Security server test cases fix

[Issue#]       SSDWSSP-604
[Bug/Feature]  Two test cases in security_server_test_server.cpp
               (tc_ask_for_privilege_with_default_cookie_normal[...]
               - now tc_cookie_check_groups_privilege_positive
               and tc05_check_API_middleware_allow) were failing
               when connecting to a device via SDB.
[Cause]        SDB has different enviroment configuration than SSH.
               Launching an application via SSH makes it belong to
               3 groups ("audio" is one of them), while SDB doesn't.
               These two test cases assume that the process belongs
               to "audio" group, so launching them via SDB causes
               they fail.
[Solution]     Add "audio" group to the test's process before
               running the test cases (see add_process_group and
               remove_process_group).
[Verification] Build, install and run security server tests. The following
               test cases, affected by this commit, should pass:
               tc_cookie_check_groups_privilege_negative
               tc_cookie_check_groups_privilege_positive
               tc_ask_for_privilege_with_default_cookie_case_with_wrong_cookie
               tc05_check_API_middleware_allow
               tc06_check_API_middleware_denied
               tc05_check_API_middleware_allow_nosmack

Change-Id: I47a0f4a3715ade527ea9db048f98a1206aefd51a

diff --git a/tests/security-server-tests/security_server_tests_server.cpp b/tests/security-server-tests/security_server_tests_server.cpp
index 9a94372..fe29da7 100644 (file)
--- a/tests/security-server-tests/security_server_tests_server.cpp
+++ b/tests/security-server-tests/security_server_tests_server.cpp
@@ -22,6 +22,7 @@
 #include <sys/stat.h>
 #include <sys/smack.h>
 #include <sys/wait.h>
+#include <grp.h>
 #include "security-server.h"
 #include "security_server_clean_env.h"
 #include <dpl/test/test_runner.h>
@@ -56,12 +57,14 @@ const char *TEST12_SUBJECT = "subject_sstest12";
 #define API_PASSWD_SET        "security-server::api-password-set"
 #define API_PASSWD_CHECK      "security-server::api-password-check"
 #define API_DATA_SHARE        "security-server::api-data-share"
-#define API_MIDDLEWARE        "security-server::api-middleware"
 #define API_PRIVILEGE_BY_NAME "security-server::api-app-privilege-by-name"
 
 #define API_FREE_ACCESS   "*"
 #define API_RULE_REQUIRED "w"
 
+// we assume that the group 'audio' exists in the system
+const char* PROC_AUDIO_GROUP_NAME = "audio";
+
 
 /* Message */
 typedef struct
@@ -353,6 +356,63 @@ int clear_password(char ** /*error*/)
     return -1;
 }
 
+/*
+ * Add a new group to the current process groups.
+ */
+void add_process_group(const char* group_name)
+{
+    // get group ID by gtoup name
+    group *gr = getgrnam(group_name);
+    RUNNER_ASSERT_MSG(gr != NULL, "Group '" << group_name << "' does not exist.");
+    const gid_t new_group_id = gr->gr_gid;
+
+    // get number of groups that the current process belongs to
+    int ngroups = getgroups(0, NULL);
+
+    //allocate groups table + space for new group entry
+    std::vector<gid_t> groups(ngroups + 1);
+    getgroups(ngroups, groups.data());
+
+    // check if the process already belongs to the group
+    for (int i = 0; i < ngroups; ++i)
+        if (groups[i] == new_group_id)
+            return;
+
+    // add new group & apply change
+    groups[ngroups] = new_group_id;
+    int ret = setgroups(ngroups + 1, groups.data());
+    RUNNER_ASSERT_MSG(ret == 0, "setgroups failed. ret = " << ret);
+}
+
+/*
+ * Remove specific group from the current process groups.
+ */
+void remove_process_group(const char* group_name)
+{
+    // get group ID by gtoup name
+    group *gr = getgrnam(group_name);
+    RUNNER_ASSERT_MSG(gr != NULL, "Group '" << group_name << "' does not exist.");
+    const gid_t new_group_id = gr->gr_gid;
+
+    // get number of groups that the current process belongs to
+    int ngroups = getgroups(0, NULL);
+
+    //allocate groups table + space for new group entry
+    std::vector<gid_t> groups(ngroups);
+    getgroups(ngroups, groups.data());
+
+    // check if the process already belongs to the group
+    for (int i = 0; i < ngroups; ++i)
+        if (groups[i] == new_group_id) {
+            groups[i] = groups[ngroups-1]; // replace with last
+
+            // apply change
+            int ret = setgroups(ngroups - 1, groups.data());
+            RUNNER_ASSERT_MSG(ret == 0, "setgroups failed. ret = " << ret);
+            return;
+        }
+}
+
 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_SERVER);
 
