2 * Copyright (c) 2000 - 2015 Samsung Electronics Co.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @author Maciej Karpiuk (m.karpiuk2@samsung.com)
20 #include <dpl/test/test_runner.h>
21 #include <dpl/test/test_runner_child.h>
22 #include <tests_common.h>
23 #include <ckm-common.h>
24 #include <ckm/ckm-control.h>
25 #include <ckmc/ckmc-manager.h>
26 #include <ckmc/ckmc-type.h>
27 #include <access_provider2.h>
29 #include <sys/types.h>
33 const uid_t USER_SERVICE = 0;
34 const uid_t USER_SERVICE_2 = 1234;
35 const uid_t GROUP_SERVICE_2 = 1234;
36 const uid_t USER_SERVICE_MAX = 4999;
37 const uid_t GROUP_SERVICE_MAX = 4999;
38 const uid_t USER_SERVICE_FAIL = 5000;
39 const uid_t GROUP_SERVICE_FAIL = 5000;
40 const uid_t USER_APP = 5050;
41 const uid_t GROUP_APP = 5050;
42 const char* APP_PASS = "user-pass";
44 const char* TEST_ALIAS = "test-alias";
45 const char* SYSTEM_LABEL = ckmc_owner_id_system;
46 const char* INVALID_LABEL = "coco-jumbo";
47 std::string TEST_SYSTEM_ALIAS = aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS);
48 std::string TEST_SYSTEM_ALIAS_2 = aliasWithLabel(SYSTEM_LABEL, "test-alias-2");
49 const char* TEST_LABEL = "test-label";
50 const char* TEST_LABEL_2 = "test-label-2";
52 const char* TEST_DATA =
53 "Lorem Ipsum. At vero eos et accusamus et iusto odio dignissimos ducimus "
54 "qui blanditiis praesentium voluptatum deleniti atque corrupti quos dolores "
55 "et quas molestias excepturi sint occaecati cupiditate non provident, "
56 "similique sunt in culpa qui officia deserunt mollitia animi, id est "
57 "laborum et dolorum fuga. ";
61 RUNNER_TEST_GROUP_INIT(T50_SYSTEM_DB);
63 RUNNER_TEST(T5010_CLIENT_APP_LOCKED_PRIVATE_DB)
65 RUNNER_IGNORED_MSG("This test is turn off because fix "
66 "from tizen 2.4 that unlock db with empty password");
68 // start as system service
69 // add resource to the system DB
70 // add permission to the resource to a user app
72 // switch to user app, leave DB locked
73 // try to access system DB item - expect success
76 remove_user_data(USER_APP);
77 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
78 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
82 ScopedAccessProvider ap(TEST_LABEL);
83 ap.allowAPI("key-manager::api-storage", "rw");
84 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
86 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
90 RUNNER_TEST(T5020_CLIENT_APP_ADD_TO_PRIVATE_DB)
93 // switch to user app, unlock DB
94 // when accessing private DB - owner==me
95 // try to write to private DB - expect success
96 // try to get item from private DB - expect success
100 remove_user_data(USER_APP);
101 ScopedDBUnlock unlock(USER_APP, APP_PASS);
102 ScopedAccessProvider ap(TEST_LABEL);
103 ap.allowAPI("key-manager::api-storage", "rw");
104 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
106 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
107 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
111 RUNNER_TEST(T5030_CLIENT_APP_TRY_ADDING_SYSTEM_ITEM, RemoveDataEnv<0, USER_APP>)
114 // switch to user app, unlock DB
115 // try to add item to system DB - expect fail
119 ScopedDBUnlock unlock(USER_APP, APP_PASS);
120 ScopedAccessProvider ap(TEST_LABEL);
121 ap.allowAPI("key-manager::api-storage", "rw");
122 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
124 save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
125 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
129 RUNNER_TEST(T5031_CLIENT_APP_ACCESS_WITH_PERMISSION, RemoveDataEnv<0, USER_APP>)
132 // start as system service
133 // add resource to the system DB
134 // add permission to the resource to a user app
136 // switch to user app, unlock DB
137 // try to access the system item - expect success
139 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
140 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
144 ScopedDBUnlock unlock(USER_APP, APP_PASS);
145 ScopedAccessProvider ap(TEST_LABEL);
146 ap.allowAPI("key-manager::api-storage", "rw");
147 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
149 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
153 RUNNER_TEST(T5032_CLIENT_APP_ACCESS_NO_PERMISSION, RemoveDataEnv<0, USER_APP>)
156 // start as system service
157 // add resource to the system DB
159 // switch to user app, unlock DB
160 // try to access the system item - expect fail
163 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
167 ScopedDBUnlock unlock(USER_APP, APP_PASS);
168 ScopedAccessProvider ap(TEST_LABEL);
169 ap.allowAPI("key-manager::api-storage", "rw");
170 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
172 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
176 RUNNER_TEST(T5033_CLIENT_APP_PERMISSION_REMOVAL, RemoveDataEnv<0, USER_APP>)
