2 * Copyright (c) 2000 - 2015 Samsung Electronics Co.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @author Maciej Karpiuk (m.karpiuk2@samsung.com)
20 #include <dpl/test/test_runner.h>
21 #include <dpl/test/test_runner_child.h>
22 #include <tests_common.h>
23 #include <ckm-common.h>
24 #include <ckm/ckm-control.h>
25 #include <ckmc/ckmc-manager.h>
26 #include <ckmc/ckmc-type.h>
27 #include <access_provider2.h>
29 #include <sys/types.h>
33 const uid_t USER_SERVICE = 0;
34 const uid_t USER_SERVICE_2 = 1234;
35 const uid_t GROUP_SERVICE_2 = 1234;
36 const uid_t USER_SERVICE_MAX = 4999;
37 const uid_t GROUP_SERVICE_MAX = 4999;
38 const uid_t USER_SERVICE_FAIL = 5000;
39 const uid_t GROUP_SERVICE_FAIL = 5000;
40 const uid_t USER_APP = 5050;
41 const uid_t GROUP_APP = 5050;
42 const char* APP_PASS = "user-pass";
44 const char* TEST_ALIAS = "test-alias";
45 const char* INVALID_LABEL = "coco-jumbo";
46 std::string TEST_SYSTEM_ALIAS = aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS);
47 std::string TEST_SYSTEM_ALIAS_2 = aliasWithLabel(SYSTEM_LABEL, "test-alias-2");
49 const char* TEST_DATA =
50 "Lorem Ipsum. At vero eos et accusamus et iusto odio dignissimos ducimus "
51 "qui blanditiis praesentium voluptatum deleniti atque corrupti quos dolores "
52 "et quas molestias excepturi sint occaecati cupiditate non provident, "
53 "similique sunt in culpa qui officia deserunt mollitia animi, id est "
54 "laborum et dolorum fuga. ";
58 RUNNER_TEST_GROUP_INIT(T50_SYSTEM_DB);
60 RUNNER_TEST(T5010_CLIENT_APP_LOCKED_PRIVATE_DB)
62 RUNNER_IGNORED_MSG("This test is turn off because fix "
63 "from tizen 2.4 that unlock db with empty password");
65 // start as system service
66 // add resource to the system DB
67 // add permission to the resource to a user app
69 // switch to user app, leave DB locked
70 // try to access system DB item - expect success
73 remove_user_data(USER_APP);
74 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
75 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
79 ScopedAccessProvider ap(TEST_LABEL);
80 ap.allowAPI("key-manager::api-storage", "rw");
81 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
83 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
87 RUNNER_TEST(T5020_CLIENT_APP_ADD_TO_PRIVATE_DB)
90 // switch to user app, unlock DB
91 // when accessing private DB - owner==me
92 // try to write to private DB - expect success
93 // try to get item from private DB - expect success
97 remove_user_data(USER_APP);
98 ScopedDBUnlock unlock(USER_APP, APP_PASS);
99 ScopedAccessProvider ap(TEST_LABEL);
100 ap.allowAPI("key-manager::api-storage", "rw");
101 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
103 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
104 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
108 RUNNER_TEST(T5030_CLIENT_APP_TRY_ADDING_SYSTEM_ITEM, RemoveDataEnv<0, USER_APP>)
111 // switch to user app, unlock DB
112 // try to add item to system DB - expect fail
116 ScopedDBUnlock unlock(USER_APP, APP_PASS);
117 ScopedAccessProvider ap(TEST_LABEL);
118 ap.allowAPI("key-manager::api-storage", "rw");
119 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
121 save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
122 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
126 RUNNER_TEST(T5031_CLIENT_APP_ACCESS_WITH_PERMISSION, RemoveDataEnv<0, USER_APP>)
129 // start as system service
130 // add resource to the system DB
131 // add permission to the resource to a user app
133 // switch to user app, unlock DB
134 // try to access the system item - expect success
136 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
137 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
141 ScopedDBUnlock unlock(USER_APP, APP_PASS);
142 ScopedAccessProvider ap(TEST_LABEL);
143 ap.allowAPI("key-manager::api-storage", "rw");
144 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
146 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
150 RUNNER_TEST(T5032_CLIENT_APP_ACCESS_NO_PERMISSION, RemoveDataEnv<0, USER_APP>)
153 // start as system service
154 // add resource to the system DB
156 // switch to user app, unlock DB
157 // try to access the system item - expect fail
160 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
164 ScopedDBUnlock unlock(USER_APP, APP_PASS);
165 ScopedAccessProvider ap(TEST_LABEL);
166 ap.allowAPI("key-manager::api-storage", "rw");
167 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
169 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
173 RUNNER_TEST(T5033_CLIENT_APP_PERMISSION_REMOVAL, RemoveDataEnv<0, USER_APP>)
176 // start as system service
177 // add resource to the system DB
178 // add permission to the resource to a user app
