2 * Copyright (c) 2000 - 2015 Samsung Electronics Co.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @author Maciej Karpiuk (m.karpiuk2@samsung.com)
20 #include <dpl/test/test_runner.h>
21 #include <dpl/test/test_runner_child.h>
22 #include <dpl/log/log.h>
23 #include <tests_common.h>
24 #include <ckm-common.h>
25 #include <ckm/ckm-control.h>
26 #include <ckmc/ckmc-manager.h>
27 #include <ckmc/ckmc-type.h>
28 #include <access_provider2.h>
30 #include <sys/types.h>
// Identities and fixtures shared by the T50 system-DB tests.
// The uid constants encode the boundary the later tests probe: T5043 treats
// uid 4999 as the highest system-service uid and T5044 treats uid 5000 as a
// user-land uid that must not be served from the system DB.
34 const uid_t USER_SERVICE = 0;
35 const uid_t USER_SERVICE_2 = 1234;
// NOTE(review): the GROUP_* constants are passed as the second (group) argument
// of applyAndSwithToUser but are declared uid_t; gid_t would state the intent.
// Confirm against the helper's signature.
36 const uid_t GROUP_SERVICE_2 = 1234;
37 const uid_t USER_SERVICE_MAX = 4999;
38 const uid_t GROUP_SERVICE_MAX = 4999;
39 const uid_t USER_SERVICE_FAIL = 5000;
40 const uid_t GROUP_SERVICE_FAIL = 5000;
41 const uid_t USER_APP = 5050;
42 const uid_t GROUP_APP = 5050;
// Fixed password handed to ScopedDBUnlock for USER_APP; a test fixture value only.
43 const char* APP_PASS = "user-pass";
45 const char* TEST_ALIAS = "test-alias";
// Label the tests pass to check_read when they address an item in the system DB.
46 const char* SYSTEM_LABEL = "/";
// NOTE(review): these read as SYSTEM_LABEL + " " + alias, i.e. a label-qualified
// alias naming a system-DB item; confirm the separator matches the one the
// library uses.
47 const char* TEST_SYSTEM_ALIAS = "/ test-alias";
48 const char* TEST_SYSTEM_ALIAS_2 = "/ test-alias-2";
// Labels given to ScopedAccessProvider for the user app (TEST_LABEL) and for
// the secondary service identities (TEST_LABEL_2).
49 const char* TEST_LABEL = "test-label";
50 const char* TEST_LABEL_2 = "test-label-2";
// Payload saved and compared by every test; the content itself is irrelevant.
52 const char* TEST_DATA =
53 "Lorem Ipsum. At vero eos et accusamus et iusto odio dignissimos ducimus "
54 "qui blanditiis praesentium voluptatum deleniti atque corrupti quos dolores "
55 "et quas molestias excepturi sint occaecati cupiditate non provident, "
56 "similique sunt in culpa qui officia deserunt mollitia animi, id est "
57 "laborum et dolorum fuga. ";
// Registers the test group that the RUNNER_TEST cases below belong to.
61 RUNNER_TEST_GROUP_INIT(T50_SYSTEM_DB);
// Checks that a read grant on a system item is not enough while the caller's
// own user DB is locked: the read must return CKMC_ERROR_DB_LOCKED.
// No ScopedDBUnlock is created here, which is what leaves the user DB locked.
63 RUNNER_TEST(T5010_CLIENT_APP_LOCKED_PRIVATE_DB)
66 // start as system service
67 // add resource to the system DB
68 // add permission to the resource to a user app
70 // switch to user app, leave DB locked
71 // try to access system DB item - expect fail
75 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
// Grant read-only access on the system item to the app running under TEST_LABEL.
76 allow_access(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_READ);
// Drop to the user-app identity for the rest of the scope.
80 ScopedAccessProvider ap(TEST_LABEL);
81 ap.allowAPI("key-manager::api-storage", "rw");
82 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
// The item is addressed as alias + label; the last argument is the result
// code this read is expected to produce.
