| // Copyright 2020 The ChromiumOS Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| // Unit tests for AuthSession. |
| |
| #include "cryptohome/auth_session.h" |
| |
| #include <map> |
| #include <memory> |
| #include <optional> |
| #include <string> |
| #include <utility> |
| #include <vector> |
| |
| #include <base/functional/callback_helpers.h> |
| #include <base/run_loop.h> |
| #include <base/task/sequenced_task_runner.h> |
| #include <base/test/bind.h> |
| #include <base/test/task_environment.h> |
| #include <base/test/test_future.h> |
| #include <base/threading/sequenced_task_runner_handle.h> |
| #include <base/timer/mock_timer.h> |
| #include <base/unguessable_token.h> |
| #include <brillo/cryptohome.h> |
| #include <brillo/secure_blob.h> |
| #include <cryptohome/proto_bindings/auth_factor.pb.h> |
| #include <cryptohome/proto_bindings/UserDataAuth.pb.h> |
| #include <gmock/gmock-matchers.h> |
| #include <gmock/gmock.h> |
| #include <gtest/gtest.h> |
| #include <libhwsec/frontend/cryptohome/mock_frontend.h> |
| #include <libhwsec/frontend/pinweaver/mock_frontend.h> |
| #include <libhwsec-foundation/crypto/aes.h> |
| #include <libhwsec-foundation/error/testing_helper.h> |
| |
| #include "cryptohome/auth_blocks/auth_block_utility_impl.h" |
| #include "cryptohome/auth_blocks/mock_auth_block_utility.h" |
| #include "cryptohome/auth_factor/auth_factor.h" |
| #include "cryptohome/auth_factor/auth_factor_manager.h" |
| #include "cryptohome/auth_factor/auth_factor_metadata.h" |
| #include "cryptohome/auth_factor/auth_factor_storage_type.h" |
| #include "cryptohome/auth_factor/auth_factor_type.h" |
| #include "cryptohome/auth_session_manager.h" |
| #include "cryptohome/challenge_credentials/mock_challenge_credentials_helper.h" |
| #include "cryptohome/credential_verifier_test_utils.h" |
| #include "cryptohome/crypto_error.h" |
| #include "cryptohome/error/cryptohome_error.h" |
| #include "cryptohome/flatbuffer_schemas/auth_block_state.h" |
| #include "cryptohome/key_objects.h" |
| #include "cryptohome/mock_credential_verifier.h" |
| #include "cryptohome/mock_cryptohome_keys_manager.h" |
| #include "cryptohome/mock_key_challenge_service_factory.h" |
| #include "cryptohome/mock_keyset_management.h" |
| #include "cryptohome/mock_platform.h" |
| #include "cryptohome/pkcs11/mock_pkcs11_token_factory.h" |
| #include "cryptohome/scrypt_verifier.h" |
| #include "cryptohome/smart_card_verifier.h" |
| #include "cryptohome/storage/homedirs.h" |
| #include "cryptohome/storage/mock_mount.h" |
| #include "cryptohome/user_secret_stash.h" |
| #include "cryptohome/user_secret_stash_storage.h" |
| #include "cryptohome/user_session/mock_user_session.h" |
| #include "cryptohome/user_session/real_user_session.h" |
| #include "cryptohome/user_session/user_session_map.h" |
| #include "cryptohome/username.h" |
| |
| namespace cryptohome { |
| namespace { |
| |
| using base::test::TestFuture; |
| using brillo::cryptohome::home::SanitizeUserName; |
| using cryptohome::error::CryptohomeCryptoError; |
| using cryptohome::error::CryptohomeError; |
| using cryptohome::error::CryptohomeMountError; |
| using hwsec_foundation::error::testing::IsOk; |
| using hwsec_foundation::error::testing::NotOk; |
| using hwsec_foundation::error::testing::ReturnError; |
| using hwsec_foundation::error::testing::ReturnOk; |
| using hwsec_foundation::error::testing::ReturnValue; |
| using hwsec_foundation::status::MakeStatus; |
| using hwsec_foundation::status::OkStatus; |
| using hwsec_foundation::status::StatusChain; |
| using ::testing::_; |
| using ::testing::ByMove; |
| using ::testing::DoAll; |
| using ::testing::ElementsAre; |
| using ::testing::Eq; |
| using ::testing::Field; |
| using ::testing::IsEmpty; |
| using ::testing::IsNull; |
| using ::testing::Matcher; |
| using ::testing::NiceMock; |
| using ::testing::NotNull; |
| using ::testing::Optional; |
| using ::testing::Pair; |
| using ::testing::Return; |
| using ::testing::UnorderedElementsAre; |
| using ::testing::VariantWith; |
| |
| // Fake labels to be in used in this test suite. |
| constexpr char kFakeLabel[] = "test_label"; |
| constexpr char kFakeOtherLabel[] = "test_other_label"; |
| constexpr char kFakePinLabel[] = "test_pin_label"; |
| constexpr char kLegacyLabel[] = "legacy-0"; |
| constexpr char kRecoveryLabel[] = "recovery"; |
| |
| // Fake passwords to be in used in this test suite. |
| constexpr char kFakePass[] = "test_pass"; |
| constexpr char kFakePin[] = "123456"; |
| constexpr char kFakeOtherPass[] = "test_other_pass"; |
| constexpr char kFakeRecoverySecret[] = "test_recovery_secret"; |
| |
| // Set to match the 5 minute timer and a 1 minute extension in AuthSession. |
| constexpr int kAuthSessionExtensionDuration = 60; |
| constexpr auto kAuthSessionTimeout = base::Minutes(5); |
| constexpr auto kAuthSessionExtension = |
| base::Seconds(kAuthSessionExtensionDuration); |
| |
| // Returns a blob "derived" from provided blob to generate fake vkk_key from |
| // user secret in tests. |
| brillo::SecureBlob GetFakeDerivedSecret(const brillo::SecureBlob& blob) { |
| return brillo::SecureBlob::Combine(blob, |
| brillo::SecureBlob(" derived secret")); |
| } |
| |
| // A matcher that checks if an auth block state has a particular type. |
| template <typename StateType> |
| Matcher<const AuthBlockState&> AuthBlockStateTypeIs() { |
| return Field(&AuthBlockState::state, VariantWith<StateType>(_)); |
| } |
| |
| std::unique_ptr<VaultKeyset> CreatePasswordVaultKeyset( |
| const std::string& label) { |
| SerializedVaultKeyset serialized_vk; |
| serialized_vk.set_flags(SerializedVaultKeyset::TPM_WRAPPED | |
| SerializedVaultKeyset::SCRYPT_DERIVED | |
| SerializedVaultKeyset::PCR_BOUND | |
| SerializedVaultKeyset::ECC); |
| serialized_vk.set_password_rounds(1); |
| serialized_vk.set_tpm_key("tpm-key"); |
| serialized_vk.set_extended_tpm_key("tpm-extended-key"); |
| serialized_vk.set_vkk_iv("iv"); |
| serialized_vk.mutable_key_data()->set_type(KeyData::KEY_TYPE_PASSWORD); |
| serialized_vk.mutable_key_data()->set_label(label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->InitializeFromSerialized(serialized_vk); |
| return vk; |
| } |
| |
| std::unique_ptr<VaultKeyset> CreateBackupVaultKeyset(const std::string& label) { |
| auto backup_vk = CreatePasswordVaultKeyset(label); |
| backup_vk->set_backup_vk_for_testing(true); |
| backup_vk->SetResetSeed(brillo::SecureBlob(32, 'A')); |
| backup_vk->SetWrappedResetSeed(brillo::SecureBlob(32, 'B')); |
| return backup_vk; |
| } |
| |
| // Create an auth factor map with a single password factor. Takes as a template |
| // parameter the type of auth block state that the factor should have, or void |
| // for no state. |
| template <typename StateType> |
| AuthFactorMap FactorMapWithPassword(std::string label) { |
| AuthBlockState auth_block_state; |
| if constexpr (!std::is_void_v<StateType>) { |
| auth_block_state.state = StateType(); |
| } |
| AuthFactorMap map; |
| map.Add( |
| std::make_unique<AuthFactor>(AuthFactorType::kPassword, std::move(label), |
| AuthFactorMetadata(), auth_block_state), |
| AuthFactorStorageType::kVaultKeyset); |
| return map; |
| } |
| |
| // Create an auth factor map with a single PIN factor. |
| AuthFactorMap FactorMapWithPin(std::string label) { |
| AuthBlockState auth_block_state; |
| auth_block_state.state = PinWeaverAuthBlockState(); |
| AuthFactorMap map; |
| map.Add(std::make_unique<AuthFactor>(AuthFactorType::kPin, std::move(label), |
| AuthFactorMetadata(), auth_block_state), |
| AuthFactorStorageType::kVaultKeyset); |
| return map; |
| } |
| |
| } // namespace |
| |
| class AuthSessionTest : public ::testing::Test { |
| public: |
| void SetUp() override { |
| EXPECT_CALL(hwsec_, IsEnabled()).WillRepeatedly(ReturnValue(true)); |
| EXPECT_CALL(hwsec_, IsReady()).WillRepeatedly(ReturnValue(true)); |
| EXPECT_CALL(hwsec_, IsSealingSupported()).WillRepeatedly(ReturnValue(true)); |
| EXPECT_CALL(hwsec_, GetManufacturer()) |
| .WillRepeatedly(ReturnValue(0x43524f53)); |
| EXPECT_CALL(hwsec_, GetAuthValue(_, _)) |
| .WillRepeatedly(ReturnValue(brillo::SecureBlob())); |
| EXPECT_CALL(hwsec_, SealWithCurrentUser(_, _, _)) |
| .WillRepeatedly(ReturnValue(brillo::Blob())); |
| EXPECT_CALL(hwsec_, GetPubkeyHash(_)) |
| .WillRepeatedly(ReturnValue(brillo::Blob())); |
| EXPECT_CALL(pinweaver_, IsEnabled()).WillRepeatedly(ReturnValue(true)); |
| crypto_.Init(); |
| |
| EXPECT_CALL(auth_block_utility_, CreateCredentialVerifier(_, _, _)) |
| .WillRepeatedly( |
| [](AuthFactorType type, const std::string& label, |
| const AuthInput& input) -> std::unique_ptr<CredentialVerifier> { |
| if (type == AuthFactorType::kPassword) { |
| return ScryptVerifier::Create( |
| label, brillo::SecureBlob(*input.user_input)); |
| } |
| return nullptr; |
| }); |
| } |
| |
| protected: |
| // Fake username to be used in this test suite. |
| const Username kFakeUsername{"test_username"}; |
| |
| user_data_auth::CryptohomeErrorCode AuthenticateAuthFactorVK( |
| const std::string& label, |
| const std::string& passkey, |
| AuthSession& auth_session) { |
| // Used to mock out keyset factories with something that returns a |
| // vanilla keyset with the supplied label. |
| auto make_vk_with_label = [label](auto...) { |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyDataLabel(label); |
| return vk; |
| }; |
| |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, label)) |
| .WillRepeatedly(make_vk_with_label); |
| |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockStateFromVaultKeyset(label, _, _)) |
| .WillRepeatedly(Return(true)); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeFromState(_)) |
| .WillRepeatedly(Return(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(keyset_management_, GetValidKeysetWithKeyBlobs(_, _, _)) |
| .WillRepeatedly(make_vk_with_label); |
| |
| EXPECT_CALL(keyset_management_, ShouldReSaveKeyset(_)) |
| .WillRepeatedly(Return(false)); |
| EXPECT_CALL(keyset_management_, AddResetSeedIfMissing(_)) |
| .WillRepeatedly(Return(false)); |
| |
| EXPECT_CALL(auth_block_utility_, |
| DeriveKeyBlobsWithAuthBlockAsync(_, _, _, _)) |
| .WillRepeatedly([](AuthBlockType auth_block_type, |
| const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), |
| std::make_unique<KeyBlobs>()); |
| }); |
| |
| std::string auth_factor_labels[] = {label}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(passkey); |
| |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| if (authenticate_future.Get().ok()) { |
| return user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| } |
| return authenticate_future.Get()->local_legacy_error().value(); |
| } |
| |
| // Get a UserSession for the given user, creating a minimal stub one if |
| // necessary. |
| UserSession* FindOrCreateUserSession(const Username& username) { |
| if (UserSession* session = user_session_map_.Find(username)) { |
| return session; |
| } |
| user_session_map_.Add( |
| username, std::make_unique<RealUserSession>( |
| username, &homedirs_, &keyset_management_, |
| &user_activity_timestamp_manager_, &pkcs11_token_factory_, |
| new NiceMock<MockMount>())); |
| return user_session_map_.Find(username); |
| } |
| |
| base::test::SingleThreadTaskEnvironment task_environment_{ |
| base::test::TaskEnvironment::TimeSource::MOCK_TIME}; |
| scoped_refptr<base::SequencedTaskRunner> task_runner_ = |
| base::SequencedTaskRunnerHandle::Get(); |
| |
| // Mocks and fakes for the test AuthSessions to use. |
| NiceMock<hwsec::MockCryptohomeFrontend> hwsec_; |
| NiceMock<hwsec::MockPinWeaverFrontend> pinweaver_; |
| NiceMock<MockCryptohomeKeysManager> cryptohome_keys_manager_; |
| Crypto crypto_{&hwsec_, &pinweaver_, &cryptohome_keys_manager_, nullptr}; |
| NiceMock<MockPlatform> platform_; |
| UserSessionMap user_session_map_; |
| NiceMock<MockKeysetManagement> keyset_management_; |
| NiceMock<MockAuthBlockUtility> auth_block_utility_; |
| AuthBlockUtilityImpl auth_block_utility_impl_{ |
| &keyset_management_, &crypto_, &platform_, |
| FingerprintAuthBlockService::MakeNullService()}; |
| AuthFactorManager auth_factor_manager_{&platform_}; |
| UserSecretStashStorage user_secret_stash_storage_{&platform_}; |
| AuthSession::BackingApis backing_apis_{&crypto_, |
| &platform_, |
| &user_session_map_, |
| &keyset_management_, |
| &auth_block_utility_, |
| &auth_factor_manager_, |
| &user_secret_stash_storage_}; |
| |
| // An AuthSession manager for testing managed creation. |
| AuthSessionManager auth_session_manager_{&crypto_, |
| &platform_, |
| &user_session_map_, |
| &keyset_management_, |
| &auth_block_utility_, |
| &auth_factor_manager_, |
| &user_secret_stash_storage_}; |
| |
| // Mocks needed for challenge credential tests. |
| NiceMock<MockChallengeCredentialsHelper> challenge_credentials_helper_; |
| NiceMock<MockKeyChallengeServiceFactory> key_challenge_service_factory_; |
| |
| // Mocks and fakes for UserSession to use. |
| HomeDirs homedirs_{&platform_, |
| std::make_unique<policy::PolicyProvider>(nullptr), |
| HomeDirs::RemoveCallback(), |
| /*vault_factory=*/nullptr}; |
| UserOldestActivityTimestampManager user_activity_timestamp_manager_{ |
| &platform_}; |
| NiceMock<MockPkcs11TokenFactory> pkcs11_token_factory_; |
| }; |
| |
| const CryptohomeError::ErrorLocationPair kErrorLocationForTestingAuthSession = |
| CryptohomeError::ErrorLocationPair( |
| static_cast<::cryptohome::error::CryptohomeError::ErrorLocation>(1), |
| std::string("MockErrorLocationAuthSession")); |
| |
| TEST_F(AuthSessionTest, InitiallyNotAuthenticated) { |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, |
| user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| EXPECT_EQ(auth_session->status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| EXPECT_THAT(auth_session->authorized_intents(), IsEmpty()); |
| } |
| |
| TEST_F(AuthSessionTest, InitiallyNotAuthenticatedForExistingUser) { |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, |
| user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| EXPECT_EQ(auth_session->status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| EXPECT_THAT(auth_session->authorized_intents(), IsEmpty()); |
| } |
| |
| TEST_F(AuthSessionTest, Username) { |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, |
| user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| EXPECT_EQ(auth_session->username(), kFakeUsername); |
| EXPECT_EQ(auth_session->obfuscated_username(), |
| SanitizeUserName(kFakeUsername)); |
| } |
| |
| TEST_F(AuthSessionTest, DecryptionIntent) { |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, |
| user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_EQ(auth_session->auth_intent(), AuthIntent::kDecrypt); |
| } |
| |
| TEST_F(AuthSessionTest, VerfyIntent) { |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, |
| user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kVerifyOnly); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_EQ(auth_session->auth_intent(), AuthIntent::kVerifyOnly); |
| } |
| |
| TEST_F(AuthSessionTest, WebAuthnIntent) { |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, |
| user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kWebAuthn); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_EQ(auth_session->auth_intent(), AuthIntent::kWebAuthn); |
| } |
| |
| TEST_F(AuthSessionTest, TimeoutTest) { |
| TestFuture<base::UnguessableToken> timeout_future; |
| // AuthSession must be constructed without using AuthSessionManager, |
| // because during cleanup the AuthSession must stay valid after |
| // timing out for verification. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = |
| timeout_future.GetCallback<const base::UnguessableToken&>(), |
| .user_exists = false, |
| .auth_factor_map = AuthFactorMap(), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_EQ(auth_session.status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| auth_session.SetAuthSessionAsAuthenticated(kAuthorizedIntentsForFullAuth); |
| |
| ASSERT_TRUE(auth_session.timeout_timer_.IsRunning()); |
| auth_session.timeout_timer_.FireNow(); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusTimedOut); |
| EXPECT_THAT(auth_session.authorized_intents(), IsEmpty()); |
| EXPECT_TRUE(timeout_future.IsReady()); |
| EXPECT_EQ(timeout_future.Get(), auth_session.token()); |
| } |
| |
| // Test the scenario when `kCrOSLateBootMigrateToUserSecretStash` feature cannot |
| // be checked due to the feature lib unavailability. AuthSession should fall |
| // back to the default value (and not crash). |
| TEST_F(AuthSessionTest, UssMigrationFlagCheckFailure) { |
| // AuthSession must be constructed without using AuthSessionManager, |
| // as we need to have a nullptr for feature_lib. |
| auto auth_session = AuthSession::Create( |
| kFakeUsername, user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kDecrypt, base::DoNothing(), |
| /*feature_lib=*/nullptr, backing_apis_); |
| |
| // Verify. |
| ASSERT_THAT(auth_session, NotNull()); |
| EXPECT_FALSE(auth_session->migrate_to_user_secret_stash_); |
| } |
| |
| TEST_F(AuthSessionTest, SerializedStringFromNullToken) { |
| base::UnguessableToken token = base::UnguessableToken::Null(); |
