fix(veracrypt): Insert password flags before positional arguments

gdellis · gdellis · commit db7f0df700a1 · 2026-05-06T18:03:59.000-06:00
VeraCrypt CLI expects: veracrypt -t -p &lt;password&gt; --non-interactive [Volume path] [Mount point]
The provisioner was appending flags AFTER positional args, causing 'Unexpected parameter' error.

Fix: Insert -p &lt;password&gt; --non-interactive before first positional argument (arg not starting with '-').
diff --git a/plugins/veracrypt/volume_password.go b/plugins/veracrypt/volume_password.go
@@ -54,7 +54,23 @@ func (p volumePasswordProv) Provision(ctx context.Context, in sdk.ProvisionInput
 		out.CommandLine = []string{}
 		return
 	}
-	out.AddArgs("-p", password, "--non-interactive")
+	args := []string{"-p", password, "--non-interactive"}
+	if len(out.CommandLine) == 0 {
+		out.CommandLine = args
+		return
+	}
+	insertAt := len(out.CommandLine)
+	for i, arg := range out.CommandLine {
+		if len(arg) > 0 && arg[0] != '-' {
+			insertAt = i
+			break
+		}
+	}
+	newCmd := make([]string, 0, len(out.CommandLine)+len(args))
+	newCmd = append(newCmd, out.CommandLine[:insertAt]...)
+	newCmd = append(newCmd, args...)
+	newCmd = append(newCmd, out.CommandLine[insertAt:]...)
+	out.CommandLine = newCmd
 }
 
 func (p volumePasswordProv) Deprovision(ctx context.Context, in sdk.DeprovisionInput, out *sdk.DeprovisionOutput) {
diff --git a/plugins/veracrypt/volume_password_test.go b/plugins/veracrypt/volume_password_test.go
@@ -10,20 +10,22 @@ import (
 
 func TestVolumePasswordProvisioner(t *testing.T) {
 	plugintest.TestProvisioner(t, VolumePassword().DefaultProvisioner, map[string]plugintest.ProvisionCase{
-		"password flag injection": {
+		"password flag inserted before positional args": {
 			ItemFields: map[sdk.FieldName]string{
 				fieldname.Password: "TestPassword123!",
 			},
+			CommandLine: []string{"-t", "--mount", "/tmp/vol", "/mnt/point"},
 			ExpectedOutput: sdk.ProvisionOutput{
-				CommandLine: []string{"-p", "TestPassword123!", "--non-interactive"},
+				CommandLine: []string{"-t", "--mount", "-p", "TestPassword123!", "--non-interactive", "/tmp/vol", "/mnt/point"},
 			},
 		},
-		"includes non-interactive flag": {
+		"flags inserted before mount point": {
 			ItemFields: map[sdk.FieldName]string{
 				fieldname.Password: "Secret456!",
 			},
+			CommandLine: []string{"--dismount", "/mnt/point"},
 			ExpectedOutput: sdk.ProvisionOutput{
-				CommandLine: []string{"-p", "Secret456!", "--non-interactive"},
+				CommandLine: []string{"--dismount", "-p", "Secret456!", "--non-interactive", "/mnt/point"},
 			},
 		},
 		"empty password returns error": {
@@ -44,8 +46,17 @@ func TestVolumePasswordProvisioner(t *testing.T) {
 				fieldname.Password: "VolumePass789!",
 				"Volume":           "/path/to/volume.tc",
 			},
+			CommandLine: []string{"-t", "--mount"},
 			ExpectedOutput: sdk.ProvisionOutput{
-				CommandLine: []string{"-p", "VolumePass789!", "--non-interactive"},
+				CommandLine: []string{"-t", "--mount", "-p", "VolumePass789!", "--non-interactive"},
+			},
+		},
+		"no command line uses flags as provided": {
+			ItemFields: map[sdk.FieldName]string{
+				fieldname.Password: "MySecret123!",
+			},
+			ExpectedOutput: sdk.ProvisionOutput{
+				CommandLine: []string{"-p", "MySecret123!", "--non-interactive"},
 			},
 		},
 	})
