github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/libkb/secret_store_darwin_test.go (about)

     1  //go:build darwin
     2  // +build darwin
     3  
     4  package libkb
     5  
     6  import (
     7  	"encoding/base64"
     8  	"testing"
     9  
    10  	keychain "github.com/keybase/go-keychain"
    11  	"github.com/stretchr/testify/require"
    12  )
    13  
    14  func TestSecretStoreDarwin(t *testing.T) {
    15  	tc := SetupTest(t, "secret store darwin", 1)
    16  	defer tc.Cleanup()
    17  
    18  	mctx := NewMetaContextForTest(tc)
    19  	secretStore := KeychainSecretStore{}
    20  	nu := NormalizedUsername("username")
    21  
    22  	defer func() {
    23  		err := secretStore.ClearSecret(mctx, nu)
    24  		require.NoError(tc.T, err)
    25  	}()
    26  
    27  	serviceName := secretStore.serviceName(mctx)
    28  	accessGroup := secretStore.accessGroup(mctx)
    29  
    30  	expectedSecret1 := []byte("test secret 1test secret 1test s")
    31  	expectedSecret2 := []byte("test secret 2test secret 2test s")
    32  	encodedSecret1 := base64.StdEncoding.EncodeToString(expectedSecret1)
    33  	encodedSecret2 := base64.StdEncoding.EncodeToString(expectedSecret2)
    34  	lkSec1, err := newLKSecFullSecretFromBytes(expectedSecret1)
    35  	require.NoError(t, err)
    36  
    37  	err = secretStore.StoreSecret(mctx, nu, lkSec1)
    38  	require.NoError(t, err)
    39  
    40  	secret, err := secretStore.RetrieveSecret(mctx, nu)
    41  	require.NoError(t, err)
    42  	require.Equal(t, string(expectedSecret1), string(secret.Bytes()))
    43  
    44  	t.Logf("Corrupt keychain, add new secret")
    45  	// corrupt the secret in the keychain by writing into a new slot
    46  	// forcing us to use a new keychain slot when writing the new item
    47  	account := newKeychainSlottedAccount(nu, 1)
    48  	item := keychain.NewGenericPassword(serviceName, account.String(),
    49  		"", []byte(encodedSecret2), accessGroup)
    50  	err = keychain.AddItem(item)
    51  	require.NoError(t, err)
    52  
    53  	// We now readout expectedSecret2 since it is the latest entry.
    54  	secret, err = secretStore.RetrieveSecret(mctx, nu)
    55  	require.NoError(t, err)
    56  	require.Equal(t, string(expectedSecret2), string(secret.Bytes()))
    57  
    58  	// Now write expectedSecret1 back into the store, which will overwrite secret2
    59  	err = secretStore.StoreSecret(mctx, nu, lkSec1)
    60  	require.NoError(t, err)
    61  
    62  	secret, err = secretStore.RetrieveSecret(mctx, nu)
    63  	require.NoError(t, err)
    64  	require.Equal(t, string(expectedSecret1), string(secret.Bytes()))
    65  
    66  	// verify our keychain state
    67  	for i := 0; i < 2; i++ {
    68  		account := newKeychainSlottedAccount(nu, i)
    69  		query := keychain.NewItem()
    70  		query.SetSecClass(keychain.SecClassGenericPassword)
    71  		query.SetService(serviceName)
    72  		query.SetAccount(account.String())
    73  		query.SetAccessGroup(accessGroup)
    74  		query.SetReturnData(true)
    75  		query.SetReturnAttributes(true)
    76  		results, err := keychain.QueryItem(query)
    77  		require.NoError(t, err)
    78  		require.Len(t, results, 1)
    79  		res := results[0]
    80  
    81  		require.Equal(t, secretStore.serviceName(mctx), res.Service)
    82  		require.Equal(t, account.String(), res.Account)
    83  		require.Equal(t, secretStore.accessGroup(mctx), res.AccessGroup)
    84  		require.Equal(t, "", res.Description)
    85  		require.Equal(t, encodedSecret1, string(res.Data))
    86  	}
    87  
    88  	// Although we have 3 keychain items, we technically only have one user in
    89  	// the store.
    90  	users, err := secretStore.GetUsersWithStoredSecrets(mctx)
    91  	require.NoError(t, err)
    92  	require.Len(t, users, 1)
    93  
    94  	err = secretStore.ClearSecret(mctx, nu)
    95  	require.NoError(t, err)
    96  
    97  	for i := 0; i < 2; i++ {
    98  		account := newKeychainSlottedAccount(nu, i)
    99  		query := keychain.NewItem()
   100  		query.SetSecClass(keychain.SecClassGenericPassword)
   101  		query.SetService(serviceName)
   102  		query.SetAccount(account.String())
   103  		query.SetAccessGroup(accessGroup)
   104  		query.SetReturnData(true)
   105  		query.SetReturnAttributes(true)
   106  		results, err := keychain.QueryItem(query)
   107  		require.NoError(t, err)
   108  		require.Nil(t, results)
   109  	}
   110  
   111  	users, err = secretStore.GetUsersWithStoredSecrets(mctx)
   112  	require.NoError(t, err)
   113  	require.Len(t, users, 0)
   114  }
   115  
   116  func TestPrimeSecretStoreDarwin(t *testing.T) {
   117  	tc := SetupTest(t, "secret_store_darwin", 1)
   118  	defer tc.Cleanup()
   119  	tc.G.Env.Test.SecretStorePrimingDisabled = false
   120  
   121  	mctx := NewMetaContextForTest(tc)
   122  	secretStore := KeychainSecretStore{}
   123  	err := PrimeSecretStore(mctx, secretStore)
   124  	require.NoError(t, err)
   125  }