2 * Copyright (c) 2000 - 2015 Samsung Electronics Co.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @author Maciej Karpiuk (m.karpiuk2@samsung.com)
20 #include <dpl/test/test_runner.h>
21 #include <dpl/test/test_runner_child.h>
22 #include <tests_common.h>
23 #include <ckm-common.h>
24 #include <ckm/ckm-control.h>
25 #include <ckmc/ckmc-manager.h>
26 #include <ckmc/ckmc-type.h>
27 #include <access_provider2.h>
29 #include <sys/types.h>
33 const uid_t USER_SERVICE = 0;
34 const uid_t USER_SERVICE_2 = 1234;
35 const uid_t GROUP_SERVICE_2 = 1234;
36 const uid_t USER_SERVICE_MAX = 4999;
37 const uid_t GROUP_SERVICE_MAX = 4999;
38 const uid_t USER_SERVICE_FAIL = 5000;
39 const uid_t GROUP_SERVICE_FAIL = 5000;
40 const uid_t USER_APP = 5050;
41 const uid_t GROUP_APP = 5050;
42 const char* APP_PASS = "user-pass";
44 const char* TEST_ALIAS = "test-alias";
45 const char* SYSTEM_LABEL = ckmc_label_shared_owner;
46 const char* INVALID_LABEL = "coco-jumbo";
47 std::string TEST_SYSTEM_ALIAS = aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS);
48 std::string TEST_SYSTEM_ALIAS_2 = aliasWithLabel(SYSTEM_LABEL, "test-alias-2");
49 const char* TEST_LABEL = "test-label";
50 const char* TEST_LABEL_2 = "test-label-2";
52 const char* TEST_DATA =
53 "Lorem Ipsum. At vero eos et accusamus et iusto odio dignissimos ducimus "
54 "qui blanditiis praesentium voluptatum deleniti atque corrupti quos dolores "
55 "et quas molestias excepturi sint occaecati cupiditate non provident, "
56 "similique sunt in culpa qui officia deserunt mollitia animi, id est "
57 "laborum et dolorum fuga. ";
61 RUNNER_TEST_GROUP_INIT(T50_SYSTEM_DB);
63 RUNNER_TEST(T5010_CLIENT_APP_LOCKED_PRIVATE_DB)
65 RUNNER_IGNORED_MSG("This test is turn off because fix "
66 "from tizen 2.4 that unlock db with empty password");
68 // start as system service
69 // add resource to the system DB
70 // add permission to the resource to a user app
72 // switch to user app, leave DB locked
73 // try to access system DB item - expect success
76 remove_user_data(USER_APP);
78 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
79 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
83 ScopedAccessProvider ap(TEST_LABEL);
84 ap.allowAPI("key-manager::api-storage", "rw");
85 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
87 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
91 RUNNER_TEST(T5020_CLIENT_APP_ADD_TO_PRIVATE_DB)
94 // switch to user app, unlock DB
95 // when accessing private DB - owner==me
96 // try to write to private DB - expect success
97 // try to get item from private DB - expect success
101 remove_user_data(USER_APP);
102 ScopedDBUnlock unlock(USER_APP, APP_PASS);
103 ScopedAccessProvider ap(TEST_LABEL);
104 ap.allowAPI("key-manager::api-storage", "rw");
105 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
107 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
108 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
112 RUNNER_TEST(T5030_CLIENT_APP_TRY_ADDING_SYSTEM_ITEM)
115 // switch to user app, unlock DB
116 // try to add item to system DB - expect fail
119 remove_user_data(USER_APP);
123 ScopedDBUnlock unlock(USER_APP, APP_PASS);
124 ScopedAccessProvider ap(TEST_LABEL);
125 ap.allowAPI("key-manager::api-storage", "rw");
126 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
128 save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
129 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
133 RUNNER_TEST(T5031_CLIENT_APP_ACCESS_WITH_PERMISSION)
136 // start as system service
137 // add resource to the system DB
138 // add permission to the resource to a user app
140 // switch to user app, unlock DB
141 // try to access the system item - expect success
144 remove_user_data(USER_APP);
146 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
147 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
151 ScopedDBUnlock unlock(USER_APP, APP_PASS);
152 ScopedAccessProvider ap(TEST_LABEL);
153 ap.allowAPI("key-manager::api-storage", "rw");
154 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
156 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
160 RUNNER_TEST(T5032_CLIENT_APP_ACCESS_NO_PERMISSION)
163 // start as system service
164 // add resource to the system DB
166 // switch to user app, unlock DB
167 // try to access the system item - expect fail
170 remove_user_data(USER_APP);
172 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
176 ScopedDBUnlock unlock(USER_APP, APP_PASS);
177 ScopedAccessProvider ap(TEST_LABEL);
178 ap.allowAPI("key-manager::api-storage", "rw");
179 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
181 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
185 RUNNER_TEST(T5033_CLIENT_APP_PERMISSION_REMOVAL)
188 // start as system service
