Lines
100 %
Functions
Branches
use oo7::dbus;
use super::*;
use crate::tests::{TestServiceSetup, gnome_prompter_test, plasma_prompter_test};
#[tokio::test]
async fn open_session_plain() -> Result<(), Box<dyn std::error::Error>> {
let setup = TestServiceSetup::plain_session(true).await?;
assert!(
setup.aes_key.is_none(),
"Plain session should not have AES key"
);
// Should have 2 collections: default + session
assert_eq!(
setup.collections.len(),
2,
"Expected default and session collections"
Ok(())
}
async fn open_session_encrypted() -> Result<(), Box<dyn std::error::Error>> {
let setup = TestServiceSetup::encrypted_session(false).await?;
setup.server_public_key.is_some(),
"Encrypted session should have server public key"
let key = setup.aes_key.unwrap().clone();
assert_eq!((*key).as_ref().len(), 16, "AES key should be 16 bytes");
async fn session_collection_only() -> Result<(), Box<dyn std::error::Error>> {
let setup = TestServiceSetup::plain_session(false).await?;
// Should have only session collection (no default)
1,
"Should have exactly one collection"
async fn search_items() -> Result<(), Box<dyn std::error::Error>> {
// Search for items (should return empty initially)
let (unlocked, locked) = setup
.service_api
.search_items(&[("application", "test-app")])
.await?;
unlocked.is_empty(),
"Should have no unlocked items initially"
assert!(locked.is_empty(), "Should have no locked items initially");
// Search with empty attributes - edge case
let attributes: HashMap<&str, &str> = HashMap::default();
let (unlocked, locked) = setup.service_api.search_items(&attributes).await?;
locked.is_empty(),
"Should have no locked items with empty search"
"Should have no unlocked items with empty search"
// Test with both locked and unlocked items
// Create items in default collection (unlocked)
let secret1 = Secret::text("password1");
let dbus_secret1 = dbus::api::DBusSecret::new(Arc::clone(&setup.session), secret1);
setup.collections[0]
.create_item(
"Unlocked Item",
&[("app", "testapp")],
&dbus_secret1,
false,
None,
)
// Create item in default collection and lock it
let secret2 = Secret::text("password2");
let dbus_secret2 = dbus::api::DBusSecret::new(Arc::clone(&setup.session), secret2);
let locked_item = setup.collections[0]
"Locked Item",
&dbus_secret2,
// Lock just this item (not the whole collection)
let collection = setup
.server
.collection_from_path(setup.collections[0].inner().path())
.await
.expect("Collection should exist");
let keyring = collection.keyring.read().await;
let unlocked_keyring = keyring.as_ref().unwrap().as_unlocked();
let locked_item = collection
.item_from_path(locked_item.inner().path())
.unwrap();
locked_item.set_locked(true, unlocked_keyring).await?;
// Search for items with the shared attribute
.search_items(&[("app", "testapp")])
assert_eq!(unlocked.len(), 1, "Should find 1 unlocked item");
assert_eq!(locked.len(), 1, "Should find 1 locked item");
async fn get_secrets() -> Result<(), Box<dyn std::error::Error>> {
// Test with empty items list - edge case
let secrets = setup.service_api.secrets(&vec![], &setup.session).await?;
secrets.is_empty(),
"Should return empty secrets for empty items list"
// Create two items with different secrets
let dbus_secret1 = dbus::api::DBusSecret::new(Arc::clone(&setup.session), secret1.clone());
let item1 = setup.collections[0]
.create_item("Item 1", &[("app", "test1")], &dbus_secret1, false, None)
let dbus_secret2 = dbus::api::DBusSecret::new(Arc::clone(&setup.session), secret2.clone());
let item2 = setup.collections[0]
.create_item("Item 2", &[("app", "test2")], &dbus_secret2, false, None)
// Get secrets for both items
let item_paths = vec![item1.clone(), item2.clone()];
let secrets = setup
.secrets(&item_paths, &setup.session)
// Should have both secrets
assert_eq!(secrets.len(), 2, "Should retrieve both secrets");
// Verify first secret
let retrieved_secret1 = secrets.get(&item1).unwrap();
