4 #include <dpl/test/test_runner.h>
5 #include <dpl/test/test_runner_child.h>
7 #include <tests_common.h>
8 #include <ckm-common.h>
9 #include <access_provider2.h>
11 #include <ckmc/ckmc-manager.h>
12 #include <ckmc/ckmc-control.h>
13 #include <ckmc/ckmc-type.h>
14 #include <ckmc/ckmc-error.h>
16 #include <ckm/ckm-type.h>
20 const uid_t USER_ROOT = 0;
21 const char* APP_PASS = "user-pass";
22 const char* ROOT_PASS = "test-pass";
24 const char* NO_ALIAS = "definitely-non-existent-alias";
25 const char* NO_OWNER = "definitely-non-existent-owner";
27 const char* TEST_ALIAS = "test-alias";
28 const char* TEST_ALIAS2 = "test-alias2";
29 const char* TEST_ALIAS3 = "test-alias3";
31 const char* TEST_LABEL = "test-label";
32 const char* TEST_LABEL2 = "test-label2";
33 const char* TEST_LABEL3 = "test-label3";
34 const char* TEST_LABEL4 = "test-label4";
36 const char* TEST_DATA = "dsflsdkghkslhglrtghierhgilrehgidsafasdffsgfdgdgfdgfdgfdgfdggf";
38 void save_data(const char* alias, const char *data)
40 ckmc_raw_buffer_s buffer;
41 buffer.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
42 buffer.size = strlen(data);
44 policy.password = NULL;
45 policy.extractable = true;
47 int ret = ckmc_save_data(alias, buffer, policy);
48 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Saving data failed. Error: " << ret);
51 void save_data(const char* alias)
53 save_data(alias, TEST_DATA);
56 void check_remove_allowed(const char* alias)
58 int ret = ckmc_remove_alias(alias);
59 // remove, but ignore non existing
60 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret || CKMC_ERROR_DB_ALIAS_UNKNOWN,
61 "Removing data failed: " << CKMCErrorToString(ret));
64 void check_remove_denied(const char* alias)
66 int ret = ckmc_remove_alias(alias);
68 CKMC_ERROR_PERMISSION_DENIED == ret,
69 "App with different label shouldn't have rights to remove this data. Error: " << ret);
72 void check_remove_not_visible(const char* alias)
74 int ret = ckmc_remove_alias(alias);
76 CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
77 "App with different label shouldn't have rights to see this data. Error: " << ret);
80 void check_read(const char* alias, const char *label, const char *test_data, int expected_code = CKMC_ERROR_NONE)
82 ckmc_raw_buffer_s* buffer = NULL;
83 int ret = ckmc_get_data(aliasWithLabel(label, alias).c_str(), NULL, &buffer);
84 RUNNER_ASSERT_MSG(expected_code == ret, "Getting data failed. Expected code: " << expected_code << ", while result: " << CKMCErrorToString(ret));
86 if(expected_code == CKMC_ERROR_NONE)
88 // compare data with expected
90 buffer->size == strlen(test_data),
91 "Extracted data length do not match expected data length (encrypted?).");
94 memcmp(const_cast<const char*>(reinterpret_cast<char*>(buffer->data)), test_data, buffer->size) == 0,
95 "Extracted data do not match expected data (encrypted?).");
97 ckmc_buffer_free(buffer);
101 void check_read_allowed(const char* alias, const char *data)
103 // try to read previously saved data - label taken implicitly
104 check_read(alias, 0, data);
106 void check_read_allowed(const char* alias)
108 check_read_allowed(alias, TEST_DATA);
111 void check_read_not_visible(const char* alias)
113 // try to read previously saved data - label taken implicitly
115 ckmc_raw_buffer_s* buffer = NULL;
116 int ret = ckmc_get_data(alias, NULL, &buffer);
117 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
118 "App with different label shouldn't have rights to see this data." << CKMCErrorToString(ret));
119 ckmc_buffer_free(buffer);
123 void allow_access_deprecated(const char* alias, const char* accessor, ckmc_access_right_e accessRights)
125 int ret = ckmc_allow_access(alias, accessor, accessRights);
126 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
129 void allow_access(const char* alias, const char* accessor, int permissionMask)
131 // data removal should revoke this access
132 int ret = ckmc_set_permission(alias, accessor, permissionMask);
133 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
136 void allow_access_negative(const char* alias, const char* accessor, int permissionMask, int expectedCode)
138 // data removal should revoke this access
139 int ret = ckmc_set_permission(alias, accessor, permissionMask);
140 RUNNER_ASSERT_MSG(expectedCode == ret, "Trying to allow access returned " << CKMCErrorToString(ret) << ", while expected: " << CKMCErrorToString(expectedCode));
143 void deny_access(const char* alias, const char* accessor)
145 int ret = ckmc_set_permission(alias, accessor, CKMC_PERMISSION_NONE);
146 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. Error: " << CKMCErrorToString(ret));
