Adjust security-manager tests

Security-manager is no longer using libprivilege-control
Tests should now use cynara to check if privileges
were granted during application installation.

Change-Id: I4a0fea8edfad31cb9265c89b9498d6fd27d47676

diff --git a/tests/security-manager-tests/CMakeLists.txt b/tests/security-manager-tests/CMakeLists.txt
index ae894b5..b4fdf6b 100644 (file)
--- a/tests/security-manager-tests/CMakeLists.txt
+++ b/tests/security-manager-tests/CMakeLists.txt
@@ -25,6 +25,7 @@ PKG_CHECK_MODULES(SEC_MGR_TESTS_DEP
     REQUIRED
     libsmack
     libprivilege-control
+    cynara-client
     security-manager
     libtzplatform-config
     sqlite3)
@@ -35,6 +36,7 @@ SET(TARGET_SEC_MGR_TESTS "security-manager-tests")
 SET(SEC_MGR_SOURCES
     ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/security_manager_tests.cpp
     ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/common/sm_db.cpp
+    ${PROJECT_SOURCE_DIR}/tests/cynara-tests/common/cynara_test_client.cpp
     ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/libprivilege-control_test_common.cpp
    )
 
@@ -42,9 +44,14 @@ INCLUDE_DIRECTORIES(SYSTEM
     ${SEC_MGR_TESTS_DEP_INCLUDE_DIRS}
    )
 
+INCLUDE_DIRECTORIES(SYSTEM
+    ${CYNARA_TARGET_DEP_INCLUDE_DIRS}
+    )
+
 INCLUDE_DIRECTORIES(
     ${PROJECT_SOURCE_DIR}/tests/common/
     ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/common/
+    ${PROJECT_SOURCE_DIR}/tests/cynara-tests/common/
     ${PROJECT_SOURCE_DIR}/tests/libprivilege-control-tests/common/
    )
 
@@ -58,26 +65,6 @@ TARGET_LINK_LIBRARIES(${TARGET_SEC_MGR_TESTS}
 
 INSTALL(TARGETS ${TARGET_SEC_MGR_TESTS} DESTINATION /usr/bin)
 
-INSTALL(FILES
-    ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/WRT_security_manager_test_rules1.smack
-    DESTINATION /usr/share/privilege-control/
-  )
-
-INSTALL(FILES
-    ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/WRT_security_manager_test_rules2.smack
-    DESTINATION /usr/share/privilege-control/
-  )
-
-INSTALL(FILES
-    ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/WRT_security_manager_test_rules2_no_r.smack
-    DESTINATION /usr/share/privilege-control/
-  )
-
-INSTALL(FILES
-    ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/WRT_security_manager_test_rules2_r.smack
-    DESTINATION /usr/share/privilege-control/
-  )
-
 INSTALL(DIRECTORY
     ${PROJECT_SOURCE_DIR}/tests/security-manager-tests/test_DIR
     DESTINATION /etc/smack/

diff --git a/tests/security-manager-tests/WRT_security_manager_test_rules1.smack b/tests/security-manager-tests/WRT_security_manager_test_rules1.smack
deleted file mode 100644 (file)
index 0dfa560..0000000
--- a/tests/security-manager-tests/WRT_security_manager_test_rules1.smack
+++ /dev/null
@@ -1,14 +0,0 @@
-~APP~ test_sm_book_1 r
-~APP~ test_sm_book_2 w
-~APP~ test_sm_book_3 x
-~APP~ test_sm_book_4 rw
-~APP~ test_sm_book_5 rx
-~APP~ test_sm_book_6 wx
-~APP~ test_sm_book_7 rwx
-test_sm_subject_1 ~APP~ r
-test_sm_subject_2 ~APP~ w
-test_sm_subject_3 ~APP~ x
-test_sm_subject_4 ~APP~ rw
-test_sm_subject_5 ~APP~ rx
-test_sm_subject_6 ~APP~ wx
-test_sm_subject_7 ~APP~ rwx

diff --git a/tests/security-manager-tests/WRT_security_manager_test_rules2.smack b/tests/security-manager-tests/WRT_security_manager_test_rules2.smack
deleted file mode 100644 (file)
index da67f85..0000000
--- a/tests/security-manager-tests/WRT_security_manager_test_rules2.smack
+++ /dev/null
@@ -1,16 +0,0 @@
-~APP~ test_sm_book_8 r
-~APP~ test_sm_book_9 w
-~APP~ test_sm_book_10 x
-~APP~ test_sm_book_11 rw
-~APP~ test_sm_book_12 rx
-~APP~ test_sm_book_13 wx
-~APP~ test_sm_book_14 rwx
-~APP~ test_sm_book_15 rwxat
-test_sm_subject_8 ~APP~ r
-test_sm_subject_9 ~APP~ w
-test_sm_subject_10 ~APP~ x
-test_sm_subject_11 ~APP~ rw
-test_sm_subject_12 ~APP~ rx
-test_sm_subject_13 ~APP~ wx
-test_sm_subject_14 ~APP~ rwx
-test_sm_subject_15 ~APP~ rwxat

