Nitrokey / pynitrokey

Python client for Nitrokey devices
Apache License 2.0

Secrets app PIN-based encryption - tests and CLI update #329

Closed szszszsz closed 1 year ago

szszszsz commented 1 year ago

This PR adds tests for the PIN-based encryption in the Secrets app:

Built upon #328

UI Changes

sz@stumpy ~/w/solo-python (otp-pin-based-encryption) [2]> ./venv/bin/nitropy nk3 otp register aaaa4 AAAAAAAA --kind HOTP --experimental
Command line tool to interact with Nitrokey devices 0.4.33
Health check notes:
- All attempts on the PIN counter are used. Call factory reset to use the device again.
Authentication failed with error: "PIN not available to use"
Aborted!
sz@stumpy ~/w/solo-python (otp-pin-based-encryption) [1]> ./venv/bin/nitropy nk3 otp status
Command line tool to interact with Nitrokey devices 0.4.33
Nitrokey Secrets
        Version: 4.7.0
        PIN attempt counter: 0
Health check notes:
- All attempts on the PIN counter are used. Call factory reset to use the device again.
sz@stumpy ~/w/solo-python (otp-pin-based-encryption)> ./venv/bin/nitropy nk3 otp reset
Command line tool to interact with Nitrokey devices 0.4.33
Do you want to continue? [y/N]: y
Operation executed
sz@stumpy ~/w/solo-python (otp-pin-based-encryption)> ./venv/bin/nitropy nk3 otp status
Command line tool to interact with Nitrokey devices 0.4.33
Nitrokey Secrets
        Version: 4.7.0
        PIN attempt counter: None
Health check notes:
- Application does not have a PIN. Set PIN before the first use.
sz@stumpy ~/w/solo-python (otp-pin-based-encryption)> ./venv/bin/nitropy nk3 otp
Command line tool to interact with Nitrokey devices 0.4.33
Usage: nitropy nk3 otp [OPTIONS] COMMAND [ARGS]...

  Manage OTP secrets on the device. Use NITROPY_OTP_PASSWORD to pass password
  for the scripted execution.

Options:
  --help  Show this message and exit.

Commands:
  get           Generate OTP code from registered credential.
  register      Register OTP credential.
  remove        Remove OTP credential.
  reset         Remove all OTP credentials from the device.
  set-password  Set the passphrase used to authenticate to other commands.
  show          List registered OTP credentials.
  status        Show OTP status
  verify        Proceed with the incoming OTP code verification (aka...
sz@stumpy ~/w/solo-python (otp-pin-based-encryption)> ./venv/bin/nitropy nk3 otp set-password --experimental
Command line tool to interact with Nitrokey devices 0.4.33
Password:
Repeat for confirmation:
Password set
sz@stumpy ~/w/solo-python (otp-pin-based-encryption)> ./venv/bin/nitropy nk3 otp status
Command line tool to interact with Nitrokey devices 0.4.33
Nitrokey Secrets
        Version: 4.7.0
        PIN attempt counter: 8
sz@stumpy ~/w/solo-python (otp-pin-based-encryption)> ./venv/bin/nitropy nk3 otp register aaaa4 AAAAAAAA --kind HOTP --experimental
Command line tool to interact with Nitrokey devices 0.4.33
Current Password (8 attempts left):
sz@stumpy ~/w/solo-python (otp-pin-based-encryption)> ./venv/bin/nitropy nk3 otp get aaaa4
Command line tool to interact with Nitrokey devices 0.4.33

This feature is experimental, which means it was not tested thoroughly.
Note: data stored with it can be lost in the next firmware update.
Please pass --experimental switch to force running it anyway.

Aborted!
sz@stumpy ~/w/solo-python (otp-pin-based-encryption) [1]> ./venv/bin/nitropy nk3 otp get aaaa4 --experimental
Command line tool to interact with Nitrokey devices 0.4.33
Current Password (8 attempts left):
Timestamp: 2023-03-08T18:28:56 (1678296536), period: 30
328482
sz@stumpy ~/w/solo-python (otp-pin-based-encryption)>
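As an added example (not part of this PR or of pynitrokey), a script that drives `nitropy nk3 otp` unattended can parse the `status` output shown in the session above and decline to submit a password when the PIN counter is exhausted, unset, or too low. The names `SecretsStatus`, `parse_status` and `safe_to_authenticate` and the `min_attempts` threshold are hypothetical; the sample strings are constructed from the outputs above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples: the three status outputs from the session above.
LOCKED = """Nitrokey Secrets
        Version: 4.7.0
        PIN attempt counter: 0
Health check notes:
- All attempts on the PIN counter are used. Call factory reset to use the device again.
"""
NO_PIN = """Nitrokey Secrets
        Version: 4.7.0
        PIN attempt counter: None
Health check notes:
- Application does not have a PIN. Set PIN before the first use.
"""
READY = """Nitrokey Secrets
        Version: 4.7.0
        PIN attempt counter: 8
"""

@dataclass
class SecretsStatus:
    version: Optional[str]
    pin_attempts: Optional[int]  # None means no PIN has been set
    notes: List[str]

    @property
    def state(self) -> str:
        if self.pin_attempts is None:
            return "no-pin"
        return "locked" if self.pin_attempts == 0 else "ready"

def parse_status(text: str) -> SecretsStatus:
    fields, notes = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("- "):
            notes.append(line[2:])  # health check note
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if "PIN attempt counter" not in fields:
        raise ValueError("status output has no PIN attempt counter line")
    raw = fields["PIN attempt counter"]
    return SecretsStatus(fields.get("Version"), None if raw == "None" else int(raw), notes)

def safe_to_authenticate(status: SecretsStatus, min_attempts: int = 3) -> bool:
    # min_attempts is an assumed policy threshold, not a device or nitropy setting.
    return status.state == "ready" and status.pin_attempts >= min_attempts
```
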

szszszsz commented 1 year ago

make check fails within nethsm:

sz@stumpy ~/w/solo-python (otp-pin-based-encryption)> make check
venv/bin/python3 -m flake8 --extend-exclude pynitrokey/nethsm/client pynitrokey/nethsm pynitrokey/cli/nk3 pynitrokey/nk3
venv/bin/python3 -m mypy pynitrokey
Traceback (most recent call last):
  File "/usr/lib64/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib64/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/home/sz/work/solo-python/venv/lib64/python3.10/site-packages/mypy/__main__.py", line 37, in <module>
    console_entry()
  File "/home/sz/work/solo-python/venv/lib64/python3.10/site-packages/mypy/__main__.py", line 15, in console_entry
    main()
  File "mypy/main.py", line 95, in main
  File "mypy/main.py", line 174, in run_build
  File "mypy/build.py", line 194, in build
  File "mypy/build.py", line 277, in _build
  File "mypy/build.py", line 2923, in dispatch
  File "mypy/build.py", line 3313, in process_graph
  File "mypy/build.py", line 3394, in process_fresh_modules
  File "mypy/build.py", line 2120, in fix_cross_refs
  File "mypy/fixup.py", line 53, in fixup_module
  File "mypy/fixup.py", line 115, in visit_symbol_table
  File "mypy/lookup.py", line 49, in lookup_fully_qualified
AssertionError: Cannot find component 'TypedDict' for 'pynitrokey.nethsm.client.apis.tag_to_api.TypedDict'
make: *** [Makefile:52: lint] Error 1
sz@stumpy ~/w/solo-python (otp-pin-based-encryption) [2]>

szszszsz commented 1 year ago

Fixing conflict first

szszszsz commented 1 year ago

Ready for review @sosthene-nitrokey @robin-nitrokey

robin-nitrokey commented 1 year ago

> make check fails within nethsm:

You should be able to fix this issue by deleting the .mypy_cache folder.

szszszsz commented 1 year ago

> You should be able to fix this issue by deleting the .mypy_cache folder.

Yes, this helps. I will add required fixes in the next commit.