Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

macOS keychain sanity test #5885

Merged
merged 5 commits into from
Oct 17, 2019
Merged

macOS keychain sanity test #5885

merged 5 commits into from
Oct 17, 2019

Conversation

willnewton
Copy link
Contributor

This adds a sanity test for the macOS keychain table. Running this test exposed an issue which was causing a number of blank rows to be returned at the end of the table. An additional patch avoids this issue by adding some more error checking to the keychain APIs used and allows the test to pass.

This PR is intended to close issue #5021

@willnewton
Make macOS keychain handling more robust
f6c2bb7 
When requesting kSecClassIdentity items from the keychain sometimes
invalid items are returned. These cause errSecInvalidItemRef to
be returned from SecKeychainItemCopyAttributesAndData and result
in an empty row in the table. Catch the error and avoid returning
empty rows.
@willnewton
tests: Add sanity test for keychain items
1a1f75a 
Add a simple sanity test for macOS keychain items.

Closes: osquery#5021
@willnewton willnewton force-pushed the macos-keychain-tests branch from e105018 to 1a1f75a Compare October 14, 2019 20:16
directionless
directionless requested changes Oct 15, 2019
View reviewed changes
Copy link
Member

@directionless directionless left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

General diff looks fine. Small request for an assert. (See the other test code for an example)

sharvilshah
sharvilshah reviewed Oct 15, 2019
View reviewed changes
osquery/tables/system/darwin/keychain_items.cpp
// This attr does not exist, skip it.
continue;
} else if (status != errSecSuccess) {
// If this keychain item is not valid then don't add it to results.
Copy link
Member

@sharvilshah sharvilshah Oct 15, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we will have to free attr_list here with SecKeychainItemFreeAttributesAndData(...) before returning.
Something along the lines of:

if (attr_list != null) {
  SecKeychainItemFreeAttributesAndData(attr_list, nullptr);
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can tell we only get a non-NULL attr_list when the call succeeded (status == errSecSuccess) so I don't think we have anything to deallocate in the error case.

@willnewton
keychain_items.cpp: Rename variable
a616f84 
Rename variable from status to os_status following review.
@willnewton
tests: Add assert to keychain items sanity test
5f9c67e 
Add an assert for number of rows to the macOS keychain items test
following review.
theopolis
theopolis previously approved these changes Oct 16, 2019
View reviewed changes
muffins
muffins previously approved these changes Oct 16, 2019
View reviewed changes
Copy link
Contributor

@muffins muffins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM. @sharvilshah are you ok with the response? @willnewton any chance you're participating in Hacktoberfest? Happy to tag if that's the case, thanks!

@sharvilshah
Copy link
Member

This LGTM. @sharvilshah are you ok with the response? @willnewton any chance you're participating in Hacktoberfest? Happy to tag if that's the case, thanks!

Yes, this looks good. I had a cursory look and these APIs are a bit different than iOKit one. Thanks @willnewton

@muffins
Copy link
Contributor

muffins commented Oct 16, 2019

@directionless looks like this is just on your review, mind taking another quick glance and then stamping if you're all set?

directionless
directionless previously requested changes Oct 16, 2019
View reviewed changes
Copy link
Member

@directionless directionless left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry to bounce this back -- I think you need to ensure you have a result to test. At least, that's the pattern we seem to use elsewhere in the tests.

@willnewton
Copy link
Contributor Author

This LGTM. @sharvilshah are you ok with the response? @willnewton any chance you're participating in Hacktoberfest? Happy to tag if that's the case, thanks!

Yes, if you could tag for Hacktoberfest that would be great.

@willnewton
tests: Fix macOS keychain test assert
19d3537 
The assert should be checking for greater than zero rows, not greater
than or equal to zero.
@willnewton willnewton dismissed stale reviews from muffins and theopolis via 19d3537 October 17, 2019 08:22
@theopolis theopolis merged commit 599e9d6 into osquery:master Oct 17, 2019
@directionless
Copy link
Member

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sharvilshah sharvilshah sharvilshah left review comments

@theopolis theopolis theopolis approved these changes

@directionless directionless directionless left review comments

@muffins muffins muffins left review comments

Assignees
No one assigned
Labels
Hacktoberfest macOS test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@willnewton @sharvilshah @muffins @directionless @theopolis