fix: idempotence issue when binding fails to be added

tests/tasks/bind_repeatedly_single_device.yml

@@ -0,0 +1,18 @@
+---
+- name: Initialize nbde_client_failed_binding and nbde_client_test_slot for device {{ nbde_client_selected_device }}
+  set_fact:
+    nbde_client_failed_binding: false
+    nbde_client_test_slot: 0
+
+- name: Keep binding until it fails
+  include_tasks: bind_slot_with_passphrase.yml
+
+- name: Display last used slot
+  debug:
+    msg: Last used slot was "{{ nbde_client_test_slot }}" for device "{{ nbde_client_selected_device }}"
+
+- name: Verify the binding failed to be added at least once
+  assert:
+    that: nbde_client_failed_binding
+
+# vim:set ts=2 sw=2 et:

tests/tasks/bind_slot_with_passphrase.yml

@@ -0,0 +1,72 @@
+---
+- name: Bind with passphrase repeatedly until it fails or slot is 7
+  block:
+    - name: Select next slot
+      set_fact:
+        nbde_client_test_slot: "{{ nbde_client_test_slot | int + 1 }}"
+
+    - name: Display selected slot
+      debug:
+        msg: Selected slot is {{ nbde_client_test_slot }}
+
+    - name: Gather device checksum BEFORE binding operation
+      shell: >
+        set -euo pipefail;
+        sha256sum "{{ nbde_client_selected_device }}" | cut -f1 -d' '
+      changed_when: false
+      register: nbde_client_device_checksum_before
+
+    - name: Perform binding with nbde_client role
+      include_role:
+        name: linux-system-roles.nbde_client
+        public: true
+      vars:
+        nbde_client_bindings:
+          - device: "{{ nbde_client_selected_device }}"
+            slot: "{{ nbde_client_test_slot }}"
+            encryption_password: "{{ nbde_client_test_pass }}"
+            servers:
+              - http://localhost
+              - http://localhost
+              - http://localhost
+
+    - name: Attempt to unlock device
+      include_tasks: verify_unlock_device.yml
+
+    - name: Make sure the attempt to unlock succeeded
+      assert:
+        that:
+          - not nbde_client_unlock.failed
+          - not nbde_client_close.failed
+
+  rescue:
+    - name: Set nbde_client_failed_binding to indicate a binding failed to be added
+      set_fact:
+        nbde_client_failed_binding: true
+
+    - name: Gather device checksum AFTER failed binding operation
+      shell: >
+        set -euo pipefail;
+        sha256sum "{{ nbde_client_selected_device }}" | cut -f1 -d' '
+      changed_when: false
+      register: nbde_client_device_checksum_after
+
+    - name: Show checksums for comparison
+      debug:
+        msg: |
+          Checksum BEFORE: {{ nbde_client_device_checksum_before.stdout }}
+          Checksum AFTER:  {{ nbde_client_device_checksum_after.stdout }}
+
+    - name: Make sure the checksum from BEFORE and AFTER matches when binding fails
+      assert:
+        that:
+          - nbde_client_device_checksum_before.stdout == nbde_client_device_checksum_after.stdout
+
+  always:
+    - name: Include this same task if it has not failed yet and slot is less than 7
+      when:
+        - nbde_client_test_slot | int < 8
+        - not nbde_client_failed_binding
+      include_tasks: bind_slot_with_passphrase.yml
+
+# vim:set ts=2 sw=2 et:

tests/tasks/cleanup_test.yml

@@ -3,6 +3,9 @@
   file:
     path: "{{ nbde_client_test_device }}"
     state: absent
+  loop:
+    - "{{ nbde_client_test_device }}"       # LUKS2 (with modern cryptsetup).
+    - "{{ nbde_client_test_device_luks1 }}" # LUKS1.
 
 - name: Clean up test dir on controller
   file:

tests/tasks/setup_test.yml

@@ -60,14 +60,26 @@
   command: fallocate -l64m {{ nbde_client_test_device }}
   changed_when: false
 
-- name: Format test device as LUKS
+- name: Create LUKS1 device for testing
+  command: fallocate -l64m {{ nbde_client_test_device_luks1 }}
+  changed_when: false
+
+- name: Format test device as LUKS (LUKS2 with modern cryptsetup)
   shell: >-
     set -euo pipefail;
     echo -n {{ nbde_client_test_pass }} |
     cryptsetup luksFormat --pbkdf pbkdf2 --pbkdf-force-iterations 1000
     --batch-mode --force-password {{ nbde_client_test_device }}
   changed_when: false
 
