From b4ab3e3119f48107a43b01b61eb2875492439b88 Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Thu, 14 Jan 2016 15:43:54 +0100 Subject: [PATCH] Drop tests related to security-server Security-server has been removed from Tizen 3.0 images. Change-Id: I6cd8349abd94b2136726a357f515308cb482bce9 
Signed-off-by: Rafal Krypa --- README | 8 - packaging/security-tests.manifest | 6 - packaging/security-tests.spec | 8 - src/CMakeLists.txt | 1 - src/ckm/CMakeLists.txt | 2 - src/ckm/clean-env.cpp | 66 - src/ckm/clean-env.h | 20 - src/ckm/password-integration.cpp | 264 ---- src/security-server-tests/CMakeLists.txt | 170 --- .../WRT_sstp_test_rules1.smack | 2 - .../WRT_sstp_test_rules2.smack | 2 - .../common/security_server_tests_common.cpp | 36 - .../common/security_server_tests_common.h | 35 - src/security-server-tests/cookie_api.cpp | 558 ------- .../security_server_clean_env.cpp | 54 - .../security_server_clean_env.h | 17 - .../security_server_measurer_API_speed.cpp | 728 ---------- .../security_server_mockup.cpp | 113 -- src/security-server-tests/security_server_mockup.h | 18 - .../security_server_tests_client_smack.cpp | 548 ------- .../security_server_tests_mt.cpp | 150 -- .../security_server_tests_password.cpp | 1526 -------------------- .../security_server_tests_privilege.cpp | 125 -- .../security_server_tests_stress.cpp | 189 --- src/security-server-tests/server.cpp | 432 ------ src/security-server-tests/weird_arguments.cpp | 192 --- src/security-tests.sh | 36 - 27 files changed, 5306 deletions(-) delete mode 100644 src/ckm/clean-env.cpp delete mode 100644 src/ckm/clean-env.h delete mode 100644 src/ckm/password-integration.cpp delete mode 100644 src/security-server-tests/CMakeLists.txt delete mode 100644 src/security-server-tests/WRT_sstp_test_rules1.smack delete mode 100644 src/security-server-tests/WRT_sstp_test_rules2.smack delete mode 100644 src/security-server-tests/common/security_server_tests_common.cpp delete mode 100644 src/security-server-tests/common/security_server_tests_common.h delete mode 100644 src/security-server-tests/cookie_api.cpp delete mode 100644 src/security-server-tests/security_server_clean_env.cpp delete mode 100644 src/security-server-tests/security_server_clean_env.h delete mode 100644 
src/security-server-tests/security_server_measurer_API_speed.cpp delete mode 100644 src/security-server-tests/security_server_mockup.cpp delete mode 100644 src/security-server-tests/security_server_mockup.h delete mode 100644 src/security-server-tests/security_server_tests_client_smack.cpp delete mode 100644 src/security-server-tests/security_server_tests_mt.cpp delete mode 100644 src/security-server-tests/security_server_tests_password.cpp delete mode 100644 src/security-server-tests/security_server_tests_privilege.cpp delete mode 100644 src/security-server-tests/security_server_tests_stress.cpp delete mode 100644 src/security-server-tests/server.cpp delete mode 100644 src/security-server-tests/weird_arguments.cpp diff --git a/README b/README index 83c2c05..38d9538 100644 --- a/README +++ b/README @@ -13,14 +13,6 @@ libsmack libsmack-test libprivilege-control libprivilege-control-test -security-server - security-server-tests-client-smack - security-server-tests-stress - security-server-tests-server - security-server-tests-api-speed - security-server-tests-password - security-server-tests-privilege - security-server-tests-dbus security-manager security-manager-tests cynara diff --git a/packaging/security-tests.manifest b/packaging/security-tests.manifest index dc31795..c06bf7c 100644 --- a/packaging/security-tests.manifest +++ b/packaging/security-tests.manifest @@ -9,12 +9,6 @@ - - - - - - diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec index 0fadcd4..4136fdc 100644 --- a/packaging/security-tests.spec +++ b/packaging/security-tests.spec @@ -12,7 +12,6 @@ BuildRequires: libattr-devel BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libsmack) BuildRequires: pkgconfig(libprivilege-control) -BuildRequires: pkgconfig(security-server) BuildRequires: pkgconfig(security-manager) BuildRequires: pkgconfig(key-manager) BuildRequires: pkgconfig(dlog) 
@@ -87,17 +86,10 @@ echo "security-tests postinst done ..." /usr/bin/libsmack-test /usr/bin/smack-dbus-tests /usr/bin/libprivilege-control-test -/usr/bin/security-server-tests-client-smack -/usr/bin/security-server-tests-server -/usr/bin/security-server-tests-password -/usr/bin/security-server-tests-privilege -/usr/bin/security-server-tests-stress /etc/smack/test_smack_rules_full /etc/smack/test_smack_rules2 /etc/smack/test_smack_rules3 /etc/smack/test_smack_rules4 -/usr/bin/security-server-tests-mt -/usr/bin/security-server-tests-api-speed /usr/bin/security-manager-tests /etc/smack/test_smack_rules /etc/smack/test_smack_rules_lnk diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index a73e120..9cb349e 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -87,7 +87,6 @@ ADD_SUBDIRECTORY(ckm-integration) ADD_SUBDIRECTORY(libprivilege-control-tests) ADD_SUBDIRECTORY(libsmack-tests) ADD_SUBDIRECTORY(smack-dbus-tests) -ADD_SUBDIRECTORY(security-server-tests) ADD_SUBDIRECTORY(security-manager-tests) ADD_SUBDIRECTORY(cynara-tests) ADD_SUBDIRECTORY(libwebappenc-tests) diff --git a/src/ckm/CMakeLists.txt b/src/ckm/CMakeLists.txt index 40891fa..dfdc418 100644 --- a/src/ckm/CMakeLists.txt +++ b/src/ckm/CMakeLists.txt @@ -46,10 +46,8 @@ SET(CKM_SOURCES ${PROJECT_SOURCE_DIR}/src/ckm/async-api.cpp ${PROJECT_SOURCE_DIR}/src/ckm/ckm-common.cpp ${PROJECT_SOURCE_DIR}/src/ckm/cc-mode.cpp -# ${PROJECT_SOURCE_DIR}/src/ckm/password-integration.cpp ${PROJECT_SOURCE_DIR}/src/ckm/system-db.cpp ${PROJECT_SOURCE_DIR}/src/ckm/initial-values.cpp - ${PROJECT_SOURCE_DIR}/src/ckm/clean-env.cpp ${PROJECT_SOURCE_DIR}/src/ckm/test-certs.cpp ${PROJECT_SOURCE_DIR}/src/ckm/algo-params.cpp ${PROJECT_SOURCE_DIR}/src/ckm/encryption-decryption-env.cpp diff --git a/src/ckm/clean-env.cpp b/src/ckm/clean-env.cpp deleted file mode 100644 index 88352bd..0000000 --- a/src/ckm/clean-env.cpp +++ /dev/null 
@@ -1,66 +0,0 @@ -/* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved - */ -/* - * @file security_server_tests_clean_env.cpp - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @version 1.0 - * @brief Functions to prepare clean env for tests. - * - */ - -#include -#include - -#include - -#include -#include - -int restart_security_server() { - ServiceManager sm("security-server.service"); - sm.restartService(); - - return 0; -} - -static int nftw_rmdir_contents(const char *fpath, const struct stat * /*sb*/, - int tflag, struct FTW *ftwbuf) -{ - if (tflag == FTW_F) - unlink(fpath); - else if (tflag == FTW_DP && ftwbuf->level != 0) - rmdir(fpath); - - return 0; -} - -/** - * This function should be called at the begining of every SS test, so all the tests - * are independent of each other. - */ -int reset_security_server() -{ - const char* path = "/opt/data/security-server/"; - const int max_descriptors = 10; //max number of open file descriptors by nftw function - - // Clear /opt/data/security-server/ directory - if (access(path, F_OK) == 0) { - if (nftw(path, &nftw_rmdir_contents, max_descriptors, FTW_DEPTH) == -1) { - return 1; - } - sync(); - } - - restart_security_server(); - auto control = CKM::Control::create(); - - if (!!control) { - control->lockUserKey(5000); - control->removeUserData(5000); - control->unlockUserKey(5000, ""); - } - - return 0; -} - diff --git a/src/ckm/clean-env.h b/src/ckm/clean-env.h deleted file mode 100644 index f6f6c9e..0000000 --- a/src/ckm/clean-env.h +++ /dev/null @@ -1,20 +0,0 @@ -/* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved - */ -/* - * @file security_server_tests_clean_env.cpp - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @version 1.0 - * @brief Functions to prepare clean env for tests. - * - */ -#pragma once - -#include -#include - -#include - -int restart_security_server(); -int reset_security_server(); - 
diff --git a/src/ckm/password-integration.cpp b/src/ckm/password-integration.cpp
deleted file mode 100644
index 3df917e..0000000
--- a/src/ckm/password-integration.cpp
+++ /dev/null
@@ -1,264 +0,0 @@ -/* - * Copyright (c) 2000 - 2014 Samsung Electronics Co. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - * - * @file password-integration.cpp - * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 - */ -#include -#include -#include - -#include - -#include -#include -#include -#include - -#include - -#include -#include - -CKM::Alias CKM_ALIAS1 = "ALIAS1"; -CKM::Alias CKM_ALIAS2 = "ALIAS2"; - -CKM::RawBuffer BIN_DATA1 = {'A','B','R','A','C','A','D','A','B','R','A'}; - -const char * PASSWORD1 = "LongPassword1"; -const char * PASSWORD2 = "LongerPassword2"; - -static const int USER_APP = 5000; - -const unsigned int PASSWORD_RETRY_TIMEOUT_US = 500000; - -void dropPrivileges() { - static const std::string LABEL1 = "TestLabel1"; - static const int GROUP_APP = 5000; - - AccessProvider ap(LABEL1); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); -} - -RUNNER_TEST_GROUP_INIT(T401_SECURITY_SERVER_PASSWORD_INTEGRATION); - -RUNNER_TEST(T4010_INIT) -{ - reset_security_server(); - unsigned int attempt, max_attempt, expire_sec; - - int ret = security_server_chk_pwd(NULL, &attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, ""); -} - -RUNNER_CHILD_TEST(T4011_ADD_DATA) -{ - dropPrivileges(); - - auto mgr = CKM::Manager::create(); - - int ret = mgr->saveData(CKM_ALIAS1, BIN_DATA1, CKM::Policy()); - RUNNER_ASSERT_MSG(ret == CKM_API_SUCCESS, ""); -} 
- -RUNNER_TEST(T4012_CLOSE_CKM_DB) -{ - auto ctl = CKM::Control::create(); - - int ret = ctl->lockUserKey(USER_APP); - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == ret, "Error=" << CKM::ErrorToString(ret)); -} - -RUNNER_CHILD_TEST(T4013_GET_DATA) -{ - dropPrivileges(); - - auto mgr = CKM::Manager::create(); - - CKM::RawBuffer buffer; - - // CKM will automaticly unlock with empty password - int ret = mgr->getData(CKM_ALIAS1, CKM::Password(), buffer); - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == ret, "Error=" << CKM::ErrorToString(ret)); -} - -RUNNER_TEST(T4014_UNLOCK_DATABASE_WITH_SECURITY_SERVER) -{ - unsigned int attempt, max_attempt, expire_sec; - - usleep(PASSWORD_RETRY_TIMEOUT_US); - - int ret = security_server_chk_pwd(NULL, &attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, ""); -} - -RUNNER_CHILD_TEST(T4015_GET_DATA) -{ - dropPrivileges(); - auto mgr = CKM::Manager::create(); - - CKM::RawBuffer buffer; - int ret = mgr->getData(CKM_ALIAS1, CKM::Password(), buffer); - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == ret, "Error=" << CKM::ErrorToString(ret)); - - RUNNER_ASSERT_MSG(buffer == BIN_DATA1, "Data mismatch"); -} - -RUNNER_TEST_GROUP_INIT(T402_SECURITY_SERVER_PASSWORD_INTEGRATION); - -RUNNER_TEST(T4020_INIT) -{ - reset_security_server(); - - int ret = security_server_set_pwd(NULL, PASSWORD1, 10, 10); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, ""); -} - -RUNNER_CHILD_TEST(T4021_ADD_DATA) -{ - dropPrivileges(); - - auto mgr = CKM::Manager::create(); - - int ret = mgr->saveData(CKM_ALIAS1, BIN_DATA1, CKM::Policy()); - RUNNER_ASSERT_MSG(ret == CKM_API_SUCCESS, ""); -} - -RUNNER_TEST(T4022_CLOSE_CKM_DB) -{ - unsigned int attempt, max, expire; - - auto ctl = CKM::Control::create(); - - int ret = ctl->lockUserKey(USER_APP); - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == ret, "Error=" << CKM::ErrorToString(ret)); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - - // login with current password to get rid of invalid "NULL" DKEK - ret = 
security_server_chk_pwd(PASSWORD1, &attempt, &max, &expire); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "Error=" << ret); - - ret = ctl->lockUserKey(USER_APP); - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == ret, "Error=" << CKM::ErrorToString(ret)); -} - -RUNNER_CHILD_TEST(T4023_GET_DATA_NEGATIVE) -{ - dropPrivileges(); - - auto mgr = CKM::Manager::create(); - - CKM::RawBuffer buffer; - int ret = mgr->getData(CKM_ALIAS1, CKM::Password(), buffer); - RUNNER_ASSERT_MSG(CKM_API_ERROR_DB_LOCKED == ret, "Error=" << CKM::ErrorToString(ret)); -} - -RUNNER_TEST(T4024_UNLOCK_DATABASE_WITH_SECURITY_SERVER) -{ - unsigned int attempt, max, expire; - - usleep(PASSWORD_RETRY_TIMEOUT_US); - int ret = security_server_chk_pwd(PASSWORD1, &attempt, &max, &expire); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "Error =" << ret); -} - -RUNNER_CHILD_TEST(T4025_GET_DATA) -{ - dropPrivileges(); - - auto mgr = CKM::Manager::create(); - - CKM::RawBuffer buffer; - int ret = mgr->getData(CKM_ALIAS1, CKM::Password(), buffer); - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == ret, "Error=" << CKM::ErrorToString(ret)); - - RUNNER_ASSERT_MSG(buffer == BIN_DATA1, "Data missmatch"); -} - -RUNNER_TEST_GROUP_INIT(T403_SECURITY_SERVER_PASSWORD_INTEGRATION); - -RUNNER_TEST(T4030_INIT) -{ - reset_security_server(); - - int ret = security_server_set_pwd(NULL, PASSWORD1, 10, 10); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, ""); -} - -RUNNER_CHILD_TEST(T4031_ADD_DATA) -{ - dropPrivileges(); - - auto mgr = CKM::Manager::create(); - - int ret = mgr->saveData(CKM_ALIAS1, BIN_DATA1, CKM::Policy()); - RUNNER_ASSERT_MSG(ret == CKM_API_SUCCESS, ""); -} - -RUNNER_TEST(T4032_CLOSE_CKM_DB) -{ - unsigned int attempt, max, expire; - - auto ctl = CKM::Control::create(); - - int ret = ctl->lockUserKey(USER_APP); - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == ret, "Error=" << CKM::ErrorToString(ret)); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - - // login with current password to get rid of invalid "NULL" DKEK - ret 
= security_server_chk_pwd(PASSWORD1, &attempt, &max, &expire); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "Error=" << ret); - - ret = ctl->lockUserKey(USER_APP); - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == ret, "Error=" << CKM::ErrorToString(ret)); -} - -RUNNER_CHILD_TEST(T4033_GET_DATA_NEGATIVE) -{ - dropPrivileges(); - - auto mgr = CKM::Manager::create(); - - CKM::RawBuffer buffer; - int ret = mgr->getData(CKM_ALIAS1, CKM::Password(), buffer); - RUNNER_ASSERT_MSG(CKM_API_ERROR_DB_LOCKED == ret, "Error=" << CKM::ErrorToString(ret)); -} - -RUNNER_TEST(T4034_UNLOCK_DATABASE_WITH_SECURITY_SERVER) -{ - usleep(PASSWORD_RETRY_TIMEOUT_US); - - int ret = security_server_set_pwd(PASSWORD1, PASSWORD2, 10, 10); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "Error=" << ret); -} - -RUNNER_CHILD_TEST(T4035_GET_DATA) -{ - dropPrivileges(); - - auto mgr = CKM::Manager::create(); - - CKM::RawBuffer buffer; - int ret = mgr->getData(CKM_ALIAS1, CKM::Password(), buffer); - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == ret, "Error=" << CKM::ErrorToString(ret)); - - RUNNER_ASSERT_MSG(buffer == BIN_DATA1, "Data mismatch"); -} - - diff --git a/src/security-server-tests/CMakeLists.txt b/src/security-server-tests/CMakeLists.txt deleted file mode 100644 index c421753..0000000 --- a/src/security-server-tests/CMakeLists.txt +++ /dev/null 
@@ -1,170 +0,0 @@ -# Copyright (c) 2013-2015 Samsung Electronics Co., Ltd All Rights Reserved -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# @file CMakeLists.txt -# @author Tomasz Swierczek (t.swierczek@samsung.com) -# @author Mariusz Domanski (m.domanski@samsung.com) -# @brief -# - -INCLUDE(FindPkgConfig) - -# Dependencies -PKG_CHECK_MODULES(SEC_SRV_TESTS_DEP - libsmack - libprivilege-control - security-server - dlog - dbus-1 - REQUIRED) - -# Targets definition - -SET(TARGET_SEC_SRV_COMMON "security-server-tests-common") -SET(TARGET_SEC_SRV_CLIENT_SMACK_TESTS "security-server-tests-client-smack") -SET(TARGET_SEC_SRV_TC_SERVER_TESTS "security-server-tests-server") -SET(TARGET_SEC_SRV_PWD_TESTS "security-server-tests-password") -SET(TARGET_SEC_SRV_PRIVILEGE_TESTS "security-server-tests-privilege") -SET(TARGET_SEC_SRV_STRESS_TESTS "security-server-tests-stress") -SET(TARGET_SEC_SRV_MT_TESTS "security-server-tests-mt") -SET(TARGET_SEC_SRV_MEASURER "security-server-tests-api-speed") - - -# Sources definition - -SET(SEC_SRV_COMMON_SOURCES - ${PROJECT_SOURCE_DIR}/src/security-server-tests/common/security_server_tests_common.cpp - ) - -SET(SEC_SRV_CLIENT_SMACK_SOURCES - ${PROJECT_SOURCE_DIR}/src/security-server-tests/security_server_tests_client_smack.cpp - ${PROJECT_SOURCE_DIR}/src/security-server-tests/security_server_mockup.cpp - ) - -SET(SEC_SRV_TC_SERVER_SOURCES - ${PROJECT_SOURCE_DIR}/src/security-server-tests/server.cpp - 
