github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/libkb/secret_store_secretservice_test.go (about)

     1  // Copyright 2019 Keybase, Inc. All rights reserved. Use of
     2  // this source code is governed by the included BSD license.
     3  
     4  //go:build linux && !skipkeyringtests
     5  // +build linux,!skipkeyringtests
     6  
     7  // nolint:unused
     8  package libkb
     9  
    10  import (
    11  	"fmt"
    12  	"os"
    13  	"testing"
    14  
    15  	secsrv "github.com/keybase/go-keychain/secretservice"
    16  	"github.com/stretchr/testify/require"
    17  )
    18  
    19  func secret() LKSecFullSecret {
    20  	sec, err := newLKSecFullSecretFromBytes([]byte("YELLOW_SUBMARINEYELLOW_SUBMARINE"))
    21  	if err != nil {
    22  		panic(err)
    23  	}
    24  	return sec
    25  }
    26  
    27  func requireError(t *testing.T, err error, msg string) {
    28  	require.Error(t, err)
    29  	require.Contains(t, err.Error(), msg)
    30  }
    31  
    32  var alice = NewNormalizedUsername("alice")
    33  var bob = NewNormalizedUsername("bob")
    34  var charlie = NewNormalizedUsername("charlie")
    35  
    36  func TestSSSSBasic(t *testing.T) {
    37  	t.Skip("Skipping secret service test while Linux CI AMI is being upgraded to include keyring")
    38  
    39  	tc := SetupTest(t, "secret_store_secretservice", 0)
    40  	defer tc.Cleanup()
    41  	mctx := NewMetaContextForTest(tc)
    42  
    43  	sec := secret()
    44  
    45  	s := NewSecretStoreRevokableSecretService()
    46  	err := s.StoreSecret(mctx, alice, sec)
    47  	require.NoError(t, err)
    48  
    49  	gotSec, err := s.RetrieveSecret(mctx, alice)
    50  	require.NoError(t, err)
    51  	require.Equal(t, sec, gotSec)
    52  
    53  	err = s.ClearSecret(mctx, alice)
    54  	require.NoError(t, err)
    55  
    56  	_, err = s.RetrieveSecret(mctx, alice)
    57  	requireError(t, err.(UnboxError), "no such file")
    58  
    59  	err = s.StoreSecret(mctx, alice, sec)
    60  	require.NoError(t, err)
    61  	err = s.StoreSecret(mctx, bob, sec)
    62  	require.NoError(t, err)
    63  	err = s.StoreSecret(mctx, charlie, sec)
    64  	require.NoError(t, err)
    65  	gotSec, err = s.RetrieveSecret(mctx, charlie)
    66  	require.NoError(t, err)
    67  	require.Equal(t, sec, gotSec)
    68  
    69  	users, err := s.GetUsersWithStoredSecrets(mctx)
    70  	require.NoError(t, err)
    71  	require.Equal(t, []string{"alice", "bob", "charlie"}, users)
    72  
    73  	err = s.ClearSecret(mctx, alice)
    74  	require.NoError(t, err)
    75  	err = s.ClearSecret(mctx, bob)
    76  	require.NoError(t, err)
    77  	err = s.ClearSecret(mctx, charlie)
    78  	require.NoError(t, err)
    79  }
    80  
    81  func TestSSSSCorruptKeystore(t *testing.T) {
    82  	t.Skip("Skipping secret service test while Linux CI AMI is being upgraded to include keyring")
    83  
    84  	tc := SetupTest(t, "secret_store_secretservice", 0)
    85  	defer tc.Cleanup()
    86  	mctx := NewMetaContextForTest(tc)
    87  
    88  	s := NewSecretStoreRevokableSecretService()
    89  	err := s.StoreSecret(mctx, alice, secret())
    90  	require.NoError(t, err)
    91  
    92  	keystore := s.keystore(mctx, "alice", nil)
    93  	keypath := keystore.(*FileErasableKVStore).filepath(s.keystoreKey())
    94  	file, err := os.OpenFile(keypath, os.O_RDWR, 0755)