180 // switch to user app, unlock DB
181 // try to access the system item - expect success
183 // as system service, remove the item (expecting to remove permission)
184 // add item again, do not add permission
186 // switch to user app, unlock DB
187 // try to access the system item - expect fail
190 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
191 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
195 ScopedDBUnlock unlock(USER_APP, APP_PASS);
196 ScopedAccessProvider ap(TEST_LABEL);
197 ap.allowAPI("key-manager::api-storage", "rw");
198 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
200 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
204 check_remove_allowed(TEST_SYSTEM_ALIAS.c_str());
208 ScopedDBUnlock unlock(USER_APP, APP_PASS);
209 ScopedAccessProvider ap(TEST_LABEL);
210 ap.allowAPI("key-manager::api-storage", "rw");
211 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
213 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
217 RUNNER_TEST(T5034_CLIENT_APP_SET_READ_ACCESS, RemoveDataEnv<0, USER_APP>)
220 // switch to user app, unlock DB
221 // try to write to private DB - expect success
222 // try to write to system DB - expect fail
226 ScopedDBUnlock unlock(USER_APP, APP_PASS);
227 ScopedAccessProvider ap(TEST_LABEL);
228 ap.allowAPI("key-manager::api-storage", "rw");
229 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
231 ScopedSaveData ssdsystem_user(TEST_ALIAS, TEST_DATA);
232 ScopedSaveData ssdsystem_system(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
233 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
237 RUNNER_TEST(T5035_CLIENT_APP_TRY_REMOVING_SYSTEM_ITEM, RemoveDataEnv<0, USER_APP>)
240 // start as system service
241 // add resource to the system DB
242 // add permission to the resource to a user app
244 // switch to user app, unlock DB
245 // try to remove item from system DB - expect fail
248 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
249 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
253 ScopedDBUnlock unlock(USER_APP, APP_PASS);
254 ScopedAccessProvider ap(TEST_LABEL);
255 ap.allowAPI("key-manager::api-storage", "rw");
256 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
258 check_remove_denied(TEST_SYSTEM_ALIAS.c_str());
262 RUNNER_TEST(T5036_CLIENT_LIST_ACCESSIBLE_ITEMS, RemoveDataEnv<0, USER_APP>)
265 // start as system service
266 // add data A to the system DB
267 // add data B to the system DB
268 // add permission to data A to a user app
270 // system service list items - expect both items to appear
272 // switch to user app, unlock DB
274 // user lists items - expect system item A and private item
277 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
278 save_data(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA);
279 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
282 check_alias_list({TEST_SYSTEM_ALIAS.c_str(), TEST_SYSTEM_ALIAS_2.c_str()});
286 ScopedDBUnlock unlock(USER_APP, APP_PASS);
287 ScopedAccessProvider ap(TEST_LABEL);
288 ap.allowAPI("key-manager::api-storage", "rw");
289 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
290 ScopedSaveData user_data(TEST_ALIAS, TEST_DATA);
292 check_alias_list({TEST_SYSTEM_ALIAS.c_str(),
293 aliasWithLabel(TEST_LABEL, TEST_ALIAS)});
297 RUNNER_TEST(T5037_CLIENT_APP_TRY_GENERATE_KEY_IN_SYSTEM_DB, RemoveDataEnv<USER_APP>)
300 // switch to user app, unlock DB
301 // try to generate a key in system DB - expect fail
305 ScopedDBUnlock unlock(USER_APP, APP_PASS);
306 ScopedAccessProvider ap(TEST_LABEL);
307 ap.allowAPI("key-manager::api-storage", "rw");
308 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
310 std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
311 std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
312 ckmc_policy_s policy_private_key;
313 ckmc_policy_s policy_public_key;
314 policy_private_key.password = NULL;
315 policy_private_key.extractable = 1;
316 policy_public_key.password = NULL;
317 policy_public_key.extractable = 1;
320 CKMC_ERROR_PERMISSION_DENIED ==
321 (temp = ckmc_create_key_pair_rsa(1024,
322 private_key_alias.c_str(),
323 public_key_alias.c_str(),
326 CKMCReadableError(temp));
330 RUNNER_TEST(T5038_CLIENT_SERVER_CREATE_VERIFY_SYSTEM_DB, RemoveDataEnv<0,USER_APP>)
333 // start as system service
334 // generate RSA key in system DB
336 // try to create and verify signature in system DB - expect success
338 // switch to user app, unlock DB
339 // try to create signature in system DB - expect fail
342 std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
343 std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
344 ckmc_policy_s policy_private_key;
