4 #include <dpl/test/test_runner.h>
5 #include <dpl/test/test_runner_child.h>
7 #include <tests_common.h>
8 #include <ckm-common.h>
9 #include <access_provider2.h>
11 #include <ckmc/ckmc-manager.h>
12 #include <ckmc/ckmc-control.h>
13 #include <ckmc/ckmc-type.h>
14 #include <ckmc/ckmc-error.h>
16 #include <ckm/ckm-type.h>
20 const uid_t USER_ROOT = 0;
21 const char* APP_PASS = "user-pass";
22 const char* ROOT_PASS = "test-pass";
24 const char* NO_ALIAS = "definitely-non-existent-alias";
25 const char* NO_OWNER = "definitely-non-existent-owner";
27 const char* TEST_ALIAS = "test-alias";
28 const char* TEST_ALIAS2 = "test-alias2";
29 const char* TEST_ALIAS3 = "test-alias3";
31 const char* TEST_LABEL = "test-label";
32 const char* TEST_LABEL2 = "test-label2";
33 const char* TEST_LABEL3 = "test-label3";
34 const char* TEST_LABEL4 = "test-label4";
36 const char* TEST_DATA = "dsflsdkghkslhglrtghierhgilrehgidsafasdffsgfdgdgfdgfdgfdgfdggf";
38 void save_data(const char* alias, const char *data)
40 ckmc_raw_buffer_s buffer;
41 buffer.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
42 buffer.size = strlen(data);
44 policy.password = NULL;
45 policy.extractable = true;
47 int ret = ckmc_save_data(alias, buffer, policy);
48 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Saving data failed. Error: " << ret);
51 void save_data(const char* alias)
53 save_data(alias, TEST_DATA);
56 void check_remove_allowed(const char* alias)
58 int ret = ckmc_remove_alias(alias);
59 // remove, but ignore non existing
60 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret || CKMC_ERROR_DB_ALIAS_UNKNOWN,
61 "Removing data failed: " << ret);
64 void check_remove_denied(const char* alias)
66 int ret = ckmc_remove_alias(alias);
68 CKMC_ERROR_PERMISSION_DENIED == ret,
69 "App with different label shouldn't have rights to remove this data. Error: " << ret);
72 void check_remove_not_visible(const char* alias)
74 int ret = ckmc_remove_alias(alias);
76 CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
77 "App with different label shouldn't have rights to see this data. Error: " << ret);
80 void check_read(const char* alias, const char *label, const char *test_data, int expected_code = CKMC_ERROR_NONE)
82 ckmc_raw_buffer_s* buffer = NULL;
83 int ret = ckmc_get_data(aliasWithLabel(label, alias).c_str(), NULL, &buffer);
84 RUNNER_ASSERT_MSG(expected_code == ret, "Getting data failed. Expected code: " << expected_code << ", while result code: " << ret);
86 if(expected_code == CKMC_ERROR_NONE)
88 // compare data with expected
90 buffer->size == strlen(test_data),
91 "Extracted data length do not match expected data length (encrypted?).");
94 memcmp(const_cast<const char*>(reinterpret_cast<char*>(buffer->data)), test_data, buffer->size) == 0,
95 "Extracted data do not match expected data (encrypted?).");
97 ckmc_buffer_free(buffer);
101 void check_read_allowed(const char* alias, const char *data)
103 // try to read previously saved data - label taken implicitly
104 check_read(alias, 0, data);
106 void check_read_allowed(const char* alias)
108 check_read_allowed(alias, TEST_DATA);
111 void check_read_denied(const char* alias)
113 // try to read previously saved data - label taken implicitly
115 ckmc_raw_buffer_s* buffer = NULL;
116 int ret = ckmc_get_data(alias, NULL, &buffer);
117 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
118 "App with different label shouldn't have rights to read this data. Error: " << ret);
119 ckmc_buffer_free(buffer);
123 void check_read_not_visible(const char* alias)
125 // try to read previously saved data - label taken implicitly
127 ckmc_raw_buffer_s* buffer = NULL;
128 int ret = ckmc_get_data(alias, NULL, &buffer);
129 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
130 "App with different label shouldn't have rights to see this data. Error: " << ret);
131 ckmc_buffer_free(buffer);
135 void allow_access_deprecated(const char* alias, const char* accessor, ckmc_access_right_e accessRights)
137 int ret = ckmc_allow_access(alias, accessor, accessRights);
138 RUNNER_ASSERT_MSG_BT(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << ret);
141 void allow_access(const char* alias, const char* accessor, int permissionMask)
143 // data removal should revoke this access
144 int ret = ckmc_set_permission(alias, accessor, permissionMask);
145 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << ret);
148 void allow_access_negative(const char* alias, const char* accessor, int permissionMask, int expectedCode)
150 // data removal should revoke this access
151 int ret = ckmc_set_permission(alias, accessor, permissionMask);
