#include <tests_common.h>
#include <ckm-common.h>
+#include <access_provider2.h>
#include <ckmc/ckmc-manager.h>
#include <ckmc/ckmc-control.h>
const char* TEST_LABEL = "test-label";
const char* TEST_LABEL2 = "test-label2";
+const char* TEST_LABEL3 = "test-label3";
+const char* TEST_LABEL4 = "test-label4";
const char* TEST_DATA = "dsflsdkghkslhglrtghierhgilrehgidsafasdffsgfdgdgfdgfdgfdgfdggf";
-
-void save_data(const char* alias)
+void save_data(const char* alias, const char *data)
{
ckmc_raw_buffer_s buffer;
- buffer.data = reinterpret_cast<unsigned char*>(const_cast<char*>(TEST_DATA));
- buffer.size = strlen(TEST_DATA);
+ buffer.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
+ buffer.size = strlen(data);
ckmc_policy_s policy;
policy.password = NULL;
policy.extractable = true;
RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Saving data failed. Error: " << ret);
}
+void save_data(const char* alias)
+{
+ save_data(alias, TEST_DATA);
+}
+
void check_remove_allowed(const char* alias)
{
- int ret = ckmc_remove_data(alias);
+ int ret = ckmc_remove_alias(alias);
// remove, but ignore non existing
RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret || CKMC_ERROR_DB_ALIAS_UNKNOWN,
"Removing data failed: " << ret);
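Review bot: The assertion in check_remove_allowed cannot fail, because `CKMC_ERROR_NONE == ret || CKMC_ERROR_DB_ALIAS_UNKNOWN` ORs in a bare constant that is true whenever that code is non-zero (presumably it is, since it must differ from CKMC_ERROR_NONE). The switch to ckmc_remove_alias leaves this line as it was, so a removal wrongly refused with CKMC_ERROR_PERMISSION_DENIED still passes and the remove-allowed tests built on this helper say nothing about the REMOVE permission. Compare both codes against ret: `RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret || CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,`. Even then, CKMC_ERROR_DB_ALIAS_UNKNOWN is also what check_remove_not_visible expects for a caller with no grant, so tolerating it here can hide a missing grant. The function's closing brace is outside the hunk.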
void check_remove_denied(const char* alias)
{
- int ret = ckmc_remove_data(alias);
+ int ret = ckmc_remove_alias(alias);
RUNNER_ASSERT_MSG(
CKMC_ERROR_PERMISSION_DENIED == ret,
"App with different label shouldn't have rights to remove this data. Error: " << ret);
}
-void check_read_allowed(const char* alias)
+void check_remove_not_visible(const char* alias)
+{
+ int ret = ckmc_remove_alias(alias);
+ RUNNER_ASSERT_MSG(
+ CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
+ "App with different label shouldn't have rights to see this data. Error: " << ret);
+}
+
+void check_read(const char* alias, const char *label, const char *test_data, int expected_code = CKMC_ERROR_NONE)
{
- // try to read previously saved data
ckmc_raw_buffer_s* buffer = NULL;
- int ret = ckmc_get_data(alias, NULL, &buffer);
- RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Getting data failed. Error: " << ret);
+ int ret = ckmc_get_data(aliasWithLabel(label, alias).c_str(), NULL, &buffer);
+ RUNNER_ASSERT_MSG(expected_code == ret, "Getting data failed. Expected code: " << expected_code << ", while result code: " << ret);
- // compare data with expected
- RUNNER_ASSERT_MSG(
- buffer->size == strlen(TEST_DATA),
- "Extracted data length do not match expected data length (encrypted?).");
+ if(expected_code == CKMC_ERROR_NONE)
+ {
+ // compare data with expected
+ RUNNER_ASSERT_MSG(
+ buffer->size == strlen(test_data),
+ "Extracted data length do not match expected data length (encrypted?).");
- RUNNER_ASSERT_MSG(
- memcmp(const_cast<const char*>(reinterpret_cast<char*>(buffer->data)), TEST_DATA, buffer->size) == 0,
- "Extracted data do not match expected data (encrypted?).");
- ckmc_buffer_free(buffer);
+ RUNNER_ASSERT_MSG(
+ memcmp(const_cast<const char*>(reinterpret_cast<char*>(buffer->data)), test_data, buffer->size) == 0,
+ "Extracted data do not match expected data (encrypted?).");
+
+ ckmc_buffer_free(buffer);
+ }
+}
+
+void check_read_allowed(const char* alias, const char *data)
+{
+ // try to read previously saved data - label taken implicitly
+ check_read(alias, 0, data);
+}
+void check_read_allowed(const char* alias)
+{
+ check_read_allowed(alias, TEST_DATA);
}
void check_read_denied(const char* alias)
{
- // try to read previously saved data
- ckmc_raw_buffer_s* buffer = NULL;
- int ret = ckmc_get_data(alias, NULL, &buffer);
- RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
- "App with different label shouldn't have rights to read this data. Error: "
- << ret);
- ckmc_buffer_free(buffer);
+ // try to read previously saved data - label taken implicitly
+ {
+ ckmc_raw_buffer_s* buffer = NULL;
+ int ret = ckmc_get_data(alias, NULL, &buffer);
+ RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
+ "App with different label shouldn't have rights to read this data. Error: " << ret);
+ ckmc_buffer_free(buffer);
+ }
}
-void allow_access(const char* alias, const char* accessor, ckmc_access_right_e rights)
+void check_read_not_visible(const char* alias)
+{
+ // try to read previously saved data - label taken implicitly
+ {
+ ckmc_raw_buffer_s* buffer = NULL;
+ int ret = ckmc_get_data(alias, NULL, &buffer);
+ RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
+ "App with different label shouldn't have rights to see this data. Error: " << ret);
+ ckmc_buffer_free(buffer);
+ }
+}
+
+void allow_access(const char* alias, const char* accessor, int permissionMask)
{
// data removal should revoke this access
- int ret = ckmc_allow_access(alias, accessor, rights);
+ int ret = ckmc_set_permission(alias, accessor, permissionMask);
RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << ret);
}
+void allow_access_negative(const char* alias, const char* accessor, int permissionMask, int expectedCode)
+{
+ // data removal should revoke this access
+ int ret = ckmc_set_permission(alias, accessor, permissionMask);
+ RUNNER_ASSERT_MSG(expectedCode == ret, "Trying to allow access returned: " << ret << ", while expected: " << expectedCode);
+}
+
void deny_access(const char* alias, const char* accessor)
{
int ret = ckmc_deny_access(alias, accessor);
RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. Error: " << ret);
}
-void allow_access_by_adm(const char* alias, const char* accessor, ckmc_access_right_e rights)
+void deny_access_negative(const char* alias, const char* accessor, int expectedCode)
+{
+ int ret = ckmc_set_permission(alias, accessor, CKMC_PERMISSION_NONE);
+ RUNNER_ASSERT_MSG(expectedCode == ret, "Denying access failed. Error: " << ret << ", while expected: " << expectedCode);
+}
+
+void allow_access_by_adm(const char* alias, const char* accessor, int permissionMask)
{
// data removal should revoke this access
- CharPtr label = get_label();
- int ret = ckmc_allow_access_by_adm(USER_ROOT, label.get(), alias, accessor, rights);
+ int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), alias).c_str(), accessor, permissionMask);
RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << ret);
}
void deny_access_by_adm(const char* alias, const char* accessor)
{
- CharPtr label = get_label();
- int ret = ckmc_deny_access_by_adm(USER_ROOT, label.get(), alias, accessor);
+ int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), alias).c_str(), accessor, CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. Error: " << ret);
}
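Review bot: check_read_denied and check_read_not_visible assert only the return code and never check that `buffer` is still NULL before passing it to ckmc_buffer_free, so a call that reports CKMC_ERROR_PERMISSION_DENIED or CKMC_ERROR_DB_ALIAS_UNKNOWN while still filling the output pointer would pass. For an access-control test, the absence of returned data is the property that matters. Add `RUNNER_ASSERT_MSG(NULL == buffer, "Data returned although the call failed");` after the code check in both helpers, and in check_read when expected_code is not CKMC_ERROR_NONE. Separately, deny_access still calls ckmc_deny_access while the other helpers moved to ckmc_set_permission with CKMC_PERMISSION_NONE, and the comment `// data removal should revoke this access` copied into allow_access_negative does not describe a call that is expected to be rejected.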
{
save_data(alias);
}
+ ScopedSaveData(const char* alias, const char *data) : m_alias(alias)
+ {
+ save_data(alias, data);
+ }
~ScopedSaveData()
{
// invalid arguments check
RUNNER_TEST(T3001_manager_allow_access_invalid)
{
- RUNNER_ASSERT_BT(
- CKMC_ERROR_INVALID_PARAMETER == ckmc_allow_access(NULL, "accessor", CKMC_AR_READ));
- RUNNER_ASSERT_BT(
- CKMC_ERROR_INVALID_PARAMETER == ckmc_allow_access("alias", NULL, CKMC_AR_READ));
+ RUNNER_ASSERT(
+ CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_READ));
+ RUNNER_ASSERT(
+ CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_READ));
}
// invalid arguments check
RUNNER_TEST(T3002_manager_deny_access_invalid)
{
- RUNNER_ASSERT_BT(CKMC_ERROR_INVALID_PARAMETER == ckmc_deny_access(NULL, "accessor"));
- RUNNER_ASSERT_BT(CKMC_ERROR_INVALID_PARAMETER == ckmc_deny_access("alias", NULL));
+ RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_NONE));
+ RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_NONE));
}
// tries to allow access for non existing alias
RUNNER_CHILD_TEST(T3003_manager_allow_access_non_existing)
{
- switch_to_app(TEST_LABEL);
+ switch_to_storage_user(TEST_LABEL);
- int ret = ckmc_allow_access(NO_ALIAS, "label", CKMC_AR_READ);
+ int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_READ);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
"Allowing access for non existing alias returned " << ret);
}
// tries to deny access for non existing alias
RUNNER_CHILD_TEST(T3004_manager_deny_access_non_existing)
{
- switch_to_app(TEST_LABEL);
+ switch_to_storage_user(TEST_LABEL);
- int ret = ckmc_deny_access(NO_ALIAS, "label");
+ int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
"Denying access for non existing alias returned " << ret);
}
// tries to deny access that does not exist in database
RUNNER_CHILD_TEST(T3005_manager_deny_access_non_existing_access)
{
- switch_to_app(TEST_LABEL);
+ switch_to_storage_user(TEST_LABEL);
ScopedSaveData ssd(TEST_ALIAS);
// deny non existing access to existing alias
- int ret = ckmc_deny_access(TEST_ALIAS, "label");
+ int ret = ckmc_set_permission(TEST_ALIAS, "label", CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
"Denying non existing access returned: " << ret);
}
// tries to allow access to application own data
RUNNER_CHILD_TEST(T3006_manager_allow_access_to_myself)
{
- switch_to_app(TEST_LABEL);
+ switch_to_storage_user(TEST_LABEL);
ScopedSaveData ssd(TEST_ALIAS);
CharPtr label = get_label();
- int ret = ckmc_allow_access(TEST_ALIAS, label.get(), CKMC_AR_READ);
+ int ret = ckmc_set_permission(TEST_ALIAS, label.get(), CKMC_PERMISSION_READ);
RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
"Trying to allow myself returned: " << ret);
}
+// verifies that alias can not contain forbidden characters
+RUNNER_CHILD_TEST(T3007_manager_check_alias_valid)
+{
+ switch_to_storage_user(TEST_LABEL);
+ ScopedSaveData ssd(TEST_ALIAS);
+
+ std::string test_alias_playground = std::string("AAA BBB CCC");
+ check_read(test_alias_playground.c_str(), 0, TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
+
+ // control: expect success
+ check_read(TEST_ALIAS, 0, TEST_DATA);
+ check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
+}
+
+// verifies that label can not contain forbidden characters
+RUNNER_CHILD_TEST(T3008_manager_check_label_valid)
+{
+ switch_to_storage_user(TEST_LABEL);
+ ScopedSaveData ssd(TEST_ALIAS);
+
+ // basic test
+ std::string test_label_playground = std::string("AAA BBB CCC");
+ check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
+
+ // insert part of the separator in the middle
+ test_label_playground = std::string(TEST_LABEL);
+ test_label_playground.insert(test_label_playground.size()/2, ckmc_label_name_separator);
+ check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
+
+ // prepend separator
+ test_label_playground = std::string(TEST_LABEL);
+ test_label_playground.insert(0, ckmc_label_name_separator);
+ check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
+
+ // append separator
+ test_label_playground = std::string(TEST_LABEL);
+ test_label_playground.append(ckmc_label_name_separator);
+ check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
+
+ // control: expect success
+ check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
+}
+
// tries to access other application data without permission
RUNNER_TEST(T3020_manager_access_not_allowed)
{
+ CharPtr top_label = get_label();
+
ScopedSaveData ssd(TEST_ALIAS);
{
ScopedLabel sl(TEST_LABEL2);
- check_read_denied(TEST_ALIAS);
-
- check_remove_denied(TEST_ALIAS);
+ std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ check_read_not_visible(TEST_ALIAS_adr.c_str());
+ check_remove_not_visible(TEST_ALIAS_adr.c_str());
}
}
// tries to access other application data with permission
RUNNER_TEST(T3021_manager_access_allowed)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
{
ScopedLabel sl(TEST_LABEL2);
- check_read_allowed(TEST_ALIAS);
+ check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
}
}
// tries to read other application data with permission for read/remove
RUNNER_TEST(T3022_manager_access_allowed_with_remove)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
+ allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
{
ScopedLabel sl(TEST_LABEL2);
- check_read_allowed(TEST_ALIAS);
+ check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
}
}
// tries to remove other application data with permission for reading only
RUNNER_TEST(T3023_manager_access_allowed_remove_denied)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
{
ScopedLabel sl(TEST_LABEL2);
- check_remove_denied(TEST_ALIAS);
-
- check_read_allowed(TEST_ALIAS);
+ std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ check_remove_denied(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str());
}
}
// tries to remove other application data with permission
RUNNER_TEST(T3025_manager_remove_allowed)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
+ allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
{
ScopedLabel sl(TEST_LABEL2);
- check_remove_allowed(TEST_ALIAS);
+ check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
}
}
-// tries to access other application data after allow funciton was called twice with different
+// tries to access other application data after allow function was called twice with different
// rights
RUNNER_TEST(T3026_manager_double_allow)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
// access should be overwritten
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
{
ScopedLabel sl(TEST_LABEL2);
- check_remove_denied(TEST_ALIAS);
-
- check_read_allowed(TEST_ALIAS);
+ std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ check_remove_denied(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str());
}
}
// tries to access application data with permission and after permission has been revoked
RUNNER_TEST(T3027_manager_allow_deny)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+
+ allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
{
ScopedLabel sl(TEST_LABEL2);
- check_remove_denied(TEST_ALIAS);
-
- check_read_allowed(TEST_ALIAS);
+ check_remove_denied(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str());
}
deny_access(TEST_ALIAS, TEST_LABEL2);
{
ScopedLabel sl(TEST_LABEL2);
- check_remove_denied(TEST_ALIAS);
+ check_remove_not_visible(TEST_ALIAS_adr.c_str());
+ check_read_not_visible(TEST_ALIAS_adr.c_str());
+ }
+}
+
+RUNNER_TEST(T3028_manager_access_by_label)
+{
+ CharPtr top_label = get_label();
+ const char *additional_data = "label-2-data";
+ ScopedSaveData ssd(TEST_ALIAS);
+
+ allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ {
+ ScopedLabel sl(TEST_LABEL2);
+ ScopedSaveData ssd(TEST_ALIAS, additional_data);
+ allow_access(TEST_ALIAS, top_label.get(), CKMC_PERMISSION_READ);
+
+ // test if accessing valid alias (of label2 domain)
+ check_read_allowed(TEST_ALIAS, additional_data);
- check_read_denied(TEST_ALIAS);
+ // this has to be done here - in the scope, otherwise
+ // scope destructor will remove the TEST_LABEL2::TEST_ALIAS
+ {
+ ScopedLabel sl(top_label.get());
+
+ // test if can access label2 alias from label1 domain - should succeed
+ check_read_allowed(aliasWithLabel(TEST_LABEL2, TEST_ALIAS).c_str(), additional_data);
+ }
}
+
+ // test if accessing valid alias (of label1 domain)
+ check_read_allowed(TEST_ALIAS);
+
+ // access should not be possible - already left the LABEL2 scope, object should be removed
+ check_read_not_visible(aliasWithLabel(TEST_LABEL2, TEST_ALIAS).c_str());
}
+// tries to modify another label's permission
+RUNNER_TEST(T3029_manager_access_modification_by_foreign_label)
+{
+ ScopedLabel sl(TEST_LABEL);
+ ScopedSaveData ssd(TEST_ALIAS);
+ allow_access(TEST_ALIAS, TEST_LABEL3, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ {
+ ScopedLabel sl(TEST_LABEL2);
+
+ allow_access_negative(aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str(), TEST_LABEL4, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE, CKMC_ERROR_PERMISSION_DENIED);
+ deny_access_negative (aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str(), TEST_LABEL4, CKMC_ERROR_PERMISSION_DENIED);
+ }
+}
// checks if only aliases readable by given app are returned
RUNNER_TEST(T3030_manager_get_all_aliases)
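Review bot: T3029_manager_access_modification_by_foreign_label checks only the error codes handed back to TEST_LABEL2 and never confirms that the permission state is unchanged afterwards; the TEST_LABEL3 grant it sets up is not used by any assertion. A service that answered CKMC_ERROR_PERMISSION_DENIED but still applied the change would pass this test. I would also attempt the revocation against the existing TEST_LABEL3 grant, then verify from TEST_LABEL3 and from TEST_LABEL4 what each label can actually read. The expected code for the TEST_LABEL3 attempt is assumed to match the TEST_LABEL4 one and should be confirmed.

```cpp
RUNNER_TEST(T3029_manager_access_modification_by_foreign_label)
{
    // … unchanged: owner saves TEST_ALIAS and grants READ|REMOVE to TEST_LABEL3 …
    {
        ScopedLabel sl(TEST_LABEL2);
        // … unchanged: rejected grant/deny attempts for TEST_LABEL4 …

        // an existing grant must not be revocable by a foreign label either
        deny_access_negative(aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str(), TEST_LABEL3, CKMC_ERROR_PERMISSION_DENIED);
    }

    // the rejected calls must have left the permissions untouched
    {
        ScopedLabel sl(TEST_LABEL3);
        check_read_allowed(aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str());
    }
    {
        ScopedLabel sl(TEST_LABEL4);
        check_read_not_visible(aliasWithLabel(TEST_LABEL, TEST_ALIAS).c_str());
    }
}
```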
int count = count_aliases();
- allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
{
ScopedLabel sl(TEST_LABEL2);
}
}
+RUNNER_TEST(T3031_manager_test_decrypt_from_another_label)
+{
+ int temp;
+ CharPtr top_label = get_label();
+ ScopedSaveData ssd(TEST_ALIAS);
+
+ allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
+ {
+ ScopedLabel sl(TEST_LABEL2);
+
+ check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+
+ // remove the DKEK key - so that on read it must be added again
+ RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(0)),
+ "Error=" << temp);
+
+ // on this read, DKEK key will be added again
+ check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
+ }
+}
+
+
/////////////////////////////////////////////////////////////////////////////
// Control
RUNNER_TEST(T3101_control_allow_access_invalid)
{
int ret;
- ret = ckmc_allow_access_by_adm(USER_ROOT, NULL, "alias", "accessor", CKMC_AR_READ);
- RUNNER_ASSERT_BT(CKMC_ERROR_INVALID_PARAMETER == ret);
- ret = ckmc_allow_access_by_adm(USER_ROOT, "owner", NULL, "accessor", CKMC_AR_READ);
- RUNNER_ASSERT_BT(CKMC_ERROR_INVALID_PARAMETER == ret);
- ret = ckmc_allow_access_by_adm(USER_ROOT, "owner", "alias", NULL, CKMC_AR_READ);
- RUNNER_ASSERT_BT(CKMC_ERROR_INVALID_PARAMETER == ret);
+ ret = ckmc_set_permission_by_adm(USER_ROOT, "alias", "accessor", CKMC_PERMISSION_READ);
+ RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
+ ret = ckmc_set_permission_by_adm(USER_ROOT, "owner alias", NULL, CKMC_PERMISSION_READ);
+ RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
+
+ // double owner
+ std::string aliasLabel = aliasWithLabel(get_label().get(), TEST_ALIAS);
+ ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
+ RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
}
// invalid argument check
RUNNER_TEST(T3102_control_deny_access_invalid)
{
- RUNNER_ASSERT_BT(CKMC_ERROR_INVALID_PARAMETER ==
- ckmc_deny_access_by_adm(USER_ROOT, NULL, "alias", "accessor"));
- RUNNER_ASSERT_BT(CKMC_ERROR_INVALID_PARAMETER ==
- ckmc_deny_access_by_adm(USER_ROOT, "owner", NULL, "accessor"));
- RUNNER_ASSERT_BT(CKMC_ERROR_INVALID_PARAMETER ==
- ckmc_deny_access_by_adm(USER_ROOT, "owner", "alias", NULL));
+ RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
+ ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NULL, "alias").c_str(), "accessor", CKMC_PERMISSION_NONE));
+ RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
+ ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), NULL, CKMC_PERMISSION_NONE));
+
+ // double owner
+ std::string aliasLabel = aliasWithLabel(get_label().get(), TEST_ALIAS);
+ RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
+ ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), TEST_LABEL, CKMC_PERMISSION_NONE));
}
// tries to allow access for non existing alias
RUNNER_TEST(T3103_control_allow_access_non_existing)
{
- int ret = ckmc_allow_access_by_adm(USER_ROOT, NO_OWNER, NO_ALIAS, "label", CKMC_AR_READ);
+ int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_READ);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
"Allowing access for non existing alias returned " << ret);
}
// tries to deny access for non existing alias
RUNNER_TEST(T3104_control_deny_access_non_existing)
{
- int ret = ckmc_deny_access_by_adm(USER_ROOT, NO_OWNER, NO_ALIAS, "label");
+ int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
"Denying access for non existing alias returned " << ret);
}
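Review bot: In T3101_control_allow_access_invalid the NULL-accessor case passes `"owner alias"` (a space, not the label separator) as the alias, so two arguments are invalid at once and the assertion cannot tell which one was rejected. T3007 in this same change already expects an alias containing spaces to be refused by the manager API, and the admin API presumably behaves the same way. Use `aliasWithLabel("owner", "alias").c_str()` there, as T3102 does. T3101 and T3102 also no longer cover a NULL alias, which the removed lines did; `ckmc_set_permission_by_adm(USER_ROOT, NULL, "accessor", CKMC_PERMISSION_READ)` would restore that case.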
CharPtr label = get_label();
// deny non existing access to existing alias
- int ret = ckmc_deny_access_by_adm(USER_ROOT, label.get(), TEST_ALIAS, "label");
+ int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
"Denying non existing access returned: " << ret);
}
ScopedSaveData ssd(TEST_ALIAS);
CharPtr label = get_label();
- int ret = ckmc_allow_access(TEST_ALIAS, label.get(), CKMC_AR_READ);
+ int ret = ckmc_set_permission(TEST_ALIAS, label.get(), CKMC_PERMISSION_READ);
RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
"Trying to allow myself returned: " << ret);
}
// tries to use admin API as a user
RUNNER_CHILD_TEST(T3110_control_allow_access_as_user)
{
- switch_to_app(TEST_LABEL);
- int ret = ckmc_allow_access_by_adm(USER_ROOT, "owner", "alias", "accessor", CKMC_AR_READ);
+ switch_to_storage_user(TEST_LABEL);
+ int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), "accessor", CKMC_PERMISSION_READ);
RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
"Ordinary user should not be able to use control API. Error " << ret);
}
// tries to use admin API as a user
RUNNER_CHILD_TEST(T3111_control_allow_access_as_user)
{
- switch_to_app(TEST_LABEL);
- int ret = ckmc_deny_access_by_adm(USER_ROOT, "owner", "alias", "accessor");
+ switch_to_storage_user(TEST_LABEL);
+ int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), "accessor", CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
"Ordinary user should not be able to use control API. Error " << ret);
}
// tries to read other application data with permission
RUNNER_TEST(T3121_control_access_allowed)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
{
ScopedLabel sl(TEST_LABEL2);
- check_read_allowed(TEST_ALIAS);
+ check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
}
}
// tries to read other application data with permission to read/remove
RUNNER_TEST(T3122_control_access_allowed_with_remove)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
+ allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
{
ScopedLabel sl(TEST_LABEL2);
- check_read_allowed(TEST_ALIAS);
+ check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
}
}
// tries to remove other application data with permission to read
RUNNER_TEST(T3122_control_access_allowed_remove_denied)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
{
ScopedLabel sl(TEST_LABEL2);
- check_remove_denied(TEST_ALIAS);
+ check_remove_denied(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
}
}
// tries to remove other application data with permission
RUNNER_TEST(T3125_control_remove_allowed)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
+ allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
{
ScopedLabel sl(TEST_LABEL2);
- check_remove_allowed(TEST_ALIAS);
+ check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
}
}
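Review bot: The self-grant check at the top of this hunk sits under the Control header, yet its changed line calls the manager API, `ckmc_set_permission(TEST_ALIAS, label.get(), CKMC_PERMISSION_READ)`, so the admin path for granting an owner access to its own data appears to be untested. If the admin path is what this test is meant to cover, call `ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel(label.get(), TEST_ALIAS).c_str(), label.get(), CKMC_PERMISSION_READ)` instead. The expected code for that path is not visible here and needs confirming. The test's opening lines are outside the hunk.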
// rights
RUNNER_TEST(T3126_control_double_allow)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
// access should be overwritten
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
+ allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
{
ScopedLabel sl(TEST_LABEL2);
- check_remove_denied(TEST_ALIAS);
-
- check_read_allowed(TEST_ALIAS);
+ std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+ check_remove_denied(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str());
}
}
// tries to access other application data with permission and after permission has been revoked
RUNNER_TEST(T3127_control_allow_deny)
{
+ CharPtr top_label = get_label();
ScopedSaveData ssd(TEST_ALIAS);
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
+
+ allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
{
ScopedLabel sl(TEST_LABEL2);
- check_remove_denied(TEST_ALIAS);
-
- check_read_allowed(TEST_ALIAS);
+ check_remove_denied(TEST_ALIAS_adr.c_str());
+ check_read_allowed(TEST_ALIAS_adr.c_str());
}
CharPtr label = get_label();
deny_access_by_adm(TEST_ALIAS, TEST_LABEL2);
{
ScopedLabel sl(TEST_LABEL2);
- check_remove_denied(TEST_ALIAS);
-
- check_read_denied(TEST_ALIAS);
+ check_remove_not_visible(TEST_ALIAS_adr.c_str());
+ check_read_not_visible(TEST_ALIAS_adr.c_str());
}
}
int count = count_aliases();
- allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
+ allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_PERMISSION_READ);
{
ScopedLabel sl(TEST_LABEL2);
{
ScopedSaveData ssd(TEST_ALIAS);
- CharPtr label = get_label();
- int ret = ckmc_allow_access_by_adm(
- APP_UID, label.get(), TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
+ int ret = ckmc_set_permission_by_adm(
+ APP_UID, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), TEST_LABEL2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
"Trying to allow access to invalid user returned: " << ret);
}
{
ScopedSaveData ssd(TEST_ALIAS);
- CharPtr label = get_label();
- int ret = ckmc_deny_access_by_adm(APP_UID, label.get(), TEST_ALIAS, TEST_LABEL2);
+ int ret = ckmc_set_permission_by_adm(APP_UID, aliasWithLabel(get_label().get(), TEST_ALIAS).c_str(), TEST_LABEL2, CKMC_PERMISSION_NONE);
RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
"Trying to deny access to invalid user returned: " << ret);
}