[platform/core/test/security-tests.git] / src / security-manager-tests / test_cases_app_policy.cpp

/*
 * Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved
 *
 *    Licensed under the Apache License, Version 2.0 (the "License");
 *    you may not use this file except in compliance with the License.
 *    You may obtain a copy of the License at
 *
 *        http://www.apache.org/licenses/LICENSE-2.0
 *
 *    Unless required by applicable law or agreed to in writing, software
 *    distributed under the License is distributed on an "AS IS" BASIS,
 *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *    See the License for the specific language governing permissions and
 *    limitations under the License.
 */

#include <string>
#include <vector>

#include <app_install_helper.h>
#include <pkg_privacy_privileges.h>
#include <scoped_installer.h>
#include <sm_api.h>
#include <sm_commons.h>
#include <temp_test_user.h>
#include <tests_common.h>

#include <dpl/test/test_runner.h>
#include <dpl/test/test_runner_child.h>

const PrivilegeVector TEST_PRIVACY_PRIVILEGES = {
    Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY),
    Privilege("http://tizen.org/privilege/account.read", Privilege::PRIVACY),
    Privilege("http://tizen.org/privilege/healthinfo", Privilege::PRIVACY) };

using namespace SecurityManagerTest;

RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_APP_POLICY)

RUNNER_CHILD_TEST(security_manager_ap1_app_policy_fetch_for_self) {
    TemporaryTestUser tmpUser("sm_test_ap1_user_name", GUM_USERTYPE_NORMAL, false);
    tmpUser.create();

    AppInstallHelper app("sm_test_ap1", tmpUser.getUid());
    app.addPrivileges(TEST_PRIVACY_PRIVILEGES);

    unsigned expectedPolicyCount = countPrivacyPrivileges(app.getPrivileges());

    // If askuser is disabled there will be no privacy policy to expect
    RUNNER_ASSERT_MSG(isAskuserDisabled() || expectedPolicyCount > 0,
            "Application won't be installed with any privacy privileges, fix test");

    PkgPrivacyPrivileges setupPrivacyPrivs(app);
    ScopedInstaller appInstall(app);

    pid_t pid = fork();
    RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
    if (pid != 0) { //parent process
        waitPid(pid);
    } else { //child process
        Api::setProcessLabel(app.getAppId());
        RUNNER_ASSERT_ERRNO_MSG(
                drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
                "drop_root_privileges failed");

        std::string uidStr = tmpUser.getUidString();
        for (const auto &appPrivilege : app.getPrivileges()) {
            PolicyEntry filter(app.getAppId(), uidStr, appPrivilege);

            std::vector<PolicyEntry> policyEntries;
            Api::getPolicyForSelf(filter, policyEntries);
            if (isAskuserDisabled()) {
                //further checks do not make sense, but we've checked if app has permission to perform policy fetch
                continue;
            }

            RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
            RUNNER_ASSERT_MSG(policyEntries.size() == 1,
                    "Number of policies doesn't match - should be: " << expectedPolicyCount << " and is " << policyEntries.size());

            for (const auto &policyEntry : policyEntries) {
                std::string user = policyEntry.getUser();
                std::string appId = policyEntry.getAppId();
                std::string privilege = policyEntry.getPrivilege();

                RUNNER_ASSERT_MSG(appId == app.getAppId(),
                        "Policy returned for wrong appId," " expected : " << app.getAppId() << ", got : " << appId);
                RUNNER_ASSERT_MSG(user == uidStr,
                        "Policy returned for wrong user," " expected : " << uidStr << ", got : " << user);
                RUNNER_ASSERT_MSG(privilege == appPrivilege.getName(),
                        "Policy returned for wrong privilege," " expected : " << appPrivilege << ", got : " << privilege);

            }
        }
        exit(0);
    }
}

RUNNER_CHILD_TEST(security_manager_ap2_app_policy_fetch_for_self_different_user) {
    TemporaryTestUser tmpUser("sm_test_ap2_1_user_name", GUM_USERTYPE_NORMAL, false);
    tmpUser.create();
    TemporaryTestUser tmpUser2("sm_test_ap2_2_user_name", GUM_USERTYPE_NORMAL, false);
    tmpUser2.create();

