1*9c5db199SXin Li# Lint as: python2, python3 2*9c5db199SXin Li# Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 3*9c5db199SXin Li# Use of this source code is governed by a BSD-style license that can be 4*9c5db199SXin Li# found in the LICENSE file. 5*9c5db199SXin Li 6*9c5db199SXin Lifrom __future__ import absolute_import 7*9c5db199SXin Lifrom __future__ import division 8*9c5db199SXin Lifrom __future__ import print_function 9*9c5db199SXin Li 10*9c5db199SXin Liimport logging, os, random, re, shutil, string, time 11*9c5db199SXin Li 12*9c5db199SXin Liimport common 13*9c5db199SXin Li 14*9c5db199SXin Lifrom autotest_lib.client.cros import constants 15*9c5db199SXin Lifrom autotest_lib.client.bin import utils 16*9c5db199SXin Lifrom autotest_lib.client.common_lib import error 17*9c5db199SXin Lifrom autotest_lib.client.common_lib.cros import tpm_utils 18*9c5db199SXin Lifrom autotest_lib.client.cros.tpm import * 19*9c5db199SXin Li 20*9c5db199SXin LiATTESTATION_CMD = '/usr/bin/attestation_client' 21*9c5db199SXin LiCRYPTOHOME_CMD = '/usr/sbin/cryptohome' 22*9c5db199SXin LiTPM_MANAGER_CMD = '/usr/bin/tpm_manager_client' 23*9c5db199SXin LiGUEST_USER_NAME = '$guest' 24*9c5db199SXin LiUNAVAILABLE_ACTION = 'Unknown action or no action given.' 25*9c5db199SXin LiMOUNT_RETRY_COUNT = 20 26*9c5db199SXin LiTEMP_MOUNT_PATTERN = '/home/.shadow/%s/temporary_mount' 27*9c5db199SXin LiVAULT_PATH_PATTERN = '/home/.shadow/%s/vault' 28*9c5db199SXin Li 29*9c5db199SXin LiDBUS_PROTOS_DEP = 'dbus_protos' 30*9c5db199SXin Li 31*9c5db199SXin LiLEC_KEY = 'low_entropy_credentials_supported' 32*9c5db199SXin Li 33*9c5db199SXin Li 34*9c5db199SXin Lidef get_user_hash(user): 35*9c5db199SXin Li """Get the user hash for the given user.""" 36*9c5db199SXin Li return utils.system_output(['cryptohome', '--action=obfuscate_user', 37*9c5db199SXin Li '--user=%s' % user]) 38*9c5db199SXin Li 39*9c5db199SXin Li 40*9c5db199SXin Lidef user_path(user): 41*9c5db199SXin Li """Get the user mount point for the given user.""" 42*9c5db199SXin Li return utils.system_output(['cryptohome-path', 'user', user]) 43*9c5db199SXin Li 44*9c5db199SXin Li 45*9c5db199SXin Lidef system_path(user): 46*9c5db199SXin Li """Get the system mount point for the given user.""" 47*9c5db199SXin Li return utils.system_output(['cryptohome-path', 'system', user]) 48*9c5db199SXin Li 49*9c5db199SXin Li 50*9c5db199SXin Lidef temporary_mount_path(user): 51*9c5db199SXin Li """Get the vault mount path used during crypto-migration for the user. 52*9c5db199SXin Li 53*9c5db199SXin Li @param user: user the temporary mount should be for 54*9c5db199SXin Li """ 55*9c5db199SXin Li return TEMP_MOUNT_PATTERN % (get_user_hash(user)) 56*9c5db199SXin Li 57*9c5db199SXin Li 58*9c5db199SXin Lidef vault_path(user): 59*9c5db199SXin Li """ Get the vault path for the given user. 60*9c5db199SXin Li 61*9c5db199SXin Li @param user: The user who's vault path should be returned. 62*9c5db199SXin Li """ 63*9c5db199SXin Li return VAULT_PATH_PATTERN % (get_user_hash(user)) 64*9c5db199SXin Li 65*9c5db199SXin Li 66*9c5db199SXin Lidef ensure_clean_cryptohome_for(user, password=None): 67*9c5db199SXin Li """Ensure a fresh cryptohome exists for user. 68*9c5db199SXin Li 69*9c5db199SXin Li @param user: user who needs a shiny new cryptohome. 70*9c5db199SXin Li @param password: if unset, a random password will be used. 71*9c5db199SXin Li """ 72*9c5db199SXin Li if not password: 73*9c5db199SXin Li password = ''.join(random.sample(string.ascii_lowercase, 6)) 74*9c5db199SXin Li unmount_vault(user) 75*9c5db199SXin Li remove_vault(user) 76*9c5db199SXin Li mount_vault(user, password, create=True) 77*9c5db199SXin Li 78*9c5db199SXin Li 79*9c5db199SXin Lidef get_tpm_password(): 80*9c5db199SXin Li """Get the TPM password. 