def testRevoke(self): desc = b"dummy" session = keyutils.join_session_keyring() self.assertEqual( keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), None) keyutils.revoke(session) try: keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc) except keyutils.Error as err: self.assertEqual(err.args[0], keyutils.EKEYREVOKED) else: self.fail("Expected keyutils.Error") # It is convenient to use this test to verify that session_to_parent() # is functional because at this point it is known that there is # no session keyring available. childpid = os.fork() if childpid: pid, exitcode = os.waitpid(childpid, 0) self.assertEqual(childpid, pid) self.assertTrue( os.WIFEXITED(exitcode) and os.WEXITSTATUS(exitcode) == 0, exitcode) else: rc = 1 try: keyutils.join_session_keyring() keyutils.session_to_parent() rc = 0 finally: os._exit(rc) self.assertEqual( keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), None)
def _setupSession(): """ Link the user keyring into the session keyring. pam_keyinit.so normally does this by default, but do it again in case someone made a new session or the session was revoked. We want to add keys to the user keyring so that they are reachable across sessions, and continue to work after the session is revoked due to e.g. detaching from screen and closing SSH. But keys are created with permissions that require "possession" to read them, where possession means the key is reachable via the session keyring. If the session keyring is empty, adding a key to any other keyring means that key is not under possession and thus not readable even though we own it. The fix is to ensure the user keyring is always linked under the session keyring so that keys in the user keyring are reachable via the session keyring. """ global _keyring try: _keyutils.link(_keyutils.KEY_SPEC_USER_KEYRING, _keyutils.KEY_SPEC_SESSION_KEYRING) except AttributeError: # Old keyutils. Downgrade to just using the session keyring directly, # because there's no way to look in the user keyring. _keyring = _keyutils.KEY_SPEC_SESSION_KEYRING return except _keyutils.Error as err: if err.args[0] != _keyutils.EKEYREVOKED: raise # Session key was revoked. Make a new session and try again. _keyutils.join_session_keyring() _keyutils.link(_keyutils.KEY_SPEC_USER_KEYRING, _keyutils.KEY_SPEC_SESSION_KEYRING)
def testSession(self): desc = "test:key:02" val = "asdfasdfasdf" session = keyutils.join_session_keyring() keyId = keyutils.add_key(desc, val, session) self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), keyId) keyutils.join_session_keyring() self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), None)
def testSession(self): desc = b"test:key:02" val = b"asdfasdfasdf" session = keyutils.join_session_keyring() keyId = keyutils.add_key(desc, val, session) self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), keyId) keyutils.join_session_keyring() self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), None)
def testRevoke(self): desc = "dummy" session = keyutils.join_session_keyring() self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), None) keyutils.revoke(session) try: keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc) except keyutils.Error as err: self.assertEqual(err.args[0], keyutils.EKEYREVOKED) else: self.fail("Expected keyutils.Error") keyutils.join_session_keyring()
def testRevoke(self): desc = b"dummy" session = keyutils.join_session_keyring() self.assertEqual(keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc), None) keyutils.revoke(session) try: keyutils.search(keyutils.KEY_SPEC_SESSION_KEYRING, desc) except keyutils.Error as err: self.assertEqual(err.args[0], keyutils.EKEYREVOKED) else: self.fail("Expected keyutils.Error") keyutils.join_session_keyring()
def keyring(): """ This fixture creates a new anonymous session keyring and subscribes the process to it. The id of this keyring is returned. On cleanup, the keyring will be cleared. """ keyring_id = keyutils.join_session_keyring() yield keyring_id keyutils.clear(keyring_id)
def __init__(self, owner, name, salt, keepalive=None): assert isinstance(owner, basestring), type(owner) assert isinstance(name, basestring), type(name) if not owner: raise ValueError(owner) if not name: raise ValueError(name) self.__crypt = cryptography.fernet.Fernet( base64.urlsafe_b64encode( PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=('' if salt is None else salt), iterations=100000, backend=default_backend()).derive(name))) self.__keepalive = (12 * 60 * 60 if keepalive is None else keepalive * 60 if keepalive else None) self.__owner = owner self.__name = name self.__keyName = '{}:{}'.format(self.__owner, self.__name) self.__keyId = False # if the session keyring does not already exist, create one # now. There is an inherent race here because multiple processes # can attempt to create the session keyring, and each will # end up with its own. try: keyutils.describe_key(self._KeyRing.SESSION) except keyutils.Error: keyutils.join_session_keyring() keyutils.session_to_parent() keyutils.describe_key(self._KeyRing.SESSION)