* [PATCH v7 8/8] auto-t: add test for encrypted profiles
@ 2022-02-10 22:58 James Prestwood
  0 siblings, 0 replies; only message in thread
From: James Prestwood @ 2022-02-10 22:58 UTC (permalink / raw)
  To: iwd

[-- Attachment #1: Type: text/plain, Size: 7253 bytes --]

---
 .../testEncryptedProfiles/connection_test.py  | 154 ++++++++++++++++++
 autotests/testEncryptedProfiles/hw.conf       |   6 +
 autotests/testEncryptedProfiles/iwd-secret    |   1 +
 autotests/testEncryptedProfiles/main.conf     |   2 +
 autotests/testEncryptedProfiles/ssidCCMP.conf |  10 ++
 autotests/testEncryptedProfiles/ssidCCMP.psk  |   2 +
 6 files changed, 175 insertions(+)
 create mode 100644 autotests/testEncryptedProfiles/connection_test.py
 create mode 100644 autotests/testEncryptedProfiles/hw.conf
 create mode 100644 autotests/testEncryptedProfiles/iwd-secret
 create mode 100644 autotests/testEncryptedProfiles/main.conf
 create mode 100644 autotests/testEncryptedProfiles/ssidCCMP.conf
 create mode 100644 autotests/testEncryptedProfiles/ssidCCMP.psk

diff --git a/autotests/testEncryptedProfiles/connection_test.py b/autotests/testEncryptedProfiles/connection_test.py
new file mode 100644
index 00000000..dd4892ca
--- /dev/null
+++ b/autotests/testEncryptedProfiles/connection_test.py
@@ -0,0 +1,154 @@
+#!/usr/bin/python3
+
+import unittest
+import sys
+
+sys.path.append('../util')
+import iwd
+import os
+from iwd import IWD
+from iwd import NetworkType
+from iwd import PSKAgent
+
+class Test(unittest.TestCase):
+    def profile_is_encrypted(self, profile):
+        with open('/tmp/iwd/' + profile) as f:
+            contents = f.read()
+
+        if 'Passphrase' in contents:
+            return False
+
+        return True
+
+    def validate(self, wd):
+        devices = wd.list_devices(1)
+        device = devices[0]
+
+        ordered_network = device.get_ordered_network('ssidCCMP')
+
+        self.assertEqual(ordered_network.type, NetworkType.psk)
+
+        condition = 'not obj.connected'
+        wd.wait_for_object_condition(ordered_network.network_object, condition)
+
+        ordered_network.network_object.connect()
+
+        condition = 'obj.state == DeviceState.connected'
+        wd.wait_for_object_condition(device, condition)
+
+        device.disconnect()
+
+        condition = 'not obj.connected'
+        wd.wait_for_object_condition(ordered_network.network_object, condition)
+
+    # Tests that an existing plaintext profile gets encrypted
+    def test_new_profile(self):
+        IWD.copy_to_storage('ssidCCMP.psk')
+
+        mtime = os.path.getmtime('/tmp/iwd/' + 'ssidCCMP.psk')
+        self.assertFalse(self.profile_is_encrypted('ssidCCMP.psk'))
+
+        wd = IWD(True)
+
+        # Make sure profile was accepted
+        condition = 'len(obj.list_known_networks()) == 1'
+        wd.wait_for_object_condition(wd, condition)
+
+        # Check the file was modified (should be encrypted now)
+        self.assertNotEqual(mtime, os.path.getmtime('/tmp/iwd/' + 'ssidCCMP.psk'))
+
+        self.validate(wd)
+
+        self.assertTrue(self.profile_is_encrypted('ssidCCMP.psk'))
+
+    # Tests that a new connection with agent gets written to an encrypted profile
+    def test_agent_profile(self):
+        wd = IWD(True)
+
+        psk_agent = PSKAgent("secret123")
+        wd.register_psk_agent(psk_agent)
+
+        with self.assertRaises(FileNotFoundError):
+            self.profile_is_encrypted('ssidCCMP.psk')
+
+        self.validate(wd)
+
+        self.assertTrue(self.profile_is_encrypted('ssidCCMP.psk'))
+
+        wd.unregister_psk_agent(psk_agent)
+
+    # Tests that an invalid profile gets re-written after an agent request
+    def test_invalid_profile_rewritten(self):
+        bad_config = '[Security]\nPassphrase=incorrect\n'
+        os.system('echo "%s" > /tmp/iwd/ssidCCMP.psk' % bad_config)
+
+        wd = IWD(True)
+
+        condition = 'len(obj.list_known_networks()) == 1'
+        wd.wait_for_object_condition(wd, condition)
+
+        # IWD should still encrypt the profile automatically
+        self.assertTrue(self.profile_is_encrypted('ssidCCMP.psk'))
+
+        # This should fail
+        with self.assertRaises(iwd.FailedEx):
+            self.validate(wd)
+
+        psk_agent = PSKAgent("secret123")
+        wd.register_psk_agent(psk_agent)
+
+        self.validate(wd)
+
+        self.assertTrue(self.profile_is_encrypted('ssidCCMP.psk'))
+
+    # Tests that a profile that doesn't decrypt wont become a known network
+    def test_decryption_failure(self):
+        bad_config = \
+'''
+[Security]
+EncryptedSalt=000102030405060708090a0b0c0d0e0f
+EncryptedSecurity=aabbccddeeff00112233445566778899
+'''
+        os.system('echo "%s" > /tmp/iwd/ssidCCMP.psk' % bad_config)
+
+        wd = IWD(True)
+
+        self.assertEqual(wd.list_known_networks(), [])
+
+    def test_runtime_profile(self):
+        wd = IWD(True)
+
+        self.assertEqual(wd.list_known_networks(), [])
+
+        # Add profile after IWD starts
+        IWD.copy_to_storage('ssidCCMP.psk')
+
+        self.validate(wd)
+
+        # Should now be encrypted
+        self.assertTrue(self.profile_is_encrypted('ssidCCMP.psk'))
+
+        with open('/tmp/iwd/ssidCCMP.psk') as f:
+            profile = f.read()
+
+        # Edit the profile, corrupting it
+        profile.replace('EncryptedSecurity=', 'EncryptedSecurity=00')
+
+        devices = wd.list_devices(1)
+        device = devices[0]
+        condition = 'obj.state == DeviceState.disconnected'
+        wd.wait_for_object_condition(device, condition)
+
+    def tearDown(self):
+        IWD.clear_storage()
+
+    @classmethod
+    def setUpClass(cls):
+        os.environ['CREDENTIALS_DIRECTORY'] = '/tmp'
+
+    @classmethod
+    def tearDownClass(cls):
+        IWD.clear_storage()
+
+if __name__ == '__main__':
+    unittest.main(exit=True)
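Review bot: In test_runtime_profile the step commented "Edit the profile, corrupting it" is a no-op: `profile.replace('EncryptedSecurity=', 'EncryptedSecurity=00')` discards its result and nothing is written back to /tmp/iwd/ssidCCMP.psk, so the final wait only observes the disconnected state that validate() already left behind. Assign the result and rewrite the file, e.g. `profile = profile.replace('EncryptedSecurity=', 'EncryptedSecurity=00')` followed by `with open('/tmp/iwd/ssidCCMP.psk', 'w') as f: f.write(profile)`, then assert the outcome expected for a tampered profile (presumably that it drops out of `wd.list_known_networks()`, as test_decryption_failure checks for an undecryptable one). Separately, profile_is_encrypted() returns True for any file that lacks the string 'Passphrase', including an empty or truncated one. Asserting that `EncryptedSalt=` and `EncryptedSecurity=` are present would give positive evidence that the secret was encrypted at rest.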
diff --git a/autotests/testEncryptedProfiles/hw.conf b/autotests/testEncryptedProfiles/hw.conf
new file mode 100644
index 00000000..de81e1e2
--- /dev/null
+++ b/autotests/testEncryptedProfiles/hw.conf
@@ -0,0 +1,6 @@
+[SETUP]
+num_radios=2
+start_iwd=0
+
+[HOSTAPD]
+rad0=ssidCCMP.conf
diff --git a/autotests/testEncryptedProfiles/iwd-secret b/autotests/testEncryptedProfiles/iwd-secret
new file mode 100644
index 00000000..c2afca48
--- /dev/null
+++ b/autotests/testEncryptedProfiles/iwd-secret
@@ -0,0 +1 @@
+secret123
diff --git a/autotests/testEncryptedProfiles/main.conf b/autotests/testEncryptedProfiles/main.conf
new file mode 100644
index 00000000..35d40c5e
--- /dev/null
+++ b/autotests/testEncryptedProfiles/main.conf
@@ -0,0 +1,2 @@
+[General]
+SystemdEncrypt=iwd-secret
diff --git a/autotests/testEncryptedProfiles/ssidCCMP.conf b/autotests/testEncryptedProfiles/ssidCCMP.conf
new file mode 100644
index 00000000..c79f5e55
--- /dev/null
+++ b/autotests/testEncryptedProfiles/ssidCCMP.conf
@@ -0,0 +1,10 @@
+hw_mode=g
+channel=1
+ssid=ssidCCMP
+
+wpa=2
+wpa_pairwise=CCMP
+wpa_passphrase=secret123
+
+ieee80211w=2
+wpa_key_mgmt=WPA-PSK-SHA256
diff --git a/autotests/testEncryptedProfiles/ssidCCMP.psk b/autotests/testEncryptedProfiles/ssidCCMP.psk
new file mode 100644
index 00000000..abafdb66
--- /dev/null
+++ b/autotests/testEncryptedProfiles/ssidCCMP.psk
@@ -0,0 +1,2 @@
+[Security]
+Passphrase=secret123
-- 
2.34.1
