]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/test/test-creds.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
creds-util: add a concept of "user-scoped" credentials
[thirdparty/systemd.git] / src / test / test-creds.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "creds-util.h"
4 #include "fileio.h"
5 #include "format-util.h"
6 #include "hexdecoct.h"
7 #include "id128-util.h"
8 #include "iovec-util.h"
9 #include "path-util.h"
10 #include "rm-rf.h"
11 #include "tests.h"
12 #include "tmpfile-util.h"
13 #include "tpm2-util.h"
14 #include "user-util.h"
15
16 TEST(read_credential_strings) {
17 _cleanup_free_ char *x = NULL, *y = NULL, *saved = NULL, *p = NULL;
18 _cleanup_(rm_rf_physical_and_freep) char *tmp = NULL;
19 _cleanup_fclose_ FILE *f = NULL;
20
21 const char *e = getenv("CREDENTIALS_DIRECTORY");
22 if (e)
23 assert_se(saved = strdup(e));
24
25 assert_se(read_credential_strings_many("foo", &x, "bar", &y) == 0);
26 assert_se(x == NULL);
27 assert_se(y == NULL);
28
29 assert_se(mkdtemp_malloc(NULL, &tmp) >= 0);
30
31 assert_se(setenv("CREDENTIALS_DIRECTORY", tmp, /* override= */ true) >= 0);
32
33 assert_se(read_credential_strings_many("foo", &x, "bar", &y) == 0);
34 assert_se(x == NULL);
35 assert_se(y == NULL);
36
37 assert_se(p = path_join(tmp, "bar"));
38 assert_se(write_string_file(p, "piff", WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_AVOID_NEWLINE) >= 0);
39
40 assert_se(read_credential_strings_many("foo", &x, "bar", &y) == 0);
41 assert_se(x == NULL);
42 assert_se(streq(y, "piff"));
43
44 assert_se(write_string_file(p, "paff", WRITE_STRING_FILE_TRUNCATE|WRITE_STRING_FILE_AVOID_NEWLINE) >= 0);
45
46 assert_se(read_credential_strings_many("foo", &x, "bar", &y) == 0);
47 assert_se(x == NULL);
48 assert_se(streq(y, "paff"));
49
50 p = mfree(p);
51 assert_se(p = path_join(tmp, "foo"));
52 assert_se(write_string_file(p, "knurz", WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_AVOID_NEWLINE) >= 0);
53
54 assert_se(read_credential_strings_many("foo", &x, "bar", &y) >= 0);
55 assert_se(streq(x, "knurz"));
56 assert_se(streq(y, "paff"));
57
58 p = mfree(p);
59 assert_se(p = path_join(tmp, "bazz"));
60 assert_se(f = fopen(p, "w"));
61 assert_se(fwrite("x\0y", 1, 3, f) == 3); /* embedded NUL byte should result in EBADMSG when reading back with read_credential_strings_many() */
62 f = safe_fclose(f);
63
64 y = mfree(y);
65
66 assert_se(read_credential_strings_many("bazz", &x, "bar", &y) == -EBADMSG);
67 assert_se(streq(x, "knurz"));
68 assert_se(streq(y, "paff"));
69
70 if (saved)
71 assert_se(setenv("CREDENTIALS_DIRECTORY", saved, /* override= */ 1) >= 0);
72 else
73 assert_se(unsetenv("CREDENTIALS_DIRECTORY") >= 0);
74 }
75
76 TEST(credential_name_valid) {
77 char buf[NAME_MAX+2];
78
79 assert_se(!credential_name_valid(NULL));
80 assert_se(!credential_name_valid(""));
81 assert_se(!credential_name_valid("."));
82 assert_se(!credential_name_valid(".."));
83 assert_se(!credential_name_valid("foo/bar"));
84 assert_se(credential_name_valid("foo"));
85
86 memset(buf, 'x', sizeof(buf)-1);
87 buf[sizeof(buf)-1] = 0;
88 assert_se(!credential_name_valid(buf));
89
90 buf[sizeof(buf)-2] = 0;
91 assert_se(credential_name_valid(buf));
92 }
93
94 TEST(credential_glob_valid) {
95 char buf[NAME_MAX+2];
96
97 assert_se(!credential_glob_valid(NULL));
98 assert_se(!credential_glob_valid(""));
99 assert_se(!credential_glob_valid("."));
100 assert_se(!credential_glob_valid(".."));
101 assert_se(!credential_glob_valid("foo/bar"));
102 assert_se(credential_glob_valid("foo"));
103 assert_se(credential_glob_valid("foo*"));
104 assert_se(credential_glob_valid("x*"));
105 assert_se(credential_glob_valid("*"));
106 assert_se(!credential_glob_valid("?"));
107 assert_se(!credential_glob_valid("*a"));
108 assert_se(!credential_glob_valid("a?"));
109 assert_se(!credential_glob_valid("a[abc]"));
110 assert_se(!credential_glob_valid("a[abc]"));
111
112 memset(buf, 'x', sizeof(buf)-1);
113 buf[sizeof(buf)-1] = 0;
114 assert_se(!credential_glob_valid(buf));
115
116 buf[sizeof(buf)-2] = 0;
117 assert_se(credential_glob_valid(buf));
118
119 buf[sizeof(buf)-2] = '*';
120 assert_se(credential_glob_valid(buf));
121 }
122
123 static void test_encrypt_decrypt_with(sd_id128_t mode, uid_t uid) {
124 static const struct iovec plaintext = CONST_IOVEC_MAKE_STRING("this is a super secret string");
125 int r;
126
127 if (uid_is_valid(uid))
