def run_once(self):
username = ''
with chrome.Chrome() as cr:
username = cr.username
if not cryptohome.is_vault_mounted(user=username,
allow_fail=False):
raise error.TestFail('Expected to find a mounted vault.')
if cryptohome.is_vault_mounted(user=username, allow_fail=True):
raise error.TestFail('Expected to not find a mounted vault.')
# Remove our vault, mount another vault, create a test file
# in the other vault, and ensure that the file no longer exists
# after we log back in.
cryptohome.remove_vault(username)
cryptohome.mount_vault(TEST_USER, TEST_PASS, create=True)
test_file = os.path.join(cryptohome.user_path(TEST_USER), 'hello')
open(test_file, 'w').close()
cryptohome.unmount_vault(TEST_USER)
with chrome.Chrome():
if not cryptohome.is_vault_mounted(user=username,
allow_fail=False):
raise error.TestFail('Expected to find user\'s mounted vault.')
if os.path.exists(test_file):
raise error.TestFail('Expected to not find the test file.')
def vault_mounted(user, password):
cryptohome.mount_vault(user, password, create=True)
yield
try:
cryptohome.unmount_vault(user)
except:
pass
def run_once(self):
test_user = '******'
test_password = '******'
# Remove the test user account (if it exists), create it and
# mount it
cryptohome.ensure_clean_cryptohome_for(test_user, test_password)
# Unmount the vault and ensure it's not there
cryptohome.unmount_vault(test_user)
# Make sure that an incorrect password fails
incorrect_password = '******'
try:
cryptohome.mount_vault(test_user, incorrect_password)
except:
pass
else:
raise error.TestFail('Cryptohome mounted with a bad password')
# Ensure that the user directory is not mounted
if cryptohome.is_permanent_vault_mounted(test_user, allow_fail=True):
raise error.TestFail('Cryptohome mounted even though mount failed')
# Remove the test user account
cryptohome.remove_vault(test_user)
def require_mount_fail(self, user):
try:
cryptohome.mount_vault(user, 'test', create=True)
except:
pass
else:
raise error.TestFail('Mount succeeded for %s' % user)
def test_mount_single(self):
"""
Tests mounting a single not-already-existing cryptohome. Ensures that
the infrastructure for multiple mounts is present and active.
"""
user = utils.random_username()
cryptohome.mount_vault(user, 'test', create=True)
cryptohome.unmount_vault(user)
def require_mount_fail(self, user):
"""
Raise an error if the mount succeeded.
@param user: A random user created in run_once.
"""
try:
cryptohome.mount_vault(user, 'test', create=True)
except:
pass
else:
raise error.TestFail('Mount unexpectedly succeeded for %s' % user)
def run_once(self, runtime, disk_configs, script=None, sysctls_list=None):
"""
Create a 300MB file in tmpfs/encrypted/unencrypted location
and run fio tesst.
@param disk_configs: list of keys from DISK_CONFIG_KEYS.
@param script: fio script to run
@param sysctls_list: list of dictionary of sysctls to alter.
"""
if not set(disk_configs).issubset(set(self.DISK_CONFIG_KEYS)):
raise error.TestFail('Unknown keys in disk config')
for config in disk_configs:
for sysctls in sysctls_list or [{}]:
graph_descr = ''
for key, val in sysctls.iteritems():
utils.sysctl(key, val)
graph_descr += '-'.join([os.path.basename(key), str(val)])
# Mount a test cryptohome vault.
if config == self.USE_CRYPTO:
cryptohome.mount_vault(TEST_USER,
TEST_PASSWORD,
create=True)
tmpdir = cryptohome.user_path(TEST_USER)
elif config == self.USE_TMPFS:
tmpdir = None
else:
tmpdir = self.tmpdir
self.__work_dir = tempfile.mkdtemp(dir=tmpdir)
results = {}
# TODO make these parameters to run_once & check disk for space.
self.__filesize = '300m'
self.__runtime = str(runtime)
env_vars = ' '.join([
'FILENAME=' + os.path.join(self.__work_dir, script),
'FILESIZE=' + self.__filesize, 'RUN_TIME=' + self.__runtime
])
job_file = os.path.join(self.bindir, script)
results.update(
fio_util.fio_runner(self,
job_file,
env_vars,
name_prefix=graph_descr + config))
self.write_perf_keyval(results)
logging.info('Finished with FS stress, cleaning up.')
