1 #include "internal/include/fb_generated.h"
2 #include "internal/naive_policy_checker.hpp"
3 #include "internal/policy.hpp"
4 #include "internal/serializer.hpp"
5 #include "internal/storage_backend_serialized.hpp"
6 #include "internal/storage_backend_xml.hpp"
7 #include "internal/tslog.hpp"
8 #include <dbuspolicy1/libdbuspolicy1.h>
13 using namespace ldp_xml_parser;
14 using namespace ldp_serialized;
17 Decision expected_result;
23 const char* DEFAULT_LABEL = "User::Shell";
24 const char* PRIVILEGED_LABEL = "System::Privileged";
26 std::map<Decision, const char*> DECISIONS {
27 {Decision::ANY, "ANY"},
28 {Decision::ALLOW, "ALLOW"},
29 {Decision::DENY, "DENY"},
30 {Decision::CHECK, "CHECK"}};
33 const std::vector<AccessTest> default_allow_tests = {
34 {Decision::ALLOW, 0, 0, PRIVILEGED_LABEL},
35 {Decision::ALLOW, 2, 20, DEFAULT_LABEL}, //deny user, allow group
36 {Decision::ALLOW, 3, 30, DEFAULT_LABEL}, //deny group, allow user
37 {Decision::DENY, 4, 30, DEFAULT_LABEL}, //deny group, no user rule
38 {Decision::ALLOW, 5, 5, DEFAULT_LABEL}, //no rules
39 {Decision::DENY, 6, 6, DEFAULT_LABEL}, //deny user (mandatory)
40 {Decision::DENY, 7, 7, DEFAULT_LABEL}, //allow user (def), deny user (mandatory)
41 {Decision::ALLOW, 8, 8, DEFAULT_LABEL}, //deny user (def), allow user (mandatory)
42 {Decision::CHECK, 9991, 9991, DEFAULT_LABEL}, //check-user=allow (def)
43 {Decision::CHECK, 9992, 9992, DEFAULT_LABEL}, //check-user=allow (def), check-group=deny (mandatory)
44 {Decision::CHECK, 9993, 9993, DEFAULT_LABEL}, //check-user=allow (def, mandatory)
45 {Decision::CHECK, 888, 888, PRIVILEGED_LABEL} //check-user=allow (def) (label)
48 const std::vector<AccessTest> default_deny_tests = {
49 {Decision::DENY, 0, 0, PRIVILEGED_LABEL},
50 {Decision::ALLOW, 2, 20, DEFAULT_LABEL},
51 {Decision::ALLOW, 3, 30, DEFAULT_LABEL},
52 {Decision::DENY, 4, 30, DEFAULT_LABEL},
53 {Decision::DENY, 5, 5, DEFAULT_LABEL}, // no rules, so denied by default
54 {Decision::DENY, 6, 6, DEFAULT_LABEL},
55 {Decision::DENY, 7, 7, DEFAULT_LABEL},
56 {Decision::ALLOW, 8, 8, DEFAULT_LABEL},
57 {Decision::CHECK, 9991, 9991, DEFAULT_LABEL},
58 {Decision::CHECK, 9992, 9992, DEFAULT_LABEL},
59 {Decision::CHECK, 9993, 9993, DEFAULT_LABEL},
60 {Decision::CHECK, 888, 888, PRIVILEGED_LABEL}
63 const uid_t bus_owner = 500;
65 const std::vector<AccessTest> session_tests = {
66 {Decision::ALLOW, 500, 500, DEFAULT_LABEL}, // allowed implicitly as the bus owner
67 {Decision::ANY, 400, 500, DEFAULT_LABEL},
68 {Decision::ANY, 0, 0, PRIVILEGED_LABEL},
69 {Decision::ANY, 900, 900, DEFAULT_LABEL},
70 {Decision::ALLOW, 600, 600, DEFAULT_LABEL}, // allowed explicitly in policy (user)
71 {Decision::ALLOW, 700, 700, DEFAULT_LABEL}, // allowed explicitly in policy (group)
72 {Decision::DENY, 800, 700, DEFAULT_LABEL} // allow group, deny user
75 typedef std::pair<std::string, std::vector<AccessTest>> TestBusSetup;
77 const std::vector<std::pair<TestBusSetup, TestBusSetup>> access_tests{
78 {{"tests/default_deny/system.conf", default_allow_tests}, {"tests/default_deny/session.conf", session_tests}},
79 {{"tests/default_deny/system-au.conf", default_allow_tests}, {}},
