4 #include <dpl/test/test_runner.h>
5 #include <dpl/test/test_runner_child.h>
7 #include <tests_common.h>
8 #include <ckm-common.h>
9 #include <access_provider2.h>
11 #include <ckmc/ckmc-manager.h>
12 #include <ckmc/ckmc-control.h>
13 #include <ckmc/ckmc-type.h>
14 #include <ckmc/ckmc-error.h>
16 #include <ckm/ckm-type.h>
// Fixture identities for the access-control tests. APP_* / GROUP_* are passed to
// reset_user_data() and ScopedAccessProvider below (presumably as uid / gid; confirm
// against those helpers, which are not shown in this listing).
19 const int USER_ROOT = 0;
20 const int APP_1 = 6000;
21 const int GROUP_1 = 6000;
22 const int APP_2 = 6200;
23 const int GROUP_2 = 6200;
// NOTE(review): hard-coded test passwords handed to reset_user_data(); fixtures only,
// not to be reused outside the test image.
24 const char * const APP_PASS_1 = "app-pass-1";
25 const char * const APP_PASS_2 = "app-pass-2";
// Labels come from TEST_LABEL* macros defined outside this listing.
// NOTE(review): unlike APP_PASS_*, these are plain `const char*`, so the pointers can be
// reassigned; `const char* const` would match the declarations above.
26 const char* APP_LABEL_1 = TEST_LABEL;
27 const char* APP_LABEL_2 = TEST_LABEL_2;
28 const char* APP_LABEL_3 = TEST_LABEL_3;
29 const char* APP_LABEL_4 = TEST_LABEL_4;
// Alias and owner names that no test stores; used for the "unknown alias" cases.
32 const char* NO_ALIAS = "definitely-non-existent-alias";
33 const char* NO_OWNER = "definitely-non-existent-owner";
// Aliases and payload saved by the positive tests.
35 const char* TEST_ALIAS = "test-alias";
36 const char* TEST_ALIAS2 = "test-alias2";
37 const char* TEST_ALIAS3 = "test-alias3";
39 const char* TEST_DATA = "dsflsdkghkslhglrtghierhgilrehgidsafasdffsgfdgdgfdgfdgfdgfdggf";
// PEM-encoded RSA public key saved by the key alias-info tests at the end of the file.
// Only public key material is embedded; no private key appears in this listing.
// NOTE(review): the listing's numbering skips 48, so one base64 line of the PEM body is
// not shown and the literal as printed here is incomplete.
40 const char* RSA_PUB_KEY_PEM =
41 "-----BEGIN PUBLIC KEY-----\n"
42 "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2b1bXDa+S8/MGWnMkru4\n"
43 "T4tUddtZNi0NVjQn9RFH1NMa220GsRhRO56F77FlSVFKfSfVZKIiWg6C+DVCkcLf\n"
44 "zXJ/Z0pvwOQYBAqVMFjV6efQGN0JzJ1Unu7pPRiZl7RKGEI+cyzzrcDyrLLrQ2W7\n"
45 "0ZySkNEOv6Frx9JgC5NExuYY4lk2fQQa38JXiZkfyzif2em0px7mXbyf5LjccsKq\n"
46 "v1e+XLtMsL0ZefRcqsP++NzQAI8fKX7WBT+qK0HJDLiHrKOTWYzx6CwJ66LD/vvf\n"
47 "j55xtsKDLVDbsotvf8/m6VLMab+vqKk11TP4tq6yo0mwyTADvgl1zowQEO9I1W6o\n"
49 "-----END PUBLIC KEY-----";
// Grants `accessor` the given rights on `alias` through ckmc_allow_access() (the
// ckmc_access_right_e based call, "deprecated" per this helper's name) and fails the
// running test unless the call returns CKMC_ERROR_NONE.
51 void allow_access_deprecated(const char* alias, const char* accessor, ckmc_access_right_e accessRights)
53 int ret = ckmc_allow_access(alias, accessor, accessRights);
54 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
// Admin-side grant through ckmc_allow_access_by_adm(): gives `accessor` the rights on
// `alias` owned by `label` in the database addressed by `uid`, and fails the running
// test unless the call returns CKMC_ERROR_NONE.
57 void allow_access_deprecated_by_adm(uid_t uid, const char *label, const char* alias, const char* accessor, ckmc_access_right_e accessRights)
59 // data removal should revoke this access
// NOTE(review): the helper only asserts the grant; the revoke-on-removal expectation
// stated above is not checked here.
60 int ret = ckmc_allow_access_by_adm(uid, label, alias, accessor, accessRights);
61 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
// Admin-side grant through ckmc_set_permission_by_adm(): the owner label and alias are
// combined with aliasWithLabel() and `permissionMask` is applied for `accessor`.
// Fails the running test unless the call returns CKMC_ERROR_NONE.
64 void allow_access_by_adm(uid_t uid, const char *label, const char* alias, const char* accessor, int permissionMask)
66 // data removal should revoke this access
// NOTE(review): the helper only asserts the grant; the revoke-on-removal expectation
// stated above is not checked here.
67 int ret = ckmc_set_permission_by_adm(uid, aliasWithLabel(label, alias).c_str(), accessor, permissionMask);
68 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << CKMCErrorToString(ret));
// Admin-side revoke: sets CKMC_PERMISSION_NONE for `accessor` on the labelled alias via
// ckmc_set_permission_by_adm() and fails the running test unless it returns CKMC_ERROR_NONE.
