def run_once(self): username = '' with chrome.Chrome() as cr: username = cr.username if not cryptohome.is_vault_mounted(user=username, allow_fail=False): raise error.TestFail('Expected to find a mounted vault.') if cryptohome.is_vault_mounted(user=username, allow_fail=True): raise error.TestFail('Expected to not find a mounted vault.') # Remove our vault, mount another vault, create a test file # in the other vault, and ensure that the file no longer exists # after we log back in. cryptohome.remove_vault(username) cryptohome.mount_vault(TEST_USER, TEST_PASS, create=True) test_file = os.path.join(cryptohome.user_path(TEST_USER), 'hello') open(test_file, 'w').close() cryptohome.unmount_vault(TEST_USER) with chrome.Chrome(): if not cryptohome.is_vault_mounted(user=username, allow_fail=False): raise error.TestFail('Expected to find user\'s mounted vault.') if os.path.exists(test_file): raise error.TestFail('Expected to not find the test file.')
def vault_mounted(user, password): cryptohome.mount_vault(user, password, create=True) yield try: cryptohome.unmount_vault(user) except: pass
def run_once(self): test_user = '******' test_password = '******' # Remove the test user account (if it exists), create it and # mount it cryptohome.ensure_clean_cryptohome_for(test_user, test_password) # Unmount the vault and ensure it's not there cryptohome.unmount_vault(test_user) # Make sure that an incorrect password fails incorrect_password = '******' try: cryptohome.mount_vault(test_user, incorrect_password) except: pass else: raise error.TestFail('Cryptohome mounted with a bad password') # Ensure that the user directory is not mounted if cryptohome.is_permanent_vault_mounted(test_user, allow_fail=True): raise error.TestFail('Cryptohome mounted even though mount failed') # Remove the test user account cryptohome.remove_vault(test_user)
def require_mount_fail(self, user): try: cryptohome.mount_vault(user, 'test', create=True) except: pass else: raise error.TestFail('Mount succeeded for %s' % user)
def test_mount_single(self): """ Tests mounting a single not-already-existing cryptohome. Ensures that the infrastructure for multiple mounts is present and active. """ user = utils.random_username() cryptohome.mount_vault(user, 'test', create=True) cryptohome.unmount_vault(user)
def require_mount_fail(self, user): """ Raise an error if the mount succeeded. @param user: A random user created in run_once. """ try: cryptohome.mount_vault(user, 'test', create=True) except: pass else: raise error.TestFail('Mount unexpectedly succeeded for %s' % user)
def run_once(self, runtime, disk_configs, script=None, sysctls_list=None): """ Create a 300MB file in tmpfs/encrypted/unencrypted location and run fio tesst. @param disk_configs: list of keys from DISK_CONFIG_KEYS. @param script: fio script to run @param sysctls_list: list of dictionary of sysctls to alter. """ if not set(disk_configs).issubset(set(self.DISK_CONFIG_KEYS)): raise error.TestFail('Unknown keys in disk config') for config in disk_configs: for sysctls in sysctls_list or [{}]: graph_descr = '' for key, val in sysctls.iteritems(): utils.sysctl(key, val) graph_descr += '-'.join([os.path.basename(key), str(val)]) # Mount a test cryptohome vault. if config == self.USE_CRYPTO: cryptohome.mount_vault(TEST_USER, TEST_PASSWORD, create=True) tmpdir = cryptohome.user_path(TEST_USER) elif config == self.USE_TMPFS: tmpdir = None else: tmpdir = self.tmpdir self.__work_dir = tempfile.mkdtemp(dir=tmpdir) results = {} # TODO make these parameters to run_once & check disk for space. self.__filesize = '300m' self.__runtime = str(runtime) env_vars = ' '.join([ 'FILENAME=' + os.path.join(self.__work_dir, script), 'FILESIZE=' + self.__filesize, 'RUN_TIME=' + self.__runtime ]) job_file = os.path.join(self.bindir, script) results.update( fio_util.fio_runner(self, job_file, env_vars, name_prefix=graph_descr + config)) self.write_perf_keyval(results) logging.info('Finished with FS stress, cleaning up.') if config == self.USE_CRYPTO: cryptohome.unmount_vault(TEST_USER) cryptohome.remove_vault(TEST_USER) else: shutil.rmtree(self.__work_dir)
