xref: /external/autotest/client/site_tests/platform_CryptohomeLECredentialManager/platform_CryptohomeLECredentialManager.py

# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.


import logging
import time

from autotest_lib.client.bin import test, utils
from autotest_lib.client.cros import cryptohome
from autotest_lib.client.common_lib import error


class platform_CryptohomeLECredentialManager(test.test):
    """Tests the le_credential_manager functionality of cryptohome.
    """

    version = 1

    USER = 'testing (at] gmail.com'
    USER2 = 'testing2 (at] gmail.com'
    KEY_LABEL = 'lecred0'
    KEY_LABEL2 = 'lecred2'
    GOOD_PIN = '123456'
    BAD_PIN = '000000'
    TEST_PASSWORD = '~'

    def get_known_le_credentials(self):
        """ Returns the set of LE credentials present on the device.
        """
        list_result = utils.run('ls /home/.shadow/low_entropy_creds')
        labels_str = list_result.stdout
        return set(labels_str.split())

    def run_once(self, pre_reboot=None):
        """Runs the platform_CryptohomeLECredentialManager test.
        """
        supported_policies = cryptohome.get_supported_key_policies()
        if (not supported_policies or
                not supported_policies.get('low_entropy_credentials', False)):
            raise error.TestNAError(
                'Low-entropy credentials are not supported.')

        if pre_reboot is None or pre_reboot == True:
            logging.info('Performing cleanup!')
            utils.run('stop cryptohomed')
            utils.run('rm -rf /home/.shadow/low_entropy_creds')
            try:
                cryptohome.remove_vault(self.USER)
                cryptohome.remove_vault(self.USER2)
            except cryptohome.ChromiumOSError:
                pass
            utils.run('start cryptohomed')

            logging.info('Waiting on cryptohomed to startup!')
            time.sleep(3)
            # Cleanup any existing mounts

            cryptohome.unmount_vault()

            logging.info('Setting up LE credential!')
            # The following operations shall all succeed:
            cryptohome.mount_vault(user=self.USER, password=self.TEST_PASSWORD,
                                   create=True, key_label='default')
            cryptohome.add_le_key(
                user=self.USER, password=self.TEST_PASSWORD,
                new_key_label=self.KEY_LABEL, new_password=self.GOOD_PIN)
            cryptohome.unmount_vault()

        logging.info('Testing authentication!')
        # The following operations shall all succeed:
        cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN,
                               key_label=self.KEY_LABEL)
        cryptohome.unmount_vault()

        logging.info('Testing lockout!')
        # The following operations fail, as they attempt to use the wrong PIN 5
        # times and then good PIN also stops working until reset:
        for i in range(5):
            try:
                cryptohome.mount_vault(user=self.USER, password=self.BAD_PIN,
                                       key_label=self.KEY_LABEL)
                raise cryptohome.ChromiumOSError(
                    'Mount succeeded where it should have failed (try %d)' % i)
            except cryptohome.ChromiumOSError:
                pass
        try:
            cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN,
                                   key_label=self.KEY_LABEL)
            raise cryptohome.ChromiumOSError(
                'Mount succeeded where it should have failed')
        except cryptohome.ChromiumOSError:
            pass

        logging.info('Testing reset!')
        # The following operations shall all succeed:
        cryptohome.mount_vault(user=self.USER, password=self.TEST_PASSWORD,
                               key_label='default')
        cryptohome.unmount_vault()
        cryptohome.mount_vault(user=self.USER, password=self.GOOD_PIN,
                               key_label=self.KEY_LABEL)
        cryptohome.unmount_vault()

        logging.info('Testing LE cred removal on user removal!')

        # Create a new user to test removal.
        cryptohome.mount_vault(user=self.USER2, password=self.TEST_PASSWORD,
                               create=True, key_label='default')
        lecreds_before_add = self.get_known_le_credentials()

        cryptohome.add_le_key(
            user=self.USER2, password=self.TEST_PASSWORD,
            new_key_label=self.KEY_LABEL, new_password=self.GOOD_PIN)
        cryptohome.add_le_key(
            user=self.USER2, password=self.TEST_PASSWORD,
            new_key_label=self.KEY_LABEL2, new_password=self.GOOD_PIN)
        cryptohome.unmount_vault()
        lecreds_after_add = self.get_known_le_credentials()

        cryptohome.remove_vault(self.USER2)
        lecreds_after_remove = self.get_known_le_credentials()

        if lecreds_after_add == lecreds_before_add:
            raise cryptohome.ChromiumOSError(
                'LE creds not added successfully')

        if lecreds_after_remove != lecreds_before_add:
            raise cryptohome.ChromiumOSError(
                'LE creds not deleted succesfully on user deletion!')

        if pre_reboot is None or pre_reboot == False:
            logging.info('Testing remove credential!')
            #The following operations shall all succeed:
            cryptohome.remove_key(user=self.USER, password=self.TEST_PASSWORD,
                                  remove_key_label=self.KEY_LABEL)
            logging.info('Cleanup of test user!')
            cryptohome.remove_vault(self.USER)

        logging.info('Tests passed!')