src/security-manager-tests/test_cases_privacy_manager.cpp

   1 /*
   2  * Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved
   3  *
   4  *    Licensed under the Apache License, Version 2.0 (the "License");
   5  *    you may not use this file except in compliance with the License.
   6  *    You may obtain a copy of the License at
   7  *
   8  *        http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *    Unless required by applicable law or agreed to in writing, software
  11  *    distributed under the License is distributed on an "AS IS" BASIS,
  12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *    See the License for the specific language governing permissions and
  14  *    limitations under the License.
  15  */
  16
  17 #include <algorithm>
  18 #include <cstdlib>
  19 #include <map>
  20 #include <string>
  21 #include <sys/types.h>
  22 #include <unistd.h>
  23 #include <unordered_set>
  24 #include <utility>
  25 #include <vector>
  26
  27 #include <app_install_helper.h>
  28 #include <cynara_test_admin.h>
  29 #include <dpl/test/test_runner.h>
  30 #include <dpl/test/test_runner_child.h>
  31 #include <pkg_privacy_privileges.h>
  32 #include <policy_configuration.h>
  33 #include <scoped_installer.h>
  34 #include <sm_api.h>
  35 #include <sm_commons.h>
  36 #include <sm_policy_request.h>
  37 #include <sm_request.h>
  38 #include <synchronization_pipe.h>
  39 #include <temp_test_user.h>
  40 #include <tests_common.h>
  41
  42 using namespace SecurityManagerTest;
  43 namespace {
  44 struct UserInfo {
  45     std::string userName;
  46     GumUserType userType;
  47 };
  48
  49 // Privileges required for having permission to self/admin get/set policies.
  50 const std::string SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
  51 const std::string ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
  52
  53 typedef std::vector<std::string> Privileges;
  54 const std::vector<Privileges> TEST_PRIVILEGES = {
  55     {
  56         "http://tizen.org/privilege/internet",
  57         "http://tizen.org/privilege/display"
  58     },
  59     {
  60         "http://tizen.org/privilege/telephony",
  61         "http://tizen.org/privilege/datasharing"
  62     },
  63     {
  64         "http://tizen.org/privilege/content.write",
  65         "http://tizen.org/privilege/led",
  66         "http://tizen.org/privilege/email"
  67     },
  68     {
  69         "http://tizen.org/privilege/led",
  70         "http://tizen.org/privilege/email",
  71         "http://tizen.org/privilege/telephony",
  72         "http://tizen.org/privilege/datasharing"
  73     },
  74     {
  75         "http://tizen.org/privilege/internet",
  76         "http://tizen.org/privilege/display",
  77         "http://tizen.org/privilege/led",
  78         "http://tizen.org/privilege/email"
  79     }
  80 };
  81
  82 const PrivilegeVector TEST_PRIVACY_PRIVILEGES[] = {
  83     {
  84         Privilege("http://tizen.org/privilege/telephony"),
  85         Privilege("http://tizen.org/privilege/led"),
  86         Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY),
  87         Privilege("http://tizen.org/privilege/account.read", Privilege::PRIVACY),
  88         Privilege("http://tizen.org/privilege/healthinfo", Privilege::PRIVACY),
  89     },
  90     {
  91         Privilege("http://tizen.org/privilege/telephony"),
  92         Privilege("http://tizen.org/privilege/led"),
  93         Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY),
  94     }
  95 };
  96
  97 }
  98
  99 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER)
 100
 101 RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
 102 {
 103     TemporaryTestUser tmpUser("sm_test_10_user_name", GUM_USERTYPE_NORMAL, false);
 104     tmpUser.create();
 105
 106     unsigned expectedPolicyCount = 0;
 107     std::map<std::string, AppInstallHelper> appIdToAIH;
 108     for (unsigned i = 0; i < TEST_PRIVILEGES.size(); i++) {
 109         AppInstallHelper app("sm_test_10_" + std::to_string(i), tmpUser.getUid());
 110         app.addPrivileges(TEST_PRIVILEGES[i]);
 111         expectedPolicyCount += app.getPrivileges().size();
 112         appIdToAIH.emplace(app.getAppId(), std::move(app));
 113     }
 114
 115     AppInstallHelper privManager("sm_test_10_privilege_manager", tmpUser.getUid());
 116     std::string privManagerAppId = privManager.getAppId();
 117     privManager.addPrivilege(SELF_PRIVILEGE);
 118     expectedPolicyCount += privManager.getPrivileges().size();
 119     appIdToAIH.emplace(privManager.getAppId(), std::move(privManager));
 120
 121     std::vector<ScopedInstaller> scopedInstallations;
 122     for (const auto &appIdAIH : appIdToAIH) {
 123         scopedInstallations.emplace_back(ScopedInstaller(appIdAIH.second));
 124     }
 125
 126     pid_t pid = fork();
 127     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
 128     if (pid != 0) { //parent process
 129         waitPid(pid);
 130     } else { //child process
 131         Api::setProcessLabel(privManagerAppId);
 132         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
 133                                 "drop_root_privileges failed");
 134
 135         std::vector<PolicyEntry> policyEntries;
 136         Api::getPolicy(PolicyEntry(), policyEntries);
 137
 138         RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
 139         RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
 140                           "Number of policies doesn't match - should be: " << expectedPolicyCount
 141                           << " and is " << policyEntries.size());
 142
 143         for (const auto &policyEntry : policyEntries) {
 144             std::string user = policyEntry.getUser();
 145             std::string app = policyEntry.getAppId();
 146             std::string privilege = policyEntry.getPrivilege();
 147
 148             RUNNER_ASSERT_MSG(user == tmpUser.getUidString(), "Unexpected user: " << user);
 149
 150             auto appIt = appIdToAIH.find(app);
 151             RUNNER_ASSERT_MSG(appIt != appIdToAIH.end(), "Policy returned unexpected app: " << app);
 152
 153             AppInstallHelper &aih = appIt->second;
 154             auto appPrivileges = aih.getPrivilegesNames();
 155             auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
 156             RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
 157                               "Unexpected privilege " << privilege << " for app " << app);
 158         }
 159         exit(0);
 160     }
 161 }
 162
 163 RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
 164 {
 165     const std::string normalNameToSwitch = "sm_test_11_user_name_normal";
 166     const std::vector<UserInfo> userInfos = {{normalNameToSwitch, GUM_USERTYPE_NORMAL},
 167                                              {"sm_test_11_user_name_admin", GUM_USERTYPE_ADMIN}};
 168
 169     std::map<std::string, TemporaryTestUser> usernameToTTU;
 170     // uid + app_id -> AppInstallHelper (different users can have same app_id installed)
 171     std::map<std::pair<uid_t,std::string>, AppInstallHelper> userAppIdToAIH;
 172     unsigned expectedPolicyCount = 0;
 173
 174     for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
 175         TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
 176         user.create();
 177
 178         for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
