
Accessing UserSession keyring

Open Nemo157 opened this issue 4 years ago • 2 comments

I may be confused about what Keyring::attach is for, but it seems like using it to access the UserSession keyring fails

let mut session_keyring = Keyring::attach(SpecialKeyring::UserSession)?;
let mut key = session_keyring.add_key::<User, _, _>(AUTH_TOKEN_KEY, auth_token.expose_secret().as_bytes())?;

gives back Permission denied at the add_key call, but if I access directly through the special keyring id it works fine

let mut session_keyring = unsafe { Keyring::new(SpecialKeyring::UserSession.serial()) };
let mut key = session_keyring.add_key::<User, _, _>(AUTH_TOKEN_KEY, auth_token.expose_secret().as_bytes())?;

(the same happens with session_keyring.search_for_key)

Nemo157 avatar Dec 31 '20 12:12 Nemo157

I don't use the "attach" APIs much myself either. They are used in the top-level tests/ directory tests because there is some weird per-process logic going on there that can't be done with in-crate tests. keyctl_get_keyring_ID(3) is the backing call for this; its manpage is what I would research if you're interested in digging in more yourself.

mathstuf avatar Dec 31 '20 20:12 mathstuf

One quite large API change I just thought of would be dropping the SpecialKeyring enum and making those just instances of Keyring:

impl Keyring {
    pub const USER_SESSION: Self = Self::new(KEY_SPEC_USER_SESSION_KEYRING);
}

The only API I see that relies on SpecialKeyring specifically is Keyring::{attach, attach_or_create}, but this could be changed like

impl Keyring {
  /// Map this keyring to the actual keyring representing it currently if it is a special
  /// keyring, failing if it does not already exist. No-op for valid non-special keyrings.
  pub fn attach(self) -> Result<Self>;

  /// Map this keyring to the actual keyring representing it currently if it is a special
  /// keyring, creating it if it does not exist. No-op for valid non-special keyrings.
  pub fn attach_or_create(self) -> Result<Self>;
}

as the keyctl_get_keyring_ID manpage says:

If a valid keyring ID is passed in, then this will simply be returned if the key exists; an error will be issued if it doesn't exist.

And overall this would make the API simpler to use, my example above would become

let mut key = Keyring::USER_SESSION.add_key::<User, _, _>(AUTH_TOKEN_KEY, auth_token.expose_secret().as_bytes())?;

TargetKeyring could be dropped, and #58 wouldn't be necessary.

Nemo157 avatar Jan 01 '21 11:01 Nemo157
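An added sketch (not rust-keyutils code) of the API shape proposed in the comment above: special keyrings become associated constants on Keyring, and attach/attach_or_create follow the keyctl_get_keyring_ID(3) semantics quoted there. The kernel call is replaced by a constructed in-memory FakeKernel and errors are reduced to a single NoKey value; both are assumptions of the sketch.

```rust
use std::collections::{HashMap, HashSet};
/// Kernel key serial (key_serial_t); the KEY_SPEC_* special IDs are negative.
pub type KeySerial = i32;
pub const KEY_SPEC_USER_KEYRING: KeySerial = -4;
pub const KEY_SPEC_USER_SESSION_KEYRING: KeySerial = -5;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Keyring { serial: KeySerial }

/// ENOKEY: the keyring does not exist and creation was not requested.
#[derive(Debug, PartialEq, Eq)]
pub struct NoKey;

impl Keyring {
    /// In rust-keyutils `new` is `unsafe`; it is plain here so it can be `const`.
    pub const fn new(serial: KeySerial) -> Self { Keyring { serial } }
    pub const USER: Self = Self::new(KEY_SPEC_USER_KEYRING);
    pub const USER_SESSION: Self = Self::new(KEY_SPEC_USER_SESSION_KEYRING);
    pub fn serial(self) -> KeySerial { self.serial }
    /// keyctl_get_keyring_ID(serial, create=0): a special ID resolves to the
    /// keyring currently backing it; a real ID passes through if it exists.
    pub fn attach(self, k: &mut FakeKernel) -> Result<Self, NoKey> {
        k.get_keyring_id(self.serial, false).map(Self::new)
    }
    /// Same call with create=1, so a missing special keyring is created first.
    pub fn attach_or_create(self, k: &mut FakeKernel) -> Result<Self, NoKey> {
        k.get_keyring_id(self.serial, true).map(Self::new)
    }
}

/// Constructed in-memory stand-in for the kernel's keyring tables (hypothetical).
#[derive(Default)]
pub struct FakeKernel {
    special: HashMap<KeySerial, KeySerial>, // KEY_SPEC_* id -> real serial
    live: HashSet<KeySerial>,               // real serials that currently exist
    next: KeySerial,
}
impl FakeKernel {
    pub fn get_keyring_id(&mut self, id: KeySerial, create: bool) -> Result<KeySerial, NoKey> {
        if id >= 0 {
            return if self.live.contains(&id) { Ok(id) } else { Err(NoKey) };
        }
        if let Some(&real) = self.special.get(&id) { return Ok(real); }
        if !create { return Err(NoKey); }
        self.next += 1; // allocate a fresh positive serial for the new keyring
        self.special.insert(id, self.next);
        self.live.insert(self.next);
        Ok(self.next)
    }
}
```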