71 void deny_access_by_adm(uid_t uid, const char *label, const char* alias, const char* accessor)
73 int ret = ckmc_set_permission_by_adm(uid, aliasWithLabel(label, alias).c_str(), accessor, CKMC_PERMISSION_NONE);
74 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. " << CKMCErrorToString(ret));
// Asserts that count_aliases(ALIAS_DATA) returns exactly `expected` for the current caller.
// The alias-listing tests use it to check which data aliases are listed for a label.
77 void check_alias_count(size_t expected)
79 size_t count = count_aliases(ALIAS_DATA);
80 RUNNER_ASSERT_MSG(count == expected, "Expected " << expected << " aliases, got " << count);
83 } // namespace anonymous
// Test group for the user-facing permission API (ckmc_set_permission / ckmc_allow_access).
85 RUNNER_TEST_GROUP_INIT (T300_CKMC_ACCESS_CONTROL_USER_C_API);
88 /////////////////////////////////////////////////////////////////////////////
// Resets both test users' data with their fixture passwords before the group runs.
90 RUNNER_TEST(T3000_init)
92 reset_user_data(APP_1, APP_PASS_1);
93 reset_user_data(APP_2, APP_PASS_2);
96 // invalid arguments check: a NULL alias and a NULL accessor must each yield CKMC_ERROR_INVALID_PARAMETER
97 RUNNER_TEST(T3001_manager_allow_access_invalid)
99 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
// NOTE(review): the opening lines of the two assertions (numbered 101 and 103) are not
// shown in this listing; presumably each is a RUNNER_ASSERT( wrapping the comparison.
102 CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_READ));
104 CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_READ));
107 // invalid arguments check for revoking (CKMC_PERMISSION_NONE): NULL alias and NULL accessor are rejected
108 RUNNER_TEST(T3002_manager_deny_access_invalid)
110 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
112 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission(NULL, "accessor", CKMC_PERMISSION_NONE));
113 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_set_permission("alias", NULL, CKMC_PERMISSION_NONE));
116 // tries to allow access for non existing alias; expects CKMC_ERROR_DB_ALIAS_UNKNOWN
117 RUNNER_CHILD_TEST(T3003_manager_allow_access_non_existing)
119 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
// A grant must not be recorded for an alias that does not exist.
121 int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_READ);
122 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
123 "Allowing access for non existing alias returned " << CKMCErrorToString(ret));
126 // tries to deny access for non existing alias; expects CKMC_ERROR_DB_ALIAS_UNKNOWN
127 RUNNER_CHILD_TEST(T3004_manager_deny_access_non_existing)
129 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
131 int ret = ckmc_set_permission(NO_ALIAS, "label", CKMC_PERMISSION_NONE);
132 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
133 "Denying access for non existing alias returned " << CKMCErrorToString(ret));
136 // tries to deny access that does not exist in database
// Revoking a grant that was never made on an existing alias is expected to succeed
// (CKMC_ERROR_NONE), in contrast to the unknown-alias case in T3004.
137 RUNNER_CHILD_TEST(T3005_manager_deny_access_non_existing_access)
139 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
141 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
143 // deny non existing access to existing alias
144 int ret = ckmc_set_permission(TEST_ALIAS, "label", CKMC_PERMISSION_NONE);
145 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret,
146 "Denying non existing access returned: " << CKMCErrorToString(ret));
149 // tries to allow access to application own data
// The owner id returned by getOwnerIdFromSelf() is used as the accessor; granting a
// permission to the owner itself is expected to be rejected as an invalid parameter.
150 RUNNER_CHILD_TEST(T3006_manager_allow_access_to_myself)
152 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
154 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
156 std::string ownerId = getOwnerIdFromSelf();
157 int ret = ckmc_set_permission(TEST_ALIAS, ownerId.c_str(), CKMC_PERMISSION_READ);
158 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
159 "Trying to allow myself returned: " << CKMCErrorToString(ret));
162 // verifies that alias can not contain forbidden characters
// NOTE(review): utc_ckmc_get_data_alias_info_list_p2 later in this file composes the full
// name as label + " " + alias, which suggests the space is the owner/alias separator.
// If so, this test guards against an alias that could be parsed as "owner alias";
// confirm against ckmc_label_name_separator.
163 RUNNER_CHILD_TEST(T3007_manager_check_alias_valid)
165 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
167 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
// An alias containing spaces must be refused with CKMC_ERROR_INVALID_PARAMETER.
169 std::string test_alias_playground = std::string("AAA BBB CCC");
170 check_read(test_alias_playground.c_str(), 0, TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
172 // control: expect success
173 check_read(TEST_ALIAS, 0, TEST_DATA);
174 check_read(TEST_ALIAS, APP_LABEL_1, TEST_DATA);
177 // verifies that label can not contain forbidden characters
// Each malformed label must be refused with CKMC_ERROR_INVALID_PARAMETER. Rejecting a
// separator embedded in the label keeps the composed "label + separator + alias" name
// unambiguous, so a caller cannot use the label field to address a different owner
// (presumed intent; the parsing code is not part of this listing).
