4 #include <dpl/test/test_runner.h>
5 #include <dpl/test/test_runner_child.h>
7 #include <tests_common.h>
8 #include <ckm-common.h>
9 #include <access_provider2.h>
11 #include <ckmc/ckmc-manager.h>
12 #include <ckmc/ckmc-control.h>
13 #include <ckmc/ckmc-type.h>
14 #include <ckmc/ckmc-error.h>
16 #include <ckm/ckm-type.h>
// Fixture identities and sample values shared by the access-control cases below.
// APP_1/APP_2 are passed as user ids to reset_user_data() and to the *_by_adm calls;
// APP_LABEL_n are the owner/accessor labels. TEST_LABEL* are defined outside this listing.
// NOTE(review): APP_PASS_* are `const char * const`, but the label, alias and data pointers
// are only `const char*`, so the pointers themselves stay reassignable. Declaring them
// `const char* const` would stop one case from retargeting a fixture the others rely on.
// NOTE(review): USER_ROOT and GROUP_2 are not referenced in the visible part of the file.
19 const int USER_ROOT = 0;
20 const int APP_1 = 6000;
21 const int GROUP_1 = 6000;
22 const int APP_2 = 6200;
23 const int GROUP_2 = 6200;
24 const char * const APP_PASS_1 = "app-pass-1";
25 const char * const APP_PASS_2 = "app-pass-2";
26 const char* APP_LABEL_1 = TEST_LABEL;
27 const char* APP_LABEL_2 = TEST_LABEL_2;
28 const char* APP_LABEL_3 = TEST_LABEL_3;
29 const char* APP_LABEL_4 = TEST_LABEL_4;
// Names used by the negative lookups that expect CKMC_ERROR_DB_ALIAS_UNKNOWN.
32 const char* NO_ALIAS = "definitely-non-existent-alias";
33 const char* NO_OWNER = "definitely-non-existent-owner";
// Aliases under which the cases store TEST_DATA.
35 const char* TEST_ALIAS = "test-alias";
36 const char* TEST_ALIAS2 = "test-alias2";
37 const char* TEST_ALIAS3 = "test-alias3";
// Arbitrary payload; the cases only compare it with what is read back.
39 const char* TEST_DATA = "dsflsdkghkslhglrtghierhgilrehgidsafasdffsgfdgdgfdgfdgfdgfdggf";
/**
 * Grants @p accessor the rights in @p accessRights on @p alias through
 * ckmc_allow_access(), the call this file treats as the deprecated grant API.
 * Fails the running test unless the call returns CKMC_ERROR_NONE.
 */
void allow_access_deprecated(const char* alias, const char* accessor, ckmc_access_right_e accessRights)
{
    const int ret = ckmc_allow_access(alias, accessor, accessRights);
    RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret,
                      "Trying to allow access returned: " << CKMCErrorToString(ret));
}
/**
 * Grants @p accessor the rights in @p accessRights on the data stored as
 * @p alias by owner @p label in the database of user @p uid, through
 * ckmc_allow_access_by_adm(). Owner label and alias are passed separately.
 * Fails the running test unless the call returns CKMC_ERROR_NONE.
 */
void allow_access_deprecated_by_adm(uid_t uid, const char *label, const char* alias, const char* accessor, ckmc_access_right_e accessRights)
{
    // No explicit cleanup: data removal should revoke this access.
    const int ret = ckmc_allow_access_by_adm(uid, label, alias, accessor, accessRights);
    RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret,
                      "Trying to allow access returned: " << CKMCErrorToString(ret));
}
/**
 * Sets @p permissionMask for @p accessor on the data stored as @p alias by
 * owner @p label in the database of user @p uid, through
 * ckmc_set_permission_by_adm(). The owner-qualified alias is built with
 * aliasWithLabel(). Fails the running test unless the call returns
 * CKMC_ERROR_NONE.
 */
void allow_access_by_adm(uid_t uid, const char *label, const char* alias, const char* accessor, int permissionMask)
{
    // No explicit cleanup: data removal should revoke this access.
    const auto ownedAlias = aliasWithLabel(label, alias);
    const int ret = ckmc_set_permission_by_adm(uid, ownedAlias.c_str(), accessor, permissionMask);
    RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret,
                      "Trying to allow access returned: " << CKMCErrorToString(ret));
}
/**
 * Revokes every permission @p accessor holds on the data stored as @p alias
 * by owner @p label in the database of user @p uid, by setting
 * CKMC_PERMISSION_NONE through ckmc_set_permission_by_adm(). Fails the
 * running test unless the call returns CKMC_ERROR_NONE.