189 // add resource to the system DB
190 // add permission to the resource to a user app
192 // switch to user app, unlock DB
193 // try to access the system item - expect success
195 // as system service, remove the item (expecting to remove permission)
196 // add item again, do not add permission
198 // switch to user app, unlock DB
199 // try to access the system item - expect fail
202 remove_user_data(USER_APP);
204 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
205 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
209 ScopedDBUnlock unlock(USER_APP, APP_PASS);
210 ScopedAccessProvider ap(TEST_LABEL);
211 ap.allowAPI("key-manager::api-storage", "rw");
212 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
214 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
218 check_remove_allowed(TEST_SYSTEM_ALIAS.c_str());
222 ScopedDBUnlock unlock(USER_APP, APP_PASS);
223 ScopedAccessProvider ap(TEST_LABEL);
224 ap.allowAPI("key-manager::api-storage", "rw");
225 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
227 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
231 RUNNER_TEST(T5034_CLIENT_APP_SET_READ_ACCESS)
234 // switch to user app, unlock DB
235 // try to write to private DB - expect success
236 // try to write to system DB - expect fail
240 remove_user_data(USER_APP);
241 ScopedDBUnlock unlock(USER_APP, APP_PASS);
242 ScopedAccessProvider ap(TEST_LABEL);
243 ap.allowAPI("key-manager::api-storage", "rw");
244 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
246 ScopedSaveData ssdsystem_user(TEST_ALIAS, TEST_DATA);
247 ScopedSaveData ssdsystem_system(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
248 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
252 RUNNER_TEST(T5035_CLIENT_APP_TRY_REMOVING_SYSTEM_ITEM)
255 // start as system service
256 // add resource to the system DB
257 // add permission to the resource to a user app
259 // switch to user app, unlock DB
260 // try to remove item from system DB - expect fail
263 remove_user_data(USER_APP);
265 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
266 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
270 ScopedDBUnlock unlock(USER_APP, APP_PASS);
271 ScopedAccessProvider ap(TEST_LABEL);
272 ap.allowAPI("key-manager::api-storage", "rw");
273 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
275 check_remove_denied(TEST_SYSTEM_ALIAS.c_str());
279 RUNNER_TEST(T5036_CLIENT_LIST_ACCESSIBLE_ITEMS)
282 // start as system service
283 // add data A to the system DB
284 // add data B to the system DB
285 // add permission to data A to a user app
287 // system service list items - expect both items to appear
289 // switch to user app, unlock DB
291 // user lists items - expect system item A and private item
295 remove_user_data(USER_APP);
297 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
298 gc.save(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA);
299 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
302 check_alias_list({TEST_SYSTEM_ALIAS.c_str(), TEST_SYSTEM_ALIAS_2.c_str()});
306 ScopedDBUnlock unlock(USER_APP, APP_PASS);
307 ScopedAccessProvider ap(TEST_LABEL);
308 ap.allowAPI("key-manager::api-storage", "rw");
309 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
310 ScopedSaveData user_data(TEST_ALIAS, TEST_DATA);
312 check_alias_list({TEST_SYSTEM_ALIAS.c_str(),
313 aliasWithLabel(TEST_LABEL, TEST_ALIAS)});
317 RUNNER_TEST(T5037_CLIENT_APP_TRY_GENERATE_KEY_IN_SYSTEM_DB)
320 // switch to user app, unlock DB
321 // try to generate a key in system DB - expect fail
325 remove_user_data(USER_APP);
326 ScopedDBUnlock unlock(USER_APP, APP_PASS);
327 ScopedAccessProvider ap(TEST_LABEL);
328 ap.allowAPI("key-manager::api-storage", "rw");
329 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
331 std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
332 std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
333 ckmc_policy_s policy_private_key;
334 ckmc_policy_s policy_public_key;
335 policy_private_key.password = NULL;
336 policy_private_key.extractable = 1;
337 policy_public_key.password = NULL;
338 policy_public_key.extractable = 1;
341 CKMC_ERROR_PERMISSION_DENIED ==
342 (temp = ckmc_create_key_pair_rsa(1024,
343 private_key_alias.c_str(),
344 public_key_alias.c_str(),
347 CKMCReadableError(temp));
351 RUNNER_TEST(T5038_CLIENT_SERVER_CREATE_VERIFY_SYSTEM_DB)
354 // start as system service
355 // generate RSA key in system DB
357 // try to create and verify signature in system DB - expect success
359 // switch to user app, unlock DB
360 // try to create signature in system DB - expect fail
363 remove_user_data(USER_APP);
365 std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
366 std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