assert_eq!(retrieved_secret1.value(), secret1.as_bytes());
// Verify second secret
let retrieved_secret2 = secrets.get(&item2).unwrap();
assert_eq!(retrieved_secret2.value(), secret2.as_bytes());
async fn get_secrets_multiple_collections() -> Result<(), Box<dyn std::error::Error>> {
// Should have 2 collections: default (Login) and session
assert_eq!(setup.collections.len(), 2);
// Create item in default collection (index 0)
let secret1 = Secret::text("default-password");
"Default Item",
&[("app", "default-app")],
// Create item in session collection (index 1)
let secret2 = Secret::text("session-password");
let item2 = setup.collections[1]
"Session Item",
&[("app", "session-app")],
// Get secrets for both items from different collections
secrets.len(),
"Should retrieve secrets from both collections"
// Verify default collection secret
// Verify session collection secret
async fn read_alias() -> Result<(), Box<dyn std::error::Error>> {
// Default collection should have "default" alias
let default_collection = setup.service_api.read_alias("default").await?;
default_collection.is_some(),
"Default alias should return a collection"
// Verify it's the Login collection by checking its label
let label = default_collection.as_ref().unwrap().label().await?;
label, "Login",
"Default alias should point to Login collection"
// Non-existent alias should return None
let nonexistent = setup.service_api.read_alias("nonexistent").await?;
nonexistent.is_none(),
"Non-existent alias should return None"
async fn set_alias() -> Result<(), Box<dyn std::error::Error>> {
// Set alias for session collection
setup
.set_alias("my-alias", &setup.collections[1])
// Read the alias back
let alias_collection = setup.service_api.read_alias("my-alias").await?;
alias_collection.is_some(),
"Alias should return a collection"
alias_collection.unwrap().inner().path(),
setup.collections[1].inner().path(),
"Alias should point to session collection"
async fn search_items_with_results() -> Result<(), Box<dyn std::error::Error>> {
// Create items in default collection
"Firefox Login",
&[("application", "firefox"), ("type", "login")],
"Chrome Login",
&[("application", "chrome"), ("type", "login")],
// Create item in session collection
let secret3 = Secret::text("password3");
let dbus_secret3 = dbus::api::DBusSecret::new(Arc::clone(&setup.session), secret3);
setup.collections[1]
&[("application", "firefox"), ("type", "session")],
&dbus_secret3,
// Search for all firefox items
.search_items(&[("application", "firefox")])
assert_eq!(unlocked.len(), 2, "Should find 2 firefox items");
assert!(locked.is_empty(), "Should have no locked items");
// Search for login type items
let (unlocked, locked) = setup.service_api.search_items(&[("type", "login")]).await?;
assert_eq!(unlocked.len(), 2, "Should find 2 login items");
// Search for chrome items
.search_items(&[("application", "chrome")])
assert_eq!(unlocked.len(), 1, "Should find 1 chrome item");
// Search for non-existent
.search_items(&[("application", "nonexistent")])
assert!(unlocked.is_empty(), "Should find no items");
async fn get_secrets_invalid_session() -> Result<(), Box<dyn std::error::Error>> {
// Create an item
let secret = Secret::text("test-password");
let dbus_secret = dbus::api::DBusSecret::new(Arc::clone(&setup.session), secret);
let item = setup.collections[0]
.create_item("Test Item", &[("app", "test")], &dbus_secret, false, None)
// Try to get secrets with invalid session path
let invalid_session =
dbus::api::Session::new(&setup.client_conn, "/invalid/session/path").await?;
let result = setup.service_api.secrets(&[item], &invalid_session).await;
matches!(
result,
Err(oo7::dbus::Error::Service(
oo7::dbus::ServiceError::NoSession(_)
))
),
"Should be NoSession error"
async fn set_alias_invalid_collection() -> Result<(), Box<dyn std::error::Error>> {
// Try to set alias for non-existent collection
