def _auth_sudo(): # type: () -> Result
cmd_sudo_check = sh.sudo_run(['-n'])
if not cmd_sudo_check:
print(WARN("If prompted, authenticate with sudo ... "))
cmd_auth = sh.sudo_run(['ls'])
if not cmd_auth:
print(WARN("WARNING"), "sudo authentication failed")
return cmd_auth
else:
return cmd_sudo_check
def test_sudo_run_simple(self):
"""
- ensure true returns 0
- ensure false returns non-zero
"""
cmd_true = sh.sudo_run(['/usr/bin/true'])
log.debug(cmd_true)
self.assertTrue(cmd_true)
self.assertEqual(0, cmd_true.code)
cmd_false = sh.sudo_run(['/usr/bin/false'])
log.debug(cmd_false)
self.assertFalse(cmd_false)
self.assertNotEqual(0, cmd_false.code)
def test_sudo_run_simple(self):
"""
- ensure true returns 0
- ensure false returns non-zero
"""
cmd_true = sh.sudo_run(['/usr/bin/true'])
log.debug(cmd_true)
self.assertTrue(cmd_true)
self.assertEqual(0, cmd_true.code)
cmd_false = sh.sudo_run(['/usr/bin/false'])
log.debug(cmd_false)
self.assertFalse(cmd_false)
self.assertNotEqual(0, cmd_false.code)
def trust_identity(identity, keydb): # type: (str) -> Result
fd, tmpfile = tempfile.mkstemp()
fh = os.fdopen(fd, 'w')
log.debug("Temp filename: %s", tmpfile)
sec_extract = run(['security', 'find-certificate', '-p',
'-c', identity, keydb])
if not sec_extract:
log.debug(sec_extract)
return Failure(sec_extract)
fh.write(sec_extract.stdout)
fh.close()
sec_add = sudo_run(['security', 'add-trusted-cert', '-d',
'-p', 'basic', '-p', 'codeSign', tmpfile])
if not sec_add:
os.unlink(tmpfile)
return Failure("Failed to add cert:\n{}".format(sec_extract.stdout))
res_valid = find_identity(identity, keydb, valid=True)
if not res_valid:
return Failure("Invalid identity.")
sec_sign = run(['codesign', '--keychain', keydb, '-s', identity, tmpfile])
os.unlink(tmpfile)
if not sec_sign:
return Failure("Codesigning failed: {}".format(sec_sign.stderr))
return Success(identity)
def import_identity(keydb, key_pass, identity, id_file, id_pass):
# type: (str, str, str, str, str) -> Result
log.debug('import_identity({!r}, {!r}, {!r}, {!r})'.format(
keydb, identity, id_file, '********'))
# ensure keychain exists
if not os.path.exists(id_file):
return Failure('Identity file {!r} not found'.format(id_file))
sec_add = add_to_search_list(keydb)
if not sec_add:
return Failure(sec_add)
res_find_id = identity_installed(identity, keydb)
if res_find_id:
return Failure("Identity exists: {!r}".format(res_find_id.value))
# import identity to keychain
cmd_import = run(['security', 'import', id_file,
'-k', keydb, '-f', 'pkcs12',
'-P', id_pass, '-T', '/usr/bin/codesign'])
if not cmd_import:
return Failure(cmd_import.stderr)
sec_part = sudo_run(['security', 'set-key-partition-list',
'-S', 'apple', '-k', key_pass, keydb])
if not sec_part:
return Failure("Failed to authorize identity: {}".
format(sec_part.stderr))
return Success("Imported identity {} from {}".format(identity, id_file))
def trust_identity(identity, keydb): # type: (str) -> Result
fd, tmpfile = tempfile.mkstemp()
fh = os.fdopen(fd, 'w')
log.debug("Temp filename: %s", tmpfile)
sec_extract = run(
['security', 'find-certificate', '-p', '-c', identity, keydb])
if not sec_extract:
log.debug(sec_extract)
return Failure(sec_extract)
fh.write(sec_extract.stdout)
fh.close()
sec_add = sudo_run([
'security', 'add-trusted-cert', '-d', '-p', 'basic', '-p', 'codeSign',
tmpfile
])
if not sec_add:
os.unlink(tmpfile)
return Failure("Failed to add cert:\n{}".format(sec_extract.stdout))
res_valid = find_identity(identity, keydb, valid=True)
if not res_valid:
return Failure("Invalid identity.")