| std::optional<std::string> serialized_token = |
| AuthSession::GetSerializedStringFromToken(token); |
| EXPECT_FALSE(serialized_token.has_value()); |
| } |
| |
| TEST_F(AuthSessionTest, TokenFromEmptyString) { |
| std::string serialized_string = ""; |
| std::optional<base::UnguessableToken> unguessable_token = |
| AuthSession::GetTokenFromSerializedString(serialized_string); |
| EXPECT_FALSE(unguessable_token.has_value()); |
| } |
| |
| TEST_F(AuthSessionTest, TokenFromUnexpectedSize) { |
| std::string serialized_string = "unexpected_sized_string"; |
| std::optional<base::UnguessableToken> unguessable_token = |
| AuthSession::GetTokenFromSerializedString(serialized_string); |
| EXPECT_FALSE(unguessable_token.has_value()); |
| } |
| |
| TEST_F(AuthSessionTest, TokenFromString) { |
| base::UnguessableToken original_token = platform_.CreateUnguessableToken(); |
| std::optional<std::string> serialized_token = |
| AuthSession::GetSerializedStringFromToken(original_token); |
| EXPECT_TRUE(serialized_token.has_value()); |
| std::optional<base::UnguessableToken> deserialized_token = |
| AuthSession::GetTokenFromSerializedString(serialized_token.value()); |
| EXPECT_TRUE(deserialized_token.has_value()); |
| EXPECT_EQ(deserialized_token.value(), original_token); |
| } |
| |
| // Test that `GetSerializedStringFromToken()` refuses a string containing only |
| // zero bytes (but doesn't crash). Note: such a string would've corresponded to |
| // `base::UnguessableToken::Null()` if the latter would be allowed. |
| TEST_F(AuthSessionTest, TokenFromAllZeroesString) { |
| // Setup. To avoid hardcoding the length of the string in the test, first |
| // serialize an arbitrary token and then replace its contents with zeroes. |
| const base::UnguessableToken some_token = base::UnguessableToken::Create(); |
| const std::optional<std::string> serialized_some_token = |
| AuthSession::GetSerializedStringFromToken(some_token); |
| ASSERT_TRUE(serialized_some_token.has_value()); |
| const std::string all_zeroes_token(serialized_some_token->length(), '\0'); |
| |
| // Test. |
| std::optional<base::UnguessableToken> deserialized_token = |
| AuthSession::GetTokenFromSerializedString(all_zeroes_token); |
| |
| // Verify. |
| EXPECT_EQ(deserialized_token, std::nullopt); |
| } |
| |
| // Test that AuthenticateAuthFactor succeeds and doesn't use the credential |
| // verifier in the `AuthIntent::kDecrypt` scenario. |
| TEST_F(AuthSessionTest, NoLightweightAuthForDecryption) { |
| // Add the user session. It will have no verifiers. |
| auto user_session = std::make_unique<MockUserSession>(); |
| EXPECT_TRUE(user_session_map_.Add(kFakeUsername, std::move(user_session))); |
| |
| // Create an AuthSession with a fake factor. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = FactorMapWithPassword<void>(kFakeLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| SetUserSecretStashExperimentForTesting(/*enabled=*/false); |
| |
| // Set up VaultKeyset authentication mock. |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, kFakeLabel)) |
| .WillOnce(Return(ByMove(std::make_unique<VaultKeyset>()))); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockStateFromVaultKeyset(_, _, _)) |
| .WillOnce(Return(true)); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeFromState(_)) |
| .WillRepeatedly(Return(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, DeriveKeyBlobsWithAuthBlockAsync(_, _, _, _)) |
| .WillOnce([](AuthBlockType, const AuthInput&, const AuthBlockState&, |
| AuthBlock::DeriveCallback derive_callback) { |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), |
| std::make_unique<KeyBlobs>()); |
| }); |
| EXPECT_CALL(keyset_management_, GetValidKeysetWithKeyBlobs(_, _, _)) |
| .WillOnce([](const ObfuscatedUsername&, KeyBlobs, |
| const std::optional<std::string>& label) { |
| KeyData key_data; |
| key_data.set_label(*label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| |
| // Test. |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(kFakePass); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_THAT( |
| auth_session.authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| } |
| |
| // Test if AuthSession reports the correct attributes on an already-existing |
| // ephemeral user. |
| TEST_F(AuthSessionTest, ExistingEphemeralUser) { |
| // Setup. |
| int flags = |
| user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_EPHEMERAL_USER; |
| |
| // Setting the expectation that there is no persistent user but there is an |
| // active ephemeral one. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| auto user_session = std::make_unique<MockUserSession>(); |
| EXPECT_CALL(*user_session, IsActive()).WillRepeatedly(Return(true)); |
| user_session_map_.Add(kFakeUsername, std::move(user_session)); |
| |
| // Test. |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Verify. |
| EXPECT_TRUE(auth_session->user_exists()); |
| } |
| |
| // Test that the UserSecretStash isn't created by default when a new user is |
| // created. |
| TEST_F(AuthSessionTest, NoUssByDefault) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Test. |
| EXPECT_FALSE(auth_session->has_user_secret_stash()); |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| |
| // Verify. |
| EXPECT_FALSE(auth_session->has_user_secret_stash()); |
| } |
| |
| // Test if AuthenticateAuthFactor authenticates existing credentials for a |
| // user with VK. |
| TEST_F(AuthSessionTest, AuthenticateAuthFactorExistingVKUserNoResave) { |
| // Setup AuthSession. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = |
| FactorMapWithPassword<TpmBoundToPcrAuthBlockState>(kFakeLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_THAT(AuthStatus::kAuthStatusFurtherFactorRequired, |
| auth_session.status()); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| // Test |
| // Calling AuthenticateAuthFactor. |
| EXPECT_EQ(AuthenticateAuthFactorVK(kFakeLabel, kFakePass, auth_session), |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session.authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // Test if AuthenticateAuthFactor authenticates existing credentials for a |
| // user with VK and resaves it. |
| TEST_F(AuthSessionTest, |
| AuthenticateAuthFactorExistingVKUserAndResaveForUpdate) { |
| // Setup AuthSession. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = |
| FactorMapWithPassword<ScryptAuthBlockState>(kFakeLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_THAT(AuthStatus::kAuthStatusFurtherFactorRequired, |
| auth_session.status()); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| // Test |
| |
| // Called within the converter_.PopulateKeyDataForVK() |
| KeyData key_data; |
| key_data.set_label(kFakeLabel); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(key_data); |
| |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, kFakeLabel)) |
| .WillOnce(Return(ByMove(std::move(vk)))); |
| |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockStateFromVaultKeyset(_, _, _)) |
| .WillOnce(Return(true)); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeFromState(_)) |
| .WillRepeatedly(Return(AuthBlockType::kScrypt)); |
| EXPECT_CALL(keyset_management_, GetValidKeysetWithKeyBlobs(_, _, _)) |
| .WillOnce([](const ObfuscatedUsername&, KeyBlobs, |
| const std::optional<std::string>& label) { |
| KeyData key_data; |
| key_data.set_label(*label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| |
| EXPECT_CALL(keyset_management_, ShouldReSaveKeyset(_)).WillOnce(Return(true)); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeForCreation(_, _, _)) |
| .WillOnce(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(keyset_management_, ReSaveKeysetWithKeyBlobs(_, _, _)); |
| |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| auto auth_block_state2 = std::make_unique<AuthBlockState>(); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync(_, _, _)) |
| .WillOnce([&key_blobs, &auth_block_state2]( |
| AuthBlockType auth_block_type, const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state2)); |
| }); |
| |
| auto key_blobs2 = std::make_unique<KeyBlobs>(); |
| EXPECT_CALL(auth_block_utility_, DeriveKeyBlobsWithAuthBlockAsync(_, _, _, _)) |
| .WillOnce([&key_blobs2](AuthBlockType auth_block_type, |
| const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs2)); |
| }); |
| |
| // Calling AuthenticateAuthFactor. |
| TestFuture<CryptohomeStatus> authenticate_future; |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(kFakePass); |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session.authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // Test if AuthenticateAuthFactor authenticates existing credentials for a |
| // user with VK and resaves it. |
| TEST_F(AuthSessionTest, |
| AuthenticateAuthFactorExistingVKUserAndResaveForResetSeed) { |
| // Setup AuthSession. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = |
| FactorMapWithPassword<ScryptAuthBlockState>(kFakeLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_THAT(AuthStatus::kAuthStatusFurtherFactorRequired, |
| auth_session.status()); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| // Test |
| |
| // Called within the converter_.PopulateKeyDataForVK() |
| KeyData key_data; |
| key_data.set_label(kFakeLabel); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(key_data); |
| |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, kFakeLabel)) |
| .WillOnce(Return(ByMove(std::move(vk)))); |
| |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockStateFromVaultKeyset(_, _, _)) |
| .WillOnce(Return(true)); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeFromState(_)) |
| .WillRepeatedly(Return(AuthBlockType::kScrypt)); |
| EXPECT_CALL(keyset_management_, GetValidKeysetWithKeyBlobs(_, _, _)) |
| .WillOnce([](const ObfuscatedUsername&, KeyBlobs, |
| const std::optional<std::string>& label) { |
| KeyData key_data; |
| key_data.set_label(*label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| |
| EXPECT_CALL(keyset_management_, ShouldReSaveKeyset(_)) |
| .WillOnce(Return(false)); |
| EXPECT_CALL(keyset_management_, AddResetSeedIfMissing(_)) |
| .WillOnce(Return(true)); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeForCreation(_, _, _)) |
| .WillOnce(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(keyset_management_, ReSaveKeysetWithKeyBlobs(_, _, _)); |
| |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| auto auth_block_state2 = std::make_unique<AuthBlockState>(); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync(_, _, _)) |
| .WillOnce([&key_blobs, &auth_block_state2]( |
| AuthBlockType auth_block_type, const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state2)); |
| }); |
| |
| auto key_blobs2 = std::make_unique<KeyBlobs>(); |
| EXPECT_CALL(auth_block_utility_, DeriveKeyBlobsWithAuthBlockAsync(_, _, _, _)) |
| .WillOnce([&key_blobs2](AuthBlockType auth_block_type, |
| const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs2)); |
| }); |
| |
| // Calling AuthenticateAuthFactor. |
| TestFuture<CryptohomeStatus> authenticate_future; |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(kFakePass); |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session.authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // Test that AuthenticateAuthFactor doesn't add reset seed to LECredentials. |
| TEST_F(AuthSessionTest, |
| AuthenticateAuthFactorNotAddingResetSeedToPINVaultKeyset) { |
| // Setup AuthSession. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = FactorMapWithPin(kFakePinLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_THAT(AuthStatus::kAuthStatusFurtherFactorRequired, |
| auth_session.status()); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| // Test |
| |
| // Called within the converter_.PopulateKeyDataForVK() |
| KeyData key_data; |
| key_data.set_label(kFakePinLabel); |
| key_data.mutable_policy()->set_low_entropy_credential(true); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(key_data); |
| |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, kFakePinLabel)) |
| .WillOnce(Return(ByMove(std::move(vk)))); |
| |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockStateFromVaultKeyset(_, _, _)) |
| .WillOnce(Return(true)); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeFromState(_)) |
| .WillRepeatedly(Return(AuthBlockType::kPinWeaver)); |
| EXPECT_CALL(keyset_management_, GetValidKeysetWithKeyBlobs(_, _, _)) |
| .WillOnce([](const ObfuscatedUsername&, KeyBlobs, |
| const std::optional<std::string>& label) { |
| KeyData key_data; |
| key_data.set_label(*label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| |
| EXPECT_CALL(keyset_management_, ShouldReSaveKeyset(_)) |
| .WillOnce(Return(false)); |
| EXPECT_CALL(keyset_management_, AddResetSeedIfMissing(_)) |
| .WillOnce(Return(false)); |
| |
| auto key_blobs2 = std::make_unique<KeyBlobs>(); |
| EXPECT_CALL(auth_block_utility_, DeriveKeyBlobsWithAuthBlockAsync(_, _, _, _)) |
| .WillOnce([&key_blobs2](AuthBlockType auth_block_type, |
| const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs2)); |
| }); |
| |
| // Calling AuthenticateAuthFactor. |
| TestFuture<CryptohomeStatus> authenticate_future; |
| std::string auth_factor_labels[] = {kFakePinLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_pin_input()->set_secret(kFakePin); |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session.authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| } |
| |
| // Test that AuthenticateAuthFactor returns an error when supplied label and |
| // type mismatch. |
| TEST_F(AuthSessionTest, AuthenticateAuthFactorMismatchLabelAndType) { |
| // Setup AuthSession. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = FactorMapWithPin(kFakePinLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_THAT(AuthStatus::kAuthStatusFurtherFactorRequired, |
| auth_session.status()); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| // Test |
| // Calling AuthenticateAuthFactor. |
| TestFuture<CryptohomeStatus> authenticate_future; |
| std::string auth_factor_labels[] = {kFakePinLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(kFakePin); |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(authenticate_future.Get(), NotOk()); |
| EXPECT_EQ(authenticate_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_INVALID_ARGUMENT); |
| EXPECT_EQ(auth_session.status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| } |
| |
| // Test if AddAuthFactor correctly adds initial VaultKeyset password AuthFactor |
| // for a new user. |
| TEST_F(AuthSessionTest, AddAuthFactorNewUser) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| |
| // Use this new auth_session_manager to make the AuthSession, need a to use |
| // |auth_block_utility_impl_|. |
| AuthSessionManager auth_session_manager_impl_{&crypto_, |
| &platform_, |
| &user_session_map_, |
| &keyset_management_, |
| &auth_block_utility_impl_, |
| &auth_factor_manager_, |
| &user_secret_stash_storage_}; |
| |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_impl_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Setting the expectation that the user does not exist. |
| EXPECT_EQ(auth_session->status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| EXPECT_FALSE(auth_session->user_exists()); |
| |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_EQ(auth_session->status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| EXPECT_TRUE(auth_session->user_exists()); |
| |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| |
| EXPECT_CALL(keyset_management_, |
| AddInitialKeysetWithKeyBlobs(_, _, _, _, _, _, _)) |
| .WillOnce( |
| [](auto, auto, const KeyData& key_data, auto, auto, auto, auto) { |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(key_data); |
| return vk; |
| }); |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, kFakeLabel)) |
| .WillOnce([](const ObfuscatedUsername&, const std::string&) { |
| return CreatePasswordVaultKeyset(kFakeLabel); |
| }); |
| |
| // Test. |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session->AddAuthFactor(request, add_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(add_future.Get(), IsOk()); |
| |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // Test that AddAuthFactor can add multiple VaultKeyset-AuthFactor. The first |
| // one is added as initial factor, the second is added as the second password |
| // factor, and the third one as added as a PIN factor. |
| TEST_F(AuthSessionTest, AddMultipleAuthFactor) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Setting the expectation that the user does not exist. |
| EXPECT_EQ(auth_session->status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| EXPECT_FALSE(auth_session->user_exists()); |
| |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_EQ(auth_session->status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| EXPECT_TRUE(auth_session->user_exists()); |
| |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| |
| // GetauthBlockTypeForCreation() and CreateKeyBlobsWithAuthBlockAsync() are |
| // called for each of the key addition operations below. |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeForCreation(_, _, _)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync(_, _, _)) |