let invalid_collection = dbus::api::Collection::new(
&setup.client_conn,
"/org/freedesktop/secrets/collection/nonexistent",
let result = setup
.set_alias("test-alias", &invalid_collection)
.await;
oo7::dbus::ServiceError::NoSuchObject(_)
"Should be NoSuchObject error"
async fn get_secrets_with_non_existent_items() -> Result<(), Box<dyn std::error::Error>> {
// Create one real item
let secret = Secret::text("password1");
let dbus_secret = dbus::api::DBusSecret::new(Arc::clone(&setup.session), secret.clone());
.create_item("Item 1", &[("app", "test")], &dbus_secret, false, None)
// Create a fake item path that doesn't exist
let fake_item = dbus::api::Item::new(
"/org/freedesktop/secrets/collection/Login/999",
// Request secrets for both real and fake items
let item_paths = vec![item1.clone(), fake_item];
// Should only get the secret for the real item
"Should only retrieve secret for existing item"
assert!(secrets.contains_key(&item1), "Should have item1 secret");
async fn search_items_across_collections() -> Result<(), Box<dyn std::error::Error>> {
let collections = setup.service_api.collections().await?;
assert_eq!(collections.len(), 2, "Should have 2 collections");
// Create item in first collection
collections[0]
&[("shared", "attr")],
// Create item in second collection with same attributes
collections[1]
// Search should find items from both collections
.search_items(&[("shared", "attr")])
assert_eq!(unlocked.len(), 2, "Should find items from both collections");
async fn unlock_edge_cases() -> Result<(), Box<dyn std::error::Error>> {
// Test 1: Empty object list
let items: Vec<ObjectPath<'_>> = vec![];
let unlocked = setup.service_api.unlock(&items, None).await?;
assert!(unlocked.is_empty(), "Should return empty for empty input");
// Test 2: Non-existent objects
let fake_collection = dbus::api::Collection::new(
"/org/freedesktop/secrets/collection/NonExistent",
let unlocked = setup
.unlock(
&[fake_collection.inner().path(), fake_item.inner().path()],
"Should have no unlocked objects for non-existent paths"
// Test 3: Already unlocked objects
// Verify item is unlocked
assert!(!item.is_locked().await?, "Item should be unlocked");
// Try to unlock already unlocked item
.unlock(&[item.inner().path()], None)
assert_eq!(unlocked.len(), 1, "Should return the already-unlocked item");
unlocked[0].as_str(),
item.inner().path().as_str(),
"Should return the same item path"
// Also test with collection (starts unlocked by default)
!setup.collections[0].is_locked().await?,
"Collection should be unlocked"
.unlock(&[setup.collections[0].inner().path()], None)
unlocked.len(),
"Should return the already-unlocked collection"
async fn lock_non_existent_objects() -> Result<(), Box<dyn std::error::Error>> {
let setup = TestServiceSetup::encrypted_session(true).await?;
// Test with empty object list
let locked = setup.service_api.lock(&items, None).await?;
assert!(locked.is_empty(), "Should return empty for empty input");
// Test locking non-existent objects
let locked = setup
.lock(
"Should have no locked objects for non-existent paths"
gnome_prompter_test!(unlock_collection_prompt_gnome, unlock_collection_prompt);
plasma_prompter_test!(unlock_collection_prompt_plasma, unlock_collection_prompt);
async fn unlock_collection_prompt() -> Result<(), Box<dyn std::error::Error>> {
// Lock the collection using server-side API
collection
.set_locked(true, setup.keyring_secret.clone())
setup.collections[0].is_locked().await?,
"Collection should be locked"
// Test 1: Unlock with accept
assert_eq!(unlocked.len(), 1, "Should have unlocked 1 collection");
setup.collections[0].inner().path().as_str(),
"Should return the collection path"
"Collection should be unlocked after accepting prompt"
// Lock the collection again for dismiss test
"Collection should be locked again"
// Test 2: Unlock with dismiss
setup.set_password_accept(false).await;
matches!(result, Err(oo7::dbus::Error::Dismissed)),