149 void deny_access_negative(const char* alias, const char* accessor, int expectedCode)
151 int ret = ckmc_set_permission(alias, accessor, CKMC_PERMISSION_NONE);
152 RUNNER_ASSERT_MSG(expectedCode == ret, "Denying access failed. " << CKMCErrorToString(ret) << ", while expected: " << CKMCErrorToString(expectedCode));
155 void allow_access_deprecated_by_adm(const char* alias, const char* accessor, ckmc_access_right_e accessRights)
157 // data removal should revoke this access
158 int ret = ckmc_allow_access_by_adm(USER_ROOT, get_label().get(), alias, accessor, accessRights);
159 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
162 void allow_access_by_adm(const char* alias, const char* accessor, int permissionMask)
164 // data removal should revoke this access
165 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), alias).c_str(), accessor, permissionMask);
166 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
169 void deny_access_by_adm(const char* alias, const char* accessor)
171 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), alias).c_str(), accessor, CKMC_PERMISSION_NONE);
172 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. " << CKMCErrorToString(ret));
177 ckmc_alias_list_s *aliasList = NULL;
178 int ret = ckmc_get_data_alias_list(&aliasList);
179 if (ret == CKMC_ERROR_DB_ALIAS_UNKNOWN)
182 RUNNER_ASSERT_MSG(ret == 0, "Failed to get the list of data aliases. " << CKMCErrorToString(ret));
184 ckmc_alias_list_s *plist = aliasList;
191 ckmc_alias_list_all_free(aliasList);
195 void check_alias_count(int expected)
197 int count = count_aliases();
198 RUNNER_ASSERT_MSG(count == expected, "Expected " << expected << " aliases, got " << count);
201 // saves data upon construction and deletes it upon destruction
205 ScopedSaveData(const char* alias) : m_alias(alias)
209 ScopedSaveData(const char* alias, const char *data) : m_alias(alias)
211 save_data(alias, data);
217 * Let it throw. If we can't remove data then remaining tests results will be
220 check_remove_allowed(m_alias);
226 } // namespace anonymous
228 RUNNER_TEST_GROUP_INIT (T300_CKMC_ACCESS_CONTROL_C_API);
231 /////////////////////////////////////////////////////////////////////////////
233 RUNNER_TEST(T3000_init)
236 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_unlock_user_key(APP_UID, APP_PASS)), CKMCErrorToString(temp));
237 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(APP_UID)), CKMCErrorToString(temp));
238 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_unlock_user_key(USER_ROOT, ROOT_PASS)), CKMCErrorToString(temp));
239 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(USER_ROOT)), CKMCErrorToString(temp));
243 // invalid arguments check
244 RUNNER_TEST(T3001_manager_allow_access_invalid)
247 CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_READ));
249 CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_READ));
252 // invalid arguments check
253 RUNNER_TEST(T3002_manager_deny_access_invalid)
255 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_NONE));
256 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_NONE));
259 // tries to allow access for non existing alias
260 RUNNER_CHILD_TEST(T3003_manager_allow_access_non_existing)
262 switch_to_storage_user(TEST_LABEL);
264 int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_READ);
265 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
266 "Allowing access for non existing alias returned " << CKMCErrorToString(ret));
269 // tries to deny access for non existing alias
270 RUNNER_CHILD_TEST(T3004_manager_deny_access_non_existing)
272 switch_to_storage_user(TEST_LABEL);
274 int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_NONE);
275 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
276 "Denying access for non existing alias returned " << CKMCErrorToString(ret));
279 // tries to deny access that does not exist in database
280 RUNNER_CHILD_TEST(T3005_manager_deny_access_non_existing_access)
282 switch_to_storage_user(TEST_LABEL);
284 ScopedSaveData ssd(TEST_ALIAS);
286 // deny non existing access to existing alias
287 int ret = ckmc_set_permission(TEST_ALIAS, "label", CKMC_PERMISSION_NONE);
288 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
289 "Denying non existing access returned: " << CKMCErrorToString(ret));
292 // tries to allow access to application own data
293 RUNNER_CHILD_TEST(T3006_manager_allow_access_to_myself)
295 switch_to_storage_user(TEST_LABEL);
297 ScopedSaveData ssd(TEST_ALIAS);
299 CharPtr label = get_label();
300 int ret = ckmc_set_permission(TEST_ALIAS, label.get(), CKMC_PERMISSION_READ);
301 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
