1# Copyright 2018 The Chromium OS Authors. All rights reserved.
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5
6import logging
7import time
8
9from autotest_lib.client.bin import test, utils
10from autotest_lib.client.cros import cryptohome
11from autotest_lib.client.common_lib import error
12
13
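class platform_CryptohomeLECredentialManager(test.test):
    """Tests the le_credential_manager functionality of cryptohome.

    Exercises low-entropy (LE) credentials, i.e. PIN-style keys: setup,
    authentication, lockout after repeated wrong PINs, reset through the
    password key, LE credential cleanup on user removal, and explicit key
    removal.

    The setup phase is destructive: it deletes
    /home/.shadow/low_entropy_creds and the vaults of USER and USER2.
    """

    version = 1

    # Fixed fixtures for throwaway test accounts; not real secrets.
    USER = 'testing@gmail.com'
    USER2 = 'testing2@gmail.com'
    KEY_LABEL = 'lecred0'
    KEY_LABEL2 = 'lecred2'
    GOOD_PIN = '123456'
    BAD_PIN = '000000'
    TEST_PASSWORD = '~'

    # Number of wrong-PIN attempts made before the good PIN is expected to
    # be refused as well.
    LOCKOUT_ATTEMPTS = 5

    def get_known_le_credentials(self):
        """Returns the set of LE credentials present on the device.

        @returns the whitespace-separated entries that `ls` prints for
                 /home/.shadow/low_entropy_creds, as a set of strings.
        """
        list_result = utils.run('ls /home/.shadow/low_entropy_creds')
        return set(list_result.stdout.split())

    def _expect_mount_failure(self, password, failure_message):
        """Mounts USER's vault with the LE key and requires that it fails.

        @param password: secret presented for KEY_LABEL.
        @param failure_message: text of the error raised when the mount
                                unexpectedly succeeds.

        @raises cryptohome.ChromiumOSError: if the mount succeeds.
        """
        try:
            cryptohome.mount_vault(user=self.USER, password=password,
                                   key_label=self.KEY_LABEL)
        except cryptohome.ChromiumOSError:
            # Expected path: the mount attempt was refused.
            # NOTE(review): any ChromiumOSError counts as a refusal here, so
            # an unrelated mount failure is indistinguishable from a
            # rejected or locked-out credential - confirm this is acceptable.
            return
        # Raised outside the try block on purpose: the handler above catches
        # the same exception type and would otherwise swallow this failure,
        # letting a broken lockout pass the test unnoticed.
        raise cryptohome.ChromiumOSError(failure_message)

    def run_once(self, pre_reboot=None):
        """Runs the platform_CryptohomeLECredentialManager test.

        @param pre_reboot: None runs every phase. True runs setup and the
                           checks but skips the final credential and vault
                           removal. False skips setup and runs the checks
                           plus the final removal.

        @raises error.TestNAError: if low-entropy credentials are not
                                   supported on the device.
        @raises cryptohome.ChromiumOSError: if a check fails.
        """
        supported_policies = cryptohome.get_supported_key_policies()
        if (not supported_policies or
                not supported_policies.get('low_entropy_credentials', False)):
            raise error.TestNAError(
                'Low-entropy credentials are not supported.')

        if pre_reboot in (None, True):
            logging.info('Performing cleanup!')
            utils.run('stop cryptohomed')
            # Removes every LE credential stored on the device, not only
            # the ones this test created.
            utils.run('rm -rf /home/.shadow/low_entropy_creds')
            for user in (self.USER, self.USER2):
                try:
                    cryptohome.remove_vault(user)
                except cryptohome.ChromiumOSError:
                    # Best-effort cleanup; a failure to remove one vault
                    # must not skip the removal of the other.
                    pass
            utils.run('start cryptohomed')

            logging.info('Waiting on cryptohomed to startup!')
            time.sleep(3)

            # Cleanup any existing mounts
            cryptohome.unmount_vault()

            logging.info('Setting up LE credential!')
            # The following operations shall all succeed:
            cryptohome.mount_vault(user=self.USER, password=self.TEST_PASSWORD,
                                   create=True, key_label='default')
            cryptohome.add_le_key(
                user=self.USER, password=self.TEST_PASSWORD,
                new_key_label=self.KEY_LABEL, new_password=self.GOOD_PIN)
            cryptohome.unmount_vault()

        logging.info('Testing authentication!')
        # The following operations shall all succeed:
        cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN,
                               key_label=self.KEY_LABEL)
        cryptohome.unmount_vault()

        logging.info('Testing lockout!')
        # Every wrong-PIN attempt must be rejected, and after
        # LOCKOUT_ATTEMPTS of them the good PIN must stop working too,
        # until the credential is reset.
        for i in range(self.LOCKOUT_ATTEMPTS):
            self._expect_mount_failure(
                self.BAD_PIN,
                'Mount succeeded where it should have failed (try %d)' % i)
        self._expect_mount_failure(
            self.GOOD_PIN, 'Mount succeeded where it should have failed')

        logging.info('Testing reset!')
        # The following operations shall all succeed: mounting with the
        # password key comes first, after which the PIN must work again.
        cryptohome.mount_vault(user=self.USER, password=self.TEST_PASSWORD,
                               key_label='default')
        cryptohome.unmount_vault()
        cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN,
                               key_label=self.KEY_LABEL)
        cryptohome.unmount_vault()

        logging.info('Testing LE cred removal on user removal!')

        # Create a new user to test removal.
        cryptohome.mount_vault(user=self.USER2, password=self.TEST_PASSWORD,
                               create=True, key_label='default')
        lecreds_before_add = self.get_known_le_credentials()

        cryptohome.add_le_key(
            user=self.USER2, password=self.TEST_PASSWORD,
            new_key_label=self.KEY_LABEL, new_password=self.GOOD_PIN)
        cryptohome.add_le_key(
            user=self.USER2, password=self.TEST_PASSWORD,
            new_key_label=self.KEY_LABEL2, new_password=self.GOOD_PIN)
        cryptohome.unmount_vault()
        lecreds_after_add = self.get_known_le_credentials()

        cryptohome.remove_vault(self.USER2)
        lecreds_after_remove = self.get_known_le_credentials()

        # Adding the keys must have changed the on-disk credential set.
        if lecreds_after_add == lecreds_before_add:
            raise cryptohome.ChromiumOSError(
                'LE creds not added successfully')

        # Removing the user must leave no LE credential of theirs behind.
        if lecreds_after_remove != lecreds_before_add:
            raise cryptohome.ChromiumOSError(
                'LE creds not deleted succesfully on user deletion!')

        if pre_reboot in (None, False):
            logging.info('Testing remove credential!')
            # The following operations shall all succeed:
            cryptohome.remove_key(user=self.USER, password=self.TEST_PASSWORD,
                                  remove_key_label=self.KEY_LABEL)
            logging.info('Cleanup of test user!')
            cryptohome.remove_vault(self.USER)

        logging.info('Tests passed!')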