sec_sign = run(['codesign', '--keychain', keydb, '-s', identity, tmpfile])
os.unlink(tmpfile)
if not sec_sign:
return Failure("Codesigning failed: {}".format(sec_sign.stderr))
return Success(identity)
def import_identity(keydb, key_pass, identity, id_file, id_pass):
# type: (str, str, str, str, str) -> Result
log.debug('import_identity({!r}, {!r}, {!r}, {!r})'.format(
keydb, identity, id_file, '********'))
# ensure keychain exists
if not os.path.exists(id_file):
return Failure('Identity file {!r} not found'.format(id_file))
sec_add = add_to_search_list(keydb)
if not sec_add:
return Failure(sec_add)
res_find_id = identity_installed(identity, keydb)
if res_find_id:
return Failure("Identity exists: {!r}".format(res_find_id.value))
# import identity to keychain
cmd_import = run([
'security', 'import', id_file, '-k', keydb, '-f', 'pkcs12', '-P',
id_pass, '-T', '/usr/bin/codesign'
])
if not cmd_import:
return Failure(cmd_import.stderr)
sec_part = sudo_run([
'security', 'set-key-partition-list', '-S', 'apple', '-k', key_pass,
keydb
])
if not sec_part:
return Failure("Failed to authorize identity: {}".format(
sec_part.stderr))
return Success("Imported identity {} from {}".format(identity, id_file))
def test_privilege_write(self):
"""
- read current privilege value
- write and verify new value
- restore and verify original value
- in case of failure, re-run DevToolsSecurity to ensure safe value
"""
priv = self.test_priv
test_rule = "is-admin"
# read current value
res_read = S.authdb_privilege_read(priv)
self.assertTrue(res_read)
# stash for later
orig_value = res_read.value
# write new value
res_write = S.authdb_privilege_write(priv, "is-admin")
self.assertTrue(res_write)
# read new value
res_verify = S.authdb_privilege_read(priv)
self.assertTrue(res_verify)
new_rules = S.rules_from(res_verify.value)
self.assertEqual([test_rule], new_rules)
# restore original value
cmdline = ['security', 'authorizationdb', 'write', priv]
res_restore = sh.sudo_run(cmdline, stdin=orig_value)
self.assertTrue(res_restore)
# verify restored value
res_verify2 = S.authdb_privilege_read(priv)
self.assertTrue(res_verify2)
orig_rules = S.rules_from(orig_value)
restored_rules = S.rules_from(res_verify2.value)
restored_check = orig_rules == restored_rules
self.assertEqual(
orig_rules, restored_rules,
"There was an error restoring " + priv + ". Falling back"
" to system defaults. You may need to re-run"
" DevToolsSecurity or re-init debugsign.")
if not restored_check:
cmd_dts = sh.sudo_run(['/usr/sbin/DevToolsSecurity', '-disable'])
self.assertTrue(cmd_dts, "Failed to re-run DevToolsSecurity")
def test_privilege_write(self):
"""
- read current privilege value
- write and verify new value
- restore and verify original value
- in case of failure, re-run DevToolsSecurity to ensure safe value
"""
priv = self.test_priv
test_rule = "is-admin"
# read current value
res_read = S.authdb_privilege_read(priv)
self.assertTrue(res_read)
# stash for later
orig_value = res_read.value
# write new value
res_write = S.authdb_privilege_write(priv, "is-admin")
self.assertTrue(res_write)
# read new value
res_verify = S.authdb_privilege_read(priv)
self.assertTrue(res_verify)
new_rules = S.rules_from(res_verify.value)
self.assertEqual([test_rule], new_rules)
# restore original value
cmdline = ['security', 'authorizationdb', 'write', priv]
res_restore = sh.sudo_run(cmdline, stdin=orig_value)
self.assertTrue(res_restore)
# verify restored value
res_verify2 = S.authdb_privilege_read(priv)
self.assertTrue(res_verify2)
orig_rules = S.rules_from(orig_value)
restored_rules = S.rules_from(res_verify2.value)
restored_check = orig_rules == restored_rules
self.assertEqual(orig_rules, restored_rules,
"There was an error restoring "+priv+". Falling back"
" to system defaults. You may need to re-run"
" DevToolsSecurity or re-init debugsign.")
if not restored_check:
cmd_dts = sh.sudo_run(['/usr/sbin/DevToolsSecurity', '-disable'])
self.assertTrue(cmd_dts, "Failed to re-run DevToolsSecurity")
def authdb_privilege_write(privilege, value): # type: (str, str) -> Result
log.debug('authdb_privilege_write("%s", "%s")', privilege, value)
if not os.getenv(UNSAFE_FLAG, False):
log.info("Unauthorized unsafe operation")
log.info("To enable running this command, pass the --unsafe flag or"
" set the %s environment variable.", UNSAFE_FLAG)
return Failure("Setting privileges requires --unsafe flag")
res = sudo_run(['security', 'authorizationdb', 'write', privilege, value])
if not res:
err_msg = 'Failed to set authdb privilege {} => {}'.format(
privilege, value)
log.warn(err_msg)
return Failure(err_msg)
return Success('{} => {}'.format(privilege, value))
def authdb_privilege_write(privilege, value): # type: (str, str) -> Result
log.debug('authdb_privilege_write("%s", "%s")', privilege, value)
if not os.getenv(UNSAFE_FLAG, False):
log.info("Unauthorized unsafe operation")
log.info(
"To enable running this command, pass the --unsafe flag or"
" set the %s environment variable.", UNSAFE_FLAG)
return Failure("Setting privileges requires --unsafe flag")
res = sudo_run(['security', 'authorizationdb', 'write', privilege, value])
if not res:
err_msg = 'Failed to set authdb privilege {} => {}'.format(
privilege, value)
log.warn(err_msg)
return Failure(err_msg)
return Success('{} => {}'.format(privilege, value))