    95  	defer func() {
    96  		err := file.Close()
    97  		require.NoError(t, err)
    98  	}()
    99  	require.NoError(t, err)
   100  	_, err = file.Write([]byte("YELLOW_SUBMARINE"))
   101  	require.NoError(t, err)
   102  
   103  	_, err = s.RetrieveSecret(mctx, alice)
   104  	require.Error(t, err)
   105  	requireError(t, err.(UnboxError), "msgpack decode error")
   106  
   107  	err = s.ClearSecret(mctx, alice)
   108  	require.NoError(t, err)
   109  }
   110  
   111  func TestSSSSCorruptNoise(t *testing.T) {
   112  	t.Skip("Skipping secret service test while Linux CI AMI is being upgraded to include keyring")
   113  
   114  	tc := SetupTest(t, "secret_store_secretservice", 0)
   115  	defer tc.Cleanup()
   116  	mctx := NewMetaContextForTest(tc)
   117  
   118  	s := NewSecretStoreRevokableSecretService()
   119  	err := s.StoreSecret(mctx, alice, secret())
   120  	require.NoError(t, err)
   121  
   122  	keystore := s.keystore(mctx, "alice", nil)
   123  	fileKeystore := keystore.(*FileErasableKVStore)
   124  	keypath := fileKeystore.filepath(fileKeystore.noiseKey(s.keystoreKey()))
   125  	file, err := os.OpenFile(keypath, os.O_RDWR, 0755)
   126  	defer func() {
   127  		err := file.Close()
   128  		require.NoError(t, err)
   129  	}()
   130  	require.NoError(t, err)
   131  	_, err = file.Write([]byte("YELLOW_SUBMARINE"))
   132  	require.NoError(t, err)
   133  
   134  	_, err = s.RetrieveSecret(mctx, alice)
   135  	require.Error(t, err)
   136  	require.Equal(t, err.(UnboxError).Info(), "noise hashes do not match")
   137  
   138  	err = s.ClearSecret(mctx, alice)
   139  	require.NoError(t, err)
   140  }
   141  
   142  func TestSSSSCorruptKeyring(t *testing.T) {
   143  	t.Skip("Skipping secret service test while Linux CI AMI is being upgraded to include keyring")
   144  
   145  	tc := SetupTest(t, "secret_store_secretservice", 0)
   146  	defer tc.Cleanup()
   147  	mctx := NewMetaContextForTest(tc)
   148  
   149  	s := NewSecretStoreRevokableSecretService()
   150  
   151  	err := s.StoreSecret(mctx, alice, secret())
   152  	require.NoError(t, err)
   153  
   154  	srv, err := secsrv.NewService()
   155  	require.NoError(t, err)
   156  	session, err := srv.OpenSession(secsrv.AuthenticationDHAES)
   157  	require.NoError(t, err)
   158  	defer srv.CloseSession(session)
   159  	identifierKeystore := s.identifierKeystore(mctx)
   160  	var instanceIdentifier []byte
   161  	err = identifierKeystore.Get(mctx, s.identifierKeystoreKey("alice"), &instanceIdentifier)
   162  	require.NoError(t, err)
   163  	label := fmt.Sprintf("%s@%s", "alice", mctx.G().Env.GetStoredSecretServiceName())
   164  	properties := secsrv.NewSecretProperties(label, s.makeAttributes(mctx, "alice", instanceIdentifier))
   165  	srvSecret, err := session.NewSecret([]byte("NOT_THE_REAL_SECRET"))
   166  	require.NoError(t, err)
   167  	_, err = srv.CreateItem(secsrv.DefaultCollection, properties, srvSecret, secsrv.ReplaceBehaviorReplace)
   168  	require.NoError(t, err)
   169  
   170  	_, err = s.RetrieveSecret(mctx, alice)
   171  	require.Error(t, err)
   172  	require.Equal(t, err.(UnboxError).Info(), "noise hashes match")
   173  	// (i.e., issue is something else - likely a MAC mismatch, but secretbox.Open doesn't give a more specific error)
   174  
   175  	err = s.ClearSecret(mctx, alice)
   176  	require.NoError(t, err)
   177  }