302 "Trying to allow myself returned: " << CKMCErrorToString(ret));
305 // verifies that alias can not contain forbidden characters
306 RUNNER_CHILD_TEST(T3007_manager_check_alias_valid)
308 switch_to_storage_user(TEST_LABEL);
309 ScopedSaveData ssd(TEST_ALIAS);
311 std::string test_alias_playground = std::string("AAA BBB CCC");
312 check_read(test_alias_playground.c_str(), 0, TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
314 // control: expect success
315 check_read(TEST_ALIAS, 0, TEST_DATA);
316 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
319 // verifies that label can not contain forbidden characters
320 RUNNER_CHILD_TEST(T3008_manager_check_label_valid)
322 switch_to_storage_user(TEST_LABEL);
323 ScopedSaveData ssd(TEST_ALIAS);
326 std::string test_label_playground = std::string("AAA BBB CCC");
327 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
329 // insert part of the separator in the middle
330 test_label_playground = std::string(TEST_LABEL);
331 test_label_playground.insert(test_label_playground.size()/2, ckmc_label_name_separator);
332 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
335 test_label_playground = std::string(TEST_LABEL);
336 test_label_playground.insert(0, ckmc_label_name_separator);
337 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
340 test_label_playground = std::string(TEST_LABEL);
341 test_label_playground.append(ckmc_label_name_separator);
342 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
344 // control: expect success
345 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
348 // tries to access other application data without permission
349 RUNNER_TEST(T3020_manager_access_not_allowed)
351 CharPtr top_label = get_label();
353 ScopedSaveData ssd(TEST_ALIAS);
355 ScopedLabel sl(TEST_LABEL2);
357 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
358 check_read_not_visible(TEST_ALIAS_adr.c_str());
359 check_remove_not_visible(TEST_ALIAS_adr.c_str());
363 // tries to access other application data with permission
364 RUNNER_TEST(T3021_manager_access_allowed)
366 CharPtr top_label = get_label();
367 ScopedSaveData ssd(TEST_ALIAS);
369 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
371 ScopedLabel sl(TEST_LABEL2);
373 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
377 // tries to read other application data with permission for read/remove
378 RUNNER_TEST(T3022_manager_access_allowed_with_remove)
380 CharPtr top_label = get_label();
381 ScopedSaveData ssd(TEST_ALIAS);
383 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
385 ScopedLabel sl(TEST_LABEL2);
387 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
391 // tries to remove other application data with permission for reading only
392 RUNNER_TEST(T3023_manager_access_allowed_remove_denied)
394 CharPtr top_label = get_label();
395 ScopedSaveData ssd(TEST_ALIAS);
397 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
399 ScopedLabel sl(TEST_LABEL2);
401 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
402 check_remove_denied(TEST_ALIAS_adr.c_str());
403 check_read_allowed(TEST_ALIAS_adr.c_str());
407 // tries to remove other application data with permission
408 RUNNER_TEST(T3025_manager_remove_allowed)
410 CharPtr top_label = get_label();
411 ScopedSaveData ssd(TEST_ALIAS);
413 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
415 ScopedLabel sl(TEST_LABEL2);
417 check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
421 // tries to access other application data after allow function was called twice with different
423 RUNNER_TEST(T3026_manager_double_allow)
425 CharPtr top_label = get_label();
426 ScopedSaveData ssd(TEST_ALIAS);
428 // access should be overwritten
429 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
430 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
432 ScopedLabel sl(TEST_LABEL2);
434 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
435 check_remove_denied(TEST_ALIAS_adr.c_str());
436 check_read_allowed(TEST_ALIAS_adr.c_str());
440 // tries to access application data with permission and after permission has been revoked
441 RUNNER_TEST(T3027_manager_allow_deny)
443 CharPtr top_label = get_label();
444 ScopedSaveData ssd(TEST_ALIAS);
446 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
448 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
450 ScopedLabel sl(TEST_LABEL2);
452 check_remove_denied(TEST_ALIAS_adr.c_str());
453 check_read_allowed(TEST_ALIAS_adr.c_str());
456 deny_access(TEST_ALIAS, TEST_LABEL2);
458 ScopedLabel sl(TEST_LABEL2);
460 check_remove_not_visible(TEST_ALIAS_adr.c_str());
461 check_read_not_visible(TEST_ALIAS_adr.c_str());
465 RUNNER_TEST(T3028_manager_access_by_label)