128 log_notice("Running encryption/decryption test with mode " SD_ID128_FORMAT_STR " for UID " UID_FMT ".", SD_ID128_FORMAT_VAL(mode), uid);
129 else
130 log_notice("Running encryption/decryption test with mode " SD_ID128_FORMAT_STR ".", SD_ID128_FORMAT_VAL(mode));
131
132 _cleanup_(iovec_done) struct iovec encrypted = {};
133 r = encrypt_credential_and_warn(
134 mode,
135 "foo",
136 /* timestamp= */ USEC_INFINITY,
137 /* not_after=*/ USEC_INFINITY,
138 /* tpm2_device= */ NULL,
139 /* tpm2_hash_pcr_mask= */ 0,
140 /* tpm2_pubkey_path= */ NULL,
141 /* tpm2_pubkey_pcr_mask= */ 0,
142 uid,
143 &plaintext,
144 CREDENTIAL_ALLOW_NULL,
145 &encrypted);
146 if (ERRNO_IS_NEG_MACHINE_ID_UNSET(r)) {
147 log_notice_errno(r, "Skipping test encryption mode " SD_ID128_FORMAT_STR ", because /etc/machine-id is not initialized.", SD_ID128_FORMAT_VAL(mode));
148 return;
149 }
150 if (ERRNO_IS_NEG_NOT_SUPPORTED(r)) {
151 log_notice_errno(r, "Skipping test encryption mode " SD_ID128_FORMAT_STR ", because encrypted credentials are not supported.", SD_ID128_FORMAT_VAL(mode));
152 return;
153 }
154
155 assert_se(r >= 0);
156
157 _cleanup_(iovec_done) struct iovec decrypted = {};
158 r = decrypt_credential_and_warn(
159 "bar",
160 /* validate_timestamp= */ USEC_INFINITY,
161 /* tpm2_device= */ NULL,
162 /* tpm2_signature_path= */ NULL,
163 uid,
164 &encrypted,
165 CREDENTIAL_ALLOW_NULL,
166 &decrypted);
167 assert_se(r == -EREMOTE); /* name didn't match */
168
169 r = decrypt_credential_and_warn(
170 "foo",
171 /* validate_timestamp= */ USEC_INFINITY,
172 /* tpm2_device= */ NULL,
173 /* tpm2_signature_path= */ NULL,
174 uid,
175 &encrypted,
176 CREDENTIAL_ALLOW_NULL,
177 &decrypted);
178 assert_se(r >= 0);
179
180 assert_se(iovec_memcmp(&plaintext, &decrypted) == 0);
181 }
182
183 static bool try_tpm2(void) {
184 #if HAVE_TPM2
185 _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL;
186 int r;
187
188 r = tpm2_context_new(/* device= */ NULL, &tpm2_context);
189 if (r < 0)
190 log_notice_errno(r, "Failed to create TPM2 context, assuming no TPM2 support or privileges: %m");
191
192 return r >= 0;
193 #else
194 return false;
195 #endif
196 }
197
198 TEST(credential_encrypt_decrypt) {
199 _cleanup_(rm_rf_physical_and_freep) char *d = NULL;
200 _cleanup_free_ char *j = NULL;
201
202 log_set_max_level(LOG_DEBUG);
203
204 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_NULL, UID_INVALID);
205
206 assert_se(mkdtemp_malloc(NULL, &d) >= 0);
207 j = path_join(d, "secret");
208 assert_se(j);
209
210 const char *e = getenv("SYSTEMD_CREDENTIAL_SECRET");
211 _cleanup_free_ char *ec = NULL;
212
213 if (e)
214 assert_se(ec = strdup(e));
215
216 assert_se(setenv("SYSTEMD_CREDENTIAL_SECRET", j, true) >= 0);
217
218 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_HOST, UID_INVALID);
219 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_HOST_SCOPED, 0);
220
221 if (try_tpm2()) {
222 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_TPM2_HMAC, UID_INVALID);
223 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC, UID_INVALID);
224 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED, 0);
225 }
226
227 if (ec)
228 assert_se(setenv("SYSTEMD_CREDENTIAL_SECRET", ec, true) >= 0);
229 }
230
231 TEST(mime_type_matches) {
232
233 static const sd_id128_t tags[] = {
234 CRED_AES256_GCM_BY_HOST,
235 CRED_AES256_GCM_BY_HOST_SCOPED,
236 CRED_AES256_GCM_BY_TPM2_HMAC,
237 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
238 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
239 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED,
240 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK,
241 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED,
242 CRED_AES256_GCM_BY_NULL,
243 };
244
245 /* Generates the right <match/> expressions for these credentials according to the shared mime-info spec */
246 FOREACH_ARRAY(t, tags, ELEMENTSOF(tags)) {
247 _cleanup_free_ char *encoded = NULL;
248
249 assert_se(base64mem(t, sizeof(sd_id128_t), &encoded) >= 0);
250
251 /* Validate that the size matches expectations for the 4/3 factor size increase (rounding up) */
252 assert_se(strlen(encoded) == DIV_ROUND_UP((128U / 8U), 3U) * 4U);
253
254 /* Cut off rounded string where the ID ends, but now round down to get rid of characters that might contain follow-up data */
255 encoded[128 / 6] = 0;
256
257 printf("<match type=\"string\" value=\"%s\" offset=\"0\"/>\n", encoded);
258 }
259 }
260
261 DEFINE_TEST_MAIN(LOG_INFO);
Unnamed repository; edit this file 'description' to name the repository.