178 RUNNER_CHILD_TEST(T3008_manager_check_label_valid)
180 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
182 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
// label made of space-separated words
185 std::string APP_LABEL_1_playground = std::string("AAA BBB CCC");
186 check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
188 // insert part of the separator in the middle
189 APP_LABEL_1_playground = std::string(APP_LABEL_1);
190 APP_LABEL_1_playground.insert(APP_LABEL_1_playground.size()/2, ckmc_label_name_separator);
191 check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
// separator prepended to a valid label
194 APP_LABEL_1_playground = std::string(APP_LABEL_1);
195 APP_LABEL_1_playground.insert(0, ckmc_label_name_separator);
196 check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
// separator appended to a valid label
199 APP_LABEL_1_playground = std::string(APP_LABEL_1);
200 APP_LABEL_1_playground.append(ckmc_label_name_separator);
201 check_read(TEST_ALIAS, APP_LABEL_1_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
203 // control: expect success
204 check_read(TEST_ALIAS, APP_LABEL_1, TEST_DATA);
208 // tries to access other application data without permission
// Both providers use the same APP_1 / GROUP_1 and differ only in label, so the
// isolation exercised here is per label.
209 RUNNER_TEST(T3020_manager_access_not_allowed, RemoveDataEnv<APP_1>)
// Owner (APP_LABEL_1) stores the data and grants nothing.
// NOTE(review): brace lines are missing from this listing; the two ScopedAccessProvider
// objects presumably live in separate scopes.
213 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
214 save_data(TEST_ALIAS, TEST_DATA);
217 // test accessibility from another label
219 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
221 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
// The helper names suggest the alias is reported as not visible rather than as denied,
// which would avoid confirming its existence to an unprivileged label (helpers not shown; confirm).
222 check_read_not_visible(TEST_ALIAS_adr.c_str());
223 check_remove_not_visible(TEST_ALIAS_adr.c_str());
227 // tries to access other application data with permission
// Positive case: after the owner grants CKMC_PERMISSION_READ to APP_LABEL_2, a read of
// the owner-qualified alias from APP_LABEL_2 must return TEST_DATA.
228 RUNNER_TEST(T3021_manager_access_allowed, RemoveDataEnv<APP_1>)
232 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
233 save_data(TEST_ALIAS, TEST_DATA);
234 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
237 // test accessibility from another label
239 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
240 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
244 // tries to read other application data with permission for read/remove
// Only the read half of READ | REMOVE is checked here; removal under the same mask is
// exercised by T3025.
245 RUNNER_TEST(T3022_manager_access_allowed_with_remove, RemoveDataEnv<APP_1>)
249 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
250 save_data(TEST_ALIAS, TEST_DATA);
251 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
254 // test accessibility from another label
256 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
257 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
261 // tries to remove other application data with permission for reading only
// A READ-only grant must not imply REMOVE: removal is checked as denied first, then the
// read is checked, which also shows the data is still present after the refused removal.
262 RUNNER_TEST(T3023_manager_access_allowed_remove_denied, RemoveDataEnv<APP_1>)
266 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
267 save_data(TEST_ALIAS, TEST_DATA);
268 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
271 // test accessibility from another label
273 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
274 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
275 check_remove_denied(TEST_ALIAS_adr.c_str());
276 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
280 // tries to remove other application data with permission
// With READ | REMOVE granted, APP_LABEL_2 must be able to remove the owner's alias.
281 RUNNER_TEST(T3025_manager_remove_allowed, RemoveDataEnv<APP_1>)
285 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
286 save_data(TEST_ALIAS, TEST_DATA);
287 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
290 // test accessibility from another label
292 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
293 check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
297 // tries to access other application data after allow function was called twice with different
// permission masks. The second call is expected to replace the first rather than add to
// it, so narrowing a grant from READ | REMOVE to READ must take effect.
299 RUNNER_TEST(T3026_manager_double_allow, RemoveDataEnv<APP_1>)
303 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
304 save_data(TEST_ALIAS, TEST_DATA);
306 // access should be overwritten
307 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
308 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
311 // test accessibility from another label
313 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
315 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
// REMOVE from the first grant must no longer be honoured.
316 check_remove_denied(TEST_ALIAS_adr.c_str());
317 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
321 // tries to access application data with permission and after permission has been revoked
// Three phases, each under its own ScopedAccessProvider (brace lines are missing from
// this listing): owner grants READ, grantee reads, owner revokes, grantee retries.
322 RUNNER_TEST(T3027_manager_allow_deny, RemoveDataEnv<APP_1>)
325 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
327 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
328 save_data(TEST_ALIAS, TEST_DATA);
330 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
333 // test accessibility from another label
335 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
337 check_remove_denied(TEST_ALIAS_adr.c_str());
338 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
// owner revokes the grant
343 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
345 deny_access(TEST_ALIAS, APP_LABEL_2);
348 // test accessibility from another label
350 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
// After revocation the alias is checked as "not visible" where it was "denied" for
// remove before, i.e. the revoked label is treated like one that never had a grant.
352 check_remove_not_visible(TEST_ALIAS_adr.c_str());
353 check_read_not_visible(TEST_ALIAS_adr.c_str());
// Two labels each save data under the same alias name and grant READ to the other.
// Checks that an unqualified alias resolves to the caller's own entry and that the
// owner-qualified alias reaches the other label's entry.
357 RUNNER_TEST(T3028_manager_access_by_label, RemoveDataEnv<APP_1>)
360 const char *additional_data = "label-2-data";
362 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
363 save_data(TEST_ALIAS, TEST_DATA);
365 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
370 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
371 save_data(TEST_ALIAS, additional_data);
373 allow_access(TEST_ALIAS, APP_LABEL_1, CKMC_PERMISSION_READ);
375 // test if accessing valid alias (of label2 domain)
// Must return label 2's own payload even though label 1's TEST_ALIAS is also readable.
