions.
. ./common/filter
. ./common/encrypt

_require_user
_require_scratch_encryption -v 2

_scratch_mkfs_encrypted &>> $seqres.full
_scratch_mount

dir=$SCRATCH_MNT/dir

raw_key=""
for i in `seq 64`; do
	raw_key+="\\x$(printf "%02x" $i)"
done
keydesc="0000111122223333"
keyid="69b2f6edeee720cce0577937eb8a6751"
chmod 777 $SCRATCH_MNT

_user_do "mkdir $dir"

echo "# Setting v1 policy as regular user (should succeed)"
_user_do_set_encpolicy $dir $keydesc

echo "# Getting v1 policy as regular user (should succeed)"
_user_do_get_encpolicy $dir | _filter_scratch

echo "# Adding v1 policy key as regular user (should fail with EACCES)"
_user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc

rm -rf $dir
echo
_user_do "mkdir $dir"

echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)"
_user_do_set_encpolicy $dir $keyid |& _filter_scratch

echo "# Adding v2 policy key as regular user (should succeed)"
_user_do_add_enckey $SCRATCH_MNT "$raw_key"

echo "# Setting v2 policy as regular user with key added (should succeed)"
_user_do_set_encpolicy $dir $keyid

echo "# Getting v2 policy as regular user (should succeed)"
_user_do_get_encpolicy $dir | _filter_scratch

echo "# Creating encrypted file as regular user (should succeed)"
_user_do "echo contents > $dir/file"

echo "# Removing v2 policy key as regular user (should succeed)"
_user_do_rm_enckey $SCRATCH_MNT $keyid

_scratch_cycle_mount	# Clear all keys

# Wait for any invalidated keys to be garbage-collected.
i=0
while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do
	if ((++i >= 20)); then
		echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full
		break
	fi
	sleep 0.5
done

# Set the user key quota to the fsgqa user's current number of keys plus 5.
orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1")
: ${orig_keys:=0}
echo "orig_keys=$orig_keys" >> $seqres.full
orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys)
keys_to_add=5
echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys

echo
echo "# Testing user key quota"
for i in `seq $((keys_to_add + 1))`; do
	rand_raw_key=$(_generate_raw_encryption_key)
	_user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \
	    | sed 's/ with identifier .*$//'
done

# Restore the original key quota.
echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys

rm -rf $dir
echo
_user_do "mkdir $dir"
_scratch_cycle_mount	# Clear all keys

# Test multiple users adding the same key.
echo "# Adding key as root"
_add_enckey $SCRATCH_MNT "$raw_key"
echo "# Getting key status as regular user"
_user_do_enckey_status $SCRATCH_MNT $keyid
echo "# Removing key only added by another user (should fail with ENOKEY)"
_user_do_rm_enckey $SCRATCH_MNT $keyid
echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)"
_user_do_set_encpolicy $dir $keyid |& _filter_scratch
echo "# Adding second user of key"
_user_do_add_enckey $SCRATCH_MNT "$raw_key"
echo "# Getting key status as regular user"
_user_do_enckey_status $SCRATCH_MNT $keyid
echo "# Setting v2 encryption policy as regular user"
_user_do_set_encpolicy $dir $keyid
echo "# Removing this user's claim to the key"
_user_do_rm_enckey $SCRATCH_MNT $keyid
echo "# Getting key status as regular user"
_user_do_enckey_status $SCRATCH_MNT $keyid
echo "# Adding back second user of key"
_user_do_add_enckey $SCRATCH_MNT "$raw_key"
echo "# Remove key for \"all users\", as regular user (should fail with EACCES)"
_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch
_enckey_status $SCRATCH_MNT $keyid
echo "# Remove key for \"all users\", as root"
_rm_enckey $SCRATCH_MNT $keyid -a
_enckey_status $SCRATCH_MNT $keyid

# success, all done
status=0
exit