81*9c5db199SXin Li 82*9c5db199SXin Li Returns: 83*9c5db199SXin Li A TPM password 84*9c5db199SXin Li """ 85*9c5db199SXin Li out = run_cmd(TPM_MANAGER_CMD + ' status') 86*9c5db199SXin Li match = re.search('owner_password: (\w*)', out) 87*9c5db199SXin Li password = '' 88*9c5db199SXin Li if match: 89*9c5db199SXin Li hex_pass = match.group(1) 90*9c5db199SXin Li password = ''.join( 91*9c5db199SXin Li chr(int(hex_pass[i:i + 2], 16)) 92*9c5db199SXin Li for i in range(0, len(hex_pass), 2)) 93*9c5db199SXin Li return password 94*9c5db199SXin Li 95*9c5db199SXin Li 96*9c5db199SXin Lidef get_fwmp(cleared_fwmp=False): 97*9c5db199SXin Li """Get the firmware management parameters. 98*9c5db199SXin Li 99*9c5db199SXin Li Args: 100*9c5db199SXin Li cleared_fwmp: True if the space should not exist. 101*9c5db199SXin Li 102*9c5db199SXin Li Returns: 103*9c5db199SXin Li The dictionary with the FWMP contents, for example: 104*9c5db199SXin Li { 'flags': 0xbb41, 105*9c5db199SXin Li 'developer_key_hash': 106*9c5db199SXin Li "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\ 107*9c5db199SXin Li 000\000\000\000\000\000\000\000\000\000\000", 108*9c5db199SXin Li } 109*9c5db199SXin Li or a dictionary with the Error if the FWMP doesn't exist and 110*9c5db199SXin Li cleared_fwmp is True 111*9c5db199SXin Li { 'error': 'CRYPTOHOME_ERROR_FIRMWARE_MANAGEMENT_PARAMETERS_INVALID' } 112*9c5db199SXin Li 113*9c5db199SXin Li Raises: 114*9c5db199SXin Li ChromiumOSError if any expected field is not found in the cryptohome 115*9c5db199SXin Li output. This would typically happen when FWMP state does not match 116*9c5db199SXin Li 'cleared_fwmp' 117*9c5db199SXin Li """ 118*9c5db199SXin Li out = run_cmd(CRYPTOHOME_CMD + 119*9c5db199SXin Li ' --action=get_firmware_management_parameters') 120*9c5db199SXin Li 121*9c5db199SXin Li if cleared_fwmp: 122*9c5db199SXin Li if tpm_utils.FwmpIsAllZero(out): 123*9c5db199SXin Li return {} 124*9c5db199SXin Li fields = ['error'] 125*9c5db199SXin Li else: 126*9c5db199SXin Li fields = ['flags', 'developer_key_hash'] 127*9c5db199SXin Li 128*9c5db199SXin Li status = {} 129*9c5db199SXin Li for field in fields: 130*9c5db199SXin Li match = re.search('%s: (\S+)\s' % field, out) 131*9c5db199SXin Li if not match: 132*9c5db199SXin Li raise ChromiumOSError('Invalid FWMP field %s: "%s".' % 133*9c5db199SXin Li (field, out)) 134*9c5db199SXin Li status[field] = match.group(1).strip() 135*9c5db199SXin Li return status 136*9c5db199SXin Li 137*9c5db199SXin Li 138*9c5db199SXin Lidef set_fwmp(flags, developer_key_hash=None): 139*9c5db199SXin Li """Set the firmware management parameter contents. 140*9c5db199SXin Li 141*9c5db199SXin Li Args: 142*9c5db199SXin Li developer_key_hash: a string with the developer key hash 143*9c5db199SXin Li 144*9c5db199SXin Li Raises: 145*9c5db199SXin Li ChromiumOSError cryptohome cannot set the FWMP contents 146*9c5db199SXin Li """ 147*9c5db199SXin Li cmd = (CRYPTOHOME_CMD + 148*9c5db199SXin Li ' --action=set_firmware_management_parameters ' 149*9c5db199SXin Li '--flags=' + flags) 150*9c5db199SXin Li if developer_key_hash: 151*9c5db199SXin Li cmd += ' --developer_key_hash=' + developer_key_hash 152*9c5db199SXin Li 153*9c5db199SXin Li out = run_cmd(cmd) 154*9c5db199SXin Li if 'SetFirmwareManagementParameters success' not in out: 155*9c5db199SXin Li raise ChromiumOSError('failed to set FWMP: %s' % out) 156*9c5db199SXin Li 157*9c5db199SXin Li 158*9c5db199SXin Lidef is_tpm_lockout_in_effect(): 159*9c5db199SXin Li """Returns true if the TPM lockout is in effect; false otherwise.""" 160*9c5db199SXin Li status = get_tpm_da_info() 161*9c5db199SXin Li return status.get('dictionary_attack_lockout_in_effect', None) 162*9c5db199SXin Li 163*9c5db199SXin Li 164*9c5db199SXin Lidef get_login_status(): 165*9c5db199SXin Li """Query the login status 166*9c5db199SXin Li 167*9c5db199SXin Li Returns: 168*9c5db199SXin Li A login status dictionary containing: 169*9c5db199SXin Li { 'owner_user_exists': True|False } 170*9c5db199SXin Li """ 171*9c5db199SXin Li out = run_cmd(CRYPTOHOME_CMD + ' --action=get_login_status') 172*9c5db199SXin Li status = {} 173*9c5db199SXin Li for field in ['owner_user_exists']: 174*9c5db199SXin Li match = re.search('%s: (true|false)' % field, out) 175*9c5db199SXin Li if not match: 176*9c5db199SXin Li raise ChromiumOSError('Invalid login status: "%s".' % out) 177*9c5db199SXin Li status[field] = match.group(1) == 'true' 178*9c5db199SXin Li return status 179*9c5db199SXin Li 180*9c5db199SXin Li 181*9c5db199SXin Lidef get_install_attribute_status(): 182*9c5db199SXin Li """Query the install attribute status 183*9c5db199SXin Li 184*9c5db199SXin Li Returns: 185*9c5db199SXin Li A status string, which could be: 186*9c5db199SXin Li "UNKNOWN" 187*9c5db199SXin Li "TPM_NOT_OWNED" 188*9c5db199SXin Li "FIRST_INSTALL" 189*9c5db199SXin Li "VALID" 190*9c5db199SXin Li "INVALID" 191*9c5db199SXin Li """ 192*9c5db199SXin Li out = run_cmd(CRYPTOHOME_CMD + ' --action=install_attributes_get_status') 193*9c5db199SXin Li return out.strip() 194*9c5db199SXin Li 195*9c5db199SXin Li 196*9c5db199SXin Lidef lock_install_attributes(attrs): 197*9c5db199SXin Li """Set and lock install attributes for the device. 198*9c5db199SXin Li 199*9c5db199SXin Li @param attrs: dict of install attributes. 200*9c5db199SXin Li """ 201*9c5db199SXin Li 202*9c5db199SXin Li take_tpm_ownership() 203*9c5db199SXin Li wait_for_install_attributes_ready() 204*9c5db199SXin Li for name, value in attrs.items(): 205*9c5db199SXin Li args = [ 206*9c5db199SXin Li CRYPTOHOME_CMD, '--action=install_attributes_set', 207*9c5db199SXin Li '--name="%s"' % name, 208*9c5db199SXin Li '--value="%s"' % value 209*9c5db199SXin Li ] 210*9c5db199SXin Li cmd = ' '.join(args) 211*9c5db199SXin Li if (utils.system(cmd, ignore_status=True) != 0): 212*9c5db199SXin Li return False 213*9c5db199SXin Li 214*9c5db199SXin Li out = run_cmd(CRYPTOHOME_CMD + ' --action=install_attributes_finalize') 215*9c5db199SXin Li return (out.strip() == 'InstallAttributesFinalize(): 1') 216*9c5db199SXin Li 217*9c5db199SXin Li 218*9c5db199SXin Lidef wait_for_install_attributes_ready(): 219*9c5db199SXin Li """Wait until install attributes are ready. 220*9c5db199SXin Li """ 221*9c5db199SXin Li cmd = CRYPTOHOME_CMD + ' --action=install_attributes_is_ready' 222*9c5db199SXin Li utils.poll_for_condition( 223*9c5db199SXin Li lambda: run_cmd(cmd).strip() == 'InstallAttributesIsReady(): 1', 224*9c5db199SXin Li timeout=300, 225*9c5db199SXin Li exception=error.TestError( 226*9c5db199SXin Li 'Timeout waiting for install attributes to be ready')) 227*9c5db199SXin Li 228*9c5db199SXin Li 229*9c5db199SXin Lidef get_tpm_attestation_status(): 230*9c5db199SXin Li """Get the TPM attestation status. Works similar to get_tpm_status(). 231*9c5db199SXin Li """ 232*9c5db199SXin Li out = run_cmd(ATTESTATION_CMD + ' status') 233*9c5db199SXin Li status = {} 234*9c5db199SXin Li for field in ['prepared_for_enrollment', 'enrolled']: 235*9c5db199SXin Li match = re.search('%s: (true|false)' % field, out) 236*9c5db199SXin Li if not match: 237*9c5db199SXin Li raise ChromiumOSError('Invalid attestation status: "%s".' % out) 238*9c5db199SXin Li status[field] = match.group(1) == 'true' 239*9c5db199SXin Li return status 240*9c5db199SXin Li 241*9c5db199SXin Li 242*9c5db199SXin Lidef take_tpm_ownership(wait_for_ownership=True): 243*9c5db199SXin Li """Take TPM ownership. 244*9c5db199SXin Li 245*9c5db199SXin Li Args: 246*9c5db199SXin Li wait_for_ownership: block until TPM is owned if true 247*9c5db199SXin Li """ 248*9c5db199SXin Li run_cmd(CRYPTOHOME_CMD + ' --action=tpm_take_ownership') 249*9c5db199SXin Li if wait_for_ownership: 250*9c5db199SXin Li # Note that waiting for the 'Ready' flag is more correct than waiting 251*9c5db199SXin Li # for the 'Owned' flag, as the latter is set by cryptohomed before some 252*9c5db199SXin Li # of the ownership tasks are completed. 253*9c5db199SXin Li utils.poll_for_condition( 254*9c5db199SXin Li lambda: get_tpm_status()['Ready'], 255*9c5db199SXin Li timeout=300, 256*9c5db199SXin Li exception=error.TestError('Timeout waiting for TPM ownership')) 257*9c5db199SXin Li 258*9c5db199SXin Li 259*9c5db199SXin Lidef verify_ek(): 260*9c5db199SXin Li """Verify the TPM endorsement key. 261*9c5db199SXin Li 262*9c5db199SXin Li Returns true if EK is valid. 