+- name: Format another test device as LUKS1
+  shell: >-
+    set -euo pipefail;
+    echo -n {{ nbde_client_test_pass }} |
+    cryptsetup luksFormat --type luks1 --pbkdf-force-iterations 1000
+    --batch-mode --force-password {{ nbde_client_test_device_luks1 }}
+  changed_when: false
+
 - name: Create key file for test device
   copy:
     content: "{{ nbde_client_test_pass }}"

tests/tests_failed_bind.yml

@@ -0,0 +1,63 @@
+---
+- name: Test failed binding operation
+  hosts: all
+
+  tasks:
+    - name: Set up test environment
+      include_tasks: tasks/setup_test.yml
+
+    - name: Get the contents of the tang directory before adding keys
+      find:
+        path: /var/db/tang/
+        patterns: "*.jwk"
+      register: tang_dir_contents_before
+
+    # For this test we will create many tang keys, so that the metadata
+    # generated will be too large that it will not fit the LUKS header
+    # after a few binding attempts.
+    - name: Add multiple tang keys
+      command: /usr/libexec/tangd-keygen /var/db/tang/
+      changed_when: false
+      with_sequence: count=32
+
+    - name: Run the test
+      block:
+        # Now we will attempt to perform multiple binding operations, and at some
+        # point it will fail, due to the metadata being too large. We will also
+        # calculate the checksum of the device before each attempt, and, in case
+        # the binding fails, we will compare the after checksum to check whether
+        # any changes were performed, in these failed scenarios.
+        - name: Run the test for each device type
+          include_tasks: tasks/bind_repeatedly_single_device.yml
+          loop:
+            - "{{ nbde_client_test_device }}"       # LUKS2 (with modern cryptsetup).
+            - "{{ nbde_client_test_device_luks1 }}" # LUKS1.
+          loop_control:
+            loop_var: nbde_client_selected_device
+
+      always:
+        - name: Get the contents of the tang directory after adding keys
+          find:
+            path: /var/db/tang/
+            patterns: "*.jwk"
+          register: tang_dir_contents_after
+
+        - name: Remove any keys added during the test
+          file:
+            path: "{{ item }}"
+            state: absent
+          loop: "{{ tang_dir_contents_after.files | map(attribute='path') | list |
+            difference(tang_dir_contents_before.files | map(attribute='path') | list) }}"
+
+        - name: Ensure directory is same as before
+          find:
+            path: /var/db/tang/
+            patterns: "*.jwk"
+          register: tang_dir_contents_final
+          failed_when: tang_dir_contents_before.files | map(attribute='path') | list |
+            difference(tang_dir_contents_final.files | map(attribute='path') | list) | list | length > 0
+
+        - name: Clean up test environment
+          include_tasks: tasks/cleanup_test.yml
+
+# vim:set ts=2 sw=2 et:

tests/vars/main.yml

@@ -3,5 +3,6 @@
 # Put the tests internal variables here that are not distribution specific.
 
 nbde_client_test_device: /tmp/.nbde_client_dev_test
+nbde_client_test_device_luks1: /tmp/.nbde_client_dev_test_luks1
 
 # vim:set ts=2 sw=2 et:

vars/Debian.yml

@@ -3,5 +3,6 @@ __nbde_client_packages:
   - clevis
   - clevis-luks
   - clevis-systemd
+  - coreutils
 
 nbde_client_early_boot: false

vars/Fedora.yml

@@ -7,6 +7,7 @@ __nbde_client_packages:
   - clevis-dracut
   - clevis-luks
   - clevis-systemd
+  - coreutils
   - iproute
   - NetworkManager
 

vars/RedHat_10.yml

@@ -7,6 +7,7 @@ __nbde_client_packages:
   - clevis-dracut
   - clevis-luks
   - clevis-systemd
+  - coreutils
   - iproute
   - NetworkManager
 

vars/RedHat_7.yml

@@ -7,6 +7,7 @@ __nbde_client_packages:
   - clevis-dracut
   - clevis-luks
   - clevis-systemd
+  - coreutils
   - iproute
   - NetworkManager
 

vars/RedHat_8.yml

@@ -7,6 +7,7 @@ __nbde_client_packages:
   - clevis-dracut
   - clevis-luks
   - clevis-systemd
+  - coreutils
   - iproute
   - NetworkManager
 

vars/RedHat_9.yml

@@ -7,6 +7,7 @@ __nbde_client_packages:
   - clevis-dracut
   - clevis-luks
   - clevis-systemd
+  - coreutils
   - iproute
   - NetworkManager