${PROJECT_SOURCE_DIR}/src/security-server-tests/cookie_api.cpp - ${PROJECT_SOURCE_DIR}/src/security-server-tests/weird_arguments.cpp - ${PROJECT_SOURCE_DIR}/src/security-server-tests/security_server_clean_env.cpp - ) - -SET(SEC_SRV_PWD_SOURCES - ${PROJECT_SOURCE_DIR}/src/security-server-tests/security_server_tests_password.cpp - ${PROJECT_SOURCE_DIR}/src/security-server-tests/security_server_clean_env.cpp - ) - -SET(SEC_SRV_PRIVILEGE_SOURCES - ${PROJECT_SOURCE_DIR}/src/security-server-tests/security_server_tests_privilege.cpp - ${PROJECT_SOURCE_DIR}/src/libprivilege-control-tests/libprivilege-control_test_common.cpp - ) - -SET(SEC_SRV_STRESS_SOURCES - ${PROJECT_SOURCE_DIR}/src/security-server-tests/security_server_tests_stress.cpp - ) - -SET(SEC_SRV_MT_SOURCES - ${PROJECT_SOURCE_DIR}/src/security-server-tests/security_server_tests_mt.cpp - ) - -SET(SEC_SRV_MEASURER_SOURCES - ${PROJECT_SOURCE_DIR}/src/security-server-tests/security_server_measurer_API_speed.cpp - ${PROJECT_SOURCE_DIR}/src/security-server-tests/security_server_mockup.cpp - ) - -INCLUDE_DIRECTORIES(SYSTEM - ${SEC_SRV_TESTS_DEP_INCLUDE_DIRS} - ) - -INCLUDE_DIRECTORIES( - ${PROJECT_SOURCE_DIR}/src/common/ - ${PROJECT_SOURCE_DIR}/src/security-server-tests/common/ - ${PROJECT_SOURCE_DIR}/src/libprivilege-control-tests/common/ - ) - -#LINK_DIRECTORIES(${SEC_SRV_PKGS_LIBRARY_DIRS}) - -ADD_LIBRARY(${TARGET_SEC_SRV_COMMON} STATIC ${SEC_SRV_COMMON_SOURCES}) -ADD_EXECUTABLE(${TARGET_SEC_SRV_CLIENT_SMACK_TESTS} ${SEC_SRV_CLIENT_SMACK_SOURCES}) -ADD_EXECUTABLE(${TARGET_SEC_SRV_TC_SERVER_TESTS} ${SEC_SRV_TC_SERVER_SOURCES}) -ADD_EXECUTABLE(${TARGET_SEC_SRV_PWD_TESTS} ${SEC_SRV_PWD_SOURCES}) -ADD_EXECUTABLE(${TARGET_SEC_SRV_PRIVILEGE_TESTS} ${SEC_SRV_PRIVILEGE_SOURCES}) -ADD_EXECUTABLE(${TARGET_SEC_SRV_STRESS_TESTS} ${SEC_SRV_STRESS_SOURCES}) -ADD_EXECUTABLE(${TARGET_SEC_SRV_MT_TESTS} ${SEC_SRV_MT_SOURCES}) -ADD_EXECUTABLE(${TARGET_SEC_SRV_MEASURER} ${SEC_SRV_MEASURER_SOURCES}) - - 
-TARGET_LINK_LIBRARIES(${TARGET_SEC_SRV_CLIENT_SMACK_TESTS} - ${SEC_SRV_TESTS_DEP_LIBRARIES} - dpl-test-framework - tests-common - ) - -TARGET_LINK_LIBRARIES(${TARGET_SEC_SRV_TC_SERVER_TESTS} - ${TARGET_SEC_SRV_COMMON} - ${SEC_SRV_TESTS_DEP_LIBRARIES} - dpl-test-framework - tests-common - ) - -TARGET_LINK_LIBRARIES(${TARGET_SEC_SRV_PWD_TESTS} - ${TARGET_SEC_SRV_COMMON} - ${SEC_SRV_TESTS_DEP_LIBRARIES} - dpl-test-framework - tests-common - ) - -TARGET_LINK_LIBRARIES(${TARGET_SEC_SRV_PRIVILEGE_TESTS} - ${SEC_SRV_TESTS_DEP_LIBRARIES} - dpl-test-framework - tests-common - ) - -TARGET_LINK_LIBRARIES(${TARGET_SEC_SRV_STRESS_TESTS} - ${SEC_SRV_TESTS_DEP_LIBRARIES} - dpl-test-framework - tests-common - ) - -TARGET_LINK_LIBRARIES(${TARGET_SEC_SRV_MT_TESTS} - ${SEC_SRV_TESTS_DEP_LIBRARIES} - dpl-test-framework - tests-common - ) - -TARGET_LINK_LIBRARIES(${TARGET_SEC_SRV_MEASURER} - ${TARGET_SEC_SRV_COMMON} - ${SEC_SRV_TESTS_DEP_LIBRARIES} - dpl-test-framework - tests-common - ) - -# Installation - -INSTALL(TARGETS ${TARGET_SEC_SRV_CLIENT_SMACK_TESTS} DESTINATION /usr/bin) -INSTALL(TARGETS ${TARGET_SEC_SRV_TC_SERVER_TESTS} DESTINATION /usr/bin) -INSTALL(TARGETS ${TARGET_SEC_SRV_PWD_TESTS} DESTINATION /usr/bin) -INSTALL(TARGETS ${TARGET_SEC_SRV_PRIVILEGE_TESTS} DESTINATION /usr/bin) -INSTALL(TARGETS ${TARGET_SEC_SRV_STRESS_TESTS} DESTINATION /usr/bin) -INSTALL(TARGETS ${TARGET_SEC_SRV_MT_TESTS} DESTINATION /usr/bin) -INSTALL(TARGETS ${TARGET_SEC_SRV_MEASURER} DESTINATION /usr/bin) - -INSTALL(FILES - ${PROJECT_SOURCE_DIR}/src/security-server-tests/WRT_sstp_test_rules1.smack - DESTINATION /usr/share/privilege-control/ -) - -INSTALL(FILES - ${PROJECT_SOURCE_DIR}/src/security-server-tests/WRT_sstp_test_rules2.smack - DESTINATION /usr/share/privilege-control/ -) diff --git a/src/security-server-tests/WRT_sstp_test_rules1.smack b/src/security-server-tests/WRT_sstp_test_rules1.smack deleted file mode 100644 index 4dece48..0000000 
--- a/src/security-server-tests/WRT_sstp_test_rules1.smack +++ /dev/null @@ -1,2 +0,0 @@ -~APP~ sstp_test_book_1 rwxatl -sstp_test_subject_1 ~APP~ rwxatl diff --git a/src/security-server-tests/WRT_sstp_test_rules2.smack b/src/security-server-tests/WRT_sstp_test_rules2.smack deleted file mode 100644 index 4dece48..0000000 --- a/src/security-server-tests/WRT_sstp_test_rules2.smack +++ /dev/null @@ -1,2 +0,0 @@ -~APP~ sstp_test_book_1 rwxatl -sstp_test_subject_1 ~APP~ rwxatl diff --git a/src/security-server-tests/common/security_server_tests_common.cpp b/src/security-server-tests/common/security_server_tests_common.cpp deleted file mode 100644 index cd54523..0000000 --- a/src/security-server-tests/common/security_server_tests_common.cpp +++ /dev/null @@ -1,36 +0,0 @@ -/* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. -*/ - -/* - * @file security_server_tests_common.cpp - * @author Marcin Lis (m.lis@samsung.com) - * @version 1.0 - * @brief security-server tests commons - */ - -#include "security_server_tests_common.h" - -const unsigned int PASSWORD_RETRY_TIMEOUT_US = 500000; - -Cookie getCookieFromSS() { - Cookie cookie(security_server_get_cookie_size()); - - RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == - security_server_request_cookie(cookie.data(), cookie.size()), - "Error in security_server_request_cookie."); - - return cookie; -} 
diff --git a/src/security-server-tests/common/security_server_tests_common.h b/src/security-server-tests/common/security_server_tests_common.h deleted file mode 100644 index 3ece470..0000000 --- a/src/security-server-tests/common/security_server_tests_common.h +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. -*/ - -/* - * @file security_server_tests_common.h - * @author Marcin Lis (m.lis@samsung.com) - * @version 1.0 - * @brief security-server tests commons - */ - -#include -#include - -#ifndef SECURITY_SERVER_TESTS_COMMON_H_ -#define SECURITY_SERVER_TESTS_COMMON_H_ - -extern const unsigned int PASSWORD_RETRY_TIMEOUT_US; -typedef std::vector Cookie; - -Cookie getCookieFromSS(); - -#endif /* SECURITY_SERVER_TESTS_COMMON_H_ */ diff --git a/src/security-server-tests/cookie_api.cpp b/src/security-server-tests/cookie_api.cpp deleted file mode 100644 index adb9569..0000000 --- a/src/security-server-tests/cookie_api.cpp +++ /dev/null 
@@ -1,558 +0,0 @@ -/* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved - */ - -/* - * @file security_server_tests_cookie_api.cpp - * @author Pawel Polawski (p.polawski@partner.samsung.com) - * @version 1.0 - * @brief Test cases for security server cookie api - * - */ - -/* -Tested API functions in this file: - - int security_server_get_cookie_size(void); - int security_server_request_cookie(char *cookie, size_t bufferSize); - - int security_server_check_privilege(const char *cookie, gid_t privilege); - int security_server_check_privilege_by_cookie(const char *cookie, - const char *object, - const char *access_rights); - int security_server_get_cookie_pid(const char *cookie); - char *security_server_get_smacklabel_cookie(const char *cookie); - int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid); - int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid); -*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -const char *ROOT_USER = "root"; -const char *PROC_AUDIO_GROUP_NAME = "audio"; - -const int KNOWN_COOKIE_SIZE = 20; - -RUNNER_TEST_GROUP_INIT(COOKIE_API_TESTS) - -/* - * ************************************************************************** - * Test cases fot check various functions input params cases - * ************************************************************************** - */ - -//--------------------------------------------------------------------------- -//passing nullptr as a buffer pointer -RUNNER_CHILD_TEST(tc_arguments_01_01_security_server_request_cookie) -{ - int ret = security_server_request_cookie(nullptr, KNOWN_COOKIE_SIZE); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, - "Error in security_server_request_cookie() argument checking: " << ret); -} - -//passing too small value as a buffer size -RUNNER_CHILD_TEST(tc_arguments_01_02_security_server_request_cookie) -{ - Cookie 
cookie(KNOWN_COOKIE_SIZE); - - int ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE - 1); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, - "Error in security_server_request_cookie() argument checking: " << ret); -} - -//--------------------------------------------------------------------------- -//passing nullptr as a cookie pointer -RUNNER_CHILD_TEST(tc_arguments_02_01_security_server_check_privilege) -{ - int ret = security_server_check_privilege(nullptr, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, - "Error in security_server_check_privilege() argument checking: " << ret); -} - -//--------------------------------------------------------------------------- -//passing nullptr as a cookie pointer -RUNNER_CHILD_TEST(tc_arguments_03_01_security_server_check_privilege_by_cookie) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success"); - int ret = security_server_check_privilege_by_cookie(nullptr, "wiadro", "rwx"); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, - "Error in security_server_check_privilege_by_cookie() argument checking: " - << ret); -} - -//passing nullptr as an object pointer -RUNNER_CHILD_TEST(tc_arguments_03_02_security_server_check_privilege_by_cookie) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success"); - Cookie cookie = getCookieFromSS(); - - int ret = security_server_check_privilege_by_cookie(cookie.data(), nullptr, "rwx"); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, - "Error in security_server_check_privilege_by_cookie() argument checking: " - << ret); -} - -//passing nullptr as an access pointer -RUNNER_CHILD_TEST(tc_arguments_03_03_security_server_check_privilege_by_cookie) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success"); - Cookie cookie = 
getCookieFromSS(); - - int ret = security_server_check_privilege_by_cookie(cookie.data(), "wiadro", nullptr); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, - "Error in security_server_check_privilege_by_cookie() argument checking: " - << ret); -} - -//--------------------------------------------------------------------------- -//passing nullptr as a cookie pointer -RUNNER_CHILD_TEST(tc_arguments_04_01_security_server_get_cookie_pid) -{ - int ret = security_server_get_cookie_pid(nullptr); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, - "Error in security_server_get_cookie_pid() argument checking: " << ret); -} - -//getting pid of non existing cookie -RUNNER_TEST(tc_arguments_04_02_security_server_get_cookie_pid) -{ - const char wrong_cookie[KNOWN_COOKIE_SIZE] = {'w', 'a', 't', '?'}; - RUNNER_ASSERT(security_server_get_cookie_pid(wrong_cookie) == - SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE); -} - -//--------------------------------------------------------------------------- -//passing nullptr as a cookie pointer -RUNNER_CHILD_TEST(tc_arguments_05_01_security_server_get_smacklabel_cookie) -{ - char *label = nullptr; - label = security_server_get_smacklabel_cookie(nullptr); - RUNNER_ASSERT_MSG(label == nullptr, - "Error in security_server_get_smacklabel_cookie() argument checking"); -} - - - -/* - * ************************************************************************** - * Unit tests for each function from API - * ************************************************************************** - */ - -//--------------------------------------------------------------------------- -//root has access to API -RUNNER_CHILD_TEST(tc_unit_01_01_security_server_get_cookie_size) -{ - int ret = security_server_get_cookie_size(); - RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE, - "Error in security_server_get_cookie_size(): " << ret); -} - -//--------------------------------------------------------------------------- -// Get cookie size when smack 
is not loaded -RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_02_app_user_security_server_get_cookie_size_nosmack) -{ - int ret; - - ret = drop_root_privileges(); - RUNNER_ASSERT_MSG(ret == 0, - "Failed to drop root privileges. Result: " << ret << "uid = " << getuid()); - ret = security_server_get_cookie_size(); - RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE, "ret = " << ret); -} - -//--------------------------------------------------------------------------- -// Test setting up a cookie in normal case when smack is not loaded -RUNNER_CHILD_TEST_NOSMACK(tc_unit_01_03_app_user_security_server_request_cookie_nosmack) -{ - int ret; - int cookieSize = security_server_get_cookie_size(); - Cookie cookie(cookieSize); - - ret = drop_root_privileges(); - RUNNER_ASSERT_MSG(ret == 0, - "Failed to drop root privileges. Result: " << ret << "uid = " << getuid()); - - ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); -} - -//--------------------------------------------------------------------------- -// Test setting up a cookie when smack is not loaded but with too small -// buffer size -RUNNER_CHILD_TEST_NOSMACK(tc_init_01_04_app_user_security_server_request_cookie_too_small_buffer_size_nosmack) -{ - int ret; - int cookieSize = security_server_get_cookie_size(); - Cookie cookie(cookieSize); - - ret = drop_root_privileges(); - RUNNER_ASSERT_MSG(ret == 0, - "Failed to drop root privileges. 
Result: " << ret << "uid = " << getuid());
-
- ret = security_server_request_cookie(cookie.data(), KNOWN_COOKIE_SIZE >> 1);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret = " << ret);
-}
-
-//---------------------------------------------------------------------------
-// Get cookie size when smack is loaded
-RUNNER_CHILD_TEST_SMACK(tc_unit_01_05_app_user_security_server_get_cookie_size)
-{
- SecurityServer::AccessProvider provider("selflabel_01_05");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(ret == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << ret);
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_02_01_security_server_request_cookie)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << cookieSize);
-
- Cookie cookie(cookieSize);
- int ret = security_server_request_cookie(cookie.data(), cookie.size());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_request_cookie(): " << ret);
-}
-
-//---------------------------------------------------------------------------
-// Test setting up a cookie in normal case when smack is loaded
-RUNNER_CHILD_TEST_SMACK(tc_unit_02_02_app_user_security_server_request_cookie)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << cookieSize);
-
- SecurityServer::AccessProvider provider("selflabel_02_01");
- provider.allowSS();
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie(cookieSize);
- int ret = security_server_request_cookie(cookie.data(), cookie.size());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in 
security_server_request_cookie(): " << ret);
-}
-
-//---------------------------------------------------------------------------
-// Test setting up a cookie when smack is loaded but with too small buffer
-// size
-RUNNER_CHILD_TEST_SMACK(tc_unit_02_03_app_user_security_server_request_cookie_too_small_buffer_size)
-{
- int cookieSize = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(cookieSize == KNOWN_COOKIE_SIZE,
- "Error in security_server_get_cookie_size(): " << cookieSize);
- cookieSize >>= 1;
-
- SecurityServer::AccessProvider provider("selflabel_02_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie(cookieSize);
- int ret = security_server_request_cookie(cookie.data(), cookie.size());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL,
- "Error in security_server_request_cookie(): " << ret);
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_03_01_security_server_check_privilege)
-{
- Cookie cookie = getCookieFromSS();
-
- int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_check_privilege(): " << ret);
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_03_02_app_user_security_server_check_privilege)
-{
- Cookie cookie = getCookieFromSS();
-
- SecurityServer::AccessProvider provider("selflabel_03_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "security_server_check_privilege() should return access denied: " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_03_03_app_user_security_server_check_privilege)
-{
- Cookie cookie = getCookieFromSS();
-
- SecurityServer::AccessProvider provider("selflabel_03_03");
- provider.allowSS();
- 
provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "Error in security_server_check_privilege(): " << ret);
-}
-
-// invalid gid
-RUNNER_CHILD_TEST(tc_unit_03_04_security_server_check_privilege_neg)
-{
- remove_process_group(PROC_AUDIO_GROUP_NAME);
-
- Cookie cookie = getCookieFromSS();
- int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_ASSERT_MSG(audio_gid > -1,
- "security_server_get_gid() failed. result = " << audio_gid);
-
- int ret = security_server_check_privilege(cookie.data(), audio_gid);
-
- // security_server_check_privilege fails, because the process does not belong to "audio" group
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-}
-
-// add gid
-RUNNER_CHILD_TEST(tc_unit_03_05_security_server_check_privilege)
-{
- add_process_group(PROC_AUDIO_GROUP_NAME);
-
- Cookie cookie = getCookieFromSS();
- int audio_gid = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_ASSERT_MSG(audio_gid > -1,
- "security_server_get_gid() failed. result = " << audio_gid);
-
- int ret = security_server_check_privilege(cookie.data(), audio_gid);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-}
-
-// test invalid cookie name
-RUNNER_TEST(tc_unit_03_06_security_server_check_privilege)
-{
- // create invalid cookie
- int size = security_server_get_cookie_size();
- RUNNER_ASSERT_MSG(size == KNOWN_COOKIE_SIZE, "Wrong cookie size. 