179 // start as system service
180 // add resource to the system DB
181 // add permission to the resource to a user app
183 // switch to user app, unlock DB
184 // try to access the system item - expect success
186 // as system service, remove the item (expecting to remove permission)
187 // add item again, do not add permission
189 // switch to user app, unlock DB
190 // try to access the system item - expect fail
193 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
194 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
198 ScopedDBUnlock unlock(USER_APP, APP_PASS);
199 ScopedAccessProvider ap(TEST_LABEL);
200 ap.allowAPI("key-manager::api-storage", "rw");
201 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
203 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
207 check_remove_allowed(TEST_SYSTEM_ALIAS.c_str());
211 ScopedDBUnlock unlock(USER_APP, APP_PASS);
212 ScopedAccessProvider ap(TEST_LABEL);
213 ap.allowAPI("key-manager::api-storage", "rw");
214 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
216 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
220 RUNNER_TEST(T5034_CLIENT_APP_SET_READ_ACCESS, RemoveDataEnv<0, USER_APP>)
223 // switch to user app, unlock DB
224 // try to write to private DB - expect success
225 // try to write to system DB - expect fail
229 ScopedDBUnlock unlock(USER_APP, APP_PASS);
230 ScopedAccessProvider ap(TEST_LABEL);
231 ap.allowAPI("key-manager::api-storage", "rw");
232 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
234 ScopedSaveData ssdsystem_user(TEST_ALIAS, TEST_DATA);
235 ScopedSaveData ssdsystem_system(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
236 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
240 RUNNER_TEST(T5035_CLIENT_APP_TRY_REMOVING_SYSTEM_ITEM, RemoveDataEnv<0, USER_APP>)
243 // start as system service
244 // add resource to the system DB
245 // add permission to the resource to a user app
247 // switch to user app, unlock DB
248 // try to remove item from system DB - expect fail
251 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
252 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
256 ScopedDBUnlock unlock(USER_APP, APP_PASS);
257 ScopedAccessProvider ap(TEST_LABEL);
258 ap.allowAPI("key-manager::api-storage", "rw");
259 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
261 check_remove_denied(TEST_SYSTEM_ALIAS.c_str());
265 RUNNER_TEST(T5036_CLIENT_LIST_ACCESSIBLE_ITEMS, RemoveDataEnv<0, USER_APP>)
268 // start as system service
269 // add data A to the system DB
270 // add data B to the system DB
271 // add permission to data A to a user app
273 // system service list items - expect both items to appear
275 // switch to user app, unlock DB
277 // user lists items - expect system item A and private item
280 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
281 save_data(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA);
282 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
285 check_alias_list({TEST_SYSTEM_ALIAS.c_str(), TEST_SYSTEM_ALIAS_2.c_str()});
289 ScopedDBUnlock unlock(USER_APP, APP_PASS);
290 ScopedAccessProvider ap(TEST_LABEL);
291 ap.allowAPI("key-manager::api-storage", "rw");
292 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
293 ScopedSaveData user_data(TEST_ALIAS, TEST_DATA);
295 check_alias_list({TEST_SYSTEM_ALIAS.c_str(),
296 aliasWithLabel(TEST_LABEL, TEST_ALIAS)});
300 RUNNER_TEST(T5037_CLIENT_APP_TRY_GENERATE_KEY_IN_SYSTEM_DB, RemoveDataEnv<USER_APP>)
303 // switch to user app, unlock DB
304 // try to generate a key in system DB - expect fail
308 ScopedDBUnlock unlock(USER_APP, APP_PASS);
309 ScopedAccessProvider ap(TEST_LABEL);
310 ap.allowAPI("key-manager::api-storage", "rw");
311 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
313 std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
314 std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
315 ckmc_policy_s policy_private_key;
316 ckmc_policy_s policy_public_key;
317 policy_private_key.password = NULL;
318 policy_private_key.extractable = 1;
319 policy_public_key.password = NULL;
320 policy_public_key.extractable = 1;
323 CKMC_ERROR_PERMISSION_DENIED ==
324 (temp = ckmc_create_key_pair_rsa(1024,
325 private_key_alias.c_str(),
326 public_key_alias.c_str(),
329 CKMCReadableError(temp));
333 RUNNER_TEST(T5038_CLIENT_SERVER_CREATE_VERIFY_SYSTEM_DB, RemoveDataEnv<0,USER_APP>)
336 // start as system service
337 // generate RSA key in system DB
339 // try to create and verify signature in system DB - expect success
341 // switch to user app, unlock DB
342 // try to create signature in system DB - expect fail
345 std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
346 std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
