From 73e428cf3fbfa51b31e030786404cd63162c7557 Mon Sep 17 00:00:00 2001
From: James Prestwood
Date: Tue, 15 Feb 2022 13:41:34 -0800
Subject: [PATCH] auto-t: add test for encrypted profiles
---
.../testEncryptedProfiles/connection_test.py | 154 ++++++++++++++++++
autotests/testEncryptedProfiles/hw.conf | 6 +
autotests/testEncryptedProfiles/iwd-secret | 1 +
autotests/testEncryptedProfiles/main.conf | 2 +
autotests/testEncryptedProfiles/ssidCCMP.conf | 10 ++
autotests/testEncryptedProfiles/ssidCCMP.psk | 2 +
6 files changed, 175 insertions(+)
create mode 100644 autotests/testEncryptedProfiles/connection_test.py
create mode 100644 autotests/testEncryptedProfiles/hw.conf
create mode 100644 autotests/testEncryptedProfiles/iwd-secret
create mode 100644 autotests/testEncryptedProfiles/main.conf
create mode 100644 autotests/testEncryptedProfiles/ssidCCMP.conf
create mode 100644 autotests/testEncryptedProfiles/ssidCCMP.psk
diff --git a/autotests/testEncryptedProfiles/connection_test.py b/autotests/testEncryptedProfiles/connection_test.py
new file mode 100644
index 00000000..dd4892ca
--- /dev/null
+++ b/autotests/testEncryptedProfiles/connection_test.py
@@ -0,0 +1,154 @@
+#!/usr/bin/python3
+
+import unittest
+import sys
+
+sys.path.append('../util')
+import iwd
+import os
+from iwd import IWD
+from iwd import NetworkType
+from iwd import PSKAgent
+
+class Test(unittest.TestCase):
+ def profile_is_encrypted(self, profile):
+ with open('/tmp/iwd/' + profile) as f:
+ contents = f.read()
+
+ if 'Passphrase' in contents:
+ return False
+
+ return True
+
+ def validate(self, wd):
+ devices = wd.list_devices(1)
+ device = devices[0]
+
+ ordered_network = device.get_ordered_network('ssidCCMP')
+
+ self.assertEqual(ordered_network.type, NetworkType.psk)
+
+ condition = 'not obj.connected'
+ wd.wait_for_object_condition(ordered_network.network_object, condition)
+
+ ordered_network.network_object.connect()
+
+ condition = 'obj.state == DeviceState.connected'
+ wd.wait_for_object_condition(device, condition)
+
+ device.disconnect()
+
+ condition = 'not obj.connected'
+ wd.wait_for_object_condition(ordered_network.network_object, condition)
+
+ # Tests that an existing plaintext profile gets encrypted
+ def test_new_profile(self):
+ IWD.copy_to_storage('ssidCCMP.psk')
+
+ mtime = os.path.getmtime('/tmp/iwd/' + 'ssidCCMP.psk')
+ self.assertFalse(self.profile_is_encrypted('ssidCCMP.psk'))
+
+ wd = IWD(True)
+
+ # Make sure profile was accepted
+ condition = 'len(obj.list_known_networks()) == 1'
+ wd.wait_for_object_condition(wd, condition)
+
+ # Check the file was modified (should be encrypted now)
+ self.assertNotEqual(mtime, os.path.getmtime('/tmp/iwd/' + 'ssidCCMP.psk'))
+
+ self.validate(wd)
+
+ self.assertTrue(self.profile_is_encrypted('ssidCCMP.psk'))
+
+ # Tests that a new connection with agent gets written to an encrypted profile
+ def test_agent_profile(self):
+ wd = IWD(True)
+
+ psk_agent = PSKAgent("secret123")
+ wd.register_psk_agent(psk_agent)
+
+ with self.assertRaises(FileNotFoundError):
+ self.profile_is_encrypted('ssidCCMP.psk')
+
+ self.validate(wd)
+
+ self.assertTrue(self.profile_is_encrypted('ssidCCMP.psk'))
+
+ wd.unregister_psk_agent(psk_agent)
+
+ # Tests that an invalid profile gets re-written after an agent request
+ def test_invalid_profile_rewritten(self):
+ bad_config = '[Security]\nPassphrase=incorrect\n'
+ os.system('echo "%s" > /tmp/iwd/ssidCCMP.psk' % bad_config)
+
+ wd = IWD(True)
+
+ condition = 'len(obj.list_known_networks()) == 1'
+ wd.wait_for_object_condition(wd, condition)
+
+ # IWD should still encrypt the profile automatically
+ self.assertTrue(self.profile_is_encrypted('ssidCCMP.psk'))
+
+ # This should fail
+ with self.assertRaises(iwd.FailedEx):
+ self.validate(wd)
+
+ psk_agent = PSKAgent("secret123")
+ wd.register_psk_agent(psk_agent)
+
+ self.validate(wd)
+
+ self.assertTrue(self.profile_is_encrypted('ssidCCMP.psk'))
+
+ # Tests that a profile that doesn't decrypt wont become a known network
+ def test_decryption_failure(self):
+ bad_config = \
+'''
+[Security]
+EncryptedSalt=000102030405060708090a0b0c0d0e0f
+EncryptedSecurity=aabbccddeeff00112233445566778899
+'''
+ os.system('echo "%s" > /tmp/iwd/ssidCCMP.psk' % bad_config)
+
+ wd = IWD(True)
+
+ self.assertEqual(wd.list_known_networks(), [])
+
+ def test_runtime_profile(self):
+ wd = IWD(True)
+
+ self.assertEqual(wd.list_known_networks(), [])
+
+ # Add profile after IWD starts
+ IWD.copy_to_storage('ssidCCMP.psk')
+
+ self.validate(wd)
+
+ # Should now be encrypted
+ self.assertTrue(self.profile_is_encrypted('ssidCCMP.psk'))
+
+ with open('/tmp/iwd/ssidCCMP.psk') as f:
+ profile = f.read()
+
+ # Edit the profile, corrupting it
+ profile.replace('EncryptedSecurity=', 'EncryptedSecurity=00')
+
+ devices = wd.list_devices(1)
+ device = devices[0]
+ condition = 'obj.state == DeviceState.disconnected'
+ wd.wait_for_object_condition(device, condition)
+
+ def tearDown(self):
+ IWD.clear_storage()
+
+ @classmethod
+ def setUpClass(cls):
+ os.environ['CREDENTIALS_DIRECTORY'] = '/tmp'
+
+ @classmethod
+ def tearDownClass(cls):
+ IWD.clear_storage()
+
+if __name__ == '__main__':
+ unittest.main(exit=True)
diff --git a/autotests/testEncryptedProfiles/hw.conf b/autotests/testEncryptedProfiles/hw.conf
new file mode 100644
index 00000000..de81e1e2
--- /dev/null
+++ b/autotests/testEncryptedProfiles/hw.conf
@@ -0,0 +1,6 @@
+[SETUP]
+num_radios=2
+start_iwd=0
+
+[HOSTAPD]
+rad0=ssidCCMP.conf
diff --git a/autotests/testEncryptedProfiles/iwd-secret b/autotests/testEncryptedProfiles/iwd-secret
new file mode 100644
index 00000000..c2afca48
--- /dev/null
+++ b/autotests/testEncryptedProfiles/iwd-secret
@@ -0,0 +1 @@
+secret123
diff --git a/autotests/testEncryptedProfiles/main.conf b/autotests/testEncryptedProfiles/main.conf
new file mode 100644
index 00000000..35d40c5e
--- /dev/null
+++ b/autotests/testEncryptedProfiles/main.conf
@@ -0,0 +1,2 @@
+[General]
+SystemdEncrypt=iwd-secret
diff --git a/autotests/testEncryptedProfiles/ssidCCMP.conf b/autotests/testEncryptedProfiles/ssidCCMP.conf
new file mode 100644
index 00000000..c79f5e55
--- /dev/null
+++ b/autotests/testEncryptedProfiles/ssidCCMP.conf
@@ -0,0 +1,10 @@
+hw_mode=g
+channel=1
+ssid=ssidCCMP
+
+wpa=2
+wpa_pairwise=CCMP
+wpa_passphrase=secret123
+
+ieee80211w=2
+wpa_key_mgmt=WPA-PSK-SHA256
diff --git a/autotests/testEncryptedProfiles/ssidCCMP.psk b/autotests/testEncryptedProfiles/ssidCCMP.psk
new file mode 100644
index 00000000..abafdb66
--- /dev/null
+++ b/autotests/testEncryptedProfiles/ssidCCMP.psk
@@ -0,0 +1,2 @@
+[Security]
+Passphrase=secret123
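Review bot: The corruption step in test_runtime_profile (connection_test.py) is a no-op: `profile.replace('EncryptedSecurity=', 'EncryptedSecurity=00')` discards its result and nothing is written back to /tmp/iwd/ssidCCMP.psk. The final wait for `DeviceState.disconnected` is presumably already satisfied by the `device.disconnect()` in validate(), so the test passes without ever checking how iwd handles a tampered encrypted profile. Assign the result, write it back, and assert on an observable outcome; presumably the profile should stop being a known network, as test_decryption_failure expects for an undecryptable file, but confirm that against iwd's behaviour. Separately, profile_is_encrypted() only checks that 'Passphrase' is absent, so an empty file or a plaintext profile without that key would pass; also requiring `'EncryptedSecurity' in contents` would make it a positive check.

```python
        # … unchanged: read the encrypted profile into `profile` …

        # Edit the profile, corrupting it
        profile = profile.replace('EncryptedSecurity=', 'EncryptedSecurity=00')
        with open('/tmp/iwd/ssidCCMP.psk', 'w') as f:
            f.write(profile)

        # Presumed outcome (confirm): the tampered profile is no longer known
        condition = 'len(obj.list_known_networks()) == 0'
        wd.wait_for_object_condition(wd, condition)
```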