Spring cleaning
[platform/core/test/security-tests.git] / src / security-manager-tests / common / app_install_helper_ext.cpp
index cec5434..878dfc1 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2020 Samsung Electronics Co., Ltd. All rights reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -101,7 +101,7 @@ void AppInstallHelperExt::checkPrivileges(const PrivilegeVector &allowedPrivs,
     int result;
 
     for (auto &priv : allowedPrivs) {
-        ctc.check(smackLabel.c_str(), "", user, priv.getName().c_str(), CYNARA_API_ACCESS_ALLOWED);
+        ctc.check(smackLabel, "", user, priv.getName(), CYNARA_API_ACCESS_ALLOWED);
 
         Api::appHasPrivilege(m_appName, priv, m_uidGid, result);
         RUNNER_ASSERT_MSG(result == 1,
@@ -109,7 +109,7 @@ void AppInstallHelperExt::checkPrivileges(const PrivilegeVector &allowedPrivs,
     }
 
     for (auto &priv : deniedPrivs) {
-        ctc.check(smackLabel.c_str(), "", user, priv.getName().c_str(), CYNARA_API_ACCESS_DENIED);
+        ctc.check(smackLabel, "", user, priv.getName(), CYNARA_API_ACCESS_DENIED);
 
         Api::appHasPrivilege(m_appName, priv, m_uidGid, result);
         RUNNER_ASSERT_MSG(result == 0,
@@ -122,22 +122,50 @@ void AppInstallHelperExt::checkDeniedPrivileges(const PrivilegeVector &deniedPri
     checkPrivileges({}, deniedPrivs);
 }
 
-void AppInstallHelperExt::checkPrivilegeGroups(const PrivilegeVector &allowedPrivs) const
+void AppInstallHelperExt::checkGroupPrivileges(const PrivilegeVector &expectedPrivs) const
 {
     static PolicyConfiguration policy;
-    const auto allowed_groups = policy.privToGroup(allowedPrivs);
-    RUNNER_ASSERT_MSG(allowed_groups.size() == allowedPrivs.size(),
+
+    // get expected groups
+    auto expectedGids = policy.groupToGid(policy.privToGroup(expectedPrivs));
+    RUNNER_ASSERT_MSG(expectedGids.size() == expectedPrivs.size(),
                       "Some privileges given were not found in the policy");
+    std::sort(expectedGids.begin(), expectedGids.end());
 
-    std::vector<gid_t> allowed_gids;
-    for (const auto &groupName : allowed_groups) {
-        errno = 0;
-        struct group* grp = getgrnam(groupName.c_str());
-        RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
-        allowed_gids.push_back(grp->gr_gid);
-    }
+    // get current process groups
+    int ret = getgroups(0, nullptr);
+    RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
 
-    checkGids(allowed_gids);
+    std::vector<gid_t> actualGids(ret);
+    ret = getgroups(ret, actualGids.data());
+    RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
+
+    // remove groups unrelated to privileges
+    const auto allPrivGids = policy.getGid();
+    auto notPrivGid = [&](gid_t gid){
+        return std::find(allPrivGids.begin(), allPrivGids.end(), gid) == allPrivGids.end();
+    };
+    actualGids.erase(std::remove_if(actualGids.begin(), actualGids.end(), notPrivGid),
+                     actualGids.end());
+    std::sort(actualGids.begin(), actualGids.end());
+
+    // expected but not allowed
+    std::vector<gid_t> notAllowedGids;
+    std::set_difference(expectedGids.begin(), expectedGids.end(),
+                        actualGids.begin(), actualGids.end(),
+                        std::back_inserter(notAllowedGids));
+
+    RUNNER_ASSERT_MSG(notAllowedGids.empty(),
+                      notAllowedGids.size() << " expected groups were not assigned");
+
+    // allowed but not expected
+    std::vector<gid_t> notDeniedGids;
+    std::set_difference(actualGids.begin(), actualGids.end(),
+                        expectedGids.begin(), expectedGids.end(),
+                        std::back_inserter(notDeniedGids));
+
+    RUNNER_ASSERT_MSG(notDeniedGids.empty(),
+                      notDeniedGids.size() << " unexpected groups were assigned");
 }
 
 void AppInstallHelperExt:: checkSmackPrivileges(const PrivilegeVector &allowedPrivs,
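Review bot: checkGroupPrivileges now reads the calling process's supplementary groups as they are (the two `getgroups` calls), but nothing in the function states that the caller must have applied the application's groups beforehand. The removed checkGids established that state itself with `setgroups(0, NULL)` followed by `Api::setProcessGroups(m_appName)`; presumably callers do that now, though it is not visible in this hunk. Without that precondition the two `set_difference` checks compare the policy against whatever groups the test process inherited, so a stale group list can hide a missing or an extra privilege group. I would add a comment above the function, e.g. `// Precondition: the calling process already has the application's supplementary groups applied; this function only reads them.` Separately, the second `getgroups` may return fewer entries than the first, so `actualGids.resize(ret);` after the second assert keeps zero-filled trailing entries out of the comparison.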
@@ -257,31 +285,4 @@ void AppInstallHelperExt::checkAppIdExistence(bool expected) const
     }
 }
 
-void AppInstallHelperExt::checkGids(const std::vector<gid_t> &allowedGids) const
-{
-    int ret;
-    std::unordered_set<gid_t> referenceGids(allowedGids.begin(), allowedGids.end());
-
-    // Reset supplementary groups
-    ret = setgroups(0, NULL);
-    RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
-
-    Api::setProcessGroups(m_appName);
-
-    ret = getgroups(0, nullptr);
-    RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
-
-    std::vector<gid_t> actualGids(ret);
-    ret = getgroups(ret, actualGids.data());
-    RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
-
-    for (const auto &gid : actualGids) {
-        RUNNER_ASSERT_MSG(referenceGids.count(gid) > 0,
-                          "Application shouldn't get access to group " << gid);
-        referenceGids.erase(gid);
-    }
-
-    RUNNER_ASSERT_MSG(referenceGids.empty(), "Application didn't get access to some groups");
-}
-
 } // namespace SecurityManagerTest