 */
void deny_access_by_adm(uid_t uid, const char *label, const char* alias, const char* accessor)
{
    const auto ownedAlias = aliasWithLabel(label, alias);
    const int ret = ckmc_set_permission_by_adm(uid, ownedAlias.c_str(), accessor, CKMC_PERMISSION_NONE);
    RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret,
                      "Denying access failed. " << CKMCErrorToString(ret));
}
/**
 * Asserts that count_aliases(ALIAS_DATA) reports exactly @p expected data
 * aliases for the identity the test is currently running as.
 */
void check_alias_count(size_t expected)
{
    const size_t count = count_aliases(ALIAS_DATA);
    RUNNER_ASSERT_MSG(count == expected,
                      "Expected " << expected << " aliases, got " << count);
}
73 } // namespace anonymous
// Test group T30xx: permission management through the per-application API
// (ckmc_set_permission and ckmc_allow_access), called under an application label.
75 RUNNER_TEST_GROUP_INIT (T300_CKMC_ACCESS_CONTROL_USER_C_API);
78 /////////////////////////////////////////////////////////////////////////////
// Group set-up: calls reset_user_data() for both fixture users with their passwords.
// NOTE(review): presumably this wipes and unlocks each user's database so later cases start
// from a known state; reset_user_data() is defined outside this listing, so confirm.
80 RUNNER_TEST(T3000_init)
82 reset_user_data(APP_1, APP_PASS_1);
83 reset_user_data(APP_2, APP_PASS_2);
86 // invalid arguments check
// Negative case: granting CKMC_PERMISSION_READ with a NULL alias, then with a NULL accessor,
// is compared against CKMC_ERROR_INVALID_PARAMETER.
// NOTE(review): the assertion macro lines wrapping the two comparisons (file lines 91 and 93)
// are absent from this listing; only their arguments are visible.
87 RUNNER_TEST(T3001_manager_allow_access_invalid)
89 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
92 CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_READ));
94 CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_READ));
97 // invalid arguments check
// Negative case: revoking (CKMC_PERMISSION_NONE) with a NULL alias, then with a NULL accessor,
// must return CKMC_ERROR_INVALID_PARAMETER.
98 RUNNER_TEST(T3002_manager_deny_access_invalid)
100 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
102 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_NONE));
103 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_NONE));
106 // tries to allow access for non existing alias
// Negative case: granting READ on NO_ALIAS, which no case stores, must return
// CKMC_ERROR_DB_ALIAS_UNKNOWN. The accessor "label" is an arbitrary placeholder.
107 RUNNER_CHILD_TEST(T3003_manager_allow_access_non_existing)
109 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
111 int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_READ);
112 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
113 "Allowing access for non existing alias returned " << CKMCErrorToString(ret));
116 // tries to deny access for non existing alias
// Negative case: revoking permissions on NO_ALIAS must also return
// CKMC_ERROR_DB_ALIAS_UNKNOWN, the same result as the grant attempt in T3003.
117 RUNNER_CHILD_TEST(T3004_manager_deny_access_non_existing)
119 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
121 int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_NONE);
122 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
123 "Denying access for non existing alias returned " << CKMCErrorToString(ret));
126 // tries to deny access that does not exist in database
// Negative case: the alias exists (stored by ScopedSaveData), but "label" was never granted
// anything on it. Revoking that absent grant must return CKMC_ERROR_INVALID_PARAMETER.
// NOTE(review): ScopedSaveData presumably removes the data when it goes out of scope - confirm.
127 RUNNER_CHILD_TEST(T3005_manager_deny_access_non_existing_access)
129 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
131 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
133 // deny non existing access to existing alias
134 int ret = ckmc_set_permission(TEST_ALIAS, "label", CKMC_PERMISSION_NONE);
135 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
136 "Denying non existing access returned: " << CKMCErrorToString(ret));
139 // tries to allow access to application own data
// Negative case: an owner naming itself as accessor of its own data must be rejected with
// CKMC_ERROR_INVALID_PARAMETER. The accessor is the id returned by getOwnerIdFromSelf().