84 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
// Baseline for the private DB: after unlocking, the user app can save an item
// under its own label and read it back.
88 RUNNER_TEST(T5020_CLIENT_APP_ADD_TO_PRIVATE_DB)
91 // switch to user app, unlock DB
92 // when accessing private DB - owner==me
93 // try to write to private DB - expect success
94 // try to get item from private DB - expect success
98 ScopedAccessProvider ap(TEST_LABEL);
99 ap.allowAPI("key-manager::api-storage", "rw");
100 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
// Unlocks USER_APP's DB with the fixture password for the rest of the scope.
101 ScopedDBUnlock unlock(USER_APP, APP_PASS);
// Unqualified alias: the item is read back under the app's own label below.
103 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
104 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
// Positive case for delegated access: with a read grant on the system item and
// its own DB unlocked, the user app can read the item.
108 RUNNER_TEST(T5031_CLIENT_APP_ACCESS_WITH_PERMISSION)
111 // start as system service
112 // add resource to the system DB
113 // add permission to the resource to a user app
115 // switch to user app, unlock DB
116 // try to access the system item - expect success
120 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
// Read-only grant; T5035 checks that this does not also allow removal.
121 allow_access(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_READ);
125 ScopedAccessProvider ap(TEST_LABEL);
126 ap.allowAPI("key-manager::api-storage", "rw");
127 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
128 ScopedDBUnlock unlock(USER_APP, APP_PASS);
// No expected-error argument: the read must succeed and return TEST_DATA.
130 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
// Negative case for delegated access: the system item exists but no grant was
// given, so the user app's read must fail.
134 RUNNER_TEST(T5032_CLIENT_APP_ACCESS_NO_PERMISSION)
137 // start as system service
138 // add resource to the system DB
140 // switch to user app, unlock DB
141 // try to access the system item - expect fail
// Saved without any allow_access call, unlike T5031.
145 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
149 ScopedAccessProvider ap(TEST_LABEL);
150 ap.allowAPI("key-manager::api-storage", "rw");
151 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
152 ScopedDBUnlock unlock(USER_APP, APP_PASS);
// The denial is expected as CKMC_ERROR_DB_ALIAS_UNKNOWN, not
// CKMC_ERROR_PERMISSION_DENIED, so the reply does not confirm that the item exists.
// NOTE(review): presumably deliberate, to avoid disclosing system-DB aliases
// to ungranted callers; confirm against the service's access-control code.
154 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
// Checks that a grant does not outlive the item it was attached to: the app
// can read the system item while it is granted, and can no longer read it
// after the system service has removed the item.
158 RUNNER_TEST(T5033_CLIENT_APP_PERMISSION_REMOVAL)
161 // start as system service
162 // add resource to the system DB
163 // add permission to the resource to a user app
165 // switch to user app, unlock DB
166 // try to access the system item - expect success
168 // as system service, remove the item (expecting to remove permission)
169 // add item again, do not add permission
171 // switch to user app, unlock DB
172 // try to access the system item - expect fail
176 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
177 allow_access(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_READ);
// First pass as the user app: the grant is in place, so the read succeeds.
181 ScopedAccessProvider ap(TEST_LABEL);
182 ap.allowAPI("key-manager::api-storage", "rw");
183 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
184 ScopedDBUnlock unlock(USER_APP, APP_PASS);
186 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
// Back as the system service: removing the item is allowed for its owner.
// NOTE(review): the plan above says the item is added again without a grant,
// but no second save is visible in this listing. Without it, the final
// CKMC_ERROR_DB_ALIAS_UNKNOWN would also be returned for an item that is simply
// absent, and the test would not show that a re-created alias starts with no
// inherited grant. Confirm against the full source.
190 check_remove_allowed(TEST_SYSTEM_ALIAS);
// Second pass as the user app: same identity and unlock as before.
194 ScopedAccessProvider ap(TEST_LABEL);
195 ap.allowAPI("key-manager::api-storage", "rw");
196 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
197 ScopedDBUnlock unlock(USER_APP, APP_PASS);
199 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
// Checks that a user app cannot write into the system DB: saving under its own
// alias succeeds, saving under a "/ "-qualified alias is refused.