 179             AppInstallHelper app("sm_test_11_" + std::to_string(p_i), user.getUid());
 180             app.addPrivileges(TEST_PRIVILEGES[p_i]);
 181             if (user.getUserName() == normalNameToSwitch) // Only entries for this user should be fetched
 182                 expectedPolicyCount += app.getPrivileges().size();
 183             userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
 184         };
 185
 186         usernameToTTU.emplace(userInfos[u_i].userName, std::move(user));
 187     };
 188
 189     TemporaryTestUser &normalUserToSwitch = usernameToTTU.at(normalNameToSwitch);
 190
 191     AppInstallHelper privManager("sm_test_11_priv_manager", normalUserToSwitch.getUid());
 192     std::string privManagerAppId = privManager.getAppId();
 193     privManager.addPrivilege(SELF_PRIVILEGE);
 194     expectedPolicyCount += privManager.getPrivileges().size();
 195     userAppIdToAIH.emplace(std::make_pair(normalUserToSwitch.getUid(), privManager.getAppId()),
 196                            std::move(privManager));
 197
 198     std::vector<ScopedInstaller> scopedInstallations;
 199     for (const auto &userAppIdAIH : userAppIdToAIH) {
 200         scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
 201     }
 202
 203     pid_t pid = fork();
 204     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
 205     if (pid != 0) { //parent process
 206         waitPid(pid);
 207     } else { //child process
 208         Api::setProcessLabel(privManagerAppId);
 209         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUserToSwitch.getUid(),
 210                                                      normalUserToSwitch.getGid()) == 0,
 211                                 "drop_root_privileges failed");
 212
 213         std::vector<PolicyEntry> policyEntries;
 214         Api::getPolicy(PolicyEntry(), policyEntries);
 215
 216         RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
 217         RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
 218                           "Number of policies doesn't match - should be: " << expectedPolicyCount
 219                           << " and is " << policyEntries.size());
 220
 221         for (const auto &policyEntry : policyEntries) {
 222             // Expect policy only for current process user
 223             std::string user = policyEntry.getUser();
 224             std::string app = policyEntry.getAppId();
 225             std::string privilege = policyEntry.getPrivilege();
 226
 227             RUNNER_ASSERT_MSG(normalUserToSwitch.getUidString() == user, "Unexpected user: " << user);
 228             auto userAppIdToAIHIt = userAppIdToAIH.find(std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
 229             RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
 230                               "Unknown app " << app << " for user " << user);
 231
 232             AppInstallHelper &aih = userAppIdToAIHIt->second;
 233             auto privs = aih.getPrivileges();
 234
 235             auto appPrivileges = aih.getPrivilegesNames();
 236             auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
 237             RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
 238                               "Unexpected privilege " << privilege << " for app " << app);
 239         }
 240         exit(0);
 241     }
 242 }
 243
 244 RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
 245 {
 246     std::vector<PolicyEntry> oldPolicyVec;
 247     Api::getPolicy(PolicyEntry(), oldPolicyVec);
 248     std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
 249
 250     std::string adminNameToSwitch = "sm_test_12_user_name_admin";
 251     const std::vector<UserInfo> userInfos = {{"sm_test_12_user_name_normal",GUM_USERTYPE_NORMAL},
 252                                              {adminNameToSwitch, GUM_USERTYPE_ADMIN}};
 253
 254     std::map<std::string, TemporaryTestUser> usernameToTTU;
 255     std::vector<std::string> uidStrings;
 256     // uidstring + app_id -> AppInstallHelper
 257     std::map<std::pair<uid_t, std::string>, AppInstallHelper> userAppIdToAIH;
 258     unsigned expectedPolicyCount = oldPolicyVec.size();
 259
 260     for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
 261         TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
 262         user.create();
 263         uidStrings.push_back(user.getUidString());
 264
 265         for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
 266             AppInstallHelper app("sm_test_12_" + std::to_string(p_i), user.getUid());
 267             // Shift privileges, so same app_id for different users doesn't have same privileges
 268             app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
 269             expectedPolicyCount += app.getPrivileges().size();
 270             userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
 271         };
 272         usernameToTTU.emplace(user.getUserName(), std::move(user));
 273     };
 274
 275     TemporaryTestUser &adminUserToSwitch = usernameToTTU.at(adminNameToSwitch);
 276
 277     AppInstallHelper privManager("sm_test_12_priv_manager", adminUserToSwitch.getUid());
 278     std::string privManagerAppId = privManager.getAppId();
 279     privManager.addPrivilege(SELF_PRIVILEGE);
 280     privManager.addPrivilege(ADMIN_PRIVILEGE);
 281     expectedPolicyCount += privManager.getPrivileges().size();
 282
 283     userAppIdToAIH.emplace(std::make_pair(adminUserToSwitch.getUid(), privManager.getAppId()),
 284                            std::move(privManager));
 285
 286     std::vector<ScopedInstaller> scopedInstallations;
 287     for (const auto &userAppIdAIH : userAppIdToAIH) {
 288         scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
 289     }
 290
 291     pid_t pid = fork();
 292     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
 293     if (pid != 0) { //parent process
 294         waitPid(pid);
 295     } else { //child process
 296         Api::setProcessLabel(privManagerAppId);
 297         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
 298                                                      adminUserToSwitch.getGid()) == 0,
 299                                 "drop_root_privileges failed");
 300
 301         std::vector<PolicyEntry> policyEntries;
 302         Api::getPolicy(PolicyEntry(), policyEntries);
 303         RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
 304         RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
 305                           "Number of policies doesn't match - should be: " << expectedPolicyCount
 306                           << " and is " << policyEntries.size());
 307
 308         for (const auto &policyEntry : policyEntries) {
 309             // Expect policy for all users to be returned
 310             if (oldPolicySet.count(policyEntry))
 311                 continue;
 312             std::string user = policyEntry.getUser();
 313             std::string app = policyEntry.getAppId();
 314             std::string privilege = policyEntry.getPrivilege();
 315
 316             auto uidStringIt = std::find(uidStrings.begin(), uidStrings.end(), user);
 317             RUNNER_ASSERT_MSG(uidStringIt != uidStrings.end(), "Unexpected user: " << user);
 318
 319             auto userAppIdToAIHIt = userAppIdToAIH.find(
 320                     std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