140 RUNNER_CHILD_TEST(T3006_manager_allow_access_to_myself)
142 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
144 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
146 std::string ownerId = getOwnerIdFromSelf();
147 int ret = ckmc_set_permission(TEST_ALIAS, ownerId.c_str(), CKMC_PERMISSION_READ);
148 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
149 "Trying to allow myself returned: " << CKMCErrorToString(ret));
152 // verifies that alias can not contain forbidden characters
// Input validation on the alias: reading through an alias that contains spaces is expected
// to return CKMC_ERROR_INVALID_PARAMETER. The two control reads, without an owner (0) and with
// the owner's own label, must succeed.
153 RUNNER_CHILD_TEST(T3007_manager_check_alias_valid)
155 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
157 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
159 std::string test_alias_playground = std::string("AAA BBB CCC");
160 check_read(test_alias_playground.c_str(), 0, TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
162 // control: expect success
163 check_read(TEST_ALIAS, 0, TEST_DATA);
164 check_read(TEST_ALIAS, APP_LABEL_1, TEST_DATA);
167 // verifies that label can not contain forbidden characters
// Input validation on the owner label: a label containing spaces, or containing
// ckmc_label_name_separator in the middle, at the start or at the end, must be rejected with
// CKMC_ERROR_INVALID_PARAMETER. The separator is what joins owner and alias in a qualified
// name, so these inputs check that a crafted label cannot shift the owner/alias boundary.
168 RUNNER_CHILD_TEST(T3008_manager_check_label_valid)
170 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
172 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
// label made only of characters and spaces
175 std::string APP_LABEL_1_playground = std::string("AAA BBB CCC");
176 check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
178 // insert part of the separator in the middle
179 APP_LABEL_1_playground = std::string(APP_LABEL_1);
180 APP_LABEL_1_playground.insert(APP_LABEL_1_playground.size()/2, ckmc_label_name_separator);
181 check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
// separator placed before the valid label
184 APP_LABEL_1_playground = std::string(APP_LABEL_1);
185 APP_LABEL_1_playground.insert(0, ckmc_label_name_separator);
186 check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
// separator placed after the valid label
189 APP_LABEL_1_playground = std::string(APP_LABEL_1);
190 APP_LABEL_1_playground.append(ckmc_label_name_separator);
191 check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
193 // control: expect success
194 check_read(TEST_ALIAS, APP_LABEL_1, TEST_DATA);
198 // tries to access other application data without permission
// Default-deny case: APP_LABEL_1 stores data and grants nothing. Under APP_LABEL_2 (same uid
// and gid) the owner-qualified alias is checked with the *_not_visible helpers for both read
// and remove.
// NOTE(review): the helper names suggest the service reports an ungranted alias as unknown
// rather than as denied, which avoids disclosing that it exists; the helpers are defined
// outside this listing, so confirm the error code they expect.
// NOTE(review): the brace lines that scope each ScopedAccessProvider are missing from this
// listing; the two providers are assumed to live in separate nested blocks.
199 RUNNER_TEST(T3020_manager_access_not_allowed, RemoveDataEnv<APP_1>)
203 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
204 save_data(TEST_ALIAS, TEST_DATA);
207 // test accessibility from another label
209 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
211 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
212 check_read_not_visible(TEST_ALIAS_adr.c_str());
213 check_remove_not_visible(TEST_ALIAS_adr.c_str());
217 // tries to access other application data with permission
// Positive case: the owner (APP_LABEL_1) grants CKMC_PERMISSION_READ to APP_LABEL_2, which
// must then read the data through the owner-qualified alias.
218 RUNNER_TEST(T3021_manager_access_allowed, RemoveDataEnv<APP_1>)
222 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
223 save_data(TEST_ALIAS, TEST_DATA);
224 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
227 // test accessibility from another label
229 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
230 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
234 // tries to read other application data with permission for read/remove
// Positive case: with READ | REMOVE granted, APP_LABEL_2 must still be able to read.
// Removal under the same grant is covered separately by T3025.
235 RUNNER_TEST(T3022_manager_access_allowed_with_remove, RemoveDataEnv<APP_1>)
239 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
240 save_data(TEST_ALIAS, TEST_DATA);
241 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
244 // test accessibility from another label
246 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
247 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
251 // tries to remove other application data with permission for reading only
// Least-privilege case: a READ-only grant must not allow removal. The remove attempt is
// checked first, then the read, which also shows the failed remove left the data in place.
252 RUNNER_TEST(T3023_manager_access_allowed_remove_denied, RemoveDataEnv<APP_1>)
256 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
257 save_data(TEST_ALIAS, TEST_DATA);
258 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
261 // test accessibility from another label
263 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
264 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
265 check_remove_denied(TEST_ALIAS_adr.c_str());
266 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
270 // tries to remove other application data with permission
// Positive case: with READ | REMOVE granted, APP_LABEL_2 must be able to remove the
// owner's data through the owner-qualified alias.