467 CharPtr top_label = get_label();
468 const char *additional_data = "label-2-data";
469 ScopedSaveData ssd(TEST_ALIAS);
471 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
473 ScopedLabel sl(TEST_LABEL2);
474 ScopedSaveData ssd(TEST_ALIAS, additional_data);
475 allow_access(TEST_ALIAS, top_label.get(), CKMC_PERMISSION_READ);
477 // test if accessing valid alias (of label2 domain)
478 check_read_allowed(TEST_ALIAS, additional_data);
480 // this has to be done here - in the scope, otherwise
481 // scope destructor will remove the TEST_LABEL2::TEST_ALIAS
483 ScopedLabel sl(top_label.get());
485 // test if can access label2 alias from label1 domain - should succeed
486 check_read_allowed(aliasWithLabel(TEST_LABEL2, TEST_ALIAS).c_str(), additional_data);
490 // test if accessing valid alias (of label1 domain)
491 check_read_allowed(TEST_ALIAS);
493 // access should not be possible - already left the LABEL2 scope, object should be removed
494 check_read_not_visible(aliasWithLabel(TEST_LABEL2, TEST_ALIAS).c_str());
497 // tries to modify another label's permission
498 RUNNER_TEST(T3029_manager_access_modification_by_foreign_label)
500 ScopedLabel sl(TEST_LABEL);
501 ScopedSaveData ssd(TEST_ALIAS);
502 allow_access(TEST_ALIAS, TEST_LABEL3, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
504 ScopedLabel sl(TEST_LABEL2);
506 allow_access_negative(aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str(), TEST_LABEL4, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE, CKMC_ERROR_PERMISSION_DENIED);
507 deny_access_negative (aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str(), TEST_LABEL4, CKMC_ERROR_PERMISSION_DENIED);
511 // checks if only aliases readable by given app are returned
512 RUNNER_TEST(T3030_manager_get_all_aliases)
514 ScopedSaveData ssd1(TEST_ALIAS);
515 ScopedSaveData ssd2(TEST_ALIAS2);
517 int count = count_aliases();
519 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
521 ScopedLabel sl(TEST_LABEL2);
523 // check that app can access other aliases when it has permission
524 check_alias_count(count - 1);
526 ScopedSaveData ssd3(TEST_ALIAS3);
528 // check that app can access its own aliases
529 check_alias_count(count - 1 + 1);
532 deny_access(TEST_ALIAS, TEST_LABEL2);
534 ScopedLabel sl(TEST_LABEL2);
536 // check that app can't access other aliases for which permission has been revoked
537 check_alias_count(count - 2);
541 RUNNER_TEST(T3031_manager_test_decrypt_from_another_label)
544 CharPtr top_label = get_label();
545 ScopedSaveData ssd(TEST_ALIAS);
547 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
549 ScopedLabel sl(TEST_LABEL2);
551 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
553 // remove the DKEK key - so that on read it must be added again
554 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(0)), CKMCErrorToString(temp));
556 // on this read, DKEK key will be added again
557 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
561 // tries to access other application data with permission
562 RUNNER_TEST(T3032_manager_deprecated_access_allowed)
564 CharPtr top_label = get_label();
565 ScopedSaveData ssd(TEST_ALIAS);
567 allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
569 ScopedLabel sl(TEST_LABEL2);
571 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
575 // tries to read other application data with permission for read/remove
576 RUNNER_TEST(T3033_manager_deprecated_access_allowed_with_remove)
578 CharPtr top_label = get_label();
579 ScopedSaveData ssd(TEST_ALIAS);
581 allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
583 ScopedLabel sl(TEST_LABEL2);
585 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
589 // tries to remove other application data with permission for reading only
590 RUNNER_TEST(T3034_manager_deprecated_access_allowed_remove_denied)
592 CharPtr top_label = get_label();
593 ScopedSaveData ssd(TEST_ALIAS);
595 allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
597 ScopedLabel sl(TEST_LABEL2);
599 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
600 check_remove_denied(TEST_ALIAS_adr.c_str());
601 check_read_allowed(TEST_ALIAS_adr.c_str());
605 // tries to remove other application data with permission
606 RUNNER_TEST(T3035_manager_deprecated_remove_allowed)
608 CharPtr top_label = get_label();
609 ScopedSaveData ssd(TEST_ALIAS);
611 allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
613 ScopedLabel sl(TEST_LABEL2);
615 check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
620 /////////////////////////////////////////////////////////////////////////////
623 // invalid argument check
624 RUNNER_TEST(T3101_control_allow_access_invalid)