 321             RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
 322                               "Unknown app " << app << " for user " << user);
 323
 324             AppInstallHelper &aih = userAppIdToAIHIt->second;
 325             auto privs = aih.getPrivileges();
 326
 327             auto appPrivileges = aih.getPrivilegesNames();
 328             auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
 329             RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
 330                               "Unexpected privilege " << privilege << " for app " << app);
 331         };
 332         exit(0);
 333     };
 334 }
 335
 336 RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
 337 {
 338     std::string normalName = "sm_test_13_user_name_normal";
 339     std::string adminName = "sm_test_13_user_name_admin";
 340     const std::vector<UserInfo> userInfos = {{normalName,GUM_USERTYPE_NORMAL},
 341                                              {adminName, GUM_USERTYPE_ADMIN}};
 342
 343     std::map<std::string, TemporaryTestUser> usernameToTTU;
 344     std::map<uid_t, std::vector<AppInstallHelper>> uidToAIHs;
 345     unsigned expectedPolicyCount = 0;
 346     std::string privManagerAppId;
 347
 348     for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
 349         //Only entries for one of the users will be listed
 350         TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
 351         user.create();
 352
 353         for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
 354             AppInstallHelper app("sm_test_13_" + std::to_string(p_i), user.getUid());
 355             // Shift privileges, so same app_id for different user doesn't have same privileges
 356             app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
 357             expectedPolicyCount += app.getPrivileges().size();
 358             uidToAIHs[user.getUid()].emplace_back(std::move(app));
 359         };
 360         AppInstallHelper privManager("sm_test_13_priv_manager", user.getUid());
 361         privManagerAppId = privManager.getAppId();
 362         privManager.addPrivilege(SELF_PRIVILEGE);
 363         expectedPolicyCount += privManager.getPrivileges().size();
 364         uidToAIHs[user.getUid()].emplace_back(std::move(privManager));
 365
 366         usernameToTTU.emplace(user.getUserName(), std::move(user));
 367     };
 368
 369     std::vector<ScopedInstaller> scopedInstallations;
 370     for (const auto &userAIHs : uidToAIHs) {
 371         for (const auto &aih : userAIHs.second)
 372         scopedInstallations.emplace_back(ScopedInstaller(aih));
 373     }
 374
 375     TemporaryTestUser &adminUser = usernameToTTU.at(adminName);
 376     TemporaryTestUser &normalUser = usernameToTTU.at(normalName);
 377
 378     pid_t pid = fork();
 379     RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
 380     if (pid == 0) { //child #1 process
 381         Api::setProcessLabel(privManagerAppId);
 382         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUser.getUid(), normalUser.getGid()) == 0,
 383                                 "drop_root_privileges failed");
 384         auto &app1 = uidToAIHs[normalUser.getUid()][0];
 385         auto &app2 = uidToAIHs[normalUser.getUid()][0];
 386         PolicyRequest policyRequest;
 387         PolicyEntry policyEntry(
 388                 app1.getAppId(),
 389                 normalUser.getUidString(),
 390                 app1.getPrivileges()[0]
 391                 );
 392         policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
 393
 394         policyRequest.addEntry(policyEntry);
 395         policyEntry = PolicyEntry(
 396                 app2.getAppId(),
 397                 normalUser.getUidString(),
 398                 app1.getPrivileges()[1]
 399                 );
 400         policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
 401         policyRequest.addEntry(policyEntry);
 402         Api::sendPolicy(policyRequest);
 403
 404         exit(0);
 405     } else {
 406         waitPid(pid);
 407         pid = fork();
 408         RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
 409         if (pid == 0) { //child #2 process
 410             Api::setProcessLabel(privManagerAppId);
 411             // Admin user, but in context of app, which doesn't have usermanagement privilege
 412             RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
 413                               "drop_root_privileges failed");
 414
 415             PolicyEntry filter = PolicyEntry(
 416                         SECURITY_MANAGER_ANY,
 417                         normalUser.getUidString(),
 418                         SECURITY_MANAGER_ANY
 419                         );
 420             std::vector<PolicyEntry> policyEntries;
 421             //U2 requests contents of U1 privacy manager - should fail
 422             Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
 423             RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
 424                               << policyEntries.size() << " entries");
 425
 426             filter = PolicyEntry(
 427                         SECURITY_MANAGER_ANY,
 428                         SECURITY_MANAGER_ANY,
 429                         SECURITY_MANAGER_ANY
 430                         );
 431
 432             policyEntries.clear();
 433
 434             //U2 requests contents of ADMIN bucket - should fail
 435             Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
 436             RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
 437                               << policyEntries.size() << " entries");
 438             exit(0);
 439         } else {
 440             waitPid(pid);
 441         }
 442     }
 443 }
 444
 445 RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
 446 {
 447     TemporaryTestUser adminUserToSwitch("sm_test_14_user_name_admin", GUM_USERTYPE_ADMIN);
 448     adminUserToSwitch.create();
 449
 450     AppInstallHelper privManager("sm_test_14_priv_manager", adminUserToSwitch.getUid());
 451     privManager.addPrivilege(ADMIN_PRIVILEGE);
 452
 453     ScopedInstaller privManagerInstall(privManager);
 454
 455     pid_t pid = fork();
 456     if (pid != 0) {
 457         waitPid(pid);
 458     } else { //child process
 459         Api::setProcessLabel(privManager.getAppId());
 460         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
 461                                                      adminUserToSwitch.getGid()) == 0,
 462                                 "drop_root_privileges failed");
 463
 464         PolicyRequest setPolicyRequest;
 465         std::vector<PolicyEntry> policyEntries;
 466
 467         const std::string internetPriv = "http://tizen.org/privilege/internet";
 468         const std::string displayPriv = "http://tizen.org/privilege/display";
 469
 470         PolicyEntry internetPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, internetPriv);
 471         internetPolicyEntry.setMaxLevel(PolicyEntry::LEVEL_DENY);
 472         setPolicyRequest.addEntry(internetPolicyEntry);
 473
 474         PolicyEntry displayPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, displayPriv);
 475         displayPolicyEntry.setMaxLevel(PolicyEntry::LEVEL_DENY);
 476         setPolicyRequest.addEntry(displayPolicyEntry);
 477
 478         Api::sendPolicy(setPolicyRequest);
 479
 480         Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