271 RUNNER_TEST(T3025_manager_remove_allowed, RemoveDataEnv<APP_1>)
275 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
276 save_data(TEST_ALIAS, TEST_DATA);
277 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
280 // test accessibility from another label
282 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
283 check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
287 // tries to access other application data after the allow function was called twice with different permission masks
// Overwrite semantics: a second grant replaces the first instead of being OR-ed into it.
// After READ | REMOVE followed by READ, the accessor must be denied removal but still read,
// so narrowing a grant takes effect immediately.
289 RUNNER_TEST(T3026_manager_double_allow, RemoveDataEnv<APP_1>)
293 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
294 save_data(TEST_ALIAS, TEST_DATA);
296 // access should be overwritten
297 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
298 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
301 // test accessibility from another label
303 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
305 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
306 check_remove_denied(TEST_ALIAS_adr.c_str());
307 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
311 // tries to access application data with permission and after permission has been revoked
// Revocation case, in four phases that alternate between owner and accessor:
//   1. owner stores data and grants READ to APP_LABEL_2;
//   2. accessor: remove denied, read allowed;
//   3. owner revokes with deny_access();
//   4. accessor: both remove and read now report the alias as not visible.
// Phase 4 is the security-relevant assertion: a revoked grant leaves no residual access.
// NOTE(review): the brace lines separating the phases are missing from this listing.
312 RUNNER_TEST(T3027_manager_allow_deny, RemoveDataEnv<APP_1>)
315 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
317 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
318 save_data(TEST_ALIAS, TEST_DATA);
320 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
323 // test accessibility from another label
325 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
327 check_remove_denied(TEST_ALIAS_adr.c_str());
328 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
// owner revokes the grant
333 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
335 deny_access(TEST_ALIAS, APP_LABEL_2);
338 // test accessibility from another label
340 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
342 check_remove_not_visible(TEST_ALIAS_adr.c_str());
343 check_read_not_visible(TEST_ALIAS_adr.c_str());
// Name-resolution case: both labels store data under the same alias and grant each other
// READ. An unqualified TEST_ALIAS read under APP_LABEL_2 must return APP_LABEL_2's own data
// (additional_data), not the data APP_LABEL_1 shared under the same name. APP_LABEL_1 then
// reads APP_LABEL_2's data only through the owner-qualified alias.
// This guards against a shared alias shadowing the caller's own entry.
// NOTE(review): RemoveDataEnv<APP_1> is the only cleanup visible here; whether it also removes
// the entry saved under APP_LABEL_2 depends on code outside this listing.
347 RUNNER_TEST(T3028_manager_access_by_label, RemoveDataEnv<APP_1>)
350 const char *additional_data = "label-2-data";
352 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
353 save_data(TEST_ALIAS, TEST_DATA);
355 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
360 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
361 save_data(TEST_ALIAS, additional_data);
363 allow_access(TEST_ALIAS, APP_LABEL_1, CKMC_PERMISSION_READ);
365 // test if accessing valid alias (of label2 domain)
366 check_read_allowed(TEST_ALIAS, additional_data);
369 // test accessibility to app 2 from app 1
371 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
373 // test if can access label2 alias from label1 domain - should succeed
374 check_read_allowed(aliasWithLabel(APP_LABEL_2, TEST_ALIAS).c_str(), additional_data);
378 // tries to modify another label's permission
// Authorization case: only the owner may change permissions on its data. APP_LABEL_1 grants
// READ | REMOVE to APP_LABEL_3; APP_LABEL_2, which holds no grant, then tries to grant and to
// revoke APP_LABEL_4's access and must get CKMC_ERROR_PERMISSION_DENIED both times.
// NOTE(review): the grantee APP_LABEL_3 is never used as the caller, so this case does not
// show that a label holding READ | REMOVE is also unable to re-delegate or revoke access.
379 RUNNER_TEST(T3029_manager_access_modification_by_foreign_label, RemoveDataEnv<APP_1>)
383 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
384 save_data(TEST_ALIAS, TEST_DATA);
386 allow_access(TEST_ALIAS, APP_LABEL_3, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
389 // test accessibility from another label
391 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
393 allow_access_negative(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_4, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE, CKMC_ERROR_PERMISSION_DENIED);
394 deny_access_negative (aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_4, CKMC_ERROR_PERMISSION_DENIED);
398 // checks if only aliases readable by given app are returned
// Enumeration case: listing aliases must return only entries the caller may read.
