CKM: add tests for system-db.

[platform/core/test/security-tests.git] / src / ckm / system-db.cpp

/*
 *  Copyright (c) 2000 - 2015 Samsung Electronics Co.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License
 *
 * @file       system-db.cpp
 * @author     Maciej Karpiuk (m.karpiuk2@samsung.com)
 * @version    1.0
 */
#include <dpl/test/test_runner.h>
#include <dpl/test/test_runner_child.h>
#include <dpl/log/log.h>
#include <tests_common.h>
#include <ckm-common.h>
#include <ckm/ckm-control.h>
#include <ckmc/ckmc-manager.h>
#include <ckmc/ckmc-type.h>
#include <access_provider2.h>
#include <unistd.h>
#include <sys/types.h>

namespace
{
const uid_t USER_SERVICE        = 0;
const uid_t USER_SERVICE_2      = 1234;
const uid_t GROUP_SERVICE_2     = 1234;
const uid_t USER_SERVICE_MAX    = 4999;
const uid_t GROUP_SERVICE_MAX   = 4999;
const uid_t USER_SERVICE_FAIL   = 5000;
const uid_t GROUP_SERVICE_FAIL  = 5000;
const uid_t USER_APP            = 5050;
const uid_t GROUP_APP           = 5050;
const char* APP_PASS            = "user-pass";

const char* TEST_ALIAS          = "test-alias";
const char* SYSTEM_LABEL        = "/";
const char* TEST_SYSTEM_ALIAS   = "/ test-alias";
const char* TEST_SYSTEM_ALIAS_2 = "/ test-alias-2";
const char* TEST_LABEL          = "test-label";
const char* TEST_LABEL_2        = "test-label-2";

const char* TEST_DATA =
        "Lorem Ipsum. At vero eos et accusamus et iusto odio dignissimos ducimus "
        "qui blanditiis praesentium voluptatum deleniti atque corrupti quos dolores "
        "et quas molestias excepturi sint occaecati cupiditate non provident, "
        "similique sunt in culpa qui officia deserunt mollitia animi, id est "
        "laborum et dolorum fuga. ";
}


RUNNER_TEST_GROUP_INIT(T50_SYSTEM_DB);

RUNNER_TEST(T5010_CLIENT_APP_LOCKED_PRIVATE_DB)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // add permission to the resource to a user app
    // [test]
    // switch to user app, leave DB locked
    // try to access system DB item - expect fail

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
    allow_access(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_READ);

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
    }
}

RUNNER_TEST(T5020_CLIENT_APP_ADD_TO_PRIVATE_DB)
{
    // [test]
    // switch to user app, unlock DB
    // when accessing private DB - owner==me
    // try to write to private DB - expect success
    // try to get item from private DB - expect success

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);

        ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
        check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
    }
}

RUNNER_TEST(T5031_CLIENT_APP_ACCESS_WITH_PERMISSION)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // add permission to the resource to a user app
    // [test]
    // switch to user app, unlock DB
    // try to access the system item - expect success

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
    allow_access(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_READ);

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
    }
}

RUNNER_TEST(T5032_CLIENT_APP_ACCESS_NO_PERMISSION)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // switch to user app, unlock DB
    // try to access the system item - expect fail

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
    }
}

RUNNER_TEST(T5033_CLIENT_APP_PERMISSION_REMOVAL)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // add permission to the resource to a user app
    // [test]
    // switch to user app, unlock DB
    // try to access the system item - expect success
    // [prepare2]
    // as system service, remove the item (expecting to remove permission)
    // add item again, do not add permission
    // [test2]
    // switch to user app, unlock DB
    // try to access the system item - expect fail

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
    allow_access(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_READ);

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
    }

    // [prepare2]
    check_remove_allowed(TEST_SYSTEM_ALIAS);

    // [test2]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
    }
}

RUNNER_TEST(T5034_CLIENT_APP_SET_READ_ACCESS)
{
    // [test]
    // switch to user app, unlock DB
    // try to write to private DB - expect success
    // try to write to system DB  - expect fail

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);

        ScopedSaveData ssdsystem_user(TEST_ALIAS, TEST_DATA);
        ScopedSaveData ssdsystem_system(TEST_SYSTEM_ALIAS, TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
    }
}

RUNNER_TEST(T5035_CLIENT_APP_TRY_REMOVING_SYSTEM_ITEM)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // add permission to the resource to a user app
    // [test]
    // switch to user app, unlock DB
    // try to remove item from system DB  - expect fail

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
    allow_access(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_READ);

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);

        check_remove_denied(TEST_SYSTEM_ALIAS);
    }
}

RUNNER_TEST(T5036_CLIENT_LIST_ACCESSIBLE_ITEMS)
{
    // [prepare]
    // start as system service
    // add data A to the system DB
    // add data B to the system DB
    // add permission to data A to a user app
    // [test]
    // system service list items - expect both items to appear
    // [test2]
    // switch to user app, unlock DB
    // add data as user
    // user lists items - expect system item A and private item

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);
    gc.save(TEST_SYSTEM_ALIAS_2, TEST_DATA);
    allow_access(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_READ);

    // [test]
    check_alias_list({TEST_SYSTEM_ALIAS, TEST_SYSTEM_ALIAS_2});