size = " << size);
-
- Cookie cookie(size);
- cookie[0] = 'a';
- int ret = security_server_check_privilege(cookie.data(), 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret);
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST(tc_unit_05_01_security_server_get_cookie_pid)
-{
- Cookie cookie = getCookieFromSS();
-
- int ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
-
- int pid = getpid();
- RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_05_02_app_user_security_server_get_cookie_pid)
-{
- Cookie cookie = getCookieFromSS();
-
- SecurityServer::AccessProvider provider("selflabel_05_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "security_server_get_cookie_pid() should return access denied: " << ret);
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_05_03_app_user_security_server_get_cookie_pid)
-{
- Cookie cookie = getCookieFromSS();
-
- SecurityServer::AccessProvider provider("selflabel_05_03");
- provider.allowSS();
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG(ret > -1, "Error in security_server_get_cookie_pid(): " << ret);
-
- int pid = getpid();
- RUNNER_ASSERT_MSG(pid == ret, "No match in PID received from cookie");
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST_SMACK(tc_unit_06_01_security_server_get_smacklabel_cookie_smack)
-{
- setLabelForSelf(__LINE__, "selflabel_06_01");
-
- Cookie cookie = getCookieFromSS();
-
- CStringPtr 
label(security_server_get_smacklabel_cookie(cookie.data()));
- RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_01") == 0,
- "No match in smack label received from cookie, received label: "
- << label.get());
-}
-
-//---------------------------------------------------------------------------
-//root has access to API
-RUNNER_CHILD_TEST_NOSMACK(tc_unit_06_01_security_server_get_smacklabel_cookie_nosmack)
-{
- Cookie cookie = getCookieFromSS();
-
- char *receivedLabel = security_server_get_smacklabel_cookie(cookie.data());
- RUNNER_ASSERT_MSG(receivedLabel != nullptr,
- "security_server_get_smacklabel_cookie returned nullptr");
- std::string label(receivedLabel);
- free(receivedLabel);
- RUNNER_ASSERT_MSG(label.empty(),
- "security_server_get_smacklabel_cookie returned: "
- << label);
-}
-
-//privileges drop and no smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_06_02_app_user_security_server_get_smacklabel_cookie)
-{
- Cookie cookie = getCookieFromSS();
-
- SecurityServer::AccessProvider provider("selflabel_06_02");
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
- RUNNER_ASSERT_MSG(label.get() == nullptr,
- "nullptr should be received due to access denied, received label: "
- << label.get());
-}
-
-//privileges drop and added smack rule
-RUNNER_CHILD_TEST_SMACK(tc_unit_06_03_app_user_security_server_get_smacklabel_cookie)
-{
- SecurityServer::AccessProvider provider("selflabel_06_03");
- provider.allowSS();
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie = getCookieFromSS();
-
- CStringPtr label(security_server_get_smacklabel_cookie(cookie.data()));
- RUNNER_ASSERT_MSG(strcmp(label.get(), "selflabel_06_03") == 0,
- "No match in smack label received from cookie, received label: "
- << label.get());
-}
-
-//---------------------------------------------------------------------------
-// apply smack labels and drop privileges 
-RUNNER_CHILD_TEST_SMACK(tc_unit_09_01_app_user_cookie_API_access_allow)
-{
- add_process_group(PROC_AUDIO_GROUP_NAME);
-
- SecurityServer::AccessProvider provider("subject_1d6eda7d");
- provider.allowSS();
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- Cookie cookie = getCookieFromSS();
-
- int ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
- << "\" gid. Result: " << ret);
-
- ret = security_server_check_privilege(cookie.data(), ret);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-
- int root_gid = security_server_get_gid(ROOT_USER);
- RUNNER_ASSERT_MSG(root_gid > -1, "root_gid: " << root_gid);
-
- ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG(ret == getpid(), "ret: " << ret);
-
- CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
- RUNNER_ASSERT_MSG(ss_label.get() != nullptr, "ss_label: " << ss_label.get());
-
- RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success");
-
- ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret);
-}
-
-// disable access and drop privileges
-RUNNER_CHILD_TEST_SMACK(tc_unit_09_02_app_user_cookie_API_access_deny)
-{
- SecurityServer::AccessProvider provider("subject_1d414140");
-
- Cookie cookie = getCookieFromSS();
-
- provider.applyAndSwithToUser(APP_UID, APP_GID);
-
- int ret = security_server_check_privilege(cookie.data(), DB_ALARM_GID);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "security_server_check_privilege should return access denied, "
- "ret: " << ret);
-
- ret = security_server_get_gid(ROOT_USER);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "security_server_get_gid should return access denied, "
- "ret: " << ret);
-
- ret = security_server_get_cookie_pid(cookie.data()); 
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "security_server_get_cookie_pid should return access denied, "
- "ret: " << ret);
-
- CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
- RUNNER_ASSERT_MSG(ss_label.get() == nullptr,
- "access should be denied so label should be nullptr: " << ss_label.get());
-
- RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
-
- ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED,
- "security_server_check_privilege_by_pid should return access denied, "
- "ret: " << ret);
-}
-
-// NOSMACK version of the test above
-RUNNER_CHILD_TEST_NOSMACK(tc_unit_09_01_app_user_cookie_API_access_allow_nosmack)
-{
- add_process_group(PROC_AUDIO_GROUP_NAME);
-
- // drop root privileges
- int ret = drop_root_privileges();
- RUNNER_ASSERT_MSG(ret == 0,
- "Failed to drop root privileges. Result: " << ret << "uid = " << getuid());
-
- Cookie cookie = getCookieFromSS();
-
- ret = security_server_get_gid(PROC_AUDIO_GROUP_NAME);
- RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"" << PROC_AUDIO_GROUP_NAME
- << "\" gid. Result: " << ret);
-
- ret = security_server_check_privilege(cookie.data(), ret);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "check_privilege failed. Result: " << ret);
-
- ret = security_server_get_gid(ROOT_USER);
- RUNNER_ASSERT_MSG(ret > -1, "Failed to get \"root\" gid. Result: " << ret);
-
- ret = security_server_get_cookie_pid(cookie.data());
- RUNNER_ASSERT_MSG(ret == getpid(),
- "get_cookie_pid returned different pid than it should. 
Result: " << ret);
-
- CStringPtr ss_label(security_server_get_smacklabel_cookie(cookie.data()));
- RUNNER_ASSERT_MSG(ss_label.get() != nullptr, "get_smacklabel_cookie failed.");
-
- RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
-
- ret = security_server_check_privilege_by_pid(getpid(), "_", "rx");
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS,
- "check_privilege_by_pid failed. Result: " << ret);
-}
diff --git a/src/security-server-tests/security_server_clean_env.cpp b/src/security-server-tests/security_server_clean_env.cpp
deleted file mode 100644
index 94833c9..0000000
--- a/src/security-server-tests/security_server_clean_env.cpp
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
- */
-/*
- * @file security_server_tests_clean_env.cpp
- * @author Zbigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief Functions to prepare clean env for tests.
- *
- */
-
-#include
-#include
-
-#include
-
-int restart_security_server() {
- ServiceManager serviceManager("security-server.service");
- serviceManager.restartService();
-
- return 0;
-}
-
-static int nftw_rmdir_contents(const char *fpath, const struct stat * /*sb*/,
- int tflag, struct FTW *ftwbuf)
-{
- if (tflag == FTW_F)
- unlink(fpath);
- else if (tflag == FTW_DP && ftwbuf->level != 0)
- rmdir(fpath);
-
- return 0;
-}
-
-/**
- * This function should be called at the begining of every SS test, so all the tests
- * are independent of each other.
- */
-int reset_security_server()
-{
- const char* path = "/opt/data/security-server/";
- const int max_descriptors = 10; //max number of open file descriptors by nftw function
-
- // Clear /opt/data/security-server/ directory
- if (access(path, F_OK) == 0) {
- if (nftw(path, &nftw_rmdir_contents, max_descriptors, FTW_DEPTH) == -1) {
- return 1;
- }
- sync();
- }
-
- restart_security_server();
- return 0;
-}
diff --git a/src/security-server-tests/security_server_clean_env.h b/src/security-server-tests/security_server_clean_env.h
deleted file mode 100644
index d84740c..0000000
--- a/src/security-server-tests/security_server_clean_env.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
- */
-/*
- * @file security_server_clean_env.h
- * @author Zbigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief Functions definitions to prepare clean env for tests.
- */
-
-#ifndef SECURITY_SERVER_CLEAN_ENV_H
-#define SECURITY_SERVER_CLEAN_ENV_H
-
-int reset_security_server();
-int restart_security_server();
-
-#endif
diff --git a/src/security-server-tests/security_server_measurer_API_speed.cpp b/src/security-server-tests/security_server_measurer_API_speed.cpp
deleted file mode 100644
index 213f9be..0000000
--- a/src/security-server-tests/security_server_measurer_API_speed.cpp
+++ /dev/null
@@ -1,728 +0,0 @@
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-
-/*
- * @file security_server_measurer_API_speed.cpp
- * @author Radoslaw Bartosiak (radoslaw.bartosiak@samsung.com)
- * @version 1.0
- * @brief Log security server API functions average execution times and some aproximation of maximal and minimal execution time.
- * @details The functions are run at least NUMBER_OF_CALLS times (time is measured at the beginning and at the end, the difference is taken as the execution time).
- * @details One test case for one function of security-server. Test pass always when there was no connection error (API calls themselves may fail).
- * @details Measured times are logged using DLP testing framework logging functions. Calls each API function many times to take the average.
- * @details This file contains TEST_CASEs. Each TEST_CASE consist of one or more RUNs, each RUN consist of one or more function calls.
- * @details Each test case contains RUNs of one function only. The time is being measured before & after each run. 
- */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "security_server_mockup.h" -#include - -IMPLEMENT_SAFE_SINGLETON(DPL::Log::LogSystem); -#include -#include - -/*Number of calls in a single test*/ -#define NUMBER_OF_CALLS (5) -#define MICROSECS_PER_SEC (1000000) -/* number of miliseconds, process will be suspended for multiplications of this quantum */ -#define QUANTUM (10000) -/*Strings used in tests*/ -/*name of existing user group on test device like "tel_gprs"*/ -#define EXISTING_GROUP_NAME "telephony_makecall" -/*below labels should not be used in the system*/ -#define M60_OBJECT_LABEL "tc060MeasurerLabel" -#define M60_SUBJECT_LABEL "tc060Subject" -#define M70_OBJECT_LABEL "tc070MeasurerLabel" -#define M70_SUBJECT_LABEL "tc070Subject" -#define M160_CUSTOMER_LABEL "my_customer_label" -#define M170_OBJECT_LABEL "myObject" - -namespace { -void securityClientEnableLogSystem(void) { - DPL::Log::LogSystemSingleton::Instance().SetTag("SEC_SRV_API_SPEED"); -} -} - -/** Store statistics from a set of function calls -*/ -struct readwrite_stats -{ - timeval current_start_time; /*of last API call*/ - timeval current_end_time; /*of last API call*/ - int number_of_calls; /*till now*/ - double total_duration; /*of all API calls*/ - double average_duration; - double minimal_duration; /*minimum of averages*/ - double maximal_duration; /*maximum of averages*/ -}; - -/*Auxiliary functions*/ - -/**Sleep for the given time - @param seconds - @param nanoseconds - @return 0 on success, -1 on error if process woken earlier -*/ -int my_nanosecsleep(long nanoseconds) { - timespec sleep_spec; - sleep_spec.tv_sec = 0; - sleep_spec.tv_nsec = nanoseconds; - return nanosleep(&sleep_spec, nullptr); -} - -/**Read from pipe descriptor to buffer; retries if less than count bytes were read. 
- @param fd descriptor - @param buf start of buffer - @param count number of bytes read - @return number of bytes read (count) -*/ -int my_pipe_read(int fd, void *buf, size_t count) { - ssize_t readf = 0; - ssize_t rest = count; - ssize_t s; - while (rest > 0) { - RUNNER_ASSERT_ERRNO_MSG(0 < (s = TEMP_FAILURE_RETRY(read(fd, ((char*)buf) + readf, rest))), - "Error in read from pipe"); - rest -= s; - readf += s; - } - return readf; -} - -/**Write from buffer to a pipe ; retries if less than count bytes were written. - @param fd descriptor - @param buf start of buffer - @param count number of bytes to write - @return number of bytes written (count) -*/ -int my_pipe_write(int fd, void *buf, size_t count) { - ssize_t writef = 0; - ssize_t rest = count; - ssize_t s; - while (rest > 0) { - RUNNER_ASSERT_ERRNO_MSG(0 <= (s = TEMP_FAILURE_RETRY(write(fd, ((char*)buf) + writef, rest))), - "Error in write to pipe"); - rest -= s; - writef += s; - } - return writef; -} - - -/** Check whether there was connection error during function call (Security Server API) based on exit code - @param result_code the exit code of a function - @return -1 if the function result code indicated network error, 0 otherwise -*/ -int communication_succeeded(int result_code) { - switch(result_code) - { - case SECURITY_SERVER_API_ERROR_NO_SUCH_SERVICE: - case SECURITY_SERVER_API_ERROR_SOCKET: - case SECURITY_SERVER_API_ERROR_BAD_REQUEST: - case SECURITY_SERVER_API_ERROR_BAD_RESPONSE: - return -1; - default: - return 0; - } -} - -/** Returns current system time (wrapper for standard system function) - @return current system time -*/ -timeval my_gettime() { - timeval t; - int res = gettimeofday(&t, nullptr); - RUNNER_ASSERT_ERRNO_MSG(res == 0, "gettimeofday() returned error value: " << res); - return t; -} - -/** Return a difference between two times (wrapper for standard system function) - @param time t1 - @param time t2 - @return t1 - t2 -*/ -timeval my_timersub(timeval t1, timeval t2) { - timeval 
result;
- timersub(&t1, &t2, &result);
- return result;
-}
-
-double timeval_to_microsecs(timeval t) {
- return ((double)t.tv_sec * (double)MICROSECS_PER_SEC) + ((double)t.tv_usec);
-}
-
-/** Initialize statistics at the beginning of a TEST_CASE
- @param stats [in/out] statistics to be initialized
-*/
-void initialize_stats(readwrite_stats *stats) {
- stats->number_of_calls = 0;
- stats->total_duration = 0.0;
- stats->average_duration = 0.0;
- stats->minimal_duration = DBL_MAX;
- stats->maximal_duration = 0.0;
-}
-
-/** Save time at the beginning of a RUN
- @param stats [in/out] statistics
-*/
-void start_stats_update(readwrite_stats *stats) {
- stats->current_start_time = my_gettime();
- //LogDebug("start_stats_update at: %ld.%06ld\n", stats->current_start_time.tv_sec, stats->current_start_time.tv_usec);
-}
-
-/** Save time at the end of a RUN and updates the statistics (current_end_time, number_of_calls, total_duration, minimal_duration, maximal_duration)
- @param stats [in/out] statistics
-*/
-void end_stats_update(readwrite_stats *stats) {
- stats->current_end_time = my_gettime();
- double current_duration = timeval_to_microsecs(my_timersub(stats->current_end_time, stats->current_start_time));
- stats->total_duration += current_duration;
- stats->number_of_calls += 1;
- if (current_duration < stats->minimal_duration)
- (stats->minimal_duration) = current_duration;
- if (current_duration > stats->maximal_duration)
- (stats->maximal_duration) = current_duration;
-}
-
-/** Updates the statistics (average_duration, number_of_new_calls, total_duration, minimal_duration, maximal_duration)
- Function is used instead of start_stats_update and end_stats_update (e.g when current_duration and number_of_new_calls are reported by child process. 
- @param stats [in/out] statistics
- @param number_of_new_calls number of function calls in the RUN
- @param current_duration (total) of number_of_new calls
-*/
-void stats_update(readwrite_stats *stats, int number_of_new_calls, double current_duration) {
- if (number_of_new_calls > 0) {
- double current_average = (double)current_duration / (double)number_of_new_calls;
- stats->average_duration = (double)((stats->total_duration) / (stats->number_of_calls));
- stats->total_duration += current_duration;
- stats->number_of_calls += number_of_new_calls;
- if (current_average < stats->minimal_duration)
- (stats->minimal_duration) = current_average;
- if (current_average > stats->maximal_duration)
- (stats->maximal_duration) = current_average;
- }
- else
- LogDebug("stats_update called after zero successful function calls \n");
-}
-
-/** Calculate the average time and calculates statistics taken by a single function call.
- Called at the end of a TEST_CASE.
- @param stats [in/out] statistics
- @param function_name of the function called in tests (to be printed)
-*/
-void finish_stats(readwrite_stats *stats, const char* function_name) {
- if ((stats->number_of_calls) > 0) {
- stats->average_duration = (double)((stats->total_duration) / (stats->number_of_calls));
- printf("The approx (min, max, avg) execution times for function:\n%s are: \n---(%'.2fus, %'.2fus, %'.2fus)\n", function_name, stats->minimal_duration, stats->maximal_duration, stats->average_duration);
- }
- else
- LogDebug("No function call succeeded\n");
-}
-
-/*TEST CASES*/
-RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_API_SPEED_MEASURER)
-
-/*
- * test: Tests the tests
- * expected: The minimum shall be about (QUANTUM) = 10^-2s = 10000 us, max about (NUMBER_OF_CALLS*QUANTUM) = 5*10^-2s = 50000us, avg (average) about (0.5*NUMBER_OF_CALLS+1*QUANTUM)=3*10^-2s = 30000us. Max is no more than 50% bigger than minimum. 
- */ -RUNNER_TEST(m000_security_server_test_the_tests) { - int ret; - readwrite_stats stats; - double expected_min_min = QUANTUM; - double expected_min_max = 1.5 * expected_min_min; - double expected_avarage_min = (((double)(NUMBER_OF_CALLS + 1)) / 2.0) * expected_min_min; - double expected_avarage_max = 1.5 * expected_avarage_min; - double expected_max_min = ((double)(NUMBER_OF_CALLS)) * expected_min_min; - double expected_max_max = 1.5 * expected_max_min; - initialize_stats(&stats); - for (int i=0; i < NUMBER_OF_CALLS; i++) { - start_stats_update(&stats); - ret = my_nanosecsleep((long) ((i+1)*QUANTUM*1000)); - RUNNER_ASSERT_MSG(ret == 0, "system sleep function returned premature wake-up; ret = " << ret); - end_stats_update(&stats); - } - finish_stats(&stats, "my_nanosecsleep"); - RUNNER_ASSERT_MSG((stats.average_duration>expected_avarage_min) && (stats.average_duration 0, "commmunication error"); - stats_update(&stats, number_of_calls, duration_of_calls); - } - /*parent*/ - } - close(pipefd[1]); /* Close parent descriptors */ - close(pipefd[0]); -} - -/* - * measurer: Fails only on connection error. - */ -RUNNER_TEST(m040_security_server_get_cookie_size) { - size_t cookie_size; - readwrite_stats stats; - initialize_stats(&stats); - for (int i = 1; i <= NUMBER_OF_CALLS; i++) { - start_stats_update(&stats); - cookie_size = security_server_get_cookie_size(); - RUNNER_ASSERT_MSG(cookie_size > 0, "cookie_size = " << cookie_size); - end_stats_update(&stats); - } - finish_stats(&stats, "security_server_get_cookie_size"); -} - -/* - * measurer: Fails only on connection error. 