347 ckmc_policy_s policy_private_key;
348 ckmc_policy_s policy_public_key;
349 policy_private_key.password = NULL;
350 policy_private_key.extractable = 1;
351 policy_public_key.password = NULL;
352 policy_public_key.extractable = 1;
356 (temp = ckmc_create_key_pair_rsa(1024,
357 private_key_alias.c_str(),
358 public_key_alias.c_str(),
361 CKMCReadableError(temp));
365 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
366 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
367 ckmc_raw_buffer_s *signature;
368 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");
371 CKMC_ERROR_NONE == (temp = ckmc_create_signature(
372 private_key_alias.c_str(),
378 CKMCReadableError(temp));
381 CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
382 public_key_alias.c_str(),
388 CKMCReadableError(temp));
393 ScopedDBUnlock unlock(USER_APP, APP_PASS);
394 ScopedAccessProvider ap(TEST_LABEL);
395 ap.allowAPI("key-manager::api-storage", "rw");
396 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
398 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
399 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
400 ckmc_raw_buffer_s *signature;
401 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");
404 CKMC_ERROR_DB_ALIAS_UNKNOWN == (temp = ckmc_create_signature(
405 private_key_alias.c_str(),
411 CKMCReadableError(temp));
415 RUNNER_TEST(T5039_SYSTEM_APP_SET_REMOVE_ACCESS, RemoveDataEnv<0>)
418 // start as system service
419 // add resource to the system DB
421 // add remove permission to a user app - expect fail
424 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
427 allow_access_negative(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_REMOVE, CKMC_ERROR_INVALID_PARAMETER);
430 RUNNER_TEST(T5040_SYSTEM_SVC_ACCESS_DB, RemoveDataEnv<0>)
433 // start as system service
434 // add resource to the system DB
436 // try to access the item - expect success
439 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
442 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
445 RUNNER_TEST(T5041_SYSTEM_SVC_1234_ACCESS_DB, RemoveDataEnv<0>)
448 // start as system service
449 // add resource to the system DB
451 // switch to another system service
452 // try to access the item - expect success
455 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
459 ScopedAccessProvider ap(TEST_LABEL_2);
460 ap.allowAPI("key-manager::api-storage", "rw");
461 ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
463 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
467 RUNNER_TEST(T5042_SYSTEM_SVC_1234_ADD_ITEM_TO_DB)
470 // start as system service 1234
471 // add resource to the system DB
473 // switch to another system service
474 // try to access the item - expect success
478 ScopedAccessProvider ap(TEST_LABEL_2);
479 ap.allowAPI("key-manager::api-storage", "rw");
480 ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
483 ScopedSaveData ssd(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
484 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
488 RUNNER_TEST(T5043_SYSTEM_SVC_4999_ACCESS_DB, RemoveDataEnv<0>)
491 // start as system service
492 // add resource to the system DB
494 // switch to system service having uid maximum for system svcs
495 // try to access the item - expect success
498 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
502 ScopedAccessProvider ap(TEST_LABEL_2);
503 ap.allowAPI("key-manager::api-storage", "rw");
504 ap.applyAndSwithToUser(USER_SERVICE_MAX, GROUP_SERVICE_MAX);
506 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
510 RUNNER_TEST(T5044_SYSTEM_SVC_5000_ACCESS_DB, RemoveDataEnv<0>)
512 RUNNER_IGNORED_MSG("This test is turn off because fix "
513 "from tizen 2.4 that unlock db with empty password");
515 // start as system service
516 // add resource to the system DB
518 // switch to another, faulty system service with user-land uid==5000
519 // try to access the item - expect fail (no system service)
522 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
526 ScopedAccessProvider ap(TEST_LABEL_2);
527 ap.allowAPI("key-manager::api-storage", "rw");
528 ap.applyAndSwithToUser(USER_SERVICE_FAIL, GROUP_SERVICE_FAIL);
530 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
534 RUNNER_TEST(T5045_SYSTEM_DB_ADD_WITH_INVALID_LABEL, RemoveDataEnv<0>)
537 // start as system service
539 // try to add item to system DB using wrong label - expect fail
540 // try to add item using explicit system label - expect success
543 save_data(aliasWithLabel(INVALID_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
544 check_read(TEST_ALIAS, INVALID_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
546 save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA);
547 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);