Blame SOURCES/0009-Introduce-y-assume-yes-argument-to-clevis-luks-bind.patch

From 7b1639b2194a8bfbb0daedf1cbdfc4ebef5f6b31 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 18 May 2020 08:36:17 -0300
Subject: [PATCH] Introduce -y (assume yes) argument to clevis luks bind
In order to simplify automated operations with e.g. ansible,
it would be helpful to have a way to automate the creation of
bindings with clevis.
In simple scenarios, it's possible to download the advertisement
from a tang server and pass it in the binding configuration, to
do the binding offline, in the following way:
curl -sfg http://tang.server/adv -o adv.jws
clevis luks bind -d /dev/sda2 tang '{"url":"http://tang.server", "adv":"adv.jws}'
However, for more complex scenarios using multiple servers with
the sss pin, it becomes a lot more complicated to do the same
thing and do the binding in an automated fashion. An alternative
would be to use expect (tcl), but it can also be complicated.
In this commit we introduce -y as a parameter to clevis luks bind,
meaning _assume yes_. Essentially, this would make it so that
the user would not have to manually trust tang key(s) by typing
y/yes.
Security-wise, it would be similar to downloading the advertisement
manually and passing it to tang as the "adv" configuration option,
something already supported.
We already have a -f parameter, so we picked something different,
not to change existing behavior and possibly break existing scripts.
---
 src/luks/clevis-luks-bind.1.adoc         |  7 +-
 src/luks/clevis-luks-bind.in             | 11 +++-
 src/luks/clevis-luks-regen               |  4 +-
 src/luks/tests/assume-yes-luks1          | 81 ++++++++++++++++++++++++
 src/luks/tests/assume-yes-luks2          | 81 ++++++++++++++++++++++++
 src/luks/tests/meson.build               |  2 +
 src/pins/sss/clevis-encrypt-sss.1.adoc   | 14 +++-
 src/pins/sss/clevis-encrypt-sss.c        | 30 ++++++---
 src/pins/tang/clevis-encrypt-tang        | 35 ++++++----
 src/pins/tang/clevis-encrypt-tang.1.adoc | 11 +++-
 10 files changed, 246 insertions(+), 30 deletions(-)
 create mode 100755 src/luks/tests/assume-yes-luks1
 create mode 100755 src/luks/tests/assume-yes-luks2
diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc
3700a9
index 336c0f4..438e517 100644
3700a9
--- a/src/luks/clevis-luks-bind.1.adoc
3700a9
+++ b/src/luks/clevis-luks-bind.1.adoc
3700a9
@@ -9,7 +9,7 @@ clevis-luks-bind - Bind a LUKS device using the specified policy
3700a9
 
3700a9
 == SYNOPSIS
3700a9
 
3700a9
-*clevis luks bind* [-f] -d DEV [-s SLT] [-k KEY] PIN CFG
3700a9
+*clevis luks bind* [-f] [-y] -d DEV [-s SLT] [-k KEY] PIN CFG
3700a9
 
3700a9
 == OVERVIEW
3700a9
 
3700a9
@@ -34,6 +34,11 @@ Clevis LUKS unlockers. See link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlock
3700a9
 * *-f* :
3700a9
   Do not prompt for LUKSMeta initialization
3700a9
 
3700a9
+* *-y* :
3700a9
+  Automatically answer yes for all questions. When using _tang_, it
3700a9
+  causes the advertisement trust check to be skipped, which can be
3700a9
+  useful in automated deployments
3700a9
+
3700a9
 * *-d* _DEV_ :
3700a9
   The LUKS device on which to perform binding
3700a9
 
3700a9
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
3700a9
index 89a5e22..8b8b5ee 100755
3700a9
--- a/src/luks/clevis-luks-bind.in
3700a9
+++ b/src/luks/clevis-luks-bind.in
3700a9
@@ -33,12 +33,14 @@ function luks2_supported() {
3700a9
 function usage() {
3700a9
     exec >&2
3700a9
     echo
3700a9
-    echo "Usage: clevis luks bind [-f] [-s SLT] [-k KEY] -d DEV PIN CFG"
3700a9
+    echo "Usage: clevis luks bind [-f] [-y] [-s SLT] [-k KEY] -d DEV PIN CFG"
3700a9
     echo
3700a9
     echo "$SUMMARY":
3700a9
     echo
3700a9
     echo "  -f      Do not prompt for LUKSMeta initialization"
3700a9
     echo
3700a9
+    echo "  -y      Automatically answer yes for all questions"
3700a9
+    echo
3700a9
     echo "  -d DEV  The LUKS device on which to perform binding"
3700a9
     echo
3700a9
     echo "  -s SLT  The LUKS slot to use"
3700a9
@@ -55,12 +57,15 @@ if [ $# -eq 1 ] && [ "$1" == "--summary" ]; then
3700a9
 fi
3700a9
 
3700a9
 FRC=()
3700a9
-while getopts ":hfd:s:k:" o; do
3700a9
+YES=()
3700a9
+while getopts ":fyd:s:k:" o; do
3700a9
     case "$o" in
3700a9
     f) FRC+=(-f);;
3700a9
     d) DEV="$OPTARG";;
3700a9
     s) SLT="$OPTARG";;
3700a9
     k) KEY="$OPTARG";;
3700a9
+    y) FRC+=(-f)
3700a9
+       YES+=(-y);;
3700a9
     *) usage;;
3700a9
     esac
3700a9
 done
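Review bot: The new `y)` arm appends `-f` to FRC as well as `-y` to YES, so `-y` also suppresses the LUKSMeta initialization prompt, but neither the new usage() line nor the man page text in this patch mentions that `-y` implies `-f`. Either document it, e.g. `echo "  -y      Automatically answer yes for all questions (implies -f)"`, or leave the two flags independent so the existing `-f` contract is untouched. The getopts string also changed from `":hfd:s:k:"` to `":fyd:s:k:"`, dropping `h`; `-h` still lands in the `*) usage;;` arm so behaviour is unchanged, but the drop looks accidental and is worth a word in the commit message.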
3700a9
@@ -139,7 +144,7 @@ cryptsetup luksDump "$DEV" \
3700a9
 )")"
3700a9
 
3700a9
 # Encrypt the new key
3700a9
-jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG")"
3700a9
+jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
3700a9
 
3700a9
 # If necessary, initialize the LUKS volume
3700a9
 if [ "$luks_type" == "luks1" ] && ! luksmeta test -d "$DEV"; then
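Review bot: `"${YES}"` on the new jwe= line expands only element 0 of the array, and when `-y` was not given it passes an empty string as a third argument, so every pin invoked through `clevis luks bind` now receives an extra `""`. The tang and sss changes in this patch appear to tolerate that (`[ -n "${2}" ]` and the `strlen(argv[2]) > 0` branch), but any other pin that rejects unexpected arguments would presumably start failing, and those tolerance checks exist only because of this quoting. Expand the array so the argument is omitted when it is empty: `jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES[@]}")"`.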
3700a9
diff --git a/src/luks/clevis-luks-regen b/src/luks/clevis-luks-regen
3700a9
index 44fd673..6071d85 100755
3700a9
--- a/src/luks/clevis-luks-regen
3700a9
+++ b/src/luks/clevis-luks-regen
3700a9
@@ -110,7 +110,7 @@ if ! new_passphrase=$(generate_key "${DEV}"); then
3700a9
 fi
3700a9
 
3700a9
 # Reencrypt the new password.
3700a9
-if ! jwe=$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}"); then
3700a9
+if ! jwe="$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}")"; then
3700a9
     echo "Error using pin '${PIN}' with config '${CFG}'" >&2
3700a9
     exit 1
3700a9
 fi
3700a9
@@ -176,7 +176,7 @@ fi
3700a9
 # Now make sure that we can unlock this device after the change.
3700a9
 # If we can't, undo the changes.
3700a9
 if ! cryptsetup open --test-passphrase --key-slot "${SLT}" "${DEV}" 2>/dev/null \
3700a9
-        <<< $(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null); then
3700a9
+        <<< "$(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null)"; then
3700a9
     echo "Invalid configuration detected after rebinding. Reverting changes."
3700a9
     restore_device "${DEV}" "${TMP}"
3700a9
     exit 1
3700a9
diff --git a/src/luks/tests/assume-yes-luks1 b/src/luks/tests/assume-yes-luks1
3700a9
new file mode 100755
3700a9
index 0000000..ad9dea4
3700a9
--- /dev/null
3700a9
+++ b/src/luks/tests/assume-yes-luks1
3700a9
@@ -0,0 +1,81 @@
3700a9
+#!/bin/bash -ex
3700a9
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
3700a9
+#
3700a9
+# Copyright (c) 2020 Red Hat, Inc.
3700a9
+# Author: Sergio Correia <scorreia@redhat.com>
3700a9
+#
3700a9
+# This program is free software: you can redistribute it and/or modify
3700a9
+# it under the terms of the GNU General Public License as published by
3700a9
+# the Free Software Foundation, either version 3 of the License, or
3700a9
+# (at your option) any later version.
3700a9
+#
3700a9
+# This program is distributed in the hope that it will be useful,
3700a9
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
3700a9
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
3700a9
+# GNU General Public License for more details.
3700a9
+#
3700a9
+# You should have received a copy of the GNU General Public License
3700a9
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
3700a9
+
3700a9
+TEST=$(basename "${0}")
3700a9
+. tests-common-functions
3700a9
+
3700a9
+. clevis-luks-common-functions
3700a9
+
3700a9
+on_exit() {
3700a9
+    local d
3700a9
+    for d in "${TMP}" "${TMP2}"; do
3700a9
+        [ ! -d "${d}" ] && continue
3700a9
+        tang_stop "${d}"
3700a9
+        rm -rf "${d}"
3700a9
+    done
3700a9
+}
3700a9
+
3700a9
+trap 'on_exit' EXIT
3700a9
+trap 'on_exit' ERR
3700a9
+
3700a9
+TMP="$(mktemp -d)"
3700a9
+
3700a9
+port=$(get_random_port)
3700a9
+tang_run "${TMP}" "${port}" &
3700a9
+tang_wait_until_ready "${port}"
3700a9
+
3700a9
+url="http://${TANG_HOST}:${port}"
3700a9
+
3700a9
+cfg=$(printf '{"url":"%s"}' "$url")
3700a9
+
3700a9
+# LUKS1.
3700a9
+DEV="${TMP}/luks1-device"
3700a9
+new_device "luks1" "${DEV}"
3700a9
+
3700a9
+if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
3700a9
+    error "${TEST}: Bind should have succeeded."
3700a9
+fi
3700a9
+
3700a9
+if ! clevis_luks_unlock_device "${DEV}"; then
3700a9
+    error "${TEST}: we were unable to unlock ${DEV}."
3700a9
+fi
3700a9
+
3700a9
+# Let's use a second tang server to test the sss pin.
3700a9
+TMP2="$(mktemp -d)"
3700a9
+
3700a9
+port2=$(get_random_port)
3700a9
+tang_run "${TMP2}" "${port2}" &
3700a9
+tang_wait_until_ready "${port2}"
3700a9
+
3700a9
+url2="http://${TANG_HOST}:${port2}"
3700a9
+
3700a9
+cfg2=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
3700a9
+       "${url1}" "${url2}")
3700a9
+
3700a9
+# LUKS1.
3700a9
+new_device "luks1" "${DEV}"
3700a9
+# Now let's test the sss pin with the two test tang servers we deployed.
3700a9
+if ! clevis luks bind -y -d "${DEV}" sss "${cfg2}" <<< "${DEFAULT_PASS}"; then
3700a9
+    error "${TEST}: Bind should have succeeded."
3700a9
+fi
3700a9
+
3700a9
+# Unlock should still work now.
3700a9
+if ! clevis_luks_unlock_device "${DEV}"; then
3700a9
+    error "${TEST}: we should still be able to unlock ${DEV}"
3700a9
+fi
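Review bot: `cfg2` is built from `${url1}`, which this script never assigns (the first server's URL is stored in `url`), so the sss configuration contains `{"url":""}` for the first tang pin. With `"t":1` the bind can still succeed through the second server alone, so the test passes without actually exercising `-y` against two servers. Change the printf arguments to `"${url}" "${url2}"`; src/luks/tests/assume-yes-luks2 has the same defect on its cfg2 line.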
3700a9
diff --git a/src/luks/tests/assume-yes-luks2 b/src/luks/tests/assume-yes-luks2
3700a9
new file mode 100755
3700a9
index 0000000..5c0edc3
3700a9
--- /dev/null
3700a9
+++ b/src/luks/tests/assume-yes-luks2
3700a9
@@ -0,0 +1,81 @@
3700a9
+#!/bin/bash -ex
3700a9
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
3700a9
+#
3700a9
+# Copyright (c) 2020 Red Hat, Inc.
3700a9
+# Author: Sergio Correia <scorreia@redhat.com>
3700a9
+#
3700a9
+# This program is free software: you can redistribute it and/or modify
3700a9
+# it under the terms of the GNU General Public License as published by
3700a9
+# the Free Software Foundation, either version 3 of the License, or
3700a9
+# (at your option) any later version.
3700a9
+#
3700a9
+# This program is distributed in the hope that it will be useful,
3700a9
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
3700a9
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
3700a9
+# GNU General Public License for more details.
3700a9
+#
3700a9
+# You should have received a copy of the GNU General Public License
3700a9
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
3700a9
+
3700a9
+TEST=$(basename "${0}")
3700a9
+. tests-common-functions
3700a9
+
3700a9
+. clevis-luks-common-functions
3700a9
+
3700a9
+on_exit() {
3700a9
+    local d
3700a9
+    for d in "${TMP}" "${TMP2}"; do
3700a9
+        [ ! -d "${d}" ] && continue
3700a9
+        tang_stop "${d}"
3700a9
+        rm -rf "${d}"
3700a9
+    done
3700a9
+}
3700a9
+
3700a9
+trap 'on_exit' EXIT
3700a9
+trap 'on_exit' ERR
3700a9
+
3700a9
+TMP="$(mktemp -d)"
3700a9
+
3700a9
+port=$(get_random_port)
3700a9
+tang_run "${TMP}" "${port}" &
3700a9
+tang_wait_until_ready "${port}"
3700a9
+
3700a9
+url="http://${TANG_HOST}:${port}"
3700a9
+
3700a9
+cfg=$(printf '{"url":"%s"}' "$url")
3700a9
+
3700a9
+# LUKS2.
3700a9
+DEV="${TMP}/luks2-device"
3700a9
+new_device "luks2" "${DEV}"
3700a9
+
3700a9
+if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
3700a9
+    error "${TEST}: Bind should have succeeded."
3700a9
+fi
3700a9
+
3700a9
+if ! clevis_luks_unlock_device "${DEV}"; then
3700a9
+    error "${TEST}: we were unable to unlock ${DEV}."
3700a9
+fi
3700a9
+
3700a9
+# Let's use a second tang server to test the sss pin.
3700a9
+TMP2="$(mktemp -d)"
3700a9
+
3700a9
+port2=$(get_random_port)
3700a9
+tang_run "${TMP2}" "${port2}" &
3700a9
+tang_wait_until_ready "${port2}"
3700a9
+
3700a9
+url2="http://${TANG_HOST}:${port2}"
3700a9
+
3700a9
+cfg2=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
3700a9
+       "${url1}" "${url2}")
3700a9
+
3700a9
+# LUKS2.
3700a9
+new_device "luks2" "${DEV}"
3700a9
+# Now let's test the sss pin with the two test tang servers we deployed.
3700a9
+if ! clevis luks bind -y -d "${DEV}" sss "${cfg2}" <<< "${DEFAULT_PASS}"; then
3700a9
+    error "${TEST}: Bind should have succeeded."
3700a9
+fi
3700a9
+
3700a9
+# Unlock should still work now.
3700a9
+if ! clevis_luks_unlock_device "${DEV}"; then
3700a9
+    error "${TEST}: we should still be able to unlock ${DEV}"
3700a9
+fi
3700a9
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
3700a9
index dbef9bf..4795488 100644
3700a9
--- a/src/luks/tests/meson.build
3700a9
+++ b/src/luks/tests/meson.build
3700a9
@@ -85,6 +85,7 @@ endif
3700a9
 
3700a9
 if has_tang
3700a9
   test('unlock-tang-luks1', find_program('unlock-tang-luks1'), env: env, timeout: 90)
3700a9
+  test('assume-yes-luks1', find_program('assume-yes-luks1'), env: env)
3700a9
 endif
3700a9
 test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env)
3700a9
 test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env)
3700a9
@@ -108,6 +109,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
3700a9
 
3700a9
   if has_tang
3700a9
     test('unlock-tang-luks2', find_program('unlock-tang-luks2'), env: env, timeout: 120)
3700a9
+    test('assume-yes-luks2', find_program('assume-yes-luks2'), env: env, timeout: 60)
3700a9
   endif
3700a9
   test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
3700a9
   test('backup-restore-luks2', find_program('backup-restore-luks2'), env:env, timeout: 90)
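Review bot: `assume-yes-luks1` is registered without a timeout while the luks2 variant gets `timeout: 60` and the adjacent `unlock-tang-luks1` gets 90; the new test starts two tang servers and performs two binds, so the default meson timeout may be tight on a slow CI host. For consistency with the luks2 entry, `test('assume-yes-luks1', find_program('assume-yes-luks1'), env: env, timeout: 60)`.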
3700a9
diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc
3700a9
index 7144e7e..7152144 100644
3700a9
--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
3700a9
+++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
3700a9
@@ -5,11 +5,11 @@ CLEVIS-ENCRYPT-SSS(1)
3700a9
 
3700a9
 == NAME
3700a9
 
3700a9
-clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy 
3700a9
+clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy
3700a9
 
3700a9
 == SYNOPSIS
3700a9
 
3700a9
-*clevis encrypt sss* CONFIG < PT > JWE
3700a9
+*clevis encrypt sss* CONFIG [-y] < PT > JWE
3700a9
 
3700a9
 == OVERVIEW
3700a9
 
3700a9
@@ -52,6 +52,16 @@ The format of the *pins* property is as follows:
3700a9
 When the list version of the format is used, multiple pins of that type will
3700a9
 receive key fragments.
3700a9
 
3700a9
+== OPTIONS
3700a9
+
3700a9
+* *-y* :
3700a9
+  Automatically answer yes for all questions. For the _tang_ pin, it will
3700a9
+  skip the advertisement trust check, which can be useful in automated
3700a9
+  deployments:
3700a9
+
3700a9
+    $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
3700a9
+    $ clevis encrypt sss "$cfg" -y < PT > JWE
3700a9
+
3700a9
 == SEE ALSO
3700a9
 
3700a9
 link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
3700a9
diff --git a/src/pins/sss/clevis-encrypt-sss.c b/src/pins/sss/clevis-encrypt-sss.c
3700a9
index d6f2c2c..531e918 100644
3700a9
--- a/src/pins/sss/clevis-encrypt-sss.c
3700a9
+++ b/src/pins/sss/clevis-encrypt-sss.c
3700a9
@@ -86,9 +86,9 @@ npins(json_t *pins)
3700a9
 }
3700a9
 
3700a9
 static json_t *
3700a9
-encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
3700a9
+encrypt_frag(json_t *sss, const char *pin, const json_t *cfg, int assume_yes)
3700a9
 {
3700a9
-    char *args[] = { "clevis", "encrypt", (char *) pin, NULL, NULL };
3700a9
+    char *args[] = { "clevis", "encrypt", (char *) pin, NULL, NULL, NULL };
3700a9
     json_auto_t *jwe = json_string("");
3700a9
     str_auto_t *str = NULL;
3700a9
     uint8_t *pnt = NULL;
3700a9
@@ -100,6 +100,10 @@ encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
3700a9
     if (!str)
3700a9
         return NULL;
3700a9
 
3700a9
+    if (assume_yes) {
3700a9
+        args[4] = "-y";
3700a9
+    }
3700a9
+
3700a9
     pnt = sss_point(sss, &pntl);
3700a9
     if (!pnt)
3700a9
         return NULL;
3700a9
@@ -137,7 +141,7 @@ encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
3700a9
 }
3700a9
 
3700a9
 static json_t *
3700a9
-encrypt_frags(json_int_t t, json_t *pins)
3700a9
+encrypt_frags(json_int_t t, json_t *pins, int assume_yes)
3700a9
 {
3700a9
     const char *pname = NULL;
3700a9
     json_auto_t *sss = NULL;
3700a9
@@ -172,7 +176,7 @@ encrypt_frags(json_int_t t, json_t *pins)
3700a9
         json_array_foreach(pcfgs, i, pcfg) {
3700a9
             json_auto_t *jwe = NULL;
3700a9
 
3700a9
-            jwe = encrypt_frag(sss, pname, pcfg);
3700a9
+            jwe = encrypt_frag(sss, pname, pcfg, assume_yes);
3700a9
             if (!jwe)
3700a9
                 return NULL;
3700a9
 
3700a9
@@ -201,14 +205,24 @@ main(int argc, char *argv[])
3700a9
     const char *iv = NULL;
3700a9
     json_t *pins = NULL;
3700a9
     json_int_t t = 1;
3700a9
+    int assume_yes = 0;
3700a9
 
3700a9
     if (argc == 2 && strcmp(argv[1], "--summary") == 0) {
3700a9
         fprintf(stdout, "%s\n", SUMMARY);
3700a9
         return EXIT_SUCCESS;
3700a9
     }
3700a9
 
3700a9
-    if (isatty(STDIN_FILENO) || argc != 2)
3700a9
-        goto usage;
3700a9
+    if (isatty(STDIN_FILENO) || argc != 2) {
3700a9
+        if (argc != 3) {
3700a9
+            goto usage;
3700a9
+        }
3700a9
+
3700a9
+        if (strcmp(argv[2], "-y") == 0) {
3700a9
+            assume_yes = 1;
3700a9
+        } else if (strlen(argv[2]) > 0) {
3700a9
+            goto usage;
3700a9
+        }
3700a9
+    }
3700a9
 
3700a9
     /* Parse configuration. */
3700a9
     cfg = json_loads(argv[1], 0, NULL);
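Review bot: The rewritten argument check weakens the tty guard: before, a tty on stdin always went to usage, but now `isatty(STDIN_FILENO) || argc != 2` only leads to usage when `argc != 3`, so `clevis encrypt sss CFG -y` run from a terminal falls through and blocks reading plaintext from the tty. An empty `argv[2]` is also accepted silently, presumably to tolerate the caller passing `""` from clevis-luks-bind; that should be stated in a comment so it is not cleaned up as dead code. Separate the argument-count logic from the tty check so the latter applies unconditionally; main() continues outside the hunk.
```c
    /* … unchanged: --summary handling … */
    if (argc == 3) {
        if (strcmp(argv[2], "-y") == 0)
            assume_yes = 1;
        else if (argv[2][0] != '\0')   /* "" tolerated for callers passing an empty arg */
            goto usage;
    } else if (argc != 2) {
        goto usage;
    }

    if (isatty(STDIN_FILENO))
        goto usage;
```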
3700a9
@@ -228,7 +242,7 @@ main(int argc, char *argv[])
3700a9
         return EXIT_FAILURE;
3700a9
     }
3700a9
 
3700a9
-    sss = encrypt_frags(t, pins);
3700a9
+    sss = encrypt_frags(t, pins, assume_yes);
3700a9
     if (!sss)
3700a9
         return EXIT_FAILURE;
3700a9
 
3700a9
@@ -287,7 +301,7 @@ main(int argc, char *argv[])
3700a9
 
3700a9
 usage:
3700a9
     fprintf(stderr, "\n");
3700a9
-    fprintf(stderr, "Usage: clevis encrypt sss CONFIG < PLAINTEXT > JWE\n");
3700a9
+    fprintf(stderr, "Usage: clevis encrypt sss CONFIG [-y] < PLAINTEXT > JWE\n");
3700a9
     fprintf(stderr, "\n");
3700a9
     fprintf(stderr, "%s\n", SUMMARY);
3700a9
     fprintf(stderr, "\n");
3700a9
diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang
3700a9
index 378b25d..4a43f1f 100755
3700a9
--- a/src/pins/tang/clevis-encrypt-tang
3700a9
+++ b/src/pins/tang/clevis-encrypt-tang
3700a9
@@ -28,10 +28,14 @@ fi
3700a9
 if [ -t 0 ]; then
3700a9
     exec >&2
3700a9
     echo
3700a9
-    echo "Usage: clevis encrypt tang CONFIG < PLAINTEXT > JWE"
3700a9
+    echo "Usage: clevis encrypt tang CONFIG [-y] < PLAINTEXT > JWE"
3700a9
     echo
3700a9
     echo "$SUMMARY"
3700a9
     echo
3700a9
+    echo "  -y              Use this option for skipping the advertisement"
3700a9
+    echo "                  trust check. This can be useful in automated"
3700a9
+    echo "                  deployments"
3700a9
+    echo
3700a9
     echo "This command uses the following configuration properties:"
3700a9
     echo
3700a9
     echo "  url: <string>   The base URL of the Tang server (REQUIRED)"
3700a9
@@ -60,6 +64,9 @@ if ! cfg="$(jose fmt -j- -Oo- <<< "$1" 2>/dev/null)"; then
3700a9
     exit 1
3700a9
 fi
3700a9
 
3700a9
+trust=
3700a9
+[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
3700a9
+
3700a9
 if ! url="$(jose fmt -j- -Og url -u- <<< "$cfg")"; then
3700a9
     echo "Missing the required 'url' property!" >&2
3700a9
     exit 1
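Review bot: Any second argument other than `-y` is silently ignored on the new `trust=` line, so a typo such as `-Y` or a stray value runs the command with the interactive prompt rather than reporting an error, unlike the sss C side in this patch which rejects unknown arguments. The `[ -n "${2}" ]` test is also redundant with the string comparison that follows. Something like `[ "${2}" == "-y" ] && trust=yes` followed by `[ -z "${2}" ] || [ -n "${trust}" ] || { echo "Unknown argument '${2}'" >&2; exit 1; }` keeps the empty-argument tolerance while rejecting everything else.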
3700a9
@@ -100,18 +107,20 @@ if ! jose jws ver -i "$jws" -k- -a <<< "$ver"; then
3700a9
 fi
3700a9
 
3700a9
 ### Check advertisement trust
3700a9
-if [ -z "$thp" ]; then
3700a9
-    echo "The advertisement contains the following signing keys:" >&2
3700a9
-    echo >&2
3700a9
-    jose jwk thp -i- <<< "$ver" >&2
3700a9
-    echo >&2
3700a9
-    read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
3700a9
-    [[ "$ans" =~ ^[yY]$ ]] || exit 1
3700a9
-
3700a9
-elif [ "$thp" != "any" ] && \
3700a9
-    ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
3700a9
-    echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
3700a9
-    exit 1
3700a9
+if [ -z "${trust}" ]; then
3700a9
+    if [ -z "$thp" ]; then
3700a9
+        echo "The advertisement contains the following signing keys:" >&2
3700a9
+        echo >&2
3700a9
+        jose jwk thp -i- <<< "$ver" >&2
3700a9
+        echo >&2
3700a9
+        read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
3700a9
+        [[ "$ans" =~ ^[yY]$ ]] || exit 1
3700a9
+
3700a9
+    elif [ "$thp" != "any" ] && \
3700a9
+        ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
3700a9
+        echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
3700a9
+        exit 1
3700a9
+    fi
3700a9
 fi
3700a9
 
3700a9
 ### Perform encryption
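Review bot: Wrapping the whole trust block in `if [ -z "${trust}" ]` skips the explicit `thp` verification too, so with `-y` a configuration that pins a trusted thumbprint now accepts an advertisement that thumbprint did not sign. The commit message argues `-y` is equivalent to passing a pre-downloaded `adv`, but a configured `thp` is a stronger policy the user opted into, and `-y` should only replace the interactive confirmation, not the signature check. Move the `trust` test inside the `-z "$thp"` branch so the `elif` path is always evaluated; the `thp` value itself is read above the hunk.
```sh
### Check advertisement trust
if [ -z "$thp" ]; then
    # -y only replaces the interactive confirmation; an explicit thp
    # in the configuration is still enforced by the elif below.
    if [ -z "${trust}" ]; then
        # … unchanged: list signing keys and prompt via /dev/tty …
        [[ "$ans" =~ ^[yY]$ ]] || exit 1
    fi
elif [ "$thp" != "any" ] && \
    ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
    # … unchanged: report the mismatch and exit 1 …
fi
```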
3700a9
diff --git a/src/pins/tang/clevis-encrypt-tang.1.adoc b/src/pins/tang/clevis-encrypt-tang.1.adoc
3700a9
index 276575f..c34d109 100644
3700a9
--- a/src/pins/tang/clevis-encrypt-tang.1.adoc
3700a9
+++ b/src/pins/tang/clevis-encrypt-tang.1.adoc
3700a9
@@ -9,7 +9,7 @@ clevis-encrypt-tang - Encrypts using a Tang binding server policy
3700a9
 
3700a9
 == SYNOPSIS
3700a9
 
3700a9
-*clevis encrypt tang* CONFIG < PT > JWE
3700a9
+*clevis encrypt tang* CONFIG [-y] < PT > JWE
3700a9
 
3700a9
 == OVERVIEW
3700a9
 
3700a9
@@ -76,6 +76,15 @@ This command uses the following configuration properties:
3700a9
 * *adv* (object) :
3700a9
   A trusted advertisement (raw JSON)
3700a9
 
3700a9
+== OPTIONS
3700a9
+
3700a9
+* *-y* :
3700a9
+  Automatically answer yes for all questions. Use this option for skipping
3700a9
+  the advertisement trust check. This can be useful in automated deployments:
3700a9
+
3700a9
+    $ clevis encrypt tang '{"url":...}' -y < PT > JWE
3700a9
+
3700a9
+
3700a9
 == SEE ALSO
3700a9
 
3700a9
 link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
3700a9
-- 
2.18.4