- */ -RUNNER_TEST(m050_security_server_check_privilege) { - int ret; - readwrite_stats stats; - initialize_stats(&stats); - const char *existing_group_name = EXISTING_GROUP_NAME; - size_t cookie_size; - int call_gid; - // we use existing group name for the measurment, however this is not neccessary - call_gid = security_server_get_gid(existing_group_name); - cookie_size = security_server_get_cookie_size(); - char recved_cookie[cookie_size]; - for (int i = 1; i <= NUMBER_OF_CALLS; i++) { - start_stats_update(&stats); - ret = security_server_check_privilege(recved_cookie, (gid_t)call_gid); - RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret); - end_stats_update(&stats); - } - finish_stats(&stats, "security_server_check_privilege"); -} - -void testSecurityServerCheckPrivilegeByCookie(bool smack) { - const char *object_label = M60_OBJECT_LABEL; - const char *access_rights = "r"; - const char *access_rights_ext = "rw"; - const char *subject_label = M60_SUBJECT_LABEL; - int ret; - readwrite_stats stats; - initialize_stats(&stats); - - if (smack) { - SmackAccess smackAccess; - smackAccess.add(subject_label, object_label, access_rights); - smackAccess.apply(); - RUNNER_ASSERT_MSG(0 == (ret = smack_set_label_for_self(subject_label)), - "Error in smack_set_label_for_self(); ret = " << ret); - } - - Cookie cookie = getCookieFromSS(); - - for (int i = 1; i <= NUMBER_OF_CALLS; i++) { - start_stats_update(&stats); - /*odd(i) - ask for possessed privileges, even(i) ask for not possessed privileges */ - if (i%2) - ret = security_server_check_privilege_by_cookie( - cookie.data(), - object_label, - access_rights); - else - ret = security_server_check_privilege_by_cookie( - cookie.data(), - object_label, - access_rights_ext); - - RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret); - end_stats_update(&stats); - } - finish_stats(&stats, "security_server_check_privilege_by_cookie"); -} - -/* - * measurer: 
Fails only on connection error. - */ - -RUNNER_TEST_SMACK(m060_security_server_check_privilege_by_cookie_smack) { - RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success"); - testSecurityServerCheckPrivilegeByCookie(true); -} - -RUNNER_TEST_NOSMACK(m060_security_server_check_privilege_by_cookie_nosmack) { - RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success"); - testSecurityServerCheckPrivilegeByCookie(false); -} - -void testSecurityServerCheckPrivilegeBySockfd(bool smack) { - const char *object_label = M70_OBJECT_LABEL; - const char *access_rights = "r"; - const char *access_rights_ext = "rw"; - const char *subject_label = M70_SUBJECT_LABEL; - int ret; - readwrite_stats stats; - initialize_stats(&stats); - - if (smack) { - SmackAccess smackAccess; - smackAccess.add(subject_label, object_label, access_rights); - smackAccess.apply(); - } - - int pid = fork(); - RUNNER_ASSERT_ERRNO(-1 != pid); - if (0 == pid) { - // child - int sockfd = create_new_socket(); - RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed"); - - SockUniquePtr sockfd_ptr(&sockfd); - - if (smack) - RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set"); - - RUNNER_ASSERT_ERRNO_MSG(listen(sockfd, 5) >= 0, "child listen failed"); - - struct sockaddr_un client_addr; - socklen_t client_len = sizeof(client_addr); - int csockfd; - RUNNER_ASSERT_ERRNO_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, - "child accept failed"); - - close(csockfd); - exit(EXIT_SUCCESS); - //end child - } else { - //parent - sleep(2); - int sockfd = connect_to_testserver(); - RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed"); - - SockUniquePtr sockfd_ptr(&sockfd); - - for (int i = 1; i <= NUMBER_OF_CALLS; i++) { - start_stats_update(&stats); - /*odd(i) - ask for possessed privileges, even(i) ask for not 
possessed privileges */
- if (i%2)
- ret = security_server_check_privilege_by_sockfd(
- sockfd,
- object_label,
- access_rights_ext);
- else
- ret = security_server_check_privilege_by_sockfd(
- sockfd,
- object_label,
- access_rights);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
-
- finish_stats(&stats, "check_privilege_by_sockfd");
- }
-}
-
-/*
- * measurer: Fails only on connection error.
- */
-
-RUNNER_MULTIPROCESS_TEST_SMACK(m070_security_server_check_privilege_by_sockfd_smack) {
- RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
- testSecurityServerCheckPrivilegeBySockfd(true);
-}
-
-RUNNER_MULTIPROCESS_TEST_NOSMACK(m070_security_server_check_privilege_by_sockfd_nosmack) {
- RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success");
- testSecurityServerCheckPrivilegeBySockfd(false);
-}
-
-/*
- * measurer: Fails only on connection error.
- */
-RUNNER_TEST(m080_security_server_get_cookie_pid) {
- int ret;
- size_t cookie_size;
- cookie_size = security_server_get_cookie_size();
- char cookie[cookie_size];
- ret = security_server_request_cookie(cookie, cookie_size);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "security_server_request_cookie failed; ret = " << ret);
- readwrite_stats stats;
- initialize_stats(&stats);
- for (int i = 1; i <= NUMBER_OF_CALLS; i++) {
- start_stats_update(&stats);
- ret = security_server_get_cookie_pid(cookie);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
- finish_stats(&stats, "security_server_request_cookie");
-}
-
-/*
- * measurer: Fails only on connection error. 
- */
-RUNNER_TEST(m090_security_server_is_pwd_valid) {
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
- readwrite_stats stats;
- initialize_stats(&stats);
- for (int i = 1; i <= NUMBER_OF_CALLS; i++) {
- start_stats_update(&stats);
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
- finish_stats(&stats, "security_server_is_pwd_valid");
-}
-
-/*
- * measurer: Fails only on connection error.
- */
-RUNNER_TEST(m100_security_server_set_pwd) {
- int ret;
- readwrite_stats stats;
- initialize_stats(&stats);
- for (int i = 1; i <= NUMBER_OF_CALLS; i++) {
- start_stats_update(&stats);
- ret = security_server_set_pwd("this_is_current_pwd", "this_is_new_pwd", 20, 365);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
- finish_stats(&stats, "security_server_set_pwd");
-}
-
-/*
- * measurer: Fails only on connection error.
- */
-RUNNER_TEST(m110_security_server_set_pwd_validity) {
- int ret;
- readwrite_stats stats;
- initialize_stats(&stats);
- for (int i = 1; i <= NUMBER_OF_CALLS; i++) {
- start_stats_update(&stats);
- ret = security_server_set_pwd_validity(2);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
- finish_stats(&stats, "security_server_set_pwd_validity");
-}
-
-/*
- * measurer: Fails only on connection error.
- */
-RUNNER_TEST(m120_security_server_set_pwd_max_challenge) {
- int ret;
- readwrite_stats stats;
- initialize_stats(&stats);
- for (int i = 1; i <= NUMBER_OF_CALLS; i++) {
- start_stats_update(&stats);
- ret = security_server_set_pwd_max_challenge(3);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
- finish_stats(&stats, "security_server_set_pwd_max_challenge");
-}
-
-/*
- * measurer: Fails only on connection error.
- */
-RUNNER_TEST(m130_security_server_reset_pwd) {
- int ret;
- readwrite_stats stats;
- initialize_stats(&stats);
- for (int i = 1; i <= NUMBER_OF_CALLS; i++) {
- start_stats_update(&stats);
- ret = security_server_reset_pwd("apud", 1, 2);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
- finish_stats(&stats, "security_server_reset_pwd");
-}
-
-/*
- * measurer: Fails only on connection error.
- */
-RUNNER_TEST(m140_security_server_chk_pwd) {
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
- readwrite_stats stats;
- initialize_stats(&stats);
- for (int i = 1; i <= NUMBER_OF_CALLS; i++) {
- start_stats_update(&stats);
- ret = security_server_chk_pwd("is_this_password", &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
- finish_stats(&stats, "security_server_chk_pwd");
-}
-
-/*
- * measurer: Fails only on connection error.
- */
-RUNNER_TEST(m150_security_server_set_pwd_history) {
- int ret;
- readwrite_stats stats;
- initialize_stats(&stats);
- for (int i = 1; i <= NUMBER_OF_CALLS; i++) {
- start_stats_update(&stats);
- ret = security_server_set_pwd_history(100);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
- finish_stats(&stats, "security_server_set_pwd_history");
-}
-
-/*
- * measurer: Fails only on connection error.
- */
-RUNNER_TEST(m160_security_server_app_give_access) {
- int ret;
- readwrite_stats stats;
- initialize_stats(&stats);
- const char* customer_label = M160_CUSTOMER_LABEL;
- int customer_pid = getpid();
- for (int i = 1; i <= NUMBER_OF_CALLS; i++) {
- start_stats_update(&stats);
- ret = security_server_app_give_access(customer_label, customer_pid);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
- finish_stats(&stats, "security_server_app_give_access");
-}
-
-/*
- * measurer: Fails only on connection error.
- */
-RUNNER_TEST(m170_security_server_check_privilege_by_pid) {
-
- RUNNER_IGNORED_MSG("security_server_check_privilege_by_pid is temporarily disabled: always returns success");
- int ret;
- readwrite_stats stats;
- initialize_stats(&stats);
- int pid = getpid();
- const char *object = M170_OBJECT_LABEL;
- const char *access_rights = "rw";
- for (int i = 1; i <= NUMBER_OF_CALLS; i++) {
- start_stats_update(&stats);
- ret = security_server_check_privilege_by_pid(pid, object, access_rights);
- RUNNER_ASSERT_MSG(communication_succeeded(ret) == 0, "commmunication error; ret = " << ret);
- end_stats_update(&stats);
- }
- finish_stats(&stats, "security_server_check_privilege_by_pid");
-}
-
-
-int main(int argc, char *argv[])
-{
- securityClientEnableLogSystem();
- DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
- return 0;
-}
diff --git a/src/security-server-tests/security_server_mockup.cpp b/src/security-server-tests/security_server_mockup.cpp
deleted file mode 100644
index 4fc9811..0000000
--- a/src/security-server-tests/security_server_mockup.cpp
+++ /dev/null
@@ -1,113 +0,0 @@ -/* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved - */ -/* - * @file security_server_mockup.cpp - * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 - * @brief All mockups required in security-server tests. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#define SECURITY_SERVER_TEST_SOCK_PATH "/tmp/.security_server_sock_mockup" - -/* Create a Unix domain socket and bind */ -int create_new_socket() -{ - int localsockfd = -1, flags; - struct sockaddr_un serveraddr; - mode_t sock_mode; - - if (-1 == remove(SECURITY_SERVER_TEST_SOCK_PATH)) { - LogDebug("Unable to remove " << SECURITY_SERVER_TEST_SOCK_PATH); - } - - /* Create Unix domain socket */ - if ((localsockfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) - { - localsockfd = -1; - LogDebug("Socket creation failed"); - goto error; - } - - /* Make socket as non blocking */ - if ((flags = fcntl(localsockfd, F_GETFL, 0)) < 0 || - fcntl(localsockfd, F_SETFL, flags) < 0) - { - close(localsockfd); - localsockfd = -1; - LogDebug("Cannot go to nonblocking mode"); - goto error; - } - - bzero (&serveraddr, sizeof(serveraddr)); - serveraddr.sun_family = AF_UNIX; - strncpy(serveraddr.sun_path, SECURITY_SERVER_TEST_SOCK_PATH, - strlen(SECURITY_SERVER_TEST_SOCK_PATH) + 1); - - /* Bind the socket */ - if ((bind(localsockfd, (struct sockaddr*)&serveraddr, sizeof(serveraddr))) < 0) - { - LogDebug("Cannot bind"); - close(localsockfd); - localsockfd = -1; - goto error; - } - - /* Change permission to accept all processes that has different uID/gID */ - sock_mode = (S_IRWXU | S_IRWXG | S_IRWXO); - - /* Flawfinder hits this chmod function as level 5 CRITICAL as race condition flaw * - * * Flawfinder recommends to user fchmod insted of chmod - * * But, fchmod doesn't work on socket file so there is no other choice at this point */ - if (chmod(SECURITY_SERVER_TEST_SOCK_PATH, 
sock_mode) < 0) /* Flawfinder: ignore */ - { - LogDebug("chmod() error"); - close(localsockfd); - localsockfd = -1; - goto error; - } -error: - return localsockfd; -} - -int connect_to_testserver() -{ - struct sockaddr_un clientaddr; - int client_len = 0, localsockfd; - - /* Create a socket */ - if ((localsockfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) - { - LogDebug("Error on socket. Errno: " << errno); - return -1; - } - - bzero(&clientaddr, sizeof(clientaddr)); - clientaddr.sun_family = AF_UNIX; - strncpy(clientaddr.sun_path, SECURITY_SERVER_TEST_SOCK_PATH, strlen(SECURITY_SERVER_TEST_SOCK_PATH)); - clientaddr.sun_path[strlen(SECURITY_SERVER_TEST_SOCK_PATH)] = 0; - client_len = sizeof(clientaddr); - if (connect(localsockfd, (struct sockaddr*)&clientaddr, client_len) < 0) - { - LogDebug("Error on connect. Errno: " << errno); - close(localsockfd); - return -1; - } - return localsockfd; -} - diff --git a/src/security-server-tests/security_server_mockup.h b/src/security-server-tests/security_server_mockup.h deleted file mode 100644 index 617e75a..0000000 --- a/src/security-server-tests/security_server_mockup.h +++ /dev/null @@ -1,18 +0,0 @@ -/* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved - */ -/* - * @file security_server_tests_client_smack.cpp - * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 - * @brief Mockups. - */ - -#ifndef _SS_CLIENT_SERVER_ -#define _SS_CLIENT_SERVER_ - -int create_new_socket(); -int connect_to_testserver(); - -#endif - diff --git a/src/security-server-tests/security_server_tests_client_smack.cpp b/src/security-server-tests/security_server_tests_client_smack.cpp deleted file mode 100644 index fa7c13b..0000000 --- a/src/security-server-tests/security_server_tests_client_smack.cpp +++ /dev/null 
@@ -1,548 +0,0 @@ -/* - * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved - */ -/* - * @file security_server_tests_client_smack.cpp - * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.1 - * @brief Test cases for security-server-client-smack. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include - -#include -#include -#include -#include -#include "security_server_mockup.h" - -#include -#include -#include "tests_common.h" -#include - -#define PROPER_COOKIE_SIZE 20 - - -RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_CLIENT_SMACK) - -/* - * test: tc04_security_server_get_gid - * description: Checking for security_server_get_gid - * with nonexisting gid and existing one - * expected: security_server_get_gid should return - * SECURITY_SERVER_ERROR_NO_SUCH_OBJECT with first call - * and group id with second call - */ -RUNNER_CHILD_TEST_SMACK(tc04_security_server_get_gid) -{ - SecurityServer::AccessProvider provider("tc04mylabel"); - provider.allowSS(); - provider.applyAndSwithToUser(APP_UID, APP_GID); - - int ret = security_server_get_gid("abc123xyz_pysiaczek"); - LogDebug("ret = " << ret); - RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT == ret, "Ret: " << ret); - ret = security_server_get_gid("root"); - LogDebug("ret = " << ret); - RUNNER_ASSERT_MSG(0 == ret, "Ret: " << ret); -} - -/* - * test: tc05_check_privilege_by_cookie - * description: Function security_server_check_privilege_by_cookie should - * return status of access rights of cookie owner. In this case cookie owner - * is the same process that ask for the rights. - * expected: Function call with access rights set to "r" should return SUCCESS, - * with "rw" should return ACCESS DENIED. 
- */ -RUNNER_CHILD_TEST_SMACK(tc05_check_privilege_by_cookie) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success"); - char cookie[20]; - const char *object_label = "tc05objectlabel"; - const char *access_rights = "r"; - const char *access_rights_ext = "rw"; - const char *subject_label = "tc05subjectlabel"; - - SecurityServer::AccessProvider provider(subject_label); - provider.allowSS(); - provider.addObjectRule(object_label, access_rights); - provider.applyAndSwithToUser(APP_UID, APP_GID); - - RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == - security_server_request_cookie(cookie,20)); - - RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == - security_server_check_privilege_by_cookie( - cookie, - object_label, - access_rights)); - - RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == - security_server_check_privilege_by_cookie( - cookie, - object_label, - access_rights_ext)); -} - -/* - * test: security_server_check_privilege_by_sockfd - * description: This test will create dummy server that will accept connection - * and die. The client will try to check access rights using connection descriptor. - * expected: Function call with access rights set to "r" should return SUCCESS, - * with "rw" should return ACCESS DENIED. 
- */ -RUNNER_MULTIPROCESS_TEST_SMACK(tc06_check_privilege_by_sockfd) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success"); - const char *object_label = "tc06objectlabel"; - const char *access_rights = "r"; - const char *access_rights_ext = "rw"; - const char *subject_label = "tc06subjectlabel"; - - int result1 = -1; - int result2 = -1; - - smack_accesses *handle; - RUNNER_ASSERT(0 == smack_accesses_new(&handle)); - RUNNER_ASSERT(0 == smack_accesses_add(handle, - subject_label, - object_label, - access_rights)); - RUNNER_ASSERT(0 == smack_accesses_apply(handle)); - smack_accesses_free(handle); - - int pid = fork(); - char *label; - RUNNER_ASSERT_ERRNO(-1 != pid); - - if (0 == pid) { - // child - RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set"); - - int sockfd = create_new_socket(); - RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed"); - - SockUniquePtr sockfd_ptr(&sockfd); - - label = security_server_get_smacklabel_sockfd(sockfd); - RUNNER_ASSERT_MSG(label != nullptr, "security_server_get_smacklabel_sockfd failed"); - RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\""); - free(label); - - RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); - - RUNNER_ASSERT_ERRNO_MSG(listen(sockfd, 5) >= 0, "child listen failed"); - - label = security_server_get_smacklabel_sockfd(sockfd); - RUNNER_ASSERT_MSG(label != nullptr, "security_server_get_smacklabel_sockfd failed"); - RUNNER_ASSERT_MSG(strcmp(label,"") == 0, "label is \"" << label << "\""); - free(label); - - struct sockaddr_un client_addr; - socklen_t client_len = sizeof(client_addr); - int csockfd; - RUNNER_ASSERT_ERRNO_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, - "child accept failed"); - - usleep(500); - - close(csockfd); - exit(0); - } else { - // parent - sleep(1); - int sockfd = connect_to_testserver(); - 
RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed"); - - SockUniquePtr sockfd_ptr(&sockfd); - - label = security_server_get_smacklabel_sockfd(sockfd); - RUNNER_ASSERT_MSG(label != nullptr, "security_server_get_smacklabel_sockfd failed"); - RUNNER_ASSERT_MSG(strcmp(label,subject_label) == 0, "label is \"" << label << "\"" << ", subject_label is \"" << subject_label << "\"" ); - free(label); - - result1 = security_server_check_privilege_by_sockfd( - sockfd, - object_label, - access_rights); - result2 = security_server_check_privilege_by_sockfd( - sockfd, - object_label, - access_rights_ext); - } - - RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result = " << result1); - RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, "result = " << result2); -} - -/* - * test: security_server_check_privilege_by_sockfd - * description: This test will create dummy server that will accept connection - * and die. The client will try to check access rights using connection descriptor. - * Because we read a smack label not from socket directly, but from from pid of process - * on the other end of socket - that's why smack label will be updated. - * In this test client is running under root and server is not - to test the extreme case. - * expected: Function call with access rights set to "r" should return SUCCESS, - * with "rw" should return ACCESS DENIED. 