    // [test2]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedSaveData user_data(TEST_ALIAS, TEST_DATA);

        check_alias_list({TEST_SYSTEM_ALIAS,
                          aliasWithLabel(TEST_LABEL, TEST_ALIAS)});
    }
}

RUNNER_TEST(T5037_CLIENT_APP_TRY_GENERATE_KEY_IN_SYSTEM_DB)
{
    // [test]
    // switch to user app, unlock DB
    // try to generate a key in system DB  - expect fail

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);

        const char *private_key_alias = "/ sys-db-priv";
        const char *public_key_alias = "/ sys-db-pub";
        ckmc_policy_s policy_private_key;
        ckmc_policy_s policy_public_key;
        policy_private_key.password = NULL;
        policy_private_key.extractable = 1;
        policy_public_key.password = NULL;
        policy_public_key.extractable = 1;
        int temp;
        RUNNER_ASSERT_MSG(
                 CKMC_ERROR_PERMISSION_DENIED ==
                        (temp = ckmc_create_key_pair_rsa(1024,
                                                         private_key_alias,
                                                         public_key_alias,
                                                         policy_private_key,
                                                         policy_public_key)),
                 CKMCReadableError(temp));
    }
}

RUNNER_TEST(T5038_CLIENT_SERVER_CREATE_VERIFY_SYSTEM_DB)
{
    // [prepare]
    // start as system service
    // generate RSA key in system DB
    // [test]
    // try to create and verify signature in system DB  - expect success
    // [test2]
    // switch to user app, unlock DB
    // try to create signature in system DB  - expect fail

    // [prepare]
    const char *private_key_alias = "/ sys-db-priv";
    const char *public_key_alias = "/ sys-db-pub";
    ckmc_policy_s policy_private_key;
    ckmc_policy_s policy_public_key;
    policy_private_key.password = NULL;
    policy_private_key.extractable = 1;
    policy_public_key.password = NULL;
    policy_public_key.extractable = 1;
    int temp;
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_NONE ==
                    (temp = ckmc_create_key_pair_rsa(1024,
                                                     private_key_alias,
                                                     public_key_alias,
                                                     policy_private_key,
                                                     policy_public_key)),
             CKMCReadableError(temp));

    // [test]
    {
        ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
        ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
        ckmc_raw_buffer_s *signature;
        ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");

        RUNNER_ASSERT_MSG(
                CKMC_ERROR_NONE == (temp = ckmc_create_signature(
                        private_key_alias,
                        NULL,
                        msg_buff,
                        hash_algo,
                        pad_algo,
                        &signature)),
                CKMCReadableError(temp));

        RUNNER_ASSERT_MSG(
                CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
                        public_key_alias,
                        NULL,
                        msg_buff,
                        *signature,
                        hash_algo,
                        pad_algo)),
                CKMCReadableError(temp));
    }

    // [test2]
    {
        ScopedAccessProvider ap(TEST_LABEL);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);

        ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
        ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
        ckmc_raw_buffer_s *signature;
        ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");

        RUNNER_ASSERT_MSG(
                CKMC_ERROR_DB_ALIAS_UNKNOWN == (temp = ckmc_create_signature(
                        private_key_alias,
                        NULL,
                        msg_buff,
                        hash_algo,
                        pad_algo,
                        &signature)),
                CKMCReadableError(temp));
    }
}

RUNNER_TEST(T5039_SYSTEM_APP_SET_REMOVE_ACCESS)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // add remove permission to a user app - expect fail

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);

    // [test]
    allow_access_negative(TEST_SYSTEM_ALIAS, TEST_LABEL, CKMC_PERMISSION_REMOVE, CKMC_ERROR_INVALID_PARAMETER);
}

RUNNER_TEST(T5040_SYSTEM_SVC_ACCESS_DB)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // try to access the item - expect success

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);

    // [test]
    check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}

RUNNER_TEST(T5041_SYSTEM_SVC_1234_ACCESS_DB)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // switch to another system service
    // try to access the item - expect success

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL_2);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
    }
}

RUNNER_TEST(T5042_SYSTEM_SVC_1234_ADD_ITEM_TO_DB)
{
    // [prepare]
    // start as system service 1234
    // add resource to the system DB
    // [test]
    // switch to another system service
    // try to access the item - expect success

    // [prepare]
    {
        ScopedAccessProvider ap(TEST_LABEL_2);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);

        // [test]
        ScopedSaveData ssd(TEST_SYSTEM_ALIAS, TEST_DATA);
        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
    }
}

RUNNER_TEST(T5043_SYSTEM_SVC_4999_ACCESS_DB)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // switch to system service having uid maximum for system svcs
    // try to access the item - expect success

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL_2);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_SERVICE_MAX, GROUP_SERVICE_MAX);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
    }
}

RUNNER_TEST(T5044_SYSTEM_SVC_5000_ACCESS_DB)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // switch to another, faulty system service with user-land uid==5000
    // try to access the item - expect fail (no system service)

    // [prepare]
    GarbageCollector gc;
    gc.save(TEST_SYSTEM_ALIAS, TEST_DATA);

    // [test]
    {
        ScopedAccessProvider ap(TEST_LABEL_2);
        ap.allowAPI("key-manager::api-storage", "rw");
        ap.applyAndSwithToUser(USER_SERVICE_FAIL, GROUP_SERVICE_FAIL);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
    }
}