152 RUNNER_ASSERT_MSG(expectedCode == ret, "Trying to allow access returned: " << ret << ", while expected: " << expectedCode);
155 void deny_access(const char* alias, const char* accessor)
157 int ret = ckmc_deny_access(alias, accessor);
158 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. Error: " << ret);
161 void deny_access_negative(const char* alias, const char* accessor, int expectedCode)
163 int ret = ckmc_set_permission(alias, accessor, CKMC_PERMISSION_NONE);
164 RUNNER_ASSERT_MSG(expectedCode == ret, "Denying access failed. Error: " << ret << ", while expected: " << expectedCode);
167 void allow_access_deprecated_by_adm(const char* alias, const char* accessor, ckmc_access_right_e accessRights)
169 // data removal should revoke this access
170 int ret = ckmc_allow_access_by_adm(USER_ROOT, get_label().get(), alias, accessor, accessRights);
171 RUNNER_ASSERT_MSG_BT(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << ret);
174 void allow_access_by_adm(const char* alias, const char* accessor, int permissionMask)
176 // data removal should revoke this access
177 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), alias).c_str(), accessor, permissionMask);
178 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << ret);
181 void deny_access_by_adm(const char* alias, const char* accessor)
183 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), alias).c_str(), accessor, CKMC_PERMISSION_NONE);
184 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. Error: " << ret);
189 ckmc_alias_list_s *aliasList = NULL;
190 int ret = ckmc_get_data_alias_list(&aliasList);
191 if (ret == CKMC_ERROR_DB_ALIAS_UNKNOWN)
194 RUNNER_ASSERT_MSG(ret == 0, "Failed to get the list of data aliases. Error: " << ret);
196 ckmc_alias_list_s *plist = aliasList;
203 ckmc_alias_list_all_free(aliasList);
207 void check_alias_count(int expected)
209 int count = count_aliases();
210 RUNNER_ASSERT_MSG(count == expected, "Expected " << expected << " aliases, got " << count);
213 // saves data upon construction and deletes it upon destruction
217 ScopedSaveData(const char* alias) : m_alias(alias)
221 ScopedSaveData(const char* alias, const char *data) : m_alias(alias)
223 save_data(alias, data);
229 * Let it throw. If we can't remove data then remaining tests results will be
232 check_remove_allowed(m_alias);
238 } // namespace anonymous
240 RUNNER_TEST_GROUP_INIT (T300_CKMC_ACCESS_CONTROL_C_API);
243 /////////////////////////////////////////////////////////////////////////////
245 RUNNER_TEST(T3000_init)
248 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_unlock_user_key(APP_UID, APP_PASS)),
250 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(APP_UID)),
252 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_unlock_user_key(USER_ROOT, ROOT_PASS)),
254 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(USER_ROOT)),
259 // invalid arguments check
260 RUNNER_TEST(T3001_manager_allow_access_invalid)
263 CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_READ));
265 CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_READ));
268 // invalid arguments check
269 RUNNER_TEST(T3002_manager_deny_access_invalid)
271 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_NONE));
272 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_NONE));
275 // tries to allow access for non existing alias
276 RUNNER_CHILD_TEST(T3003_manager_allow_access_non_existing)
278 switch_to_storage_user(TEST_LABEL);
280 int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_READ);
281 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
282 "Allowing access for non existing alias returned " << ret);
285 // tries to deny access for non existing alias
286 RUNNER_CHILD_TEST(T3004_manager_deny_access_non_existing)
288 switch_to_storage_user(TEST_LABEL);
290 int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_NONE);
291 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
292 "Denying access for non existing alias returned " << ret);
295 // tries to deny access that does not exist in database
296 RUNNER_CHILD_TEST(T3005_manager_deny_access_non_existing_access)
298 switch_to_storage_user(TEST_LABEL);
300 ScopedSaveData ssd(TEST_ALIAS);
302 // deny non existing access to existing alias
303 int ret = ckmc_set_permission(TEST_ALIAS, "label", CKMC_PERMISSION_NONE);
304 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
305 "Denying non existing access returned: " << ret);
308 // tries to allow access to application own data
309 RUNNER_CHILD_TEST(T3006_manager_allow_access_to_myself)
311 switch_to_storage_user(TEST_LABEL);
313 ScopedSaveData ssd(TEST_ALIAS);
315 CharPtr label = get_label();