 RUNNER_TEST(tc_getting_default_cookie)
@@ -376,23 +436,36 @@ RUNNER_TEST(tc_security_server_get_gid_wrong_object_name_teltel)
     RUNNER_ASSERT(security_server_get_gid("teltel") == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT);
 }
 
-RUNNER_TEST(tc_ask_for_privilege_with_default_cookie_normal_case_to_check_audio_privilege)
+RUNNER_CHILD_TEST(tc_cookie_check_groups_privilege_negative)
 {
-    printhex(cookie, COOKIE_SIZE);
-    RUNNER_ASSERT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) == SECURITY_SERVER_API_SUCCESS);
-    ret = security_server_get_gid("audio");
+    remove_process_group(PROC_AUDIO_GROUP_NAME);
+
+    RUNNER_ASSERT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) ==
+                                                 SECURITY_SERVER_API_SUCCESS);
+    ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+    ret = security_server_check_privilege((char*) cookie, ret);
+    RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
+}
+
+RUNNER_CHILD_TEST(tc_cookie_check_groups_privilege_positive)
+{
+    add_process_group(PROC_AUDIO_GROUP_NAME);
+
+    RUNNER_ASSERT(security_server_request_cookie((char*)cookie, COOKIE_SIZE) ==
+                                                 SECURITY_SERVER_API_SUCCESS);
+    ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
     ret = security_server_check_privilege((char*) cookie, ret);
     RUNNER_ASSERT(ret == SECURITY_SERVER_API_SUCCESS);
 }
 
 RUNNER_TEST(tc_ask_for_privilege_with_default_cookie_case_with_wrong_cookie)
 {
-    ret = security_server_get_gid("audio");
+    ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
     srand(time(NULL));
     for (i = 0; i < COOKIE_SIZE; i++)
         wrong_cookie[i] = rand() % 255;
     ret = security_server_check_privilege((const char*) wrong_cookie, ret);
-    RUNNER_ASSERT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED);
+    RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
 }
 
 
@@ -401,7 +474,7 @@ RUNNER_TEST(tc_fake_security_server_get_gid)
     /* Close socket just after sending request msg.
      * This is done with fake security_server_get_gid()*/
 
-    ret = fake_get_gid("audio");
+    ret = fake_get_gid(PROC_AUDIO_GROUP_NAME);
     RUNNER_IGNORED_MSG("Watch whether security server has crashed or not.");
 }
 
@@ -634,25 +707,11 @@ RUNNER_CHILD_TEST(tc04_check_API_passwd_denied)
 RUNNER_CHILD_TEST_SMACK(tc05_check_API_middleware_allow)
 {
     int ret = -1;
-    const char *subject_allow = TEST05_SUBJECT;
     size_t cookie_size = security_server_get_cookie_size();
     char cookie[20];
     char *ss_label = NULL;
-    struct smack_accesses *handle = NULL;
 
-    /* allow subject 'subjet_allow' to security-server::api-middleware */
-    ret = smack_accesses_new(&handle);
-    RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
-    ret = smack_accesses_add(handle, subject_allow, API_MIDDLEWARE, API_RULE_REQUIRED);
-    RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
-    ret = smack_accesses_apply(handle);
-    RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-    smack_accesses_free(handle);
-
-    ret = smack_set_label_for_self(subject_allow);
-    RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
+    add_process_group(PROC_AUDIO_GROUP_NAME);
 
     // drop root privileges
     RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid());
@@ -660,7 +719,7 @@ RUNNER_CHILD_TEST_SMACK(tc05_check_API_middleware_allow)
     ret = security_server_request_cookie(cookie, cookie_size);
     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 
-    ret = security_server_get_gid("audio");
+    ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
     ret = security_server_check_privilege(cookie, ret);
     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 
@@ -687,6 +746,8 @@ RUNNER_CHILD_TEST(tc06_check_API_middleware_denied)
     char cookie[20];
     char *ss_label = NULL;
 
+    add_process_group(PROC_AUDIO_GROUP_NAME);
+
     ret = smack_set_label_for_self(subject_denied);
     RUNNER_ASSERT_MSG(ret == 0, "ret: " << ret);
 
@@ -1099,6 +1160,8 @@ RUNNER_CHILD_TEST_NOSMACK(tc05_check_API_middleware_allow_nosmack)
     char cookie[20];
     char* ss_label = NULL;
 
+    add_process_group(PROC_AUDIO_GROUP_NAME);
+
     // drop root privileges
     ret = drop_root_privileges();
     RUNNER_ASSERT_MSG(ret == 0,
@@ -1108,8 +1171,9 @@ RUNNER_CHILD_TEST_NOSMACK(tc05_check_API_middleware_allow_nosmack)
     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
             "request_cookie failed. Result: " << ret);
 
-    ret = security_server_get_gid("audio");
-    RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"audio\" gid. Result: " << ret);
+    ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
+    RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME << "\" gid. Result: "
+                      << ret);
 
     ret = security_server_check_privilege(cookie, ret);
     RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,