Ejemplo n.º 1
0
    def testRevoke(self):
        desc = b"dummy"
        session = keyutils.join_session_keyring()
        self.assertEqual(
            keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), None)
        keyutils.revoke(session)
        try:
            keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc)
        except keyutils.Error as err:
            self.assertEqual(err.args[0], keyutils.EKEYREVOKED)
        else:
            self.fail("Expected keyutils.Error")

        # It is convenient to use this test to verify that session_to_parent()
        # is functional because at this point it is known that there is
        # no session keyring available.

        childpid = os.fork()
        if childpid:
            pid, exitcode = os.waitpid(childpid, 0)
            self.assertEqual(childpid, pid)
            self.assertTrue(
                os.WIFEXITED(exitcode) and os.WEXITSTATUS(exitcode) == 0,
                exitcode)
        else:
            rc = 1
            try:
                keyutils.join_session_keyring()
                keyutils.session_to_parent()
                rc = 0
            finally:
                os._exit(rc)

        self.assertEqual(
            keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), None)
Ejemplo n.º 2
0
def _setupSession():
    """
    Link the user keyring into the session keyring. pam_keyinit.so normally
    does this by default, but do it again in case someone made a new session or
    the session was revoked.

    We want to add keys to the user keyring so that they are reachable across
    sessions, and continue to work after the session is revoked due to e.g.
    detaching from screen and closing SSH. But keys are created with
    permissions that require "possession" to read them, where possession means
    the key is reachable via the session keyring. If the session keyring is
    empty, adding a key to any other keyring means that key is not under
    possession and thus not readable even though we own it.

    The fix is to ensure the user keyring is always linked under the session
    keyring so that keys in the user keyring are reachable via the session
    keyring.
    """
    global _keyring
    try:
        _keyutils.link(_keyutils.KEY_SPEC_USER_KEYRING, _keyutils.KEY_SPEC_SESSION_KEYRING)
    except AttributeError:
        # Old keyutils. Downgrade to just using the session keyring directly,
        # because there's no way to look in the user keyring.
        _keyring = _keyutils.KEY_SPEC_SESSION_KEYRING
        return
    except _keyutils.Error as err:
        if err.args[0] != _keyutils.EKEYREVOKED:
            raise
        # Session key was revoked. Make a new session and try again.
        _keyutils.join_session_keyring()
        _keyutils.link(_keyutils.KEY_SPEC_USER_KEYRING, _keyutils.KEY_SPEC_SESSION_KEYRING)
Ejemplo n.º 3
0
def _setupSession():
    """
    Link the user keyring into the session keyring. pam_keyinit.so normally
    does this by default, but do it again in case someone made a new session or
    the session was revoked.

    We want to add keys to the user keyring so that they are reachable across
    sessions, and continue to work after the session is revoked due to e.g.
    detaching from screen and closing SSH. But keys are created with
    permissions that require "possession" to read them, where possession means
    the key is reachable via the session keyring. If the session keyring is
    empty, adding a key to any other keyring means that key is not under
    possession and thus not readable even though we own it.

    The fix is to ensure the user keyring is always linked under the session
    keyring so that keys in the user keyring are reachable via the session
    keyring.
    """
    global _keyring
    try:
        _keyutils.link(_keyutils.KEY_SPEC_USER_KEYRING,
                       _keyutils.KEY_SPEC_SESSION_KEYRING)
    except AttributeError:
        # Old keyutils. Downgrade to just using the session keyring directly,
        # because there's no way to look in the user keyring.
        _keyring = _keyutils.KEY_SPEC_SESSION_KEYRING
        return
    except _keyutils.Error as err:
        if err.args[0] != _keyutils.EKEYREVOKED:
            raise
        # Session key was revoked. Make a new session and try again.
        _keyutils.join_session_keyring()
        _keyutils.link(_keyutils.KEY_SPEC_USER_KEYRING,
                       _keyutils.KEY_SPEC_SESSION_KEYRING)
Ejemplo n.º 4
0
 def testSession(self):
     desc = "test:key:02"
     val = "asdfasdfasdf"
     session = keyutils.join_session_keyring()
     keyId = keyutils.add_key(desc, val, session)
     self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), keyId)
     keyutils.join_session_keyring()
     self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), None)
Ejemplo n.º 5
0
 def testSession(self):
     desc = b"test:key:02"
     val = b"asdfasdfasdf"
     session = keyutils.join_session_keyring()
     keyId = keyutils.add_key(desc, val, session)
     self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING,
         desc), keyId)
     keyutils.join_session_keyring()
     self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING,
         desc), None)
Ejemplo n.º 6
0
 def testRevoke(self):
     desc = "dummy"
     session = keyutils.join_session_keyring()
     self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), None)
     keyutils.revoke(session)
     try:
         keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc)
     except keyutils.Error as err:
         self.assertEqual(err.args[0], keyutils.EKEYREVOKED)
     else:
         self.fail("Expected keyutils.Error")
     keyutils.join_session_keyring()
Ejemplo n.º 7
0
 def testRevoke(self):
     desc = b"dummy"
     session = keyutils.join_session_keyring()
     self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING,
         desc), None)
     keyutils.revoke(session)
     try:
         keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc)
     except keyutils.Error as err:
         self.assertEqual(err.args[0], keyutils.EKEYREVOKED)
     else:
         self.fail("Expected keyutils.Error")
     keyutils.join_session_keyring()
Ejemplo n.º 8
0
def keyring():
    """ This fixture creates a new anonymous session keyring and subscribes the
    process to it. The id of this keyring is returned. On cleanup, the keyring
    will be cleared. """
    keyring_id = keyutils.join_session_keyring()
    yield keyring_id
    keyutils.clear(keyring_id)
Ejemplo n.º 9
0
    def __init__(self, owner, name, salt, keepalive=None):

        assert isinstance(owner, basestring), type(owner)
        assert isinstance(name, basestring), type(name)

        if not owner:
            raise ValueError(owner)

        if not name:
            raise ValueError(name)

        self.__crypt = cryptography.fernet.Fernet(
            base64.urlsafe_b64encode(
                PBKDF2HMAC(algorithm=hashes.SHA256(),
                           length=32,
                           salt=('' if salt is None else salt),
                           iterations=100000,
                           backend=default_backend()).derive(name)))

        self.__keepalive = (12 * 60 * 60 if keepalive is None else keepalive *
                            60 if keepalive else None)

        self.__owner = owner
        self.__name = name

        self.__keyName = '{}:{}'.format(self.__owner, self.__name)
        self.__keyId = False

        # if the session keyring does not already exist, create one
        # now. There is an inherent race here because multiple processes
        # can attempt to create the session keyring, and each will
        # end up with its own.

        try:
            keyutils.describe_key(self._KeyRing.SESSION)
        except keyutils.Error:
            keyutils.join_session_keyring()
            keyutils.session_to_parent()

        keyutils.describe_key(self._KeyRing.SESSION)