316 int ret = ckmc_set_permission(TEST_ALIAS, label.get(), CKMC_PERMISSION_READ);
317 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
318 "Trying to allow myself returned: " << ret);
321 // verifies that alias can not contain forbidden characters
322 RUNNER_CHILD_TEST(T3007_manager_check_alias_valid)
324 switch_to_storage_user(TEST_LABEL);
325 ScopedSaveData ssd(TEST_ALIAS);
327 std::string test_alias_playground = std::string("AAA BBB CCC");
328 check_read(test_alias_playground.c_str(), 0, TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
330 // control: expect success
331 check_read(TEST_ALIAS, 0, TEST_DATA);
332 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
335 // verifies that label can not contain forbidden characters
336 RUNNER_CHILD_TEST(T3008_manager_check_label_valid)
338 switch_to_storage_user(TEST_LABEL);
339 ScopedSaveData ssd(TEST_ALIAS);
342 std::string test_label_playground = std::string("AAA BBB CCC");
343 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
345 // insert part of the separator in the middle
346 test_label_playground = std::string(TEST_LABEL);
347 test_label_playground.insert(test_label_playground.size()/2, ckmc_label_name_separator);
348 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
351 test_label_playground = std::string(TEST_LABEL);
352 test_label_playground.insert(0, ckmc_label_name_separator);
353 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
356 test_label_playground = std::string(TEST_LABEL);
357 test_label_playground.append(ckmc_label_name_separator);
358 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
360 // control: expect success
361 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
364 // tries to access other application data without permission
365 RUNNER_TEST(T3020_manager_access_not_allowed)
367 CharPtr top_label = get_label();
369 ScopedSaveData ssd(TEST_ALIAS);
371 ScopedLabel sl(TEST_LABEL2);
373 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
374 check_read_not_visible(TEST_ALIAS_adr.c_str());
375 check_remove_not_visible(TEST_ALIAS_adr.c_str());
379 // tries to access other application data with permission
380 RUNNER_TEST(T3021_manager_access_allowed)
382 CharPtr top_label = get_label();
383 ScopedSaveData ssd(TEST_ALIAS);
385 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
387 ScopedLabel sl(TEST_LABEL2);
389 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
393 // tries to read other application data with permission for read/remove
394 RUNNER_TEST(T3022_manager_access_allowed_with_remove)
396 CharPtr top_label = get_label();
397 ScopedSaveData ssd(TEST_ALIAS);
399 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
401 ScopedLabel sl(TEST_LABEL2);
403 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
407 // tries to remove other application data with permission for reading only
408 RUNNER_TEST(T3023_manager_access_allowed_remove_denied)
410 CharPtr top_label = get_label();
411 ScopedSaveData ssd(TEST_ALIAS);
413 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
415 ScopedLabel sl(TEST_LABEL2);
417 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
418 check_remove_denied(TEST_ALIAS_adr.c_str());
419 check_read_allowed(TEST_ALIAS_adr.c_str());
423 // tries to remove other application data with permission
424 RUNNER_TEST(T3025_manager_remove_allowed)
426 CharPtr top_label = get_label();
427 ScopedSaveData ssd(TEST_ALIAS);
429 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
431 ScopedLabel sl(TEST_LABEL2);
433 check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
437 // tries to access other application data after allow function was called twice with different
439 RUNNER_TEST(T3026_manager_double_allow)
441 CharPtr top_label = get_label();
442 ScopedSaveData ssd(TEST_ALIAS);
444 // access should be overwritten
445 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
446 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
448 ScopedLabel sl(TEST_LABEL2);
450 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
451 check_remove_denied(TEST_ALIAS_adr.c_str());
452 check_read_allowed(TEST_ALIAS_adr.c_str());
456 // tries to access application data with permission and after permission has been revoked
457 RUNNER_TEST(T3027_manager_allow_deny)
459 CharPtr top_label = get_label();
460 ScopedSaveData ssd(TEST_ALIAS);
462 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
464 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
466 ScopedLabel sl(TEST_LABEL2);
468 check_remove_denied(TEST_ALIAS_adr.c_str());
469 check_read_allowed(TEST_ALIAS_adr.c_str());
472 deny_access(TEST_ALIAS, TEST_LABEL2);
474 ScopedLabel sl(TEST_LABEL2);