627 ret = ckmc_set_permission_by_adm(USER_ROOT, "alias", "accessor", CKMC_PERMISSION_READ);
628 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
629 ret = ckmc_set_permission_by_adm(USER_ROOT, "owner alias", NULL, CKMC_PERMISSION_READ);
630 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
633 std::string aliasLabel = aliasWithLabel(get_label().get(), TEST_ALIAS);
634 ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
635 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
638 // invalid argument check
639 RUNNER_TEST(T3102_control_deny_access_invalid)
641 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
642 ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NULL, "alias").c_str(), "accessor", CKMC_PERMISSION_NONE));
643 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
644 ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), NULL, CKMC_PERMISSION_NONE));
647 std::string aliasLabel = aliasWithLabel(get_label().get(), TEST_ALIAS);
648 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
649 ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), TEST_LABEL, CKMC_PERMISSION_NONE));
652 // tries to allow access for non existing alias
653 RUNNER_TEST(T3103_control_allow_access_non_existing)
655 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_READ);
656 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
657 "Allowing access for non existing alias returned " << CKMCErrorToString(ret));
660 // tries to deny access for non existing alias
661 RUNNER_TEST(T3104_control_deny_access_non_existing)
663 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
664 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
665 "Denying access for non existing alias returned " << CKMCErrorToString(ret));
668 // tries to deny non existing access
669 RUNNER_TEST(T3105_control_deny_access_non_existing_access)
671 ScopedSaveData ssd(TEST_ALIAS);
673 CharPtr label = get_label();
675 // deny non existing access to existing alias
676 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
677 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
678 "Denying non existing access returned: " << CKMCErrorToString(ret));
681 // tries to allow application to access its own data
682 RUNNER_TEST(T3106_control_allow_access_to_myself)
684 ScopedSaveData ssd(TEST_ALIAS);
686 CharPtr label = get_label();
687 int ret = ckmc_set_permission(TEST_ALIAS, label.get(), CKMC_PERMISSION_READ);
688 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
689 "Trying to allow myself returned: " << CKMCErrorToString(ret));
692 // tries to use admin API as a user
693 RUNNER_CHILD_TEST(T3110_control_allow_access_as_user)
695 switch_to_storage_user(TEST_LABEL);
696 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), "accessor", CKMC_PERMISSION_READ);
697 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
698 "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret));
701 // tries to use admin API as a user
702 RUNNER_CHILD_TEST(T3111_control_allow_access_as_user)
704 switch_to_storage_user(TEST_LABEL);
705 int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), "accessor", CKMC_PERMISSION_NONE);
706 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
707 "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret));
710 // tries to read other application data with permission
711 RUNNER_TEST(T3121_control_access_allowed)
713 CharPtr top_label = get_label();
714 ScopedSaveData ssd(TEST_ALIAS);
716 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
718 ScopedLabel sl(TEST_LABEL2);
720 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
724 // tries to read other application data with permission to read/remove
725 RUNNER_TEST(T3122_control_access_allowed_with_remove)
727 CharPtr top_label = get_label();
728 ScopedSaveData ssd(TEST_ALIAS);
730 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
732 ScopedLabel sl(TEST_LABEL2);
734 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
738 // tries to remove other application data with permission to read
739 RUNNER_TEST(T3122_control_access_allowed_remove_denied)
741 CharPtr top_label = get_label();
742 ScopedSaveData ssd(TEST_ALIAS);
744 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
746 ScopedLabel sl(TEST_LABEL2);
748 check_remove_denied(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
752 // tries to remove other application data with permission
753 RUNNER_TEST(T3125_control_remove_allowed)
755 CharPtr top_label = get_label();
756 ScopedSaveData ssd(TEST_ALIAS);
758 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
760 ScopedLabel sl(TEST_LABEL2);
762 check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
