Some tests that call smack_revoke_subject should run with smack

[Bug/Feature]   Some tests calling smack_revoke_subject fails when run without
                smack
[Cause]         Tests need smack to run properly
[Solution]      Run those test only when smack is enabled. Moreover, if
                it was possible, added similar nosmack versions
                of these tests.
[Verification]  Build, install and run tests, i.e.:
                security-tests.sh ss-server --runignored --output=text

Change-Id: I1319c64581cce3739e1168a9d3dc45a1878892a8
Signed-off-by: Sebastian Grabowski <s.grabowski@partner.samsung.com>

diff --git a/tests/security-server-tests/cookie_api.cpp b/tests/security-server-tests/cookie_api.cpp
index f321be0..35a135f 100644 (file)
--- a/tests/security-server-tests/cookie_api.cpp
+++ b/tests/security-server-tests/cookie_api.cpp
@@ -474,7 +474,7 @@ RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow)
 }
 
 // disable access and drop privileges
-RUNNER_CHILD_TEST(tc_unit_09_02_app_user_cookie_API_access_deny)
+RUNNER_CHILD_TEST_SMACK(tc_unit_09_02_app_user_cookie_API_access_deny)
 {
     RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
     SecurityServer::AccessProvider provider("subject_1d414140");

diff --git a/tests/security-server-tests/server.cpp b/tests/security-server-tests/server.cpp
index 189f052..0899f1b 100644 (file)
--- a/tests/security-server-tests/server.cpp
+++ b/tests/security-server-tests/server.cpp
@@ -89,6 +89,56 @@ int clear_password(char ** /*error*/)
     return -1;
 }
 
+void check_API_passwd(bool smack) {
+    int ret = -1;
+    int err, err_is_pwd_valid;
+    unsigned int attempt, max_attempt, expire_sec;
+
+    err = smack ? SECURITY_SERVER_API_ERROR_ACCESS_DENIED : SECURITY_SERVER_API_SUCCESS;
+    err_is_pwd_valid = smack ? SECURITY_SERVER_API_ERROR_ACCESS_DENIED : SECURITY_SERVER_API_ERROR_PASSWORD_EXIST;
+    attempt = max_attempt = expire_sec = 0;
+
+    if (smack) {
+        SecurityServer::AccessProvider privider(TEST04_SUBJECT);
+        privider.applyAndSwithToUser(APP_UID, APP_GID);
+    } else {
+        RUNNER_ASSERT_MSG_BT((ret = drop_root_privileges()) == 0,
+                "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
+    }
+
+    ret = security_server_set_pwd_validity(APP_UID);
+    RUNNER_ASSERT_MSG_BT(ret == err,
+            "security_server_set_pwd_validity has failed,"
+            " ret: " << ret);
+
+    ret = security_server_set_pwd_max_challenge(5);
+    RUNNER_ASSERT_MSG_BT(ret == err,
+            "security_server_set_pwd_max_challenge has failed,"
+            " ret: " << ret);
+
+    ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
+    RUNNER_ASSERT_MSG_BT(ret == err_is_pwd_valid,
+            "security_server_is_pwd_valid should return password exist,"
+            " ret: " << ret);
+
+    usleep(PASSWORD_RETRY_TIMEOUT_US);
+    ret = security_server_set_pwd("12345", "12346", 0, 0);
+    RUNNER_ASSERT_MSG_BT(ret == err,
+            "security_server_set_pwd has failed, ret: " << ret);
+
+    ret = security_server_reset_pwd("12346",0, 0);
+    RUNNER_ASSERT_MSG_BT(ret == err,
+            "security_server_reset_pwd has failed, ret: " << ret);
+    usleep(PASSWORD_RETRY_TIMEOUT_US);
+    ret = security_server_chk_pwd("12346", &attempt, &max_attempt, &expire_sec);
+    RUNNER_ASSERT_MSG_BT(ret == err,
+            "security_server_chk_pwd has failed, ret: " << ret);
+
+    ret = security_server_set_pwd_history(10);
+    RUNNER_ASSERT_MSG_BT(ret == err,
+            "security_server_set_pwd_history has failed, ret: " << ret);
+}
+
 RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_SERVER);
 
 RUNNER_TEST(tc_security_server_get_gid_normal_case_trying_to_get_gid_of_tel_gprs)
@@ -224,69 +274,15 @@ RUNNER_CHILD_TEST_SMACK(tc03_check_API_passwd_allow)
     RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
 }
 
-RUNNER_CHILD_TEST(tc04_check_API_passwd_denied)
+RUNNER_CHILD_TEST_SMACK(tc04_check_API_passwd_denied)
 {
     RUNNER_IGNORED_MSG("Security-server sockets are not labeled.");
-    int ret = -1;
-    unsigned int attempt, max_attempt, expire_sec;
-
-    attempt = max_attempt = expire_sec = 0;
-
-    SecurityServer::AccessProvider privider(TEST04_SUBJECT);
-    privider.applyAndSwithToUser(APP_UID, APP_GID);
-
-    /*
-     * now SS should return error
-     * at the moment SS doesn't check return code from
-     * authorize_SS_API_caller_socket() so it should give access
-     * you can check in logs if it's working properly
-     * has access result = 1
-     * no access result = 0
-     * D/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(205) >
-     *                          [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
-     *                          object=security-server::api-password-check, access=w, result=1,
-     *                          caller_path=/usr/bin/security-server-tests-server
-     * E/SECURITY_SERVER( 2510): security-server-main.c: authorize_SS_API_caller_socket(207) >
-     *                          [SECURE_LOG] SS_SMACK: caller_pid=5278, subject=subject_allow,
-     *                          object=security-server::api-password-check, access=w, result=0,
-     *                          caller_path=/usr/bin/security-server-tests-server
-     */
-
-    ret = security_server_set_pwd_validity(10);
-    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
-            "security_server_set_pwd_validity should return access denied,"
-            " ret: " << ret);
-
-    ret = security_server_set_pwd_max_challenge(5);
-    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
-            "security_server_set_pwd_max_challenge should return access denied,"
-            " ret: " << ret);
-
-    ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
-    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
-            "security_server_is_pwd_valid should return access denied,"
-            " ret: " << ret);
-
-    usleep(PASSWORD_RETRY_TIMEOUT_US);
-    ret = security_server_set_pwd("12345", "12346", 0, 0);
-    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
-            "security_server_set_pwd should return access denied,"
-            " ret: " << ret);
-
-    ret = security_server_reset_pwd("12346",0, 0);
-    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
-            "security_server_reset_pwd should return access denied,"
-            " ret: " << ret);
-    usleep(PASSWORD_RETRY_TIMEOUT_US);
-    ret = security_server_chk_pwd("12346", &attempt, &max_attempt, &expire_sec);
-    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
-            "security_server_chk_pwd should return access denied,"
-            " ret: " << ret);
+    check_API_passwd(true);
+}
 
-    ret = security_server_set_pwd_history(10);
-    RUNNER_ASSERT_MSG_BT(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
-            "security_server_set_pwd_history should return access denied,"
-            " ret: " << ret);
+RUNNER_CHILD_TEST_NOSMACK(tc04_check_API_app_user_passwd_allow_nosmack)
+{
+    check_API_passwd(false);
 }
 
 RUNNER_CHILD_TEST_SMACK(tc07_check_API_data_share_allow)