| .WillRepeatedly([](AuthBlockType auth_block_type, |
| const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), |
| std::make_unique<KeyBlobs>(), |
| std::make_unique<AuthBlockState>()); |
| }); |
| EXPECT_CALL(keyset_management_, |
| AddInitialKeysetWithKeyBlobs(_, _, _, _, _, _, _)) |
| .WillOnce( |
| [](auto, auto, const KeyData& key_data, auto, auto, auto, auto) { |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(key_data); |
| return vk; |
| }); |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, _)) |
| .WillRepeatedly([](const ObfuscatedUsername&, const std::string& label) { |
| return CreatePasswordVaultKeyset(label); |
| }); |
| |
| // Test. |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session->AddAuthFactor(request, add_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(add_future.Get(), IsOk()); |
| |
| // Test adding new password AuthFactor |
| user_data_auth::AddAuthFactorRequest request2; |
| request2.set_auth_session_id(auth_session->serialized_token()); |
| request2.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request2.mutable_auth_factor()->set_label(kFakeOtherLabel); |
| request2.mutable_auth_factor()->mutable_password_metadata(); |
| request2.mutable_auth_input()->mutable_password_input()->set_secret( |
| kFakeOtherPass); |
| |
| EXPECT_CALL(keyset_management_, |
| AddKeysetWithKeyBlobs(_, _, _, _, _, _, _, _)); |
| |
| // Test. |
| TestFuture<CryptohomeStatus> add_future2; |
| auth_session->AddAuthFactor(request2, add_future2.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(add_future2.Get(), IsOk()); |
| // There should be credential verifiers for both passwords. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT( |
| user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass), |
| IsVerifierPtrWithLabelAndPassword(kFakeOtherLabel, kFakeOtherPass))); |
| |
| // TODO(b:223222440) Add test to for adding a PIN after reset secret |
| // generation function is updated. |
| } |
| |
| // Test that AddAuthFactor succeeds for an ephemeral user and creates a |
| // credential verifier. |
| TEST_F(AuthSessionTest, AddPasswordFactorToEphemeral) { |
| // Setup. |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_EPHEMERAL_USER, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_THAT(auth_session->OnUserCreated(), IsOk()); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| |
| // Test. |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| user_data_auth::AuthFactor& request_factor = *request.mutable_auth_factor(); |
| request_factor.set_type(user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request_factor.set_label(kFakeLabel); |
| request_factor.mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session->AddAuthFactor(request, add_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(add_future.Get(), IsOk()); |
| |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // Test that AddAuthFactor fails for an ephemeral user when PIN is added. |
| TEST_F(AuthSessionTest, AddPinFactorToEphemeralFails) { |
| // Setup. |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_EPHEMERAL_USER, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_THAT(auth_session->OnUserCreated(), IsOk()); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| |
| // Test. |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| user_data_auth::AuthFactor& request_factor = *request.mutable_auth_factor(); |
| request_factor.set_type(user_data_auth::AUTH_FACTOR_TYPE_PIN); |
| request_factor.set_label(kFakePinLabel); |
| request_factor.mutable_pin_metadata(); |
| request.mutable_auth_input()->mutable_pin_input()->set_secret(kFakePin); |
| |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session->AddAuthFactor(request, add_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(add_future.Get(), NotOk()); |
| EXPECT_EQ(add_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_BACKING_STORE_FAILURE); |
| |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), IsEmpty()); |
| } |
| |
| TEST_F(AuthSessionTest, AddSecondPasswordFactorToEphemeral) { |
| // Setup. |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_EPHEMERAL_USER, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_THAT(auth_session->OnUserCreated(), IsOk()); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| // Add the first password. |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| user_data_auth::AuthFactor& request_factor = *request.mutable_auth_factor(); |
| request_factor.set_type(user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request_factor.set_label(kFakeLabel); |
| request_factor.mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| TestFuture<CryptohomeStatus> first_add_future; |
| auth_session->AddAuthFactor(request, first_add_future.GetCallback()); |
| EXPECT_THAT(first_add_future.Get(), IsOk()); |
| |
| // Test. |
| request_factor.set_label(kFakeOtherLabel); |
| request.mutable_auth_input()->mutable_password_input()->set_secret( |
| kFakeOtherPass); |
| TestFuture<CryptohomeStatus> second_add_future; |
| auth_session->AddAuthFactor(request, second_add_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(second_add_future.Get(), IsOk()); |
| // There should be two verifiers. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT( |
| user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass), |
| IsVerifierPtrWithLabelAndPassword(kFakeOtherLabel, kFakeOtherPass))); |
| } |
| |
| // UpdateAuthFactor request success when updating authenticated password VK. |
| TEST_F(AuthSessionTest, UpdateAuthFactorSucceedsForPasswordVK) { |
| // Setup. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = |
| FactorMapWithPassword<TpmBoundToPcrAuthBlockState>(kFakeLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| AuthBlockState auth_block_state = auth_session.auth_factor_map() |
| .Find(kFakeLabel) |
| ->auth_factor() |
| .auth_block_state(); |
| EXPECT_THAT(AuthStatus::kAuthStatusFurtherFactorRequired, |
| auth_session.status()); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| // Creating the user. |
| EXPECT_TRUE(auth_session.OnUserCreated().ok()); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| // GetAuthBlockTypeForCreation() and CreateKeyBlobsWithAuthBlockAsync() are |
| // called for the key update operations below. |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeForCreation(_, _, _)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync(_, _, _)) |
| .WillRepeatedly([&](AuthBlockType auth_block_type, |
| const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), |
| std::make_unique<KeyBlobs>(), |
| std::make_unique<AuthBlockState>(auth_block_state)); |
| }); |
| EXPECT_CALL(keyset_management_, UpdateKeysetWithKeyBlobs(_, _, _, _, _, _)); |
| |
| // Set a valid |vault_keyset_| to update. |
| KeyData key_data; |
| key_data.set_label(kFakeLabel); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->Initialize(&platform_, &crypto_); |
| vk->SetKeyData(key_data); |
| vk->CreateFromFileSystemKeyset(FileSystemKeyset::CreateRandom()); |
| vk->SetAuthBlockState(auth_block_state); |
| auth_session.set_vault_keyset_for_testing(std::move(vk)); |
| |
| user_data_auth::UpdateAuthFactorRequest request; |
| request.set_auth_session_id(auth_session.serialized_token()); |
| request.set_auth_factor_label(kFakeLabel); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| |
| TestFuture<CryptohomeStatus> update_future; |
| auth_session.UpdateAuthFactor(request, update_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(update_future.Get(), IsOk()); |
| |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // UpdateAuthFactor fails if label doesn't exist. |
| TEST_F(AuthSessionTest, UpdateAuthFactorFailsLabelNotMatchForVK) { |
| // Setup. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = |
| FactorMapWithPassword<TpmBoundToPcrAuthBlockState>(kFakeLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_THAT(AuthStatus::kAuthStatusFurtherFactorRequired, |
| auth_session.status()); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| // Creating the user. |
| EXPECT_TRUE(auth_session.OnUserCreated().ok()); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| user_data_auth::UpdateAuthFactorRequest request; |
| request.set_auth_session_id(auth_session.serialized_token()); |
| request.set_auth_factor_label(kFakeLabel); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeOtherLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret( |
| kFakeOtherPass); |
| |
| TestFuture<CryptohomeStatus> update_future; |
| auth_session.UpdateAuthFactor(request, update_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(update_future.Get(), NotOk()); |
| // Verify that the credential_verifier is not updated on failure. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), IsEmpty()); |
| } |
| |
| // UpdateAuthFactor fails if label doesn't exist in the existing keysets. |
| TEST_F(AuthSessionTest, UpdateAuthFactorFailsLabelNotFoundForVK) { |
| // Setup. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = |
| FactorMapWithPassword<TpmBoundToPcrAuthBlockState>(kFakeLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_THAT(AuthStatus::kAuthStatusFurtherFactorRequired, |
| auth_session.status()); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| // Creating the user. |
| EXPECT_TRUE(auth_session.OnUserCreated().ok()); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| user_data_auth::UpdateAuthFactorRequest request; |
| request.set_auth_session_id(auth_session.serialized_token()); |
| request.set_auth_factor_label(kFakeOtherLabel); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeOtherLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret( |
| kFakeOtherPass); |
| |
| TestFuture<CryptohomeStatus> update_future; |
| auth_session.UpdateAuthFactor(request, update_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(update_future.Get(), NotOk()); |
| // Verify that the credential_verifier is not updated on failure. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), IsEmpty()); |
| } |
| |
| TEST_F(AuthSessionTest, ExtensionTest) { |
| // AuthSession must be constructed without using AuthSessionManager, |
| // because during cleanup the AuthSession must stay valid after |
| // timing out for verification. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = false, |
| .auth_factor_map = AuthFactorMap(), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_EQ(auth_session.status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| auth_session.SetAuthSessionAsAuthenticated(kAuthorizedIntentsForFullAuth); |
| |
| ASSERT_TRUE(auth_session.timeout_timer_.IsRunning()); |
| |
| EXPECT_TRUE(auth_session.ExtendTimeoutTimer(kAuthSessionExtension).ok()); |
| |
| // Verify that timer has changed, within a resaonsable degree of error. |
| auto requested_delay = kAuthSessionTimeout + kAuthSessionExtension; |
| EXPECT_EQ(auth_session.timeout_timer_.GetCurrentDelay(), requested_delay); |
| |
| auth_session.timeout_timer_.FireNow(); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusTimedOut); |
| EXPECT_THAT(auth_session.authorized_intents(), IsEmpty()); |
| } |
| |
| // Test that AuthenticateAuthFactor succeeds in the `AuthIntent::kWebAuthn` |
| // scenario. |
| TEST_F(AuthSessionTest, AuthenticateAuthFactorWebAuthnIntent) { |
| // Setup. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Add the user session. Expect that no verification calls are made. |
| auto user_session = std::make_unique<MockUserSession>(); |
| EXPECT_CALL(*user_session, PrepareWebAuthnSecret(_, _)); |
| EXPECT_TRUE(user_session_map_.Add(kFakeUsername, std::move(user_session))); |
| // Create an AuthSession with a fake factor. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kWebAuthn, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = FactorMapWithPassword<void>(kFakeLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| // Set up VaultKeyset authentication mock. |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, kFakeLabel)) |
| .WillOnce(Return(ByMove(std::make_unique<VaultKeyset>()))); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockStateFromVaultKeyset(_, _, _)) |
| .WillOnce(Return(true)); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeFromState(_)) |
| .WillRepeatedly(Return(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, DeriveKeyBlobsWithAuthBlockAsync(_, _, _, _)) |
| .WillOnce([](AuthBlockType, const AuthInput&, const AuthBlockState&, |
| AuthBlock::DeriveCallback derive_callback) { |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), |
| std::make_unique<KeyBlobs>()); |
| }); |
| EXPECT_CALL(keyset_management_, GetValidKeysetWithKeyBlobs(_, _, _)) |
| .WillOnce([](const ObfuscatedUsername&, KeyBlobs, |
| const std::optional<std::string>& label) { |
| KeyData key_data; |
| key_data.set_label(*label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| |
| // Test. |
| TestFuture<CryptohomeStatus> authenticate_future; |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(kFakePass); |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_THAT( |
| auth_session.authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly, |
| AuthIntent::kWebAuthn)); |
| } |
| |
| // Test that AuthFactor map is updated after successful RemoveAuthFactor and |
| // not updated after unsuccessful RemoveAuthFactor. |
| TEST_F(AuthSessionTest, RemoveAuthFactorUpdatesAuthFactorMap) { |
| // Setup. |
| |
| // Prepare the AuthFactor. |
| AuthBlockState auth_block_state; |
| auth_block_state.state = TpmBoundToPcrAuthBlockState(); |
| AuthFactorMap auth_factor_map; |
| auth_factor_map.Add( |
| std::make_unique<AuthFactor>(AuthFactorType::kPassword, kFakeLabel, |
| AuthFactorMetadata(), auth_block_state), |
| AuthFactorStorageType::kVaultKeyset); |
| auth_factor_map.Add( |
| std::make_unique<AuthFactor>(AuthFactorType::kPassword, kFakeOtherLabel, |
| AuthFactorMetadata(), auth_block_state), |
| AuthFactorStorageType::kVaultKeyset); |
| |
| // Create AuthSession. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = std::move(auth_factor_map), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_EQ(auth_session.status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| EXPECT_TRUE(auth_session.user_exists()); |
| |
| EXPECT_EQ(AuthenticateAuthFactorVK(kFakeLabel, kFakePass, auth_session), |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusAuthenticated); |
| |
| // Test that RemoveAuthFactor success removes the factor from the map. |
| user_data_auth::RemoveAuthFactorRequest remove_request; |
| remove_request.set_auth_session_id(auth_session.serialized_token()); |
| remove_request.set_auth_factor_label(kFakeOtherLabel); |
| // RemoveauthFactor loads the VK to remove. |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, kFakeOtherLabel)) |
| .WillOnce(Return(ByMove(std::make_unique<VaultKeyset>()))); |
| TestFuture<CryptohomeStatus> remove_future; |
| auth_session.RemoveAuthFactor(remove_request, remove_future.GetCallback()); |
| |
| // Verify that AuthFactor is removed and the Authentication doesn't succeed |
| // with the removed factor. |
| ASSERT_THAT(remove_future.Get(), IsOk()); |
| EXPECT_EQ(AuthenticateAuthFactorVK(kFakeOtherLabel, kFakePass, auth_session), |
| user_data_auth::CRYPTOHOME_ERROR_KEY_NOT_FOUND); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusAuthenticated); |
| |
| // Test that RemoveAuthFactor failure doesn't remove the factor from the map. |
| user_data_auth::RemoveAuthFactorRequest remove_request2; |
| remove_request2.set_auth_session_id(auth_session.serialized_token()); |
| remove_request2.set_auth_factor_label(kFakeLabel); |
| |
| TestFuture<CryptohomeStatus> remove_future2; |
| auth_session.RemoveAuthFactor(remove_request2, remove_future2.GetCallback()); |
| |
| // Verify that AuthFactor is not removed and the Authentication doesn't |
| // succeed with the removed factor. |
| ASSERT_THAT(remove_future2.Get(), NotOk()); |
| EXPECT_EQ(remove_future2.Get()->local_legacy_error().value(), |
| user_data_auth::CRYPTOHOME_REMOVE_CREDENTIALS_FAILED); |
| EXPECT_EQ(AuthenticateAuthFactorVK(kFakeLabel, kFakePass, auth_session), |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| EXPECT_EQ(auth_session.status(), AuthStatus::kAuthStatusAuthenticated); |
| } |
| |
| // A variant of the auth session test that has the UserSecretStash experiment |
| // enabled. |
| class AuthSessionWithUssExperimentTest : public AuthSessionTest { |
| protected: |
| AuthSessionWithUssExperimentTest() { |
| SetUserSecretStashExperimentForTesting(/*enabled=*/true); |
| } |
| |
| ~AuthSessionWithUssExperimentTest() override { |
| // Reset this global variable to avoid affecting unrelated test cases. |
| SetUserSecretStashExperimentForTesting(/*enabled=*/std::nullopt); |
| } |
| |
| struct ReplyToVerifyKey { |
| void operator()(const Username& account_id, |
| const structure::ChallengePublicKeyInfo& public_key_info, |
| std::unique_ptr<KeyChallengeService> key_challenge_service, |
| ChallengeCredentialsHelper::VerifyKeyCallback callback) { |
| if (is_key_valid) { |
| std::move(callback).Run(OkStatus<error::CryptohomeTPMError>()); |
