From a3b21998973b9f424651e0440132b695be06784f Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 16 Aug 2024 15:41:36 +0300 Subject: [PATCH 01/17] fix minor errors in documentation Signed-off-by: Mikko Ylinen --- src/key.rs | 2 +- src/keyring.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/key.rs b/src/key.rs index 1dbeb25..347701a 100644 --- a/src/key.rs +++ b/src/key.rs @@ -120,7 +120,7 @@ impl Key { /// Change the permissions of the key with the ID provided /// /// If the caller doesn't have the CAP_SYS_ADMIN capability, it can change - /// permissions only only for the keys it owns. (More precisely: the caller's + /// permissions only for the keys it owns. (More precisely: the caller's /// filesystem UID must match the UID of the key.) pub fn set_perms(&self, perm: KeyPermissions) -> Result<(), KeyError> { _ = ffi::keyctl!( diff --git a/src/keyring.rs b/src/keyring.rs index c7951be..8ecd4f5 100644 --- a/src/keyring.rs +++ b/src/keyring.rs @@ -11,7 +11,7 @@ pub struct KeyRing { } impl KeyRing { - /// Initialize a new [Key] object from the provided ID + /// Initialize a new [KeyRing] object from the provided ID pub(crate) fn from_id(id: KeySerialId) -> Self { Self { id } } From 43bde396832a7137eae7887237445139b2b6975d Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Tue, 20 Aug 2024 15:05:25 +0300 Subject: [PATCH 02/17] chore(deps): bump dependencies to their latest versions Signed-off-by: Mikko Ylinen --- Cargo.toml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 6b58bb7..39f9bb2 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -22,9 +22,9 @@ name = "keyctl" required-features = ["std"] [dependencies] -libc = {version = "0.2.132", default-features = false} -bitflags = {version = "2.4", default-features = false} +libc = {version = "0.2.158", default-features = false} +bitflags = {version = "2.6", default-features = false} [dev-dependencies] -zeroize = "1.5.7" -clap = {version = "4.4.11", default-features = false, features = ["std", "derive"]} +zeroize = "1.8.1" +clap = {version = "4.5.16", default-features = false, features = ["std", "derive"]} From d42c4ba016d9452d32da1f2f53148342ef64d230 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 16 Aug 2024 15:40:28 +0300 Subject: [PATCH 03/17] keyring: add request_key the rustdoc content is based on 'man request_key'. Signed-off-by: Mikko Ylinen --- src/ffi/functions.rs | 59 ++++++++++++++++++++++++++++++++++++++++++++ src/ffi/mod.rs | 2 +- src/keyring.rs | 45 +++++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+), 1 deletion(-) diff --git a/src/ffi/functions.rs b/src/ffi/functions.rs index 91801d9..ae041ea 100644 --- a/src/ffi/functions.rs +++ b/src/ffi/functions.rs 
@@ -56,6 +56,65 @@ pub(crate) fn add_key( )) } +/// request_key() attempts to find a key of the given type with a description that +/// matches the specified description. If such a key could not be found, then +/// the key is optionally created. +/// +/// If the key is found or created, request_key() attaches it to the keyring +/// and returns the key's serial number. +/// +/// request_key() first recursively searches for a matching key in all of the keyrings +/// attached to the calling process. The keyrings are searched in the order: +/// thread-specific keyring, process-specific keyring, and then session keyring. +/// +/// If request_key() is called from a program invoked by request_key() on behalf +/// of some other process to generate a key, then the keyrings of that other process +/// will be searched next, using that other process's user ID, group ID, supplementary +/// group IDs, and security context to determine access. +/// +/// The search of the keyring tree is breadth-first: the keys in each keyring searched +/// are checked for a match before any child keyrings are recursed into. Only keys for +/// which the caller has search permission be found, and only keyrings for which the +/// caller has search permission may be searched. +/// +/// If the key is not found and callout info is empty then the call fails with the +/// error ENOKEY. +/// +/// If the key is not found and callout info is not empty, then the kernel attempts +/// to invoke a user-space program to instantiate the key. +pub(crate) fn request_key( + ktype: KeyType, + keyring: libc::c_ulong, + description: &str, + info: Option<&str>, +) -> Result { + // Perform conversion into a c string + let description = CString::new(description).or(Err(KeyError::InvalidDescription))?; + let callout = CString::new(info.unwrap_or("")).or(Err(KeyError::InvalidDescription))?; + + // Perform the actual system call. 
By setting callout to NULL the kernel will + // not invoke /sbin/request-key + let res = unsafe { + libc::syscall( + libc::SYS_request_key, + Into::<&'static CStr>::into(ktype).as_ptr(), + description.as_ptr(), + info.map_or_else(core::ptr::null, |_| callout.as_ptr()), + keyring as u32, + ) + }; + + // Return the underlying error + if res < 0 { + return Err(KeyError::from_errno()); + } + + // Otherwise return the ID + Ok(KeySerialId::new( + res.try_into().or(Err(KeyError::InvalidIdentifier))?, + )) +} + /// keyctl() allows user-space programs to perform key manipulation. /// /// The operation performed by keyctl() is determined by the value of the operation argument. diff --git a/src/ffi/mod.rs b/src/ffi/mod.rs index e80da1e..12caea7 100644 --- a/src/ffi/mod.rs +++ b/src/ffi/mod.rs @@ -21,7 +21,7 @@ macro_rules! keyctl { pub use types::*; #[allow(unused_imports)] -pub(crate) use functions::{add_key, keyctl_impl}; +pub(crate) use functions::{add_key, keyctl_impl, request_key}; // Export the macro for use pub(crate) use keyctl; diff --git a/src/keyring.rs b/src/keyring.rs index 8ecd4f5..56f7dd0 100644 --- a/src/keyring.rs +++ b/src/keyring.rs 
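Review bot: The rustdoc on `request_key` says the call fails with ENOKEY when callout info is "empty", but the code passes NULL only when `info` is `None`. `Some("")` reaches the syscall as a non-NULL pointer to an empty string, which request_key(2) treats as a request to run the instantiation upcall. Because that upcall executes /sbin/request-key on the caller's behalf, the doc should name the trigger in terms of the parameter, e.g. `/// If the key is not found and info is None, the call fails with ENOKEY.` Separately, an interior NUL in `info` is reported as `KeyError::InvalidDescription`, which points the caller at the wrong argument; a distinct error, or a comment noting the reuse, would help.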
@@ -95,6 +95,33 @@ impl KeyRing { Ok(Key::from_id(id)) } + /// Attempts to find a key of the given type with a description that + /// matches the specified description. If such a key could not be found, + /// then the key is optionally created. + /// + /// If the key is found or created, it is attached it to the keyring + /// and returns the key's serial number. + /// + /// If the key is not found and callout info is empty then the call + /// fails with the error ENOKEY. + /// + /// If the key is not found and callout info is not empty, then the + /// kernel attempts to invoke a user-space program to instantiate the + /// key. + pub fn request_key + ?Sized, C: AsRef + ?Sized>( + &self, + description: &D, + callout: Option<&C>, + ) -> Result { + let id = ffi::request_key( + KeyType::User, + self.id.as_raw_id() as libc::c_ulong, + description.as_ref(), + callout.map(|c| c.as_ref()), + )?; + Ok(Key::from_id(id)) + } + /// Search for a key in the keyring tree, starting with this keyring as the head, /// returning its ID. /// @@ -269,10 +296,28 @@ mod test { // Assert that the ID is the same assert_eq!(key.get_id(), result.get_id()); + // Request should also succeed + let result = ring.request_key("test_search", None::<&str>).unwrap(); + + // Assert that the ID is the same + assert_eq!(key.get_id(), result.get_id()); + // Invalidate the key key.invalidate().unwrap(); } + #[test] + fn test_request_non_existing_key() { + // Test that a keyring that normally doesn't exist by default is + // created when called. + let ring = KeyRing::from_special_id(KeyRingIdentifier::Session, false).unwrap(); + + let result = ring.request_key("test_request_no_exist", None::<&str>); + + assert!(result.is_err()); + assert_eq!(result.unwrap_err(), KeyError::KeyDoesNotExist); + } + #[test] fn test_search_non_existing_key() { // Test that a keyring that normally doesn't exist by default is From 9c794a9a5b08e1679fe2cc7b184229c3fbb92e87 Mon Sep 17 00:00:00 2001 
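Review bot: The doc comment on `KeyRing::request_key` promises a search for "a key of the given type", yet the method takes no type argument and hard-codes `KeyType::User` in the call to `ffi::request_key`. It also says the call "returns the key's serial number", while the body returns `Key::from_id(id)`. Suggested opening lines: `/// Attempts to find a key of type "user" whose description matches` and `/// the specified description, returning it as a [Key].` Since `callout` is forwarded unchanged, the doc should also say that only `None` suppresses the kernel upcall; an empty string does not.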
From: Mikko Ylinen Date: Fri, 16 Aug 2024 15:43:44 +0300 Subject: [PATCH 04/17] key: add instantiate() method Signed-off-by: Mikko Ylinen --- src/key.rs | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/src/key.rs b/src/key.rs index 347701a..b64acf2 100644 --- a/src/key.rs +++ b/src/key.rs @@ -226,6 +226,32 @@ impl Key { )?; Ok(()) } + + /// Instantiate a partially constructed key. + /// + /// To instantiate a key, the caller must have the appropriate + /// authorization key. This is automatically granted when the caller + /// is invoked by /sbin/request-key. + pub fn instantiate>( + &self, + payload: &T, + id: KeySerialId, + ) -> Result<(), KeyError> { + // When instanting keyrings the payload will be NULL + let buffer = payload.as_ref(); + let (payload, plen) = match buffer.len() { + 0 => (core::ptr::null(), 0), + _ => (buffer.as_ptr(), buffer.len()), + }; + _ = ffi::keyctl!( + KeyCtlOperation::Instantiate, + self.0.as_raw_id() as libc::c_ulong, + payload as _, + plen as _, + id.as_raw_id() as libc::c_ulong + )?; + Ok(()) + } } #[cfg(test)] From c0210a32cb991302658c0c9cd22348969813823b Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 16 Aug 2024 15:44:25 +0300 Subject: [PATCH 05/17] examples: keyctl: add a subcommand for instantiate Signed-off-by: Mikko Ylinen --- examples/keyctl.rs | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/examples/keyctl.rs b/examples/keyctl.rs index fbac329..5573f72 100644 --- a/examples/keyctl.rs +++ b/examples/keyctl.rs @@ -3,8 +3,8 @@ //! //! Demo code for the linux_keyutils crate. use clap::Parser; +use linux_keyutils::{Key, KeyRing, KeyRingIdentifier, KeySerialId}; use linux_keyutils::{KeyPermissionsBuilder, Permission}; -use linux_keyutils::{KeyRing, KeyRingIdentifier}; use std::error::Error; use zeroize::Zeroizing; 
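Review bot: The doc comment on `instantiate` never says what the `id` parameter is. From the call it is forwarded as the last `KeyCtlOperation::Instantiate` argument, which keyctl(2) describes as the keyring the instantiated key is linked into. I would add `/// id is the destination keyring the key is linked into once instantiated.` and fix the typo "instanting" in the inline comment. That comment also says the payload is NULL for keyrings, while the code selects NULL for any zero-length payload, so `// An empty payload is passed as NULL with length 0 (the keyring case)` describes the branch more accurately.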
@@ -51,6 +51,17 @@ enum Command { #[clap(short, long)] description: String, }, + /// Instantiate a partially constructed key + Instantiate { + #[clap(short, long)] + keyid: Option, + + #[clap(short, long)] + payload: String, + + #[clap(short, long)] + ring: Option, + }, } fn main() -> Result<(), Box> { @@ -104,6 +115,15 @@ fn main() -> Result<(), Box> { key.invalidate()?; println!("Removed key with ID {:?}", key.get_id()); } + // Instantiate a partially constructed key + Command::Instantiate { + keyid, + payload, + ring, + } => { + let key = Key::from_id(KeySerialId::new(keyid.unwrap_or(i32::MAX))); + key.instantiate(&payload, KeySerialId::new(ring.unwrap_or(i32::MAX)))?; + } }; Ok(()) From ac6f18878aa99d38d2077dfaaf0e1aa2a56e96d0 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Fri, 16 Aug 2024 15:54:45 +0300 Subject: [PATCH 06/17] keyring: add request_key callout tests Signed-off-by: Mikko Ylinen --- src/keyring.rs | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/keyring.rs b/src/keyring.rs index 56f7dd0..7a16562 100644 --- a/src/keyring.rs +++ b/src/keyring.rs 
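Review bot: In the new `Command::Instantiate` arm, a missing `--keyid` or `--ring` silently becomes serial `i32::MAX` through `unwrap_or(i32::MAX)`, so the example operates on an arbitrary key ID instead of rejecting the invocation. The matching fields in the `enum Command` hunk should be non-optional so clap enforces them, leaving `let key = Key::from_id(KeySerialId::new(keyid));` in the arm. The payload is also taken as a plain `String` from the command line, which leaves key material visible in the process argument list and unzeroized in memory, even though the file already imports `Zeroizing`. `let payload = Zeroizing::new(payload);` covers the in-memory copy. The argv exposure deserves at least a doc comment on the `payload` field.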
@@ -318,6 +318,31 @@ mod test { assert_eq!(result.unwrap_err(), KeyError::KeyDoesNotExist); } + #[test] + #[ignore] + fn test_request_non_existing_key_callout() { + let callout = "Test Data from Callout"; + + // Test that a keyring that normally doesn't exist by default is + // created when called. + let ring = KeyRing::from_special_id(KeyRingIdentifier::Session, false).unwrap(); + + // The test expects that the key is instantiated by a program invoked by + // /sbin/request-key and that the key data is taken from the callout info + // passed here. + // + // The following examples/keyctl command in /etc/request-key.conf is known to work: + // create user test_callout * /path/to/examples/keyctl instantiate --keyid %k --payload %c --ring %S + let key = ring.request_key("test_callout", Some(callout)); + + assert!(key.is_ok()); + + // Verify the payload + let payload = key.unwrap().read_to_vec().unwrap(); + assert_eq!(callout.as_bytes(), &payload); + key.unwrap().invalidate().unwrap(); + } + #[test] fn test_search_non_existing_key() { // Test that a keyring that normally doesn't exist by default is From 834acfdede4b05060d2a323d566e5414e5489ec8 Mon Sep 17 00:00:00 2001 From: landhb Date: Sun, 30 Mar 2025 10:58:57 -0700 Subject: [PATCH 07/17] Implement full request-key round trip. Add to CI/CD. --- .github/workflows/checks.yml | 5 +++ Cargo.toml | 6 +++- examples/keyctl.rs | 3 ++ examples/request-key.rs | 65 ++++++++++++++++++++++++++++++++++++ src/errors.rs | 11 ++++++ src/key.rs | 19 ++++++++++- src/keyring.rs | 10 +++--- 7 files changed, 112 insertions(+), 7 deletions(-) create mode 100644 examples/request-key.rs diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 9c86f7b..5efeb84 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml 
@@ -46,6 +46,11 @@ jobs: run: cargo build --verbose - name: Run tests run: cargo test --verbose + - name: Request/Instantiate flow + run: | + cargo build --example request-key --features std + sudo mv ./target/debug/examples/request-key /sbin/request-key + cargo test -- --ignored # Ensure clippy and formatting pass clippy: diff --git a/Cargo.toml b/Cargo.toml index 39f9bb2..082b4f9 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -21,10 +21,14 @@ std = ["bitflags/std"] name = "keyctl" required-features = ["std"] +[[example]] +name = "request-key" +required-features = ["std"] + [dependencies] libc = {version = "0.2.158", default-features = false} bitflags = {version = "2.6", default-features = false} [dev-dependencies] zeroize = "1.8.1" -clap = {version = "4.5.16", default-features = false, features = ["std", "derive"]} +clap = {version = "4.5.16", default-features = false, features = ["std", "derive", "help"]} \ No newline at end of file diff --git a/examples/keyctl.rs b/examples/keyctl.rs index 5573f72..171c3aa 100644 --- a/examples/keyctl.rs +++ b/examples/keyctl.rs @@ -10,12 +10,15 @@ use zeroize::Zeroizing; #[derive(Parser, Debug)] #[clap(author, version, about, long_about = None)] +#[command(arg_required_else_help(true))] +#[command(subcommand_required(true))] struct Args { #[clap(subcommand)] subcommand: Command, } #[derive(clap::Subcommand, Debug, PartialEq)] +#[command(arg_required_else_help(true))] enum Command { /// Create a new key Create { diff --git a/examples/request-key.rs b/examples/request-key.rs new file mode 100644 index 0000000..609d7ae --- /dev/null +++ b/examples/request-key.rs 
@@ -0,0 +1,65 @@ +//! Request Key Implementation (replacement for /sbin/request-key) +//! +//! https://www.kernel.org/doc/html/v4.15/security/keys/request-key.html +use clap::Parser; +use linux_keyutils::{Key, KeyRingIdentifier, KeySerialId}; +use std::error::Error; +use zeroize::Zeroizing; + +#[derive(Parser, Debug)] +#[clap(author, version, about, long_about = None)] +#[command(arg_required_else_help(true))] +#[command(subcommand_required(true))] +struct Args { + #[clap(subcommand)] + subcommand: Command, +} + +#[derive(clap::Subcommand, Debug, PartialEq)] +#[command(arg_required_else_help(true))] +enum Command { + /// Kernel invokes this program with the following parameters + /// + /// https://github.com/torvalds/linux/blob/7d06015d936c861160803e020f68f413b5c3cd9d/security/keys/request_key.c#L116 + /// + /// Path is hard coded to /sbin/request-key + Create { + key_id: i32, + uid: u32, + gid: u32, + thread_ring: i32, + process_ring: i32, + session_ring: i32, + }, +} + +fn main() -> Result<(), Box> { + let args = Args::parse(); + _ = match args.subcommand { + // Add a new key to the keyring + Command::Create { + key_id, + uid, + gid, + thread_ring: _, + process_ring: _, + session_ring, + } => { + // Assume authority over the temporary key + let key = Key::from_id(KeySerialId(key_id)); + key.assume_authority()?; + + // Ensure the ownership is correct + key.chown(Some(uid), Some(gid))?; + + // Read payload from special key KeyRingIdentifier::ReqKeyAuthKey + let reqkey = Key::from_id(KeySerialId(KeyRingIdentifier::ReqKeyAuthKey as i32)); + let mut buf = Zeroizing::new([0u8; 2048]); + let len = reqkey.read(&mut buf)?; + + // Instantiate key + key.instantiate(&buf[..len], KeySerialId(session_ring))?; + } + }; + Ok(()) +} diff --git a/src/errors.rs b/src/errors.rs index 8d9e530..50c40b9 100644 --- a/src/errors.rs +++ b/src/errors.rs 
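Review bot: `&buf[..len]` in the `Command::Create` arm trusts the length returned by `reqkey.read(&mut buf)` to fit the fixed 2048-byte buffer. `Key::read` is not visible here, but if it forwards the KEYCTL_READ return value, that value is the full payload size even when it exceeds the buffer, and the slice would panic in a helper the kernel runs on behalf of other processes. A checked slice avoids that: `let data = buf.get(..len).ok_or("callout info larger than buffer")?;` followed by `key.instantiate(data, KeySerialId(session_ring))?;`. The module doc should also say that this helper ignores /etc/request-key.conf and instantiates every request with the requester's own callout data, so it is a test fixture and not a general replacement for /sbin/request-key.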
@@ -54,6 +54,15 @@ pub enum KeyError { /// Write to destination failed WriteError, + // Insufficient permissions + PermissionDenied, + + // Missing file or directory (ENOENT) + // + // For request_key this could be due to a missing /sbin/request-key + // binary. I.e. keyutils utilities are not installed. + MissingFileOrDirectory, + /// Unknown - catch all, return this instead of panicing Unknown(i32), } @@ -73,6 +82,8 @@ impl KeyError { pub fn from_errno() -> KeyError { match unsafe { *libc::__errno_location() } { // Create Errors + libc::ENOENT => KeyError::MissingFileOrDirectory, + libc::EPERM => KeyError::PermissionDenied, libc::EACCES => KeyError::AccessDenied, libc::EDQUOT => KeyError::QuotaExceeded, libc::EFAULT => KeyError::BadAddress, diff --git a/src/key.rs b/src/key.rs index b64acf2..4a56711 100644 --- a/src/key.rs +++ b/src/key.rs @@ -227,12 +227,29 @@ impl Key { Ok(()) } + /// Assume the authority for the calling thread to instantiate a key. + /// + /// Authority over a key can be assumed only if the calling thread has present + /// in its keyrings the authorization key that is associated with the specified key. + /// + /// In other words, the KEYCTL_ASSUME_AUTHORITY operation is available only from + /// a request-key(8)-style program. + /// + /// The caller must have search permission on the authorization key. + pub fn assume_authority(&self) -> Result<(), KeyError> { + ffi::keyctl!( + KeyCtlOperation::AssumeAuthority, + self.0.as_raw_id() as libc::c_ulong + )?; + Ok(()) + } + /// Instantiate a partially constructed key. /// /// To instantiate a key, the caller must have the appropriate /// authorization key. This is automatically granted when the caller /// is invoked by /sbin/request-key. - pub fn instantiate>( + pub fn instantiate + ?Sized>( &self, payload: &T, id: KeySerialId, diff --git a/src/keyring.rs b/src/keyring.rs index 7a16562..b1388a5 100644 --- a/src/keyring.rs +++ b/src/keyring.rs 
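Review bot: The two new variants `PermissionDenied` and `MissingFileOrDirectory` are documented with `//` rather than `///`, unlike the neighbouring `/// Write to destination failed`, so their descriptions will not appear in rustdoc. Change them to doc comments, e.g. `/// Insufficient permissions (EPERM)` and `/// Missing file or directory (ENOENT)`. The enum's attributes are outside this hunk; if it is not `#[non_exhaustive]`, adding variants breaks downstream exhaustive matches and is worth a changelog entry. In the `from_errno` hunk, the `ENOENT` and `EPERM` arms sit under the `// Create Errors` comment, which does not describe them.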
@@ -333,14 +333,14 @@ mod test { // // The following examples/keyctl command in /etc/request-key.conf is known to work: // create user test_callout * /path/to/examples/keyctl instantiate --keyid %k --payload %c --ring %S - let key = ring.request_key("test_callout", Some(callout)); - - assert!(key.is_ok()); + let key = ring.request_key("test_callout", Some(callout)).unwrap(); // Verify the payload - let payload = key.unwrap().read_to_vec().unwrap(); + let payload = key.read_to_vec().unwrap(); assert_eq!(callout.as_bytes(), &payload); - key.unwrap().invalidate().unwrap(); + + // Invalidate the key + key.invalidate().unwrap(); } #[test] From 70adfa1ee9405bbb17900ef0fb38dc51dbfcbc8f Mon Sep 17 00:00:00 2001 From: landhb Date: Sun, 30 Mar 2025 11:01:57 -0700 Subject: [PATCH 08/17] Fix new clippy warnings. --- src/ffi/types.rs | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/ffi/types.rs b/src/ffi/types.rs index a4115e5..2a4e45f 100644 --- a/src/ffi/types.rs +++ b/src/ffi/types.rs @@ -147,13 +147,11 @@ impl KeySerialId { /// Using Rust's type system to ensure only valid strings are provided to the syscall. impl From for &'static CStr { fn from(t: KeyType) -> &'static CStr { - unsafe { - match t { - KeyType::KeyRing => CStr::from_bytes_with_nul_unchecked(b"keyring\0"), - KeyType::User => CStr::from_bytes_with_nul_unchecked(b"user\0"), - KeyType::Logon => CStr::from_bytes_with_nul_unchecked(b"logon\0"), - KeyType::BigKey => CStr::from_bytes_with_nul_unchecked(b"big_key\0"), - } + match t { + KeyType::KeyRing => c"keyring", + KeyType::User => c"user", + KeyType::Logon => c"logon", + KeyType::BigKey => c"big_key", } } } From b06275697342e5d1223165cf2dde2807507a3853 Mon Sep 17 00:00:00 2001 From: landhb Date: Sun, 30 Mar 2025 11:05:35 -0700 Subject: [PATCH 09/17] Upgrade actions. --- .github/workflows/checks.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
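Review bot: The `c"keyring"` style literals in the `From` impl for `&'static CStr` need Rust 1.77 or newer, and no visible Cargo.toml hunk in this series declares a minimum toolchain. If the crate is meant to build on older compilers, state the new floor with `rust-version = "1.77"` under `[package]` so users get a clear version error instead of a parse failure.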
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 5efeb84..5123c99 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -24,7 +24,7 @@ jobs: repo: cross matches: ${{ matrix.platform }} token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: cross-${{ matrix.platform }} path: ${{ steps.cross.outputs.install_path }} @@ -36,7 +36,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions-rs/toolchain@v1 with: profile: minimal @@ -56,7 +56,7 @@ jobs: clippy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions-rs/toolchain@v1 with: profile: minimal @@ -76,14 +76,14 @@ jobs: runs-on: ubuntu-latest needs: install-cross steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: 'recursive' - uses: dtolnay/rust-toolchain@stable with: toolchain: stable - name: Download Cross - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: cross-linux-musl path: /tmp From 1e794eea88188bbae66c54f86c524d9b161b493e Mon Sep 17 00:00:00 2001 From: landhb Date: Sun, 30 Mar 2025 11:12:23 -0700 Subject: [PATCH 10/17] Fix coverage job. --- .github/workflows/coverage.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 643148d..0f6d13b 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install stable toolchain uses: actions-rs/toolchain@v1 
@@ -23,14 +23,19 @@ jobs: toolchain: stable override: true + - name: Install Required Packages + run: | + apt-get update && apt-get -y upgrade + apt-get install -y build-essential libssl-dev + - name: Run cargo-tarpaulin uses: actions-rs/tarpaulin@v0.1 with: - version: '0.21.0' + version: '0.32.3' args: "--lib" - name: Upload to codecov.io - uses: codecov/codecov-action@v2 + uses: codecov/codecov-action@v5 with: file: ./cobertura.xml From 61430e35110420e88b59ac90c0985b3acd7e01f1 Mon Sep 17 00:00:00 2001 From: Bradley Landherr <12598313+landhb@users.noreply.github.com> Date: Sun, 30 Mar 2025 11:19:15 -0700 Subject: [PATCH 11/17] Fix formatting in coverage.yml --- .github/workflows/coverage.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 0f6d13b..df1624b 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -25,8 +25,8 @@ jobs: - name: Install Required Packages run: | - apt-get update && apt-get -y upgrade - apt-get install -y build-essential libssl-dev + sudo apt update && apt -y upgrade + sudo apt install -y build-essential libssl-dev - name: Run cargo-tarpaulin uses: actions-rs/tarpaulin@v0.1 From e33675a4af42b8dc3dfbc38be3de3988fa143f75 Mon Sep 17 00:00:00 2001 From: Bradley Landherr <12598313+landhb@users.noreply.github.com> Date: Sun, 30 Mar 2025 11:20:43 -0700 Subject: [PATCH 12/17] Perms for coverage.yml --- .github/workflows/coverage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index df1624b..aef872a 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -25,7 +25,7 @@ jobs: - name: Install Required Packages run: | - sudo apt update && apt -y upgrade + sudo apt update && sudo apt -y upgrade sudo apt install -y build-essential libssl-dev - name: Run cargo-tarpaulin 
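Review bot: The steps touched in this hunk reference third-party actions by mutable tag (`actions-rs/tarpaulin@v0.1`, `codecov/codecov-action@v5`), so whatever the tag points to at run time executes with the job's token and any upload credentials. Pinning to a full commit SHA with the version in a trailing comment, e.g. `uses: codecov/codecov-action@<FULL_COMMIT_SHA> # v5`, makes the executed code reviewable and stable. The `apt-get -y upgrade` in the new install step upgrades the whole runner image on every run and is not needed to install two packages.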
From 94ef01d46c2fd9a692cfe1d3f3b1734b42647745 Mon Sep 17 00:00:00 2001 From: landhb Date: Sun, 30 Mar 2025 11:24:45 -0700 Subject: [PATCH 13/17] Format the doc comments. --- src/key.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/key.rs b/src/key.rs index 4a56711..d753702 100644 --- a/src/key.rs +++ b/src/key.rs @@ -229,11 +229,11 @@ impl Key { /// Assume the authority for the calling thread to instantiate a key. /// - /// Authority over a key can be assumed only if the calling thread has present + /// Authority over a key can be assumed only if the calling thread has present /// in its keyrings the authorization key that is associated with the specified key. /// - /// In other words, the KEYCTL_ASSUME_AUTHORITY operation is available only from - /// a request-key(8)-style program. + /// In other words, the KEYCTL_ASSUME_AUTHORITY operation is available only from + /// a request-key(8)-style program. /// /// The caller must have search permission on the authorization key. pub fn assume_authority(&self) -> Result<(), KeyError> { From 7bfb7dd94eb90c23dec8c98a59e513a52262d57a Mon Sep 17 00:00:00 2001 From: landhb Date: Sun, 30 Mar 2025 11:28:27 -0700 Subject: [PATCH 14/17] Decrement tarpaulin version. --- .github/workflows/coverage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index aef872a..ec9eede 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -31,7 +31,7 @@ jobs: - name: Run cargo-tarpaulin uses: actions-rs/tarpaulin@v0.1 with: - version: '0.32.3' + version: '0.32.2' args: "--lib" - name: Upload to codecov.io From 652ddc9d8b6a14221459d192a5fcbeec85bb1e7f Mon Sep 17 00:00:00 2001 From: landhb Date: Sun, 30 Mar 2025 11:34:14 -0700 Subject: [PATCH 15/17] Try older version. --- .github/workflows/coverage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index ec9eede..f65881d 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -31,7 +31,7 @@ jobs: - name: Run cargo-tarpaulin uses: actions-rs/tarpaulin@v0.1 with: - version: '0.32.2' + version: '0.31.0' args: "--lib" - name: Upload to codecov.io From 96c97ccd98a023ff674fcde27a13dd4d44724c3f Mon Sep 17 00:00:00 2001 From: landhb Date: Sun, 30 Mar 2025 11:39:11 -0700 Subject: [PATCH 16/17] Revert version --- .github/workflows/coverage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index f65881d..d5306ca 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -31,7 +31,7 @@ jobs: - name: Run cargo-tarpaulin uses: actions-rs/tarpaulin@v0.1 with: - version: '0.31.0' + version: '0.21.0' args: "--lib" - name: Upload to codecov.io From 5811f274a9f09a0af4678465a7ce6e175925425a Mon Sep 17 00:00:00 2001 From: landhb Date: Sun, 30 Mar 2025 12:12:47 -0700 Subject: [PATCH 17/17] Refactor and run all tests at once --- .github/workflows/checks.yml | 7 +++---- .github/workflows/coverage.yml | 14 +++++++------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 5123c99..37992c1 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -44,13 +44,12 @@ jobs: override: true - name: Build run: cargo build --verbose - - name: Run tests - run: cargo test --verbose - - name: Request/Instantiate flow + - name: Install request-key for Request/Instantiate flow run: | cargo build --example request-key --features std sudo mv ./target/debug/examples/request-key /sbin/request-key - cargo test -- --ignored + - name: Run tests + run: cargo test --verbose -- --include-ignored # Ensure clippy and formatting pass clippy: 
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index d5306ca..7b1bc97 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -23,16 +23,16 @@ jobs: toolchain: stable override: true - - name: Install Required Packages + - name: Install cargo-tarpaulin + run: cargo install cargo-tarpaulin + + - name: Install request-key for Request/Instantiate flow run: | - sudo apt update && sudo apt -y upgrade - sudo apt install -y build-essential libssl-dev + cargo build --example request-key --features std + sudo mv ./target/debug/examples/request-key /sbin/request-key - name: Run cargo-tarpaulin - uses: actions-rs/tarpaulin@v0.1 - with: - version: '0.21.0' - args: "--lib" + run: cargo-tarpaulin --lib -- --include-ignored - name: Upload to codecov.io uses: codecov/codecov-action@v5
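Review bot: `cargo install cargo-tarpaulin` installs whatever version is current at run time and resolves its dependencies afresh, which is the kind of drift the preceding version-juggling commits were working around. Pin the tool and use its published lockfile: `run: cargo install cargo-tarpaulin --locked --version <PINNED_VERSION>`. The `sudo mv ./target/debug/examples/request-key /sbin/request-key` step, here and in the checks.yml hunk of the same commit, replaces a helper the kernel runs as root. That is acceptable on an ephemeral hosted runner, but it should carry a comment warning against reusing the step on self-hosted or shared machines.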