if config == self.USE_CRYPTO:
cryptohome.unmount_vault(TEST_USER)
cryptohome.remove_vault(TEST_USER)
else:
shutil.rmtree(self.__work_dir)
def bad_password(self):
user = utils.random_username()
old_pass = '******'
new_pass = '******'
cryptohome.mount_vault(user, old_pass, create=True)
cryptohome.unmount_vault(user)
try:
cryptohome.change_password(user, 'bad', new_pass)
except:
pass
else:
raise error.TestFail('Migrated with bad password.')
cryptohome.remove_vault(user)
def run_once(self):
test_user = '******'
test_password = '******'
user_hash = cryptohome.get_user_hash(test_user)
# Ensure that the user directory is unmounted and does not exist.
cryptohome.unmount_vault(test_user)
cryptohome.remove_vault(test_user)
if os.path.exists(os.path.join(constants.SHADOW_ROOT, user_hash)):
raise error.TestFail('Could not remove the test user.')
# Mount the test user account, which ensures that the vault is
# created, and that the mount succeeds.
cryptohome.mount_vault(test_user, test_password, create=True)
# Test credentials when the user's directory is mounted
if not cryptohome.test_auth(test_user, test_password):
raise error.TestFail('Valid credentials should authenticate '
'while mounted.')
# Make sure that an incorrect password fails
if cryptohome.test_auth(test_user, 'badpass'):
raise error.TestFail('Invalid credentials should not authenticate '
'while mounted.')
# Unmount the directory
cryptohome.unmount_vault(test_user)
# Ensure that the user directory is not mounted
if cryptohome.is_vault_mounted(user=test_user, allow_fail=True):
raise error.TestFail('Cryptohome did not unmount the user.')
# Test valid credentials when the user's directory is not mounted
if not cryptohome.test_auth(test_user, test_password):
raise error.TestFail('Valid credentials should authenticate '
' while mounted.')
# Test invalid credentials fails while not mounted.
if cryptohome.test_auth(test_user, 'badpass'):
raise error.TestFail('Invalid credentials should not authenticate '
'when unmounted.')
# Re-mount existing test user vault, verifying that the mount succeeds.
cryptohome.mount_vault(test_user, test_password)
# Finally, unmount and destroy the vault again.
cryptohome.unmount_vault(test_user)
cryptohome.remove_vault(test_user)
if os.path.exists(os.path.join(constants.SHADOW_ROOT, user_hash)):
raise error.TestFail('Could not destroy the vault.')
def initialize(self):
super(login_OwnershipApi, self).initialize()
self._bus_loop = DBusGMainLoop(set_as_default=True)
# Clear existing ownership and inject known keys.
cros_ui.stop()
ownership.clear_ownership_files_no_restart()
# Make device already owned by ownership.TESTUSER.
cryptohome.mount_vault(ownership.TESTUSER,
ownership.TESTPASS,
create=True)
ownership.use_known_ownerkeys(ownership.TESTUSER)
self._tempdir = autotemp.tempdir(unique_id=self.__class__.__name__)
cros_ui.start()
def run_once(self):
# Make sure that the tpm is owned.
status = cryptohome.get_tpm_status()
if not status['Owned']:
cryptohome.take_tpm_ownership()
self.user = '******'
password = '******'
cryptohome.ensure_clean_cryptohome_for(self.user, password)
# First we inject 30 tokens into chaps. This forces the cryptohome
# key to get evicted.
for i in range(30):
pkcs11.inject_and_test_key()
# Then we get a user to remount his cryptohome. This process uses
# the cryptohome key, and if the user was able to login, the
# cryptohome key was correctly reloaded.
cryptohome.unmount_vault(self.user)
cryptohome.mount_vault(self.user, password, create=True)
def run_once(self):
test_user = '******'
test_password = '******'
# Remove any old test user account
cryptohome.remove_vault(test_user)
# Create a fresh test user account
cryptohome.mount_vault(test_user, test_password, create=True)
cryptohome.unmount_vault(test_user)
# Try to migrate the password
new_password = '******'
cryptohome.change_password(test_user, test_password, new_password)
# Mount the test user account with the new password
cryptohome.mount_vault(test_user, new_password)
cryptohome.unmount_vault(test_user)
# Ensure the old password doesn't work
try:
cryptohome.mount_vault(test_user, test_password)
except cryptohome.ChromiumOSError:
pass
else:
raise error.TestFail("Mount with old password worked")
# Remove the test user account
cryptohome.remove_vault(test_user)
def good(self):
user = utils.random_username()
old_pass = '******'
new_pass = '******'
cryptohome.mount_vault(user, old_pass, create=True)
cryptohome.unmount_vault(user)
cryptohome.change_password(user, old_pass, new_pass)
try:
cryptohome.mount_vault(user, old_pass)
except:
pass
else:
raise error.TestFail('Old password still works.')