| } else { |
| const error::CryptohomeError::ErrorLocationPair |
| kErrorLocationPlaceholder = |
| error::CryptohomeError::ErrorLocationPair( |
| static_cast< |
| ::cryptohome::error::CryptohomeError::ErrorLocation>(1), |
| "Testing1"); |
| |
| std::move(callback).Run(MakeStatus<error::CryptohomeTPMError>( |
| kErrorLocationPlaceholder, |
| error::ErrorActionSet({error::ErrorAction::kIncorrectAuth}), |
| hwsec::TPMRetryAction::kUserAuth)); |
| } |
| } |
| |
| bool is_key_valid = false; |
| }; |
| |
| user_data_auth::CryptohomeErrorCode AddRecoveryAuthFactor( |
| const std::string& label, |
| const std::string& secret, |
| AuthSession& auth_session) { |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(false, true, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kCryptohomeRecovery)); |
| EXPECT_CALL(auth_block_utility_, |
| CreateKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kCryptohomeRecovery, _, _)) |
| .WillOnce([&secret](auto auth_block_type, auto auth_input, |
| auto create_callback) { |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = brillo::SecureBlob(secret); |
| auto auth_block_state = std::make_unique<AuthBlockState>(); |
| auth_block_state->state = CryptohomeRecoveryAuthBlockState(); |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state)); |
| }); |
| // Prepare recovery add request. |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session.serialized_token()); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_CRYPTOHOME_RECOVERY); |
| request.mutable_auth_factor()->set_label(label); |
| request.mutable_auth_factor()->mutable_cryptohome_recovery_metadata(); |
| request.mutable_auth_input() |
| ->mutable_cryptohome_recovery_input() |
| ->set_mediator_pub_key("mediator pub key"); |
| // Add recovery AuthFactor. |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session.AddAuthFactor(request, add_future.GetCallback()); |
| |
| if (add_future.Get().ok() || |
| !add_future.Get()->local_legacy_error().has_value()) { |
| return user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| } |
| |
| return add_future.Get()->local_legacy_error().value(); |
| } |
| |
| user_data_auth::CryptohomeErrorCode AddPasswordAuthFactor( |
| const std::string& label, |
| const std::string& password, |
| bool first_factor, |
| AuthSession& auth_session) { |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(false, false, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kTpmBoundToPcr, _, _)) |
| .WillOnce([](AuthBlockType auth_block_type, const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| // Make an arbitrary auth block state type can be used in this test. |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = |
| GetFakeDerivedSecret(auth_input.user_input.value()); |
| auto auth_block_state = std::make_unique<AuthBlockState>(); |
| auth_block_state->state = TpmBoundToPcrAuthBlockState(); |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state)); |
| }); |
| // Setting the expectation that a backup VaultKeyset will be created. |
| if (first_factor) { |
| EXPECT_CALL(keyset_management_, |
| AddInitialKeysetWithKeyBlobs(_, _, _, _, _, _, _)) |
| .WillOnce( |
| [](auto, auto, const KeyData& key_data, auto, auto, auto, auto) { |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(key_data); |
| return vk; |
| }); |
| } |
| user_data_auth::AddAuthFactorRequest request; |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(label); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret( |
| password); |
| request.set_auth_session_id(auth_session.serialized_token()); |
| |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session.AddAuthFactor(request, add_future.GetCallback()); |
| |
| if (add_future.Get().ok() || |
| !add_future.Get()->local_legacy_error().has_value()) { |
| return user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| } |
| |
| return add_future.Get()->local_legacy_error().value(); |
| } |
| |
| user_data_auth::CryptohomeErrorCode AuthenticateRecoveryAuthFactor( |
| const std::string& auth_factor_label, |
| const std::string& secret, |
| AuthSession& auth_session) { |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeFromState( |
| AuthBlockStateTypeIs<CryptohomeRecoveryAuthBlockState>())) |
| .WillRepeatedly(Return(AuthBlockType::kCryptohomeRecovery)); |
| EXPECT_CALL(auth_block_utility_, |
| DeriveKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kCryptohomeRecovery, _, _, _)) |
| .WillOnce([&secret](auto auth_block_type, auto auth_input, |
| auto auth_state, auto derive_callback) { |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = brillo::SecureBlob(secret); |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs)); |
| }); |
| // Prepare recovery authentication request. |
| std::string auth_factor_labels[] = {auth_factor_label}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_cryptohome_recovery_input() |
| ->mutable_recovery_response(); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| // Authenticate using recovery. |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| // Verify. |
| if (authenticate_future.Get().ok() || |
| !authenticate_future.Get()->local_legacy_error().has_value()) { |
| return user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| } |
| return authenticate_future.Get()->local_legacy_error().value(); |
| } |
| |
| user_data_auth::CryptohomeErrorCode AuthenticatePasswordAuthFactor( |
| const std::string& password, AuthSession& auth_session) { |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeFromState( |
| AuthBlockStateTypeIs<TpmBoundToPcrAuthBlockState>())) |
| .WillRepeatedly(Return(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, |
| DeriveKeyBlobsWithAuthBlockAsync(AuthBlockType::kTpmBoundToPcr, |
| _, _, _)) |
| .WillOnce([](AuthBlockType auth_block_type, const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = |
| GetFakeDerivedSecret(auth_input.user_input.value()); |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs)); |
| }); |
| // Setting the expectation that backup password VaultKeyset is decrypted. |
| EXPECT_CALL(keyset_management_, GetValidKeysetWithKeyBlobs(_, _, _)) |
| .WillOnce([](const ObfuscatedUsername&, KeyBlobs, |
| const std::optional<std::string>& label) { |
| KeyData key_data; |
| key_data.set_label(*label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| |
| TestFuture<CryptohomeStatus> authenticate_future; |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(password); |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| if (authenticate_future.Get().ok() || |
| !authenticate_future.Get()->local_legacy_error().has_value()) { |
| return user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| } |
| return authenticate_future.Get()->local_legacy_error().value(); |
| } |
| |
| user_data_auth::CryptohomeErrorCode UpdatePasswordAuthFactor( |
| const std::string& new_password, AuthSession& auth_session) { |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(false, false, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kTpmBoundToPcr, _, _)) |
| .WillOnce([](AuthBlockType auth_block_type, const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| // Make an arbitrary auth block state type can be used in this test. |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = |
| GetFakeDerivedSecret(auth_input.user_input.value()); |
| auto auth_block_state = std::make_unique<AuthBlockState>(); |
| auth_block_state->state = TpmBoundToPcrAuthBlockState(); |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state)); |
| }); |
| |
| user_data_auth::UpdateAuthFactorRequest request; |
| request.set_auth_session_id(auth_session.serialized_token()); |
| request.set_auth_factor_label(kFakeLabel); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret( |
| new_password); |
| |
| TestFuture<CryptohomeStatus> update_future; |
| auth_session.UpdateAuthFactor(request, update_future.GetCallback()); |
| |
| if (update_future.Get().ok() || |
| !update_future.Get()->local_legacy_error().has_value()) { |
| return user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| } |
| |
| return update_future.Get()->local_legacy_error().value(); |
| } |
| |
| user_data_auth::CryptohomeErrorCode AddPinAuthFactor( |
| bool backup_keyset_enabled, |
| const std::string& pin, |
| AuthSession& auth_session) { |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(true, false, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kPinWeaver)); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kPinWeaver, _, _)) |
| .WillOnce([](AuthBlockType auth_block_type, const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| // Make an arbitrary auth block state type can be used in this test. |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = |
| GetFakeDerivedSecret(auth_input.user_input.value()); |
| auto auth_block_state = std::make_unique<AuthBlockState>(); |
| auth_block_state->state = PinWeaverAuthBlockState(); |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state)); |
| }); |
| // Setting the expectation that a backup VaultKeyset will be created if it |
| // is not explicitly disabled by adding a USS-only factor. |
| if (backup_keyset_enabled) { |
| EXPECT_CALL(keyset_management_, |
| AddKeysetWithKeyBlobs(_, _, _, _, _, _, _, _)); |
| } |
| // Calling AddAuthFactor. |
| user_data_auth::AddAuthFactorRequest add_pin_request; |
| add_pin_request.set_auth_session_id(auth_session.serialized_token()); |
| add_pin_request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PIN); |
| add_pin_request.mutable_auth_factor()->set_label(kFakePinLabel); |
| add_pin_request.mutable_auth_factor()->mutable_pin_metadata(); |
| add_pin_request.mutable_auth_input()->mutable_pin_input()->set_secret(pin); |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session.AddAuthFactor(add_pin_request, add_future.GetCallback()); |
| |
| if (add_future.Get().ok() || |
| !add_future.Get()->local_legacy_error().has_value()) { |
| return user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| } |
| |
| return add_future.Get()->local_legacy_error().value(); |
| } |
| }; |
| |
| // Test that the UserSecretStash is created on the user creation, in case the |
| // UserSecretStash experiment is on. |
| TEST_F(AuthSessionWithUssExperimentTest, UssCreation) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Test. |
| EXPECT_FALSE(auth_session->has_user_secret_stash()); |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| |
| // Verify. |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), IsEmpty()); |
| } |
| |
| // Test that no UserSecretStash is created for an ephemeral user. |
| TEST_F(AuthSessionWithUssExperimentTest, NoUssForEphemeral) { |
| // Setup. |
| int flags = |
| user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_EPHEMERAL_USER; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Test. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| |
| // Verify. |
| EXPECT_FALSE(auth_session->has_user_secret_stash()); |
| } |
| |
| // Test that a new auth factor can be added to the newly created user, in case |
| // the UserSecretStash experiment is on. |
| TEST_F(AuthSessionWithUssExperimentTest, AddPasswordAuthFactorViaUss) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| // Test. |
| // Setting the expectation that the auth block utility will create key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(false, false, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kTpmBoundToPcr, _, _)) |
| .WillOnce([](AuthBlockType auth_block_type, const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| // Make an arbitrary auth block state type can be used in this test. |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = brillo::SecureBlob("fake vkk key"); |
| auto auth_block_state = std::make_unique<AuthBlockState>(); |
| auth_block_state->state = TpmBoundToPcrAuthBlockState(); |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state)); |
| }); |
| // Setting the expectation that a backup VaultKeyset will be created. |
| EXPECT_CALL(keyset_management_, |
| AddInitialKeysetWithKeyBlobs(_, _, _, _, _, _, _)) |
| .WillOnce( |
| [](auto, auto, const KeyData& key_data, auto, auto, auto, auto) { |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(key_data); |
| return vk; |
| }); |
| // Calling AddAuthFactor. |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session->AddAuthFactor(request, add_future.GetCallback()); |
| |
| // Verify |
| EXPECT_THAT(add_future.Get(), IsOk()); |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| |
| std::map<std::string, AuthFactorType> stored_factors = |
| auth_factor_manager_.ListAuthFactors(SanitizeUserName(kFakeUsername)); |
| EXPECT_THAT(stored_factors, |
| ElementsAre(Pair(kFakeLabel, AuthFactorType::kPassword))); |
| EXPECT_THAT(auth_session->auth_factor_map().Find(kFakeLabel), Optional(_)); |
| } |
| |
| // Test that a new auth factor can be added to the newly created user using |
| // asynchronous key creation. |
| TEST_F(AuthSessionWithUssExperimentTest, AddPasswordAuthFactorViaAsyncUss) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| // Test. |
| // Setting the expectation that the auth block utility will create key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(false, false, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kTpmBoundToPcr, _, _)) |
| .WillOnce([this](AuthBlockType, const AuthInput&, |
| AuthBlock::CreateCallback create_callback) { |
| // Make an arbitrary auth block state, but schedule it to run later to |
| // simulate an proper async key creation. |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = brillo::SecureBlob("fake vkk key"); |
| auto auth_block_state = std::make_unique<AuthBlockState>(); |
| auth_block_state->state = TpmBoundToPcrAuthBlockState(); |
| task_runner_->PostTask( |
| FROM_HERE, |
| base::BindOnce(std::move(create_callback), |
| OkStatus<CryptohomeCryptoError>(), |
| std::move(key_blobs), std::move(auth_block_state))); |
| }); |
| // Setting the expectation that a backup VaultKeyset will be created. |
| EXPECT_CALL(keyset_management_, |
| AddInitialKeysetWithKeyBlobs(_, _, _, _, _, _, _)) |
| .WillOnce( |
| [](auto, auto, const KeyData& key_data, auto, auto, auto, auto) { |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(key_data); |
| return vk; |
| }); |
| // Calling AddAuthFactor. |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session->AddAuthFactor(request, add_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(add_future.Get(), IsOk()); |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| |
| std::map<std::string, AuthFactorType> stored_factors = |
| auth_factor_manager_.ListAuthFactors(SanitizeUserName(kFakeUsername)); |
| EXPECT_THAT(stored_factors, |
| ElementsAre(Pair(kFakeLabel, AuthFactorType::kPassword))); |
| EXPECT_THAT(auth_session->auth_factor_map().Find(kFakeLabel), Optional(_)); |
| } |
| |
| // Test the new auth factor failure path when asynchronous key creation fails. |
| TEST_F(AuthSessionWithUssExperimentTest, |
| AddPasswordAuthFactorViaAsyncUssFails) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| // Test. |
| // Setting the expectation that the auth block utility will be called an that |
| // key blob creation will fail. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(false, false, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kTpmBoundToPcr, _, _)) |
| .WillOnce([this](AuthBlockType, const AuthInput&, |
| AuthBlock::CreateCallback create_callback) { |
| // Have the creation callback report an error. |
| task_runner_->PostTask( |
| FROM_HERE, |
| base::BindOnce( |
| std::move(create_callback), |
| MakeStatus<CryptohomeCryptoError>( |
| kErrorLocationForTestingAuthSession, |
| error::ErrorActionSet( |
| {error::ErrorAction::kDevCheckUnexpectedState}), |
| CryptoError::CE_OTHER_CRYPTO), |
| nullptr, nullptr)); |
| }); |
| // Calling AddAuthFactor. |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session->AddAuthFactor(request, add_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(add_future.Get(), NotOk()); |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), IsEmpty()); |
| ASSERT_EQ(add_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ADD_CREDENTIALS_FAILED); |
| std::map<std::string, AuthFactorType> stored_factors = |
| auth_factor_manager_.ListAuthFactors(SanitizeUserName(kFakeUsername)); |
| EXPECT_THAT(stored_factors, IsEmpty()); |
| } |
| |
| // Test that a new auth factor cannot be added for an unauthenticated |
| // authsession. |
| TEST_F(AuthSessionWithUssExperimentTest, AddPasswordAuthFactorUnAuthenticated) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| |
| // Test and Verify. |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session->AddAuthFactor(request, add_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(add_future.Get(), NotOk()); |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), IsEmpty()); |
| ASSERT_EQ(add_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_UNAUTHENTICATED_AUTH_SESSION); |
| } |
| |
| // Test that a new auth factor and a pin can be added to the newly created user, |
| // in case the UserSecretStash experiment is on. |
