Return an error if there is no unlock method

It is not logically necessary for an unlock method to be discoverable, the LUKS metadata may have been tampered with in such a way that it is still clear that the LUKS device is a Stratis device but neither a key nor a Clevis configuration can be obtained. Signed-off-by: mulhern <[email protected]>
stratis-storage · May 25, 2023 · 1c04b1b · 1c04b1b
1 parent c006291
commit 1c04b1b
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/src/engine/strat_engine/backstore/crypt/shared.rs b/src/engine/strat_engine/backstore/crypt/shared.rs
@@ -402,8 +402,15 @@ pub fn load_crypt_metadata(
     };
     let clevis_info = clevis_info_from_metadata(device)?;
 
-    let encryption_info = EncryptionInfo::from_options((key_description, clevis_info))
-        .expect("Must have at least one unlock method");
+    let encryption_info =
+        if let Some(info) = EncryptionInfo::from_options((key_description, clevis_info)) {
+            info
+        } else {
+            return Err(StratisError::Msg(format!(
+                "No valid encryption method that can be used to unlock device {} found",
+                physical_path.display()
+            )));
+        };
 
     let path = vec![DEVICEMAPPER_PATH, &activation_name.to_string()]
         .into_iter()