 481         RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2"
 482                                                      " and is " << policyEntries.size());
 483
 484         PolicyRequest delPolicyRequest;
 485
 486         internetPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
 487         delPolicyRequest.addEntry(internetPolicyEntry);
 488
 489         displayPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
 490         delPolicyRequest.addEntry(displayPolicyEntry);
 491
 492         Api::sendPolicy(delPolicyRequest);
 493
 494         policyEntries.clear();
 495         Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
 496         RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0"
 497                                                      " and is " << policyEntries.size());
 498         exit(0);
 499     };
 500 }
 501
 502 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
 503 {
 504     const std::string updatePriv = "http://tizen.org/privilege/led";
 505
 506     TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
 507     adminUser.create();
 508
 509     AppInstallHelper updatedApp("security_manager_15_update");
 510     ScopedInstaller updatedAppInstall(updatedApp);
 511
 512     AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
 513     privManager.addPrivilege(ADMIN_PRIVILEGE);
 514     ScopedInstaller privManagerInstall(privManager);
 515
 516     pid_t pid = fork();
 517     RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
 518     if (pid != 0) { //parent process
 519         waitPid(pid);
 520         CynaraTestAdmin::Admin admin;
 521         admin.adminCheck("ADMIN", false, updatedApp.generateAppLabel().c_str(),
 522                          adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
 523                          nullptr);
 524     } else {
 525         Api::setProcessLabel(privManager.getAppId());
 526
 527         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
 528                                 "drop_root_privileges failed");
 529
 530         PolicyEntry entry(updatedApp.getAppId(), adminUser.getUidString(), updatePriv);
 531         entry.setMaxLevel(PolicyEntry::LEVEL_ALLOW);
 532         PolicyRequest addPolicyRequest;
 533         addPolicyRequest.addEntry(entry);
 534         Api::sendPolicy(addPolicyRequest);
 535         exit(0);
 536     }
 537 }
 538
 539 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
 540 {
 541     const std::string updatePriv = "http://tizen.org/privilege/led";
 542
 543     TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
 544     adminUser.create();
 545
 546     AppInstallHelper app("security_manager_15");
 547     ScopedInstaller appInstall(app);
 548
 549     AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
 550     privManager.addPrivilege(ADMIN_PRIVILEGE);
 551     ScopedInstaller privManagerInstall(privManager);
 552
 553     pid_t pid = fork();
 554     RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
 555     if (pid != 0) {
 556         waitPid(pid);
 557         CynaraTestAdmin::Admin admin;
 558         admin.adminCheck("ADMIN", false, app.generateAppLabel().c_str(),
 559                          adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
 560                          nullptr);
 561     } else {
 562         Api::setProcessLabel(privManager.getAppId());
 563         RUNNER_ASSERT_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
 564                           "drop_root_privileges failed");
 565
 566         PolicyEntry entry(SECURITY_MANAGER_ANY, adminUser.getUidString(), updatePriv);
 567         entry.setMaxLevel(PolicyEntry::LEVEL_ALLOW);
 568
 569         PolicyRequest addPolicyRequest;
 570         addPolicyRequest.addEntry(entry);
 571         Api::sendPolicy(addPolicyRequest);
 572         exit(0);
 573     }
 574 }
 575
 576 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
 577 {
 578     const std::string updatePriv = "http://tizen.org/privilege/led";
 579
 580     TemporaryTestUser user("sm_test_15_username", GUM_USERTYPE_NORMAL);
 581     user.create();
 582
 583     AppInstallHelper app("security_manager_15");
 584     ScopedInstaller appInstall(app);
 585
 586     AppInstallHelper privManager("security_manager_15_priv_manager", user.getUid());
 587     privManager.addPrivilege(SELF_PRIVILEGE);
 588     ScopedInstaller privManagerInstall(privManager);
 589
 590     pid_t pid = fork();
 591     RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
 592     if (pid != 0) {
 593         waitPid(pid);
 594         CynaraTestAdmin::Admin admin;
 595         admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
 596                          updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
 597     } else {
 598         Api::setProcessLabel(privManager.getAppId());
 599         RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
 600                           "drop_root_privileges failed");
 601
 602         PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
 603         entry.setLevel(PolicyEntry::LEVEL_ALLOW);
 604
 605         PolicyRequest addPolicyRequest;
 606         addPolicyRequest.addEntry(entry);
 607         Api::sendPolicy(addPolicyRequest);
 608         exit(0);
 609     }
 610 }
 611
 612 RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
 613 {
 614     TemporaryTestUser user("sm_test_16_user_name", GUM_USERTYPE_NORMAL);
 615     user.create();
 616
 617     pid_t pid = fork();
 618     RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
 619     if (pid != 0) {
 620         waitPid(pid);
 621     } else {
 622         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
 623                           "drop_root_privileges failed");
 624
 625         char** levels;
 626         size_t count;
 627         int ret = security_manager_policy_levels_get(&levels, &count);
 628         RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
 629                 "Invlid return code: " << ret);
 630         std::unique_ptr<char *, std::function<void(char**)>> descriptionsPtr(levels,
 631                 [count](char **levels) { security_manager_policy_levels_free(levels, count);});
 632
 633         RUNNER_ASSERT_MSG(count >= 2, "Invalid number of policy levels. Should be 3,"
 634                                       " instead there is: " << count);
 635
 636         std::string denyPolicy = std::string(levels[0]);
 637         std::string allowPolicy = std::string(levels[count-1]);
 638
 639         // first should always be Deny
 640         RUNNER_ASSERT_MSG(denyPolicy.compare(PolicyEntry::LEVEL_DENY) == 0,
 641                 "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
 642
 643         // last should always be Allow
 644         RUNNER_ASSERT_MSG(allowPolicy.compare(PolicyEntry::LEVEL_ALLOW) == 0,
 645                 "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
 646         exit(0);
 647     }
 648 }
 649
 650 RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self)
 651 {
 652     const std::string updatePriv = "http://tizen.org/privilege/led";
 653
 654     TemporaryTestUser user("sm_test_17a_username", GUM_USERTYPE_NORMAL);
 655     user.create();
 656
 657     AppInstallHelper app("security_manager_17a");
 658     ScopedInstaller appInstall(app);
 659
 660     SynchronizationPipe synchPipe;
 661     pid_t pid = fork();
 662     RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