766 // tries to access other application data after allow function has been called twice with different
768 RUNNER_TEST(T3126_control_double_allow)
770 CharPtr top_label = get_label();
771 ScopedSaveData ssd(TEST_ALIAS);
773 // access should be overwritten
774 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
775 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
777 ScopedLabel sl(TEST_LABEL2);
779 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
780 check_remove_denied(TEST_ALIAS_adr.c_str());
781 check_read_allowed(TEST_ALIAS_adr.c_str());
785 // tries to access other application data with permission and after permission has been revoked
786 RUNNER_TEST(T3127_control_allow_deny)
788 CharPtr top_label = get_label();
789 ScopedSaveData ssd(TEST_ALIAS);
791 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
793 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
795 ScopedLabel sl(TEST_LABEL2);
797 check_remove_denied(TEST_ALIAS_adr.c_str());
798 check_read_allowed(TEST_ALIAS_adr.c_str());
800 CharPtr label = get_label();
801 deny_access_by_adm(TEST_ALIAS, TEST_LABEL2);
803 ScopedLabel sl(TEST_LABEL2);
805 check_remove_not_visible(TEST_ALIAS_adr.c_str());
806 check_read_not_visible(TEST_ALIAS_adr.c_str());
810 // checks if only aliases readable by given app are returned
811 RUNNER_TEST(T3130_control_get_all_aliases)
813 ScopedSaveData ssd1(TEST_ALIAS);
814 ScopedSaveData ssd2(TEST_ALIAS2);
816 int count = count_aliases();
818 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
820 ScopedLabel sl(TEST_LABEL2);
822 // check that app can access other aliases when it has permission
823 check_alias_count(count - 1);
825 ScopedSaveData ssd3(TEST_ALIAS3);
827 // check that app can access its own aliases
828 check_alias_count(count - 1 + 1);
831 deny_access_by_adm(TEST_ALIAS, TEST_LABEL2);
833 ScopedLabel sl(TEST_LABEL2);
835 // check that app can't access other aliases for which permission has been revoked
836 check_alias_count(count - 2);
840 // tries to add access to data in a database of invalid user
841 RUNNER_TEST(T3140_control_allow_invalid_user)
843 ScopedSaveData ssd(TEST_ALIAS);
845 int ret = ckmc_set_permission_by_adm(
846 APP_UID, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
847 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
848 "Trying to allow access to invalid user returned: " << CKMCErrorToString(ret));
851 // tries to revoke access to data in a database of invalid user
852 RUNNER_TEST(T3141_control_deny_invalid_user)
854 ScopedSaveData ssd(TEST_ALIAS);
856 int ret = ckmc_set_permission_by_adm(APP_UID, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), TEST_LABEL2, CKMC_PERMISSION_NONE);
857 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
858 "Trying to deny access to invalid user returned: " << CKMCErrorToString(ret));
861 // tries to read other application data with permission
862 RUNNER_TEST(T3142_control_deprecated_access_allowed)
864 CharPtr top_label = get_label();
865 ScopedSaveData ssd(TEST_ALIAS);
867 allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
869 ScopedLabel sl(TEST_LABEL2);
871 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
875 // tries to read other application data with permission to read/remove
876 RUNNER_TEST(T3143_control_deprecated_access_allowed_with_remove)
878 CharPtr top_label = get_label();
879 ScopedSaveData ssd(TEST_ALIAS);
881 allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
883 ScopedLabel sl(TEST_LABEL2);
885 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
889 // tries to remove other application data with permission to read
890 RUNNER_TEST(T3144_control_deprecated_access_allowed_remove_denied)
892 CharPtr top_label = get_label();
893 ScopedSaveData ssd(TEST_ALIAS);
895 allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
897 ScopedLabel sl(TEST_LABEL2);
899 check_remove_denied(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
903 // tries to remove other application data with permission
904 RUNNER_TEST(T3145_control_deprecated_remove_allowed)
906 CharPtr top_label = get_label();
907 ScopedSaveData ssd(TEST_ALIAS);
909 allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
911 ScopedLabel sl(TEST_LABEL2);
913 check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
918 RUNNER_TEST(T3999_deinit)
921 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(APP_UID)), CKMCErrorToString(temp));
922 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(APP_UID)), CKMCErrorToString(temp));
923 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(USER_ROOT)), CKMCErrorToString(temp));
924 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(USER_ROOT)), CKMCErrorToString(temp));