From 9b8ba07965343bf6b4024fdecce78e36e3a3fab9 Mon Sep 17 00:00:00 2001 From: "Maciej J. Karpiuk" Date: Mon, 2 Feb 2015 10:44:31 +0100 Subject: [PATCH 1/1] Add tests for deprecated access control API. [Issue#] N/A [Feature/Bug] bug discovered in the key-manager. This commit verifies bug resolution. [Problem] deprecated access control API incorrectly mapped values into permissions. [Solution] fix to key-manager plus appropriate tests in the security-tests. [Verification] all T300_CKMC_ACCESS_CONTROL_C_API should pass. Change-Id: I9bc52b0e493bb7dbde14b5793d18d5b924806648 --- tests/ckm/capi-access_control.cpp | 127 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 127 insertions(+) diff --git a/tests/ckm/capi-access_control.cpp b/tests/ckm/capi-access_control.cpp index 14fccff..9295a07 100644 --- a/tests/ckm/capi-access_control.cpp +++ b/tests/ckm/capi-access_control.cpp @@ -132,6 +132,12 @@ void check_read_not_visible(const char* alias) } } +void allow_access_deprecated(const char* alias, const char* accessor, ckmc_access_right_e accessRights) +{ + int ret = ckmc_allow_access(alias, accessor, accessRights); + RUNNER_ASSERT_MSG_BT(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << ret); +} + void allow_access(const char* alias, const char* accessor, int permissionMask) { // data removal should revoke this access @@ -158,6 +164,13 @@ void deny_access_negative(const char* alias, const char* accessor, int expectedC RUNNER_ASSERT_MSG(expectedCode == ret, "Denying access failed. Error: " << ret << ", while expected: " << expectedCode); } +void allow_access_deprecated_by_adm(const char* alias, const char* accessor, ckmc_access_right_e accessRights) +{ + // data removal should revoke this access + int ret = ckmc_allow_access_by_adm(USER_ROOT, get_label().get(), alias, accessor, accessRights); + RUNNER_ASSERT_MSG_BT(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << ret); +} + void allow_access_by_adm(const char* alias, const char* accessor, int permissionMask) { // data removal should revoke this access @@ -562,6 +575,64 @@ RUNNER_TEST(T3031_manager_test_decrypt_from_another_label) } } +// tries to access other application data with permission +RUNNER_TEST(T3032_manager_deprecated_access_allowed) +{ + CharPtr top_label = get_label(); + ScopedSaveData ssd(TEST_ALIAS); + + allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ); + { + ScopedLabel sl(TEST_LABEL2); + + check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str()); + } +} + +// tries to read other application data with permission for read/remove +RUNNER_TEST(T3033_manager_deprecated_access_allowed_with_remove) +{ + CharPtr top_label = get_label(); + ScopedSaveData ssd(TEST_ALIAS); + + allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE); + { + ScopedLabel sl(TEST_LABEL2); + + check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str()); + } +} + +// tries to remove other application data with permission for reading only +RUNNER_TEST(T3034_manager_deprecated_access_allowed_remove_denied) +{ + CharPtr top_label = get_label(); + ScopedSaveData ssd(TEST_ALIAS); + + allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ); + { + ScopedLabel sl(TEST_LABEL2); + + std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS); + check_remove_denied(TEST_ALIAS_adr.c_str()); + check_read_allowed(TEST_ALIAS_adr.c_str()); + } +} + +// tries to remove other application data with permission +RUNNER_TEST(T3035_manager_deprecated_remove_allowed) +{ + CharPtr top_label = get_label(); + ScopedSaveData ssd(TEST_ALIAS); + + allow_access_deprecated(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE); + { + ScopedLabel sl(TEST_LABEL2); + + check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str()); + } +} + ///////////////////////////////////////////////////////////////////////////// // Control @@ -804,6 +875,62 @@ RUNNER_TEST(T3141_control_deny_invalid_user) "Trying to deny access to invalid user returned: " << ret); } +// tries to read other application data with permission +RUNNER_TEST(T3142_control_deprecated_access_allowed) +{ + CharPtr top_label = get_label(); + ScopedSaveData ssd(TEST_ALIAS); + + allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ); + { + ScopedLabel sl(TEST_LABEL2); + + check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str()); + } +} + +// tries to read other application data with permission to read/remove +RUNNER_TEST(T3143_control_deprecated_access_allowed_with_remove) +{ + CharPtr top_label = get_label(); + ScopedSaveData ssd(TEST_ALIAS); + + allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE); + { + ScopedLabel sl(TEST_LABEL2); + + check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str()); + } +} + +// tries to remove other application data with permission to read +RUNNER_TEST(T3144_control_deprecated_access_allowed_remove_denied) +{ + CharPtr top_label = get_label(); + ScopedSaveData ssd(TEST_ALIAS); + + allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ); + { + ScopedLabel sl(TEST_LABEL2); + + check_remove_denied(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str()); + } +} + +// tries to remove other application data with permission +RUNNER_TEST(T3145_control_deprecated_remove_allowed) +{ + CharPtr top_label = get_label(); + ScopedSaveData ssd(TEST_ALIAS); + + allow_access_deprecated_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE); + { + ScopedLabel sl(TEST_LABEL2); + + check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str()); + } +} + RUNNER_TEST(T3999_deinit) { -- 2.7.4