263*9c5db199SXin Li """ 264*9c5db199SXin Li cmd = CRYPTOHOME_CMD + ' --action=tpm_verify_ek' 265*9c5db199SXin Li return (utils.system(cmd, ignore_status=True) == 0) 266*9c5db199SXin Li 267*9c5db199SXin Li 268*9c5db199SXin Lidef remove_vault(user): 269*9c5db199SXin Li """Remove the given user's vault from the shadow directory.""" 270*9c5db199SXin Li logging.debug('user is %s', user) 271*9c5db199SXin Li user_hash = get_user_hash(user) 272*9c5db199SXin Li logging.debug('Removing vault for user %s with hash %s', user, user_hash) 273*9c5db199SXin Li cmd = CRYPTOHOME_CMD + ' --action=remove --force --user=%s' % user 274*9c5db199SXin Li run_cmd(cmd) 275*9c5db199SXin Li # Ensure that the vault does not exist. 276*9c5db199SXin Li if os.path.exists(os.path.join(constants.SHADOW_ROOT, user_hash)): 277*9c5db199SXin Li raise ChromiumOSError('Cryptohome could not remove the user\'s vault.') 278*9c5db199SXin Li 279*9c5db199SXin Li 280*9c5db199SXin Lidef remove_all_vaults(): 281*9c5db199SXin Li """Remove any existing vaults from the shadow directory. 282*9c5db199SXin Li 283*9c5db199SXin Li This function must be run with root privileges. 284*9c5db199SXin Li """ 285*9c5db199SXin Li for item in os.listdir(constants.SHADOW_ROOT): 286*9c5db199SXin Li abs_item = os.path.join(constants.SHADOW_ROOT, item) 287*9c5db199SXin Li if os.path.isdir(os.path.join(abs_item, 'vault')): 288*9c5db199SXin Li logging.debug('Removing vault for user with hash %s', item) 289*9c5db199SXin Li shutil.rmtree(abs_item) 290*9c5db199SXin Li 291*9c5db199SXin Li 292*9c5db199SXin Lidef mount_vault(user, password, create=False, key_label=None): 293*9c5db199SXin Li """Mount the given user's vault. Mounts should be created by calling this 294*9c5db199SXin Li function with create=True, and can be used afterwards with create=False. 295*9c5db199SXin Li Only try to mount existing vaults created with this function. 296*9c5db199SXin Li 297*9c5db199SXin Li """ 298*9c5db199SXin Li args = [CRYPTOHOME_CMD, '--action=mount_ex', '--user=%s' % user, 299*9c5db199SXin Li '--password=%s' % password, '--async'] 300*9c5db199SXin Li if create: 301*9c5db199SXin Li args += ['--create'] 302*9c5db199SXin Li if key_label is None: 303*9c5db199SXin Li key_label = 'bar' 304*9c5db199SXin Li if key_label is not None: 305*9c5db199SXin Li args += ['--key_label=%s' % key_label] 306*9c5db199SXin Li logging.info(run_cmd(' '.join(args))) 307*9c5db199SXin Li # Ensure that the vault exists in the shadow directory. 308*9c5db199SXin Li user_hash = get_user_hash(user) 309*9c5db199SXin Li if not os.path.exists(os.path.join(constants.SHADOW_ROOT, user_hash)): 310*9c5db199SXin Li retry = 0 311*9c5db199SXin Li mounted = False 312*9c5db199SXin Li while retry < MOUNT_RETRY_COUNT and not mounted: 313*9c5db199SXin Li time.sleep(1) 314*9c5db199SXin Li logging.info("Retry %s", str(retry + 1)) 315*9c5db199SXin Li run_cmd(' '.join(args)) 316*9c5db199SXin Li # TODO: Remove this additional call to get_user_hash(user) when 317*9c5db199SXin Li # crbug.com/690994 is fixed 318*9c5db199SXin Li user_hash = get_user_hash(user) 319*9c5db199SXin Li if os.path.exists(os.path.join(constants.SHADOW_ROOT, user_hash)): 320*9c5db199SXin Li mounted = True 321*9c5db199SXin Li retry += 1 322*9c5db199SXin Li if not mounted: 323*9c5db199SXin Li raise ChromiumOSError('Cryptohome vault not found after mount.') 324*9c5db199SXin Li # Ensure that the vault is mounted. 325*9c5db199SXin Li if not is_permanent_vault_mounted(user=user, allow_fail=True): 326*9c5db199SXin Li raise ChromiumOSError('Cryptohome created a vault but did not mount.') 327*9c5db199SXin Li 328*9c5db199SXin Li 329*9c5db199SXin Lidef mount_guest(): 330*9c5db199SXin Li """Mount the guest vault.""" 331*9c5db199SXin Li args = [CRYPTOHOME_CMD, '--action=mount_guest_ex'] 332*9c5db199SXin Li logging.info(run_cmd(' '.join(args))) 333*9c5db199SXin Li # Ensure that the guest vault is mounted. 