keystore2/test_utils/lib.rs - android_system_security - Gitiles

 // Copyright 2020, The Android Open Source Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 //! Implements TempDir which aids in creating an cleaning up temporary directories for testing.

 use std::fs::{create_dir, remove_dir_all};
 use std::io::ErrorKind;
 use std::path::{Path, PathBuf};
 use std::{env::temp_dir, ops::Deref};

 use android_system_keystore2::aidl::android::system::keystore2::{
     IKeystoreService::IKeystoreService,
     IKeystoreSecurityLevel::IKeystoreSecurityLevel,
 };
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
     ErrorCode::ErrorCode, IKeyMintDevice::IKeyMintDevice, SecurityLevel::SecurityLevel,
 };
 use android_security_authorization::aidl::android::security::authorization::IKeystoreAuthorization::IKeystoreAuthorization;

 pub mod authorizations;
 pub mod ffi_test_utils;
 pub mod key_generations;
 pub mod run_as;

 static KS2_SERVICE_NAME: &str = "android.system.keystore2.IKeystoreService/default";
 static AUTH_SERVICE_NAME: &str = "android.security.authorization";

 /// Represents the lifecycle of a temporary directory for testing.
 #[derive(Debug)]
 pub struct TempDir {
     path: std::path::PathBuf,
     do_drop: bool,
 }

 impl TempDir {
     /// Creates a temporary directory with a name of the form <prefix>_NNNNN where NNNNN is a zero
     /// padded random number with 5 figures. The prefix must not contain file system separators.
     /// The location of the directory cannot be chosen.
     /// The directory with all of its content is removed from the file system when the resulting
     /// object gets dropped.
     pub fn new(prefix: &str) -> std::io::Result<Self> {
         let tmp = loop {
             let mut tmp = temp_dir();
             let number: u16 = rand::random();
             tmp.push(format!("{}_{:05}", prefix, number));
             match create_dir(&tmp) {
                 Err(e) => match e.kind() {
                     ErrorKind::AlreadyExists => continue,
                     _ => return Err(e),
                 },
                 Ok(()) => break tmp,
             }
         };
         Ok(Self { path: tmp, do_drop: true })
     }

     /// Returns the absolute path of the temporary directory.
     pub fn path(&self) -> &Path {
         &self.path
     }

     /// Returns a path builder for convenient extension of the path.
     ///
     /// ## Example:
     ///
     /// ```
     /// let tdir = TempDir::new("my_test")?;
     /// let temp_foo_bar = tdir.build().push("foo").push("bar");
     /// ```
     /// `temp_foo_bar` derefs to a Path that represents "<tdir.path()>/foo/bar"
     pub fn build(&self) -> PathBuilder {
         PathBuilder(self.path.clone())
     }

     /// When a test is failing you can set this to false in order to inspect
     /// the directory structure after the test failed.
     #[allow(dead_code)]
     pub fn do_not_drop(&mut self) {
         println!("Disabled automatic cleanup for: {:?}", self.path);
         log::info!("Disabled automatic cleanup for: {:?}", self.path);
         self.do_drop = false;
     }
 }

 impl Drop for TempDir {
     fn drop(&mut self) {
         if self.do_drop {
             remove_dir_all(&self.path).expect("Cannot delete temporary dir.");
         }
     }
 }

 /// Allows for convenient building of paths from a TempDir. See TempDir.build() for more details.
 pub struct PathBuilder(PathBuf);

 impl PathBuilder {
     /// Adds another segment to the end of the path. Consumes, modifies and returns self.
     pub fn push(mut self, segment: &str) -> Self {
         self.0.push(segment);
         self
     }
 }

 impl Deref for PathBuilder {
     type Target = Path;

     fn deref(&self) -> &Self::Target {
         &self.0
     }
 }

 /// Get Keystore2 service.
 pub fn get_keystore_service() -> binder::Strong<dyn IKeystoreService> {
     binder::get_interface(KS2_SERVICE_NAME).unwrap()
 }

 /// Get Keystore auth service.
 pub fn get_keystore_auth_service() -> binder::Strong<dyn IKeystoreAuthorization> {
     binder::get_interface(AUTH_SERVICE_NAME).unwrap()
 }

