#include <ckm/ckm-type.h>
namespace {
+const int USER_ROOT = 0;
+const int APP_1 = 6000;
+const int GROUP_1 = 6000;
+const int APP_2 = 6200;
+const int GROUP_2 = 6200;
+const char * const APP_PASS_1 = "app-pass-1";
+const char * const APP_PASS_2 = "app-pass-2";
+const char* APP_LABEL_1 = "APP_LABEL_1";
+const char* APP_LABEL_2 = "APP_LABEL_2";
+const char* APP_LABEL_3 = "APP_LABEL_3";
+const char* APP_LABEL_4 = "APP_LABEL_4";
-const uid_t USER_ROOT = 0;
-const char* APP_PASS = "user-pass";
-const char* ROOT_PASS = "test-pass";
const char* NO_ALIAS = "definitely-non-existent-alias";
const char* NO_OWNER = "definitely-non-existent-owner";
const char* TEST_ALIAS2 = "test-alias2";
const char* TEST_ALIAS3 = "test-alias3";
-const char* TEST_LABEL = "test-label";
-const char* TEST_LABEL2 = "test-label2";
-const char* TEST_LABEL3 = "test-label3";
-const char* TEST_LABEL4 = "test-label4";
-
const char* TEST_DATA = "dsflsdkghkslhglrtghierhgilrehgidsafasdffsgfdgdgfdgfdgfdgfdggf";
-void save_data(const char* alias, const char *data)
-{
- ckmc_raw_buffer_s buffer;
- buffer.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
- buffer.size = strlen(data);
- ckmc_policy_s policy;
- policy.password = NULL;
- policy.extractable = true;
-
- int ret = ckmc_save_data(alias, buffer, policy);
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Saving data failed. Error: " << ret);
-}
-
-void save_data(const char* alias)
-{
- save_data(alias, TEST_DATA);
-}
-
-void check_remove_allowed(const char* alias)
-{
- int ret = ckmc_remove_alias(alias);
- // remove, but ignore non existing
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret || CKMC_ERROR_DB_ALIAS_UNKNOWN,
- "Removing data failed: " << CKMCErrorToString(ret));
-}
-
-void check_remove_denied(const char* alias)
-{
- int ret = ckmc_remove_alias(alias);
- RUNNER_ASSERT_MSG(
- CKMC_ERROR_PERMISSION_DENIED == ret,
- "App with different label shouldn't have rights to remove this data. Error: " << ret);
-}
-
-void check_remove_not_visible(const char* alias)
-{
- int ret = ckmc_remove_alias(alias);
- RUNNER_ASSERT_MSG(
- CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
- "App with different label shouldn't have rights to see this data. Error: " << ret);
-}
-
-void check_read(const char* alias, const char *label, const char *test_data, int expected_code = CKMC_ERROR_NONE)
-{
- ckmc_raw_buffer_s* buffer = NULL;
- int ret = ckmc_get_data(aliasWithLabel(label, alias).c_str(), NULL, &buffer);
- RUNNER_ASSERT_MSG(expected_code == ret, "Getting data failed. Expected code: " << expected_code << ", while result: " << CKMCErrorToString(ret));
-
- if(expected_code == CKMC_ERROR_NONE)
- {
- // compare data with expected
- RUNNER_ASSERT_MSG(
- buffer->size == strlen(test_data),
- "Extracted data length do not match expected data length (encrypted?).");
-
- RUNNER_ASSERT_MSG(
- memcmp(const_cast<const char*>(reinterpret_cast<char*>(buffer->data)), test_data, buffer->size) == 0,
- "Extracted data do not match expected data (encrypted?).");
-
- ckmc_buffer_free(buffer);
- }
-}
-
-void check_read_allowed(const char* alias, const char *data)
-{
- // try to read previously saved data - label taken implicitly
- check_read(alias, 0, data);
-}
-void check_read_allowed(const char* alias)
-{
- check_read_allowed(alias, TEST_DATA);
-}
-
-void check_read_not_visible(const char* alias)
-{
- // try to read previously saved data - label taken implicitly
- {
- ckmc_raw_buffer_s* buffer = NULL;
- int ret = ckmc_get_data(alias, NULL, &buffer);
- RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
- "App with different label shouldn't have rights to see this data." << CKMCErrorToString(ret));
- ckmc_buffer_free(buffer);
- }
-}
-
void allow_access_deprecated(const char* alias, const char* accessor, ckmc_access_right_e accessRights)
{
int ret = ckmc_allow_access(alias, accessor, accessRights);
RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
}
-void allow_access(const char* alias, const char* accessor, int permissionMask)
-{
- // data removal should revoke this access
- int ret = ckmc_set_permission(alias, accessor, permissionMask);
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
-}
-
-void allow_access_negative(const char* alias, const char* accessor, int permissionMask, int expectedCode)
-{
- // data removal should revoke this access
- int ret = ckmc_set_permission(alias, accessor, permissionMask);
- RUNNER_ASSERT_MSG(expectedCode == ret, "Trying to allow access returned " << CKMCErrorToString(ret) << ", while expected: " << CKMCErrorToString(expectedCode));
-}
-
-void deny_access(const char* alias, const char* accessor)
-{
- int ret = ckmc_set_permission(alias, accessor, CKMC_PERMISSION_NONE);
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. Error: " << CKMCErrorToString(ret));
-}
-
-void deny_access_negative(const char* alias, const char* accessor, int expectedCode)
-{
- int ret = ckmc_set_permission(alias, accessor, CKMC_PERMISSION_NONE);
- RUNNER_ASSERT_MSG(expectedCode == ret, "Denying access failed. " << CKMCErrorToString(ret) << ", while expected: " << CKMCErrorToString(expectedCode));
-}
-
-void allow_access_deprecated_by_adm(const char* alias, const char* accessor, ckmc_access_right_e accessRights)
+void allow_access_deprecated_by_adm(uid_t uid, const char *label, const char* alias, const char* accessor, ckmc_access_right_e accessRights)
{
// data removal should revoke this access
- int ret = ckmc_allow_access_by_adm(USER_ROOT, get_label().get(), alias, accessor, accessRights);
+ int ret = ckmc_allow_access_by_adm(uid, label, alias, accessor, accessRights);
RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
}
-void allow_access_by_adm(const char* alias, const char* accessor, int permissionMask)
+void allow_access_by_adm(uid_t uid, const char *label, const char* alias, const char* accessor, int permissionMask)
{
// data removal should revoke this access
- int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), alias).c_str(), accessor, permissionMask);
+ int ret = ckmc_set_permission_by_adm(uid, aliasWithLabel(label, alias).c_str(), accessor, permissionMask);
RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
}
-void deny_access_by_adm(const char* alias, const char* accessor)
+void deny_access_by_adm(uid_t uid, const char *label, const char* alias, const char* accessor)
{
- int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), alias).c_str(), accessor, CKMC_PERMISSION_NONE);
+ int ret = ckmc_set_permission_by_adm(uid, aliasWithLabel(label, alias).c_str(), accessor, CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. " << CKMCErrorToString(ret));
}
-int count_aliases()
-{
- ckmc_alias_list_s *aliasList = NULL;
- int ret = ckmc_get_data_alias_list(&aliasList);
- if (ret == CKMC_ERROR_DB_ALIAS_UNKNOWN)
- return 0;
-
- RUNNER_ASSERT_MSG(ret == 0, "Failed to get the list of data aliases. " << CKMCErrorToString(ret));
-
- ckmc_alias_list_s *plist = aliasList;
- int count = 0;
- while(plist)
- {
- plist = plist->next;
- count++;
- }
- ckmc_alias_list_all_free(aliasList);
- return count;
-}
-
-void check_alias_count(int expected)
+void check_alias_count(size_t expected)
{
- int count = count_aliases();
+ size_t count = count_aliases(ALIAS_DATA);
RUNNER_ASSERT_MSG(count == expected, "Expected " << expected << " aliases, got " << count);
}
-// saves data upon construction and deletes it upon destruction
-class ScopedSaveData
-{
-public:
- ScopedSaveData(const char* alias) : m_alias(alias)
- {
- save_data(alias);
- }
- ScopedSaveData(const char* alias, const char *data) : m_alias(alias)
- {
- save_data(alias, data);
- }
-
- ~ScopedSaveData()
- {
- /*
- * Let it throw. If we can't remove data then remaining tests results will be
- * unreliable anyway.
- */
- check_remove_allowed(m_alias);
- }
-private:
- const char* m_alias;
-};
-
} // namespace anonymous
-RUNNER_TEST_GROUP_INIT (T300_CKMC_ACCESS_CONTROL_C_API);
+RUNNER_TEST_GROUP_INIT (T300_CKMC_ACCESS_CONTROL_USER_C_API);
/////////////////////////////////////////////////////////////////////////////
// Manager
RUNNER_TEST(T3000_init)
{
- int temp;
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(APP_UID)), CKMCErrorToString(temp));
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_unlock_user_key(APP_UID, APP_PASS)), CKMCErrorToString(temp));
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(USER_ROOT)), CKMCErrorToString(temp));
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_unlock_user_key(USER_ROOT, ROOT_PASS)), CKMCErrorToString(temp));
+ reset_user_data(APP_1, APP_PASS_1);
+ reset_user_data(APP_2, APP_PASS_2);
}
// invalid arguments check
RUNNER_TEST(T3001_manager_allow_access_invalid)
{
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+
RUNNER_ASSERT(
CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_READ));
RUNNER_ASSERT(
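Review bot: The identity constants added at the top of the anonymous namespace are typed inconsistently. `USER_ROOT` changes from `uid_t` to `int`, and `APP_1`/`APP_2` are `int` although the reworked `*_by_adm` helpers in this hunk take `uid_t uid`. `APP_LABEL_1`..`APP_LABEL_4` are reassignable `const char*`, while `APP_PASS_1`/`APP_PASS_2` are `const char * const`. I would declare them uniformly, e.g. `const uid_t APP_1 = 6000;` and `const char * const APP_LABEL_1 = "APP_LABEL_1";`, so a uid or label used as a test identity cannot be reassigned or silently converted. The parameter types of `ScopedAccessProvider` are not visible in this diff, so `GROUP_1`/`GROUP_2` should follow whatever its signature declares.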
// invalid arguments check
RUNNER_TEST(T3002_manager_deny_access_invalid)
{
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+
RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_NONE));
RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_NONE));
}
// tries to allow access for non existing alias
RUNNER_CHILD_TEST(T3003_manager_allow_access_non_existing)
{
- switch_to_storage_user(TEST_LABEL);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_READ);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
// tries to deny access for non existing alias
RUNNER_CHILD_TEST(T3004_manager_deny_access_non_existing)
{
- switch_to_storage_user(TEST_LABEL);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
// tries to deny access that does not exist in database
RUNNER_CHILD_TEST(T3005_manager_deny_access_non_existing_access)
{
- switch_to_storage_user(TEST_LABEL);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
- ScopedSaveData ssd(TEST_ALIAS);
+ ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
// deny non existing access to existing alias
int ret = ckmc_set_permission(TEST_ALIAS, "label", CKMC_PERMISSION_NONE);
// tries to allow access to application own data
RUNNER_CHILD_TEST(T3006_manager_allow_access_to_myself)
{
- switch_to_storage_user(TEST_LABEL);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
- ScopedSaveData ssd(TEST_ALIAS);
+ ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
CharPtr label = get_label();
int ret = ckmc_set_permission(TEST_ALIAS, label.get(), CKMC_PERMISSION_READ);
// verifies that alias can not contain forbidden characters
RUNNER_CHILD_TEST(T3007_manager_check_alias_valid)
{
- switch_to_storage_user(TEST_LABEL);
- ScopedSaveData ssd(TEST_ALIAS);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+
+ ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
std::string test_alias_playground = std::string("AAA BBB CCC");
check_read(test_alias_playground.c_str(), 0, TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
// control: expect success
check_read(TEST_ALIAS, 0, TEST_DATA);
- check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
+ check_read(TEST_ALIAS, APP_LABEL_1, TEST_DATA);
}
// verifies that label can not contain forbidden characters
RUNNER_CHILD_TEST(T3008_manager_check_label_valid)
{
- switch_to_storage_user(TEST_LABEL);
- ScopedSaveData ssd(TEST_ALIAS);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+
+ ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
// basic test
- std::string test_label_playground = std::string("AAA BBB CCC");
- check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
+ std::string APP_LABEL_1_playground = std::string("AAA BBB CCC");
+ check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
// insert part of the separator in the middle
- test_label_playground = std::string(TEST_LABEL);
- test_label_playground.insert(test_label_playground.size()/2, ckmc_label_name_separator);
- check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
+ APP_LABEL_1_playground = std::string(APP_LABEL_1);
+ APP_LABEL_1_playground.insert(APP_LABEL_1_playground.size()/2, ckmc_label_name_separator);
+ check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
// prepend separator
- test_label_playground = std::string(TEST_LABEL);
- test_label_playground.insert(0, ckmc_label_name_separator);
- check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
+ APP_LABEL_1_playground = std::string(APP_LABEL_1);
+ APP_LABEL_1_playground.insert(0, ckmc_label_name_separator);
+ check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
// append separator
- test_label_playground = std::string(TEST_LABEL);
- test_label_playground.append(ckmc_label_name_separator);
- check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
+ APP_LABEL_1_playground = std::string(APP_LABEL_1);
+ APP_LABEL_1_playground.append(ckmc_label_name_separator);
+ check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
// control: expect success
- check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
+ check_read(TEST_ALIAS, APP_LABEL_1, TEST_DATA);
}
+
// tries to access other application data without permission
RUNNER_TEST(T3020_manager_access_not_allowed)
{
- CharPtr top_label = get_label();
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- ScopedSaveData ssd(TEST_ALIAS);
+ // test accessibility from another label
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
check_read_not_visible(TEST_ALIAS_adr.c_str());
check_remove_not_visible(TEST_ALIAS_adr.c_str());
}
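Review bot: In T3008 the scratch string was renamed mechanically to `APP_LABEL_1_playground`, which reads like one of the file-level label constants even though it is a local `std::string` that gets reassigned for every malformed variant. A lower-case local name keeps the real label and the deliberately invalid ones apart, e.g. `std::string label_playground = std::string("AAA BBB CCC");`, with the three later assignments and `insert`/`append` calls renamed to match. This is naming only; the assertions themselves are unchanged by the suggestion.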
// tries to access other application data with permission
RUNNER_TEST(T3021_manager_access_allowed)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
-
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ // prepare: add data
+ GarbageCollector gc;
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
+ }
- check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ // test accessibility from another label
+ {
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
+ check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
}
}
// tries to read other application data with permission for read/remove
RUNNER_TEST(T3022_manager_access_allowed_with_remove)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
-
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ // prepare: add data
+ GarbageCollector gc;
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ }
- check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ // test accessibility from another label
+ {
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
+ check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
}
}
// tries to remove other application data with permission for reading only
RUNNER_TEST(T3023_manager_access_allowed_remove_denied)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
-
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ // prepare: add data
+ GarbageCollector gc;
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
+ }
- std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ // test accessibility from another label
+ {
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
+ std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
check_remove_denied(TEST_ALIAS_adr.c_str());
- check_read_allowed(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
}
}
// tries to remove other application data with permission
RUNNER_TEST(T3025_manager_remove_allowed)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
-
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ // prepare: add data
+ GarbageCollector gc;
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ }
- check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ // test accessibility from another label
+ {
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
+ check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
}
}
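Review bot: T3025's only assertion in the second scope is `check_remove_allowed(...)`. Its definition, removed from this file earlier in the diff, asserted `CKMC_ERROR_NONE == ret || CKMC_ERROR_DB_ALIAS_UNKNOWN`, which is always true because the second operand is a non-zero constant. If the helper was moved to shared code unchanged (its new location is not in this diff), this test cannot fail and the REMOVE permission grant is effectively unverified. The condition should compare both sides, `CKMC_ERROR_NONE == ret || CKMC_ERROR_DB_ALIAS_UNKNOWN == ret`, and for a positive permission test a strict `CKMC_ERROR_NONE == ret` is arguably the better check. T3034 further down relies on the same helper in the same way.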
// rights
RUNNER_TEST(T3026_manager_double_allow)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
- // access should be overwritten
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ // access should be overwritten
+ allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
+ }
+
+ // test accessibility from another label
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
check_remove_denied(TEST_ALIAS_adr.c_str());
- check_read_allowed(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
}
}
// tries to access application data with permission and after permission has been revoked
RUNNER_TEST(T3027_manager_allow_deny)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
- std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
+ }
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ // test accessibility from another label
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
check_remove_denied(TEST_ALIAS_adr.c_str());
- check_read_allowed(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
+ }
+
+ // remove permission
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+
+ deny_access(TEST_ALIAS, APP_LABEL_2);
}
- deny_access(TEST_ALIAS, TEST_LABEL2);
+ // test accessibility from another label
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
check_remove_not_visible(TEST_ALIAS_adr.c_str());
check_read_not_visible(TEST_ALIAS_adr.c_str());
RUNNER_TEST(T3028_manager_access_by_label)
{
- CharPtr top_label = get_label();
+ // prepare: add data
+ GarbageCollector gc;
const char *additional_data = "label-2-data";
- ScopedSaveData ssd(TEST_ALIAS);
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
+ }
+
+ // add data as app 2
{
- ScopedLabel sl(TEST_LABEL2);
- ScopedSaveData ssd(TEST_ALIAS, additional_data);
- allow_access(TEST_ALIAS, top_label.get(), CKMC_PERMISSION_READ);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
+ save_data(TEST_ALIAS, additional_data);
+
+ allow_access(TEST_ALIAS, APP_LABEL_1, CKMC_PERMISSION_READ);
// test if accessing valid alias (of label2 domain)
check_read_allowed(TEST_ALIAS, additional_data);
-
- // this has to be done here - in the scope, otherwise
- // scope destructor will remove the TEST_LABEL2::TEST_ALIAS
- {
- ScopedLabel sl(top_label.get());
-
- // test if can access label2 alias from label1 domain - should succeed
- check_read_allowed(aliasWithLabel(TEST_LABEL2, TEST_ALIAS).c_str(), additional_data);
- }
}
- // test if accessing valid alias (of label1 domain)
- check_read_allowed(TEST_ALIAS);
+ // test accessibility to app 2 from app 1
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
- // access should not be possible - already left the LABEL2 scope, object should be removed
- check_read_not_visible(aliasWithLabel(TEST_LABEL2, TEST_ALIAS).c_str());
+ // test if can access label2 alias from label1 domain - should succeed
+ check_read_allowed(aliasWithLabel(APP_LABEL_2, TEST_ALIAS).c_str(), additional_data);
+ }
}
// tries to modify another label's permission
RUNNER_TEST(T3029_manager_access_modification_by_foreign_label)
{
- ScopedLabel sl(TEST_LABEL);
- ScopedSaveData ssd(TEST_ALIAS);
- allow_access(TEST_ALIAS, TEST_LABEL3, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+
+ allow_access(TEST_ALIAS, APP_LABEL_3, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ }
+
+ // test accessibility from another label
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- allow_access_negative(aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str(), TEST_LABEL4, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE, CKMC_ERROR_PERMISSION_DENIED);
- deny_access_negative (aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str(), TEST_LABEL4, CKMC_ERROR_PERMISSION_DENIED);
+ allow_access_negative(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_4, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE, CKMC_ERROR_PERMISSION_DENIED);
+ deny_access_negative (aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_4, CKMC_ERROR_PERMISSION_DENIED);
}
}
// checks if only aliases readable by given app are returned
RUNNER_TEST(T3030_manager_get_all_aliases)
{
- ScopedSaveData ssd1(TEST_ALIAS);
- ScopedSaveData ssd2(TEST_ALIAS2);
+ // prepare: add data
+ GarbageCollector gc;
+ size_t count;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ gc.save(TEST_ALIAS2, TEST_DATA);
- int count = count_aliases();
+ count = count_aliases(ALIAS_DATA);
+ allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
+ }
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ // test accessibility from another label
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
// check that app can access other aliases when it has permission
check_alias_count(count - 1);
- ScopedSaveData ssd3(TEST_ALIAS3);
+ ScopedSaveData ssd3(TEST_ALIAS3, TEST_DATA);
// check that app can access its own aliases
check_alias_count(count - 1 + 1);
}
- deny_access(TEST_ALIAS, TEST_LABEL2);
+ // remove permission
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ deny_access(TEST_ALIAS, APP_LABEL_2);
+ }
+
+ // test accessibility from another label
+ {
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
// check that app can't access other aliases for which permission has been revoked
check_alias_count(count - 2);
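Review bot: In T3028 the "add data as app 2" scope now calls `save_data(TEST_ALIAS, additional_data);` directly, so the entry owned by `APP_LABEL_2` is tracked neither by `gc` nor by a `ScopedSaveData`, and nothing visible in the test removes it. The old code removed it when its `ScopedSaveData` went out of scope. The leftover alias, with a READ grant to `APP_LABEL_1`, then persists into T3029 and T3030, the latter of which derives its expectations from alias counts. If `GarbageCollector::save` records the label active at call time (its definition is outside this diff), replacing the call with `gc.save(TEST_ALIAS, additional_data);` would restore cleanup while keeping the data alive for the later read from `APP_LABEL_1`. Otherwise an explicit removal under `APP_LABEL_2` at the end of the test is needed.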
// tries to access other application data with permission
RUNNER_TEST(T3031_manager_deprecated_access_allowed)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
- allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
+ }
+
+ // test accessibility from another label
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
}
}
// tries to read other application data with permission for read/remove
RUNNER_TEST(T3032_manager_deprecated_access_allowed_with_remove)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
- allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
+ allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
+ }
+
+ // test accessibility from another label
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
}
}
// tries to remove other application data with permission for reading only
RUNNER_TEST(T3033_manager_deprecated_access_allowed_remove_denied)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
- allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
+ }
+
+ // test accessibility from another label
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
check_remove_denied(TEST_ALIAS_adr.c_str());
- check_read_allowed(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
}
}
// tries to remove other application data with permission
RUNNER_TEST(T3034_manager_deprecated_remove_allowed)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+
+ allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
+ }
- allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
+ // test accessibility from another label
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
}
}
-
/////////////////////////////////////////////////////////////////////////////
// Control
+RUNNER_TEST_GROUP_INIT (T310_CKMC_ACCESS_CONTROL_ROOT_C_API);
+
+RUNNER_TEST(T3100_init)
+{
+ reset_user_data(APP_1, APP_PASS_1);
+ reset_user_data(APP_2, APP_PASS_2);
+}
+
// invalid argument check
RUNNER_TEST(T3101_control_allow_access_invalid)
{
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
+
int ret;
- ret = ckmc_set_permission_by_adm(USER_ROOT, "alias", "accessor", CKMC_PERMISSION_READ);
+ ret = ckmc_set_permission_by_adm(APP_1, TEST_ALIAS, "accessor", CKMC_PERMISSION_READ);
RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
- ret = ckmc_set_permission_by_adm(USER_ROOT, "owner alias", NULL, CKMC_PERMISSION_READ);
+ ret = ckmc_set_permission_by_adm(APP_1, "owner alias", NULL, CKMC_PERMISSION_READ);
RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
// double owner
std::string aliasLabel = aliasWithLabel(get_label().get(), TEST_ALIAS);
- ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
+ ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), APP_LABEL_1, CKMC_PERMISSION_READ);
RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
}
// invalid argument check
RUNNER_TEST(T3102_control_deny_access_invalid)
{
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
+
RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
- ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NULL, "alias").c_str(), "accessor", CKMC_PERMISSION_NONE));
+ ckmc_set_permission_by_adm(APP_1, aliasWithLabel(NULL, TEST_ALIAS).c_str(), "accessor", CKMC_PERMISSION_NONE));
RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
- ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), NULL, CKMC_PERMISSION_NONE));
+ ckmc_set_permission_by_adm(APP_1, aliasWithLabel("owner", TEST_ALIAS).c_str(), NULL, CKMC_PERMISSION_NONE));
// double owner
std::string aliasLabel = aliasWithLabel(get_label().get(), TEST_ALIAS);
RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
- ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), TEST_LABEL, CKMC_PERMISSION_NONE));
+ ckmc_set_permission_by_adm(APP_1, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), APP_LABEL_1, CKMC_PERMISSION_NONE));
}
// tries to allow access for non existing alias
RUNNER_TEST(T3103_control_allow_access_non_existing)
{
- int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_READ);
+ int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_READ);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
"Allowing access for non existing alias returned " << CKMCErrorToString(ret));
}
// tries to deny access for non existing alias
RUNNER_TEST(T3104_control_deny_access_non_existing)
{
- int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
+ int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
"Denying access for non existing alias returned " << CKMCErrorToString(ret));
}
// tries to deny non existing access
RUNNER_TEST(T3105_control_deny_access_non_existing_access)
{
- ScopedSaveData ssd(TEST_ALIAS);
-
- CharPtr label = get_label();
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- // deny non existing access to existing alias
- int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
+ int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
- "Denying non existing access returned: " << CKMCErrorToString(ret));
+ "Denying non existing access returned: " << CKMCErrorToString(ret));
}
// tries to allow application to access its own data
RUNNER_TEST(T3106_control_allow_access_to_myself)
{
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
- CharPtr label = get_label();
- int ret = ckmc_set_permission(TEST_ALIAS, label.get(), CKMC_PERMISSION_READ);
+ // test
+ int ret = ckmc_set_permission(TEST_ALIAS, APP_LABEL_1, CKMC_PERMISSION_READ);
RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
- "Trying to allow myself returned: " << CKMCErrorToString(ret));
+ "Trying to allow myself returned: " << CKMCErrorToString(ret));
}
// tries to use admin API as a user
{
RUNNER_IGNORED_MSG("Disabled until labeled sockets not available");
- switch_to_storage_user(TEST_LABEL);
- int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), "accessor", CKMC_PERMISSION_READ);
+ // prepare: add data
+ GarbageCollector gc;
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+
+ // test
+ int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_READ);
RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
- "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret));
+ "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret));
}
// tries to use admin API as a user
-RUNNER_CHILD_TEST(T3111_control_allow_access_as_user)
+RUNNER_CHILD_TEST(T3111_control_deny_access_as_user)
{
RUNNER_IGNORED_MSG("Disabled until labeled sockets not available");
- switch_to_storage_user(TEST_LABEL);
- int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), "accessor", CKMC_PERMISSION_NONE);
+ // prepare: add data
+ GarbageCollector gc;
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+
+ // test
+ int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
- "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret));
+ "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret));
}
// tries to read other application data with permission
RUNNER_TEST(T3121_control_access_allowed)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
}
}
// tries to read other application data with permission to read/remove
RUNNER_TEST(T3122_control_access_allowed_with_remove)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
}
}
// tries to remove other application data with permission to read
RUNNER_TEST(T3122_control_access_allowed_remove_denied)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- check_remove_denied(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ check_remove_denied(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
}
}
// tries to remove other application data with permission
RUNNER_TEST(T3125_control_remove_allowed)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
}
}
// rights
RUNNER_TEST(T3126_control_double_allow)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
// access should be overwritten
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
check_remove_denied(TEST_ALIAS_adr.c_str());
- check_read_allowed(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
}
}
// tries to access other application data with permission and after permission has been revoked
RUNNER_TEST(T3127_control_allow_deny)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
-
- std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
+ allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
check_remove_denied(TEST_ALIAS_adr.c_str());
- check_read_allowed(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
}
- CharPtr label = get_label();
- deny_access_by_adm(TEST_ALIAS, TEST_LABEL2);
+
+ deny_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
check_remove_not_visible(TEST_ALIAS_adr.c_str());
check_read_not_visible(TEST_ALIAS_adr.c_str());
// checks if only aliases readable by given app are returned
RUNNER_TEST(T3130_control_get_all_aliases)
{
- ScopedSaveData ssd1(TEST_ALIAS);
- ScopedSaveData ssd2(TEST_ALIAS2);
+ // prepare: add data
+ GarbageCollector gc;
+ size_t count;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ gc.save(TEST_ALIAS2, TEST_DATA);
- int count = count_aliases();
+ count = count_aliases(ALIAS_DATA);
+ }
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
// check that app can access other aliases when it has permission
check_alias_count(count - 1);
- ScopedSaveData ssd3(TEST_ALIAS3);
+ ScopedSaveData ssd(TEST_ALIAS3, TEST_DATA);
// check that app can access its own aliases
check_alias_count(count - 1 + 1);
}
- deny_access_by_adm(TEST_ALIAS, TEST_LABEL2);
+ deny_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
// check that app can't access other aliases for which permission has been revoked
check_alias_count(count - 2);
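Review bot: In T3130, `count` is now declared as an uninitialized `size_t` and only assigned inside the APP_LABEL_1 block, so the later `count - 1` and `count - 2` arguments wrap to a huge unsigned value if `count_aliases(ALIAS_DATA)` ever returns fewer than two. Initialise it at the declaration, `size_t count = 0;`, and pin the precondition right after the call with `RUNNER_ASSERT_MSG(count >= 2, "Expected at least 2 aliases, got: " << count);`. Because this test guards alias enumeration across labels, a failure should point at the broken precondition rather than at an implausible expected count. The body of T3130 continues outside the hunk.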
// tries to add access to data in a database of invalid user
RUNNER_TEST(T3140_control_allow_invalid_user)
{
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- int ret = ckmc_set_permission_by_adm(
- APP_UID, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ int ret = ckmc_set_permission_by_adm(APP_2, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
- "Trying to allow access to invalid user returned: " << CKMCErrorToString(ret));
+ "Trying to allow access to invalid user returned: " << CKMCErrorToString(ret));
}
// tries to revoke access to data in a database of invalid user
RUNNER_TEST(T3141_control_deny_invalid_user)
{
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- int ret = ckmc_set_permission_by_adm(APP_UID, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), TEST_LABEL2, CKMC_PERMISSION_NONE);
+ int ret = ckmc_set_permission_by_adm(APP_2, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
- "Trying to deny access to invalid user returned: " << CKMCErrorToString(ret));
+ "Trying to deny access to invalid user returned: " << CKMCErrorToString(ret));
}
// tries to read other application data with permission
RUNNER_TEST(T3142_control_deprecated_access_allowed)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
}
}
// tries to read other application data with permission to read/remove
RUNNER_TEST(T3143_control_deprecated_access_allowed_with_remove)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
+ allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
}
}
// tries to remove other application data with permission to read
RUNNER_TEST(T3144_control_deprecated_access_allowed_remove_denied)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
+ // prepare: add data
+ GarbageCollector gc;
+ {
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
+ }
- allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
{
- ScopedLabel sl(TEST_LABEL2);
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
- check_remove_denied(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ check_remove_denied(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
}
}
// tries to remove other application data with permission
RUNNER_TEST(T3145_control_deprecated_remove_allowed)
{
- CharPtr top_label = get_label();
- ScopedSaveData ssd(TEST_ALIAS);
-
- allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
+ // prepare: add data
+ GarbageCollector gc;
{
- ScopedLabel sl(TEST_LABEL2);
-
- check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ gc.save(TEST_ALIAS, TEST_DATA);
}
-}
+ allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
+ {
+ ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
-RUNNER_TEST(T3999_deinit)
-{
- int temp;
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(APP_UID)), CKMCErrorToString(temp));
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(APP_UID)), CKMCErrorToString(temp));
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(USER_ROOT)), CKMCErrorToString(temp));
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(USER_ROOT)), CKMCErrorToString(temp));
+ check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
+ }
}
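Review bot: Removing `T3999_deinit` at the end of this hunk drops the only visible step that relocks the user key and wipes the test database, while the new tests still store data under APP_1. `GarbageCollector` appears to clean up saved aliases only, which would leave the APP_1 store unlocked after the run. Unless a fixture outside this hunk now does the teardown, keep the test and point it at the new user: `RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(APP_1)), CKMCErrorToString(temp));` followed by the same form with `ckmc_remove_user_data(APP_1)`. Separately, T3140 and T3141 now pass APP_2, which is a second user rather than an invalid one, so their comments would read better as "in another user's database".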