3 # Use of this source code is governed by a BSD-style license that can be
def get_user_hash(user):
    """Return the obfuscated user hash that cryptohome reports for *user*.

    Runs ``cryptohome --action=obfuscate_user --user=<user>`` through
    utils.system_output and returns whatever that call returns.

    @param user: user name to obfuscate.
    """
    # NOTE(review): the command is an argument list, not one shell string;
    # confirm utils.system_output runs lists without a shell so that `user`
    # always reaches cryptohome as a single argument.
    obfuscate_cmd = ['cryptohome', '--action=obfuscate_user',
                     '--user=%s' % user]
    return utils.system_output(obfuscate_cmd)
def user_path(user):
    """Return the user mount point for *user*.

    The value is the output of ``cryptohome-path user <user>`` as returned
    by utils.system_output.

    @param user: user name passed to cryptohome-path as its own argument.
    """
    lookup_cmd = ['cryptohome-path', 'user', user]
    return utils.system_output(lookup_cmd)
def system_path(user):
    """Return the system mount point for *user*.

    The value is the output of ``cryptohome-path system <user>`` as returned
    by utils.system_output.

    @param user: user name passed to cryptohome-path as its own argument.
    """
    lookup_cmd = ['cryptohome-path', 'system', user]
    return utils.system_output(lookup_cmd)
def temporary_mount_path(user):
    """Return the vault mount path used during crypto-migration for *user*.

    Formats TEMP_MOUNT_PATTERN with the hash from get_user_hash(user).

    @param user: user the temporary mount should be for
    """
    user_hash = get_user_hash(user)
    return TEMP_MOUNT_PATTERN % user_hash
def vault_path(user):
    """Return the vault path for *user*.

    Formats VAULT_PATH_PATTERN with the hash from get_user_hash(user).