 /// Security level-specific data.
 pub struct SecLevel {
     /// Binder connection for the top-level service.
     pub keystore2: binder::Strong<dyn IKeystoreService>,
     /// Binder connection for the security level.
     pub binder: binder::Strong<dyn IKeystoreSecurityLevel>,
     /// Security level.
     pub level: SecurityLevel,
 }

 impl SecLevel {
     /// Return security level data for TEE.
     pub fn tee() -> Self {
         let level = SecurityLevel::TRUSTED_ENVIRONMENT;
         let keystore2 = get_keystore_service();
         let binder =
             keystore2.getSecurityLevel(level).expect("TEE security level should always be present");
         Self { keystore2, binder, level }
     }
     /// Return security level data for StrongBox, if present.
     pub fn strongbox() -> Option<Self> {
         let level = SecurityLevel::STRONGBOX;
         let keystore2 = get_keystore_service();
         match key_generations::map_ks_error(keystore2.getSecurityLevel(level)) {
             Ok(binder) => Some(Self { keystore2, binder, level }),
             Err(e) => {
                 assert_eq!(e, key_generations::Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE));
                 None
             }
         }
     }
     /// Indicate whether this security level is a KeyMint implementation (not Keymaster).
     pub fn is_keymint(&self) -> bool {
         let instance = match self.level {
             SecurityLevel::TRUSTED_ENVIRONMENT => "default",
             SecurityLevel::STRONGBOX => "strongbox",
             l => panic!("unexpected level {l:?}"),
         };
         let name = format!("android.hardware.security.keymint.IKeyMintDevice/{instance}");
         binder::is_declared(&name).expect("Could not check for declared keymint interface")
     }

     /// Indicate whether this security level is a Keymaster implementation (not KeyMint).
     pub fn is_keymaster(&self) -> bool {
         !self.is_keymint()
     }

     /// Get KeyMint version.
     /// Returns 0 if the underlying device is Keymaster not KeyMint.
     pub fn get_keymint_version(&self) -> i32 {
         let instance = match self.level {
             SecurityLevel::TRUSTED_ENVIRONMENT => "default",
             SecurityLevel::STRONGBOX => "strongbox",
             l => panic!("unexpected level {l:?}"),
         };
         let name = format!("android.hardware.security.keymint.IKeyMintDevice/{instance}");
         if binder::is_declared(&name).expect("Could not check for declared keymint interface") {
             let km: binder::Strong<dyn IKeyMintDevice> = binder::get_interface(&name).unwrap();
             km.getInterfaceVersion().unwrap()
         } else {
             0
         }
     }
 }
	// Copyright 2020, The Android Open Source Project
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	//! Implements TempDir which aids in creating an cleaning up temporary directories for testing.

	use std::fs::{create_dir, remove_dir_all};
	use std::io::ErrorKind;
	use std::path::{Path, PathBuf};
	use std::{env::temp_dir, ops::Deref};

	use android_system_keystore2::aidl::android::system::keystore2::{
	IKeystoreService::IKeystoreService,
	IKeystoreSecurityLevel::IKeystoreSecurityLevel,
	};
	use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
	ErrorCode::ErrorCode, IKeyMintDevice::IKeyMintDevice, SecurityLevel::SecurityLevel,
	};
	use android_security_authorization::aidl::android::security::authorization::IKeystoreAuthorization::IKeystoreAuthorization;

	pub mod authorizations;
	pub mod ffi_test_utils;
	pub mod key_generations;
	pub mod run_as;

	static KS2_SERVICE_NAME: &str = "android.system.keystore2.IKeystoreService/default";
	static AUTH_SERVICE_NAME: &str = "android.security.authorization";

	/// Represents the lifecycle of a temporary directory for testing.
	#[derive(Debug)]
	pub struct TempDir {
	path: std::path::PathBuf,
	do_drop: bool,
	}

	impl TempDir {
	/// Creates a temporary directory with a name of the form <prefix>_NNNNN where NNNNN is a zero
	/// padded random number with 5 figures. The prefix must not contain file system separators.
	/// The location of the directory cannot be chosen.
	/// The directory with all of its content is removed from the file system when the resulting
	/// object gets dropped.
	pub fn new(prefix: &str) -> std::io::Result<Self> {
	let tmp = loop {
	let mut tmp = temp_dir();
	let number: u16 = rand::random();
	tmp.push(format!("{}_{:05}", prefix, number));
	match create_dir(&tmp) {
	Err(e) => match e.kind() {
	ErrorKind::AlreadyExists => continue,
	_ => return Err(e),
	},
	Ok(()) => break tmp,
	}
	};
	Ok(Self { path: tmp, do_drop: true })
	}

	/// Returns the absolute path of the temporary directory.
	pub fn path(&self) -> &Path {
	&self.path
	}

