From 90ad841a457111cc2463ebeb1416e306cb3ddcc9 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina
Date: Fri, 16 Sep 2022 14:00:53 +0200
Subject: [PATCH] Add cryptsetup token unassign action.

Allows removing token binding on specific keyslot.
---
 man/common_options.adoc | 6 ++++++
 man/cryptsetup-token.8.adoc | 5 ++++-
 src/cryptsetup.c | 32 +++++++++++++++++++++++++++++++-
 tests/compat-test2 | 12 ++++++++++++
 4 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/man/common_options.adoc b/man/common_options.adoc
index bfcf8ee0..1aa6a2ac 100644
--- a/man/common_options.adoc
+++ b/man/common_options.adoc
@@ -755,9 +755,15 @@ endif::[]
 ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME,ACTION_TOKEN[]
 *--token-id*::
+ifndef::ACTION_TOKEN[]
 Specify what token to use. If omitted, all available tokens will be checked before proceeding further with passphrase prompt.
 endif::[]
+ifdef::ACTION_TOKEN[]
+Specify token number. If omitted, first unused token id is used when adding or importing
+new token.
+endif::[]
+endif::[]
 ifdef::ACTION_OPEN,ACTION_RESIZE,ACTION_LUKSRESUME[]
 *--token-only*::
diff --git a/man/cryptsetup-token.8.adoc b/man/cryptsetup-token.8.adoc
index 663418f9..7a3a0694 100644
--- a/man/cryptsetup-token.8.adoc
+++ b/man/cryptsetup-token.8.adoc
@@ -12,7 +12,7 @@ cryptsetup-token - manage LUKS2 tokens
 == SYNOPSIS
-*cryptsetup _token_ [] *
+*cryptsetup _token_ [] *
 == DESCRIPTION
@@ -40,6 +40,9 @@ also assigned to the key slot.
 Action _export_ writes requested token JSON to a file passed with --json-file or to standard output.
+Action _unassign_ removes token binding to specified keyslot. Both token
+and keyslot must be specified by --token-id and --key-slot parameters.
+
 If --token-id is used with action _add_ or action _import_ and a token with that ID already exists, option --token-replace can be used to replace the existing token.
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 743d03f2..ca355ad7 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -2640,6 +2640,26 @@ static int _token_export(struct crypt_device *cd)
 return tools_write_json_file(ARG_STR(OPT_JSON_FILE_ID), json);
 }
+static int _token_unassign(struct crypt_device *cd)
+{
+ int r = crypt_token_is_assigned(cd, ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
+
+ if (r < 0) {
+ if (r == -ENOENT)
+ log_err(_("Token %d is not assigned to keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
+ else
+ log_err(_("Failed to unassign token %d from keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
+
+ return r;
+ }
+
+ r = crypt_token_unassign_keyslot(cd, ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
+ if (r < 0)
+ log_err(_("Failed to unassign token %d from keyslot %d."), ARG_INT32(OPT_TOKEN_ID_ID), ARG_INT32(OPT_KEY_SLOT_ID));
+
+ return r;
+}
+
 static int action_token(void)
 {
 int r;
@@ -2668,6 +2688,8 @@ static int action_token(void)
 tools_token_msg(r, CREATED);
 } else if (!strcmp(action_argv[0], "export"))
 r = _token_export(cd);
+ else if (!strcmp(action_argv[0], "unassign"))
+ r = _token_unassign(cd);
 crypt_free(cd);
@@ -2818,7 +2840,8 @@ static const char *verify_token(void)
 if (strcmp(action_argv[0], "add") &&
 strcmp(action_argv[0], "remove") &&
 strcmp(action_argv[0], "import") &&
- strcmp(action_argv[0], "export"))
+ strcmp(action_argv[0], "export") &&
+ strcmp(action_argv[0], "unassign"))
 return _("Invalid token action.");
 if (!ARG_SET(OPT_KEY_DESCRIPTION_ID) && !strcmp(action_argv[0], "add"))
@@ -2835,6 +2858,13 @@ static const char *verify_token(void)
 return _("Options --key-slot and --unbound cannot be combined.");
 }
+ if (!strcmp(action_argv[0], "unassign")) {
+ if (!ARG_SET(OPT_KEY_SLOT_ID))
+ return _("Action requires specific keyslot. Use --key-slot parameter.");
+ if (!ARG_SET(OPT_TOKEN_ID_ID))
+ return _("Action requires specific token. Use --token-id parameter.");
+ }
+
 return NULL;
 }
diff --git a/tests/compat-test2 b/tests/compat-test2
index f187fd72..4e4c0b59 100755
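Review bot: `_token_unassign` in the first hunk expands `ARG_INT32(OPT_TOKEN_ID_ID)` and `ARG_INT32(OPT_KEY_SLOT_ID)` six times and emits the identical "Failed to unassign" message from two separate branches; reading the two ids into locals once and routing every non-ENOENT failure through a single `log_err` keeps each message in one place and makes the control flow easier to audit. The `crypt_token_is_assigned` probe still runs first so the "not assigned" diagnostic and the return value on every path are unchanged. A one-line header comment would also help, e.g. `/* "unassign": --token-id and --key-slot are both mandatory, enforced in verify_token(). */`, since that precondition is only visible in the last hunk of this file.
```c
static int _token_unassign(struct crypt_device *cd)
{
	int token = ARG_INT32(OPT_TOKEN_ID_ID), keyslot = ARG_INT32(OPT_KEY_SLOT_ID);
	int r = crypt_token_is_assigned(cd, token, keyslot);

	if (r == -ENOENT) {
		log_err(_("Token %d is not assigned to keyslot %d."), token, keyslot);
		return r;
	}

	/* probe succeeded: attempt the unassign; any other probe error falls through to the generic message */
	if (r >= 0)
		r = crypt_token_unassign_keyslot(cd, token, keyslot);
	if (r < 0)
		log_err(_("Failed to unassign token %d from keyslot %d."), token, keyslot);

	return r;
}
```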
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -908,6 +908,18 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
 # test we can add unassigned token
 $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 --unbound --token-id 0 || fail
 $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail
+ $CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail
+
+ # test token unassign works
+ $CRYPTSETUP token add $LOOPDEV --key-description $TEST_TOKEN0 -S0 --token-id 0 || fail
+ $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV || fail
+ $CRYPTSETUP token unassign --token-id 0 $LOOPDEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign -S0 $LOOPDEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign --token-id 0 -S0 $LOOPDEV || fail
+ $CRYPTSETUP open --token-only --token-id 0 --test-passphrase $LOOPDEV && fail
+ $CRYPTSETUP token unassign --token-id 0 -S0 $LOOPDEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign --token-id 0 -S44 $LOOPDEV 2>/dev/null && fail
+ $CRYPTSETUP token unassign --token-id 44 -S0 $LOOPDEV 2>/dev/null && fail
 fi
 echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 10 || fail
 echo -n "$IMPORT_TOKEN" | $CRYPTSETUP token import $LOOPDEV --token-id 11 --json-file - || fail
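Review bot: The new unassign block leaves token 0 in the header after `token unassign --token-id 0 -S0` succeeds, whereas the block right above it was given a `token remove --token-id 0` so the unbound token does not linger; unless a later part of the script outside this hunk clears it, the `token import --token-id 10/11` steps that follow run against a header that still carries an unbound token 0. Adding `$CRYPTSETUP token remove --token-id 0 $LOOPDEV || fail` after the final negative check keeps the two blocks symmetric and the starting state of the following tests explicit. A short comment above the negative checks, e.g. `# missing ids, double unassign and out-of-range ids must all be rejected`, would document what each `&& fail` line is guarding.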