// NOTE(review): the test name says SET_READ_ACCESS, but the visible body sets no
// access and exercises writes only. Consider renaming, or confirm what is intended.
203 RUNNER_TEST(T5034_CLIENT_APP_SET_READ_ACCESS)
206 // switch to user app, unlock DB
207 // try to write to private DB - expect success
208 // try to write to system DB - expect fail
212 ScopedAccessProvider ap(TEST_LABEL);
213 ap.allowAPI("key-manager::api-storage", "rw");
214 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
215 ScopedDBUnlock unlock(USER_APP, APP_PASS);
// Private save: expected to succeed (no error code passed).
217 ScopedSaveData ssdsystem_user(TEST_ALIAS, TEST_DATA);
// System-qualified save from a user app: must be rejected outright.
218 ScopedSaveData ssdsystem_system(TEST_SYSTEM_ALIAS, TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
// Follow-up read under the system label fails with ALIAS_UNKNOWN, consistent
// with the rejected save having stored nothing there.
219 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
// Checks that a read grant does not imply removal rights: the user app holds
// CKMC_PERMISSION_READ on the system item and its removal attempt must be denied.
223 RUNNER_TEST(T5035_CLIENT_APP_TRY_REMOVING_SYSTEM_ITEM)
226 // start as system service
227 // add resource to the system DB
228 // add permission to the resource to a user app
230 // switch to user app, unlock DB
231 // try to remove item from system DB - expect fail
235 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
// Read only. T5039 shows that REMOVE cannot be granted on a system item at all.
236 allow_access(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_READ);
240 ScopedAccessProvider ap(TEST_LABEL);
241 ap.allowAPI("key-manager::api-storage", "rw");
242 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
243 ScopedDBUnlock unlock(USER_APP, APP_PASS);
245 check_remove_denied(TEST_SYSTEM_ALIAS);
// Checks that alias listing is filtered by access: the system service sees both
// system items, while the user app sees only the granted system item plus its
// own private item. The ungranted TEST_SYSTEM_ALIAS_2 must not be listed to the app.
249 RUNNER_TEST(T5036_CLIENT_LIST_ACCESSIBLE_ITEMS)
252 // start as system service
253 // add data A to the system DB
254 // add data B to the system DB
255 // add permission to data A to a user app
257 // system service list items - expect both items to appear
259 // switch to user app, unlock DB
261 // user lists items - expect system item A and private item
265 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
266 gc.save(TEST_SYSTEM_ALIAS_2, TEST_DATA);
// Only item A is granted; item B stays private to the system DB.
267 allow_access(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_READ);
// Listing as the system service: both items.
270 check_alias_list({TEST_SYSTEM_ALIAS, TEST_SYSTEM_ALIAS_2});
274 ScopedAccessProvider ap(TEST_LABEL);
275 ap.allowAPI("key-manager::api-storage", "rw");
276 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
277 ScopedDBUnlock unlock(USER_APP, APP_PASS);
278 ScopedSaveData user_data(TEST_ALIAS, TEST_DATA);
// Listing as the user app: granted system item A and the app's own item,
// the latter named with its label via aliasWithLabel.
280 check_alias_list({TEST_SYSTEM_ALIAS,
281 aliasWithLabel(TEST_LABEL, TEST_ALIAS)});
// Checks that a user app cannot create keys in the system DB: generating an RSA
// key pair under "/ "-qualified aliases must return CKMC_ERROR_PERMISSION_DENIED.
// The assertion wrapper and the remaining call arguments are not present in
// this listing.
285 RUNNER_TEST(T5037_CLIENT_APP_TRY_GENERATE_KEY_IN_SYSTEM_DB)
288 // switch to user app, unlock DB
289 // try to generate a key in system DB - expect fail
293 ScopedAccessProvider ap(TEST_LABEL);
294 ap.allowAPI("key-manager::api-storage", "rw");
295 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
296 ScopedDBUnlock unlock(USER_APP, APP_PASS);
// Aliases carry the system-label prefix, so the request targets the system DB.