// The owner stores two aliases, records the count it sees, and shares one of them.
// The accessor is then expected to see count - 1 entries, count after adding one of its
// own, and count - 2 once the share has been revoked.
// NOTE(review): `count` is declared on a line missing from this listing. The arithmetic is
// exact only if every entry counted for APP_LABEL_1, other than the two saved here, is also
// visible to APP_LABEL_2; in practice that means a clean database where count == 2.
// NOTE(review): the final count - 2 assumes ssd3 has already been destroyed, and with it
// TEST_ALIAS3; the brace lines that would show this are missing.
399 RUNNER_TEST(T3030_manager_get_all_aliases, RemoveDataEnv<APP_1>)
404 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
405 save_data(TEST_ALIAS, TEST_DATA);
406 save_data(TEST_ALIAS2, TEST_DATA);
408 count = count_aliases(ALIAS_DATA);
409 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
412 // test accessibility from another label
414 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
416 // check that app can access other aliases when it has permission
417 check_alias_count(count - 1);
419 ScopedSaveData ssd3(TEST_ALIAS3, TEST_DATA);
421 // check that app can access its own aliases
422 check_alias_count(count - 1 + 1);
// owner revokes the share
427 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
428 deny_access(TEST_ALIAS, APP_LABEL_2);
431 // test accessibility from another label
433 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
435 // check that app can't access other aliases for which permission has been revoked
436 check_alias_count(count - 2);
440 // tries to access other application data with permission
// Same scenario as T3021, using the older ckmc_allow_access() path with CKMC_AR_READ.
// Keeps the legacy grant call under test while it is still exported.
441 RUNNER_TEST(T3031_manager_deprecated_access_allowed, RemoveDataEnv<APP_1>)
445 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
446 save_data(TEST_ALIAS, TEST_DATA);
448 allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
451 // test accessibility from another label
453 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
455 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
459 // tries to read other application data with permission for read/remove
// Same scenario as T3022, using ckmc_allow_access() with CKMC_AR_READ_REMOVE: the accessor
// must be able to read.
460 RUNNER_TEST(T3032_manager_deprecated_access_allowed_with_remove, RemoveDataEnv<APP_1>)
464 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
465 save_data(TEST_ALIAS, TEST_DATA);
467 allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
470 // test accessibility from another label
472 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
474 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
478 // tries to remove other application data with permission for reading only
// Same scenario as T3023, using ckmc_allow_access() with CKMC_AR_READ: removal must be
// denied while reading stays allowed.
479 RUNNER_TEST(T3033_manager_deprecated_access_allowed_remove_denied, RemoveDataEnv<APP_1>)
483 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
484 save_data(TEST_ALIAS, TEST_DATA);
486 allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
489 // test accessibility from another label
491 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
493 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
494 check_remove_denied(TEST_ALIAS_adr.c_str());
495 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
499 // tries to remove other application data with permission
// Same scenario as T3025, using ckmc_allow_access() with CKMC_AR_READ_REMOVE: the accessor
// must be able to remove the owner's data.
500 RUNNER_TEST(T3034_manager_deprecated_remove_allowed, RemoveDataEnv<APP_1>)
504 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
505 save_data(TEST_ALIAS, TEST_DATA);
507 allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
510 // test accessibility from another label
512 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
514 check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
518 /////////////////////////////////////////////////////////////////////////////
// Test group T31xx: permission management through the control (admin) API
// (ckmc_set_permission_by_adm and ckmc_allow_access_by_adm), which takes the target user id
// and an owner-qualified alias instead of acting on the caller's own data.
521 RUNNER_TEST_GROUP_INIT (T310_CKMC_ACCESS_CONTROL_ROOT_C_API);
// Group set-up: calls reset_user_data() for both fixture users, as T3000_init does.
// NOTE(review): reset_user_data() is defined outside this listing; presumably it resets each
// user's database to a known state - confirm.
523 RUNNER_TEST(T3100_init)
525 reset_user_data(APP_1, APP_PASS_1);
526 reset_user_data(APP_2, APP_PASS_2);
529 // invalid argument check
// Negative cases for granting through the control API. Each call must return
// CKMC_ERROR_INVALID_PARAMETER:
//   - an alias that carries no owner label;
//   - a NULL accessor;
//   - an alias qualified with two owner labels ("another-owner" wrapped around an already
//     qualified alias).