| TEST_F(AuthSessionWithUssExperimentTest, AddPasswordAndPinAuthFactorViaUss) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| // Add a password first. |
| // Setting the expectation that the auth block utility will create key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(false, false, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kTpmBoundToPcr, _, _)) |
| .WillOnce([](AuthBlockType auth_block_type, const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| // Make an arbitrary auth block state type can be used in this test. |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = brillo::SecureBlob("fake vkk key"); |
| auto auth_block_state = std::make_unique<AuthBlockState>(); |
| auth_block_state->state = TpmBoundToPcrAuthBlockState(); |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state)); |
| }); |
| // Setting the expectation that a backup VaultKeyset will be created. |
| EXPECT_CALL(keyset_management_, |
| AddInitialKeysetWithKeyBlobs(_, _, _, _, _, _, _)) |
| .WillOnce( |
| [](auto, auto, const KeyData& key_data, auto, auto, auto, auto) { |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(key_data); |
| return vk; |
| }); |
| // Calling AddAuthFactor. |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| |
| // Test and Verify. |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session->AddAuthFactor(request, add_future.GetCallback()); |
| std::unique_ptr<VaultKeyset> backup_vk = CreateBackupVaultKeyset(kFakeLabel); |
| auth_session->set_vault_keyset_for_testing(std::move(backup_vk)); |
| |
| // Verify. |
| EXPECT_THAT(add_future.Get(), IsOk()); |
| |
| // Setting the expectation that the auth block utility will create key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(true, false, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kPinWeaver)); |
| EXPECT_CALL(auth_block_utility_, |
| CreateKeyBlobsWithAuthBlockAsync(AuthBlockType::kPinWeaver, _, _)) |
| .WillOnce([](AuthBlockType auth_block_type, const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| // Make an arbitrary auth block state type can be used in this test. |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = brillo::SecureBlob("fake vkk key"); |
| auto auth_block_state = std::make_unique<AuthBlockState>(); |
| auth_block_state->state = PinWeaverAuthBlockState(); |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state)); |
| }); |
| // Setting the expectation that a backup VaultKeyset will be created. |
| EXPECT_CALL(keyset_management_, |
| AddKeysetWithKeyBlobs(_, _, _, _, _, _, _, _)); |
| // Calling AddAuthFactor. |
| user_data_auth::AddAuthFactorRequest add_pin_request; |
| add_pin_request.set_auth_session_id(auth_session->serialized_token()); |
| add_pin_request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PIN); |
| add_pin_request.mutable_auth_factor()->set_label(kFakePinLabel); |
| add_pin_request.mutable_auth_factor()->mutable_pin_metadata(); |
| add_pin_request.mutable_auth_input()->mutable_pin_input()->set_secret( |
| kFakePin); |
| // Test and Verify. |
| TestFuture<CryptohomeStatus> add_pin_future; |
| auth_session->AddAuthFactor(add_pin_request, add_pin_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(add_pin_future.Get(), IsOk()); |
| std::map<std::string, AuthFactorType> stored_factors = |
| auth_factor_manager_.ListAuthFactors(SanitizeUserName(kFakeUsername)); |
| EXPECT_THAT(stored_factors, |
| ElementsAre(Pair(kFakeLabel, AuthFactorType::kPassword), |
| Pair(kFakePinLabel, AuthFactorType::kPin))); |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // Test that an existing user with an existing password auth factor can be |
| // authenticated, in case the UserSecretStash experiment is on. |
| TEST_F(AuthSessionWithUssExperimentTest, AuthenticatePasswordAuthFactorViaUss) { |
| // Setup. |
| const ObfuscatedUsername obfuscated_username = |
| SanitizeUserName(kFakeUsername); |
| const brillo::SecureBlob kFakePerCredentialSecret("fake-vkk"); |
| // Setting the expectation that the user exists. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Generating the USS. |
| CryptohomeStatusOr<std::unique_ptr<UserSecretStash>> uss_status = |
| UserSecretStash::CreateRandom(FileSystemKeyset::CreateRandom()); |
| ASSERT_TRUE(uss_status.ok()); |
| std::unique_ptr<UserSecretStash> uss = std::move(uss_status).value(); |
| std::optional<brillo::SecureBlob> uss_main_key = |
| UserSecretStash::CreateRandomMainKey(); |
| ASSERT_TRUE(uss_main_key.has_value()); |
| // Generating the backup VK. |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, _)) |
| .WillOnce([](const ObfuscatedUsername&, const std::string& label) { |
| KeyData key_data; |
| key_data.set_label(label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| // Creating the auth factor. An arbitrary auth block state is used in this |
| // test. |
| AuthFactor auth_factor( |
| AuthFactorType::kPassword, kFakeLabel, |
| AuthFactorMetadata{.metadata = PasswordAuthFactorMetadata()}, |
| AuthBlockState{.state = TpmBoundToPcrAuthBlockState()}); |
| EXPECT_TRUE( |
| auth_factor_manager_.SaveAuthFactor(obfuscated_username, auth_factor) |
| .ok()); |
| // Adding the auth factor into the USS and persisting the latter. |
| const KeyBlobs key_blobs = {.vkk_key = kFakePerCredentialSecret}; |
| std::optional<brillo::SecureBlob> wrapping_key = |
| key_blobs.DeriveUssCredentialSecret(); |
| ASSERT_TRUE(wrapping_key.has_value()); |
| EXPECT_TRUE(uss->AddWrappedMainKey(uss_main_key.value(), kFakeLabel, |
| wrapping_key.value()) |
| .ok()); |
| CryptohomeStatusOr<brillo::Blob> encrypted_uss = |
| uss->GetEncryptedContainer(uss_main_key.value()); |
| ASSERT_TRUE(encrypted_uss.ok()); |
| EXPECT_TRUE(user_secret_stash_storage_ |
| .Persist(encrypted_uss.value(), obfuscated_username) |
| .ok()); |
| // Creating the auth session. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| EXPECT_TRUE(auth_session->user_exists()); |
| |
| // Test. |
| // Setting the expectation that the auth block utility will derive key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeFromState( |
| AuthBlockStateTypeIs<TpmBoundToPcrAuthBlockState>())) |
| .WillRepeatedly(Return(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, DeriveKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kTpmBoundToPcr, _, _, _)) |
| .WillOnce([&kFakePerCredentialSecret]( |
| AuthBlockType auth_block_type, const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = kFakePerCredentialSecret; |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs)); |
| }); |
| // Setting the expectation that backup password VaultKeyset is decrypted. |
| EXPECT_CALL(keyset_management_, GetValidKeysetWithKeyBlobs(_, _, _)) |
| .WillOnce([](const ObfuscatedUsername&, KeyBlobs, |
| const std::optional<std::string>& label) { |
| KeyData key_data; |
| key_data.set_label(*label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| // Calling AuthenticateAuthFactor. |
| TestFuture<CryptohomeStatus> authenticate_future; |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(kFakePass); |
| auth_session->AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_EQ(auth_session->status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // Test that an existing user with an existing password auth factor can be |
| // authenticated, using asynchronous key derivation. |
| TEST_F(AuthSessionWithUssExperimentTest, |
| AuthenticatePasswordAuthFactorViaAsyncUss) { |
| // Setup. |
| const ObfuscatedUsername obfuscated_username = |
| SanitizeUserName(kFakeUsername); |
| const brillo::SecureBlob kFakePerCredentialSecret("fake-vkk"); |
| // Setting the expectation that the user exists. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Generating the USS. |
| CryptohomeStatusOr<std::unique_ptr<UserSecretStash>> uss_status = |
| UserSecretStash::CreateRandom(FileSystemKeyset::CreateRandom()); |
| ASSERT_TRUE(uss_status.ok()); |
| std::unique_ptr<UserSecretStash> uss = std::move(uss_status).value(); |
| std::optional<brillo::SecureBlob> uss_main_key = |
| UserSecretStash::CreateRandomMainKey(); |
| ASSERT_TRUE(uss_main_key.has_value()); |
| // Generating the backup VK. |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, _)) |
| .WillOnce([](const ObfuscatedUsername&, const std::string& label) { |
| KeyData key_data; |
| key_data.set_label(label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| // Creating the auth factor. An arbitrary auth block state is used in this |
| // test. |
| AuthFactor auth_factor( |
| AuthFactorType::kPassword, kFakeLabel, |
| AuthFactorMetadata{.metadata = PasswordAuthFactorMetadata()}, |
| AuthBlockState{.state = TpmBoundToPcrAuthBlockState()}); |
| EXPECT_TRUE( |
| auth_factor_manager_.SaveAuthFactor(obfuscated_username, auth_factor) |
| .ok()); |
| // Adding the auth factor into the USS and persisting the latter. |
| const KeyBlobs key_blobs = {.vkk_key = kFakePerCredentialSecret}; |
| std::optional<brillo::SecureBlob> wrapping_key = |
| key_blobs.DeriveUssCredentialSecret(); |
| ASSERT_TRUE(wrapping_key.has_value()); |
| EXPECT_TRUE(uss->AddWrappedMainKey(uss_main_key.value(), kFakeLabel, |
| wrapping_key.value()) |
| .ok()); |
| CryptohomeStatusOr<brillo::Blob> encrypted_uss = |
| uss->GetEncryptedContainer(uss_main_key.value()); |
| ASSERT_TRUE(encrypted_uss.ok()); |
| EXPECT_TRUE(user_secret_stash_storage_ |
| .Persist(encrypted_uss.value(), obfuscated_username) |
| .ok()); |
| // Creating the auth session. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| EXPECT_TRUE(auth_session->user_exists()); |
| |
| // Test. |
| // Setting the expectation that the auth block utility will derive key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeFromState( |
| AuthBlockStateTypeIs<TpmBoundToPcrAuthBlockState>())) |
| .WillRepeatedly(Return(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, DeriveKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kTpmBoundToPcr, _, _, _)) |
| .WillOnce([this, &kFakePerCredentialSecret]( |
| AuthBlockType auth_block_type, const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = kFakePerCredentialSecret; |
| task_runner_->PostTask(FROM_HERE, |
| base::BindOnce(std::move(derive_callback), |
| OkStatus<CryptohomeCryptoError>(), |
| std::move(key_blobs))); |
| }); |
| // Setting the expectation that backup password VaultKeyset is decrypted. |
| EXPECT_CALL(keyset_management_, GetValidKeysetWithKeyBlobs(_, _, _)) |
| .WillOnce([](const ObfuscatedUsername&, KeyBlobs, |
| const std::optional<std::string>& label) { |
| KeyData key_data; |
| key_data.set_label(*label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| // Calling AuthenticateAuthFactor. |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(kFakePass); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session->AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_EQ(auth_session->status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // Test then failure path with an existing user with an existing password auth |
| // factor when the asynchronous derivation fails. |
| TEST_F(AuthSessionWithUssExperimentTest, |
| AuthenticatePasswordAuthFactorViaAsyncUssFails) { |
| // Setup. |
| const ObfuscatedUsername obfuscated_username = |
| SanitizeUserName(kFakeUsername); |
| const brillo::SecureBlob kFakePerCredentialSecret("fake-vkk"); |
| // Setting the expectation that the user exists. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Generating the USS. |
| CryptohomeStatusOr<std::unique_ptr<UserSecretStash>> uss_status = |
| UserSecretStash::CreateRandom(FileSystemKeyset::CreateRandom()); |
| ASSERT_TRUE(uss_status.ok()); |
| std::unique_ptr<UserSecretStash> uss = std::move(uss_status).value(); |
| std::optional<brillo::SecureBlob> uss_main_key = |
| UserSecretStash::CreateRandomMainKey(); |
| ASSERT_TRUE(uss_main_key.has_value()); |
| // Creating the auth factor. An arbitrary auth block state is used in this |
| // test. |
| AuthFactor auth_factor( |
| AuthFactorType::kPassword, kFakeLabel, |
| AuthFactorMetadata{.metadata = PasswordAuthFactorMetadata()}, |
| AuthBlockState{.state = TpmBoundToPcrAuthBlockState()}); |
| EXPECT_TRUE( |
| auth_factor_manager_.SaveAuthFactor(obfuscated_username, auth_factor) |
| .ok()); |
| // Adding the auth factor into the USS and persisting the latter. |
| const KeyBlobs key_blobs = {.vkk_key = kFakePerCredentialSecret}; |
| std::optional<brillo::SecureBlob> wrapping_key = |
| key_blobs.DeriveUssCredentialSecret(); |
| ASSERT_TRUE(wrapping_key.has_value()); |
| EXPECT_TRUE(uss->AddWrappedMainKey(uss_main_key.value(), kFakeLabel, |
| wrapping_key.value()) |
| .ok()); |
| CryptohomeStatusOr<brillo::Blob> encrypted_uss = |
| uss->GetEncryptedContainer(uss_main_key.value()); |
| ASSERT_TRUE(encrypted_uss.ok()); |
| EXPECT_TRUE(user_secret_stash_storage_ |
| .Persist(encrypted_uss.value(), obfuscated_username) |
| .ok()); |
| // Creating the auth session. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_TRUE(auth_session->user_exists()); |
| |
| // Test. |
| // Setting the expectation that the auth block utility will derive key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeFromState( |
| AuthBlockStateTypeIs<TpmBoundToPcrAuthBlockState>())) |
| .WillRepeatedly(Return(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, DeriveKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kTpmBoundToPcr, _, _, _)) |
| .WillOnce([this](AuthBlockType auth_block_type, |
| const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| task_runner_->PostTask( |
| FROM_HERE, |
| base::BindOnce( |
| std::move(derive_callback), |
| MakeStatus<CryptohomeCryptoError>( |
| kErrorLocationForTestingAuthSession, |
| error::ErrorActionSet( |
| {error::ErrorAction::kDevCheckUnexpectedState}), |
| CryptoError::CE_OTHER_CRYPTO), |
| nullptr)); |
| }); |
| |
| // Calling AuthenticateAuthFactor. |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(kFakePass); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session->AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(authenticate_future.Get(), NotOk()); |
| EXPECT_EQ(authenticate_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_AUTHORIZATION_KEY_FAILED); |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), IsEmpty()); |
| EXPECT_FALSE(auth_session->has_user_secret_stash()); |
| } |
| |
| // Test that an existing user with an existing pin auth factor can be |
| // authenticated, in case the UserSecretStash experiment is on. |
| TEST_F(AuthSessionWithUssExperimentTest, AuthenticatePinAuthFactorViaUss) { |
| // Setup. |
| const ObfuscatedUsername obfuscated_username = |
| SanitizeUserName(kFakeUsername); |
| const brillo::SecureBlob kFakePerCredentialSecret("fake-vkk"); |
| // Setting the expectation that the user exists. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Generating the USS. |
| CryptohomeStatusOr<std::unique_ptr<UserSecretStash>> uss_status = |
| UserSecretStash::CreateRandom(FileSystemKeyset::CreateRandom()); |
| ASSERT_TRUE(uss_status.ok()); |
| std::unique_ptr<UserSecretStash> uss = std::move(uss_status).value(); |
| std::optional<brillo::SecureBlob> uss_main_key = |
| UserSecretStash::CreateRandomMainKey(); |
| ASSERT_TRUE(uss_main_key.has_value()); |
| // Creating the auth factor. An arbitrary auth block state is used in this |
| // test. |
| AuthFactor auth_factor( |
| AuthFactorType::kPin, kFakePinLabel, |
| AuthFactorMetadata{.metadata = PinAuthFactorMetadata()}, |
| AuthBlockState{.state = PinWeaverAuthBlockState()}); |
| EXPECT_TRUE( |
| auth_factor_manager_.SaveAuthFactor(obfuscated_username, auth_factor) |
| .ok()); |
| // Adding the auth factor into the USS and persisting the latter. |
| const KeyBlobs key_blobs = {.vkk_key = kFakePerCredentialSecret}; |
| std::optional<brillo::SecureBlob> wrapping_key = |
| key_blobs.DeriveUssCredentialSecret(); |
| ASSERT_TRUE(wrapping_key.has_value()); |
| EXPECT_TRUE(uss->AddWrappedMainKey(uss_main_key.value(), kFakePinLabel, |
| wrapping_key.value()) |
| .ok()); |
| CryptohomeStatusOr<brillo::Blob> encrypted_uss = |
| uss->GetEncryptedContainer(uss_main_key.value()); |
| ASSERT_TRUE(encrypted_uss.ok()); |
| EXPECT_TRUE(user_secret_stash_storage_ |
| .Persist(encrypted_uss.value(), obfuscated_username) |
| .ok()); |
| // Creating the auth session. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_TRUE(auth_session->user_exists()); |
| |
| // Test. |
| // Setting the expectation that the auth block utility will derive key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeFromState( |
| AuthBlockStateTypeIs<PinWeaverAuthBlockState>())) |
| .WillRepeatedly(Return(AuthBlockType::kPinWeaver)); |
| EXPECT_CALL(auth_block_utility_, DeriveKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kPinWeaver, _, _, _)) |
| .WillOnce([&kFakePerCredentialSecret]( |
| AuthBlockType auth_block_type, const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = kFakePerCredentialSecret; |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs)); |
| }); |
| // Calling AuthenticateAuthFactor. |
