[platform/core/system/libdbuspolicy.git] / src / test-libdbuspolicy1-access-deny-gdi.cpp

#include "internal/include/fb_generated.h"
#include "internal/naive_policy_checker.hpp"
#include "internal/policy.hpp"
#include "internal/serializer.hpp"
#include "internal/storage_backend_serialized.hpp"
#include "internal/storage_backend_xml.hpp"
#include "internal/tslog.hpp"
#include <dbuspolicy1/libdbuspolicy1.h>
#include <map>
#include <string>
#include <vector>

using namespace ldp_xml_parser;
using namespace ldp_serialized;

struct AccessTest {
        Decision expected_result;
        uid_t user;
        gid_t group;
        const char* label;
};

const char* DEFAULT_LABEL = "User::Shell";
const char* PRIVILEGED_LABEL = "System::Privileged";

std::map<Decision, const char*> DECISIONS {
                {Decision::ANY, "ANY"},
                {Decision::ALLOW, "ALLOW"},
                {Decision::DENY, "DENY"},
                {Decision::CHECK, "CHECK"}};


const std::vector<AccessTest> default_allow_tests = {
        {Decision::ALLOW, 0, 0, PRIVILEGED_LABEL},
        {Decision::ALLOW, 2, 20, DEFAULT_LABEL},        //deny user, allow group
        {Decision::ALLOW, 3, 30, DEFAULT_LABEL},        //deny group, allow user
        {Decision::DENY, 4, 30, DEFAULT_LABEL}, //deny group, no user rule
        {Decision::ALLOW, 5, 5, DEFAULT_LABEL}, //no rules
        {Decision::DENY, 6, 6, DEFAULT_LABEL},  //deny user (mandatory)
        {Decision::DENY, 7, 7, DEFAULT_LABEL},  //allow user (def), deny user (mandatory)
        {Decision::ALLOW, 8, 8, DEFAULT_LABEL}, //deny user (def), allow user (mandatory)
        {Decision::CHECK, 9991, 9991, DEFAULT_LABEL},   //check-user=allow (def)
        {Decision::CHECK, 9992, 9992, DEFAULT_LABEL},   //check-user=allow (def), check-group=deny (mandatory)
        {Decision::CHECK, 9993, 9993, DEFAULT_LABEL},   //check-user=allow (def, mandatory)
        {Decision::CHECK, 888, 888, PRIVILEGED_LABEL}   //check-user=allow (def) (label)
};

const std::vector<AccessTest> default_deny_tests = {
        {Decision::DENY, 0, 0, PRIVILEGED_LABEL},
        {Decision::ALLOW, 2, 20, DEFAULT_LABEL},
        {Decision::ALLOW, 3, 30, DEFAULT_LABEL},
        {Decision::DENY, 4, 30, DEFAULT_LABEL},
        {Decision::DENY, 5, 5, DEFAULT_LABEL},  // no rules, so denied by default
        {Decision::DENY, 6, 6, DEFAULT_LABEL},
        {Decision::DENY, 7, 7, DEFAULT_LABEL},
        {Decision::ALLOW, 8, 8, DEFAULT_LABEL},
        {Decision::CHECK, 9991, 9991, DEFAULT_LABEL},
        {Decision::CHECK, 9992, 9992, DEFAULT_LABEL},
        {Decision::CHECK, 9993, 9993, DEFAULT_LABEL},
        {Decision::CHECK, 888, 888, PRIVILEGED_LABEL}
};

const uid_t bus_owner = 500;

const std::vector<AccessTest> session_tests = {
        {Decision::ALLOW, 500, 500, DEFAULT_LABEL},     // allowed implicitly as the bus owner
        {Decision::ANY, 400, 500, DEFAULT_LABEL},
        {Decision::ANY, 0, 0, PRIVILEGED_LABEL},
        {Decision::ANY, 900, 900, DEFAULT_LABEL},
        {Decision::ALLOW, 600, 600, DEFAULT_LABEL},     // allowed explicitly in policy (user)
        {Decision::ALLOW, 700, 700, DEFAULT_LABEL},     // allowed explicitly in policy (group)
        {Decision::DENY, 800, 700, DEFAULT_LABEL}       // allow group, deny user
};

typedef std::pair<std::string, std::vector<AccessTest>> TestBusSetup;