- */ -RUNNER_MULTIPROCESS_TEST_SMACK(tc07_check_privilege_by_sockfd) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success"); - const char *object_label = "tc07objectlabel"; - const char *access_rights = "r"; - const char *access_rights_ext = "rw"; - const char *subject_label = "tc07subjectlabel"; - - int result1 = -1; - int result2 = -1; - - SmackAccess access; - access.add(subject_label, object_label, access_rights); - access.apply(); - - int pid = fork(); - RUNNER_ASSERT_ERRNO(-1 != pid); - - if (0 == pid) { - - pid = fork(); - RUNNER_ASSERT_ERRNO(-1 != pid); - - if (0 == pid) { - // child - int sockfd = create_new_socket(); - RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed"); - - SockUniquePtr sockfd_ptr(&sockfd); - - RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(subject_label), "child label " << subject_label << " not set"); - - RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); - - RUNNER_ASSERT_ERRNO_MSG(listen(sockfd, 5) >= 0, "child listen failed"); - - struct sockaddr_un client_addr; - socklen_t client_len = sizeof(client_addr); - int csockfd = TEMP_FAILURE_RETRY(accept(sockfd,(struct sockaddr*)&client_addr, &client_len)); - if (csockfd >= 0) - close(csockfd); - LogDebug("Exit!"); - exit(0); - } else { - // parent - sleep(1); - int sockfd = connect_to_testserver(); - RUNNER_ASSERT_MSG(sockfd >= 0, "connect_to_testserver() failed"); - - result1 = security_server_check_privilege_by_sockfd( - sockfd, - object_label, - access_rights); - result2 = security_server_check_privilege_by_sockfd( - sockfd, - object_label, - access_rights_ext); - - close(sockfd); - - RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1); - RUNNER_ASSERT_MSG(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == result2, " result2 = " << result2); - } - } -} - -/////////////////////////// -/////NOSMACK ENV TESTS///// -/////////////////////////// - 
-RUNNER_CHILD_TEST_NOSMACK(tc04_security_server_get_gid_nosmack) -{ - int ret; - - ret = drop_root_privileges(); - RUNNER_ASSERT_MSG(ret == 0, - "Failed to drop root privileges. Result: " << ret << "uid = " << getuid()); - - ret = security_server_get_gid("definitely_not_existing_object"); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret = " << ret); - ret = security_server_get_gid("root"); - RUNNER_ASSERT_MSG(ret == 0, "ret = " << ret); -} - -/* - * NOSMACK version of tc05 test. - * - * Correct behaviour of smack_accesses_apply and smack_set_label_for_self was checked by libsmack - * tests. We assume, that those tests pass. Additionally security_server_check_privilege_by_cookie - * should return SUCCESS no matter what access_rights we give to this function. - */ -RUNNER_CHILD_TEST_NOSMACK(tc05_check_privilege_by_cookie_nosmack) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success"); - char cookie[20]; - const char* object_label = "tc05objectlabel"; - - RUNNER_ASSERT(security_server_request_cookie(cookie,20) == SECURITY_SERVER_API_SUCCESS); - - RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); - - RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == - security_server_check_privilege_by_cookie(cookie, object_label, "r")); - - //On NOSMACK env security server should return success on any accesses, even those that are - //incorrect. - RUNNER_ASSERT(SECURITY_SERVER_API_SUCCESS == - security_server_check_privilege_by_cookie(cookie, object_label, "rw")); -} - -/** - * NOSMACK version of tc06 test. 
- * - * Differences between this and SMACK version (server): - * - Skipped setting access_rights - * - Skipped setting label for server - * - get_smacklabel_sockfd is called only once for server, almost right after fork and creation - * of socket (because it should do nothing when SMACK is off) - * - After get_smacklabel_sockfd privileges are dropped and server is prepared to accept connections - * from client - * - * For client the only difference are expected results from check_privilege_by_sockfd - both should - * return SUCCESS. - */ -RUNNER_MULTIPROCESS_TEST_NOSMACK(tc06_check_privilege_by_sockfd_nosmack) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success"); - const char* object_label = "tc06objectlabel"; - - int result1 = -1; - int result2 = -1; - - int pid = fork(); - char* label; - RUNNER_ASSERT_ERRNO(pid >= 0); - - int ret; - - if (pid == 0) { //child process - server - //create new socket - int sockfd = create_new_socket(); - RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed"); - - SockUniquePtr sockfd_ptr(&sockfd); - - //check if get_smacklabel_sockfd works correctly - label = security_server_get_smacklabel_sockfd(sockfd); - RUNNER_ASSERT_MSG(label != nullptr, "security_server_get_smacklabel_sockfd failed"); - ret = strcmp(label, ""); - free(label); - RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\""); - - RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); - - RUNNER_ASSERT_ERRNO_MSG(listen(sockfd, 5) >= 0, "child listen failed"); - - struct sockaddr_un client_addr; - socklen_t client_len = sizeof(client_addr); - - int csockfd; - RUNNER_ASSERT_ERRNO_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, - "child accept failed"); - - //wait a little bit for parent to do it's job - usleep(200); - - //if everything works, cleanup and return 0 - close(csockfd); - exit(0); - } else { - //parent - sleep(1); - int sockfd = 
connect_to_testserver(); - RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to connect to server."); - - SockUniquePtr sockfd_ptr(&sockfd); - - label = security_server_get_smacklabel_sockfd(sockfd); - RUNNER_ASSERT_MSG(label != nullptr, "get_smacklabel_sockfd failed."); - ret = strcmp(label, ""); - free(label); - RUNNER_ASSERT_MSG(ret == 0, "label is \"" << label << "\""); - - result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r"); - result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw"); - } - - RUNNER_ASSERT_MSG(result1 == SECURITY_SERVER_API_SUCCESS, "result = " << result1); - RUNNER_ASSERT_MSG(result2 == SECURITY_SERVER_API_SUCCESS, "result = " << result2); -} - -/** - * NOSMACK version of tc07 test. - */ -RUNNER_MULTIPROCESS_TEST_NOSMACK(tc07_check_privilege_by_sockfd_nosmack) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success"); - const char* object_label = "tc07objectlabel"; - - int result1 = -1; - int result2 = -1; - - int pid = fork(); - RUNNER_ASSERT_ERRNO(-1 != pid); - - if (pid == 0) { - - pid = fork(); - RUNNER_ASSERT_ERRNO(-1 != pid); - - if (pid == 0) { //child process - //Create socket - int sockfd = create_new_socket(); - RUNNER_ASSERT_MSG(sockfd >= 0, "create_new_socket() failed"); - - SockUniquePtr sockfd_ptr(&sockfd); - - //Drop privileges - RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); - - //Prepare for accepting - RUNNER_ASSERT_ERRNO_MSG(listen(sockfd, 5) >= 0, "child listen failed"); - - struct sockaddr_un client_addr; - socklen_t client_len = sizeof(client_addr); - - //Accept connections - int csockfd; - RUNNER_ASSERT_ERRNO_MSG((csockfd = accept(sockfd,(struct sockaddr*)&client_addr, &client_len)) > 0, - "child accept failed"); - - //wait a little bit for parent to do it's job - usleep(200); - - //cleanup and kill child - close(csockfd); - exit(0); - } else { //parent process - //Drop root privileges - 
RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); - - //Wait for server to set up - sleep(1); - - //Connect and check privileges - int sockfd = connect_to_testserver(); - RUNNER_ASSERT_MSG(sockfd >= 0, "Failed to create socket fd."); - - result1 = security_server_check_privilege_by_sockfd(sockfd, object_label, "r"); - result2 = security_server_check_privilege_by_sockfd(sockfd, object_label, "rw"); - - close(sockfd); - - //Both results (just like in the previous test case) should return success. - RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result1, "result1 = " << result1); - RUNNER_ASSERT_MSG(SECURITY_SERVER_API_SUCCESS == result2, "result2 = " << result2); - } - } -} - -RUNNER_TEST_SMACK(tc18_security_server_get_smacklabel_cookie) { - int res; - - char *label_smack = nullptr; - char *label_ss = nullptr; - char *cookie = nullptr; - - int cookie_size = security_server_get_cookie_size(); - RUNNER_ASSERT_MSG(PROPER_COOKIE_SIZE == cookie_size, "Wrong cookie size from security-server"); - - cookie = (char*) calloc(cookie_size, 1); - RUNNER_ASSERT_MSG(nullptr != cookie, "Memory allocation error"); - - res = security_server_request_cookie(cookie, cookie_size); - if (res != SECURITY_SERVER_API_SUCCESS) { - free(cookie); - RUNNER_ASSERT_MSG(res == SECURITY_SERVER_API_SUCCESS, "Error in requesting cookie from security-server"); - } - - label_ss = security_server_get_smacklabel_cookie(cookie); - free(cookie); - RUNNER_ASSERT_MSG(label_ss != nullptr, "Error in getting label by cookie"); - - - std::string label_cookie(label_ss); - free(label_ss); - - res = smack_new_label_from_self(&label_smack); - if (res < 0) { - free(label_smack); - RUNNER_ASSERT_MSG(res == 0, "Error in getting self SMACK label"); - } - std::string label_self(label_smack ? 
label_smack : ""); - free(label_smack); - - RUNNER_ASSERT_MSG(label_self == label_cookie, "No match in SMACK labels"); - - - //TODO: here could be label change using SMACK API and checking if it - //is changed using security-server API function based on the same cookie -} - -/** - * NOSMACK version of tc_security_server_get_smacklabel_cookie test. - * - * Most of this test goes exactly as the original one. The only difference are the labels: - * - We assume that libsmack tests passed and smack_new_label_from_self will return -1 and nullptr - * label - there is no need to re-check it. - * - Label acquired from security_server_get_smacklabel_cookie should be an empty string. - */ -RUNNER_TEST_NOSMACK(tc18_security_server_get_smacklabel_cookie_nosmack) { - int res; - - char* label_ss = nullptr; - char* cookie = nullptr; - - int cookie_size = security_server_get_cookie_size(); - RUNNER_ASSERT_MSG(PROPER_COOKIE_SIZE == cookie_size, - "Wrong cookie size from security-server. Size: " << cookie_size); - - cookie = (char*) calloc(cookie_size, sizeof(char)); - RUNNER_ASSERT_MSG(nullptr != cookie, "Memory allocation error"); - - //Request cookie from SS - res = security_server_request_cookie(cookie, cookie_size); - CookieUniquePtr cookie_ptr(cookie); - cookie = nullptr; - RUNNER_ASSERT_MSG(res == SECURITY_SERVER_API_SUCCESS, - "Error in requesting cookie from security-server. Result: " << res); - - label_ss = security_server_get_smacklabel_cookie(cookie_ptr.get()); - RUNNER_ASSERT_MSG(label_ss != nullptr, "Error in getting label by cookie"); - - std::string label(label_ss); - free(label_ss); - RUNNER_ASSERT_MSG(label.empty(), "label_ss is not an empty string."); - -} - -//////////////////// -/////MAIN/////////// -//////////////////// - -int main(int argc, char *argv[]) -{ - return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv); -} 
diff --git a/src/security-server-tests/security_server_tests_mt.cpp b/src/security-server-tests/security_server_tests_mt.cpp
deleted file mode 100644
index c1da88b..0000000
--- a/src/security-server-tests/security_server_tests_mt.cpp
+++ /dev/null
@@ -1,150 +0,0 @@ -/* - * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/* - * @file security_server_tests_mt.cpp - * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com) - * @version 1.0 - * @brief This test creates multiple processes that connect to security - * server and perform random operations using its API. The purpose - * of this test is to check if security-server crashes when under - * heavy load. Test succeeds if all processes finish. 
- */ - -#include -#include -#include -#include -#include -#include -#include -#include - -namespace { -const size_t PROC_TOTAL = 1000; // total number of processes to spawn -const size_t PROC_MAX = 10; // max number of processes working at the same time -const size_t LOOPS = 50; // number of loop repeats - -std::default_random_engine generator(std::chrono::system_clock::now().time_since_epoch().count()); - -// common function data -struct Data { - char *cookie; // not owned - - Data(char *c) : cookie(c) {} -}; - - -// test functions -void request_cookie(const Data&) -{ - char cookie[20]; - security_server_request_cookie(cookie, 20); -} - -void check_privilege(const Data &d) -{ - int ret = security_server_get_gid("audio"); - security_server_check_privilege(d.cookie, ret); -} - -void check_privilege_by_cookie(const Data &d) -{ - security_server_check_privilege_by_cookie(d.cookie, "label", "rwxat"); -} - -void get_cookie_pid(const Data &d) -{ - security_server_get_cookie_pid(d.cookie); -} - -void get_smack_label(const Data &d) -{ - char *label = security_server_get_smacklabel_cookie(d.cookie); - free(label); -} - -void random_sleep(const Data&) -{ - std::uniform_int_distribution distribution(0,100); - usleep(distribution(generator)); -} - - -// list of test functions -std::vector > functions = { - random_sleep, - request_cookie, - check_privilege, - check_privilege_by_cookie, - get_cookie_pid, - get_smack_label -}; -} // namespace - -// randomly calls test functions -void security_server_magic() -{ - char cookie[20]; - security_server_request_cookie(cookie, 20); - Data d(cookie); - - // random loop number - std::uniform_int_distribution l_dist(0,LOOPS); - size_t loops = l_dist(generator); - - // random function call - std::uniform_int_distribution distribution(0,functions.size() - 1); - auto rnd = std::bind(distribution, generator); - for (size_t i = 0; i < loops; ++i) { - functions[rnd()](d); - } -} - -int main() -{ - size_t current = 0; - size_t spawned = 0; - for 
(;;) {
- if (current >= PROC_MAX || spawned >= PROC_TOTAL) {
- int status;
- int ret = wait(&status);
-
- // all processes spawned, no more children to wait for
- if (spawned >= PROC_TOTAL && ret <= 0)
- break;
-
- current--;
- }
-
- // spawn predefined number of processes
- if (spawned < PROC_TOTAL) {
- pid_t pid = fork();
- if (pid == 0) {
- LogDebug("START " << spawned);
- security_server_magic();
- LogError("STOP " << spawned);
- exit(0);
- }
- else {
- //LogWarning("PID " << pid);
- spawned++;
- current++;
- }
- }
- }
- LogInfo("Finished");
- return 0;
-}
diff --git a/src/security-server-tests/security_server_tests_password.cpp b/src/security-server-tests/security_server_tests_password.cpp
deleted file mode 100644
index b9f0584..0000000
--- a/src/security-server-tests/security_server_tests_password.cpp
+++ /dev/null
@@ -1,1526 +0,0 @@
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- */
-/*
- * @file security_server_tests_password.cpp
- * @author Bumjin Im (bj.im@samsung.com)
- * @author Pawel Polawski (p.polawski@partner.samsung.com)
- * @author Radoslaw Bartosiak (r.bartosiak@samsung.com)
- * @author Jan Olszak (j.olszak@samsung.com)
- * @version 2.0
- * @brief Test cases for security server
- *
- * WARNING: In this file test order is very important. They have to always be run
- * in correct order. This is done by correct test case names ("tcXX_").
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include "security-server.h"
-#include
-#include
-#include
-#include "security_server_clean_env.h"
-#include "security_server_tests_common.h"
-
-
-// the maximum time (in seconds) passwords can expire in
-const unsigned int PASSWORD_INFINITE_EXPIRATION_TIME = 0xFFFFFFFF;
-
-// test passwords
-const char* TEST_PASSWORD = "IDLEPASS";
-const char* SECOND_TEST_PASSWORD = "OTHERIDLEPASS";
-const char* THIRD_TEST_PASSWORD = "THIRDPASS";
-const char* FOURTH_TEST_PASSWORD = "FOURTHPASS";
-
-RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_PASSWORD);
-
-struct SystemClock {
- SystemClock(time_t sft)
- : m_original(time(0))
- , m_shift(0)
- {
- shift(sft);
- }
-
- SystemClock()
- : m_original(time(0))
- , m_shift(0)
- {}
-
- void shift(time_t sft) {
- m_shift += sft;
- time_t shifted = m_original + m_shift;
- RUNNER_ASSERT_ERRNO(0 == stime(&shifted));
- }
-
- ~SystemClock() {
- if (std::uncaught_exception()) {
- stime(&m_original);
- return;
- }
-
- RUNNER_ASSERT_ERRNO(0 == stime(&m_original));
- }
-private:
- time_t m_original;
- time_t m_shift;
-};
-
-
-/**
- * Confirm there is no password before tests are run.
- */
-RUNNER_TEST(tc01_clear_environment)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
-
- if (getuid() == 0)
- {
- reset_security_server();
-
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
-
- RUNNER_ASSERT_MSG(expire_sec == 0, "expire_sec = " << expire_sec);
- RUNNER_ASSERT_MSG(max_attempt == 0, "max_attempt = " << max_attempt);
- RUNNER_ASSERT_MSG(attempt == 0, "attempt = " << attempt);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
- }
- else
- {
- SLOGD("To run the test as non root user, please remove password files (/opt/data/security-server/*) in root shell\n");
- SLOGD("If not, you will see some failures\n");
-
- RUNNER_IGNORED_MSG("I'm not root");
- }
-}
-
-/**
- * Basic test of setting validity period.
- */
-RUNNER_TEST(tc02_security_server_set_pwd_validity)
-{
- int ret;
-
- // Prepare environment
- reset_security_server();
-
- // TESTS:
- // WITHOUT password
- ret = security_server_set_pwd_validity(10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
-
- ret = security_server_set_pwd_validity(11);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
-
- // WITH password
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_validity(10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_validity(11);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-}
-
-/**
- * Basic test of setting maximum number of password challenges.
- */
-RUNNER_TEST(tc03_security_server_set_pwd_max_challenge)
-{
- int ret;
-
- // Prepare environment
- reset_security_server();
-
- // TESTS:
- // WITHOUT password
- ret = security_server_set_pwd_max_challenge(5);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
-
- ret = security_server_set_pwd_max_challenge(6);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
-
- // WITH password
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_max_challenge(5);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_max_challenge(6);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-}
-
-/**
- * Test checking a too long password.
- */
-RUNNER_TEST(tc04_security_server_chk_pwd_too_long_password_case)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
-
- // 33 char password
- ret = security_server_chk_pwd("abcdefghijklmnopqrstuvwxyz0123456", &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-}
-
-/**
- * Test various parameter values when checking a password.
- */
-RUNNER_TEST(tc05_security_server_chk_pwd_null_input_case)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
-
- ret = security_server_chk_pwd(nullptr, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-
- ret = security_server_chk_pwd("password", nullptr, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-
- ret = security_server_chk_pwd("password", &attempt, nullptr, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-
- ret = security_server_chk_pwd("password", &attempt, &max_attempt, nullptr);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-}
-
-/**
- * Check the given password when no password is set.
- */
-RUNNER_TEST(tc06_security_server_chk_pwd_no_password_case)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
-
- // Prepare environment - there is no password now!
- reset_security_server();
-
- // TEST
- ret = security_server_chk_pwd("isthisempty", &attempt, &max_attempt, &expire_sec);
-
- RUNNER_ASSERT_MSG(expire_sec == 0, expire_sec);
- RUNNER_ASSERT_MSG(max_attempt == 0, max_attempt);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret = " << ret);
-}
-
-/**
- * Checks various parameter values.
- */
-RUNNER_TEST(tc07_security_server_set_pwd_null_input_case)
-{
- int ret;
-
- // Prepare environment
- reset_security_server();
-
- // TEST
- ret = security_server_set_pwd(nullptr, nullptr, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-}
-
-/**
- * Test setting too long password.
- */
-RUNNER_TEST(tc08_security_server_set_pwd_too_long_input_param)
-{
- int ret;
-
- // Prepare environment
- reset_security_server();
-
- // TEST
- // 33 char password
- ret = security_server_set_pwd("abcdefghijklmnopqrstuvwxyz0123456", "abcdefghijklmnopqrstuvwxyz0123456", 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-}
-
-/**
- * Basic password setting.