"Should return Dismissed error when prompt dismissed"
"Collection should still be locked after dismissing prompt"
gnome_prompter_test!(unlock_item_prompt_gnome, unlock_item_prompt);
plasma_prompter_test!(unlock_item_prompt_plasma, unlock_item_prompt);
async fn unlock_item_prompt() -> Result<(), Box<dyn std::error::Error>> {
let default_collection = setup.service_api.read_alias("default").await?.unwrap();
let item = default_collection
// Lock the collection (which locks the item)
.collection_from_path(default_collection.inner().path())
item.is_locked().await?,
"Item should be locked when collection is locked"
assert_eq!(unlocked.len(), 1, "Should have unlocked 1 item");
"Should return the item path"
!item.is_locked().await?,
"Item should be unlocked after accepting prompt"
// Lock the item again for dismiss test
assert!(item.is_locked().await?, "Item should be locked again");
let result = setup.service_api.unlock(&[item.inner().path()], None).await;
"Item should still be locked after dismissing prompt"
async fn lock_item_in_unlocked_collection() -> Result<(), Box<dyn std::error::Error>> {
// Create an item (starts unlocked)
assert!(!item.is_locked().await?, "Item should start unlocked");
// When collection is unlocked, locking an item should happen directly without a
// prompt
let locked = setup.service_api.lock(&[item.inner().path()], None).await?;
assert_eq!(locked.len(), 1, "Should have locked 1 item");
locked[0].as_str(),
assert!(item.is_locked().await?, "Item should be locked directly");
// Unlock the item again (using service API to unlock just the item)
assert!(!item.is_locked().await?, "Item should be unlocked again");
// Locking again should work the same way (no prompt)
assert_eq!(locked.len(), 1, "Should have locked 1 item again");
async fn lock_collection_no_prompt() -> Result<(), Box<dyn std::error::Error>> {
// Collection starts unlocked
"Collection should start unlocked"
// Lock the collection
.lock(&[setup.collections[0].inner().path()], None)
assert_eq!(locked.len(), 1, "Should have locked 1 collection");
"Collection should be locked instantly"
// Unlock the collection
.set_locked(false, setup.keyring_secret.clone())
// Lock again to verify it works multiple times
assert_eq!(locked.len(), 1, "Should have locked 1 collection again");
gnome_prompter_test!(
create_collection_basic_gnome,
create_collection_basic,
serial_test::serial(xdg_env)
plasma_prompter_test!(
create_collection_basic_plasma,
async fn create_collection_basic() -> Result<(), Box<dyn std::error::Error>> {
// Get initial collection count
let initial_collections = setup.service_api.collections().await?;
let initial_count = initial_collections.len();
// Create a new collection
.create_collection("MyNewKeyring", Some("my-custom-alias"), None)
// Verify collection appears in collections list
collections.len(),
initial_count + 1,
"Should have one more collection"
// Verify the collection label
let label = collection.label().await?;
label, "MyNewKeyring",
"Collection should have correct label"
// Verify the keyring file exists on disk
let server_collection = setup
.collection_from_path(collection.inner().path())
.expect("Collection should exist on server");
let keyring_guard = server_collection.keyring.read().await;
let keyring_path = keyring_guard.as_ref().unwrap().path().unwrap();
keyring_path.exists(),
"Keyring file should exist on disk at {:?}",
keyring_path
// Verify the alias was set
let alias_collection = setup.service_api.read_alias("my-custom-alias").await?;
"Should be able to read collection by alias"
collection.inner().path(),
"Alias should point to the new collection"
tokio::fs::remove_file(keyring_path).await?;
create_collection_signal_gnome,
create_collection_signal,
create_collection_signal_plasma,
async fn create_collection_signal() -> Result<(), Box<dyn std::error::Error>> {
// Subscribe to CollectionCreated signal