345 ckmc_policy_s policy_public_key;
346 policy_private_key.password = NULL;
347 policy_private_key.extractable = 1;
348 policy_public_key.password = NULL;
349 policy_public_key.extractable = 1;
353 (temp = ckmc_create_key_pair_rsa(1024,
354 private_key_alias.c_str(),
355 public_key_alias.c_str(),
358 CKMCReadableError(temp));
362 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
363 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
364 ckmc_raw_buffer_s *signature;
365 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");
368 CKMC_ERROR_NONE == (temp = ckmc_create_signature(
369 private_key_alias.c_str(),
375 CKMCReadableError(temp));
378 CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
379 public_key_alias.c_str(),
385 CKMCReadableError(temp));
390 ScopedDBUnlock unlock(USER_APP, APP_PASS);
391 ScopedAccessProvider ap(TEST_LABEL);
392 ap.allowAPI("key-manager::api-storage", "rw");
393 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
395 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
396 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
397 ckmc_raw_buffer_s *signature;
398 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");
401 CKMC_ERROR_DB_ALIAS_UNKNOWN == (temp = ckmc_create_signature(
402 private_key_alias.c_str(),
408 CKMCReadableError(temp));
412 RUNNER_TEST(T5039_SYSTEM_APP_SET_REMOVE_ACCESS, RemoveDataEnv<0>)
415 // start as system service
416 // add resource to the system DB
418 // add remove permission to a user app - expect fail
421 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
424 allow_access_negative(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_REMOVE, CKMC_ERROR_INVALID_PARAMETER);
427 RUNNER_TEST(T5040_SYSTEM_SVC_ACCESS_DB, RemoveDataEnv<0>)
430 // start as system service
431 // add resource to the system DB
433 // try to access the item - expect success
436 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
439 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
442 RUNNER_TEST(T5041_SYSTEM_SVC_1234_ACCESS_DB, RemoveDataEnv<0>)
445 // start as system service
446 // add resource to the system DB
448 // switch to another system service
449 // try to access the item - expect success
452 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
456 ScopedAccessProvider ap(TEST_LABEL_2);
457 ap.allowAPI("key-manager::api-storage", "rw");
458 ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
460 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
464 RUNNER_TEST(T5042_SYSTEM_SVC_1234_ADD_ITEM_TO_DB)
467 // start as system service 1234
468 // add resource to the system DB
470 // switch to another system service
471 // try to access the item - expect success
475 ScopedAccessProvider ap(TEST_LABEL_2);
476 ap.allowAPI("key-manager::api-storage", "rw");
477 ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
480 ScopedSaveData ssd(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
481 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
485 RUNNER_TEST(T5043_SYSTEM_SVC_4999_ACCESS_DB, RemoveDataEnv<0>)
488 // start as system service
489 // add resource to the system DB
491 // switch to system service having uid maximum for system svcs
492 // try to access the item - expect success
495 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
499 ScopedAccessProvider ap(TEST_LABEL_2);
500 ap.allowAPI("key-manager::api-storage", "rw");
501 ap.applyAndSwithToUser(USER_SERVICE_MAX, GROUP_SERVICE_MAX);
503 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
507 RUNNER_TEST(T5044_SYSTEM_SVC_5000_ACCESS_DB, RemoveDataEnv<0>)
509 RUNNER_IGNORED_MSG("This test is turn off because fix "
510 "from tizen 2.4 that unlock db with empty password");
512 // start as system service
513 // add resource to the system DB
515 // switch to another, faulty system service with user-land uid==5000
516 // try to access the item - expect fail (no system service)
519 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
523 ScopedAccessProvider ap(TEST_LABEL_2);
524 ap.allowAPI("key-manager::api-storage", "rw");
525 ap.applyAndSwithToUser(USER_SERVICE_FAIL, GROUP_SERVICE_FAIL);
527 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
531 RUNNER_TEST(T5045_SYSTEM_DB_ADD_WITH_INVALID_LABEL, RemoveDataEnv<0>)
534 // start as system service
536 // try to add item to system DB using wrong label - expect fail
537 // try to add item using explicit system label - expect success
540 save_data(aliasWithLabel(INVALID_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
541 check_read(TEST_ALIAS, INVALID_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
543 save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA);
544 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);