[platform/core/test/security-tests.git] / src / ckm / privileged / system-db.cpp

/*
 *  Copyright (c) 2000 - 2020 Samsung Electronics Co.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License
 *
 * @file       system-db.cpp
 * @author     Maciej Karpiuk (m.karpiuk2@samsung.com)
 * @version    1.0
 */
#include <dpl/test/test_runner.h>
#include <tests_common.h>
#include <ckm-common.h>
#include <ckm-privileged-common.h>
#include <ckm/ckm-control.h>
#include <ckmc/ckmc-manager.h>
#include <ckmc/ckmc-type.h>
#include <scoped-app-context.h>
#include <unistd.h>
#include <sys/types.h>

namespace
{
const uid_t USER_SERVICE        = 0;
const uid_t USER_SERVICE_2      = 1234;
const uid_t GROUP_SERVICE_2     = 1234;
const uid_t USER_SERVICE_MAX    = 4999;
const uid_t GROUP_SERVICE_MAX   = 4999;
const uid_t USER_SERVICE_FAIL   = 5000;
const uid_t GROUP_SERVICE_FAIL  = 5000;
const uid_t USER_APP            = 5050;
const uid_t GROUP_APP           = 5050;
const char* APP_PASS            = "user-pass";

const char* TEST_ALIAS          = "test-alias";
const char* INVALID_LABEL       = "coco-jumbo";
const char* TEST_PASSWORD       = "ckm-password";
std::string TEST_SYSTEM_ALIAS   = sharedDatabase(TEST_ALIAS);
std::string TEST_SYSTEM_ALIAS_2 = sharedDatabase("test-alias-2");

const char* TEST_DATA =
        "Lorem Ipsum. At vero eos et accusamus et iusto odio dignissimos ducimus "
        "qui blanditiis praesentium voluptatum deleniti atque corrupti quos dolores "
        "et quas molestias excepturi sint occaecati cupiditate non provident, "
        "similique sunt in culpa qui officia deserunt mollitia animi, id est "
        "laborum et dolorum fuga. ";
}


RUNNER_TEST_GROUP_INIT(T50_SYSTEM_DB);

RUNNER_TEST(T5010_CLIENT_APP_LOCKED_PRIVATE_DB)
{
    RUNNER_IGNORED_MSG("This test is turn off because fix "
        "from tizen 2.4 that unlock db with empty password");
    // [prepare]
    // start as system service
    // add resource to the system DB
    // add permission to the resource to a user app
    // [test]
    // switch to user app, leave DB locked
    // try to access system DB item - expect success

    // [prepare]
    remove_user_data(USER_APP);
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
    allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);

    // [test]
    {
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
    }
}

RUNNER_TEST(T5020_CLIENT_APP_ADD_TO_PRIVATE_DB)
{
    // [test]
    // switch to user app, unlock DB
    // when accessing private DB - owner==me
    // try to write to private DB - expect success
    // try to get item from private DB - expect success

    // [test]
    {
        remove_user_data(USER_APP);
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
        check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
    }
}

RUNNER_TEST(T5030_CLIENT_APP_TRY_ADDING_SYSTEM_ITEM, RemoveDataEnv<0, USER_APP>)
{
    // [test]
    // switch to user app, unlock DB
    // try to add item to system DB  - expect fail

    // [test]
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
    }
}

RUNNER_TEST(T5031_CLIENT_APP_ACCESS_WITH_PERMISSION, RemoveDataEnv<0, USER_APP>)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // add permission to the resource to a user app
    // [test]
    // switch to user app, unlock DB
    // try to access the system item - expect success

    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
    allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);

    // [test]
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
    }
}

RUNNER_TEST(T5032_CLIENT_APP_ACCESS_NO_PERMISSION, RemoveDataEnv<0, USER_APP>)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // switch to user app, unlock DB
    // try to access the system item - expect fail

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);

    // [test]
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
    }
}

RUNNER_TEST(T5033_CLIENT_APP_PERMISSION_REMOVAL, RemoveDataEnv<0, USER_APP>)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // add permission to the resource to a user app
    // [test]
    // switch to user app, unlock DB
    // try to access the system item - expect success
    // [prepare2]
    // as system service, remove the item (expecting to remove permission)
    // add item again, do not add permission
    // [test2]
    // switch to user app, unlock DB
    // try to access the system item - expect fail

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
    allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);

    // [test]
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
    }

    // [prepare2]
    check_remove_allowed(TEST_SYSTEM_ALIAS.c_str());

    // [test2]
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
    }
}

RUNNER_TEST(T5034_CLIENT_APP_SET_READ_ACCESS, RemoveDataEnv<0, USER_APP>)
{
    // [test]
    // switch to user app, unlock DB
    // try to write to private DB - expect success
    // try to write to system DB  - expect fail