- */
-RUNNER_TEST(tc09_security_server_set_pwd_current_pwd_empty)
-{
- int ret;
-
- // Prepare environment
- reset_security_server();
-
- // TEST
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-}
-
-/**
- * Set a maximum password period.
- */
-RUNNER_TEST(tc10_security_server_set_pwd_current_pwd_max_valid_period_in_days)
-{
- int ret;
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- // UINT_MAX will cause api error, it is to big value
- ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, UINT_MAX);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- // calculate max applicable valid days that will not be rejected by ss
- // ensure, that after conversion from days to seconds in ss there will be no uint overflow
- unsigned int valid_days = ((UINT_MAX - time(nullptr)) / 86400) - 1;
- ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, valid_days);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-}
-
-/**
- * Set a maximum password challenge number.
- */
-RUNNER_TEST(tc11_security_server_set_pwd_current_pwd_max_max_challenge)
-{
- int ret;
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, UINT_MAX, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-}
-
-/**
- * Set empty password.
- */
-RUNNER_TEST(tc12_security_server_set_pwd_current_pwd_nonempty2zero)
-{
- int ret;
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(TEST_PASSWORD, "", 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-}
-
-/**
- * Change password to a too long password.
- */
-RUNNER_TEST(tc14_security_server_set_pwd_current_pwd_too_long_input_param)
-{
- int ret;
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- std::string lng_pwd(5000, 'A');
- ret = security_server_set_pwd(TEST_PASSWORD,lng_pwd.c_str(), 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-}
-
-/**
- * Check empty password.
- */
-RUNNER_TEST(tc15_security_server_chk_pwd_empty_password)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd("", &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-}
-
-/**
- * Various validity parameter values.
- */
-RUNNER_TEST(tc16_security_server_set_pwd_validity)
-{
- int ret;
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- ret = security_server_set_pwd_validity(0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_validity(1);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- //When trying to set UINT_MAX we should get error.
- ret = security_server_set_pwd_validity(UINT_MAX);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-
- ret = security_server_set_pwd_validity(2);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-}
-
-/**
- * Check passwords validity
- */
-RUNNER_TEST(tc17_security_server_is_pwd_valid)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 2);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST:
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
- RUNNER_ASSERT_MSG((expire_sec > 172795) && (expire_sec < 172805), "expire_sec = " << expire_sec);
-}
-
-/**
- * Various numbers of challenges.
- */
-RUNNER_TEST(tc18_security_server_set_pwd_max_challenge)
-{
- int ret;
- // Prepare environment
- reset_security_server();
- // calculate max applicable valid days that will not be rejected by ss
- // ensure, that after conversion from days to seconds in ss there will be no uint overflow
- unsigned int valid_days = ((UINT_MAX - time(nullptr)) / 86400) - 1;
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, valid_days);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TESTS
- ret = security_server_set_pwd_max_challenge(0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_max_challenge(UINT_MAX);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_max_challenge(5);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_max_challenge(6);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-}
-
-
-/**
- * Check the max number of
challenges.
- */
-RUNNER_TEST(tc19_security_server_is_pwd_valid)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_max_challenge(6);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
- RUNNER_ASSERT_MSG(max_attempt == 6, "max_attempt = " << max_attempt);
-}
-
-/**
- * Basic password check.
- */
-RUNNER_TEST(tc20_security_server_chk_pwd)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, ret);
-
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
-}
-
-/**
- * Check an incorrect password.
- */
-RUNNER_TEST(tc21_security_server_chk_incorrect_pwd)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- //TEST
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
-}
-
-/**
- * Check an incorrect password
- */
-RUNNER_TEST(tc22_security_server_set_pwd_incorrect_current)
-{
- int ret;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
-}
-
-/**
- * Change password
- */
-RUNNER_TEST(tc23_security_server_set_pwd_correct_current)
-{
- int ret;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-}
-
-/**
- * Check wrong password multiple times and then check a correct one.
- */
-RUNNER_TEST(tc24_security_server_attempt_exceeding)
-{
- int ret;
- unsigned int i, attempt, max_attempt, expire_sec;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- printf("5 subtests started...");
- for (i = 1; i <= 5; i++) {
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
- RUNNER_ASSERT_MSG(attempt == i, "attempt = " << attempt << ", expected " << i);
- }
- printf("DONE\n");
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
- RUNNER_ASSERT_MSG(attempt == 0, "ret = " << ret);
- RUNNER_ASSERT_MSG(max_attempt == 10, "ret = " << ret);
-}
-
-/**
- * Try to exceed maximum number of challenges.
- */
-RUNNER_TEST(tc25_security_server_attempt_exceeding)
-{
- int ret;
- unsigned int i, attempt, max_attempt, expire_sec;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 1);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- printf("10 subtests started...");
- for (i = 1; i <= 10; i++) {
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
- RUNNER_ASSERT_MSG(attempt == i, "attempt = " << attempt << ", expected " << i);
- }
-
- // The check, that exceeds max number
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, "ret = " << ret);
- printf("DONE\n");
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, "ret = " << ret);
-}
-
-/**
- * Reset password
- */
-RUNNER_TEST(tc26_security_server_reset_pwd)
-{
- int ret;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 5, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- ret = security_server_reset_pwd(TEST_PASSWORD, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-}
-
-/**
- * Check too long password.
- */
-RUNNER_TEST(tc27_security_server_chk_pwd_too_long_password)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 5, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- std::string lng_pwd(5000, 'A');
- ret = security_server_chk_pwd(lng_pwd.c_str(), &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-}
-
-/**
- * Check passwords expiration (not expired)
- */
-RUNNER_TEST(tc28_security_server_check_expiration)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 5, 1);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
- RUNNER_ASSERT_MSG((expire_sec < 86402) && (expire_sec > 86396), "expire_sec = " << ret);
-}
-
-/**
- * Use various parameter values of parameters.
- */
-RUNNER_TEST(tc29_security_server_set_pwd_history)
-{
- int ret;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 5, 1);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TESTS
- ret = security_server_set_pwd_history(100);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-
- ret = security_server_set_pwd_history(51);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-
- ret = security_server_set_pwd_history(-5);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-
- ret = security_server_set_pwd_history(50);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_history(0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_set_pwd_history(INT_MAX);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-
- ret = security_server_set_pwd_history(INT_MIN);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-
- ret = security_server_set_pwd_history(10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-}
-
-
-
-int dir_filter(const struct dirent *entry)
-{
- if ((strcmp(entry->d_name, ".") == 0) ||
- (strcmp(entry->d_name, "..") == 0) ||
- (strcmp(entry->d_name, "attempts") == 0) ||
- (strcmp(entry->d_name, "history") == 0))
- return (0);
- else
- return (1);
-}
-
-void clean_password_dir(void)
-{
- int ret;
- int i;
- struct dirent **mydirent;
-
- ret = scandir("/opt/data/security-server", &mydirent, &dir_filter, alphasort);
- i = ret;
- while (i--)
- free(mydirent[i]);
- free(mydirent);
-}
-
-
-/**
- * Check password history.
- */
-RUNNER_TEST(tc30_security_server_check_history)
-{
- int ret;
- int i;
- char buf1[33], buf2[33];
-
- // Prepare environment
- reset_security_server();
-
- clean_password_dir();
-
- ret = security_server_set_pwd_history(9);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_reset_pwd("history0", 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- printf("11 subtests started...");
- for (i = 0; i < 11; i++) {
- sprintf(buf1, "history%d", i);
- sprintf(buf2, "history%d", i + 1);
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(buf1, buf2, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
- }
- printf("DONE\n");
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd("history11", "history1", 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd("history1", "history8", 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd("history1", "history12", 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- printf("48 subtests started...");
- for (i = 12; i < 60; i++) {
- usleep(PASSWORD_RETRY_TIMEOUT_US);
-
- sprintf(buf1, "history%d", i);
- sprintf(buf2, "history%d", i + 1);
-
- ret = security_server_set_pwd(buf1, buf2, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
- }
- printf("DONE\n");
-
- clean_password_dir();
-}
-
-/**
- * Replay attack
- */
-RUNNER_TEST(tc31_security_server_replay_attack)
-{
- int ret;
- int i = 0;
- unsigned int attempt, max_attempt, expire_sec;
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
-
- while (ret ==
SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER) {
- i += 100000;
-
- ret = security_server_chk_pwd("quickquickquick", &attempt, &max_attempt, &expire_sec);
- usleep(i);
- }
-
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
-}
-
-/**
- * Expired password
- */
-RUNNER_TEST(tc32_security_server_challenge_on_expired_password)
-{
- int ret;
- unsigned int attempt, max_attempt, expire_sec;
- struct timeval cur_time;
-
- // Prepare environment
- reset_security_server();
- ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 4, 1);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = gettimeofday(&cur_time, nullptr);
- RUNNER_ASSERT_ERRNO(ret != -1);
-
- cur_time.tv_sec += (expire_sec + 1);
- ret = settimeofday(&cur_time, nullptr);
- RUNNER_ASSERT_ERRNO(ret != -1);
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXPIRED, "ret = " << ret);
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, "ret = " << ret);
-}
-
-/**
- * Reset password
- */
-RUNNER_TEST(tc33_security_server_reset_by_null_pwd)
-{
- int ret;
-
- // Prepare environment
- reset_security_server();
-
- // TEST
- ret = security_server_reset_pwd(nullptr, 10, 10);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret = " << ret);
-}
-
-/*
- * Use this instead of security_server_chk_pwd directly to verify the function output.
- * For example:
- * verify_chk_pwd("password", SECURITY_SERVER_API_SUCCESS, 2, 5, "debug string")
- */
-void verify_chk_pwd (
- const char* challenge,
- int expected_result,
- unsigned int expected_current_attempt,
- unsigned int expected_max_attempt,
- const std::string &info = std::string())
-{
- /* ensure that initial values differ from expected ones */
- unsigned int attempt = expected_current_attempt - 1;
- unsigned int max_attempt = expected_max_attempt - 1;
- unsigned int expire_sec = PASSWORD_INFINITE_EXPIRATION_TIME - 1;
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- int ret = security_server_chk_pwd(challenge, &attempt, &max_attempt, &expire_sec);
-
- // validate returned value
- RUNNER_ASSERT_MSG(ret == expected_result,
- info << "security_server_chk_pwd returned "
- << ret << " (expected: " << expected_result << ")");
-
- // validate current attempts value
- RUNNER_ASSERT_MSG(attempt == expected_current_attempt,
- info << "security_server_chk_pwd returned attempt = " << attempt <<
- " (expected: " << expected_current_attempt << ")");
-
- // validate max attempt value
- RUNNER_ASSERT_MSG(max_attempt == expected_max_attempt,
- info << "security_server_chk_pwd returned max_attempt = " << max_attempt <<
- " (expected: " << expected_max_attempt << ")");
-
- RUNNER_ASSERT_MSG(expire_sec == PASSWORD_INFINITE_EXPIRATION_TIME,
- info << "security_server_chk_pwd returned expire_sec = " << expire_sec <<
- " (expected: " << PASSWORD_INFINITE_EXPIRATION_TIME << ")");
-}
-
-/**
- * Reach last attempt few times in a row (before exceeding max_attempt).
- */
-RUNNER_TEST(tc34_security_server_max_attempts)
-{
- // Prepare environment
- reset_security_server();
-
- int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // change max attempts number few times
- std::vector max_challenge_tab = {1, 4, 2};
-
- for (size_t pass = 0; pass < max_challenge_tab.size(); ++pass) {
- unsigned int max_challenges = max_challenge_tab[pass];
-
- ret = security_server_set_pwd_max_challenge(max_challenges);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // max_challenges-1 wrong password attempts
- for (unsigned int attempt_nr = 1; attempt_nr < max_challenges; ++attempt_nr)
- verify_chk_pwd(SECOND_TEST_PASSWORD,
- SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
- attempt_nr,
- max_challenges,
- std::string("pass = ") + std::to_string(pass) +
- ", attempt = " + std::to_string(attempt_nr));
-
- // Check correct password finally
- verify_chk_pwd(TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS,
- max_challenges, max_challenges);
- }
-}
-
-/**
- * Decrease 'max challenge' number after several missed attempts.
- */
-RUNNER_TEST(tc35_security_server_decrease_max_attempts)
-{
- const unsigned int max_challenge_more = 10;
- const unsigned int max_challenge_less = 5;
-
- // Prepare environment
- reset_security_server();
-
- int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, max_challenge_more, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // missed attempts
- for (unsigned int attempt = 1; attempt <= max_challenge_more; ++attempt)
- verify_chk_pwd(SECOND_TEST_PASSWORD,
- SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
- attempt,
- max_challenge_more,
- std::string("attempt = ") + std::to_string(attempt));
-
- // lower max_challenge
- ret = security_server_set_pwd_max_challenge(max_challenge_less);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // try valid password - should pass (curr attempts is reset)
- verify_chk_pwd(TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 1, max_challenge_less);
-
- // remove max attempts limit
- ret = security_server_set_pwd_max_challenge(0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // try valid password again - should pass
- verify_chk_pwd(TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 1, 0);
-
- // try to change the password - should pass
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // validate new password
- verify_chk_pwd(SECOND_TEST_PASSWORD, SECURITY_SERVER_API_SUCCESS, 1, 0);
-}
-
-/**
- * Change password few times and challenge previous passwords - checks if security_server_set_pwd
- * works as it should.
- */
-RUNNER_TEST(tc36_security_server_challenge_previous_passwords)
-{
- const int history_depth = 5;
- const unsigned int max_challenge = 3;
- std::string prev_pass, new_pass = TEST_PASSWORD;
-
- // Prepare environment
- reset_security_server();
-
- int ret = security_server_set_pwd_history(history_depth);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_reset_pwd(TEST_PASSWORD, max_challenge, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- for (int depth = 0; depth < history_depth; ++depth) {
- prev_pass = new_pass;
-
- //generate password name
- new_pass = "history" + std::to_string(depth+1);
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(prev_pass.c_str(), new_pass.c_str(), max_challenge, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // challenge initial password
- verify_chk_pwd(
- TEST_PASSWORD,
- SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
- 1,
- max_challenge,
- std::string("depth = ") + std::to_string(depth));
-
- // challenge previous password
- verify_chk_pwd(
- prev_pass.c_str(),
- SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH,
- 2,
- max_challenge,
- std::string("depth = ") + std::to_string(depth));
- }
-}
-
-/**
- * Challenge correct and incorrect passwords, check security_server_chk_pwd output.
- * This test simulates user's behaviour - challenges valid and invalid passwords
- * in various combinations.
- */ -RUNNER_TEST(tc37_security_server_challenge_mixed) -{ - // Prepare environment - reset_security_server(); - - const unsigned int max_challenge = 2; - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, max_challenge, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - // 2x correct pwd - verify that 'cuurrent attempt' isn't increased - for (unsigned int i = 0; i < max_challenge; ++i) - verify_chk_pwd( - TEST_PASSWORD, - SECURITY_SERVER_API_SUCCESS, - 1, - max_challenge, - std::string("i = ") + std::to_string(i)); - - // Ensure that challenging valid password resets 'cuurrent attempt' value. - // If it didn't, the test would fail in third loop pass. - for (unsigned int i = 0; i < max_challenge + 1; ++i) { - // incorrect pwd - verify_chk_pwd( - SECOND_TEST_PASSWORD, - SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, - 1, - max_challenge, - std::string("i = ") + std::to_string(i)); - - // correct pwd - verify_chk_pwd( - TEST_PASSWORD, - SECURITY_SERVER_API_SUCCESS, - 2, - max_challenge, - std::string("i = ") + std::to_string(i)); - } - - // incorrect pwd 2x - 'cuurrent attempt' reaches max_challenge - - // any further attempts (even correct) are blocked - for (unsigned int i = 1; i <= max_challenge; ++i) - verify_chk_pwd( - SECOND_TEST_PASSWORD, - SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, - i, - max_challenge, - std::string("i = ") + std::to_string(i)); - - // correct - refused - for (unsigned int i = 1; i <= max_challenge; ++i) - verify_chk_pwd( - TEST_PASSWORD, - SECURITY_SERVER_API_ERROR_PASSWORD_MAX_ATTEMPTS_EXCEEDED, - max_challenge + i, - max_challenge, - std::string("i = ") + std::to_string(i)); -} - -/* - * Pasword change mixed with history depth change. 
- */
-RUNNER_TEST(tc38_security_server_history_depth_change)
-{
- int ret;
- const int initial_history_depth = 2;
- const int decreased_history_depth = 1;
- const int increased_history_depth = 3;
-
- // Prepare environment
- reset_security_server();
-
- ret = security_server_set_pwd_history(initial_history_depth);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- // TEST_PASSWORD, 2nd and 3rd remembered => 1st should be refused
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
-
- /*
- * Lower history depth. At this point SS should treat THIRD_TEST_PASSWORD as current pwd,
- * and SECOND_TEST_PASSWORD as a part of history.
- */
- ret = security_server_set_pwd_history(decreased_history_depth);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- usleep(PASSWORD_RETRY_TIMEOUT_US);
- ret = security_server_set_pwd(TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret);
-
- /*
- * Increase history depth to 3. At this point SS should remember TEST_PASSWORD
- * and THIRD_TEST_PASSWORD only.