376 check_read_allowed(TEST_ALIAS, additional_data);
379 // test accessibility to app 2 from app 1
381 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
383 // test if can access label2 alias from label1 domain - should succeed
384 check_read_allowed(aliasWithLabel(APP_LABEL_2, TEST_ALIAS).c_str(), additional_data);
388 // tries to modify another label's permission
// Only the owner may change grants: a non-owner label calling the allow/deny helpers on
// the owner-qualified alias must get CKMC_ERROR_PERMISSION_DENIED.
389 RUNNER_TEST(T3029_manager_access_modification_by_foreign_label, RemoveDataEnv<APP_1>)
393 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
394 save_data(TEST_ALIAS, TEST_DATA);
396 allow_access(TEST_ALIAS, APP_LABEL_3, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
399 // test accessibility from another label
// NOTE(review): the caller here is APP_LABEL_2, which holds no grant on the alias. The
// grantee APP_LABEL_3 (READ | REMOVE) is never used as the caller, so this test does not
// show that a grantee is also refused when it tries to pass access on; a second case
// run under APP_LABEL_3 would close that gap.
401 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
403 allow_access_negative(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_4, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE, CKMC_ERROR_PERMISSION_DENIED);
404 deny_access_negative (aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_4, CKMC_ERROR_PERMISSION_DENIED);
408 // checks if only aliases readable by given app are returned
// Alias listing must not enumerate entries the caller has no grant for.
// NOTE(review): `count` is declared on a line missing from this listing. The arithmetic
// below is exact only if APP_LABEL_1 sees just the two aliases saved here, which
// RemoveDataEnv<APP_1> presumably guarantees (confirm).
409 RUNNER_TEST(T3030_manager_get_all_aliases, RemoveDataEnv<APP_1>)
414 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
415 save_data(TEST_ALIAS, TEST_DATA);
416 save_data(TEST_ALIAS2, TEST_DATA);
418 count = count_aliases(ALIAS_DATA);
419 allow_access(TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
422 // test accessibility from another label
424 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
426 // check that app can access other aliases when it has permission
// TEST_ALIAS2 was not shared, hence one fewer than the owner sees.
427 check_alias_count(count - 1);
429 ScopedSaveData ssd3(TEST_ALIAS3, TEST_DATA);
431 // check that app can access its own aliases
432 check_alias_count(count - 1 + 1);
437 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
438 deny_access(TEST_ALIAS, APP_LABEL_2);
441 // test accessibility from another label
443 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
445 // check that app can't access other aliases for which permission has been revoked
// Expects the scoped TEST_ALIAS3 save to be gone by now as well (ScopedSaveData is
// presumably released with its scope).
446 check_alias_count(count - 2);
450 // tries to access other application data with permission
// Same scenario as T3021, but the grant goes through the ckmc_allow_access() wrapper
// with CKMC_AR_READ, so the older API is checked to still produce a working READ grant.
451 RUNNER_TEST(T3031_manager_deprecated_access_allowed, RemoveDataEnv<APP_1>)
455 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
456 save_data(TEST_ALIAS, TEST_DATA);
458 allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
461 // test accessibility from another label
463 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
465 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
469 // tries to read other application data with permission for read/remove
// Grant goes through the ckmc_allow_access() wrapper with CKMC_AR_READ_REMOVE; only the
// read half is checked here, removal is covered by T3034.
470 RUNNER_TEST(T3032_manager_deprecated_access_allowed_with_remove, RemoveDataEnv<APP_1>)
474 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
475 save_data(TEST_ALIAS, TEST_DATA);
477 allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
480 // test accessibility from another label
482 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
484 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
488 // tries to remove other application data with permission for reading only
// CKMC_AR_READ granted through the ckmc_allow_access() wrapper must not imply removal.
489 RUNNER_TEST(T3033_manager_deprecated_access_allowed_remove_denied, RemoveDataEnv<APP_1>)
493 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
494 save_data(TEST_ALIAS, TEST_DATA);
496 allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
499 // test accessibility from another label
501 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
503 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
504 check_remove_denied(TEST_ALIAS_adr.c_str());
505 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
509 // tries to remove other application data with permission
// CKMC_AR_READ_REMOVE granted through the ckmc_allow_access() wrapper must allow removal.
510 RUNNER_TEST(T3034_manager_deprecated_remove_allowed, RemoveDataEnv<APP_1>)
514 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
515 save_data(TEST_ALIAS, TEST_DATA);
517 allow_access_deprecated(TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
520 // test accessibility from another label
522 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
524 check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
528 /////////////////////////////////////////////////////////////////////////////
// Test group for the admin ("control") permission API, ckmc_set_permission_by_adm() and
// ckmc_allow_access_by_adm(), which take the target user explicitly.
531 RUNNER_TEST_GROUP_INIT (T310_CKMC_ACCESS_CONTROL_ROOT_C_API);
// Resets both test users' data with their fixture passwords before the group runs.
533 RUNNER_TEST(T3100_init)
535 reset_user_data(APP_1, APP_PASS_1);
536 reset_user_data(APP_2, APP_PASS_2);
539 // invalid argument check
// Three malformed admin grants, each expected to return CKMC_ERROR_INVALID_PARAMETER.
// NOTE(review): lines 546-548 are missing from this listing (presumably the end of the
// provider scope and the declaration of `ret`), so the admin calls below probably run
// outside the ScopedAccessProvider.