| std::string auth_factor_labels[] = {kFakePinLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_pin_input()->set_secret(kFakePin); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session->AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_EQ(auth_session->status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, AddCryptohomeRecoveryAuthFactor) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| // Setting the expectation that the auth block utility will create key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(false, true, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kCryptohomeRecovery)); |
| EXPECT_CALL(auth_block_utility_, |
| CreateKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kCryptohomeRecovery, _, _)) |
| .WillOnce([](AuthBlockType auth_block_type, const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| // Make an arbitrary auth block state type can be used in this test. |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = brillo::SecureBlob("fake vkk key"); |
| auto auth_block_state = std::make_unique<AuthBlockState>(); |
| auth_block_state->state = CryptohomeRecoveryAuthBlockState(); |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state)); |
| }); |
| // Calling AddAuthFactor. |
| user_data_auth::AddAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_CRYPTOHOME_RECOVERY); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_cryptohome_recovery_metadata(); |
| request.mutable_auth_input() |
| ->mutable_cryptohome_recovery_input() |
| ->set_mediator_pub_key("mediator pub key"); |
| // Test and Verify. |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session->AddAuthFactor(request, add_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(add_future.Get(), IsOk()); |
| std::map<std::string, AuthFactorType> stored_factors = |
| auth_factor_manager_.ListAuthFactors(SanitizeUserName(kFakeUsername)); |
| EXPECT_THAT( |
| stored_factors, |
| ElementsAre(Pair(kFakeLabel, AuthFactorType::kCryptohomeRecovery))); |
| // There should be no verifier for the recovery factor. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), IsEmpty()); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, |
| AuthenticateCryptohomeRecoveryAuthFactor) { |
| // Setup. |
| const ObfuscatedUsername obfuscated_username = |
| SanitizeUserName(kFakeUsername); |
| const brillo::SecureBlob kFakePerCredentialSecret("fake-vkk"); |
| // Setting the expectation that the user exists. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Generating the USS. |
| CryptohomeStatusOr<std::unique_ptr<UserSecretStash>> uss_status = |
| UserSecretStash::CreateRandom(FileSystemKeyset::CreateRandom()); |
| ASSERT_TRUE(uss_status.ok()); |
| std::unique_ptr<UserSecretStash> uss = std::move(uss_status).value(); |
| std::optional<brillo::SecureBlob> uss_main_key = |
| UserSecretStash::CreateRandomMainKey(); |
| ASSERT_TRUE(uss_main_key.has_value()); |
| // Creating the auth factor. |
| AuthFactor auth_factor( |
| AuthFactorType::kCryptohomeRecovery, kFakeLabel, |
| AuthFactorMetadata{.metadata = CryptohomeRecoveryAuthFactorMetadata()}, |
| AuthBlockState{.state = CryptohomeRecoveryAuthBlockState()}); |
| EXPECT_TRUE( |
| auth_factor_manager_.SaveAuthFactor(obfuscated_username, auth_factor) |
| .ok()); |
| // Adding the auth factor into the USS and persisting the latter. |
| const KeyBlobs key_blobs = {.vkk_key = kFakePerCredentialSecret}; |
| std::optional<brillo::SecureBlob> wrapping_key = |
| key_blobs.DeriveUssCredentialSecret(); |
| ASSERT_TRUE(wrapping_key.has_value()); |
| EXPECT_TRUE(uss->AddWrappedMainKey(uss_main_key.value(), kFakeLabel, |
| wrapping_key.value()) |
| .ok()); |
| CryptohomeStatusOr<brillo::Blob> encrypted_uss = |
| uss->GetEncryptedContainer(uss_main_key.value()); |
| ASSERT_TRUE(encrypted_uss.ok()); |
| EXPECT_TRUE(user_secret_stash_storage_ |
| .Persist(encrypted_uss.value(), obfuscated_username) |
| .ok()); |
| // Creating the auth session. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_TRUE(auth_session->user_exists()); |
| |
| // Test. |
| // Setting the expectation that the auth block utility will generate recovery |
| // request. |
| EXPECT_CALL(auth_block_utility_, GenerateRecoveryRequest(_, _, _, _, _, _, _)) |
| .WillOnce([](const ObfuscatedUsername& obfuscated_username, |
| const cryptorecovery::RequestMetadata& request_metadata, |
| const brillo::Blob& epoch_response, |
| const CryptohomeRecoveryAuthBlockState& state, |
| hwsec::RecoveryCryptoFrontend* recovery_hwsec, |
| brillo::SecureBlob* out_recovery_request, |
| brillo::SecureBlob* out_ephemeral_pub_key) { |
| *out_ephemeral_pub_key = brillo::SecureBlob("test"); |
| return OkStatus<CryptohomeCryptoError>(); |
| }); |
| EXPECT_FALSE(auth_session->has_user_secret_stash()); |
| |
| // Calling GetRecoveryRequest. |
| user_data_auth::GetRecoveryRequestRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_label(kFakeLabel); |
| TestFuture<user_data_auth::GetRecoveryRequestReply> reply_future; |
| auth_session->GetRecoveryRequest( |
| request, |
| reply_future |
| .GetCallback<const user_data_auth::GetRecoveryRequestReply&>()); |
| |
| // Verify. |
| EXPECT_EQ(reply_future.Get().error(), |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| EXPECT_EQ(auth_session->status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| EXPECT_THAT(auth_session->authorized_intents(), IsEmpty()); |
| |
| // Test. |
| // Setting the expectation that the auth block utility will derive key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeFromState( |
| AuthBlockStateTypeIs<CryptohomeRecoveryAuthBlockState>())) |
| .WillRepeatedly(Return(AuthBlockType::kCryptohomeRecovery)); |
| EXPECT_CALL(auth_block_utility_, |
| DeriveKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kCryptohomeRecovery, _, _, _)) |
| .WillOnce([&kFakePerCredentialSecret]( |
| AuthBlockType auth_block_type, const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| EXPECT_THAT( |
| auth_input.cryptohome_recovery_auth_input->ephemeral_pub_key, |
| Optional(brillo::SecureBlob("test"))); |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = kFakePerCredentialSecret; |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs)); |
| }); |
| |
| // Calling AuthenticateAuthFactor. |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_cryptohome_recovery_input() |
| ->mutable_recovery_response(); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session->AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_EQ(auth_session->status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| // There should be no verifier created for the recovery factor. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), IsEmpty()); |
| } |
| |
| // Test scenario where we add a Smart Card/Challenge Response credential, |
| // and go through the authentication flow twice. On the second authentication, |
| // AuthSession should use the lightweight verify check. |
| TEST_F(AuthSessionWithUssExperimentTest, AuthenticateSmartCardAuthFactor) { |
| // Setup. |
| brillo::Blob public_key_spki_der = brillo::BlobFromString("public_key"); |
| const ObfuscatedUsername obfuscated_username = |
| SanitizeUserName(kFakeUsername); |
| const brillo::SecureBlob kFakePerCredentialSecret("fake-vkk"); |
| // Setting the expectation that the user exists. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Generating the USS. |
| CryptohomeStatusOr<std::unique_ptr<UserSecretStash>> uss_status = |
| UserSecretStash::CreateRandom(FileSystemKeyset::CreateRandom()); |
| ASSERT_TRUE(uss_status.ok()); |
| std::unique_ptr<UserSecretStash> uss = std::move(uss_status).value(); |
| std::optional<brillo::SecureBlob> uss_main_key = |
| UserSecretStash::CreateRandomMainKey(); |
| ASSERT_TRUE(uss_main_key.has_value()); |
| // Creating the auth factor. |
| AuthFactor auth_factor( |
| AuthFactorType::kSmartCard, kFakeLabel, |
| AuthFactorMetadata{ |
| .metadata = SmartCardAuthFactorMetadata{.public_key_spki_der = |
| public_key_spki_der}}, |
| AuthBlockState{.state = ChallengeCredentialAuthBlockState()}); |
| EXPECT_TRUE( |
| auth_factor_manager_.SaveAuthFactor(obfuscated_username, auth_factor) |
| .ok()); |
| // Adding the auth factor into the USS and persisting the latter. |
| const KeyBlobs key_blobs = {.vkk_key = kFakePerCredentialSecret}; |
| std::optional<brillo::SecureBlob> wrapping_key = |
| key_blobs.DeriveUssCredentialSecret(); |
| ASSERT_TRUE(wrapping_key.has_value()); |
| EXPECT_TRUE(uss->AddWrappedMainKey(uss_main_key.value(), kFakeLabel, |
| wrapping_key.value()) |
| .ok()); |
| CryptohomeStatusOr<brillo::Blob> encrypted_uss = |
| uss->GetEncryptedContainer(uss_main_key.value()); |
| ASSERT_TRUE(encrypted_uss.ok()); |
| EXPECT_TRUE(user_secret_stash_storage_ |
| .Persist(encrypted_uss.value(), obfuscated_username) |
| .ok()); |
| // Creating the auth session. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_TRUE(auth_session->user_exists()); |
| EXPECT_FALSE(auth_session->has_user_secret_stash()); |
| |
| // Verify. |
| EXPECT_EQ(auth_session->status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| EXPECT_THAT(auth_session->authorized_intents(), IsEmpty()); |
| |
| // Test. |
| // Setting the expectation that the auth block utility will derive key blobs. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeFromState( |
| AuthBlockStateTypeIs<ChallengeCredentialAuthBlockState>())) |
| .WillRepeatedly(Return(AuthBlockType::kChallengeCredential)); |
| EXPECT_CALL(auth_block_utility_, |
| DeriveKeyBlobsWithAuthBlockAsync( |
| AuthBlockType::kChallengeCredential, _, _, _)) |
| .WillOnce([&kFakePerCredentialSecret]( |
| AuthBlockType auth_block_type, const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = kFakePerCredentialSecret; |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs)); |
| }); |
| |
| EXPECT_CALL(auth_block_utility_, CreateCredentialVerifier(_, kFakeLabel, _)) |
| .WillOnce(Return(ByMove(SmartCardVerifier::Create( |
| kFakeLabel, public_key_spki_der, &challenge_credentials_helper_, |
| &key_challenge_service_factory_)))); |
| |
| // Calling AuthenticateAuthFactor. |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_smart_card_input()->add_signature_algorithms( |
| user_data_auth::CHALLENGE_RSASSA_PKCS1_V1_5_SHA256); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session->AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_EQ(auth_session->status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| // There should be a verifier created for the smart card factor. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre(IsVerifierPtrWithLabel(kFakeLabel))); |
| |
| CryptohomeStatusOr<InUseAuthSession> verify_auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kVerifyOnly); |
| EXPECT_TRUE(verify_auth_session_status.ok()); |
| AuthSession* verify_auth_session = verify_auth_session_status.value().Get(); |
| |
| // Expect that next authentication will go through lightweight |
| // verification. |
| EXPECT_CALL(auth_block_utility_, |
| IsVerifyWithAuthFactorSupported(AuthIntent::kVerifyOnly, |
| AuthFactorType::kSmartCard)) |
| .WillRepeatedly(Return(true)); |
| |
| // Simulate a successful key verification. |
| EXPECT_CALL(challenge_credentials_helper_, VerifyKey(_, _, _, _)) |
| .WillOnce(ReplyToVerifyKey{/*is_key_valid=*/true}); |
| |
| // Call AuthenticateAuthFactor again. |
| TestFuture<CryptohomeStatus> verify_authenticate_future; |
| verify_auth_session->AuthenticateAuthFactor( |
| auth_factor_labels, auth_input_proto, |
| verify_authenticate_future.GetCallback()); |
| EXPECT_THAT(verify_auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kVerifyOnly)); |
| } |
| |
| // Test that AuthenticateAuthFactor succeeds for the `AuthIntent::kVerifyOnly` |
| // scenario, using a credential verifier. |
| TEST_F(AuthSessionWithUssExperimentTest, LightweightPasswordAuthentication) { |
| // Setup. |
| // Add the user session along with a verifier that's configured to pass. |
| auto user_session = std::make_unique<MockUserSession>(); |
| EXPECT_CALL(*user_session, VerifyUser(SanitizeUserName(kFakeUsername))) |
| .WillOnce(Return(true)); |
| auto verifier = std::make_unique<MockCredentialVerifier>( |
| AuthFactorType::kPassword, kFakeLabel, |
| AuthFactorMetadata{.metadata = PasswordAuthFactorMetadata()}); |
| EXPECT_CALL(*verifier, VerifySync(_)).WillOnce(ReturnOk<CryptohomeError>()); |
| user_session->AddCredentialVerifier(std::move(verifier)); |
| EXPECT_TRUE(user_session_map_.Add(kFakeUsername, std::move(user_session))); |
| // Create an AuthSession with a fake factor. No authentication mocks are set |
| // up, because the lightweight authentication should be used in the test. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kVerifyOnly, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = FactorMapWithPassword<void>(kFakeLabel), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| EXPECT_CALL(auth_block_utility_, |
| IsVerifyWithAuthFactorSupported(AuthIntent::kVerifyOnly, |
| AuthFactorType::kPassword)) |
| .WillRepeatedly(Return(true)); |
| |
| // Test. |
| std::string auth_factor_labels[] = {kFakeLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(kFakePass); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_THAT(auth_session.authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kVerifyOnly)); |
| } |
| |
| // Test that AuthenticateAuthFactor succeeds for the `AuthIntent::kVerifyOnly` |
| // scenario, using the legacy fingerprint. |
| TEST_F(AuthSessionWithUssExperimentTest, LightweightFingerprintAuthentication) { |
| // Setup. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Add the user session. Configure the credential verifier mock to succeed. |
| auto user_session = std::make_unique<MockUserSession>(); |
| EXPECT_CALL(*user_session, VerifyUser(SanitizeUserName(kFakeUsername))) |
| .WillOnce(Return(true)); |
| auto verifier = std::make_unique<MockCredentialVerifier>( |
| AuthFactorType::kLegacyFingerprint, "", AuthFactorMetadata{}); |
| EXPECT_CALL(*verifier, VerifySync(_)).WillOnce(ReturnOk<CryptohomeError>()); |
| user_session->AddCredentialVerifier(std::move(verifier)); |
| EXPECT_TRUE(user_session_map_.Add(kFakeUsername, std::move(user_session))); |
| // Create an AuthSession with no factors. No authentication mocks are set |
| // up, because the lightweight authentication should be used in the test. |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kVerifyOnly); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_CALL(auth_block_utility_, |
| IsVerifyWithAuthFactorSupported( |
| AuthIntent::kVerifyOnly, AuthFactorType::kLegacyFingerprint)) |
| .WillRepeatedly(Return(true)); |
| |
| // Test. |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_legacy_fingerprint_input(); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session->AuthenticateAuthFactor({}, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_THAT(auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kVerifyOnly)); |
| } |
| |
| // Test that PrepareAuthFactor succeeds for the legacy fingerprint with the |
| // purpose of authentication. |
| TEST_F(AuthSessionWithUssExperimentTest, PrepareLegacyFingerprintAuth) { |
| // Add the user session. Configure the credential verifier mock to succeed. |
| auto user_session = std::make_unique<MockUserSession>(); |
| // Create an AuthSession and add a mock for a successful auth block prepare. |
| auto auth_session = std::make_unique<AuthSession>( |
| AuthSession::Params{ |
| .username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kVerifyOnly, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = AuthFactorMap(), |
| .migrate_to_user_secret_stash = false}, |
| backing_apis_); |
| TrackedPreparedAuthFactorToken::WasCalled token_was_called; |
| auto token = std::make_unique<TrackedPreparedAuthFactorToken>( |
| AuthFactorType::kLegacyFingerprint, OkStatus<CryptohomeError>(), |
| &token_was_called); |
| EXPECT_CALL(auth_block_utility_, |
| IsPrepareAuthFactorRequired(AuthFactorType::kLegacyFingerprint)) |
| .WillOnce(Return(true)); |
| EXPECT_CALL( |
| auth_block_utility_, |
| PrepareAuthFactorForAuth(AuthFactorType::kLegacyFingerprint, _, _)) |
| .WillOnce([&](AuthFactorType, const ObfuscatedUsername&, |
| PreparedAuthFactorToken::Consumer callback) { |
| std::move(callback).Run(std::move(token)); |
| }); |
| |
| // Test. |
| TestFuture<CryptohomeStatus> prepare_future; |
| user_data_auth::PrepareAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_type( |
| user_data_auth::AUTH_FACTOR_TYPE_LEGACY_FINGERPRINT); |
| request.set_purpose(user_data_auth::PURPOSE_AUTHENTICATE_AUTH_FACTOR); |
| auth_session->PrepareAuthFactor(request, prepare_future.GetCallback()); |
| auth_session.reset(); |
| |
| // Verify. |
| ASSERT_THAT(prepare_future.Get(), IsOk()); |
| EXPECT_TRUE(token_was_called.terminate); |
| EXPECT_TRUE(token_was_called.destructor); |
| } |
| |
| // Test that PrepareAuthFactor succeeded for password. |
| TEST_F(AuthSessionWithUssExperimentTest, PreparePasswordFailure) { |
| // Setup. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Add the user session. Configure the credential verifier mock to succeed. |
| auto user_session = std::make_unique<MockUserSession>(); |
| // Create an AuthSession |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kVerifyOnly); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_CALL(auth_block_utility_, |