let signal_stream = setup.service_api.receive_collection_created().await?;
tokio::pin!(signal_stream);
.create_collection("TestKeyring", None, None)
// Wait for signal with timeout
let signal_result =
tokio::time::timeout(tokio::time::Duration::from_secs(1), signal_stream.next()).await;
signal_result.is_ok(),
"Should receive CollectionCreated signal"
let signal = signal_result.unwrap();
assert!(signal.is_some(), "Signal should not be None");
let signal_collection = signal.unwrap();
signal_collection.inner().path().as_str(),
collection.inner().path().as_str(),
"Signal should contain the created collection path"
create_collection_and_add_items_gnome,
create_collection_and_add_items,
create_collection_and_add_items_plasma,
async fn create_collection_and_add_items() -> Result<(), Box<dyn std::error::Error>> {
.create_collection("ItemTestKeyring", None, None)
// Verify collection is unlocked and ready for items
!collection.is_locked().await?,
"New collection should be unlocked"
// Create an item in the new collection
let secret = oo7::Secret::text("hello-world-test");
let item = collection
"Test Item",
&[("app", "test-app")],
&dbus_secret,
// Verify item was created
let items = collection.items().await?;
assert_eq!(items.len(), 1, "Should have one item in new collection");
items[0].inner().path(),
item.inner().path(),
"Item path should match"
// Verify we can retrieve the secret
let retrieved_secret = item.secret(&setup.session).await?;
retrieved_secret.value(),
secret.as_bytes(),
"Should be able to retrieve secret from item in new collection"
tokio::fs::remove_file(&keyring_path).await?;
create_collection_dismissed_gnome,
create_collection_dismissed,
create_collection_dismissed_plasma,
async fn create_collection_dismissed() -> Result<(), Box<dyn std::error::Error>> {
// Set mock prompter to dismiss
// Try to create a collection
.create_collection("DismissedKeyring", None, None)
// Should get Dismissed error
// Verify collection was NOT created
initial_count,
"Should not have created a new collection after dismissal"
async fn complete_collection_creation_no_pending() -> Result<(), Box<dyn std::error::Error>> {
// Try to complete collection creation with a prompt path that has no pending
// collection
let fake_prompt_path = ObjectPath::try_from("/org/freedesktop/secrets/prompt/p999").unwrap();
let secret = Secret::from("test-password-long-enough");
.complete_collection_creation(&fake_prompt_path, secret)
// Should get NoSuchObject error
matches!(result, Err(ServiceError::NoSuchObject(_))),
"Should return NoSuchObject error when no pending collection exists"
#[serial_test::serial(xdg_env)]
async fn discover_v1_keyrings() -> Result<(), Box<dyn std::error::Error>> {
let service = Service::default();
// Set up a temporary data directory
let temp_dir = tempfile::tempdir()?;
unsafe { std::env::set_var("XDG_DATA_HOME", temp_dir.path()) };
// Create v1 keyrings directory
let v1_dir = temp_dir.path().join("keyrings/v1");
tokio::fs::create_dir_all(&v1_dir).await?;
// Test 1: Empty directory
let discovered = service.discover_keyrings(None).await?;
discovered.is_empty(),
"Should discover no keyrings in empty directory"
// Create multiple keyrings with different passwords
// Add items to each so password validation works
let secret1 = Secret::from("password-for-work");
let keyring1 = UnlockedKeyring::open("work", secret1.clone()).await?;
keyring1
"Work Item",
&[("type", "work")],
Secret::text("work-secret"),
keyring1.write().await?;
let secret2 = Secret::from("password-for-personal");
let keyring2 = UnlockedKeyring::open("personal", secret2.clone()).await?;
keyring2
"Personal Item",
&[("type", "personal")],
Secret::text("personal-secret"),
keyring2.write().await?;
// Create a "login" keyring which should get the default alias
let secret3 = Secret::from("password-for-login");
let keyring3 = UnlockedKeyring::open("login", secret3.clone()).await?;
keyring3
"Login Item",
&[("type", "login")],