 663     if (pid != 0) {
 664         synchPipe.claimParentEp();
 665
 666         synchPipe.wait();
 667         CynaraTestAdmin::Admin admin;
 668         admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
 669                          updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
 670         synchPipe.post();
 671
 672         synchPipe.wait();
 673         admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
 674                          updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
 675         waitPid(pid);
 676     } else {
 677         synchPipe.claimChildEp();
 678         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
 679                                             "drop_root_privileges failed");
 680
 681         PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
 682         entry.setLevel(PolicyEntry::LEVEL_ALLOW);
 683         PolicyRequest addPolicyRequest;
 684         addPolicyRequest.addEntry(entry);
 685         Api::sendPolicy(addPolicyRequest);
 686         synchPipe.post();
 687
 688         synchPipe.wait();
 689         PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
 690         deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
 691         PolicyRequest deletePolicyRequest;
 692         deletePolicyRequest.addEntry(deleteEntry);
 693         Api::sendPolicy(deletePolicyRequest);
 694         synchPipe.post();
 695
 696         exit(0);
 697     }
 698 }
 699
 700 RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self)
 701 {
 702     const std::string updatePriv = "http://tizen.org/privilege/led";
 703
 704     TemporaryTestUser user("sm_test_17b_username", GUM_USERTYPE_NORMAL);
 705     user.create();
 706
 707     AppInstallHelper app("security_manager_17b");
 708     ScopedInstaller appInstall(app);
 709
 710     AppInstallHelper privManager("security_manager_17b_priv_manager", user.getUid());
 711     privManager.addPrivilege(SELF_PRIVILEGE);
 712     ScopedInstaller privManagerInstall(privManager);
 713
 714     SynchronizationPipe synchPipe;
 715     pid_t pid = fork();
 716     RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
 717     if (pid != 0) {
 718         synchPipe.claimParentEp();
 719         synchPipe.wait();
 720         CynaraTestAdmin::Admin admin;
 721         admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
 722                          updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
 723         synchPipe.post();
 724
 725         synchPipe.wait();
 726         admin.adminCheck("", false, app.generateAppLabel().c_str(),
 727                          user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
 728         waitPid(pid);
 729
 730     } else {
 731         synchPipe.claimChildEp();
 732         Api::setProcessLabel(privManager.getAppId());
 733         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
 734                                 "drop_root_privileges failed");
 735
 736         PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
 737         entry.setLevel(PolicyEntry::LEVEL_ALLOW);
 738         PolicyRequest addPolicyRequest;
 739         addPolicyRequest.addEntry(entry);
 740         Api::sendPolicy(addPolicyRequest);
 741         synchPipe.post();
 742
 743         synchPipe.wait();
 744         PolicyRequest deletePolicyRequest;
 745         PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
 746         deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
 747         deletePolicyRequest.addEntry(deleteEntry);
 748         Api::sendPolicy(deletePolicyRequest);
 749         synchPipe.post();
 750         exit(0);
 751     }
 752 }
 753
 754 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
 755 {
 756     const std::string username("sm_test_17_user_name");
 757     std::vector<AppInstallHelper> appHelpers;
 758     std::vector<ScopedInstaller> scopedInstallations;
 759     std::map<std::string, unsigned> privToCount;
 760     unsigned policyCount = 0;
 761
 762     TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
 763     user.create();
 764
 765     for (unsigned int i = 0; i < TEST_PRIVILEGES.size(); i++) {
 766         AppInstallHelper app("sm_test_17_" + std::to_string(i), user.getUid());
 767         app.addPrivileges(TEST_PRIVILEGES[i]);
 768         policyCount += app.getPrivileges().size();
 769
 770         appHelpers.emplace_back(std::move(app));
 771         for (auto &priv: TEST_PRIVILEGES[i]) {
 772             privToCount[priv]++;
 773         }
 774     }
 775
 776     AppInstallHelper privManager("sm_test_17_priv_manager", user.getUid());
 777     std::string privManagerAppId = privManager.getAppId();
 778     privManager.addPrivilege(SELF_PRIVILEGE);
 779     privToCount[SELF_PRIVILEGE]++;
 780     policyCount += privManager.getPrivileges().size();
 781
 782     appHelpers.emplace_back(std::move(privManager));
 783     for (const auto &app : appHelpers)
 784         scopedInstallations.emplace_back(std::move(ScopedInstaller(app)));
 785
 786     pid_t pid = fork();
 787     RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
 788     if (pid != 0)//parent process
 789     {
 790         waitPid(pid);
 791     } else {
 792         Api::setProcessLabel(privManagerAppId);
 793         RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
 794                           "drop_root_privileges failed");
 795
 796         for (const auto &privCount : privToCount) {
 797             std::vector<PolicyEntry> policyEntries;
 798             PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, privCount.first);
 799             Api::getPolicy(filter, policyEntries);
 800             RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
 801             RUNNER_ASSERT_MSG(policyEntries.size() == privCount.second,
 802                               "Number of policies doesn't match - should be: " << privCount.second
 803                                << " and is " << policyEntries.size());
 804         }
 805
 806         for (const auto &app : appHelpers) {
 807             std::vector<PolicyEntry> policyEntries;
 808             PolicyEntry filter(app.getAppId(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
 809             Api::getPolicy(filter, policyEntries);
 810             RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
 811             RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
 812                               "Number of policies doesn't match - should be: " << app.getPrivileges().size()
 813                               << " and is " << policyEntries.size());
 814         }
 815
 816         std::vector<PolicyEntry> policyEntries;
 817         PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
 818         Api::getPolicy(filter, policyEntries);
 819         RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
 820         RUNNER_ASSERT_MSG(policyEntries.size() == policyCount,
 821                           "Number of policies doesn't match - should be: " << policyCount
 822                           << " and is " << policyEntries.size());
 823
 824         exit(0);
 825     }
 826 }
 827
 828 RUNNER_CHILD_TEST(security_manager_18_privacy_manager_privacy_related_privileges_policy_install_remove)
 829 {
 830     TemporaryTestUser user("sm_test_18_username", GUM_USERTYPE_NORMAL);
 831     user.create();
 832
 833     AppInstallHelper app("sm_test_18", user.getUid());