| IsPrepareAuthFactorRequired(AuthFactorType::kPassword)) |
| .WillOnce(Return(false)); |
| |
| // Test. |
| user_data_auth::PrepareAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_type(user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.set_purpose(user_data_auth::PURPOSE_AUTHENTICATE_AUTH_FACTOR); |
| TestFuture<CryptohomeStatus> prepare_future; |
| auth_session->PrepareAuthFactor(request, prepare_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_EQ(prepare_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_INVALID_ARGUMENT); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, TerminateAuthFactorBadTypeFailure) { |
| // Setup. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Add the user session. Configure the credential verifier mock to succeed. |
| auto user_session = std::make_unique<MockUserSession>(); |
| // Create an AuthSession |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kVerifyOnly); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_CALL(auth_block_utility_, |
| IsPrepareAuthFactorRequired(AuthFactorType::kPassword)) |
| .WillOnce(Return(false)); |
| |
| // Test. |
| user_data_auth::TerminateAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_type(user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| TestFuture<CryptohomeStatus> terminate_future; |
| auth_session->TerminateAuthFactor(request, terminate_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_EQ(terminate_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_INVALID_ARGUMENT); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, |
| TerminateAuthFactorInactiveFactorFailure) { |
| // Setup. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Add the user session. Configure the credential verifier mock to succeed. |
| auto user_session = std::make_unique<MockUserSession>(); |
| // Create an AuthSession |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kVerifyOnly); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_CALL(auth_block_utility_, |
| IsPrepareAuthFactorRequired(AuthFactorType::kLegacyFingerprint)) |
| .WillOnce(Return(true)); |
| |
| // Test. |
| user_data_auth::TerminateAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_type( |
| user_data_auth::AUTH_FACTOR_TYPE_LEGACY_FINGERPRINT); |
| TestFuture<CryptohomeStatus> terminate_future; |
| auth_session->TerminateAuthFactor(request, terminate_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_EQ(terminate_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_INVALID_ARGUMENT); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, |
| TerminateAuthFactorLegacyFingerprintSuccess) { |
| // Setup. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Add the user session. Configure the credential verifier mock to succeed. |
| auto user_session = std::make_unique<MockUserSession>(); |
| // Create an AuthSession |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kVerifyOnly); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| TrackedPreparedAuthFactorToken::WasCalled token_was_called; |
| auto token = std::make_unique<TrackedPreparedAuthFactorToken>( |
| AuthFactorType::kLegacyFingerprint, OkStatus<CryptohomeError>(), |
| &token_was_called); |
| EXPECT_CALL(auth_block_utility_, |
| IsPrepareAuthFactorRequired(AuthFactorType::kLegacyFingerprint)) |
| .WillRepeatedly(Return(true)); |
| EXPECT_CALL( |
| auth_block_utility_, |
| PrepareAuthFactorForAuth(AuthFactorType::kLegacyFingerprint, _, _)) |
| .WillOnce([&](AuthFactorType, const ObfuscatedUsername&, |
| PreparedAuthFactorToken::Consumer callback) { |
| std::move(callback).Run(std::move(token)); |
| }); |
| TestFuture<CryptohomeStatus> prepare_future; |
| user_data_auth::PrepareAuthFactorRequest prepare_request; |
| prepare_request.set_auth_session_id(auth_session->serialized_token()); |
| prepare_request.set_auth_factor_type( |
| user_data_auth::AUTH_FACTOR_TYPE_LEGACY_FINGERPRINT); |
| prepare_request.set_purpose(user_data_auth::PURPOSE_AUTHENTICATE_AUTH_FACTOR); |
| auth_session->PrepareAuthFactor(prepare_request, |
| prepare_future.GetCallback()); |
| ASSERT_THAT(prepare_future.Get(), IsOk()); |
| |
| // Test. |
| user_data_auth::TerminateAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_type( |
| user_data_auth::AUTH_FACTOR_TYPE_LEGACY_FINGERPRINT); |
| TestFuture<CryptohomeStatus> terminate_future; |
| auth_session->TerminateAuthFactor(request, terminate_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(terminate_future.Get(), IsOk()); |
| EXPECT_TRUE(token_was_called.terminate); |
| EXPECT_TRUE(token_was_called.destructor); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, RemoveAuthFactor) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| user_data_auth::CryptohomeErrorCode error = |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| |
| error = AddPasswordAuthFactor(kFakeLabel, kFakePass, /*first_factor=*/true, |
| *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| std::unique_ptr<VaultKeyset> backup_vk = CreateBackupVaultKeyset(kFakeLabel); |
| auth_session->set_vault_keyset_for_testing(std::move(backup_vk)); |
| error = |
| AddPinAuthFactor(/*backup_keyset_enabled=*/true, kFakePin, *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Both password and pin are available. |
| std::map<std::string, AuthFactorType> stored_factors = |
| auth_factor_manager_.ListAuthFactors(SanitizeUserName(kFakeUsername)); |
| EXPECT_THAT(stored_factors, |
| ElementsAre(Pair(kFakeLabel, AuthFactorType::kPassword), |
| Pair(kFakePinLabel, AuthFactorType::kPin))); |
| EXPECT_THAT(auth_session->auth_factor_map().Find(kFakeLabel), Optional(_)); |
| EXPECT_THAT(auth_session->auth_factor_map().Find(kFakePinLabel), Optional(_)); |
| |
| // Setting the expectation that backup VaultKeyset is also removed. |
| // VaultKeyset is loaded to be removed. |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, _)) |
| .WillOnce(Return(ByMove(std::make_unique<VaultKeyset>()))); |
| |
| // Test. |
| |
| // Calling RemoveAuthFactor for pin. |
| user_data_auth::RemoveAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_label(kFakePinLabel); |
| |
| TestFuture<CryptohomeStatus> remove_future; |
| auth_session->RemoveAuthFactor(request, remove_future.GetCallback()); |
| |
| EXPECT_THAT(remove_future.Get(), IsOk()); |
| |
| // Only password is available. |
| std::map<std::string, AuthFactorType> stored_factors_1 = |
| auth_factor_manager_.ListAuthFactors(SanitizeUserName(kFakeUsername)); |
| EXPECT_THAT(stored_factors_1, |
| ElementsAre(Pair(kFakeLabel, AuthFactorType::kPassword))); |
| EXPECT_THAT(auth_session->auth_factor_map().Find(kFakeLabel), Optional(_)); |
| EXPECT_THAT(auth_session->auth_factor_map().Find(kFakePinLabel), |
| Eq(std::nullopt)); |
| |
| // Calling AuthenticateAuthFactor for password succeeds. |
| error = AuthenticatePasswordAuthFactor(kFakePass, *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Calling AuthenticateAuthFactor for pin fails. |
| std::string auth_factor_labels[] = {kFakePinLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_pin_input()->set_secret(kFakePin); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session->AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(authenticate_future.Get(), NotOk()); |
| EXPECT_EQ(authenticate_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_KEY_NOT_FOUND); |
| // The verifier still uses the password. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, |
| RemoveAuthFactorRemovesCredentialVerifier) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| user_data_auth::CryptohomeErrorCode error = |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| |
| error = AddPasswordAuthFactor(kFakeLabel, kFakePass, /*first_factor=*/true, |
| *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| error = AddPasswordAuthFactor(kFakeOtherLabel, kFakeOtherPass, |
| /*first_factor=*/false, *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Both passwords are available, the first one should supply a verifier. |
| std::map<std::string, AuthFactorType> stored_factors = |
| auth_factor_manager_.ListAuthFactors(SanitizeUserName(kFakeUsername)); |
| EXPECT_THAT(stored_factors, |
| ElementsAre(Pair(kFakeLabel, AuthFactorType::kPassword), |
| Pair(kFakeOtherLabel, AuthFactorType::kPassword))); |
| EXPECT_THAT(auth_session->auth_factor_map().Find(kFakeLabel), Optional(_)); |
| EXPECT_THAT(auth_session->auth_factor_map().Find(kFakeOtherLabel), |
| Optional(_)); |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT( |
| user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass), |
| IsVerifierPtrWithLabelAndPassword(kFakeOtherLabel, kFakeOtherPass))); |
| |
| // Setting the expectation that backup VaultKeyset is also removed. |
| // VaultKeyset is loaded to be removed. |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, _)) |
| .WillOnce(Return(ByMove(std::make_unique<VaultKeyset>()))); |
| |
| // Test. |
| |
| // Calling RemoveAuthFactor for the second password. |
| user_data_auth::RemoveAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_label(kFakeOtherLabel); |
| |
| TestFuture<CryptohomeStatus> remove_future; |
| auth_session->RemoveAuthFactor(request, remove_future.GetCallback()); |
| |
| EXPECT_THAT(remove_future.Get(), IsOk()); |
| |
| // Only the first password is available. |
| std::map<std::string, AuthFactorType> stored_factors_1 = |
| auth_factor_manager_.ListAuthFactors(SanitizeUserName(kFakeUsername)); |
| EXPECT_THAT(stored_factors_1, |
| ElementsAre(Pair(kFakeLabel, AuthFactorType::kPassword))); |
| EXPECT_THAT(auth_session->auth_factor_map().Find(kFakeLabel), Optional(_)); |
| EXPECT_THAT(auth_session->auth_factor_map().Find(kFakeOtherLabel), |
| Eq(std::nullopt)); |
| |
| // Calling AuthenticateAuthFactor for the first password succeeds. |
| error = AuthenticatePasswordAuthFactor(kFakePass, *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Calling AuthenticateAuthFactor for the second password fails. |
| std::string auth_factor_labels[] = {kFakeOtherLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_password_input()->set_secret(kFakeOtherPass); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session->AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(authenticate_future.Get(), NotOk()); |
| EXPECT_EQ(authenticate_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_KEY_NOT_FOUND); |
| // Now only the first password verifier is available. |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // The test adds, removes and adds the same auth factor again. |
| TEST_F(AuthSessionWithUssExperimentTest, RemoveAndReAddAuthFactor) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| user_data_auth::CryptohomeErrorCode error = |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| |
| error = AddPasswordAuthFactor(kFakeLabel, kFakePass, /*first_factor=*/true, |
| *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| std::unique_ptr<VaultKeyset> backup_vk = CreateBackupVaultKeyset(kFakeLabel); |
| auth_session->set_vault_keyset_for_testing(std::move(backup_vk)); |
| error = |
| AddPinAuthFactor(/*backup_keyset_enabled=*/true, kFakePin, *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Test. |
| // Setting the expectation that backup VaultKeyset is also removed. |
| // VaultKeyset is loaded to be removed. |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, _)) |
| .WillOnce(Return(ByMove(std::make_unique<VaultKeyset>()))); |
| // Calling RemoveAuthFactor for pin. |
| user_data_auth::RemoveAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_label(kFakePinLabel); |
| |
| TestFuture<CryptohomeStatus> remove_future; |
| auth_session->RemoveAuthFactor(request, remove_future.GetCallback()); |
| |
| EXPECT_THAT(remove_future.Get(), IsOk()); |
| |
| // Add the same pin auth factor again. |
| error = |
| AddPinAuthFactor(/*backup_keyset_enabled=*/true, kFakePin, *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| // The verifier still uses the original password. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, RemoveAuthFactorFailsForLastFactor) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| user_data_auth::CryptohomeErrorCode error = |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| |
| error = AddPasswordAuthFactor(kFakeLabel, kFakePass, /*first_factor=*/true, |
| *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Test. |
| |
| // Calling RemoveAuthFactor for password. |
| user_data_auth::RemoveAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_label(kFakeLabel); |
| |
| TestFuture<CryptohomeStatus> remove_future; |
| auth_session->RemoveAuthFactor(request, remove_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(remove_future.Get(), NotOk()); |
| EXPECT_EQ(remove_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_REMOVE_CREDENTIALS_FAILED); |
| // The verifier is still set after the removal failed. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| TEST_F(AuthSessionTest, RemoveAuthFactorFailsForUnauthenticatedAuthSession) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Test. |
| user_data_auth::RemoveAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_label(kFakeLabel); |
| TestFuture<CryptohomeStatus> remove_future; |
| auth_session->RemoveAuthFactor(request, remove_future.GetCallback()); |
| |
| ASSERT_THAT(remove_future.Get(), NotOk()); |
| EXPECT_EQ(remove_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_UNAUTHENTICATED_AUTH_SESSION); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, UpdateAuthFactor) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| std::string new_pass = "update fake pass"; |
| |
| { |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)) |
| .WillRepeatedly(Return(false)); |
| // Setting the expectation that the user does not exist. |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| user_data_auth::CryptohomeErrorCode error = |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| |
| // Calling AddAuthFactor. |
| error = AddPasswordAuthFactor(kFakeLabel, kFakePass, /*first_factor=*/true, |
| *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Test. |
| |
| // Calling UpdateAuthFactor. |
| error = UpdatePasswordAuthFactor(new_pass, *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Force the creation of the user session, otherwise any verifiers added |
| // will be destroyed when the session is. |
| FindOrCreateUserSession(kFakeUsername); |
| } |
| // Setting the expectation that the user exists. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Generating the backup VK. |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, _)) |
| .WillOnce([](const ObfuscatedUsername&, const std::string& label) { |
| KeyData key_data; |
| key_data.set_label(label); |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(std::move(key_data)); |
| return vk; |
| }); |
| |
| CryptohomeStatusOr<InUseAuthSession> new_auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(new_auth_session_status.ok()); |
| AuthSession* new_auth_session = new_auth_session_status.value().Get(); |
| EXPECT_EQ(new_auth_session->status(), |
| AuthStatus::kAuthStatusFurtherFactorRequired); |
| EXPECT_THAT(new_auth_session->authorized_intents(), IsEmpty()); |
| |
| // Verify. |
| // The credential verifier uses the new password. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, new_pass))); |
| // AuthenticateAuthFactor should succeed using the new password. |
| user_data_auth::CryptohomeErrorCode error = |
| AuthenticatePasswordAuthFactor(new_pass, *new_auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| EXPECT_EQ(new_auth_session->status(), AuthStatus::kAuthStatusAuthenticated); |
| EXPECT_THAT( |
| new_auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| } |
| |
| // Test that AddauthFactor successfully adds a PIN factor on a |
| // session that was authenticated via a recovery factor. |
| TEST_F(AuthSessionWithUssExperimentTest, AddPinAfterRecoveryAuth) { |
| // Setup. |
| // Initially the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| { |
| // Obtain AuthSession for user setup. |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kDecrypt); |
| ASSERT_THAT(auth_session_status, IsOk()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Create the user with password and recovery factors. |
| EXPECT_THAT(auth_session->OnUserCreated(), IsOk()); |
| EXPECT_EQ(AddPasswordAuthFactor(kFakeLabel, kFakePass, |
| /*first_factor=*/true, *auth_session), |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| EXPECT_EQ(AddRecoveryAuthFactor(kRecoveryLabel, kFakeRecoverySecret, |
| *auth_session), |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| EXPECT_FALSE(auth_session->enable_create_backup_vk_with_uss_for_testing()); |
| } |
| |
| // Set up mocks for the now-existing user. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Obtain AuthSession for authentication. |
| CryptohomeStatusOr<InUseAuthSession> new_auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kDecrypt); |
| ASSERT_THAT(new_auth_session_status, IsOk()); |
| AuthSession* new_auth_session = new_auth_session_status.value().Get(); |
| EXPECT_FALSE( |