    // [test]
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        ScopedSaveData ssdsystem_user(TEST_ALIAS, TEST_DATA);
        ScopedSaveData ssdsystem_system(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
    }
}

RUNNER_TEST(T5035_CLIENT_APP_TRY_REMOVING_SYSTEM_ITEM, RemoveDataEnv<0, USER_APP>)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // add permission to the resource to a user app
    // [test]
    // switch to user app, unlock DB
    // try to remove item from system DB  - expect fail

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
    allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);

    // [test]
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        check_remove_denied(TEST_SYSTEM_ALIAS.c_str());
    }
}

RUNNER_TEST(T5036_CLIENT_LIST_ACCESSIBLE_ITEMS, RemoveDataEnv<0, USER_APP>)
{
    // [prepare]
    // start as system service
    // add data A to the system DB
    // add data B to the system DB
    // add permission to data A to a user app
    // [test]
    // system service list items - expect both items to appear
    // [test2]
    // switch to user app, unlock DB
    // add data as user
    // user lists items - expect system item A and private item

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
    save_data(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA);
    allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);

    // [test]
    check_alias_list({TEST_SYSTEM_ALIAS.c_str(), TEST_SYSTEM_ALIAS_2.c_str()});

    // [test2]
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);
        ScopedSaveData user_data(TEST_ALIAS, TEST_DATA);

        check_alias_list({TEST_SYSTEM_ALIAS.c_str(),
                          aliasWithLabel(TEST_LABEL, TEST_ALIAS)});
    }
}

RUNNER_TEST(T5037_CLIENT_APP_TRY_GENERATE_KEY_IN_SYSTEM_DB, RemoveDataEnv<USER_APP>)
{
    // [test]
    // switch to user app, unlock DB
    // try to generate a key in system DB  - expect fail

    // [test]
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
        std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
        ckmc_policy_s policy_private_key;
        ckmc_policy_s policy_public_key;
        policy_private_key.password = NULL;
        policy_private_key.extractable = 1;
        policy_public_key.password = NULL;
        policy_public_key.extractable = 1;
        int temp;
        RUNNER_ASSERT_MSG(
                 CKMC_ERROR_PERMISSION_DENIED ==
                        (temp = ckmc_create_key_pair_rsa(1024,
                                                         private_key_alias.c_str(),
                                                         public_key_alias.c_str(),
                                                         policy_private_key,
                                                         policy_public_key)),
                 CKMCReadableError(temp));
    }
}

RUNNER_TEST(T5038_CLIENT_SERVER_CREATE_VERIFY_SYSTEM_DB, RemoveDataEnv<0,USER_APP>)
{
    // [prepare]
    // start as system service
    // generate RSA key in system DB
    // [test]
    // try to create and verify signature in system DB  - expect success
    // [test2]
    // switch to user app, unlock DB
    // try to create signature in system DB  - expect fail

    // [prepare]
    std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
    std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
    ckmc_policy_s policy_private_key;
    ckmc_policy_s policy_public_key;
    policy_private_key.password = NULL;
    policy_private_key.extractable = 1;
    policy_public_key.password = NULL;
    policy_public_key.extractable = 1;
    int temp;
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_NONE ==
                    (temp = ckmc_create_key_pair_rsa(1024,
                                                     private_key_alias.c_str(),
                                                     public_key_alias.c_str(),
                                                     policy_private_key,
                                                     policy_public_key)),
             CKMCReadableError(temp));

    // [test]
    {
        ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
        ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
        ckmc_raw_buffer_s *signature;
        ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");

        RUNNER_ASSERT_MSG(
                CKMC_ERROR_NONE == (temp = ckmc_create_signature(
                        private_key_alias.c_str(),
                        NULL,
                        msg_buff,
                        hash_algo,
                        pad_algo,
                        &signature)),
                CKMCReadableError(temp));

        RUNNER_ASSERT_MSG(
                CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
                        public_key_alias.c_str(),
                        NULL,
                        msg_buff,
                        *signature,
                        hash_algo,
                        pad_algo)),
                CKMCReadableError(temp));
    }

    // [test2]
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAppContext ctx(TEST_LABEL, USER_APP, GROUP_APP);

        ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
        ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
        ckmc_raw_buffer_s *signature;
        ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");

        RUNNER_ASSERT_MSG(
                CKMC_ERROR_DB_ALIAS_UNKNOWN == (temp = ckmc_create_signature(
                        private_key_alias.c_str(),
                        NULL,
                        msg_buff,
                        hash_algo,
                        pad_algo,
                        &signature)),
                CKMCReadableError(temp));
    }
}

