attempt to also make luks_add_key work with passphrases containing

newlines
ansible-collections · Feb 1, 2025 · 28d39c7 · 28d39c7
1 parent d71678c
commit 28d39c7
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 5 deletions.
diff --git a/plugins/modules/luks_device.py b/plugins/modules/luks_device.py
@@ -70,9 +70,6 @@
   passphrase_encoding:
     description:
       - Determine how passphrases are provided to parameters such as O(passphrase), O(new_passphrase), and O(remove_passphrase).
-      - Please note that binary passphrases cannot always contain all possible binary octets. When adding a new key to an existing
-        container, a newline (0x0A) cannot be used since it indicates that the passphrase is over. If you want to use arbitrary
-        binary data, you must use keyfiles.
     type: str
     default: text
     choices:
@@ -708,11 +705,15 @@ def run_luks_add_key(self, device, keyfile, passphrase, new_keyfile,
         if keyfile:
             args.extend(['--key-file', keyfile])
         else:
+            args.extend(['--key-file', '-', '--keyfile-size', len(passphrase)])
             data.append(passphrase)
 
         if new_keyfile:
             args.append(new_keyfile)
         else:
+            args.extend(['--new-keyfile', '-'])
+            if not keyfile:
+                args.extend(['--new-keyfile-offset', len(passphrase)])
             data.extend([new_passphrase, new_passphrase])
 
         result = self._run_command(args, data=b'\n'.join(data) or None)

diff --git a/tests/integration/targets/luks_device/tasks/tests/keyfile_binary_nocopy.yml b/tests/integration/targets/luks_device/tasks/tests/keyfile_binary_nocopy.yml
@@ -35,7 +35,6 @@
   luks_device:
     device: "{{ cryptfile_device }}"
     state: opened
-    # Encode passphrase with Base64 to test passphrase_encoding
     passphrase: "{{ keyfile3 }}"
     passphrase_encoding: base64
   become: true
@@ -62,13 +61,23 @@
     that:
     - open_try is failed
 
+- name: Give access to passphrase1
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: closed
+    passphrase: "{{ keyfile3 }}"
+    passphrase_encoding: base64
+    new_passphrase: "{{ cryptfile_passphrase1 | b64encode }}"
+    pbkdf:
+      iteration_time: 0.1
+  become: true
+
 - name: Remove access for keyfile3
   luks_device:
     device: "{{ cryptfile_device }}"
     state: closed
     remove_passphrase: "{{ keyfile3 }}"
     passphrase_encoding: base64
-    force_remove_last_key: true
   become: true
 
 - name: Try to open with keyfile3
@@ -82,3 +91,15 @@
 - assert:
     that:
     - open_try is failed
+
+- name: Open with passphrase1
+  luks_device:
+    device: "{{ cryptfile_device }}"
+    state: opened
+    passphrase: "{{ cryptfile_passphrase1 }}"
+  become: true
+  ignore_errors: true
+  register: open_try
+- assert:
+    that:
+    - open_try is not failed