def bad_password(self): user = utils.random_username() old_pass = '******' new_pass = '******' cryptohome.mount_vault(user, old_pass, create=True) cryptohome.unmount_vault(user) try: cryptohome.change_password(user, 'bad', new_pass) except: pass else: raise error.TestFail('Migrated with bad password.') cryptohome.remove_vault(user)
def run_once(self): test_user = '******' test_password = '******' user_hash = cryptohome.get_user_hash(test_user) # Ensure that the user directory is unmounted and does not exist. cryptohome.unmount_vault(test_user) cryptohome.remove_vault(test_user) if os.path.exists(os.path.join(constants.SHADOW_ROOT, user_hash)): raise error.TestFail('Could not remove the test user.') # Mount the test user account, which ensures that the vault is # created, and that the mount succeeds. cryptohome.mount_vault(test_user, test_password, create=True) # Test credentials when the user's directory is mounted if not cryptohome.test_auth(test_user, test_password): raise error.TestFail('Valid credentials should authenticate ' 'while mounted.') # Make sure that an incorrect password fails if cryptohome.test_auth(test_user, 'badpass'): raise error.TestFail('Invalid credentials should not authenticate ' 'while mounted.') # Unmount the directory cryptohome.unmount_vault(test_user) # Ensure that the user directory is not mounted if cryptohome.is_vault_mounted(user=test_user, allow_fail=True): raise error.TestFail('Cryptohome did not unmount the user.') # Test valid credentials when the user's directory is not mounted if not cryptohome.test_auth(test_user, test_password): raise error.TestFail('Valid credentials should authenticate ' ' while mounted.') # Test invalid credentials fails while not mounted. if cryptohome.test_auth(test_user, 'badpass'): raise error.TestFail('Invalid credentials should not authenticate ' 'when unmounted.') # Re-mount existing test user vault, verifying that the mount succeeds. cryptohome.mount_vault(test_user, test_password) # Finally, unmount and destroy the vault again. cryptohome.unmount_vault(test_user) cryptohome.remove_vault(test_user) if os.path.exists(os.path.join(constants.SHADOW_ROOT, user_hash)): raise error.TestFail('Could not destroy the vault.')
def initialize(self): super(login_OwnershipApi, self).initialize() self._bus_loop = DBusGMainLoop(set_as_default=True) # Clear existing ownership and inject known keys. cros_ui.stop() ownership.clear_ownership_files_no_restart() # Make device already owned by ownership.TESTUSER. cryptohome.mount_vault(ownership.TESTUSER, ownership.TESTPASS, create=True) ownership.use_known_ownerkeys(ownership.TESTUSER) self._tempdir = autotemp.tempdir(unique_id=self.__class__.__name__) cros_ui.start()
def run_once(self): # Make sure that the tpm is owned. status = cryptohome.get_tpm_status() if not status['Owned']: cryptohome.take_tpm_ownership() self.user = '******' password = '******' cryptohome.ensure_clean_cryptohome_for(self.user, password) # First we inject 30 tokens into chaps. This forces the cryptohome # key to get evicted. for i in range(30): pkcs11.inject_and_test_key() # Then we get a user to remount his cryptohome. This process uses # the cryptohome key, and if the user was able to login, the # cryptohome key was correctly reloaded. cryptohome.unmount_vault(self.user) cryptohome.mount_vault(self.user, password, create=True)
def run_once(self): test_user = '******' test_password = '******' # Remove any old test user account cryptohome.remove_vault(test_user) # Create a fresh test user account cryptohome.mount_vault(test_user, test_password, create=True) cryptohome.unmount_vault(test_user) # Try to migrate the password new_password = '******' cryptohome.change_password(test_user, test_password, new_password) # Mount the test user account with the new password cryptohome.mount_vault(test_user, new_password) cryptohome.unmount_vault(test_user) # Ensure the old password doesn't work try: cryptohome.mount_vault(test_user, test_password) except cryptohome.ChromiumOSError: pass else: raise error.TestFail("Mount with old password worked") # Remove the test user account cryptohome.remove_vault(test_user)