| new_auth_session->enable_create_backup_vk_with_uss_for_testing()); |
| // Authenticate the new auth session with recovery factor. |
| EXPECT_EQ(AuthenticateRecoveryAuthFactor(kRecoveryLabel, kFakeRecoverySecret, |
| *new_auth_session), |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| EXPECT_THAT( |
| new_auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| EXPECT_TRUE(new_auth_session->has_user_secret_stash()); |
| |
| // Test adding a PIN AuthFactor. |
| user_data_auth::CryptohomeErrorCode error = AddPinAuthFactor( |
| /*backup_keyset_enabled=*/false, kFakePin, *new_auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Verify PIN factor is added. |
| std::map<std::string, AuthFactorType> stored_factors = |
| auth_factor_manager_.ListAuthFactors(SanitizeUserName(kFakeUsername)); |
| EXPECT_THAT(stored_factors, |
| UnorderedElementsAre( |
| Pair(kFakeLabel, AuthFactorType::kPassword), |
| Pair(kRecoveryLabel, AuthFactorType::kCryptohomeRecovery), |
| Pair(kFakePinLabel, AuthFactorType::kPin))); |
| // Verify that reset secret for the pin label is added to USS. |
| EXPECT_TRUE(new_auth_session->HasResetSecretInUssForTesting(kFakePinLabel)); |
| } |
| |
| // Test that UpdateAuthFactor successfully updates a password factor on a |
| // session that was authenticated via a recovery factor. |
| TEST_F(AuthSessionWithUssExperimentTest, UpdatePasswordAfterRecoveryAuth) { |
| // Setup. |
| constexpr char kNewFakePass[] = "new fake pass"; |
| // Initially the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| { |
| // Obtain AuthSession for user setup. |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kDecrypt); |
| ASSERT_THAT(auth_session_status, IsOk()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Create the user. |
| EXPECT_THAT(auth_session->OnUserCreated(), IsOk()); |
| // Add password AuthFactor. |
| EXPECT_EQ(AddPasswordAuthFactor(kFakeLabel, kFakePass, |
| /*first_factor=*/true, *auth_session), |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| // Add recovery AuthFactor. |
| EXPECT_EQ(AddRecoveryAuthFactor(kRecoveryLabel, kFakeRecoverySecret, |
| *auth_session), |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| EXPECT_FALSE(auth_session->enable_create_backup_vk_with_uss_for_testing()); |
| } |
| |
| // Set up mocks for the now-existing user. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Obtain AuthSession for authentication. |
| AuthSession* new_auth_session = nullptr; |
| { |
| CryptohomeStatusOr<InUseAuthSession> new_auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kDecrypt); |
| ASSERT_THAT(new_auth_session_status, IsOk()); |
| new_auth_session = new_auth_session_status.value().Get(); |
| EXPECT_FALSE( |
| new_auth_session->enable_create_backup_vk_with_uss_for_testing()); |
| } |
| |
| // Authenticate the new auth session with recovery factor. |
| EXPECT_EQ(AuthenticateRecoveryAuthFactor(kRecoveryLabel, kFakeRecoverySecret, |
| *new_auth_session), |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| EXPECT_THAT( |
| new_auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| EXPECT_TRUE(new_auth_session->has_user_secret_stash()); |
| EXPECT_THAT( |
| new_auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kDecrypt, AuthIntent::kVerifyOnly)); |
| |
| // Test updating existing password factor. |
| user_data_auth::CryptohomeErrorCode error = |
| UpdatePasswordAuthFactor(kNewFakePass, *new_auth_session); |
| |
| // Verify update succeeded. |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, UpdateAuthFactorFailsForWrongLabel) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| user_data_auth::CryptohomeErrorCode error = |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| |
| // Calling AddAuthFactor. |
| error = AddPasswordAuthFactor(kFakeLabel, kFakePass, /*first_factor=*/true, |
| *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| std::string new_pass = "update fake pass"; |
| |
| // Test. |
| |
| // Calling UpdateAuthFactor. |
| user_data_auth::UpdateAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_label(kFakeLabel); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label("different new label"); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(new_pass); |
| |
| TestFuture<CryptohomeStatus> update_future; |
| auth_session->UpdateAuthFactor(request, update_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(update_future.Get(), NotOk()); |
| EXPECT_EQ(update_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_INVALID_ARGUMENT); |
| // The verifier still uses the original password. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, UpdateAuthFactorFailsForWrongType) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| user_data_auth::CryptohomeErrorCode error = |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| |
| // Calling AddAuthFactor. |
| error = AddPasswordAuthFactor(kFakeLabel, kFakePass, /*first_factor=*/true, |
| *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Test. |
| |
| // Calling UpdateAuthFactor. |
| user_data_auth::UpdateAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_label(kFakeLabel); |
| request.mutable_auth_factor()->set_type(user_data_auth::AUTH_FACTOR_TYPE_PIN); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_pin_metadata(); |
| request.mutable_auth_input()->mutable_pin_input()->set_secret(kFakePin); |
| |
| TestFuture<CryptohomeStatus> update_future; |
| auth_session->UpdateAuthFactor(request, update_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(update_future.Get(), NotOk()); |
| EXPECT_EQ(update_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_INVALID_ARGUMENT); |
| // The verifier still uses the original password. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| TEST_F(AuthSessionWithUssExperimentTest, |
| UpdateAuthFactorFailsWhenLabelDoesntExist) { |
| // Setup. |
| int flags = user_data_auth::AuthSessionFlags::AUTH_SESSION_FLAGS_NONE; |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession(kFakeUsername, flags, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| // Creating the user. |
| EXPECT_TRUE(auth_session->OnUserCreated().ok()); |
| EXPECT_TRUE(auth_session->has_user_secret_stash()); |
| |
| user_data_auth::CryptohomeErrorCode error = |
| user_data_auth::CRYPTOHOME_ERROR_NOT_SET; |
| |
| // Calling AddAuthFactor. |
| error = AddPasswordAuthFactor(kFakeLabel, kFakePass, /*first_factor=*/true, |
| *auth_session); |
| EXPECT_EQ(error, user_data_auth::CRYPTOHOME_ERROR_NOT_SET); |
| |
| // Test. |
| |
| // Calling UpdateAuthFactor. |
| user_data_auth::UpdateAuthFactorRequest request; |
| request.set_auth_session_id(auth_session->serialized_token()); |
| request.set_auth_factor_label("label doesn't exist"); |
| request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| request.mutable_auth_factor()->set_label(kFakeLabel); |
| request.mutable_auth_factor()->mutable_password_metadata(); |
| request.mutable_auth_input()->mutable_password_input()->set_secret(kFakePass); |
| |
| TestFuture<CryptohomeStatus> update_future; |
| auth_session->UpdateAuthFactor(request, update_future.GetCallback()); |
| |
| // Verify. |
| ASSERT_THAT(update_future.Get(), NotOk()); |
| EXPECT_EQ(update_future.Get()->local_legacy_error(), |
| user_data_auth::CRYPTOHOME_ERROR_KEY_NOT_FOUND); |
| // The verifier still uses the original password. |
| UserSession* user_session = FindOrCreateUserSession(kFakeUsername); |
| EXPECT_THAT(user_session->GetCredentialVerifiers(), |
| UnorderedElementsAre( |
| IsVerifierPtrWithLabelAndPassword(kFakeLabel, kFakePass))); |
| } |
| |
| // Test that `UpdateAuthFactor` fails when the auth block derivation fails (but |
| // doesn't crash). |
| TEST_F(AuthSessionTest, UpdateAuthFactorFailsInAuthBlock) { |
| // Setup. |
| // Setting the expectation that the user does not exist. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(false)); |
| // Setting the expectation that the user does not exist. |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kDecrypt); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession& auth_session = *auth_session_status.value().Get(); |
| // Creating the user. |
| EXPECT_THAT(auth_session.OnUserCreated(), IsOk()); |
| // Adding the password VK. |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockTypeForCreation(false, false, false)) |
| .WillRepeatedly(ReturnValue(AuthBlockType::kTpmBoundToPcr)); |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync(_, _, _)) |
| .WillOnce([](auto, auto, AuthBlock::CreateCallback create_callback) { |
| // Make an arbitrary auth block state type can be used in this test. |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| auto auth_block_state = std::make_unique<AuthBlockState>(); |
| auth_block_state->state = TpmBoundToPcrAuthBlockState(); |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), std::move(key_blobs), |
| std::move(auth_block_state)); |
| }) |
| .RetiresOnSaturation(); |
| EXPECT_CALL(keyset_management_, |
| AddInitialKeysetWithKeyBlobs(_, _, _, _, _, _, _)) |
| .WillOnce( |
| [](auto, auto, const KeyData& key_data, auto, auto, auto, auto) { |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->SetKeyData(key_data); |
| return vk; |
| }); |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, kFakeLabel)) |
| .WillOnce( |
| [](auto, auto) { return CreatePasswordVaultKeyset(kFakeLabel); }); |
| user_data_auth::AddAuthFactorRequest add_request; |
| add_request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| add_request.mutable_auth_factor()->set_label(kFakeLabel); |
| add_request.mutable_auth_factor()->mutable_password_metadata(); |
| add_request.mutable_auth_input()->mutable_password_input()->set_secret( |
| kFakePass); |
| add_request.set_auth_session_id(auth_session.serialized_token()); |
| TestFuture<CryptohomeStatus> add_future; |
| auth_session.AddAuthFactor(add_request, add_future.GetCallback()); |
| EXPECT_THAT(add_future.Get(), IsOk()); |
| // Setting the expectations for the new auth block creation. The mock is set |
| // to fail. |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync(_, _, _)) |
| .WillOnce([](auto, auto, AuthBlock::CreateCallback create_callback) { |
| std::move(create_callback) |
| .Run(MakeStatus<CryptohomeCryptoError>( |
| kErrorLocationForTestingAuthSession, |
| error::ErrorActionSet( |
| {error::ErrorAction::kDevCheckUnexpectedState}), |
| CryptoError::CE_OTHER_CRYPTO), |
| nullptr, nullptr); |
| }); |
| |
| // Test. |
| // Preparing UpdateAuthFactor parameters. |
| user_data_auth::UpdateAuthFactorRequest update_request; |
| update_request.set_auth_session_id(auth_session.serialized_token()); |
| update_request.set_auth_factor_label(kFakeLabel); |
| update_request.mutable_auth_factor()->set_type( |
| user_data_auth::AUTH_FACTOR_TYPE_PASSWORD); |
| update_request.mutable_auth_factor()->set_label(kFakeLabel); |
| update_request.mutable_auth_factor()->mutable_password_metadata(); |
| update_request.mutable_auth_input()->mutable_password_input()->set_secret( |
| kFakePass); |
| // Calling UpdateAuthFactor. |
| TestFuture<CryptohomeStatus> update_future; |
| auth_session.UpdateAuthFactor(update_request, update_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(update_future.Get(), NotOk()); |
| } |
| |
| // Test that AuthenticateAuthFactor succeeds for the `AuthIntent::kWebAuthn` |
| // scenario, using the legacy fingerprint. |
| TEST_F(AuthSessionWithUssExperimentTest, FingerprintAuthenticationForWebAuthn) { |
| // Setup. |
| EXPECT_CALL(keyset_management_, UserExists(_)).WillRepeatedly(Return(true)); |
| // Add the user session. Configure the credential verifier mock to succeed. |
| auto user_session = std::make_unique<MockUserSession>(); |
| EXPECT_CALL(*user_session, VerifyUser(SanitizeUserName(kFakeUsername))) |
| .WillOnce(Return(true)); |
| auto verifier = std::make_unique<MockCredentialVerifier>( |
| AuthFactorType::kLegacyFingerprint, "", AuthFactorMetadata{}); |
| EXPECT_CALL(*verifier, VerifySync(_)).WillOnce(ReturnOk<CryptohomeError>()); |
| user_session->AddCredentialVerifier(std::move(verifier)); |
| EXPECT_TRUE(user_session_map_.Add(kFakeUsername, std::move(user_session))); |
| // Create an AuthSession and add a mock for a successful auth block verify. |
| CryptohomeStatusOr<InUseAuthSession> auth_session_status = |
| auth_session_manager_.CreateAuthSession( |
| kFakeUsername, user_data_auth::AUTH_SESSION_FLAGS_NONE, |
| AuthIntent::kWebAuthn); |
| EXPECT_TRUE(auth_session_status.ok()); |
| AuthSession* auth_session = auth_session_status.value().Get(); |
| EXPECT_CALL(auth_block_utility_, |
| IsVerifyWithAuthFactorSupported( |
| AuthIntent::kWebAuthn, AuthFactorType::kLegacyFingerprint)) |
| .WillRepeatedly(Return(true)); |
| |
| // Test. |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_legacy_fingerprint_input(); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session->AuthenticateAuthFactor({}, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| EXPECT_THAT( |
| auth_session->authorized_intents(), |
| UnorderedElementsAre(AuthIntent::kVerifyOnly, AuthIntent::kWebAuthn)); |
| } |
| |
| // Test that we can authenticate a old-style kiosk VK, and migrate it to USS |
| // correctly. These old VKs show up as password VKs and so we need the |
| // authenticate to successfully convert it to a kiosk based on the input. |
| TEST_F(AuthSessionWithUssExperimentTest, AuthenticatePasswordVkToKioskUss) { |
| // Setup. |
| // Create a factor containing a password that will become a kiosk factor. |
| AuthFactorMap auth_factor_map; |
| auth_factor_map.Add( |
| std::make_unique<AuthFactor>( |
| AuthFactorType::kPassword, kLegacyLabel, |
| AuthFactorMetadata{.metadata = PasswordAuthFactorMetadata()}, |
| AuthBlockState()), |
| AuthFactorStorageType::kVaultKeyset); |
| // Start a session with this single factor and USS migration enabled. |
| AuthSession auth_session( |
| {.username = kFakeUsername, |
| .obfuscated_username = SanitizeUserName(kFakeUsername), |
| .is_ephemeral_user = false, |
| .intent = AuthIntent::kDecrypt, |
| .on_timeout = base::DoNothing(), |
| .user_exists = true, |
| .auth_factor_map = std::move(auth_factor_map), |
| .migrate_to_user_secret_stash = true}, |
| backing_apis_); |
| // Helpers to make keysets and keyblobs in the test. |
| auto make_vk = [this]() { |
| auto vk = std::make_unique<VaultKeyset>(); |
| vk->Initialize(backing_apis_.platform, backing_apis_.crypto); |
| vk->SetLegacyIndex(0); |
| return vk; |
| }; |
| auto make_key_blobs = []() { |
| auto key_blobs = std::make_unique<KeyBlobs>(); |
| key_blobs->vkk_key = brillo::SecureBlob(32, 'J'); |
| return key_blobs; |
| }; |
| // Called within the converter_.PopulateKeyDataForVK(). We return an empty VK |
| // with no KeyData, like a legacy kiosk VK would have. We also have to fake |
| // out the actual authentication calls. Since the point here is to test the |
| // migration, not the authentication itself, we just respond with "yes, all |
| // good" everywhere. |
| EXPECT_CALL(keyset_management_, GetVaultKeyset(_, kLegacyLabel)) |
| .WillRepeatedly([&](auto...) { return make_vk(); }); |
| EXPECT_CALL(auth_block_utility_, |
| GetAuthBlockStateFromVaultKeyset(kLegacyLabel, _, _)) |
| .WillRepeatedly(Return(true)); |
| EXPECT_CALL(auth_block_utility_, GetAuthBlockTypeFromState(_)) |
| .WillRepeatedly(Return(AuthBlockType::kScrypt)); |
| EXPECT_CALL(auth_block_utility_, |
| DeriveKeyBlobsWithAuthBlockAsync(AuthBlockType::kScrypt, _, _, _)) |
| .WillOnce([&](AuthBlockType auth_block_type, const AuthInput& auth_input, |
| const AuthBlockState& auth_state, |
| AuthBlock::DeriveCallback derive_callback) { |
| std::move(derive_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), make_key_blobs()); |
| }); |
| EXPECT_CALL(keyset_management_, GetValidKeysetWithKeyBlobs(_, _, _)) |
| .WillOnce([&](auto...) { return make_vk(); }); |
| // These calls will happen during the migration. |
| EXPECT_CALL(auth_block_utility_, CreateKeyBlobsWithAuthBlockAsync(_, _, _)) |
| .WillOnce([&](AuthBlockType auth_block_type, const AuthInput& auth_input, |
| AuthBlock::CreateCallback create_callback) { |
| std::move(create_callback) |
| .Run(OkStatus<CryptohomeCryptoError>(), make_key_blobs(), |
| std::make_unique<AuthBlockState>()); |
| }); |
| |
| // Test. |
| std::string auth_factor_labels[] = {kLegacyLabel}; |
| user_data_auth::AuthInput auth_input_proto; |
| auth_input_proto.mutable_kiosk_input(); |
| TestFuture<CryptohomeStatus> authenticate_future; |
| auth_session.AuthenticateAuthFactor(auth_factor_labels, auth_input_proto, |
| authenticate_future.GetCallback()); |
| |
| // Verify. |
| EXPECT_THAT(authenticate_future.Get(), IsOk()); |
| ASSERT_THAT(auth_session.auth_factor_map().size(), Eq(1)); |
| AuthFactorMap::ValueView stored_auth_factor = |
| *auth_session.auth_factor_map().begin(); |
| const AuthFactor& auth_factor = stored_auth_factor.auth_factor(); |
| EXPECT_THAT(stored_auth_factor.storage_type(), |
| Eq(AuthFactorStorageType::kUserSecretStash)); |
| EXPECT_THAT(auth_factor.type(), Eq(AuthFactorType::kKiosk)); |
| EXPECT_THAT(auth_factor.metadata().metadata, |
| VariantWith<KioskAuthFactorMetadata>(_)); |
| } |
| |
| } // namespace cryptohome |