 834     app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
 835
 836     PolicyEntry filter (app.getAppId(), user.getUidString(), SECURITY_MANAGER_ANY);
 837     std::vector<PolicyEntry> policyEntries;
 838     {
 839         PkgPrivacyPrivileges setupPrivacyPrivs(app);
 840         ScopedInstaller installer(app);
 841         unsigned int privacyNum = countPrivacyPrivileges(app.getPrivileges());
 842
 843         Api::getPolicy(filter, policyEntries);
 844
 845         RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
 846             "Number of policy entries doesn't match; should be " << app.getPrivileges().size()
 847             << " but is " << policyEntries.size());
 848
 849         if (PolicyConfiguration::getIsAskuserEnabled() ) {
 850             unsigned int privacyActNum = 0;
 851             for (auto &entry : policyEntries)
 852                 if (isPrivilegePrivacy(entry.getPrivilege())) {
 853                     RUNNER_ASSERT_MSG(entry.getCurrentLevel() == PolicyEntry::LEVEL_ASK_USER,
 854                                       "Invalid policy setup; policy should be \"Ask user\" but is "
 855                                       << entry.getCurrentLevel());
 856                     ++privacyActNum;
 857                 }
 858             RUNNER_ASSERT_MSG(privacyActNum == privacyNum,
 859                               "Should be " << privacyNum << " privacy privileges,"
 860                               "but is " << privacyActNum);
 861         }
 862     }
 863
 864     policyEntries.clear();
 865     Api::getPolicy(filter, policyEntries);
 866     RUNNER_ASSERT_MSG(policyEntries.size() == 0,
 867                       "After deinstallation, policy entries size should be 0,"
 868                       "but is: "  << policyEntries.size());
 869 }
 870
 871 void test_privacy_related_privileges(bool isHybrid) {
 872     TemporaryTestUser user("sm_test_19_username", GUM_USERTYPE_NORMAL);
 873     user.create();
 874
 875     const std::string pkgId = "sm_test_19_pkg_id";
 876
 877     AppInstallHelper app1("sm_test_19_app_id_1", pkgId, user.getUid());
 878     if (isHybrid)
 879         app1.setHybrid();
 880     app1.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
 881     PkgPrivacyPrivileges setupPrivacyPrivs1(app1);
 882     ScopedInstaller installer1(app1);
 883
 884     AppInstallHelper app2("sm_test_19_app_id_2", pkgId, user.getUid());
 885     if (isHybrid)
 886         app2.setHybrid();
 887     app2.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
 888     PkgPrivacyPrivileges setupPrivacyPrivs2(app2);
 889     ScopedInstaller installer2(app2);
 890
 891     int privacyCount1, privacyCount2;
 892     if (!PolicyConfiguration::getIsAskuserEnabled()) {
 893         privacyCount1 = 0;
 894         privacyCount2 = 0;
 895     } else if (isHybrid) {
 896         privacyCount1 = countPrivacyPrivileges(app1.getPrivileges());
 897         privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
 898     } else {
 899         privacyCount1 = privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
 900     }
 901
 902     std::vector<PolicyEntry> policyEntries;
 903     PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
 904     Api::getPolicy(filter, policyEntries);
 905
 906     int privacyAct1 = 0, privacyAct2 = 0;
 907     for (auto &entry : policyEntries) {
 908         RUNNER_ASSERT_MSG(entry.getAppId() == app1.getAppId() || entry.getAppId() == app2.getAppId(),
 909                           "Invalid appId: should be either " << app1.getAppId() << " or "
 910                           << app2.getAppId() << " but is " << entry.getAppId());
 911         if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(entry.getPrivilege())) {
 912             RUNNER_ASSERT_MSG(entry.getCurrentLevel() == PolicyEntry::LEVEL_ASK_USER,
 913                               "Invalid policy setup; policy should be \"Ask user\" but is "
 914                               << entry.getCurrentLevel());
 915             if (entry.getAppId() == app1.getAppId())
 916                 ++privacyAct1;
 917             else
 918                 ++privacyAct2;
 919         }
 920     }
 921     RUNNER_ASSERT_MSG(privacyCount1 == privacyAct1, "Should be " << privacyCount1
 922                       << " privacy privileges, but is " << privacyAct1);
 923     RUNNER_ASSERT_MSG(privacyCount2 == privacyAct2, "Should be " << privacyCount2
 924                       << " privacy privileges, but is " << privacyAct2);
 925 }
 926
 927 RUNNER_CHILD_TEST(security_manager_19a_privacy_manager_privacy_related_privileges_policy_hybrid)
 928 {
 929     test_privacy_related_privileges(true);
 930 }
 931
 932 RUNNER_CHILD_TEST(security_manager_19b_privacy_manager_privacy_related_privileges_policy_no_hybrid)
 933 {
 934     test_privacy_related_privileges(false);
 935 }
 936
 937 RUNNER_CHILD_TEST(security_manager_20_privacy_manager_privacy_related_privileges_policy_admin_check)
 938 {
 939     TemporaryTestUser user("sm_test_20_username", GUM_USERTYPE_NORMAL);
 940     user.create();
 941
 942     AppInstallHelper app("sm_test_20", user.getUid());
 943     app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
 944
 945     PkgPrivacyPrivileges setupPrivacyPrivs(app);
 946     ScopedInstaller installer(app);
 947
 948     CynaraTestAdmin::Admin admin;
 949     int policyType = CYNARA_ADMIN_ALLOW;
 950     int privacyPolicyType = -1;
 951     if (PolicyConfiguration::getIsAskuserEnabled())
 952         admin.getPolicyTypeForDescription(PolicyEntry::LEVEL_ASK_USER, privacyPolicyType);
 953
 954     for (auto &priv : app.getPrivileges()) {
 955         if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(priv)) {
 956             admin.adminCheck("", true, app.generateAppLabel().c_str(),
 957                              user.getUidString().c_str(), priv, privacyPolicyType,
 958                              nullptr);
 959         } else {
 960             admin.adminCheck("", true, app.generateAppLabel().c_str(),
 961                              user.getUidString().c_str(), priv, policyType, nullptr);
 962         }
 963     }
 964 }
 965
 966 RUNNER_CHILD_TEST(security_manager_21_fetch_app_manifest_invalid_params)
 967 {
 968     int ret = security_manager_get_app_manifest_policy(nullptr, 0, nullptr, nullptr);
 969     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_INPUT_PARAM, "Expected invalid input param, returned " << ret);
 970 }
 971
 972
 973 RUNNER_CHILD_TEST(security_manager_22_fetch_app_manifest_no_app)
 974 {
 975     char **privileges;
 976     size_t nPrivs = 0;
 977     int ret = security_manager_get_app_manifest_policy("not_existing_app_id", 0, &privileges, &nPrivs);
 978     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, "Expected no such object error, returned " << ret);
 979 }
 980
 981 RUNNER_CHILD_TEST(security_manager_23_fetch_app_manifest_invalid_user)
 982 {
 983     TemporaryTestUser user("sm_test_23_fetch_username", GUM_USERTYPE_NORMAL);
 984     user.create();
 985
 986     AppInstallHelper app("security_manager_23_fetch", user.getUid());
 987     app.setInstallType(SM_APP_INSTALL_LOCAL);
 988     app.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
 989     ScopedInstaller appInstall(app);
 990
 991     char **privileges;
 992     size_t nPrivs = 0;
 993     int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
 994     // Should security-manager check if user exists?