298 const char *private_key_alias = "/ sys-db-priv";
299 const char *public_key_alias = "/ sys-db-pub";
// Both policies: no per-item password, key marked extractable.
300 ckmc_policy_s policy_private_key;
301 ckmc_policy_s policy_public_key;
302 policy_private_key.password = NULL;
303 policy_private_key.extractable = 1;
304 policy_public_key.password = NULL;
305 policy_public_key.extractable = 1;
// The call is expected to be refused before any key is produced.
// NOTE(review): 1024-bit RSA is below the commonly recommended 2048-bit
// minimum. It is harmless for a request that must be denied, but should not
// be copied into code that keeps the key.
308 CKMC_ERROR_PERMISSION_DENIED ==
309 (temp = ckmc_create_key_pair_rsa(1024,
314 CKMCReadableError(temp));
// Checks key use in the system DB from both sides: the system service generates
// an RSA key pair there and can sign and verify with it, while a user app with
// no grant cannot sign with the system key (CKMC_ERROR_DB_ALIAS_UNKNOWN).
// The assertion wrappers and most call arguments are not present in this listing.
318 RUNNER_TEST(T5038_CLIENT_SERVER_CREATE_VERIFY_SYSTEM_DB)
321 // start as system service
322 // generate RSA key in system DB
324 // try to create and verify signature in system DB - expect success
326 // switch to user app, unlock DB
327 // try to create signature in system DB - expect fail
330 const char *private_key_alias = "/ sys-db-priv";
331 const char *public_key_alias = "/ sys-db-pub";
// Both policies: no per-item password, key marked extractable.
// NOTE(review): an extractable private key with no password is the weakest
// policy on offer. That is acceptable for a fixture; confirm it is not meant
// as a template.
332 ckmc_policy_s policy_private_key;
333 ckmc_policy_s policy_public_key;
334 policy_private_key.password = NULL;
335 policy_private_key.extractable = 1;
336 policy_public_key.password = NULL;
337 policy_public_key.extractable = 1;
// NOTE(review): 1024-bit RSA is below the commonly recommended 2048-bit
// minimum; here the key is actually created and used for signing.
341 (temp = ckmc_create_key_pair_rsa(1024,
346 CKMCReadableError(temp));
// Signing parameters used as the system service: SHA-256 with PKCS#1 padding.
350 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
351 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
// NOTE(review): declared without an initializer, and no release of the
// returned buffer is visible in this listing. Initializing to NULL and
// freeing after use would be safer; confirm against the full source.
352 ckmc_raw_buffer_s *signature;
353 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");
// As the key owner, both creating and verifying the signature must succeed.
356 CKMC_ERROR_NONE == (temp = ckmc_create_signature(
363 CKMCReadableError(temp));
366 CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
373 CKMCReadableError(temp));
// Switch to the user app, which was given no grant on the system key.
378 ScopedAccessProvider ap(TEST_LABEL);
379 ap.allowAPI("key-manager::api-storage", "rw");
380 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
381 ScopedDBUnlock unlock(USER_APP, APP_PASS);
383 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
384 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
// NOTE(review): also uninitialized. The call below is expected to fail, so
// this pointer is presumably never written and must not be read or freed afterwards.
385 ckmc_raw_buffer_s *signature;
386 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");
// Ungranted use of the system key is reported as an unknown alias, the same
// result code T5032 expects for an ungranted read.
389 CKMC_ERROR_DB_ALIAS_UNKNOWN == (temp = ckmc_create_signature(
396 CKMCReadableError(temp));
// Checks that removal rights on a system item cannot be delegated: granting
// CKMC_PERMISSION_REMOVE to a user app is rejected with
// CKMC_ERROR_INVALID_PARAMETER, even when the system service itself asks for it.