// NOTE(review): the declaration of `ret` is on a line missing from this listing, as are the
// braces showing whether the admin calls run after the ScopedAccessProvider has been released.
530 RUNNER_TEST(T3101_control_allow_access_invalid, RemoveDataEnv<APP_1>)
534 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
535 save_data(TEST_ALIAS, TEST_DATA);
539 ret = ckmc_set_permission_by_adm(APP_1, TEST_ALIAS, "accessor", CKMC_PERMISSION_READ);
540 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
541 ret = ckmc_set_permission_by_adm(APP_1, "owner alias", NULL, CKMC_PERMISSION_READ);
542 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
// doubly qualified alias
545 std::string aliasLabel = aliasWithLabel(getOwnerIdFromSelf().c_str(), TEST_ALIAS);
546 ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), APP_LABEL_1, CKMC_PERMISSION_READ);
547 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
550 // invalid argument check
// Negative cases for revoking through the control API. A missing owner label, a NULL
// accessor and a doubly qualified alias must each return CKMC_ERROR_INVALID_PARAMETER.
// NOTE(review): aliasWithLabel(NULL, ...) is only safe if that helper handles a NULL label;
// it is defined outside this listing, so confirm it does not build a std::string from NULL.
551 RUNNER_TEST(T3102_control_deny_access_invalid, RemoveDataEnv<APP_1>)
555 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
556 save_data(TEST_ALIAS, TEST_DATA);
559 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
560 ckmc_set_permission_by_adm(APP_1, aliasWithLabel(NULL, TEST_ALIAS).c_str(), "accessor", CKMC_PERMISSION_NONE));
561 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
562 ckmc_set_permission_by_adm(APP_1, aliasWithLabel("owner", TEST_ALIAS).c_str(), NULL, CKMC_PERMISSION_NONE));
// doubly qualified alias
565 std::string aliasLabel = aliasWithLabel(getOwnerIdFromSelf().c_str(), TEST_ALIAS);
566 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
567 ckmc_set_permission_by_adm(APP_1, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), APP_LABEL_1, CKMC_PERMISSION_NONE));
570 // tries to allow access for non existing alias
// Negative case: granting READ through the control API on an owner/alias pair that was
// never stored must return CKMC_ERROR_DB_ALIAS_UNKNOWN. The user's data is reset first.
571 RUNNER_TEST(T3103_control_allow_access_non_existing)
573 reset_user_data(APP_1, APP_PASS_1);
574 int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_READ);
575 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
576 "Allowing access for non existing alias returned " << CKMCErrorToString(ret));
579 // tries to deny access for non existing alias
// Negative case: revoking through the control API on an owner/alias pair that was never
// stored must return CKMC_ERROR_DB_ALIAS_UNKNOWN. The user's data is reset first.
580 RUNNER_TEST(T3104_control_deny_access_non_existing)
582 reset_user_data(APP_1, APP_PASS_1);
583 int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
584 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
585 "Denying access for non existing alias returned " << CKMCErrorToString(ret));
588 // tries to deny non existing access
// Negative case: the alias exists, but APP_LABEL_2 was never granted anything on it.
// Revoking that absent grant through the control API must return
// CKMC_ERROR_INVALID_PARAMETER, matching T3005 for the per-application API.
589 RUNNER_TEST(T3105_control_deny_access_non_existing_access, RemoveDataEnv<APP_1>)
593 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
594 save_data(TEST_ALIAS, TEST_DATA);
597 int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_NONE);
598 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
599 "Denying non existing access returned: " << CKMCErrorToString(ret));
602 // tries to allow application to access its own data
// Negative case: an owner granting access to itself must get CKMC_ERROR_INVALID_PARAMETER.
// NOTE(review): although this case sits in the control-API group, it calls
// ckmc_set_permission(), not ckmc_set_permission_by_adm(). The admin path for a self-grant is
// therefore not exercised, and the case largely repeats T3006 with APP_LABEL_1 as accessor.
603 RUNNER_TEST(T3106_control_allow_access_to_myself, RemoveDataEnv<APP_1>)
606 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
607 save_data(TEST_ALIAS, TEST_DATA);
610 int ret = ckmc_set_permission(TEST_ALIAS, APP_LABEL_1, CKMC_PERMISSION_READ);
611 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
612 "Trying to allow myself returned: " << CKMCErrorToString(ret));
615 // tries to use admin API as a user
// Privilege-boundary case: an ordinary application calling the control API to grant access
// must get CKMC_ERROR_PERMISSION_DENIED.