334*9c5db199SXin Li if not is_guest_vault_mounted(allow_fail=True): 335*9c5db199SXin Li raise ChromiumOSError('Cryptohome did not mount guest vault.') 336*9c5db199SXin Li 337*9c5db199SXin Li 338*9c5db199SXin Lidef test_auth(user, password): 339*9c5db199SXin Li """Test key auth.""" 340*9c5db199SXin Li cmd = [CRYPTOHOME_CMD, '--action=check_key_ex', '--user=%s' % user, 341*9c5db199SXin Li '--password=%s' % password, '--async'] 342*9c5db199SXin Li out = run_cmd(' '.join(cmd)) 343*9c5db199SXin Li logging.info(out) 344*9c5db199SXin Li return 'Key authenticated.' in out 345*9c5db199SXin Li 346*9c5db199SXin Li 347*9c5db199SXin Lidef add_le_key(user, password, new_password, new_key_label): 348*9c5db199SXin Li """Add low entropy key.""" 349*9c5db199SXin Li args = [CRYPTOHOME_CMD, '--action=add_key_ex', '--key_policy=le', 350*9c5db199SXin Li '--user=%s' % user, '--password=%s' % password, 351*9c5db199SXin Li '--new_key_label=%s' % new_key_label, 352*9c5db199SXin Li '--new_password=%s' % new_password] 353*9c5db199SXin Li logging.info(run_cmd(' '.join(args))) 354*9c5db199SXin Li 355*9c5db199SXin Li 356*9c5db199SXin Lidef remove_key(user, password, remove_key_label): 357*9c5db199SXin Li """Remove a key.""" 358*9c5db199SXin Li args = [CRYPTOHOME_CMD, '--action=remove_key_ex', '--user=%s' % user, 359*9c5db199SXin Li '--password=%s' % password, 360*9c5db199SXin Li '--remove_key_label=%s' % remove_key_label] 361*9c5db199SXin Li logging.info(run_cmd(' '.join(args))) 362*9c5db199SXin Li 363*9c5db199SXin Li 364*9c5db199SXin Lidef get_supported_key_policies(host=None): 365*9c5db199SXin Li """Get supported key policies.""" 366*9c5db199SXin Li args = [CRYPTOHOME_CMD, '--action=get_supported_key_policies'] 367*9c5db199SXin Li if host is not None: 368*9c5db199SXin Li out = host.run(args).stdout 369*9c5db199SXin Li else: 370*9c5db199SXin Li out = run_cmd(' '.join(args)) 371*9c5db199SXin Li logging.info(out) 372*9c5db199SXin Li policies = {} 373*9c5db199SXin Li for line in out.splitlines(): 374*9c5db199SXin Li match = re.search('([^:]+): (true|false)', line.strip()) 375*9c5db199SXin Li if match: 376*9c5db199SXin Li policies[match.group(1)] = match.group(2) == 'true' 377*9c5db199SXin Li return policies 378*9c5db199SXin Li 379*9c5db199SXin Li 380*9c5db199SXin Lidef is_low_entropy_credentials_supported(host=None): 381*9c5db199SXin Li """ Returns True if low entropy credentials are supported.""" 382*9c5db199SXin Li key_policies = get_supported_key_policies(host) 383*9c5db199SXin Li return LEC_KEY in key_policies and key_policies[LEC_KEY] 384*9c5db199SXin Li 385*9c5db199SXin Li 386*9c5db199SXin Lidef unmount_vault(user=None): 387*9c5db199SXin Li """Unmount the given user's vault. 388*9c5db199SXin Li 389*9c5db199SXin Li Once unmounting for a specific user is supported, the user parameter will 390*9c5db199SXin Li name the target user. See crosbug.com/20778. 391*9c5db199SXin Li """ 392*9c5db199SXin Li run_cmd(CRYPTOHOME_CMD + ' --action=unmount') 393*9c5db199SXin Li # Ensure that the vault is not mounted. 394*9c5db199SXin Li if user is not None and is_vault_mounted(user, allow_fail=True): 395*9c5db199SXin Li raise ChromiumOSError('Cryptohome did not unmount the user.') 396*9c5db199SXin Li 397*9c5db199SXin Li 398*9c5db199SXin Lidef __get_mount_info(mount_point, allow_fail=False): 399*9c5db199SXin Li """Get information about the active mount at a given mount point.""" 400*9c5db199SXin Li cryptohomed_path = '/proc/$(pgrep cryptohomed)/mounts' 401*9c5db199SXin Li # 'cryptohome-namespace-mounter' is currently only used for Guest sessions. 402*9c5db199SXin Li mounter_exe = 'cryptohome-namespace-mounter' 403*9c5db199SXin Li mounter_pid = 'pgrep -o -f %s' % mounter_exe 404*9c5db199SXin Li mounter_path = '/proc/$(%s)/mounts' % mounter_pid 405*9c5db199SXin Li 406*9c5db199SXin Li status = utils.system(mounter_pid, ignore_status=True) 407*9c5db199SXin Li # Only check for these mounts if the mounter executable is running. 