- */ - ret = security_server_set_pwd_history(increased_history_depth); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - // 3rd and TEST_PASSWORD remembered => 2nd should be accepted - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - // TEST_PASSWORD, 2nd and 3rd remembered => 3rd should be refused - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret); -} - -/** - * Challenge invalid password, reset server and check if 'current attempts' is restored. - */ -RUNNER_TEST(tc39_security_server_attempts_num_check_after_reset) -{ - unsigned int attempt, max_attempt, expire_sec; - const unsigned int max_challenge = 10; - const unsigned int invalid_attempts_num = 3; - - // Prepare environment - reset_security_server(); - - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, max_challenge, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - // missed attempts - for (unsigned int attempt = 1; attempt <= invalid_attempts_num; ++attempt) - verify_chk_pwd( - SECOND_TEST_PASSWORD, - SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, - attempt, - max_challenge); - - attempt = max_attempt = expire_sec = UINT_MAX; - ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret); - RUNNER_ASSERT_MSG(max_attempt == max_challenge, "max_attempt = " << max_attempt); - RUNNER_ASSERT_MSG(attempt == invalid_attempts_num, "attempt = " << attempt); - RUNNER_ASSERT_MSG(expire_sec == PASSWORD_INFINITE_EXPIRATION_TIME, "expire_sec = " << - expire_sec); - - // restart server - triggers loading password data from file - restart_security_server(); - - // 
challenge invalid password - verify_chk_pwd( - SECOND_TEST_PASSWORD, - SECURITY_SERVER_API_ERROR_PASSWORD_MISMATCH, - invalid_attempts_num + 1, - max_challenge); - - // challenge valid password - verify_chk_pwd( - TEST_PASSWORD, - SECURITY_SERVER_API_SUCCESS, - invalid_attempts_num + 2, - max_challenge); -} - -/** - * Validate passwords history after security server reset. - */ -RUNNER_TEST(tc40_security_server_history_check_after_reset) -{ - const unsigned int history_depth = 2; - - // Prepare environment - reset_security_server(); - - int ret = security_server_set_pwd_history(history_depth); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(THIRD_TEST_PASSWORD, FOURTH_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - // restart server - triggers loading password data from file - restart_security_server(); - - // try to reuse history passwords - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(FOURTH_TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = 
security_server_set_pwd(FOURTH_TEST_PASSWORD, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); -} - -/** - * Check if SS has correct behaviour when changing history depth to 0. - */ -RUNNER_TEST(tc41_security_server_empty_history_check) -{ - const unsigned int history_depth = 2; - const unsigned int empty_history_depth = 0; - - //prepare environment - reset_security_server(); - - //set new history count - int ret = security_server_set_pwd_history(history_depth); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //set new password and fill history - ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(SECOND_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //make sure, that everything went OK - try setting something that would cause reuse error - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(THIRD_TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_REUSED, "ret = " << ret); - - //reset history limit to no history at all - ret = security_server_set_pwd_history(empty_history_depth); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //make sure, that current password still exists in memory - //expected attempt 3 because our previous tries increased attempt counter - verify_chk_pwd( - 
THIRD_TEST_PASSWORD, - SECURITY_SERVER_API_SUCCESS, - 3, - 0); - - //make sure that it's possible to reuse old password once history limit is set to 0 - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(THIRD_TEST_PASSWORD, THIRD_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //once again try setting earlier used passwords - now API should return success - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(THIRD_TEST_PASSWORD, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); -} - -RUNNER_TEST(tc42_security_server_set_new_pwd_with_current_empty) -{ - //prepare environment - reset_security_server(); - - //set a password - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //try setting different password and giving nullptr as current once again - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(nullptr, SECOND_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret); -} - -RUNNER_TEST(tc43_security_server_no_retry_timeout_is_pwd_valid) -{ - //prepare environment - reset_security_server(); - - //set a password - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //do test - unsigned int attempt, max_attempt, expire_sec; - ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret); - ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == 
SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret); -} - -RUNNER_TEST(tc44_security_server_retry_timeout_chk_pwd) -{ - //prepare environment - reset_security_server(); - - //set a password - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //do test - unsigned int attempt, max_attempt, expire_sec; - ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret); - ret = security_server_chk_pwd(TEST_PASSWORD, &attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret); -} - -RUNNER_TEST(tc45_security_server_retry_timeout_set_pwd) -{ - //prepare environment - reset_security_server(); - - //set a password - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //do test - ret = security_server_set_pwd(TEST_PASSWORD, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret); - ret = security_server_set_pwd(TEST_PASSWORD, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_RETRY_TIMER, "ret = " << ret); -} - -RUNNER_TEST(tc46_security_server_no_retry_timeout_set_pwd_validity) -{ - //prepare environment - reset_security_server(); - - //set a password - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //do test - ret = security_server_set_pwd_validity(11); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - ret = security_server_set_pwd_validity(11); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); -} - -RUNNER_TEST(tc47_security_server_no_retry_timeout_reset_pwd) -{ - //prepare 
environment - reset_security_server(); - - //set a password - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //do test - ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - ret = security_server_reset_pwd(TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); -} - -RUNNER_TEST(tc48_security_server_no_retry_timeout_pwd_history) -{ - //prepare environment - reset_security_server(); - - //set a password - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //do test - ret = security_server_set_pwd_history(5); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - ret = security_server_set_pwd_history(5); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); -} - -RUNNER_TEST(tc49_security_server_no_retry_timeout_set_pwd_max_challenge) -{ - //prepare environment - reset_security_server(); - - //set a password - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - //do test - ret = security_server_set_pwd_max_challenge(5); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - ret = security_server_set_pwd_max_challenge(5); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); -} - -RUNNER_TEST(tc50_security_server_set_pwd_current_pwd_with_infinite_expiration_time) -{ - int ret; - unsigned int attempt, max_attempt, expire_sec; - - // Prepare environment - reset_security_server(); - ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 10, 10); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - usleep(PASSWORD_RETRY_TIMEOUT_US); - - // Assert security server sets infinite 
expiration time - ret = security_server_set_pwd(TEST_PASSWORD, SECOND_TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - usleep(PASSWORD_RETRY_TIMEOUT_US); - - ret = security_server_chk_pwd(SECOND_TEST_PASSWORD, &attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - RUNNER_ASSERT_MSG(expire_sec == PASSWORD_INFINITE_EXPIRATION_TIME, - "invalid expiration time " << expire_sec); - - clean_password_dir(); -} - -RUNNER_TEST(tc51_security_server_is_pwd_valid) -{ - reset_security_server(); - - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 1); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - unsigned int attempt, maxAttempt, validSec; - attempt = maxAttempt = validSec = 0; - - ret = security_server_is_pwd_valid(&attempt, &maxAttempt, &validSec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret << - " atempt=" << attempt << " maxAttempt=" << maxAttempt << " validSec=" << validSec); - - - SystemClock clock(60*60*24*2); - - ret = security_server_is_pwd_valid(&attempt, &maxAttempt, &validSec); - RUNNER_ASSERT_MSG((ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST) && (validSec == 0), - "ret = " << ret << " atempt=" << attempt << " maxAttempt=" << maxAttempt - << " validSec=" << validSec); -} - -RUNNER_TEST(tc52_security_server_is_pwd_valid) -{ - reset_security_server(); - - int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret); - - unsigned int attempt, maxAttempt, validSec; - attempt = maxAttempt = validSec = 0; - - ret = security_server_is_pwd_valid(&attempt, &maxAttempt, &validSec); - RUNNER_ASSERT_MSG((ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST) && (validSec == 0xffffffff), "ret = " << ret << - " atempt=" << attempt << " maxAttempt=" << maxAttempt << " validSec=" << validSec); -} - 
-RUNNER_TEST(tc53_security_server_is_pwd_valid)
-{
- reset_security_server();
-
- int ret = security_server_set_pwd(nullptr, TEST_PASSWORD, 0, 3);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret = " << ret);
-
- unsigned int attempt, maxAttempt, validSec;
- attempt = maxAttempt = validSec = 0;
-
- // password shoudl be valid for 3 days == (60*60*24*3) 259200 seconds
- ret = security_server_is_pwd_valid(&attempt, &maxAttempt, &validSec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
- RUNNER_ASSERT_MSG((validSec > 259000) && (validSec < 260000), "validSec = " << validSec);
-
- SystemClock clock;
- clock.shift(-60*60*24); // one day back
-
- // password should be valid for 4 days == (60*60*24*4) 345600 seconds
- ret = security_server_is_pwd_valid(&attempt, &maxAttempt, &validSec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
- RUNNER_ASSERT_MSG((validSec > 345000) && (validSec < 346000), "validSec = " << validSec);
-
- clock.shift(-60*60*24*2); // 3 days back
-
- // password shoudl be valid for 6 days == (60*60*24*6) 518400 seconds
- ret = security_server_is_pwd_valid(&attempt, &maxAttempt, &validSec);
- RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_PASSWORD_EXIST, "ret = " << ret);
- RUNNER_ASSERT_MSG((validSec > 518000) && (validSec < 519000), "validSec = " << validSec);
-}
-
-int main(int argc, char *argv[])
-{
- return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
-}
diff --git a/src/security-server-tests/security_server_tests_privilege.cpp b/src/security-server-tests/security_server_tests_privilege.cpp
deleted file mode 100644
index c7e698f..0000000
--- a/src/security-server-tests/security_server_tests_privilege.cpp
+++ /dev/null
@@ -1,125 +0,0 @@
-#include
-
-#include
-
-#include
-#include
-
-const char *SSTP_APP_ID = "sstp_test_app";
-const char *SSTP_OTHER_LABEL = "sstp_test_other_label";
-
-const char *SSTP_PERMS[] = {
- "sstp_test_rules1",
- "sstp_test_rules2",
- nullptr
-};
-
-const char *SSTP_PERMS1[] = {
- SSTP_PERMS[0],
- nullptr
-};
-
-const char *SSTP_PERMS2[] = {
- SSTP_PERMS[1],
- nullptr
-};
-
-void check_security_server_app_has_privilege(const char *app_label,
- const char *permission,
- int is_enabled_expected)
-{
- int result;
- int is_enabled;
-
- result = security_server_app_has_privilege(app_label, APP_TYPE_WGT, permission, &is_enabled);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error calling security_server_app_has_privilege. Result: " << result);
-
- RUNNER_ASSERT_MSG(is_enabled == is_enabled_expected,
- "Result of security_server_app_has_privilege should be: " << is_enabled_expected);
-}
-
-RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_PRIVILEGE);
-
-RUNNER_TEST(sstp_01_security_server_app_has_privilege)
-{
- int result;
-
- DB_BEGIN
-
- result = perm_app_uninstall(SSTP_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error uninstalling app. Result" << result);
-
- result = perm_app_install(SSTP_APP_ID);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error installing app. Result" << result);
-
- result = perm_app_disable_permissions(SSTP_APP_ID, APP_TYPE_WGT, SSTP_PERMS);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error disabling app r and no r permissions. Result: " << result);
-
- DB_END
-
- check_security_server_app_has_privilege(USER_APP_ID, SSTP_PERMS[0], 0);
- check_security_server_app_has_privilege(USER_APP_ID, SSTP_PERMS[1], 0);
- check_security_server_app_has_privilege(SSTP_OTHER_LABEL, SSTP_PERMS[0], 0);
- check_security_server_app_has_privilege(SSTP_OTHER_LABEL, SSTP_PERMS[1], 0);
-
- DB_BEGIN
-
- result = perm_app_enable_permissions(SSTP_APP_ID, APP_TYPE_WGT, SSTP_PERMS1, false);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error registering app r permissions. Result: " << result);
-
- DB_END
-
- check_security_server_app_has_privilege(USER_APP_ID, SSTP_PERMS[0], 1);
- check_security_server_app_has_privilege(USER_APP_ID, SSTP_PERMS[1], 0);
- check_security_server_app_has_privilege(SSTP_OTHER_LABEL, SSTP_PERMS[0], 0);
- check_security_server_app_has_privilege(SSTP_OTHER_LABEL, SSTP_PERMS[1], 0);
-
- DB_BEGIN
-
- result = perm_app_enable_permissions(SSTP_APP_ID, APP_TYPE_WGT, SSTP_PERMS2, false);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error registering app r permissions. Result: " << result);
-
- DB_END
-
- check_security_server_app_has_privilege(USER_APP_ID, SSTP_PERMS[0], 1);
- check_security_server_app_has_privilege(USER_APP_ID, SSTP_PERMS[1], 1);
- check_security_server_app_has_privilege(SSTP_OTHER_LABEL, SSTP_PERMS[0], 0);
- check_security_server_app_has_privilege(SSTP_OTHER_LABEL, SSTP_PERMS[1], 0);
-
- DB_BEGIN
-
- result = perm_app_disable_permissions(SSTP_APP_ID, APP_TYPE_WGT, SSTP_PERMS1);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error disabling app r and no r permissions. Result: " << result);
-
- DB_END
-
- check_security_server_app_has_privilege(USER_APP_ID, SSTP_PERMS[0], 0);
- check_security_server_app_has_privilege(USER_APP_ID, SSTP_PERMS[1], 1);
- check_security_server_app_has_privilege(SSTP_OTHER_LABEL, SSTP_PERMS[0], 0);
- check_security_server_app_has_privilege(SSTP_OTHER_LABEL, SSTP_PERMS[1], 0);
-
- DB_BEGIN
-
- result = perm_app_disable_permissions(SSTP_APP_ID, APP_TYPE_WGT, SSTP_PERMS2);
- RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
- "Error disabling app r and no r permissions. Result: " << result);
-
- DB_END
-
- check_security_server_app_has_privilege(USER_APP_ID, SSTP_PERMS[0], 0);
- check_security_server_app_has_privilege(USER_APP_ID, SSTP_PERMS[1], 0);
- check_security_server_app_has_privilege(SSTP_OTHER_LABEL, SSTP_PERMS[0], 0);
- check_security_server_app_has_privilege(SSTP_OTHER_LABEL, SSTP_PERMS[1], 0);
-}
-
-int main(int argc, char *argv[])
-{
- return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
-}
diff --git a/src/security-server-tests/security_server_tests_stress.cpp b/src/security-server-tests/security_server_tests_stress.cpp
deleted file mode 100644
index b8f7e12..0000000
--- a/src/security-server-tests/security_server_tests_stress.cpp
+++ /dev/null
@@ -1,189 +0,0 @@
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- */
-/*
- * @file security_server_tests_stress.cpp
- * @author Pawel Polawski (p.polawski@partner.samsung.com)
- * @version 1.0
- * @brief Test cases for security server stress tests
- *
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include "security-server.h"
-#include
-
-std::mutex g_mutex;
-std::mutex g_msgMutex;
-size_t g_successes = 0;
-
-//number of threads
-const size_t g_threadsNumber = 5;
-
-//environment setup
-const std::string g_subject("woda");
-const std::string g_object("wiadro");
-const std::string g_rule("rwx");
-
-//for storing errors
-std::string g_errors;
-
-
-void appendError(const std::string &message)
-{
- std::lock_guard lock(g_msgMutex);
- g_errors += message;
- g_errors += "\n";
-}
-
-void cookie_api_thread_function(bool isSmack)
-{
- /*
- Tested API functions:
-
- int security_server_get_cookie_size(void);
- int security_server_request_cookie(char *cookie, size_t bufferSize);
- int security_server_check_privilege(const char *cookie, gid_t privilege);
- int security_server_check_privilege_by_cookie(const char *cookie,
- const char *object,
- const char *access_rights);
- int security_server_get_cookie_pid(const char *cookie);
- char *security_server_get_smacklabel_cookie(const char *cookie);
- */
-
- int ret;
- size_t COOKIE_SIZE;
-
- //security_server_get_cookie_size()
- COOKIE_SIZE = security_server_get_cookie_size();
- if (COOKIE_SIZE != 20) {
- appendError("Error in security_server_get_cookie_size(): " + std::to_string(COOKIE_SIZE));
- return;
- }
-
- //security_server_request_cookie()
- std::vector cookie(COOKIE_SIZE);
- ret = security_server_request_cookie(cookie.data(), COOKIE_SIZE);
- if (ret < 0) {
- appendError("Error in security_server_request_cookie(): " + std::to_string(ret));
- return;
- }
-
- //security_server_check_privilege()
- ret = security_server_check_privilege(cookie.data(), 0);
- if (ret < 0) {
- appendError("Error in security_server_check_privilege(): " + std::to_string(ret));
- return;
- }
-
- //security_server_check_privilege_by_cookie()
- ret = security_server_check_privilege_by_cookie(cookie.data(), g_object.data(), g_rule.data());
- if (ret < 0) {
- appendError("Error in security_server_check_privilege_by_cookie(): " + std::to_string(ret));
- return;
- }
-
- //security_server_get_cookie_pid
- ret = security_server_get_cookie_pid(cookie.data());
- if (ret < 0) {
- appendError("Error in security_server_get_cookie_pid(): " + std::to_string(ret));
- return;
- }
-
- if (isSmack) {
- //security_server_get_smacklabel_cookie()
- char *tmp = security_server_get_smacklabel_cookie(cookie.data());
- std::string labelFromCookie(tmp ? tmp : "");
- free(tmp);
- if (labelFromCookie.size() == 0) {
- appendError("Error in security_server_get_smacklabel_cookie(): " + labelFromCookie);
- return;
- }
-
- char *labelFromSelfTmp = nullptr;
- ret = smack_new_label_from_self(&labelFromSelfTmp);
- if (ret < 0) {
- appendError("Error in smack_new_label_from_self(): " + std::to_string(ret));
- return;
- }
-
- std::string labelFromSelf(labelFromSelfTmp ? labelFromSelfTmp : "");
- free(labelFromSelfTmp);
- if (labelFromSelf != labelFromCookie) {
- appendError("Error in comparing SMACK label: " + std::to_string(ret));
- return;
- }
- }
-
- std::lock_guard lock(g_mutex);
- ++g_successes;
-}
-
-void testFunction(bool isSmack)
-{
- std::vector threadsVector;
-
- if (isSmack) {
- //preapre environment
- int ret = smack_set_label_for_self(g_subject.data());
- RUNNER_ASSERT_MSG(ret == 0, "Error in smack_set_label_for_self()");
-
- struct smack_accesses *rulesRaw = nullptr;
- ret = smack_accesses_new(&rulesRaw);
- RUNNER_ASSERT_MSG(ret == 0, "Error in smack_accesses_new()");
- SmackAccessesPtr rules(rulesRaw);
- ret = smack_accesses_add(rules.get(), g_subject.data(), g_object.data(), g_rule.data());
- RUNNER_ASSERT_MSG(ret == 0, "Error in smack_accesses_add()");
- ret = smack_accesses_apply(rules.get());
- RUNNER_ASSERT_MSG(ret == 0, "Error in smack_accesses_apply()");
- }
-
- //spawning threads
- for (size_t i = 0 ; i < g_threadsNumber; ++i)
- threadsVector.push_back(std::thread(cookie_api_thread_function, isSmack));
-
- //waiting for threads end
- for (auto itr = threadsVector.begin(); itr != threadsVector.end(); ++itr)
- itr->join();
-}
-
-
-RUNNER_TEST_GROUP_INIT(stress_tests)
-
-RUNNER_CHILD_TEST_SMACK(tc_stress_cookie_api_smack)
-{
- testFunction(true);
-
- RUNNER_ASSERT_MSG(g_successes == g_threadsNumber,
- "Not all threads exit with success: "
- << g_successes << "/ " << g_threadsNumber
- << std::endl << "Errors:" << std::endl << g_errors);
-}
-
-RUNNER_CHILD_TEST_NOSMACK(tc_stress_cookie_api_no_smack)
-{
- testFunction(false);
-
- RUNNER_ASSERT_MSG(g_successes == g_threadsNumber,
- "Not all threads exit with success: "
- << g_successes << "/ " << g_threadsNumber
- << std::endl << "Errors:" << std::endl << g_errors);
-}
-
-
-
-int main (int argc, char *argv[])
-{
- return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
-}
-
diff --git a/src/security-server-tests/server.cpp b/src/security-server-tests/server.cpp
deleted file mode 100644
index e7d94b7..0000000
--- a/src/security-server-tests/server.cpp
+++ /dev/null
@@ -1,432 +0,0 @@ -/* - * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved - */ -/* - * @file security_server_tests_server.cpp - * @author Bumjin Im (bj.im@samsung.com) - * @author Mariusz Domanski (m.domanski@samsung.com) - * @version 1.0 - * @brief Test cases for security server - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "security-server.h" -#include "security_server_clean_env.h" -#include -#include -#include -#include -#include -#include "security_server_tests_common.h" -#include "tests_common.h" -#include -#include - -const char *TEST03_SUBJECT = "subject_0f09f7cc"; -const char *TEST04_SUBJECT = "subject_57dfbfc5"; -const char *TEST07_SUBJECT = "subject_cd738844"; -const char *TEST08_SUBJECT = "subject_fd84ba7f"; - -void clear_password() -{ - int ret = -1; - unsigned int attempt, max_attempt, expire_sec; - - reset_security_server(); - - attempt = max_attempt = expire_sec = UINT_MAX; - ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret); - RUNNER_ASSERT(expire_sec == 0); - RUNNER_ASSERT(max_attempt == 0); - RUNNER_ASSERT(attempt == 0); - - sleep(1); -} - -void check_API_passwd(bool smack) { - int ret = -1; - int err, err_is_pwd_valid; - unsigned int attempt, max_attempt, expire_sec; - - err = smack ? SECURITY_SERVER_API_ERROR_ACCESS_DENIED : SECURITY_SERVER_API_SUCCESS; - err_is_pwd_valid = smack ? SECURITY_SERVER_API_ERROR_ACCESS_DENIED : SECURITY_SERVER_API_ERROR_PASSWORD_EXIST; - attempt = max_attempt = expire_sec = 0; - - if (smack) { - SecurityServer::AccessProvider privider(TEST04_SUBJECT); - privider.applyAndSwithToUser(APP_UID, APP_GID); - } else { - RUNNER_ASSERT_MSG((ret = drop_root_privileges()) == 0, - "Failed to drop root privileges. 