    AppInstallHelper app("sm_test_ap2", tmpUser.getUid());
    app.addPrivileges(TEST_PRIVACY_PRIVILEGES);

    PkgPrivacyPrivileges setupPrivacyPrivs(app);
    ScopedInstaller appInstall(app);

    pid_t pid = fork();
    RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
    if (pid != 0) { //parent process
        waitPid(pid);
    } else { //child process
        Api::setProcessLabel(app.getAppId());
        RUNNER_ASSERT_ERRNO_MSG(
                drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
                "drop_root_privileges failed");

        std::string wrongUidStr = tmpUser2.getUidString();
        for (const auto &appPrivilege : app.getPrivileges()) {
            PolicyEntry filter(app.getAppId(), wrongUidStr, appPrivilege);

            std::vector<PolicyEntry> policyEntries;
            Api::getPolicyForSelf(filter, policyEntries,
                    SECURITY_MANAGER_ERROR_ACCESS_DENIED);
        }
        exit(0);
    }
}

RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_user_global) {
    TemporaryTestUser tmpUser("sm_test_ap3_1_user_name", GUM_USERTYPE_NORMAL, false);
    tmpUser.create();
    TemporaryTestUser tmpUser2("sm_test_ap3_2_user_name", GUM_USERTYPE_NORMAL, false);
    tmpUser2.create();

    AppInstallHelper app("sm_test_ap3");
    app.setInstallType(SM_APP_INSTALL_GLOBAL);
    app.addPrivileges(TEST_PRIVACY_PRIVILEGES);

    PkgPrivacyPrivileges setupPrivacyPrivs(app);
    ScopedInstaller appInstall(app);

    pid_t pid = fork();
    RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
    if (pid != 0) { //parent process
        waitPid(pid);
    } else { //child process
        Api::setProcessLabel(app.getAppId());
        RUNNER_ASSERT_ERRNO_MSG(
                drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
                "drop_root_privileges failed");

        std::string wrongUidStr = tmpUser2.getUidString();
        for (const auto &appPrivilege : app.getPrivileges()) {
            PolicyEntry filter(app.getAppId(), wrongUidStr, appPrivilege);

            std::vector<PolicyEntry> policyEntries;
            Api::getPolicyForSelf(filter, policyEntries,
                    SECURITY_MANAGER_ERROR_ACCESS_DENIED);
        }
        exit(0);
    }
}

RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_app) {
    TemporaryTestUser tmpUser("sm_test_ap3_user_name", GUM_USERTYPE_NORMAL, false);
    tmpUser.create();

    AppInstallHelper app1("sm_test_ap3_1", tmpUser.getUid());
    app1.addPrivileges(TEST_PRIVACY_PRIVILEGES);

    AppInstallHelper app2("sm_test_ap3_2", tmpUser.getUid());
    app2.addPrivileges(TEST_PRIVACY_PRIVILEGES);

    PkgPrivacyPrivileges setupPrivacyPrivs1(app1);
    ScopedInstaller appInstall1(app1);

    PkgPrivacyPrivileges setupPrivacyPrivs2(app2);
    ScopedInstaller appInstall2(app2);

    pid_t pid = fork();
    RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
    if (pid != 0) { //parent process
        waitPid(pid);
    } else { //child process
        Api::setProcessLabel(app1.getAppId());
        RUNNER_ASSERT_ERRNO_MSG(
                drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
                "drop_root_privileges failed");

        std::string uidStr = tmpUser.getUidString();
        for (const auto &appPrivilege : app1.getPrivileges()) {
            PolicyEntry filter(app2.getAppId(), uidStr, appPrivilege);

            std::vector<PolicyEntry> policyEntries;
            Api::getPolicyForSelf(filter, policyEntries,
                    SECURITY_MANAGER_ERROR_ACCESS_DENIED);
        }
        exit(0);
    }
}