 995     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
 996     RUNNER_ASSERT_MSG(nPrivs == 0, "Expected empty set of privileges, returned " << nPrivs);
 997 }
 998
 999 static void check_privileges_from_manifest(const AppInstallHelper &aih, char **privileges, size_t nPrivs)
1000 {
1001     std::vector<std::string> aihPrivs = aih.getPrivilegesNames();
1002     RUNNER_ASSERT_MSG(nPrivs == aihPrivs.size(), "Expected privileges number: " << aihPrivs.size() << ", got " << nPrivs);
1003     for (size_t i = 0; i < nPrivs; ++i) {
1004         RUNNER_ASSERT_MSG(std::find(aihPrivs.begin(), aihPrivs.end(), std::string(privileges[i])) != aihPrivs.end(),
1005                           "Privilege " << privileges[i] << " not found");
1006     }
1007 }
1008
1009 RUNNER_CHILD_TEST(security_manager_24_fetch_app_manifest_global_app)
1010 {
1011     TemporaryTestUser user("sm_test_24_fetch_username", GUM_USERTYPE_NORMAL);
1012     user.create();
1013
1014     AppInstallHelper app("security_manager_24_fetch");
1015     app.setInstallType(SM_APP_INSTALL_GLOBAL);
1016     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1017     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1018     ScopedInstaller appInstall(app);
1019
1020     char **privileges;
1021     size_t nPrivs = 0;
1022
1023     int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
1024     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1025     check_privileges_from_manifest(app, privileges, nPrivs);
1026     security_manager_privileges_free(privileges, nPrivs);
1027
1028     // since app is installed globally, also for our temporary user the returned list should be the same
1029     nPrivs = 0;
1030     ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1031     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1032     check_privileges_from_manifest(app, privileges, nPrivs);
1033     security_manager_privileges_free(privileges, nPrivs);
1034 }
1035
1036 RUNNER_CHILD_TEST(security_manager_25_fetch_app_manifest_local_app)
1037 {
1038     TemporaryTestUser user("sm_test_25_fetch_username", GUM_USERTYPE_NORMAL);
1039     user.create();
1040
1041     AppInstallHelper app("security_manager_25_fetch", user.getUid());
1042     app.setInstallType(SM_APP_INSTALL_LOCAL);
1043     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1044     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1045     ScopedInstaller appInstall(app);
1046
1047     char **privileges;
1048     size_t nPrivs = 0;
1049
1050     int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1051     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1052     check_privileges_from_manifest(app, privileges, nPrivs);
1053     security_manager_privileges_free(privileges, nPrivs);
1054
1055     // since app is installed locally, if we ask for other user (ie. root), we should get empty list of privileges
1056     nPrivs = 0;
1057     ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
1058     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1059     RUNNER_ASSERT_MSG(nPrivs == 0, "Expected empty set of privileges, returned " << nPrivs);
1060 }
1061
1062 RUNNER_CHILD_TEST(security_manager_26_fetch_app_manifest_both_apps)
1063 {
1064     TemporaryTestUser user("sm_test_26_fetch_username", GUM_USERTYPE_NORMAL);
1065     user.create();
1066
1067     AppInstallHelper appGlobal("security_manager_26_fetch");
1068     appGlobal.setInstallType(SM_APP_INSTALL_GLOBAL);
1069     appGlobal.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1070     appGlobal.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1071     appGlobal.addPrivilege(std::string("http://tizen.org/privielge/contacts.read"));
1072     ScopedInstaller appGlobalInstall(appGlobal);
1073
1074     AppInstallHelper appLocal("security_manager_26_fetch", user.getUid());
1075     appLocal.setInstallType(SM_APP_INSTALL_LOCAL);
1076     appLocal.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1077     appLocal.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1078     ScopedInstaller appLocalInstall(appLocal);
1079
1080
1081     char **privileges;
1082     size_t nPrivs = 0;
1083
1084     int ret = security_manager_get_app_manifest_policy(appLocal.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1085     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1086     check_privileges_from_manifest(appLocal, privileges, nPrivs);
1087     security_manager_privileges_free(privileges, nPrivs);
1088
1089     nPrivs = 0;
1090     ret = security_manager_get_app_manifest_policy(appGlobal.getAppId().c_str(), 0, &privileges, &nPrivs);
1091     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected succes, returned " << ret);
1092     check_privileges_from_manifest(appGlobal, privileges, nPrivs);
1093     security_manager_privileges_free(privileges, nPrivs);
1094 }
1095
1096 RUNNER_CHILD_TEST(security_manager_27_fetch_app_manifest_app_context_local_positive)
1097 {
1098     TemporaryTestUser user("sm_test_27_fetch_username", GUM_USERTYPE_NORMAL);
1099     user.create();
1100
1101     AppInstallHelper app("security_manager_27_fetch", user.getUid());
1102     app.setInstallType(SM_APP_INSTALL_LOCAL);
1103     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1104     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1105     ScopedInstaller appInstall(app);
1106
1107     pid_t pid = fork();
1108     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1109     if (pid != 0) { //parent process
1110         waitPid(pid);
1111     } else { //child process
1112         Api::setProcessLabel(app.getAppId());
1113         RUNNER_ASSERT_ERRNO_MSG(
1114                 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1115                 "drop_root_privileges failed");
1116         char **privileges;
1117         size_t nPrivs = 0;
1118         int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1119         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1120         check_privileges_from_manifest(app, privileges, nPrivs);
1121         security_manager_privileges_free(privileges, nPrivs);
1122         exit(0);
1123     }
1124 }
1125
1126 RUNNER_CHILD_TEST(security_manager_28_fetch_app_manifest_app_context_global_positive)
1127 {
1128     TemporaryTestUser user("sm_test_28_fetch_username", GUM_USERTYPE_NORMAL);
1129     user.create();
1130
1131     AppInstallHelper app("security_manager_28_fetch");
1132     app.setInstallType(SM_APP_INSTALL_GLOBAL);
1133     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1134     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1135     ScopedInstaller appInstall(app);
1136
1137     pid_t pid = fork();
1138     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1139     if (pid != 0) { //parent process