	/// Returns a path builder for convenient extension of the path.
	///
	/// ## Example:
	///
	/// ```
	/// let tdir = TempDir::new("my_test")?;
	/// let temp_foo_bar = tdir.build().push("foo").push("bar");
	/// ```
	/// `temp_foo_bar` derefs to a Path that represents "<tdir.path()>/foo/bar"
	pub fn build(&self) -> PathBuilder {
	PathBuilder(self.path.clone())
	}

	/// When a test is failing you can set this to false in order to inspect
	/// the directory structure after the test failed.
	#[allow(dead_code)]
	pub fn do_not_drop(&mut self) {
	println!("Disabled automatic cleanup for: {:?}", self.path);
	log::info!("Disabled automatic cleanup for: {:?}", self.path);
	self.do_drop = false;
	}
	}

	impl Drop for TempDir {
	fn drop(&mut self) {
	if self.do_drop {
	remove_dir_all(&self.path).expect("Cannot delete temporary dir.");
	}
	}
	}

	/// Allows for convenient building of paths from a TempDir. See TempDir.build() for more details.
	pub struct PathBuilder(PathBuf);

	impl PathBuilder {
	/// Adds another segment to the end of the path. Consumes, modifies and returns self.
	pub fn push(mut self, segment: &str) -> Self {
	self.0.push(segment);
	self
	}
	}

	impl Deref for PathBuilder {
	type Target = Path;

	fn deref(&self) -> &Self::Target {
	&self.0
	}
	}

	/// Get Keystore2 service.
	pub fn get_keystore_service() -> binder::Strong<dyn IKeystoreService> {
	binder::get_interface(KS2_SERVICE_NAME).unwrap()
	}

	/// Get Keystore auth service.
	pub fn get_keystore_auth_service() -> binder::Strong<dyn IKeystoreAuthorization> {
	binder::get_interface(AUTH_SERVICE_NAME).unwrap()
	}

	/// Security level-specific data.
	pub struct SecLevel {
	/// Binder connection for the top-level service.
	pub keystore2: binder::Strong<dyn IKeystoreService>,
	/// Binder connection for the security level.
	pub binder: binder::Strong<dyn IKeystoreSecurityLevel>,
	/// Security level.
	pub level: SecurityLevel,
	}

	impl SecLevel {
	/// Return security level data for TEE.
	pub fn tee() -> Self {
	let level = SecurityLevel::TRUSTED_ENVIRONMENT;
	let keystore2 = get_keystore_service();
	let binder =
	keystore2.getSecurityLevel(level).expect("TEE security level should always be present");
	Self { keystore2, binder, level }
	}
	/// Return security level data for StrongBox, if present.
	pub fn strongbox() -> Option<Self> {
	let level = SecurityLevel::STRONGBOX;
	let keystore2 = get_keystore_service();
	match key_generations::map_ks_error(keystore2.getSecurityLevel(level)) {
	Ok(binder) => Some(Self { keystore2, binder, level }),
	Err(e) => {
	assert_eq!(e, key_generations::Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE));
	None
	}
	}
	}
	/// Indicate whether this security level is a KeyMint implementation (not Keymaster).
	pub fn is_keymint(&self) -> bool {
	let instance = match self.level {
	SecurityLevel::TRUSTED_ENVIRONMENT => "default",
	SecurityLevel::STRONGBOX => "strongbox",
	l => panic!("unexpected level {l:?}"),
	};
	let name = format!("android.hardware.security.keymint.IKeyMintDevice/{instance}");
	binder::is_declared(&name).expect("Could not check for declared keymint interface")
	}

	/// Indicate whether this security level is a Keymaster implementation (not KeyMint).
	pub fn is_keymaster(&self) -> bool {
	!self.is_keymint()
	}

	/// Get KeyMint version.
	/// Returns 0 if the underlying device is Keymaster not KeyMint.
	pub fn get_keymint_version(&self) -> i32 {
	let instance = match self.level {
	SecurityLevel::TRUSTED_ENVIRONMENT => "default",
	SecurityLevel::STRONGBOX => "strongbox",
	l => panic!("unexpected level {l:?}"),
	};
	let name = format!("android.hardware.security.keymint.IKeyMintDevice/{instance}");
	if binder::is_declared(&name).expect("Could not check for declared keymint interface") {
	let km: binder::Strong<dyn IKeyMintDevice> = binder::get_interface(&name).unwrap();
	km.getInterfaceVersion().unwrap()
	} else {
	0
	}
	}
	}