const std::vector<std::pair<TestBusSetup, TestBusSetup>> access_tests{
        {{"tests/default_deny/system.conf", default_allow_tests}, {"tests/default_deny/session.conf", session_tests}},
        {{"tests/default_deny/system-au.conf", default_allow_tests}, {}},
        {{"tests/default_deny/system-ag.conf", default_allow_tests}, {}},
        {{"tests/default_deny/system-du.conf", default_deny_tests}, {}},
        {{"tests/default_deny/system-dg.conf", default_deny_tests}, {}}
};

void print_test(const struct AccessTest* t, bool result) {
        printf("uid = %lu, gid = %lu, label = %s, expected = %d, result = %d",
                   (unsigned long)t->user, (unsigned long)t->group, t->label, (int)t->expected_result, (int)result);
}

template <typename DB>
bool run_tests_for_bus(const DB &db, NaivePolicyChecker &checker, const std::vector<AccessTest>& test_setup, int& i, bool& passed) {
        for (const auto& test : test_setup) {
                checker.updateGroupDb(test.user, test.group);

                const auto &gids = *checker.getGroups<MatchItemAccess>(test.user, test.group);
                auto m_item = MatchItemAccess(test.user, gids);
                auto decision = db.getDecisionItemContextMandatory(m_item).getDecision();
                if (decision == Decision::ANY)
                        decision = db.getDecisionItemContextDefault(m_item).getDecision();
                if (decision == Decision::ANY) {
                        if (bus_owner == test.user)
                                decision = Decision::ALLOW;

                }
                bool res = decision == test.expected_result;
                if (!res) {
                        printf("[ERROR][%d] access test failed: %s %s ", i, DECISIONS[test.expected_result],
                                                                                                                                DECISIONS[decision]);
                        print_test(&test, res);
                        printf("\n");
                        passed = false;
                }
                i++;
        }
        return passed;
}

bool run_policy_db(const std::pair<TestBusSetup, TestBusSetup> access_test) {
        bool passed = true;
        int i = 0;
        const auto& system_bus_setup = access_test.first;
        const auto& session_bus_setup = access_test.second;

        auto &checker_system = policy_checker_system();
        auto &checker_session = policy_checker_session();

        checker_system.initDb(system_bus_setup.first.c_str());
        if (session_bus_setup.first != "") {
                checker_session.initDb(session_bus_setup.first.c_str());
        }

        printf("POLICY_DB:\n");
        return run_tests_for_bus(checker_system.getPolicyDb(), checker_system, system_bus_setup.second, i, passed) &&
                run_tests_for_bus(checker_session.getPolicyDb(), checker_session, session_bus_setup.second, i, passed);
}

bool run_fb(const std::pair<TestBusSetup, TestBusSetup> access_test) {
        bool passed = true;
        int i = 0;
        Serializer serializer;

        const auto& system_bus_setup = access_test.first;
        const auto& session_bus_setup = access_test.second;

        size_t size;

        uint8_t *buff_sys = nullptr, *buff_ses = nullptr;
        buff_sys = serializer.serialize(system_bus_setup.first.c_str(), size);
        if (session_bus_setup.first == "")
                buff_ses = serializer.serialize(session_bus_setup.first.c_str(), size);

        StorageBackendSerialized storage_sys, storage_ses;

        printf("FLATBUFFERS:\n");

        storage_sys.initFromData(buff_sys);
        bool res = run_tests_for_bus(storage_sys, policy_checker_system(), system_bus_setup.second, i, passed);

        if (buff_ses) {
                storage_ses.initFromData(buff_ses);
                res &= run_tests_for_bus(storage_ses, policy_checker_session(), session_bus_setup.second, i, passed);
        }
        return res;
}

bool run_xml(const std::pair<TestBusSetup, TestBusSetup> access_test) {
        (void)access_test;
        return true;
}

bool run_tests() {
        bool passed = true;
        for (const auto& access_test : access_tests) {
                printf("f: %s s: %s\n", access_test.first.first.c_str(), access_test.second.first.c_str());
                passed &= run_policy_db(access_test);
                passed &= run_fb(access_test);
                passed &= run_xml(access_test);
        }

        return passed;
}

int main() {
        tslog::init();
        if (!run_tests())
                return -1;
        return 0;
}