408*9c5db199SXin Li if status == 0: 409*9c5db199SXin Li try: 410*9c5db199SXin Li logging.debug('Active %s mounts:\n' % mounter_exe + 411*9c5db199SXin Li utils.system_output('cat %s' % mounter_path)) 412*9c5db199SXin Li ns_mount_line = utils.system_output( 413*9c5db199SXin Li 'grep %s %s' % (mount_point, mounter_path), 414*9c5db199SXin Li ignore_status=allow_fail) 415*9c5db199SXin Li except Exception as e: 416*9c5db199SXin Li logging.error(e) 417*9c5db199SXin Li raise ChromiumOSError('Could not get info about cryptohome vault ' 418*9c5db199SXin Li 'through %s. See logs for complete ' 419*9c5db199SXin Li 'mount-point.' 420*9c5db199SXin Li % os.path.dirname(str(mount_point))) 421*9c5db199SXin Li return ns_mount_line.split() 422*9c5db199SXin Li 423*9c5db199SXin Li try: 424*9c5db199SXin Li logging.debug('Active cryptohome mounts:\n%s', 425*9c5db199SXin Li utils.system_output('cat %s' % cryptohomed_path)) 426*9c5db199SXin Li mount_line = utils.system_output( 427*9c5db199SXin Li 'grep %s %s' % (mount_point, cryptohomed_path), 428*9c5db199SXin Li ignore_status=allow_fail) 429*9c5db199SXin Li except Exception as e: 430*9c5db199SXin Li logging.error(e) 431*9c5db199SXin Li raise ChromiumOSError('Could not get info about cryptohome vault ' 432*9c5db199SXin Li 'through %s. See logs for complete mount-point.' 433*9c5db199SXin Li % os.path.dirname(str(mount_point))) 434*9c5db199SXin Li return mount_line.split() 435*9c5db199SXin Li 436*9c5db199SXin Li 437*9c5db199SXin Lidef __get_user_mount_info(user, allow_fail=False): 438*9c5db199SXin Li """Get information about the active mounts for a given user. 439*9c5db199SXin Li 440*9c5db199SXin Li Returns the active mounts at the user's user and system mount points. If no 441*9c5db199SXin Li user is given, the active mount at the shared mount point is returned 442*9c5db199SXin Li (regular users have a bind-mount at this mount point for backwards 443*9c5db199SXin Li compatibility; the guest user has a mount at this mount point only). 444*9c5db199SXin Li """ 445*9c5db199SXin Li return [__get_mount_info(mount_point=user_path(user), 446*9c5db199SXin Li allow_fail=allow_fail), 447*9c5db199SXin Li __get_mount_info(mount_point=system_path(user), 448*9c5db199SXin Li allow_fail=allow_fail)] 449*9c5db199SXin Li 450*9c5db199SXin Li 451*9c5db199SXin Lidef is_vault_mounted(user, regexes=None, allow_fail=False): 452*9c5db199SXin Li """Check whether a vault is mounted for the given user. 453*9c5db199SXin Li 454*9c5db199SXin Li user: If no user is given, the shared mount point is checked, determining 455*9c5db199SXin Li whether a vault is mounted for any user. 456*9c5db199SXin Li regexes: dictionary of regexes to matches against the mount information. 457*9c5db199SXin Li The mount filesystem for the user's user and system mounts point must 458*9c5db199SXin Li match one of the keys. 459*9c5db199SXin Li The mount source point must match the selected device regex. 460*9c5db199SXin Li 461*9c5db199SXin Li In addition, if mounted over ext4, we check the directory is encrypted. 462*9c5db199SXin Li """ 463*9c5db199SXin Li if regexes is None: 464*9c5db199SXin Li regexes = { 465*9c5db199SXin Li constants.CRYPTOHOME_FS_REGEX_ANY : 466*9c5db199SXin Li constants.CRYPTOHOME_DEV_REGEX_ANY 467*9c5db199SXin Li } 468*9c5db199SXin Li user_mount_info = __get_user_mount_info(user=user, allow_fail=allow_fail) 469*9c5db199SXin Li for mount_info in user_mount_info: 470*9c5db199SXin Li # Look at each /proc/../mount lines that match mount point for a given 471*9c5db199SXin Li # user user/system mount (/home/user/.... /home/root/...) 