diff --git a/tests/security-manager-tests/WRT_security_manager_test_rules2_no_r.smack b/tests/security-manager-tests/WRT_security_manager_test_rules2_no_r.smack
deleted file mode 100644 (file)
index 693a26a..0000000
--- a/tests/security-manager-tests/WRT_security_manager_test_rules2_no_r.smack
+++ /dev/null
@@ -1,14 +0,0 @@
-~APP~ test_sm_book_9 w
-~APP~ test_sm_book_10 x
-~APP~ test_sm_book_11 w
-~APP~ test_sm_book_12 x
-~APP~ test_sm_book_13 wx
-~APP~ test_sm_book_14 wx
-~APP~ test_sm_book_15 wxat
-test_sm_subject_9 ~APP~ w
-test_sm_subject_10 ~APP~ x
-test_sm_subject_11 ~APP~ w
-test_sm_subject_12 ~APP~ x
-test_sm_subject_13 ~APP~ wx
-test_sm_subject_14 ~APP~ wx
-test_sm_subject_15 ~APP~ wxat

diff --git a/tests/security-manager-tests/WRT_security_manager_test_rules2_r.smack b/tests/security-manager-tests/WRT_security_manager_test_rules2_r.smack
deleted file mode 100644 (file)
index 8d2d49b..0000000
--- a/tests/security-manager-tests/WRT_security_manager_test_rules2_r.smack
+++ /dev/null
@@ -1,10 +0,0 @@
-~APP~ test_sm_book_8 r
-~APP~ test_sm_book_11 r
-~APP~ test_sm_book_12 r
-~APP~ test_sm_book_14 r
-~APP~ test_sm_book_15 r
-test_sm_subject_8 ~APP~ r
-test_sm_subject_11 ~APP~ r
-test_sm_subject_12 ~APP~ r
-test_sm_subject_14 ~APP~ r
-test_sm_subject_15 ~APP~ r

diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp
index 0e505af..ea9a430 100644 (file)
--- a/tests/security-manager-tests/security_manager_tests.cpp
+++ b/tests/security-manager-tests/security_manager_tests.cpp
@@ -3,6 +3,7 @@
 #include <stdio.h>
 #include <memory.h>
 #include <summary_collector.h>
+#include <string>
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -14,6 +15,7 @@
 
 #include <security-manager.h>
 #include <sm_db.h>
+#include <cynara_test_client.h>
 
 DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
 
@@ -38,48 +40,18 @@ static const privileges_t SM_DENIED_PRIVILEGES  = {
     "security_manager_test_rules2"
 };
 
-static const char *const XATTR_NAME_TIZENEXEC =  XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL";
-
-static const rules_t SM_ALLOWED_RULES = {
-    { USER_APP_ID, "test_sm_book_8", "r" },
-    { USER_APP_ID, "test_sm_book_9", "w" },
-    { USER_APP_ID, "test_sm_book_10", "x" },
-    { USER_APP_ID, "test_sm_book_11", "rw" },
-    { USER_APP_ID, "test_sm_book_12", "rx" },
-    { USER_APP_ID, "test_sm_book_13", "wx" },
-    { USER_APP_ID, "test_sm_book_14", "rwx" },
-    { USER_APP_ID, "test_sm_book_15", "rwxat" },
-    { "test_sm_subject_8", USER_APP_ID, "r" },
-    { "test_sm_subject_9", USER_APP_ID, "w" },
-    { "test_sm_subject_10", USER_APP_ID, "x" },
-    { "test_sm_subject_11", USER_APP_ID, "rw" },
-    { "test_sm_subject_12", USER_APP_ID, "rx" },
-    { "test_sm_subject_13", USER_APP_ID, "wx" },
-    { "test_sm_subject_14", USER_APP_ID, "rwx" },
-    { "test_sm_subject_15", USER_APP_ID, "rwxat" }
-};
-static const rules_t SM_DENIED_RULES = {
-    { USER_APP_ID, "test_sm_book_1", "r" },
-    { USER_APP_ID, "test_sm_book_2", "w" },
-    { USER_APP_ID, "test_sm_book_3", "x" },
-    { USER_APP_ID, "test_sm_book_4", "rw" },
-    { USER_APP_ID, "test_sm_book_5", "rx" },
-    { USER_APP_ID, "test_sm_book_6", "wx" },
-    { USER_APP_ID, "test_sm_book_7", "rwx" },
-    { "test_sm_subject_1", USER_APP_ID, "r" },
-    { "test_sm_subject_2", USER_APP_ID, "w" },
-    { "test_sm_subject_3", USER_APP_ID, "x" },
-    { "test_sm_subject_4", USER_APP_ID, "rw" },
-    { "test_sm_subject_5", USER_APP_ID, "rx" },
-    { "test_sm_subject_6", USER_APP_ID, "wx" },
-    { "test_sm_subject_7", USER_APP_ID, "rwx" }
+static const privileges_t SM_NO_PRIVILEGES  = {
 };
 