RUNNER_TEST(T5039_SYSTEM_APP_SET_REMOVE_ACCESS, RemoveDataEnv<0>)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // add remove permission to a user app - expect fail

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);

    // [test]
    allow_access_negative(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_REMOVE, CKMC_ERROR_INVALID_PARAMETER);
}

RUNNER_TEST(T5040_SYSTEM_SVC_ACCESS_DB, RemoveDataEnv<0>)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // try to access the item - expect success

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);

    // [test]
    check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}

RUNNER_TEST(T5041_SYSTEM_SVC_1234_ACCESS_DB, RemoveDataEnv<0>)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // switch to another system service
    // try to access the item - expect success

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);

    // [test]
    {
        ScopedAppContext ctx(TEST_LABEL_2, USER_SERVICE_2, GROUP_SERVICE_2);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
    }
}

RUNNER_TEST(T5042_SYSTEM_SVC_1234_ADD_ITEM_TO_DB)
{
    // [prepare]
    // start as system service 1234
    // add resource to the system DB
    // [test]
    // switch to another system service
    // try to access the item - expect success

    // [prepare]
    {
        ScopedAppContext ctx(TEST_LABEL_2, USER_SERVICE_2, GROUP_SERVICE_2);

        // [test]
        ScopedSaveData ssd(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
    }
}

RUNNER_TEST(T5043_SYSTEM_SVC_4999_ACCESS_DB, RemoveDataEnv<0>)
{
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // switch to system service having uid maximum for system svcs
    // try to access the item - expect success

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);

    // [test]
    {
        ScopedAppContext ctx(TEST_LABEL_2, USER_SERVICE_MAX, GROUP_SERVICE_MAX);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
    }
}

RUNNER_TEST(T5044_SYSTEM_SVC_5000_ACCESS_DB, RemoveDataEnv<0>)
{
    RUNNER_IGNORED_MSG("This test is turn off because fix "
        "from tizen 2.4 that unlock db with empty password");
    // [prepare]
    // start as system service
    // add resource to the system DB
    // [test]
    // switch to another, faulty system service with user-land uid==5000
    // try to access the item - expect fail (no system service)

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);

    // [test]
    {
        ScopedAppContext ctx(TEST_LABEL_2, USER_SERVICE_FAIL, GROUP_SERVICE_FAIL);

        check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
    }
}

RUNNER_TEST(T5045_SYSTEM_DB_ADD_WITH_INVALID_LABEL, RemoveDataEnv<0>)
{
    // [prepare]
    // start as system service
    // [test]
    // try to add item to system DB using wrong label - expect fail
    // try to add item using explicit system label - expect success

    // [test]
    save_data(aliasWithLabel(INVALID_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
    check_read(TEST_ALIAS, INVALID_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);

    save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA);
    check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
}

RUNNER_TEST(T5046_CLIENT_GET_ALIAS_STATUS_NO_PASSWORD, RemoveDataEnv<0>)
{
    // [prepare]
    // start as system service
    // add data A to the system DB
    // add data B to the system DB
    // [test]
    // system service list alias status - expect both items to have no password protection

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
    save_data(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA);

    // [test]
    CKM::AliasInfoVector aliasInfoVector;
    aliasInfoVector.push_back(make_alias_info(TEST_SYSTEM_ALIAS.c_str(), false));
    aliasInfoVector.push_back(make_alias_info(TEST_SYSTEM_ALIAS_2.c_str(), false));

    check_alias_info_list(aliasInfoVector);
}

RUNNER_TEST(T5047_CLIENT_GET_ALIAS_STATUS_PASSWORD_PROTECTED, RemoveDataEnv<0>)
{
    // [prepare]
    // start as system service
    // add data A to the system DB
    // add data B with password protection to the system DB
    // add data C with password protection to the system DB
    // [test]
    // system service list alias status - expect: first alias - no password protection, second, third -
    // protected with password

    // [prepare]
    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
    save_data(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA, strlen(TEST_DATA), TEST_PASSWORD);
    save_data((TEST_SYSTEM_ALIAS_2 + "1").c_str(), TEST_DATA, strlen(TEST_DATA), TEST_PASSWORD);

    // [test]
    CKM::AliasInfoVector aliasInfoVector;
    aliasInfoVector.push_back(make_alias_info(TEST_SYSTEM_ALIAS.c_str(), false));
    aliasInfoVector.push_back(make_alias_info(TEST_SYSTEM_ALIAS_2.c_str(), true));
    aliasInfoVector.push_back(make_alias_info((TEST_SYSTEM_ALIAS_2 + "1").c_str(),true));

    check_alias_info_list(aliasInfoVector);
}