472*9c5db199SXin Li 473*9c5db199SXin Li # We should have at least 3 arguments (source, mount, type of mount) 474*9c5db199SXin Li if len(mount_info) < 3: 475*9c5db199SXin Li return False 476*9c5db199SXin Li 477*9c5db199SXin Li device_regex = None 478*9c5db199SXin Li for fs_regex in regexes.keys(): 479*9c5db199SXin Li if re.match(fs_regex, mount_info[2]): 480*9c5db199SXin Li device_regex = regexes[fs_regex] 481*9c5db199SXin Li break 482*9c5db199SXin Li 483*9c5db199SXin Li if not device_regex: 484*9c5db199SXin Li # The third argument in not the expected mount point type. 485*9c5db199SXin Li return False 486*9c5db199SXin Li 487*9c5db199SXin Li # Check if the mount source match the device regex: it can be loose, 488*9c5db199SXin Li # (anything) or stricter if we expect guest filesystem. 489*9c5db199SXin Li if not re.match(device_regex, mount_info[0]): 490*9c5db199SXin Li return False 491*9c5db199SXin Li 492*9c5db199SXin Li return True 493*9c5db199SXin Li 494*9c5db199SXin Li 495*9c5db199SXin Lidef is_guest_vault_mounted(allow_fail=False): 496*9c5db199SXin Li """Check whether a vault is mounted for the guest user. 497*9c5db199SXin Li It should be a mount of an ext4 partition on a loop device 498*9c5db199SXin Li or be backed by tmpfs. 499*9c5db199SXin Li """ 500*9c5db199SXin Li return is_vault_mounted( 501*9c5db199SXin Li user=GUEST_USER_NAME, 502*9c5db199SXin Li regexes={ 503*9c5db199SXin Li # Remove tmpfs support when it becomes unnecessary as all guest 504*9c5db199SXin Li # modes will use ext4 on a loop device. 505*9c5db199SXin Li constants.CRYPTOHOME_FS_REGEX_EXT4: 506*9c5db199SXin Li constants.CRYPTOHOME_DEV_REGEX_LOOP_DEVICE, 507*9c5db199SXin Li constants.CRYPTOHOME_FS_REGEX_TMPFS: 508*9c5db199SXin Li constants.CRYPTOHOME_DEV_REGEX_GUEST, 509*9c5db199SXin Li }, 510*9c5db199SXin Li allow_fail=allow_fail) 511*9c5db199SXin Li 512*9c5db199SXin Li 513*9c5db199SXin Lidef is_permanent_vault_mounted(user, allow_fail=False): 514*9c5db199SXin Li """Check if user is mounted over ecryptfs or ext4 crypto. """ 515*9c5db199SXin Li return is_vault_mounted( 516*9c5db199SXin Li user=user, 517*9c5db199SXin Li regexes={ 518*9c5db199SXin Li constants.CRYPTOHOME_FS_REGEX_ECRYPTFS: 519*9c5db199SXin Li constants.CRYPTOHOME_DEV_REGEX_REGULAR_USER_SHADOW, 520*9c5db199SXin Li constants.CRYPTOHOME_FS_REGEX_EXT4: 521*9c5db199SXin Li constants.CRYPTOHOME_DEV_REGEX_REGULAR_USER_DEVICE, 522*9c5db199SXin Li }, 523*9c5db199SXin Li allow_fail=allow_fail) 524*9c5db199SXin Li 525*9c5db199SXin Li 526*9c5db199SXin Lidef get_mounted_vault_path(user, allow_fail=False): 527*9c5db199SXin Li """Get the path where the decrypted data for the user is located.""" 528*9c5db199SXin Li return os.path.join(constants.SHADOW_ROOT, get_user_hash(user), 'mount') 529*9c5db199SXin Li 530*9c5db199SXin Li 531*9c5db199SXin Lidef canonicalize(credential): 532*9c5db199SXin Li """Perform basic canonicalization of |email_address|. 533*9c5db199SXin Li 534*9c5db199SXin Li Perform basic canonicalization of |email_address|, taking into account that 535*9c5db199SXin Li gmail does not consider '.' or caps inside a username to matter. It also 536*9c5db199SXin Li ignores everything after a '+'. For example, 537*9c5db199SXin Li [email protected] == [email protected], per 538*9c5db199SXin Li http://mail.google.com/support/bin/answer.py?hl=en&ctx=mail&answer=10313 539*9c5db199SXin Li """ 540*9c5db199SXin Li if not credential: 541*9c5db199SXin Li return None 542*9c5db199SXin Li 543*9c5db199SXin Li parts = credential.split('@') 544*9c5db199SXin Li if len(parts) != 2: 545*9c5db199SXin Li raise error.TestError('Malformed email: ' + credential) 546*9c5db199SXin Li 547*9c5db199SXin Li (name, domain) = parts 548*9c5db199SXin Li name = name.partition('+')[0] 549*9c5db199SXin Li if (domain == constants.SPECIAL_CASE_DOMAIN): 550*9c5db199SXin Li name = name.replace('.', '') 551*9c5db199SXin Li return '@'.join([name, domain]).lower() 552*9c5db199SXin Li 553*9c5db199SXin Li 554*9c5db199SXin Lidef crash_cryptohomed(): 555*9c5db199SXin Li """Let cryptohome crash.""" 