def good(self): user = utils.random_username() old_pass = '******' new_pass = '******' cryptohome.mount_vault(user, old_pass, create=True) cryptohome.unmount_vault(user) cryptohome.change_password(user, old_pass, new_pass) try: cryptohome.mount_vault(user, old_pass) except: pass else: raise error.TestFail('Old password still works.') cryptohome.mount_vault(user, new_pass) cryptohome.unmount_vault(user) cryptohome.remove_vault(user)
def run_once(self, pre_reboot=None): """Runs the platform_CryptohomeLECredentialManager test. """ supported_policies = cryptohome.get_supported_key_policies() if (not supported_policies or not supported_policies.get('low_entropy_credentials', False)): raise error.TestNAError( 'Low-entropy credentials are not supported.') if pre_reboot is None or pre_reboot == True: logging.info('Performing cleanup!') utils.run('stop cryptohomed') utils.run('rm -rf /home/.shadow/low_entropy_creds') try: cryptohome.remove_vault(self.USER) cryptohome.remove_vault(self.USER2) except cryptohome.ChromiumOSError: pass utils.run('start cryptohomed') logging.info('Waiting on cryptohomed to startup!') time.sleep(3) # Cleanup any existing mounts cryptohome.unmount_vault() logging.info('Setting up LE credential!') # The following operations shall all succeed: cryptohome.mount_vault(user=self.USER, password=self.TEST_PASSWORD, create=True, key_label='default') cryptohome.add_le_key( user=self.USER, password=self.TEST_PASSWORD, new_key_label=self.KEY_LABEL, new_password=self.GOOD_PIN) cryptohome.unmount_vault() logging.info('Testing authentication!') # The following operations shall all succeed: cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN, key_label=self.KEY_LABEL) cryptohome.unmount_vault() logging.info('Testing lockout!') # The following operations fail, as they attempt to use the wrong PIN 5 # times and then good PIN also stops working until reset: for i in range(5): try: cryptohome.mount_vault(user=self.USER, password=self.BAD_PIN, key_label=self.KEY_LABEL) raise cryptohome.ChromiumOSError( 'Mount succeeded where it should have failed (try %d)' % i) except cryptohome.ChromiumOSError: pass try: cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN, key_label=self.KEY_LABEL) raise cryptohome.ChromiumOSError( 'Mount succeeded where it should have failed') except cryptohome.ChromiumOSError: pass logging.info('Testing reset!') # The following operations shall all succeed: cryptohome.mount_vault(user=self.USER, password=self.TEST_PASSWORD, key_label='default') cryptohome.unmount_vault() cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN, key_label=self.KEY_LABEL) cryptohome.unmount_vault() logging.info('Testing LE cred removal on user removal!') # Create a new user to test removal. cryptohome.mount_vault(user=self.USER2, password=self.TEST_PASSWORD, create=True, key_label='default') lecreds_before_add = self.get_known_le_credentials() cryptohome.add_le_key( user=self.USER2, password=self.TEST_PASSWORD, new_key_label=self.KEY_LABEL, new_password=self.GOOD_PIN) cryptohome.add_le_key( user=self.USER2, password=self.TEST_PASSWORD, new_key_label=self.KEY_LABEL2, new_password=self.GOOD_PIN) cryptohome.unmount_vault() lecreds_after_add = self.get_known_le_credentials() cryptohome.remove_vault(self.USER2) lecreds_after_remove = self.get_known_le_credentials() if lecreds_after_add == lecreds_before_add: raise cryptohome.ChromiumOSError( 'LE creds not added successfully') if lecreds_after_remove != lecreds_before_add: raise cryptohome.ChromiumOSError( 'LE creds not deleted succesfully on user deletion!') if pre_reboot is None or pre_reboot == False: logging.info('Testing remove credential!') #The following operations shall all succeed: cryptohome.remove_key(user=self.USER, password=self.TEST_PASSWORD, remove_key_label=self.KEY_LABEL) logging.info('Cleanup of test user!') cryptohome.remove_vault(self.USER) logging.info('Tests passed!')