Skip to content

Commit

Permalink
keyring: for test
Browse files Browse the repository at this point in the history
Signed-off-by: Bin Tang <[email protected]>
  • Loading branch information
sctb512 committed Aug 3, 2023
1 parent ce775ee commit 18c6dd7
Show file tree
Hide file tree
Showing 3 changed files with 39 additions and 17 deletions.
6 changes: 3 additions & 3 deletions pkg/auth/cache.go
Original file line number Diff line number Diff line change
Expand Up @@ -63,10 +63,10 @@ func (c *Cache) GetAuth(imageHost string) (string, error) {
return data, err
}

func (c *Cache) GetKeyChain(ImageID string) (*PassKeyChain, error) {
image, err := registry.ParseImage(ImageID)
func (c *Cache) GetKeyChain(imageID string) (*PassKeyChain, error) {
image, err := registry.ParseImage(imageID)
if err != nil {
return nil, errors.Wrapf(err, "parse image %s", ImageID)
return nil, errors.Wrapf(err, "parse image %s", imageID)
}

cachedAuth, err := c.GetAuth(image.Host)
Expand Down
38 changes: 25 additions & 13 deletions pkg/auth/keyring.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
package auth

import (
"os"
"strconv"
"strings"
"sync"
Expand All @@ -28,7 +29,7 @@ var (
type KeyRing struct {
sessKeyID int
keyLock sync.RWMutex
avaliable bool
available bool
}

func GetSessionID() (int, error) {
Expand All @@ -51,13 +52,10 @@ func GetSessionID() (int, error) {
log.L.Infof("added search permission for session keyring %s", defaultSessionName)

globalKeyRing.sessKeyID = sessKeyID
globalKeyRing.avaliable = true
globalKeyRing.available = true
},
)
if joinSessionErr != nil {
return 0, errors.Wrapf(joinSessionErr, "join session keyring %s.", defaultSessionName)
}
if !globalKeyRing.avaliable {
if !globalKeyRing.available || joinSessionErr != nil {
return 0, unix.EINVAL
}

Expand All @@ -69,13 +67,24 @@ func AddKeyring(id, value string) (int, error) {
if err != nil {
return 0, err
}
log.L.Infof("[abin]session ID: %d", sessKeyID)

globalKeyRing.keyLock.Lock()
defer globalKeyRing.keyLock.Unlock()

permFull, _, err := checkPermission(sessKeyID, 0)
if err != nil {
return 0, errors.Wrap(err, "check permission before adding key")
}
log.L.Infof("[abin] keyring permission: %b, uid: %d, gid: %d", permFull, os.Getuid(), os.Getgid())

keyID, err := unix.AddKey("user", id, []byte(value), sessKeyID)
if err != nil {
return 0, err
if errors.Is(err, unix.EACCES) {
log.L.Infof("[abin] error unix.EACCES: %d", err)
return 0, unix.EINVAL
}
return 0, errors.Wrapf(err, "add key %s", id)
}

return keyID, nil
Expand Down Expand Up @@ -105,7 +114,7 @@ func checkPermission(ringID int, targetMask uint32) (uint32, bool, error) {

permFull := uint32(perm64) & mask

return permFull, (permFull & targetMask) != 0, nil
return permFull, (permFull&targetMask)^targetMask == 0, nil
}

func addSearchPermission(ringID int) error {
Expand All @@ -130,10 +139,10 @@ func addSearchPermission(ringID int) error {
*
* Refer to https://man7.org/linux/man-pages/man7/keyrings.7.html
*/
var searchPermissionBits uint32 = 0x80000
var allUserPermissionBits uint32 = 0x3f0000

// Check if the search right for user already exists.
permFull, hasPermission, err := checkPermission(ringID, searchPermissionBits)
permFull, hasPermission, err := checkPermission(ringID, allUserPermissionBits)
if err != nil {
return errors.Wrap(err, "check permission")
}
Expand All @@ -142,17 +151,20 @@ func addSearchPermission(ringID int) error {
}

// Add search right for user.
if err := unix.KeyctlSetperm(ringID, permFull|searchPermissionBits); err != nil {
if err := unix.KeyctlSetperm(ringID, permFull|allUserPermissionBits); err != nil {
return errors.Wrap(err, "set permission")
}

permFull, hasPermission, err = checkPermission(ringID, searchPermissionBits)
permFull, hasPermission, err = checkPermission(ringID, allUserPermissionBits)
if err != nil {
return errors.Wrap(err, "check permission after add search permission")
}
if !hasPermission {
return errors.Errorf("add search permission failed, current permission: %b", permFull)
return unix.EINVAL
}

log.L.Infof("[abin] keyring permission: %b", permFull)

return nil
}

Expand Down
12 changes: 11 additions & 1 deletion pkg/auth/keyring_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"testing"

"github.com/stretchr/testify/assert"
"golang.org/x/sys/unix"
)

func TestKeyRing_Add(t *testing.T) {
Expand All @@ -18,6 +19,9 @@ func TestKeyRing_Add(t *testing.T) {
testKey := "test"
testValue := "value"
keyID, err := AddKeyring(testKey, testValue)
if err != nil && err == unix.EINVAL {
return
}
A.NoError(err)

value, err := getData(keyID)
Expand All @@ -35,6 +39,9 @@ func TestKeyRing_Search(t *testing.T) {
testKey := "test"
testValue := "value"
_, err := AddKeyring(testKey, testValue)
if err != nil && err == unix.EINVAL {
return
}
A.NoError(err)

value, err := SearchKeyring(testKey)
Expand Down Expand Up @@ -78,7 +85,10 @@ func TestKeyRing_getData(t *testing.T) {
testValue = append(testValue, 'A')
}

keyID, err := AddKeyring(testKey, string(testValue[:]))
keyID, err := AddKeyring(testKey, string(testValue))
if err != nil && err == unix.EINVAL {
return
}
A.NoError(err)

value, err := getData(keyID)
Expand Down

0 comments on commit 18c6dd7

Please sign in to comment.