// NOTE(review): RUNNER_IGNORED_MSG is the first statement, so the case is presumably skipped
// before any check runs - confirm against the runner. While it stays disabled, the rule that
// unprivileged callers cannot grant through the control API is not verified by this file.
616 RUNNER_CHILD_TEST(T3110_control_allow_access_as_user, RemoveDataEnv<APP_1>)
618 RUNNER_IGNORED_MSG("Disabled until labeled sockets not available");
621 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
622 save_data(TEST_ALIAS, TEST_DATA);
625 int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_READ);
626 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
627 "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret));
630 // tries to use admin API as a user
// Privilege-boundary case: an ordinary application calling the control API to revoke access
// must get CKMC_ERROR_PERMISSION_DENIED.
// NOTE(review): RUNNER_IGNORED_MSG is the first statement, so the case is presumably skipped
// before any check runs - confirm against the runner. While it stays disabled, the rule that
// unprivileged callers cannot revoke through the control API is not verified by this file.
631 RUNNER_CHILD_TEST(T3111_control_deny_access_as_user, RemoveDataEnv<APP_1>)
633 RUNNER_IGNORED_MSG("Disabled until labeled sockets not available");
636 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
637 save_data(TEST_ALIAS, TEST_DATA);
640 int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_NONE);
641 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
642 "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret));
645 // tries to read other application data with permission
// Positive case: after a READ grant issued through the control API on behalf of the owner,
// APP_LABEL_2 must read the data through the owner-qualified alias.
// NOTE(review): the admin call is assumed to run outside any ScopedAccessProvider scope; the
// brace lines that would show this are missing from this listing.
646 RUNNER_TEST(T3121_control_access_allowed, RemoveDataEnv<APP_1>)
650 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
651 save_data(TEST_ALIAS, TEST_DATA);
654 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
656 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
658 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
662 // tries to read other application data with permission to read/remove
// Positive case: with READ | REMOVE granted through the control API, APP_LABEL_2 must be
// able to read. Removal under the same grant is covered by T3125.
663 RUNNER_TEST(T3122_control_access_allowed_with_remove, RemoveDataEnv<APP_1>)
667 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
668 save_data(TEST_ALIAS, TEST_DATA);
671 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
673 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
675 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
679 // tries to remove other application data with permission to read
// Least-privilege case: a READ-only grant issued through the control API must not allow
// removal.
// NOTE(review): this case reuses the T3122 prefix of the preceding case; the per-application
// counterpart is numbered T3023, so T3123 was probably intended.
// NOTE(review): unlike T3023, the read is not re-checked after the denied remove, so the case
// does not show the data survived the attempt.
680 RUNNER_TEST(T3122_control_access_allowed_remove_denied, RemoveDataEnv<APP_1>)
684 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
685 save_data(TEST_ALIAS, TEST_DATA);
688 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
690 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
692 check_remove_denied(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
696 // tries to remove other application data with permission
// Positive case: with READ | REMOVE granted through the control API, APP_LABEL_2 must be
// able to remove the owner's data.
697 RUNNER_TEST(T3125_control_remove_allowed, RemoveDataEnv<APP_1>)
701 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
702 save_data(TEST_ALIAS, TEST_DATA);
705 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
707 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
709 check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
713 // tries to access other application data after the allow function has been called twice with different permission masks
// Overwrite semantics through the control API: the second grant (READ) replaces the first
// (READ | REMOVE) instead of merging with it, so the accessor must be denied removal but
// still read.
715 RUNNER_TEST(T3126_control_double_allow, RemoveDataEnv<APP_1>)
719 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
720 save_data(TEST_ALIAS, TEST_DATA);
723 // access should be overwritten
724 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
725 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
727 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
729 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
730 check_remove_denied(TEST_ALIAS_adr.c_str());
731 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
735 // tries to access other application data with permission and after permission has been revoked
// Revocation through the control API. After a READ grant the accessor can read but not
// remove. After deny_access_by_adm() both operations must report the alias as not visible,
// so a revoked grant leaves no residual access.
// NOTE(review): the brace lines separating the owner, admin and accessor phases are missing
// from this listing.