476 check_remove_not_visible(TEST_ALIAS_adr.c_str());
477 check_read_not_visible(TEST_ALIAS_adr.c_str());
481 RUNNER_TEST(T3028_manager_access_by_label)
483 CharPtr top_label = get_label();
484 const char *additional_data = "label-2-data";
485 ScopedSaveData ssd(TEST_ALIAS);
487 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
489 ScopedLabel sl(TEST_LABEL2);
490 ScopedSaveData ssd(TEST_ALIAS, additional_data);
491 allow_access(TEST_ALIAS, top_label.get(), CKMC_PERMISSION_READ);
493 // test if accessing valid alias (of label2 domain)
494 check_read_allowed(TEST_ALIAS, additional_data);
496 // this has to be done here - in the scope, otherwise
497 // scope destructor will remove the TEST_LABEL2::TEST_ALIAS
499 ScopedLabel sl(top_label.get());
501 // test if can access label2 alias from label1 domain - should succeed
502 check_read_allowed(aliasWithLabel(TEST_LABEL2, TEST_ALIAS).c_str(), additional_data);
506 // test if accessing valid alias (of label1 domain)
507 check_read_allowed(TEST_ALIAS);
509 // access should not be possible - already left the LABEL2 scope, object should be removed
510 check_read_not_visible(aliasWithLabel(TEST_LABEL2, TEST_ALIAS).c_str());
513 // tries to modify another label's permission
514 RUNNER_TEST(T3029_manager_access_modification_by_foreign_label)
516 ScopedLabel sl(TEST_LABEL);
517 ScopedSaveData ssd(TEST_ALIAS);
518 allow_access(TEST_ALIAS, TEST_LABEL3, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
520 ScopedLabel sl(TEST_LABEL2);
522 allow_access_negative(aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str(), TEST_LABEL4, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE, CKMC_ERROR_PERMISSION_DENIED);
523 deny_access_negative (aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str(), TEST_LABEL4, CKMC_ERROR_PERMISSION_DENIED);
527 // checks if only aliases readable by given app are returned
528 RUNNER_TEST(T3030_manager_get_all_aliases)
530 ScopedSaveData ssd1(TEST_ALIAS);
531 ScopedSaveData ssd2(TEST_ALIAS2);
533 int count = count_aliases();
535 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
537 ScopedLabel sl(TEST_LABEL2);
539 // check that app can access other aliases when it has permission
540 check_alias_count(count - 1);
542 ScopedSaveData ssd3(TEST_ALIAS3);
544 // check that app can access its own aliases
545 check_alias_count(count - 1 + 1);
548 deny_access(TEST_ALIAS, TEST_LABEL2);
550 ScopedLabel sl(TEST_LABEL2);
552 // check that app can't access other aliases for which permission has been revoked
553 check_alias_count(count - 2);
557 RUNNER_TEST(T3031_manager_test_decrypt_from_another_label)
560 CharPtr top_label = get_label();
561 ScopedSaveData ssd(TEST_ALIAS);
563 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
565 ScopedLabel sl(TEST_LABEL2);
567 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
569 // remove the DKEK key - so that on read it must be added again
570 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(0)),
573 // on this read, DKEK key will be added again
574 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
578 // tries to access other application data with permission
579 RUNNER_TEST(T3032_manager_deprecated_access_allowed)
581 CharPtr top_label = get_label();
582 ScopedSaveData ssd(TEST_ALIAS);
584 allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
586 ScopedLabel sl(TEST_LABEL2);
588 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
592 // tries to read other application data with permission for read/remove
593 RUNNER_TEST(T3033_manager_deprecated_access_allowed_with_remove)
595 CharPtr top_label = get_label();
596 ScopedSaveData ssd(TEST_ALIAS);
598 allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
600 ScopedLabel sl(TEST_LABEL2);
602 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
606 // tries to remove other application data with permission for reading only
607 RUNNER_TEST(T3034_manager_deprecated_access_allowed_remove_denied)
609 CharPtr top_label = get_label();
610 ScopedSaveData ssd(TEST_ALIAS);
612 allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
614 ScopedLabel sl(TEST_LABEL2);
616 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
617 check_remove_denied(TEST_ALIAS_adr.c_str());
618 check_read_allowed(TEST_ALIAS_adr.c_str());
622 // tries to remove other application data with permission
623 RUNNER_TEST(T3035_manager_deprecated_remove_allowed)
625 CharPtr top_label = get_label();
626 ScopedSaveData ssd(TEST_ALIAS);
628 allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
630 ScopedLabel sl(TEST_LABEL2);
632 check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