cryptohome.mount_vault(user, new_pass)
cryptohome.unmount_vault(user)
cryptohome.remove_vault(user)
def run_once(self, pre_reboot=None):
"""Runs the platform_CryptohomeLECredentialManager test.
"""
supported_policies = cryptohome.get_supported_key_policies()
if (not supported_policies or
not supported_policies.get('low_entropy_credentials', False)):
raise error.TestNAError(
'Low-entropy credentials are not supported.')
if pre_reboot is None or pre_reboot == True:
logging.info('Performing cleanup!')
utils.run('stop cryptohomed')
utils.run('rm -rf /home/.shadow/low_entropy_creds')
try:
cryptohome.remove_vault(self.USER)
cryptohome.remove_vault(self.USER2)
except cryptohome.ChromiumOSError:
pass
utils.run('start cryptohomed')
logging.info('Waiting on cryptohomed to startup!')
time.sleep(3)
# Cleanup any existing mounts
cryptohome.unmount_vault()
logging.info('Setting up LE credential!')
# The following operations shall all succeed:
cryptohome.mount_vault(user=self.USER, password=self.TEST_PASSWORD,
create=True, key_label='default')
cryptohome.add_le_key(
user=self.USER, password=self.TEST_PASSWORD,
new_key_label=self.KEY_LABEL, new_password=self.GOOD_PIN)
cryptohome.unmount_vault()
logging.info('Testing authentication!')
# The following operations shall all succeed:
cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN,
key_label=self.KEY_LABEL)
cryptohome.unmount_vault()
logging.info('Testing lockout!')
# The following operations fail, as they attempt to use the wrong PIN 5
# times and then good PIN also stops working until reset:
for i in range(5):
try:
cryptohome.mount_vault(user=self.USER, password=self.BAD_PIN,
key_label=self.KEY_LABEL)
raise cryptohome.ChromiumOSError(
'Mount succeeded where it should have failed (try %d)' % i)
except cryptohome.ChromiumOSError:
pass
try:
cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN,
key_label=self.KEY_LABEL)
raise cryptohome.ChromiumOSError(
'Mount succeeded where it should have failed')
except cryptohome.ChromiumOSError:
pass
logging.info('Testing reset!')
# The following operations shall all succeed:
cryptohome.mount_vault(user=self.USER, password=self.TEST_PASSWORD,
key_label='default')
cryptohome.unmount_vault()
cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN,
key_label=self.KEY_LABEL)
cryptohome.unmount_vault()
logging.info('Testing LE cred removal on user removal!')
# Create a new user to test removal.
cryptohome.mount_vault(user=self.USER2, password=self.TEST_PASSWORD,
create=True, key_label='default')
lecreds_before_add = self.get_known_le_credentials()
cryptohome.add_le_key(
user=self.USER2, password=self.TEST_PASSWORD,
new_key_label=self.KEY_LABEL, new_password=self.GOOD_PIN)
cryptohome.add_le_key(
user=self.USER2, password=self.TEST_PASSWORD,
new_key_label=self.KEY_LABEL2, new_password=self.GOOD_PIN)
cryptohome.unmount_vault()
lecreds_after_add = self.get_known_le_credentials()
cryptohome.remove_vault(self.USER2)
lecreds_after_remove = self.get_known_le_credentials()
if lecreds_after_add == lecreds_before_add:
raise cryptohome.ChromiumOSError(
'LE creds not added successfully')
if lecreds_after_remove != lecreds_before_add:
raise cryptohome.ChromiumOSError(
'LE creds not deleted succesfully on user deletion!')
if pre_reboot is None or pre_reboot == False:
logging.info('Testing remove credential!')
#The following operations shall all succeed:
cryptohome.remove_key(user=self.USER, password=self.TEST_PASSWORD,
remove_key_label=self.KEY_LABEL)
logging.info('Cleanup of test user!')
cryptohome.remove_vault(self.USER)
logging.info('Tests passed!')