Result: " << ret << "uid = " << getuid()); - } - - ret = security_server_set_pwd_validity(APP_UID); - RUNNER_ASSERT_MSG(ret == err, - "security_server_set_pwd_validity has failed," - " ret: " << ret); - - ret = security_server_set_pwd_max_challenge(5); - RUNNER_ASSERT_MSG(ret == err, - "security_server_set_pwd_max_challenge has failed," - " ret: " << ret); - - ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == err_is_pwd_valid, - "security_server_is_pwd_valid should return password exist," - " ret: " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd("12345", "12346", 0, 0); - RUNNER_ASSERT_MSG(ret == err, - "security_server_set_pwd has failed, ret: " << ret); - - ret = security_server_reset_pwd("12346",0, 0); - RUNNER_ASSERT_MSG(ret == err, - "security_server_reset_pwd has failed, ret: " << ret); - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_chk_pwd("12346", &attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == err, - "security_server_chk_pwd has failed, ret: " << ret); - - ret = security_server_set_pwd_history(10); - RUNNER_ASSERT_MSG(ret == err, - "security_server_set_pwd_history has failed, ret: " << ret); -} - -RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_SERVER); - -RUNNER_TEST(tc_security_server_get_gid_normal_case_trying_to_get_gid_of_tel_gprs) -{ - RUNNER_ASSERT(security_server_get_gid("tel_gprs") >= 0); -} - -RUNNER_TEST(tc_security_server_get_gid_empty_object_name) -{ - RUNNER_ASSERT(security_server_get_gid("") == SECURITY_SERVER_API_ERROR_INPUT_PARAM); -} - -RUNNER_TEST(tc_security_server_get_gid_wrong_object_name_teltel) -{ - RUNNER_ASSERT(security_server_get_gid("teltel") == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT); -} - -RUNNER_CHILD_TEST_SMACK(tc01a_security_server_app_give_access) -{ - const char *subject = "abc345v34sfa"; - const char *object = "efg678x2lkjz"; - - SecurityServer::AccessProvider provider(object); - provider.allowSS(); - 
provider.applyAndSwithToUser(APP_UID, APP_GID); - - security_server_app_give_access(subject, getpid()); - - RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxat")); -} - -/* - * Currently we are NOT revoking any permissions given by - * security_server_app_give_access function - */ -/*RUNNER_TEST(tc01b_security_server_app_give_access) -{ - const char *subject = "abc345v34sfa"; - const char *object = "efg678x2lkjz"; - - // After part A thread from security-server will be notified about - // process end and revoke permissions. We need to give him some - // time. - sleep(1); - - RUNNER_ASSERT(0 == smack_have_access(subject, object, "r----")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "-w---")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "--x--")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "---a-")); - RUNNER_ASSERT(0 == smack_have_access(subject, object, "----t")); -}*/ - -RUNNER_CHILD_TEST_SMACK(tc01c_security_server_app_give_access_no_access) -{ - const char *subject = "xxx45v34sfa"; - const char *object = "yyy78x2lkjz"; - - SmackAccess smack; - smack.add(subject, object, "-----"); - smack.apply(); - - RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(object), "Error in smack_label_for_self"); - - RUNNER_ASSERT_MSG(drop_root_privileges() == 0, "uid = " << getuid()); - - RUNNER_ASSERT(SECURITY_SERVER_API_ERROR_ACCESS_DENIED == - security_server_app_give_access(subject, getpid())); - - RUNNER_ASSERT(0 == smack_have_access(subject, object, "r")); -} - -RUNNER_TEST_SMACK(tc02_check_privilege_by_pid) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_pid is temporarily disabled: always returns success"); - int ret; - int pid; - - pid = getpid(); - - //we checking existing rule, it should return positive - ret = security_server_check_privilege_by_pid(pid, "_", "rx"); - RUNNER_ASSERT(ret == SECURITY_SERVER_API_SUCCESS); - - //we checking rule with label that not exist - ret = 
security_server_check_privilege_by_pid(pid, "thislabelisnotreal", "rwxat"); - RUNNER_ASSERT(ret != SECURITY_SERVER_API_SUCCESS); -} - -RUNNER_CHILD_TEST_SMACK(tc03_check_API_passwd_allow) -{ - int ret = -1; - unsigned int attempt, max_attempt, expire_sec; - - attempt = max_attempt = expire_sec = 0; - - clear_password(); - - SecurityServer::AccessProvider provider(TEST03_SUBJECT); - provider.allowSS(); - provider.applyAndSwithToUser(APP_UID, APP_GID); - - ret = security_server_set_pwd_validity(10); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret); - - ret = security_server_set_pwd_max_challenge(5); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret); - - ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, "ret: " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(nullptr, "12345", 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); - - ret = security_server_reset_pwd("12345",0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); - - ret = security_server_set_pwd_history(10); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); -} - -RUNNER_CHILD_TEST_SMACK(tc04_check_API_passwd_denied) -{ - check_API_passwd(true); -} - -RUNNER_CHILD_TEST_NOSMACK(tc04_check_API_app_user_passwd_allow_nosmack) -{ - check_API_passwd(false); -} - -RUNNER_CHILD_TEST_SMACK(tc07_check_API_data_share_allow) -{ - SecurityServer::AccessProvider provider(TEST07_SUBJECT); - provider.allowSS(); - provider.applyAndSwithToUser(APP_UID, APP_GID); - - int ret = security_server_app_give_access(TEST07_SUBJECT, getpid()); - RUNNER_ASSERT_MSG(ret == 
SECURITY_SERVER_API_SUCCESS, "ret: " << ret); -} - -RUNNER_CHILD_TEST_SMACK(tc08_check_API_data_share_denied) -{ - SecurityServer::AccessProvider provider(TEST08_SUBJECT); - provider.applyAndSwithToUser(APP_UID, APP_GID); - - int ret = security_server_app_give_access(TEST08_SUBJECT, getpid()); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, - "security_server_app_give_access should return access denied," - " ret: " << ret); -} - -////////////////////////////////////////// -/////////NOSMACK ENV TESTS//////////////// -////////////////////////////////////////// - -/** - * NOSMACK version of tc01a and tc01c tests. - * - * SMACK is turned off - that means for us, that we don't need any accesses added to our process - * in SMACK before dropping root privileges. This test drops root privileges, calls - * security_server_app_give_access and then checks if smack_have_access returns error (because - * SMACK is off). - * - * security_server_app_give_access shouldn't return anything else than success when SMACK is off, - * hence there is only one test that replaces tests tc01a and tc01c. - */ -RUNNER_CHILD_TEST_NOSMACK(tc01_security_server_app_give_access_nosmack) -{ - const char* subject = "abc345v34sfa"; - const char* object = "efg678x2lkjz"; - int result = 0; - - result = drop_root_privileges(); - RUNNER_ASSERT_MSG(result == 0, - "Failed to drop root privileges. Result: " << result << "uid = " << getuid()); - - result = security_server_app_give_access(subject, getpid()); - RUNNER_ASSERT_MSG(result == SECURITY_SERVER_API_SUCCESS, - "Error in security_server_app_give_access. Result: " << result); - - result = smack_have_access(subject, object, "rwxat"); - RUNNER_ASSERT_MSG(result == -1, - "smack_have_access should return error when SMACK is off. Result: " << result); -} - -/** - * NOSMACK version of tc02 test. - * - * check_privilege_by_pid should always return success when SMACK is off, no matter if label is - * real or not. 
- */ -RUNNER_TEST_NOSMACK(tc02_check_privilege_by_pid_nosmack) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_pid is temporarily disabled: always returns success"); - int ret; - int pid; - - pid = getpid(); - - //we checking existing rule, it should return positive - ret = security_server_check_privilege_by_pid(pid, "_", "rx"); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, - "check_privilege_by_pid for existing label failed. Result: " << ret); - - //we checking rule with label that not exist - ret = security_server_check_privilege_by_pid(pid, "thislabelisnotreal", "rwxat"); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, - "check_privilege_by_pid for nonexisting label failed. Result: " << ret); -} - -/** - * NOSMACK version of clear_password function. - * - * Compared to SMACK version of this function, this one skips adding rules and setting label. - */ -int clear_password_nosmack() -{ - int ret = -1; - unsigned int attempt, max_attempt, expire_sec; - - if (getuid() == 0) { - reset_security_server(); - - attempt = max_attempt = expire_sec = UINT_MAX; - ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, - "is_pwd_faild should return no password error. Result: " << ret); - RUNNER_ASSERT_MSG(expire_sec == 0, "expire_sec = " << expire_sec << ", should be 0."); - RUNNER_ASSERT_MSG(max_attempt == 0, "max_attempt = " << max_attempt << ", should be 0."); - RUNNER_ASSERT_MSG(attempt == 0, "attempt = " << attempt << ", should be 0."); - - return 0; - } - return -1; -} - -/** - * NOSMACK version of tc03 test. - * - * Just as tc01a/tc01c NOSMACK replacement, we don't need to do anything with SMACK because most - * important functions will return errors (that is smack_accesses_apply/smack_have_access etc.). - * First clear password, then drop privileges and proceed to regular testing. 
- */ - -RUNNER_CHILD_TEST_NOSMACK(tc03_check_API_passwd_allow_nosmack) -{ - int ret = -1; - unsigned int attempt, max_attempt, expire_sec; - - attempt = max_attempt = expire_sec = 0; - - clear_password_nosmack(); - - // drop root privileges - ret = drop_root_privileges(); - RUNNER_ASSERT_MSG(ret == 0, - "Failed to drop root privileges. Result: " << ret << "uid = " << getuid()); - - ret = security_server_set_pwd_validity(10); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, - "set_pwd_validity should return no password error. Result: " << ret); - - ret = security_server_set_pwd_max_challenge(5); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, - "set_pwd_max_challenge should return no password error. Result: " << ret); - - ret = security_server_is_pwd_valid(&attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_PASSWORD, - "is_pwd_valid should return no password error. Result: " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_set_pwd(nullptr, "12345", 0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, - "set_pwd failed. Result: " << ret); - - ret = security_server_reset_pwd("12345",0, 0); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, - "reset_pwd failed. Result: " << ret); - - usleep(PASSWORD_RETRY_TIMEOUT_US); - ret = security_server_chk_pwd("12345", &attempt, &max_attempt, &expire_sec); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, - "chk_pwd failed. Result: " << ret); - - ret = security_server_set_pwd_history(10); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, - "set_pwd_history failed. Result: " << ret); -} - -/** - * NOSMACK version of tc07 test. - * - * Similarily to previous tests - no need to set self label because SMACK is off. Just as - * tc01a/tc01c replacement, security_server_app_give_access should return only success. Hence the - * NOSMACK version of tc08 test is skipped. 
- */ -RUNNER_CHILD_TEST_NOSMACK(tc07_check_API_data_share_allow_nosmack) -{ - int ret = -1; - - // drop root privileges - ret = drop_root_privileges(); - RUNNER_ASSERT_MSG(ret == 0, - "Failed to drop root privileges. Result: " << ret << "uid = " << getuid()); - - ret = security_server_app_give_access(TEST07_SUBJECT, getpid()); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, - "app_give_access failed. Result: " << ret); -} - -int main(int argc, char *argv[]) { - if (0 != getuid()) { - printf("Error: %s must be executed by root\n", argv[0]); - exit(1); - } - return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv); -} diff --git a/src/security-server-tests/weird_arguments.cpp b/src/security-server-tests/weird_arguments.cpp deleted file mode 100644 index fab2d6a..0000000 --- a/src/security-server-tests/weird_arguments.cpp +++ /dev/null 
@@ -1,192 +0,0 @@ -/* - * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved - */ -/* - * @file security_server_tests_weird_arguments.cpp - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @version 1.0 - * @brief Test cases for security server - * - */ -#include "tests_common.h" -#include "security-server.h" -#include -#include - -RUNNER_TEST_GROUP_INIT(SECURITY_SERVER_TESTS_WEIRD_ARGUMENTS); - -RUNNER_TEST(tc01_security_server_get_gid_weird_input_case) -{ - int ret = 0; - char weird[] = {static_cast (0xe3), 0x79, static_cast (0x82), 0x0}; - - /* normal param case */ - ret = security_server_get_gid("tel_sim"); - RUNNER_ASSERT_MSG(ret > -1, "ret: " << ret); - - /* wrong param case */ - ret = security_server_get_gid("elephony_akecall"); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret: " << ret); - - /* weird param case */ - ret = security_server_get_gid(weird); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT, "ret: " << ret); - - /* null param case */ - ret = security_server_get_gid(nullptr); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); - - /* param too long case */ - ret = security_server_get_gid("abcdefghijklmnopqrstuvwxyz01234"); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); - - /* empty param case */ - ret = security_server_get_gid(""); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); -} - -/* from security_server_tests_server.cpp */ - -RUNNER_TEST(tc03_security_server_request_cookie_weird_input_case) -{ - int ret = 0; - size_t cookie_size = security_server_get_cookie_size(); - - /* null cookie case */ - char *cookie = nullptr; - - ret = security_server_request_cookie(cookie, cookie_size); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); - - /* buffer size too small case */ - cookie_size = 19; - char cookie2[cookie_size]; - - ret = 
security_server_request_cookie(cookie2, cookie_size); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL, "ret: " << ret); -} - -RUNNER_TEST(tc04_security_server_check_privilege_weird_input_case) -{ - int ret = 0; - size_t cookie_size = security_server_get_cookie_size(); - gid_t gid = DB_ALARM_GID; - - /* null cookie case */ - char *cookie = nullptr; - - ret = security_server_check_privilege(cookie, gid); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); - - char cookie2[cookie_size]; - - ret = security_server_request_cookie(cookie2, cookie_size); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); - - /* big gid case */ - gid = 70666; - - ret = security_server_check_privilege(cookie2, gid); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_ACCESS_DENIED, "ret: " << ret); -} -RUNNER_TEST(tc05_security_server_check_privilege_by_cookie_weird_input_case) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_cookie is temporarily disabled: always returns success"); - int ret = 0; - size_t cookie_size = security_server_get_cookie_size();; - const char *object = "telephony_makecall"; - const char *access_rights = "r"; - - /* null cookie case */ - char *cookie = nullptr; - ret = security_server_check_privilege_by_cookie(cookie, object, access_rights); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); - - /* null object case */ - char *object2 = nullptr; - char cookie2[cookie_size]; - - ret = security_server_request_cookie(cookie2, cookie_size); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, "ret: " << ret); - - ret = security_server_check_privilege_by_cookie(cookie2, object2, access_rights); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); - - /* null access rights case */ - access_rights = nullptr; - ret = security_server_check_privilege_by_cookie(cookie2, object, access_rights); - RUNNER_ASSERT_MSG(ret == 
SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); -} - -RUNNER_TEST_SMACK(tc06_security_server_check_privilege_by_sockfd_weird_input_case) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success"); - int ret = 0; - int sockfd = -1; - const char *object = "telephony_makecall"; - const char *access_rights = "r"; - - /* invalid sockfd case */ - ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); - sockfd = 0; - - /* null object case */ - char *object2 = nullptr; - ret = security_server_check_privilege_by_sockfd(sockfd, object2, access_rights); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); - - /* null access rights case */ - access_rights = nullptr; - ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM, "ret: " << ret); -} - -RUNNER_TEST(tc07_security_server_get_cookie_pid_weird_input_case) -{ - int ret = 0; - char *cookie = nullptr; - - ret = security_server_get_cookie_pid(cookie); - RUNNER_ASSERT(ret == SECURITY_SERVER_API_ERROR_INPUT_PARAM); -} - -/////////////////////////// -/////NOSMACK ENV TESTS///// -/////////////////////////// - -/** - * NOSMACK version of tc06 test. - * - * security_server_check_privilege_by_sockfd at first checks if SMACK exists and then checks if - * params are correct. Even with incorrect params we should expect SUCCESS instead of - * ERROR_INPUT_PARAM. 
- */ - -RUNNER_TEST_NOSMACK(tc06_security_server_check_privilege_by_sockfd_weird_input_case_nosmack) -{ - RUNNER_IGNORED_MSG("security_server_check_privilege_by_sockfd is temporarily disabled: always returns success"); - int ret = 0; - int sockfd = -1; - const char* object = "telephony_makecall"; - const char* access_rights = "r"; - - //invalid sockfd case - ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, - "check_privilege_by_sockfd failed. Result: " << ret); - sockfd = 0; - - //null object case - char *object2 = nullptr; - ret = security_server_check_privilege_by_sockfd(sockfd, object2, access_rights); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, - "check_privilege_by_sockfd failed. Result: " << ret); - - //null access rights case - access_rights = nullptr; - ret = security_server_check_privilege_by_sockfd(sockfd, object, access_rights); - RUNNER_ASSERT_MSG(ret == SECURITY_SERVER_API_SUCCESS, - "check_privilege_by_sockfd failed. Result: " << ret); -} - diff --git a/src/security-tests.sh b/src/security-tests.sh index f99127b..abb898b 100644 --- a/src/security-tests.sh +++ b/src/security-tests.sh 
@@ -40,42 +40,6 @@ case $1 in
 echo
 libprivilege-control-test "${@:2}"
 ;;
-"ss-clientsmack")
- echo "========================================================================="
- echo "SECURITY SERVER TEST CLIENT SMACK"
- echo
- security-server-tests-client-smack "${@:2}"
- ;;
-"ss-stress")
- echo "========================================================================="
- echo "SECURITY SERVER TEST STRESS"
- echo
- security-server-tests-stress "${@:2}"
- ;;
-"ss-server")
- echo "========================================================================="
- echo "SECURITY SERVER TEST SERVER"
- echo
- security-server-tests-server "${@:2}"
- ;;
-"ss-api-speed")
- echo "========================================================================="
- echo "SECURITY SERVER MEASURER SERVER"
- echo
- security-server-tests-api-speed "${@:2}"
- ;;
-"ss-password")
- echo "========================================================================="
- echo "SECURITY SERVER TEST PASSWORD"
- echo
- security-server-tests-password "${@:2}"
- ;;
-"ss-privilege")
- echo "========================================================================="
- echo "SECURITY SERVER TEST PRIVILEGE"
- echo
- security-server-tests-privilege "${@:2}"
- ;;
 "security-manager")
 echo "========================================================================="
 echo "SECURITY MANAGER TESTS"
-- 2.7.4