637 /////////////////////////////////////////////////////////////////////////////
640 // invalid argument check
641 RUNNER_TEST(T3101_control_allow_access_invalid)
644 ret = ckmc_set_permission_by_adm(USER_ROOT, "alias", "accessor", CKMC_PERMISSION_READ);
645 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
646 ret = ckmc_set_permission_by_adm(USER_ROOT, "owner alias", NULL, CKMC_PERMISSION_READ);
647 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
650 std::string aliasLabel = aliasWithLabel(get_label().get(), TEST_ALIAS);
651 ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
652 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
655 // invalid argument check
656 RUNNER_TEST(T3102_control_deny_access_invalid)
658 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
659 ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NULL, "alias").c_str(), "accessor", CKMC_PERMISSION_NONE));
660 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
661 ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), NULL, CKMC_PERMISSION_NONE));
664 std::string aliasLabel = aliasWithLabel(get_label().get(), TEST_ALIAS);
665 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
666 ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), TEST_LABEL, CKMC_PERMISSION_NONE));
669 // tries to allow access for non existing alias
670 RUNNER_TEST(T3103_control_allow_access_non_existing)
672 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_READ);
673 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
674 "Allowing access for non existing alias returned " << ret);
677 // tries to deny access for non existing alias
678 RUNNER_TEST(T3104_control_deny_access_non_existing)
680 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
681 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
682 "Denying access for non existing alias returned " << ret);
685 // tries to deny non existing access
686 RUNNER_TEST(T3105_control_deny_access_non_existing_access)
688 ScopedSaveData ssd(TEST_ALIAS);
690 CharPtr label = get_label();
692 // deny non existing access to existing alias
693 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
694 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
695 "Denying non existing access returned: " << ret);
698 // tries to allow application to access its own data
699 RUNNER_TEST(T3106_control_allow_access_to_myself)
701 ScopedSaveData ssd(TEST_ALIAS);
703 CharPtr label = get_label();
704 int ret = ckmc_set_permission(TEST_ALIAS, label.get(), CKMC_PERMISSION_READ);
705 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
706 "Trying to allow myself returned: " << ret);
709 // tries to use admin API as a user
710 RUNNER_CHILD_TEST(T3110_control_allow_access_as_user)
712 switch_to_storage_user(TEST_LABEL);
713 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), "accessor", CKMC_PERMISSION_READ);
714 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
715 "Ordinary user should not be able to use control API. Error " << ret);
718 // tries to use admin API as a user
719 RUNNER_CHILD_TEST(T3111_control_allow_access_as_user)
721 switch_to_storage_user(TEST_LABEL);
722 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), "accessor", CKMC_PERMISSION_NONE);
723 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
724 "Ordinary user should not be able to use control API. Error " << ret);
727 // tries to read other application data with permission
728 RUNNER_TEST(T3121_control_access_allowed)
730 CharPtr top_label = get_label();
731 ScopedSaveData ssd(TEST_ALIAS);
733 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
735 ScopedLabel sl(TEST_LABEL2);
737 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
741 // tries to read other application data with permission to read/remove
742 RUNNER_TEST(T3122_control_access_allowed_with_remove)
744 CharPtr top_label = get_label();
745 ScopedSaveData ssd(TEST_ALIAS);
747 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
749 ScopedLabel sl(TEST_LABEL2);
751 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
755 // tries to remove other application data with permission to read
756 RUNNER_TEST(T3122_control_access_allowed_remove_denied)
758 CharPtr top_label = get_label();
759 ScopedSaveData ssd(TEST_ALIAS);
761 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
763 ScopedLabel sl(TEST_LABEL2);
765 check_remove_denied(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
769 // tries to remove other application data with permission
770 RUNNER_TEST(T3125_control_remove_allowed)
772 CharPtr top_label = get_label();
773 ScopedSaveData ssd(TEST_ALIAS);
775 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