Secret::text("login-secret"),
keyring3.write().await?;
// Create some non-keyring files that should be skipped
tokio::fs::write(v1_dir.join("README.txt"), b"This is a readme").await?;
tokio::fs::write(v1_dir.join("config.json"), b"{}").await?;
tokio::fs::create_dir(v1_dir.join("subdir")).await?;
// Test 2: Discover without any password, all should be locked
assert_eq!(discovered.len(), 3, "Should discover 3 keyrings");
for (_, _, keyring) in &discovered {
keyring.is_locked(),
"All keyrings should be locked without secret"
// Test 3: Discover with one password, only that keyring should be unlocked
let discovered = service.discover_keyrings(Some(secret1.clone())).await?;
let work_keyring = discovered
.iter()
.find(|(label, _, _)| label == "Work")
!work_keyring.2.is_locked(),
"Work keyring should be unlocked with correct password"
let personal_keyring = discovered
.find(|(label, _, _)| label == "Personal")
personal_keyring.2.is_locked(),
"Personal keyring should be locked with wrong password"
// Test 4: Verify login keyring gets default alias
let login_keyring = discovered
.find(|(label, _, _)| label == "Login")
login_keyring.1,
oo7::dbus::Service::DEFAULT_COLLECTION,
"Login keyring should have default alias"
login_keyring.2.is_locked(),
"Login keyring should be locked with wrong password"
// Test 5: Verify labels are properly capitalized
let labels: Vec<_> = discovered
.map(|(label, _, _)| label.as_str())
.collect();
assert!(labels.contains(&"Work"), "Should have Work with capital W");
labels.contains(&"Personal"),
"Should have Personal with capital P"
labels.contains(&"Login"),
"Should have Login with capital L"
// Clean up
unsafe { std::env::remove_var("XDG_DATA_HOME") };
async fn discover_v0_keyrings() -> Result<(), Box<dyn std::error::Error>> {
let keyrings_dir = temp_dir.path().join("keyrings");
let v1_dir = keyrings_dir.join("v1");
tokio::fs::create_dir_all(&keyrings_dir).await?;
// Copy the existing v0 keyring fixture
let v0_secret = Secret::from("test");
let fixture_path = std::path::PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.parent()
.unwrap()
.join("client/fixtures/legacy.keyring");
let v0_path = keyrings_dir.join("legacy.keyring");
tokio::fs::copy(&fixture_path, &v0_path).await?;
// Create a v1 keyring for mixed scenario
let v1_secret = Secret::from("v1-password");
let v1_keyring = UnlockedKeyring::open("modern", v1_secret.clone()).await?;
v1_keyring
"V1 Item",
&[("type", "v1")],
Secret::text("v1-secret"),
v1_keyring.write().await?;
// Test 1: Discover without secret, v0 marked for migration, v1 locked
assert_eq!(discovered.len(), 1, "Should discover v1 keyring only");
assert!(discovered[0].2.is_locked(), "V1 should be locked");
let pending = service.pending_migrations.lock().await;
assert_eq!(pending.len(), 1, "V0 should be pending migration");
assert!(pending.contains_key("legacy"));
drop(pending);
// Test 2: Discover with v0 secret, v0 migrated, v1 locked
service.pending_migrations.lock().await.clear();
let discovered = service.discover_keyrings(Some(v0_secret.clone())).await?;
assert_eq!(discovered.len(), 2, "Should discover both keyrings");
let legacy = discovered.iter().find(|(l, _, _)| l == "Legacy").unwrap();
assert!(!legacy.2.is_locked(), "V0 should be migrated and unlocked");
service.pending_migrations.lock().await.len(),
0,
"No pending after successful migration"
// Verify v1 file was created
let v1_migrated = temp_dir.path().join("keyrings/v1/legacy.keyring");
assert!(v1_migrated.exists(), "V1 file should exist after migration");
// Test 3: Discover with wrong v0 secret, marked for pending migration
tokio::fs::remove_file(&v1_migrated).await?;
// Restore the v0 file for this test
let wrong_secret = Secret::from("wrong-password");
let discovered = service.discover_keyrings(Some(wrong_secret)).await?;
discovered.len(),
"Only v1 should be discovered with wrong v0 password"
"V0 should be pending with wrong password"