540 RUNNER_TEST(T3101_control_allow_access_invalid, RemoveDataEnv<APP_1>)
544 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
545 save_data(TEST_ALIAS, TEST_DATA);
// alias passed without an owner label
549 ret = ckmc_set_permission_by_adm(APP_1, TEST_ALIAS, "accessor", CKMC_PERMISSION_READ);
550 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
// NULL accessor
551 ret = ckmc_set_permission_by_adm(APP_1, "owner alias", NULL, CKMC_PERMISSION_READ);
552 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
// alias carrying two owner prefixes ("another-owner" wrapped around an already
// owner-qualified alias); a doubly-qualified name must not be accepted
555 std::string aliasLabel = aliasWithLabel(getOwnerIdFromSelf().c_str(), TEST_ALIAS);
556 ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), APP_LABEL_1, CKMC_PERMISSION_READ);
557 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
560 // invalid argument check
// Revoke counterpart of T3101: malformed admin calls with CKMC_PERMISSION_NONE must
// return CKMC_ERROR_INVALID_PARAMETER.
561 RUNNER_TEST(T3102_control_deny_access_invalid, RemoveDataEnv<APP_1>)
565 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
566 save_data(TEST_ALIAS, TEST_DATA);
// alias built with a NULL owner label
569 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
570 ckmc_set_permission_by_adm(APP_1, aliasWithLabel(NULL, TEST_ALIAS).c_str(), "accessor", CKMC_PERMISSION_NONE));
// NULL accessor
571 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
572 ckmc_set_permission_by_adm(APP_1, aliasWithLabel("owner", TEST_ALIAS).c_str(), NULL, CKMC_PERMISSION_NONE));
// alias carrying two owner prefixes
575 std::string aliasLabel = aliasWithLabel(getOwnerIdFromSelf().c_str(), TEST_ALIAS);
576 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
577 ckmc_set_permission_by_adm(APP_1, aliasWithLabel("another-owner", aliasLabel.c_str()).c_str(), APP_LABEL_1, CKMC_PERMISSION_NONE));
580 // tries to allow access for non existing alias
// Admin grant on an owner/alias pair that was never stored must report
// CKMC_ERROR_DB_ALIAS_UNKNOWN rather than record a grant.
581 RUNNER_TEST(T3103_control_allow_access_non_existing)
583 reset_user_data(APP_1, APP_PASS_1);
584 int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_READ);
585 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
586 "Allowing access for non existing alias returned " << CKMCErrorToString(ret));
589 // tries to deny access for non existing alias
// Admin revoke on an owner/alias pair that was never stored must report
// CKMC_ERROR_DB_ALIAS_UNKNOWN.
590 RUNNER_TEST(T3104_control_deny_access_non_existing)
592 reset_user_data(APP_1, APP_PASS_1);
593 int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(NO_OWNER, NO_ALIAS).c_str(), "label", CKMC_PERMISSION_NONE);
594 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
595 "Denying access for non existing alias returned " << CKMCErrorToString(ret));
598 // tries to deny non existing access
// Admin revoke of a grant that was never made on an existing alias is expected to
// succeed with CKMC_ERROR_NONE.
599 RUNNER_TEST(T3105_control_remove_non_existing_access, RemoveDataEnv<APP_1>)
603 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
604 save_data(TEST_ALIAS, TEST_DATA);
607 int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_NONE);
608 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret,
609 "Denying non existing access returned: " << CKMCErrorToString(ret));
612 // tries to allow application to access its own data
613 RUNNER_TEST(T3106_control_allow_access_to_myself, RemoveDataEnv<APP_1>)
616 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
617 save_data(TEST_ALIAS, TEST_DATA);
// NOTE(review): although this test sits in the control (admin) group, the call below is
// the user-level ckmc_set_permission(), not ckmc_set_permission_by_adm(). As written the
// admin path for "grant to the owner itself" appears not to be exercised; confirm
// whether that is intended.
620 int ret = ckmc_set_permission(TEST_ALIAS, APP_LABEL_1, CKMC_PERMISSION_READ);
621 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
622 "Trying to allow myself returned: " << CKMCErrorToString(ret));
625 // tries to use admin API as a user
// Intended check: an ordinary application calling ckmc_set_permission_by_adm() must get
// CKMC_ERROR_PERMISSION_DENIED.
626 RUNNER_CHILD_TEST(T3110_control_allow_access_as_user, RemoveDataEnv<APP_1>)
// NOTE(review): the test is marked ignored on its first line, so the rest presumably
// never runs. While it stays disabled, this suite gives no evidence that the control
// API is closed to unprivileged callers; that boundary needs to be verified elsewhere.
628 RUNNER_IGNORED_MSG("Disabled until labeled sockets not available");
631 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
632 save_data(TEST_ALIAS, TEST_DATA);
635 int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_READ);
636 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
637 "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret));
640 // tries to use admin API as a user
// Intended check: an ordinary application revoking through ckmc_set_permission_by_adm()
// must get CKMC_ERROR_PERMISSION_DENIED.
641 RUNNER_CHILD_TEST(T3111_control_deny_access_as_user, RemoveDataEnv<APP_1>)
// NOTE(review): the test is marked ignored on its first line, so the rest presumably
// never runs. While it stays disabled, this suite gives no evidence that unprivileged
// callers are refused by the control API.