400 RUNNER_TEST(T5039_SYSTEM_APP_SET_REMOVE_ACCESS)
403 // start as system service
404 // add resource to the system DB
406 // add remove permission to a user app - expect fail
410 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
// The last argument is the error the grant attempt is expected to return.
413 allow_access_negative(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_REMOVE, CKMC_ERROR_INVALID_PARAMETER);
// Baseline for the system DB: the system service saves an item and reads it
// back under the system label without switching identity.
416 RUNNER_TEST(T5040_SYSTEM_SVC_ACCESS_DB)
419 // start as system service
420 // add resource to the system DB
422 // try to access the item - expect success
426 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
429 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
// Checks that the system DB is shared between system services: an item saved
// by the initial service is readable by a second service running as uid 1234
// under a different label, with no allow_access call in between.
// NOTE(review): this implies that access to the system DB follows the caller's
// uid range rather than a per-item grant; confirm that is the intended model.
432 RUNNER_TEST(T5041_SYSTEM_SVC_1234_ACCESS_DB)
435 // start as system service
436 // add resource to the system DB
438 // switch to another system service
439 // try to access the item - expect success
443 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
// Second service identity: TEST_LABEL_2, uid and gid 1234.
447 ScopedAccessProvider ap(TEST_LABEL_2);
448 ap.allowAPI("key-manager::api-storage", "rw");
449 ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
// No ScopedDBUnlock: the read succeeds without unlocking any user DB.
451 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
// Checks that a system service other than uid 0 can write to the system DB:
// running as uid 1234 it saves a system-qualified item and reads it back.
// NOTE(review): the plan below mentions switching to another system service
// before the read, but only one identity switch is visible in this listing,
// so save and read appear to run as the same service. Confirm against the
// full source.
455 RUNNER_TEST(T5042_SYSTEM_SVC_1234_ADD_ITEM_TO_DB)
458 // start as system service 1234
459 // add resource to the system DB
461 // switch to another system service
462 // try to access the item - expect success
466 ScopedAccessProvider ap(TEST_LABEL_2);
467 ap.allowAPI("key-manager::api-storage", "rw");
468 ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
// Contrast with T5034, where the same save from a user app (uid 5050) is
// refused with CKMC_ERROR_PERMISSION_DENIED.
471 ScopedSaveData ssd(TEST_SYSTEM_ALIAS, TEST_DATA);
472 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
// Upper-boundary check for the system-service uid range: a caller with uid 4999
// is still treated as a system service and can read the system item.
476 RUNNER_TEST(T5043_SYSTEM_SVC_4999_ACCESS_DB)
479 // start as system service
480 // add resource to the system DB
482 // switch to system service having uid maximum for system svcs
483 // try to access the item - expect success
487 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
491 ScopedAccessProvider ap(TEST_LABEL_2);
492 ap.allowAPI("key-manager::api-storage", "rw");
// Last uid inside the range; T5044 probes the first uid outside it.
493 ap.applyAndSwithToUser(USER_SERVICE_MAX, GROUP_SERVICE_MAX);
495 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
// Boundary check just above the system-service uid range: a caller with
// uid 5000 is not treated as a system service, and its read of the system item
// must fail.
499 RUNNER_TEST(T5044_SYSTEM_SVC_5000_ACCESS_DB)
502 // start as system service
503 // add resource to the system DB
505 // switch to another, faulty system service with user-land uid==5000
506 // try to access the item - expect fail (no system service)
510 gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
514 ScopedAccessProvider ap(TEST_LABEL_2);
515 ap.allowAPI("key-manager::api-storage", "rw");
516 ap.applyAndSwithToUser(USER_SERVICE_FAIL, GROUP_SERVICE_FAIL);
// NOTE(review): the expected failure is CKMC_ERROR_DB_LOCKED. Presumably
// uid 5000 is handled as a regular user whose DB was never unlocked (no
// ScopedDBUnlock here), the same situation as in T5010. This covers only the
// locked case: a variant that unlocks uid 5000's DB first and still expects a
// failure would show that the uid boundary itself, not the lock state,
// blocks the read.
518 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);