777 ScopedLabel sl(TEST_LABEL2);
779 check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
783 // tries to access other application data after allow function has been called twice with different
785 RUNNER_TEST(T3126_control_double_allow)
787 CharPtr top_label = get_label();
788 ScopedSaveData ssd(TEST_ALIAS);
790 // access should be overwritten
791 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
792 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
794 ScopedLabel sl(TEST_LABEL2);
796 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
797 check_remove_denied(TEST_ALIAS_adr.c_str());
798 check_read_allowed(TEST_ALIAS_adr.c_str());
802 // tries to access other application data with permission and after permission has been revoked
803 RUNNER_TEST(T3127_control_allow_deny)
805 CharPtr top_label = get_label();
806 ScopedSaveData ssd(TEST_ALIAS);
808 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
810 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
812 ScopedLabel sl(TEST_LABEL2);
814 check_remove_denied(TEST_ALIAS_adr.c_str());
815 check_read_allowed(TEST_ALIAS_adr.c_str());
817 CharPtr label = get_label();
818 deny_access_by_adm(TEST_ALIAS, TEST_LABEL2);
820 ScopedLabel sl(TEST_LABEL2);
822 check_remove_not_visible(TEST_ALIAS_adr.c_str());
823 check_read_not_visible(TEST_ALIAS_adr.c_str());
827 // checks if only aliases readable by given app are returned
828 RUNNER_TEST(T3130_control_get_all_aliases)
830 ScopedSaveData ssd1(TEST_ALIAS);
831 ScopedSaveData ssd2(TEST_ALIAS2);
833 int count = count_aliases();
835 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
837 ScopedLabel sl(TEST_LABEL2);
839 // check that app can access other aliases when it has permission
840 check_alias_count(count - 1);
842 ScopedSaveData ssd3(TEST_ALIAS3);
844 // check that app can access its own aliases
845 check_alias_count(count - 1 + 1);
848 deny_access_by_adm(TEST_ALIAS, TEST_LABEL2);
850 ScopedLabel sl(TEST_LABEL2);
852 // check that app can't access other aliases for which permission has been revoked
853 check_alias_count(count - 2);
857 // tries to add access to data in a database of invalid user
858 RUNNER_TEST(T3140_control_allow_invalid_user)
860 ScopedSaveData ssd(TEST_ALIAS);
862 int ret = ckmc_set_permission_by_adm(
863 APP_UID, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
864 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
865 "Trying to allow access to invalid user returned: " << ret);
868 // tries to revoke access to data in a database of invalid user
869 RUNNER_TEST(T3141_control_deny_invalid_user)
871 ScopedSaveData ssd(TEST_ALIAS);
873 int ret = ckmc_set_permission_by_adm(APP_UID, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), TEST_LABEL2, CKMC_PERMISSION_NONE);
874 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
875 "Trying to deny access to invalid user returned: " << ret);
878 // tries to read other application data with permission
879 RUNNER_TEST(T3142_control_deprecated_access_allowed)
881 CharPtr top_label = get_label();
882 ScopedSaveData ssd(TEST_ALIAS);
884 allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
886 ScopedLabel sl(TEST_LABEL2);
888 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
892 // tries to read other application data with permission to read/remove
893 RUNNER_TEST(T3143_control_deprecated_access_allowed_with_remove)
895 CharPtr top_label = get_label();
896 ScopedSaveData ssd(TEST_ALIAS);
898 allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
900 ScopedLabel sl(TEST_LABEL2);
902 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
906 // tries to remove other application data with permission to read
907 RUNNER_TEST(T3144_control_deprecated_access_allowed_remove_denied)
909 CharPtr top_label = get_label();
910 ScopedSaveData ssd(TEST_ALIAS);
912 allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
914 ScopedLabel sl(TEST_LABEL2);
916 check_remove_denied(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
920 // tries to remove other application data with permission
921 RUNNER_TEST(T3145_control_deprecated_remove_allowed)
923 CharPtr top_label = get_label();
924 ScopedSaveData ssd(TEST_ALIAS);
926 allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
928 ScopedLabel sl(TEST_LABEL2);
930 check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
935 RUNNER_TEST(T3999_deinit)
938 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(APP_UID)),
940 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(APP_UID)),
942 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(USER_ROOT)),
944 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(USER_ROOT)),