    @param user: The user whose vault path should be returned.
    """
    user_hash = get_user_hash(user)
    return VAULT_PATH_PATTERN % user_hash
66 def ensure_clean_cryptohome_for(user, password=None): argument
67 """Ensure a fresh cryptohome exists for user.
69 @param user: user who needs a shiny new cryptohome.
74 unmount_vault(user)
75 remove_vault(user)
76 mount_vault(user, password, create=True)
119 ' --action=get_firmware_management_parameters')
148 ' --action=set_firmware_management_parameters '
149 '--flags=' + flags)
151 cmd += ' --developer_key_hash=' + developer_key_hash
171 out = run_cmd(CRYPTOHOME_CMD + ' --action=get_login_status')
192 out = run_cmd(CRYPTOHOME_CMD + ' --action=install_attributes_get_status')
206 CRYPTOHOME_CMD, '--action=install_attributes_set',
207 '--name="%s"' % name,
208 '--value="%s"' % value
214 out = run_cmd(CRYPTOHOME_CMD + ' --action=install_attributes_finalize')
221 cmd = CRYPTOHOME_CMD + ' --action=install_attributes_is_ready'
248 run_cmd(CRYPTOHOME_CMD + ' --action=tpm_take_ownership')
264 cmd = CRYPTOHOME_CMD + ' --action=tpm_verify_ek'
268 def remove_vault(user): argument
269 """Remove the given user's vault from the shadow directory."""
270 logging.debug('user is %s', user)
271 user_hash = get_user_hash(user)
272 logging.debug('Removing vault for user %s with hash %s', user, user_hash)
273 cmd = CRYPTOHOME_CMD + ' --action=remove --force --user=%s' % user
277 raise ChromiumOSError('Cryptohome could not remove the user\'s vault.')
288 logging.debug('Removing vault for user with hash %s', item)
292 def mount_vault(user, password, create=False, key_label=None): argument
293 """Mount the given user's vault. Mounts should be created by calling this
298 args = [CRYPTOHOME_CMD, '--action=mount_ex', '--user=%s' % user,
299 '--password=%s' % password, '--async']
301 args += ['--create']
305 args += ['--key_label=%s' % key_label]
308 user_hash = get_user_hash(user)
316 # TODO: Remove this additional call to get_user_hash(user) when
318 user_hash = get_user_hash(user)
325 if not is_permanent_vault_mounted(user=user, allow_fail=True):
331 args = [CRYPTOHOME_CMD, '--action=mount_guest_ex']
338 def test_auth(user, password): argument
340 cmd = [CRYPTOHOME_CMD, '--action=check_key_ex', '--user=%s' % user,
341 '--password=%s' % password, '--async']
347 def add_le_key(user, password, new_password, new_key_label): argument
349 args = [CRYPTOHOME_CMD, '--action=add_key_ex', '--key_policy=le',
350 '--user=%s' % user, '--password=%s' % password,
351 '--new_key_label=%s' % new_key_label,
352 '--new_password=%s' % new_password]
356 def remove_key(user, password, remove_key_label): argument
358 args = [CRYPTOHOME_CMD, '--action=remove_key_ex', '--user=%s' % user,
359 '--password=%s' % password,
360 '--remove_key_label=%s' % remove_key_label]
366 args = [CRYPTOHOME_CMD, '--action=get_supported_key_policies']
386 def unmount_vault(user=None): argument
387 """Unmount the given user's vault.
389 Once unmounting for a specific user is supported, the user parameter will
390 name the target user. See crosbug.com/20778.
392 run_cmd(CRYPTOHOME_CMD + ' --action=unmount')
394 if user is not None and is_vault_mounted(user, allow_fail=True):
395 raise ChromiumOSError('Cryptohome did not unmount the user.')
401 # 'cryptohome-namespace-mounter' is currently only used for Guest sessions.
402 mounter_exe = 'cryptohome-namespace-mounter'
403 mounter_pid = 'pgrep -o -f %s' % mounter_exe
419 'mount-point.'
432 'through %s. See logs for complete mount-point.'
437 def __get_user_mount_info(user, allow_fail=False): argument
438 """Get information about the active mounts for a given user.
440 Returns the active mounts at the user's user and system mount points. If no
441 user is given, the active mount at the shared mount point is returned
442 (regular users have a bind-mount at this mount point for backwards
443 compatibility; the guest user has a mount at this mount point only).
445 return [__get_mount_info(mount_point=user_path(user),
447 __get_mount_info(mount_point=system_path(user),
451 def is_vault_mounted(user, regexes=None, allow_fail=False): argument
452 """Check whether a vault is mounted for the given user.
454 user: If no user is given, the shared mount point is checked, determining
455 whether a vault is mounted for any user.
457 The mount filesystem for the user's user and system mounts point must
468 user_mount_info = __get_user_mount_info(user=user, allow_fail=allow_fail)
471 # user user/system mount (/home/user/.... /home/root/...)
496 """Check whether a vault is mounted for the guest user.
501 user=GUEST_USER_NAME,
513 def is_permanent_vault_mounted(user, allow_fail=False): argument
514 """Check if user is mounted over ecryptfs or ext4 crypto. """
516 user=user,
def get_mounted_vault_path(user, allow_fail=False):
    """Return the path where the decrypted data for *user* is located.

    The path is <constants.SHADOW_ROOT>/<user hash>/mount. It is computed
    from the user hash alone; this function does not check that a vault is
    mounted there.

    @param user: user whose hash (from get_user_hash) names the directory.
    @param allow_fail: accepted but not used by this function.
    """
    path_parts = (constants.SHADOW_ROOT, get_user_hash(user), 'mount')
    return os.path.join(*path_parts)
562 utils.system('kill -ABRT %d' % pid)
564 utils.system('kill -CONT %d' % pid)
566 lambda: utils.system('ps -p %d' % pid,
573 def create_ecryptfs_homedir(user, password): argument
576 If a home directory for the user exists already, it will be removed.
579 @param user: Username to create the home directory for.
582 unmount_vault(user)
583 remove_vault(user)
586 '--action=mount_ex',
587 '--user=%s' % user,
588 '--password=%s' % password,
589 '--key_label=foo',
590 '--ecryptfs',
591 '--create']
594 user,
603 def do_dircrypto_migration(user, password, timeout=600): argument
604 """Start dircrypto migration for the user.
606 @param user: The user to migrate.
611 unmount_vault(user)
614 '--action=mount_ex',
615 '--to_migrate_from_ecryptfs',
616 '--user=%s' % user,
617 '--password=%s' % password]
619 if not __get_mount_info(temporary_mount_path(user), allow_fail=True):
621 args = [CRYPTOHOME_CMD, '--action=migrate_to_dircrypto', '--user=%s' % user]
625 temporary_mount_path(user), allow_fail=True),
631 def change_password(user, password, new_password): argument
632 """Change user password."""
635 '--action=migrate_key_ex',
636 '--user=%s' % user,
637 '--old_password=%s' % password,
638 '--password=%s' % new_password]