+static const char *const XATTR_NAME_TIZENEXEC =  XATTR_SECURITY_PREFIX "TIZEN_EXEC_LABEL";
+
 static const char *const SM_PRIVATE_PATH = "/etc/smack/test_DIR/app_dir";
 static const char *const SM_PUBLIC_PATH = "/etc/smack/test_DIR/app_dir_public";
 static const char *const SM_PUBLIC_RO_PATH = "/etc/smack/test_DIR/app_dir_public_ro";
 static const char *const SM_DENIED_PATH = "/etc/smack/test_DIR/non_app_dir";
 static const char *const SM_PRIVATE_PATH_FOR_USER_5000 = "/home/app/securitytests/test_DIR";
+static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
+
 
 
 static bool isLinkToExec(const char *fpath, const struct stat *sb)
@@ -239,40 +211,33 @@ static void check_app_path_after_install()
     RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
 }
 
-static void check_app_permissions(const char *const app_id, const char *const pkg_id,
-                                  const privileges_t &allowed_privs, const privileges_t &denied_privs,
-                                  const rules_t &allowed_rules, const rules_t &denied_rules)
-{
-    bool result;
 
-    result = check_all_accesses(smack_check(), allowed_rules);
-    RUNNER_ASSERT_MSG_BT(result, "Permissions not added.");
-    result = check_no_accesses(smack_check(), denied_rules);
-    RUNNER_ASSERT_MSG_BT(result, "Permissions added.");
+static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
+                                  const privileges_t &allowed_privs, const privileges_t &denied_privs)
+{
+    (void) app_id;
 
-    /* TODO: USER_APP_ID is hardcoded in the following checks, because libprivilege always generate
-     *       label "User" for all installed apps. Adjust it when libprivilege is upgraded. */
-    (void)app_id; // unused parameter
-    (void)pkg_id; // unused parameter
+    CynaraTestClient ctc;
 
-    for (auto it = allowed_privs.begin(); it != allowed_privs.end(); ++it)
-        check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), true);
+    for (auto &priv : allowed_privs) {
+        ctc.check(pkg_id, "", user, priv.c_str(), CYNARA_API_SUCCESS);
+    }
 
-    for (auto it = denied_privs.begin(); it != denied_privs.end(); ++it)
-        check_perm_app_has_permission(USER_APP_ID, (*it).c_str(), false);
+    for (auto &priv : denied_privs) {
+        ctc.check(pkg_id, "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
+    }
 }
 
 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
-                                    const privileges_t &allowed_privs, const privileges_t &denied_privs,
-                                    const rules_t &allowed_rules, const rules_t &denied_rules)
+                                    const privileges_t &allowed_privs,
+                                    const privileges_t &denied_privs)
 {
     TestSecurityManagerDatabase dbtest;
     dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
     dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
 
-    check_app_permissions(app_id, pkg_id,
-                          allowed_privs, denied_privs,
-                          allowed_rules, denied_rules);
+    /*Privileges should be granted to all users if root installs app*/
+    check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
 }
 
 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
@@ -286,6 +251,10 @@ static void check_app_after_uninstall(const char *const app_id, const char *cons
 {
     TestSecurityManagerDatabase dbtest;
     dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
+
+
+    /*Privileges should not be granted anymore to any user*/
+    check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
 }
 
 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
@@ -428,8 +397,7 @@ RUNNER_TEST(security_manager_02_app_install_uninstall_full)
 
     /* Check records in the security-manager database */
     check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
-                            SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES,
-                            SM_ALLOWED_RULES, SM_DENIED_RULES);
+                            SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
 
     /* TODO: add parameters to this function */
     check_app_path_after_install();
@@ -566,6 +534,7 @@ RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_uid_5000)
 {
     int result;
     AppInstReqUniquePtr request;
+    const std::string user =  std::to_string(static_cast<unsigned int>(APP_UID));
 
 
     //switch user to non-root
@@ -591,10 +560,18 @@ RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_uid_5000)
     //should succeed - this time i register folder inside user's home dir
     prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER_5000);
 
+    for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
+        result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
+        RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
+            "setting allowed permission failed. Result: " << result);
+    }
+
     result = security_manager_app_install(request.get());
     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
             "installing app failed. Result: " << result);
 
+    check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+
     //uninstall app as non-root user
     request.reset(do_app_inst_req_new());
 
@@ -605,6 +582,8 @@ RUNNER_CHILD_TEST(security_manager_05_app_install_uninstall_by_uid_5000)
     result = security_manager_app_uninstall(request.get());
     RUNNER_ASSERT_MSG_BT((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
             "uninstalling app failed. Result: " << result);
+
+    check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
 }