556*9c5db199SXin Li # Try to kill cryptohomed so we get something to work with. 557*9c5db199SXin Li pid = run_cmd('pgrep cryptohomed') 558*9c5db199SXin Li try: 559*9c5db199SXin Li pid = int(pid) 560*9c5db199SXin Li except ValueError as e: # empty or invalid string 561*9c5db199SXin Li raise error.TestError('Cryptohomed was not running') 562*9c5db199SXin Li utils.system('kill -ABRT %d' % pid) 563*9c5db199SXin Li # CONT just in case cryptohomed had a spurious STOP. 564*9c5db199SXin Li utils.system('kill -CONT %d' % pid) 565*9c5db199SXin Li utils.poll_for_condition( 566*9c5db199SXin Li lambda: utils.system('ps -p %d' % pid, 567*9c5db199SXin Li ignore_status=True) != 0, 568*9c5db199SXin Li timeout=180, 569*9c5db199SXin Li exception=error.TestError( 570*9c5db199SXin Li 'Timeout waiting for cryptohomed to coredump')) 571*9c5db199SXin Li 572*9c5db199SXin Li 573*9c5db199SXin Lidef create_ecryptfs_homedir(user, password): 574*9c5db199SXin Li """Creates a new home directory as ecryptfs. 575*9c5db199SXin Li 576*9c5db199SXin Li If a home directory for the user exists already, it will be removed. 577*9c5db199SXin Li The resulting home directory will be mounted. 578*9c5db199SXin Li 579*9c5db199SXin Li @param user: Username to create the home directory for. 580*9c5db199SXin Li @param password: Password to use when creating the home directory. 581*9c5db199SXin Li """ 582*9c5db199SXin Li unmount_vault(user) 583*9c5db199SXin Li remove_vault(user) 584*9c5db199SXin Li args = [ 585*9c5db199SXin Li CRYPTOHOME_CMD, 586*9c5db199SXin Li '--action=mount_ex', 587*9c5db199SXin Li '--user=%s' % user, 588*9c5db199SXin Li '--password=%s' % password, 589*9c5db199SXin Li '--key_label=foo', 590*9c5db199SXin Li '--ecryptfs', 591*9c5db199SXin Li '--create'] 592*9c5db199SXin Li logging.info(run_cmd(' '.join(args))) 593*9c5db199SXin Li if not is_vault_mounted( 594*9c5db199SXin Li user, 595*9c5db199SXin Li regexes={ 596*9c5db199SXin Li constants.CRYPTOHOME_FS_REGEX_ECRYPTFS: 597*9c5db199SXin Li constants.CRYPTOHOME_DEV_REGEX_REGULAR_USER_SHADOW 598*9c5db199SXin Li }, 599*9c5db199SXin Li allow_fail=True): 600*9c5db199SXin Li raise ChromiumOSError('Ecryptfs home could not be created') 601*9c5db199SXin Li 602*9c5db199SXin Li 603*9c5db199SXin Lidef do_dircrypto_migration(user, password, timeout=600): 604*9c5db199SXin Li """Start dircrypto migration for the user. 605*9c5db199SXin Li 606*9c5db199SXin Li @param user: The user to migrate. 607*9c5db199SXin Li @param password: The password used to mount the users vault 608*9c5db199SXin Li @param timeout: How long in seconds to wait for the migration to finish 609*9c5db199SXin Li before failing. 610*9c5db199SXin Li """ 611*9c5db199SXin Li unmount_vault(user) 612*9c5db199SXin Li args = [ 613*9c5db199SXin Li CRYPTOHOME_CMD, 614*9c5db199SXin Li '--action=mount_ex', 615*9c5db199SXin Li '--to_migrate_from_ecryptfs', 616*9c5db199SXin Li '--user=%s' % user, 617*9c5db199SXin Li '--password=%s' % password] 618*9c5db199SXin Li logging.info(run_cmd(' '.join(args))) 619*9c5db199SXin Li if not __get_mount_info(temporary_mount_path(user), allow_fail=True): 620*9c5db199SXin Li raise ChromiumOSError('Failed to mount home for migration') 621*9c5db199SXin Li args = [CRYPTOHOME_CMD, '--action=migrate_to_dircrypto', '--user=%s' % user] 622*9c5db199SXin Li logging.info(run_cmd(' '.join(args))) 623*9c5db199SXin Li utils.poll_for_condition( 624*9c5db199SXin Li lambda: not __get_mount_info( 625*9c5db199SXin Li temporary_mount_path(user), allow_fail=True), 626*9c5db199SXin Li timeout=timeout, 627*9c5db199SXin Li exception=error.TestError( 628*9c5db199SXin Li 'Timeout waiting for dircrypto migration to finish')) 629*9c5db199SXin Li 630*9c5db199SXin Li 631*9c5db199SXin Lidef change_password(user, password, new_password): 632*9c5db199SXin Li """Change user password.""" 633*9c5db199SXin Li args = [ 634*9c5db199SXin Li CRYPTOHOME_CMD, 635*9c5db199SXin Li '--action=migrate_key_ex', 636*9c5db199SXin Li '--user=%s' % user, 637*9c5db199SXin Li '--old_password=%s' % password, 638*9c5db199SXin Li '--password=%s' % new_password] 639*9c5db199SXin Li out = run_cmd(' '.join(args)) 640*9c5db199SXin Li logging.info(out) 641*9c5db199SXin Li if 'Key migration succeeded.' not in out: 642*9c5db199SXin Li raise ChromiumOSError('Key migration failed.') 643