643 RUNNER_IGNORED_MSG("Disabled until labeled sockets not available");
646 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
647 save_data(TEST_ALIAS, TEST_DATA);
650 int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_NONE);
651 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
652 "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret));
655 // tries to read other application data with permission
// Owner saves data, the admin API grants READ to APP_LABEL_2, and APP_LABEL_2 must then
// be able to read the owner-qualified alias.
656 RUNNER_TEST(T3121_control_access_allowed, RemoveDataEnv<APP_1>)
660 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
661 save_data(TEST_ALIAS, TEST_DATA);
// NOTE(review): brace lines are missing from this listing; the grant presumably runs
// between the two provider scopes, i.e. with the test runner's own identity.
664 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
666 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
668 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
672 // tries to read other application data with permission to read/remove
// Only the read half of the admin-granted READ | REMOVE mask is checked here; removal is
// covered by T3125.
673 RUNNER_TEST(T3122_control_access_allowed_with_remove, RemoveDataEnv<APP_1>)
677 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
678 save_data(TEST_ALIAS, TEST_DATA);
681 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
683 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
685 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
689 // tries to remove other application data with permission to read
// An admin-granted READ must not imply REMOVE.
// NOTE(review): this test reuses the number T3122 of the preceding test; the user-level
// counterpart is T3023, so T3123 was probably intended. The full names differ, but the
// duplicated number makes results harder to tell apart in reports.
// NOTE(review): unlike T3023, the read is not re-checked after the refused removal.
690 RUNNER_TEST(T3122_control_access_allowed_remove_denied, RemoveDataEnv<APP_1>)
694 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
695 save_data(TEST_ALIAS, TEST_DATA);
698 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
700 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
702 check_remove_denied(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
706 // tries to remove other application data with permission
// With READ | REMOVE granted through the admin API, APP_LABEL_2 must be able to remove
// the owner's alias.
707 RUNNER_TEST(T3125_control_remove_allowed, RemoveDataEnv<APP_1>)
711 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
712 save_data(TEST_ALIAS, TEST_DATA);
715 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
717 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
719 check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
723 // tries to access other application data after allow function has been called twice with different
// permission masks. The second admin grant is expected to replace the first rather than
// add to it, so narrowing from READ | REMOVE to READ must take effect.
725 RUNNER_TEST(T3126_control_double_allow, RemoveDataEnv<APP_1>)
729 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
730 save_data(TEST_ALIAS, TEST_DATA);
733 // access should be overwritten
734 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
735 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
737 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
739 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
// REMOVE from the first grant must no longer be honoured.
740 check_remove_denied(TEST_ALIAS_adr.c_str());
741 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
745 // tries to access other application data with permission and after permission has been revoked
// Admin grants READ, the grantee reads, admin revokes, the grantee retries.
746 RUNNER_TEST(T3127_control_allow_deny, RemoveDataEnv<APP_1>)
750 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
751 save_data(TEST_ALIAS, TEST_DATA);
754 std::string TEST_ALIAS_adr = aliasWithLabel(APP_LABEL_1, TEST_ALIAS);
755 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
757 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
759 check_remove_denied(TEST_ALIAS_adr.c_str());
760 check_read_allowed(TEST_ALIAS_adr.c_str(), TEST_DATA);
763 deny_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2);
765 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
// After revocation the alias is checked as "not visible" where removal was "denied"
// before, i.e. the revoked label is treated like one that never had a grant.
767 check_remove_not_visible(TEST_ALIAS_adr.c_str());
768 check_read_not_visible(TEST_ALIAS_adr.c_str());
772 // checks if only aliases readable by given app are returned
// Alias listing must follow admin-made grants and revocations.
// NOTE(review): `count` is declared on a line missing from this listing. The arithmetic
// below is exact only if APP_LABEL_1 sees just the two aliases saved here, which
// RemoveDataEnv<APP_1> presumably guarantees (confirm).
773 RUNNER_TEST(T3130_control_get_all_aliases, RemoveDataEnv<APP_1>)
778 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
779 save_data(TEST_ALIAS, TEST_DATA);
780 save_data(TEST_ALIAS2, TEST_DATA);
782 count = count_aliases(ALIAS_DATA);
785 allow_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_PERMISSION_READ);
787 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
789 // check that app can access other aliases when it has permission
// TEST_ALIAS2 was not shared, hence one fewer than the owner sees.
790 check_alias_count(count - 1);
792 ScopedSaveData ssd(TEST_ALIAS3, TEST_DATA);
794 // check that app can access its own aliases
795 check_alias_count(count - 1 + 1);
798 deny_access_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2);
800 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
802 // check that app can't access other aliases for which permission has been revoked
803 check_alias_count(count - 2);
807 // tries to add access to data in a database of invalid user
// The data is saved with APP_1 but the admin call addresses APP_2. The alias must be
// reported as unknown there, so an admin grant aimed at the wrong user cannot reach
// another user's entry (presumably the stores are kept per user; confirm).
808 RUNNER_TEST(T3140_control_allow_invalid_user, RemoveDataEnv<APP_1>)
812 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
813 save_data(TEST_ALIAS, TEST_DATA);
816 int ret = ckmc_set_permission_by_adm(APP_2, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE);
817 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
818 "Trying to allow access to invalid user returned: " << CKMCErrorToString(ret));
821 // tries to revoke access to data in a database of invalid user
// Revoke counterpart of T3140: the data is saved with APP_1, the admin call addresses
// APP_2, and the alias must be reported as unknown.