80 {{"tests/default_deny/system-ag.conf", default_allow_tests}, {}},
81 {{"tests/default_deny/system-du.conf", default_deny_tests}, {}},
82 {{"tests/default_deny/system-dg.conf", default_deny_tests}, {}}
85 void print_test(const struct AccessTest* t, bool result) {
86 printf("uid = %lu, gid = %lu, label = %s, expected = %d, result = %d",
87 (unsigned long)t->user, (unsigned long)t->group, t->label, (int)t->expected_result, (int)result);
90 template <typename DB>
91 bool run_tests_for_bus(const DB &db, NaivePolicyChecker &checker, const std::vector<AccessTest>& test_setup, int& i, bool& passed) {
92 for (const auto& test : test_setup) {
93 checker.updateGroupDb(test.user, test.group);
95 const auto &gids = *checker.getGroups<MatchItemAccess>(test.user, test.group);
96 auto m_item = MatchItemAccess(test.user, gids);
97 auto decision = db.getDecisionItemContextMandatory(m_item).getDecision();
98 if (decision == Decision::ANY)
99 decision = db.getDecisionItemContextDefault(m_item).getDecision();
100 if (decision == Decision::ANY) {
101 if (bus_owner == test.user)
102 decision = Decision::ALLOW;
105 bool res = decision == test.expected_result;
107 printf("[ERROR][%d] access test failed: %s %s ", i, DECISIONS[test.expected_result],
108 DECISIONS[decision]);
109 print_test(&test, res);
118 bool run_policy_db(const std::pair<TestBusSetup, TestBusSetup> access_test) {
121 const auto& system_bus_setup = access_test.first;
122 const auto& session_bus_setup = access_test.second;
124 auto &checker_system = policy_checker_system();
125 auto &checker_session = policy_checker_session();
127 checker_system.initDb(system_bus_setup.first.c_str());
128 if (session_bus_setup.first != "") {
129 checker_session.initDb(session_bus_setup.first.c_str());
132 printf("POLICY_DB:\n");
133 return run_tests_for_bus(checker_system.getPolicyDb(), checker_system, system_bus_setup.second, i, passed) &&
134 run_tests_for_bus(checker_session.getPolicyDb(), checker_session, session_bus_setup.second, i, passed);
137 bool run_fb(const std::pair<TestBusSetup, TestBusSetup> access_test) {
140 Serializer serializer;
142 const auto& system_bus_setup = access_test.first;
143 const auto& session_bus_setup = access_test.second;
147 uint8_t *buff_sys = nullptr, *buff_ses = nullptr;
148 buff_sys = serializer.serialize(system_bus_setup.first.c_str(), size);
149 if (session_bus_setup.first == "")
150 buff_ses = serializer.serialize(session_bus_setup.first.c_str(), size);
152 StorageBackendSerialized storage_sys, storage_ses;
154 printf("FLATBUFFERS:\n");
156 storage_sys.initFromData(buff_sys);
157 bool res = run_tests_for_bus(storage_sys, policy_checker_system(), system_bus_setup.second, i, passed);
160 storage_ses.initFromData(buff_ses);
161 res &= run_tests_for_bus(storage_ses, policy_checker_session(), session_bus_setup.second, i, passed);
166 bool run_xml(const std::pair<TestBusSetup, TestBusSetup> access_test) {
173 for (const auto& access_test : access_tests) {
174 printf("f: %s s: %s\n", access_test.first.first.c_str(), access_test.second.first.c_str());
175 passed &= run_policy_db(access_test);
176 passed &= run_fb(access_test);
177 passed &= run_xml(access_test);