1#!/bin/ksh -p
2#
3# CDDL HEADER START
4#
5# This file and its contents are supplied under the terms of the
6# Common Development and Distribution License ("CDDL"), version 1.0.
7# You may only use this file in accordance with the terms of version
8# 1.0 of the CDDL.
9#
10# A full copy of the text of the CDDL should have accompanied this
11# source.  A copy of the CDDL is also available via the Internet at
12# http://www.illumos.org/license/CDDL.
13#
14# CDDL HEADER END
15#
16
17#
18# Copyright (c) 2017 Datto, Inc. All rights reserved.
19#
20
21. $STF_SUITE/include/libtest.shlib
22
23#
24# DESCRIPTION:
25# ZFS should receive to an encrypted child dataset.
26#
27# STRATEGY:
28#  1. Snapshot the default dataset
29#  2. Create an encrypted dataset
30#  3. Attempt to receive a stream to an encrypted child
31#  4. Unload the key
32#  5. Attempt to receive an incremental stream to an encrypted child (must fail)
33#  6. Attempt to receive a stream with properties to an unencrypted child
34#  7. Attempt to receive an incremental stream to an unencrypted child
35#  8. Attempt to receive with -o encryption=off to an unencrypted child
36#  9. Attempt to receive a replication stream to an unencrypted child
37# 10. Attempt to receive a snapshot stream to an encrypted child (must fail)
38#
39
40verify_runnable "both"
41
42function cleanup
43{
44	datasetexists $TESTPOOL/encrypted && \
45		destroy_dataset $TESTPOOL/encrypted -r
46
47	snapexists $snap && destroy_dataset $snap -f
48	snapexists $snap2 && destroy_dataset $snap2 -f
49
50	datasetexists $TESTPOOL/$TESTFS1 && \
51		destroy_dataset $TESTPOOL/$TESTFS1 -r
52}
53
54log_onexit cleanup
55
56log_assert "ZFS should receive encrypted filesystems into child dataset"
57
58typeset passphrase="password"
59typeset snap="$TESTPOOL/$TESTFS@snap"
60typeset snap2="$TESTPOOL/$TESTFS@snap2"
61typeset testfile="testfile"
62
63log_must zfs snapshot $snap
64log_must zfs snapshot $snap2
65
66log_must eval "echo $passphrase | zfs create -o encryption=on" \
67	"-o keyformat=passphrase $TESTPOOL/$TESTFS1"
68
69log_note "Verifying ZFS will receive to an encrypted child"
70log_must eval "zfs send $snap | zfs receive -u $TESTPOOL/$TESTFS1/c1"
71log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c1)" != "off"
72
73# Unload the key, the following tests won't require it and we will test
74# the receive checks as well.
75log_must zfs unmount $TESTPOOL/$TESTFS1
76log_must zfs unload-key $TESTPOOL/$TESTFS1
77
78log_note "Verifying ZFS will not receive an incremental into an encrypted" \
79	 "dataset when the key is unloaded"
80log_mustnot eval "zfs send -i $snap $snap2 | zfs receive $TESTPOOL/$TESTFS1/c1"
81
82log_note "Verifying 'send -p' will receive to an unencrypted child"
83log_must eval "zfs send -p $snap | zfs receive -u $TESTPOOL/$TESTFS1/c2"
84log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c2)" == "off"
85
86log_note "Verifying 'send -i' will receive to an unencrypted child"
87log_must eval "zfs send -i $snap $snap2 | zfs receive $TESTPOOL/$TESTFS1/c2"
88
89# For completeness add the property override case.
90log_note "Verifying recv -o encyption=off' will receive to an unencrypted child"
91log_must eval "zfs send $snap | \
92	zfs receive -o encryption=off $TESTPOOL/$TESTFS1/c2o"
93log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c2o)" == "off"
94
95log_note "Verifying 'send -R' will receive to an unencrypted child"
96log_must eval "zfs send -R $snap | zfs receive $TESTPOOL/$TESTFS1/c3"
97log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c3)" == "off"
98
99log_note "Verifying ZFS will not receive to an encrypted child when the" \
100	"parent key is unloaded"
101log_mustnot eval "zfs send $snap | zfs receive $TESTPOOL/$TESTFS1/c4"
102
103# Verify that replication can override encryption properties
104log_note "Verifying replication can override encryption properties for plain dataset"
105typeset key_location="/$TESTPOOL/pkey1"
106log_must eval "echo $passphrase > $key_location"
107log_must eval "zfs send -R $snap2 | zfs recv -s -F -o encryption=on" \
108	"-o keyformat=passphrase -o keylocation=file://$key_location" \
109	"-o mountpoint=none $TESTPOOL/encrypted"
110log_must test "$(get_prop 'encryption' $TESTPOOL/encrypted)" != "off"
111log_must test "$(get_prop 'keyformat' $TESTPOOL/encrypted)" == "passphrase"
112log_must test "$(get_prop 'keylocation' $TESTPOOL/encrypted)" == "file://$key_location"
113
114log_pass "ZFS can receive encrypted filesystems into child dataset"
115