822 RUNNER_TEST(T3141_control_deny_invalid_user, RemoveDataEnv<APP_1>)
826 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
827 save_data(TEST_ALIAS, TEST_DATA);
830 int ret = ckmc_set_permission_by_adm(APP_2, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_NONE);
831 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
832 "Trying to deny access to invalid user returned: " << CKMCErrorToString(ret));
835 // tries to read other application data with permission
// Same scenario as T3121, with the grant made through the ckmc_allow_access_by_adm()
// wrapper and CKMC_AR_READ.
836 RUNNER_TEST(T3142_control_deprecated_access_allowed, RemoveDataEnv<APP_1>)
840 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
841 save_data(TEST_ALIAS, TEST_DATA);
844 allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
846 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
848 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
852 // tries to read other application data with permission to read/remove
// Grant made through the ckmc_allow_access_by_adm() wrapper with CKMC_AR_READ_REMOVE;
// only the read half is checked here, removal is covered by T3145.
853 RUNNER_TEST(T3143_control_deprecated_access_allowed_with_remove, RemoveDataEnv<APP_1>)
857 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
858 save_data(TEST_ALIAS, TEST_DATA);
861 allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
863 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
865 check_read_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), TEST_DATA);
869 // tries to remove other application data with permission to read
// CKMC_AR_READ granted through the ckmc_allow_access_by_adm() wrapper must not imply removal.
870 RUNNER_TEST(T3144_control_deprecated_access_allowed_remove_denied, RemoveDataEnv<APP_1>)
874 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
875 save_data(TEST_ALIAS, TEST_DATA);
878 allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ);
880 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
882 check_remove_denied(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
886 // tries to remove other application data with permission
// CKMC_AR_READ_REMOVE granted through the ckmc_allow_access_by_adm() wrapper must allow removal.
887 RUNNER_TEST(T3145_control_deprecated_remove_allowed, RemoveDataEnv<APP_1>)
891 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
892 save_data(TEST_ALIAS, TEST_DATA);
895 allow_access_deprecated_by_adm(APP_1, APP_LABEL_1, TEST_ALIAS, APP_LABEL_2, CKMC_AR_READ_REMOVE);
897 ScopedAccessProvider ap(APP_LABEL_2, APP_1, GROUP_1);
899 check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
// Lists key aliases and expects CKMC_ERROR_DB_ALIAS_UNKNOWN.
// NOTE(review): that expectation presumably relies on no key being stored for the caller
// when the test runs, which makes the result depend on earlier tests cleaning up.
903 RUNNER_TEST(utc_ckmc_get_key_alias_info_list_p)
905 ckmc_alias_info_list_s* ppalias_list = NULL;
907 int ret = ckmc_get_key_alias_info_list(&ppalias_list);
// The list is freed before asserting, so a failed assertion cannot leak it.
908 ckmc_alias_info_list_all_free(ppalias_list);
909 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " << CKMCErrorToString(ret));
// Negative case: a NULL output pointer must be rejected with CKMC_ERROR_INVALID_PARAMETER.
912 RUNNER_TEST(utc_ckmc_get_key_alias_info_list_n)
914 int ret = ckmc_get_key_alias_info_list(NULL);
915 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret));
// Lists certificate aliases and expects CKMC_ERROR_DB_ALIAS_UNKNOWN.
// NOTE(review): presumably relies on no certificate being stored for the caller when the
// test runs.
918 RUNNER_TEST(utc_ckmc_get_cert_alias_info_list_p)
920 ckmc_alias_info_list_s* ppalias_list = NULL;
922 int ret = ckmc_get_cert_alias_info_list(&ppalias_list);
// The list is freed before asserting, so a failed assertion cannot leak it.
923 ckmc_alias_info_list_all_free(ppalias_list);
924 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " << CKMCErrorToString(ret));
// Negative case: a NULL output pointer must be rejected with CKMC_ERROR_INVALID_PARAMETER.
927 RUNNER_TEST(utc_ckmc_get_cert_alias_info_list_n)
929 int ret = ckmc_get_cert_alias_info_list(NULL);
930 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret));
// Lists data aliases and expects CKMC_ERROR_DB_ALIAS_UNKNOWN.
// NOTE(review): presumably relies on no data being stored for the caller when the test runs.
934 RUNNER_TEST(utc_ckmc_get_data_alias_info_list_p1)
936 ckmc_alias_info_list_s* ppalias_list = NULL;
938 int ret = ckmc_get_data_alias_info_list(&ppalias_list);
// The list is freed before asserting, so a failed assertion cannot leak it.
939 ckmc_alias_info_list_all_free(ppalias_list);
940 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " << CKMCErrorToString(ret));
// Saves one data item as APP_LABEL_1 and checks that the listing returns exactly one
// entry whose alias is the owner-qualified name.
944 RUNNER_TEST(utc_ckmc_get_data_alias_info_list_p2, RemoveDataEnv<APP_1>)
946 ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
947 save_data(TEST_ALIAS, TEST_DATA);
949 ckmc_alias_info_list_s* ppalias_list = NULL;
951 int ret = ckmc_get_data_alias_info_list(&ppalias_list);
952 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, returned: " << CKMCErrorToString(ret));
// NOTE(review): the declaration of `alias` (lines 953-954) is missing from this listing.
// ppalias_list is dereferenced without a NULL check; this relies on CKMC_ERROR_NONE
// implying a non-empty list.
955 ret = ckmc_alias_info_get_alias(ppalias_list->info, &alias);
956 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get alias, returned: " << CKMCErrorToString(ret));
957 RUNNER_ASSERT_MSG(ppalias_list->next == NULL, "More elements returned");
// Expected form is "<owner label> <alias>", joined by a single space.