736 RUNNER_TEST(T3127_control_allow_deny, RemoveDataEnv<APP_1>)
740 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
741 save_data(TEST_ALIAS, TEST_DATA);
744 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
745 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
747 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
749 check_remove_denied(TEST_ALIAS_adr.c_str());
750 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
// admin revokes the grant
753 deny_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2);
755 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
757 check_remove_not_visible(TEST_ALIAS_adr.c_str());
758 check_read_not_visible(TEST_ALIAS_adr.c_str());
762 // checks if only aliases readable by given app are returned
// Enumeration case with the grant and revoke issued through the control API: the accessor's
// alias listing must contain only entries it may read. That is count - 1 while one of the
// owner's two aliases is shared, count after adding one of its own, and count - 2 once the
// share has been revoked.
// NOTE(review): `count` is declared on a line missing from this listing. The arithmetic is
// exact only if every entry counted for APP_LABEL_1, other than the two saved here, is also
// visible to APP_LABEL_2; in practice that means a clean database where count == 2.
// NOTE(review): the final count - 2 assumes ssd has already been destroyed, and with it
// TEST_ALIAS3; the brace lines that would show this are missing.
763 RUNNER_TEST(T3130_control_get_all_aliases, RemoveDataEnv<APP_1>)
768 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
769 save_data(TEST_ALIAS, TEST_DATA);
770 save_data(TEST_ALIAS2, TEST_DATA);
772 count = count_aliases(ALIAS_DATA);
775 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
777 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
779 // check that app can access other aliases when it has permission
780 check_alias_count(count - 1);
782 ScopedSaveData ssd(TEST_ALIAS3, TEST_DATA);
784 // check that app can access its own aliases
785 check_alias_count(count - 1 + 1);
// admin revokes the share
788 deny_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2);
790 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
792 // check that app can't access other aliases for which permission has been revoked
793 check_alias_count(count - 2);
797 // tries to add access to data in a database of invalid user
// Per-user isolation: the data is stored for user APP_1, but the grant is requested against
// user APP_2's database. The alias must not be found there (CKMC_ERROR_DB_ALIAS_UNKNOWN),
// which shows the uid argument selects the database rather than being ignored.
798 RUNNER_TEST(T3140_control_allow_invalid_user, RemoveDataEnv<APP_1>)
802 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
803 save_data(TEST_ALIAS, TEST_DATA);
806 int ret = ckmc_set_permission_by_adm(APP_2, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
807 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
808 "Trying to allow access to invalid user returned: " << CKMCErrorToString(ret));
811 // tries to revoke access to data in a database of invalid user
// Per-user isolation for revocation: the data is stored for user APP_1, and the revoke is
// requested against user APP_2's database. It must return CKMC_ERROR_DB_ALIAS_UNKNOWN.
812 RUNNER_TEST(T3141_control_deny_invalid_user, RemoveDataEnv<APP_1>)
816 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
817 save_data(TEST_ALIAS, TEST_DATA);
820 int ret = ckmc_set_permission_by_adm(APP_2, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_NONE);
821 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
822 "Trying to deny access to invalid user returned: " << CKMCErrorToString(ret));
825 // tries to read other application data with permission
// Same scenario as T3121, using the older ckmc_allow_access_by_adm() path with CKMC_AR_READ:
// the accessor must be able to read.
826 RUNNER_TEST(T3142_control_deprecated_access_allowed, RemoveDataEnv<APP_1>)
830 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
831 save_data(TEST_ALIAS, TEST_DATA);
834 allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
836 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
838 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
842 // tries to read other application data with permission to read/remove
// Same scenario as T3122 (read under READ | REMOVE), using ckmc_allow_access_by_adm() with
// CKMC_AR_READ_REMOVE.
843 RUNNER_TEST(T3143_control_deprecated_access_allowed_with_remove, RemoveDataEnv<APP_1>)
847 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
848 save_data(TEST_ALIAS, TEST_DATA);
851 allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
853 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
855 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
859 // tries to remove other application data with permission to read
// Least-privilege case for the older admin grant call: with CKMC_AR_READ only, removal by
// the accessor must be denied.
// NOTE(review): unlike T3033, the read is not re-checked after the denied remove.
860 RUNNER_TEST(T3144_control_deprecated_access_allowed_remove_denied, RemoveDataEnv<APP_1>)
864 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
865 save_data(TEST_ALIAS, TEST_DATA);
868 allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
870 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
872 check_remove_denied(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
876 // tries to remove other application data with permission
// Same scenario as T3125, using ckmc_allow_access_by_adm() with CKMC_AR_READ_REMOVE: the
// accessor must be able to remove the owner's data.
877 RUNNER_TEST(T3145_control_deprecated_remove_allowed, RemoveDataEnv<APP_1>)
881 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
882 save_data(TEST_ALIAS, TEST_DATA);
885 allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
887 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
889 check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());