367 gc.add(private_key_alias.c_str());
368 gc.add(public_key_alias.c_str());
369 ckmc_policy_s policy_private_key;
370 ckmc_policy_s policy_public_key;
371 policy_private_key.password = NULL;
372 policy_private_key.extractable = 1;
373 policy_public_key.password = NULL;
374 policy_public_key.extractable = 1;
378 (temp = ckmc_create_key_pair_rsa(1024,
379 private_key_alias.c_str(),
380 public_key_alias.c_str(),
383 CKMCReadableError(temp));
387 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
388 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
389 ckmc_raw_buffer_s *signature;
390 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");
393 CKMC_ERROR_NONE == (temp = ckmc_create_signature(
394 private_key_alias.c_str(),
400 CKMCReadableError(temp));
403 CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
404 public_key_alias.c_str(),
410 CKMCReadableError(temp));
415 ScopedDBUnlock unlock(USER_APP, APP_PASS);
416 ScopedAccessProvider ap(TEST_LABEL);
417 ap.allowAPI("key-manager::api-storage", "rw");
418 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
420 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
421 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
422 ckmc_raw_buffer_s *signature;
423 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");
426 CKMC_ERROR_DB_ALIAS_UNKNOWN == (temp = ckmc_create_signature(
427 private_key_alias.c_str(),
433 CKMCReadableError(temp));
437 RUNNER_TEST(T5039_SYSTEM_APP_SET_REMOVE_ACCESS)
440 // start as system service
441 // add resource to the system DB
443 // add remove permission to a user app - expect fail
447 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
450 allow_access_negative(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_REMOVE, CKMC_ERROR_INVALID_PARAMETER);
453 RUNNER_TEST(T5040_SYSTEM_SVC_ACCESS_DB)
456 // start as system service
457 // add resource to the system DB
459 // try to access the item - expect success
463 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
466 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
469 RUNNER_TEST(T5041_SYSTEM_SVC_1234_ACCESS_DB)
472 // start as system service
473 // add resource to the system DB
475 // switch to another system service
476 // try to access the item - expect success
480 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
484 ScopedAccessProvider ap(TEST_LABEL_2);
485 ap.allowAPI("key-manager::api-storage", "rw");
486 ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
488 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
492 RUNNER_TEST(T5042_SYSTEM_SVC_1234_ADD_ITEM_TO_DB)
495 // start as system service 1234
496 // add resource to the system DB
498 // switch to another system service
499 // try to access the item - expect success
503 ScopedAccessProvider ap(TEST_LABEL_2);
504 ap.allowAPI("key-manager::api-storage", "rw");
505 ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
508 ScopedSaveData ssd(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
509 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
513 RUNNER_TEST(T5043_SYSTEM_SVC_4999_ACCESS_DB)
516 // start as system service
517 // add resource to the system DB
519 // switch to system service having uid maximum for system svcs
520 // try to access the item - expect success
524 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
528 ScopedAccessProvider ap(TEST_LABEL_2);
529 ap.allowAPI("key-manager::api-storage", "rw");
530 ap.applyAndSwithToUser(USER_SERVICE_MAX, GROUP_SERVICE_MAX);
532 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
536 RUNNER_TEST(T5044_SYSTEM_SVC_5000_ACCESS_DB)
538 RUNNER_IGNORED_MSG("This test is turn off because fix "
539 "from tizen 2.4 that unlock db with empty password");
541 // start as system service
542 // add resource to the system DB
544 // switch to another, faulty system service with user-land uid==5000
545 // try to access the item - expect fail (no system service)
549 gc.save(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
553 ScopedAccessProvider ap(TEST_LABEL_2);
554 ap.allowAPI("key-manager::api-storage", "rw");
555 ap.applyAndSwithToUser(USER_SERVICE_FAIL, GROUP_SERVICE_FAIL);
557 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
561 RUNNER_TEST(T5045_SYSTEM_DB_ADD_WITH_INVALID_LABEL)
564 // start as system service
566 // try to add item to system DB using wrong label - expect fail
567 // try to add item using explicit system label - expect success
570 remove_user_data(USER_APP);
573 save_data(aliasWithLabel(INVALID_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
574 check_read(TEST_ALIAS, INVALID_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
576 save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA);
577 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);