958 std::string aliasOrig = std::string(APP_LABEL_1) + " " + std::string(TEST_ALIAS);
// NOTE(review): the failure message below misspells "alias" as "aliast".
959 RUNNER_ASSERT_MSG(strcmp(alias, aliasOrig.c_str()) == 0, "Invalid aliast returned : " << alias);
// NOTE(review): if RUNNER_ASSERT_MSG aborts the test on failure (macro not shown), the
// list is not freed on the failing paths above.
961 ckmc_alias_info_list_all_free(ppalias_list);
// Negative case: a NULL output pointer must be rejected with CKMC_ERROR_INVALID_PARAMETER.
966 RUNNER_TEST(utc_ckmc_get_data_alias_info_list_n)
968 int ret = ckmc_get_data_alias_info_list(NULL);
969 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret));
// Saves an RSA public key under a test alias, lists the key aliases and expects to find
// an entry whose name contains that alias; the key is removed again at the end.
// NOTE(review): several lines are missing from this listing (the declarations of
// test_key, ret and current_alias, and the loop around the lookup), so the control flow
// shown here is incomplete.
972 RUNNER_TEST(utc_ckmc_alias_info_get_alias_p)
974 ckmc_alias_info_list_s *ppalias_list, *tmp;
976 ckmc_policy_s test_policy;
979 const char* alias = "utc_ckmc_alias_info_get_alias_p_test_alias";
980 bool foundAlias = false;
// The cast drops const from the string literal; the key API is assumed not to write
// through raw_key (confirm).
982 test_key.raw_key = (unsigned char *)RSA_PUB_KEY_PEM;
983 test_key.key_size = strlen(RSA_PUB_KEY_PEM);
984 test_key.key_type = CKMC_KEY_RSA_PUBLIC;
985 test_key.password = NULL;
// No password on the policy and the key is marked extractable.
987 test_policy.password = NULL;
988 test_policy.extractable = true;
990 ret = ckmc_save_key(alias, test_key, test_policy);
991 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
993 ret = ckmc_get_key_alias_info_list(&ppalias_list);
994 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
// NOTE(review): `¤t_alias` is an extraction artifact; the argument is almost certainly
// `&current_alias` (the text "&curren" was decoded as the HTML entity for the currency sign).
999 ret = ckmc_alias_info_get_alias(tmp->info, ¤t_alias);
1000 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
// Substring match, presumably because the returned name carries an owner prefix; it
// would also accept any longer alias that merely contains this one.
1001 if (strstr(current_alias, alias)) {
// NOTE(review): if an assertion above aborts the test (macro not shown), this cleanup is
// skipped and the saved key stays in the store for later tests.
1007 ckmc_alias_info_list_all_free(ppalias_list);
1008 ckmc_remove_key(alias);
1009 RUNNER_ASSERT_MSG(foundAlias == true, "Expected to find alias, but alias not found");
// Saves an RSA public key without a password, finds it in the key alias listing and
// expects ckmc_alias_info_is_password_protected() to report false for it.
// NOTE(review): only the unprotected case is covered here; no test in this listing
// saves a key with a policy password and expects true.
// NOTE(review): several lines are missing from this listing (the declaration of ret and
// the loop around the lookup), so the control flow shown here is incomplete.
1012 RUNNER_TEST(utc_ckmc_alias_info_is_password_protected_p)
1014 ckmc_alias_info_list_s *ppalias_list, *tmp;
1015 ckmc_key_s test_key;
1016 ckmc_policy_s test_policy;
1018 char* current_alias;
// NOTE(review): same alias string as utc_ckmc_alias_info_get_alias_p, so this test
// depends on that test having removed its key.
1019 const char* alias = "utc_ckmc_alias_info_get_alias_p_test_alias";
1020 bool foundAlias = false;
// The cast drops const from the string literal; the key API is assumed not to write
// through raw_key (confirm).
1022 test_key.raw_key = (unsigned char *)RSA_PUB_KEY_PEM;
1023 test_key.key_size = strlen(RSA_PUB_KEY_PEM);
1024 test_key.key_type = CKMC_KEY_RSA_PUBLIC;
1025 test_key.password = NULL;
// No password on the policy: this is the condition the assertion on
// is_password_protected checks.
1027 test_policy.password = NULL;
1028 test_policy.extractable = true;
1030 ret = ckmc_save_key(alias, test_key, test_policy);
1031 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
1033 ret = ckmc_get_key_alias_info_list(&ppalias_list);
1034 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
// NOTE(review): `¤t_alias` is an extraction artifact; the argument is almost certainly
// `&current_alias` (the text "&curren" was decoded as the HTML entity for the currency sign).
1039 ret = ckmc_alias_info_get_alias(tmp->info, ¤t_alias);
1040 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
// Substring match, presumably because the returned name carries an owner prefix.
1041 if (strstr(current_alias, alias)) {
1043 bool is_password_protected;
1044 ret = ckmc_alias_info_is_password_protected(tmp->info, &is_password_protected);
1045 RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
1046 RUNNER_ASSERT(is_password_protected == false);
// NOTE(review): if an assertion above aborts the test (macro not shown), this cleanup is
// skipped and the saved key stays in the store for later tests.
1051 ckmc_alias_info_list_all_free(ppalias_list);
1052 ckmc_remove_key(alias);
1053 RUNNER_ASSERT(foundAlias == true);