1140         waitPid(pid);
1141     } else { //child process
1142         Api::setProcessLabel(app.getAppId());
1143         RUNNER_ASSERT_ERRNO_MSG(
1144                 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1145                 "drop_root_privileges failed");
1146         char **privileges;
1147         size_t nPrivs = 0;
1148         int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1149         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1150         check_privileges_from_manifest(app, privileges, nPrivs);
1151         security_manager_privileges_free(privileges, nPrivs);
1152         exit(0);
1153     }
1154 }
1155
1156 RUNNER_CHILD_TEST(security_manager_29_fetch_app_manifest_app_context_local_different_uid)
1157 {
1158     TemporaryTestUser user("sm_test_29_fetch_username", GUM_USERTYPE_NORMAL);
1159     user.create();
1160
1161     TemporaryTestUser user1("sm_test_29_fetch_username_1", GUM_USERTYPE_NORMAL);
1162     user1.create();
1163
1164     AppInstallHelper app("security_manager_29_fetch", user.getUid());
1165     app.setInstallType(SM_APP_INSTALL_LOCAL);
1166     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1167     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1168     ScopedInstaller appInstall(app);
1169
1170     AppInstallHelper app1("security_manager_29_fetch", user1.getUid());
1171     app1.setInstallType(SM_APP_INSTALL_LOCAL);
1172     app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1173     app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1174     app1.addPrivilege(std::string("http://tizen.org/privilege/contacts.read"));
1175     ScopedInstaller appInstall1(app1);
1176
1177
1178     pid_t pid = fork();
1179     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1180     if (pid != 0) { //parent process
1181         waitPid(pid);
1182     } else { //child process
1183         Api::setProcessLabel(app1.getAppId());
1184         RUNNER_ASSERT_ERRNO_MSG(
1185                 drop_root_privileges(user1.getUid(), user1.getGid()) == 0,
1186                 "drop_root_privileges failed");
1187         char **privileges;
1188         size_t nPrivs = 0;
1189         int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1190         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, "Expected auth failed, returned " << ret);
1191
1192         nPrivs = 0;
1193         ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user1.getUid(), &privileges, &nPrivs);
1194         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1195         check_privileges_from_manifest(app1, privileges, nPrivs);
1196         security_manager_privileges_free(privileges, nPrivs);
1197         exit(0);
1198     }
1199 }
1200
1201 RUNNER_CHILD_TEST(security_manager_30_fetch_app_manifest_app_context_local_different_label)
1202 {
1203     TemporaryTestUser user("sm_test_30_fetch_username", GUM_USERTYPE_NORMAL);
1204     user.create();
1205
1206     AppInstallHelper app("security_manager_30_fetch", user.getUid());
1207     app.setInstallType(SM_APP_INSTALL_LOCAL);
1208     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1209     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1210     ScopedInstaller appInstall(app);
1211
1212     AppInstallHelper app1("security_manager_30_fetch_1", user.getUid());
1213     app1.setInstallType(SM_APP_INSTALL_LOCAL);
1214     app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1215     app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1216     app1.addPrivilege(std::string("http://tizen.org/privilege/contacts.read"));
1217     ScopedInstaller appInstall1(app1);
1218
1219
1220     pid_t pid = fork();
1221     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1222     if (pid != 0) { //parent process
1223         waitPid(pid);
1224     } else { //child process
1225         Api::setProcessLabel(app1.getAppId());
1226         RUNNER_ASSERT_ERRNO_MSG(
1227                 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1228                 "drop_root_privileges failed");
1229         char **privileges;
1230         size_t nPrivs = 0;
1231         int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1232         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, "Expected auth failed, returned " << ret);
1233
1234         nPrivs = 0;
1235         ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1236         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1237         check_privileges_from_manifest(app1, privileges, nPrivs);
1238         security_manager_privileges_free(privileges, nPrivs);
1239         exit(0);
1240     }
1241 }
1242
1243 RUNNER_CHILD_TEST(security_manager_31_fetch_app_manifest_app_context_local_different_label_with_privilege)
1244 {
1245     TemporaryTestUser user("sm_test_31_fetch_username", GUM_USERTYPE_ADMIN);
1246     user.create();
1247
1248     AppInstallHelper app("security_manager_31_fetch", user.getUid());
1249     app.setInstallType(SM_APP_INSTALL_LOCAL);
1250     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1251     app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1252     ScopedInstaller appInstall(app);
1253
1254     AppInstallHelper app1("security_manager_31_fetch_1", user.getUid());
1255     app1.setInstallType(SM_APP_INSTALL_LOCAL);
1256     app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1257     app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1258     app1.addPrivilege(std::string("http://tizen.org/privilege/contacts.read"));
1259     app1.addPrivilege(std::string("http://tizen.org/privilege/internal/usermanagement"));
1260     ScopedInstaller appInstall1(app1);
1261
1262
1263     pid_t pid = fork();
1264     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1265     if (pid != 0) { //parent process
1266         waitPid(pid);
1267     } else { //child process
1268         Api::setProcessLabel(app1.getAppId());
1269         RUNNER_ASSERT_ERRNO_MSG(
1270                 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1271                 "drop_root_privileges failed");
1272         char **privileges;
1273         size_t nPrivs = 0;
1274         int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1275         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1276         check_privileges_from_manifest(app, privileges, nPrivs);
1277         security_manager_privileges_free(privileges, nPrivs);
1278
1279         nPrivs = 0;
1280         ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1281         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1282         check_privileges_from_manifest(app1, privileges, nPrivs);
1283         security_manager_privileges_free(privileges, nPrivs);
1284         exit(0);
1285     }
1286 }