4 #include <dpl/test/test_runner.h>
5 #include <dpl/test/test_runner_child.h>
7 #include <tests_common.h>
8 #include <ckm-common.h>
9 #include <access_provider2.h>
11 #include <ckmc/ckmc-manager.h>
12 #include <ckmc/ckmc-control.h>
13 #include <ckmc/ckmc-type.h>
14 #include <ckmc/ckmc-error.h>
16 #include <ckm/ckm-type.h>
20 const uid_t USER_ROOT = 0;
21 const char* APP_PASS = "user-pass";
22 const char* ROOT_PASS = "test-pass";
24 const char* NO_ALIAS = "definitely-non-existent-alias";
25 const char* NO_OWNER = "definitely-non-existent-owner";
27 const char* TEST_ALIAS = "test-alias";
28 const char* TEST_ALIAS2 = "test-alias2";
29 const char* TEST_ALIAS3 = "test-alias3";
31 const char* TEST_LABEL = "test-label";
32 const char* TEST_LABEL2 = "test-label2";
33 const char* TEST_LABEL3 = "test-label3";
34 const char* TEST_LABEL4 = "test-label4";
36 const char* TEST_DATA = "dsflsdkghkslhglrtghierhgilrehgidsafasdffsgfdgdgfdgfdgfdgfdggf";
38 void save_data(const char* alias, const char *data)
40 ckmc_raw_buffer_s buffer;
41 buffer.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
42 buffer.size = strlen(data);
44 policy.password = NULL;
45 policy.extractable = true;
47 int ret = ckmc_save_data(alias, buffer, policy);
48 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Saving data failed. Error: " << ret);
51 void save_data(const char* alias)
53 save_data(alias, TEST_DATA);
56 void check_remove_allowed(const char* alias)
58 int ret = ckmc_remove_data(alias);
59 // remove, but ignore non existing
60 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret || CKMC_ERROR_DB_ALIAS_UNKNOWN,
61 "Removing data failed: " << ret);
64 void check_remove_denied(const char* alias)
66 int ret = ckmc_remove_data(alias);
68 CKMC_ERROR_PERMISSION_DENIED == ret,
69 "App with different label shouldn't have rights to remove this data. Error: " << ret);
72 void check_remove_not_visible(const char* alias)
74 int ret = ckmc_remove_data(alias);
76 CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
77 "App with different label shouldn't have rights to see this data. Error: " << ret);
80 void check_read(const char* alias, const char *label, const char *test_data, int expected_code = CKMC_ERROR_NONE)
82 std::stringstream valid_address;
84 valid_address << label << ckmc_label_name_separator;
85 valid_address << alias;
87 ckmc_raw_buffer_s* buffer = NULL;
88 int ret = ckmc_get_data(valid_address.str().c_str(), NULL, &buffer);
89 RUNNER_ASSERT_MSG(expected_code == ret, "Getting data failed. Expected code: " << expected_code << ", while result code: " << ret);
91 if(expected_code == CKMC_ERROR_NONE)
93 // compare data with expected
95 buffer->size == strlen(test_data),
96 "Extracted data length do not match expected data length (encrypted?).");
99 memcmp(const_cast<const char*>(reinterpret_cast<char*>(buffer->data)), test_data, buffer->size) == 0,
100 "Extracted data do not match expected data (encrypted?).");
102 ckmc_buffer_free(buffer);
106 void check_read_allowed(const char* alias, const char *data)
108 // try to read previously saved data - label taken implicitly
109 check_read(alias, 0, data);
111 void check_read_allowed(const char* alias)
113 check_read_allowed(alias, TEST_DATA);
116 void check_read_denied(const char* alias)
118 // try to read previously saved data - label taken implicitly
120 ckmc_raw_buffer_s* buffer = NULL;
121 int ret = ckmc_get_data(alias, NULL, &buffer);
122 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
123 "App with different label shouldn't have rights to read this data. Error: " << ret);
124 ckmc_buffer_free(buffer);
128 void check_read_not_visible(const char* alias)
130 // try to read previously saved data - label taken implicitly
132 ckmc_raw_buffer_s* buffer = NULL;
133 int ret = ckmc_get_data(alias, NULL, &buffer);
134 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
135 "App with different label shouldn't have rights to see this data. Error: " << ret);
136 ckmc_buffer_free(buffer);
140 void allow_access(const char* alias, const char* accessor, ckmc_access_right_e rights)
142 // data removal should revoke this access
143 int ret = ckmc_allow_access(alias, accessor, rights);
144 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << ret);
147 void allow_access_negative(const char* alias, const char* accessor, ckmc_access_right_e rights, int expectedCode)
149 // data removal should revoke this access
150 int ret = ckmc_allow_access(alias, accessor, rights);
151 RUNNER_ASSERT_MSG(expectedCode == ret, "Trying to allow access returned: " << ret << ", while expected: " << expectedCode);
154 void deny_access(const char* alias, const char* accessor)
156 int ret = ckmc_deny_access(alias, accessor);
157 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. Error: " << ret);
160 void deny_access_negative(const char* alias, const char* accessor, int expectedCode)
162 int ret = ckmc_deny_access(alias, accessor);
163 RUNNER_ASSERT_MSG(expectedCode == ret, "Denying access failed. Error: " << ret << ", while expected: " << expectedCode);
166 void allow_access_by_adm(const char* alias, const char* accessor, ckmc_access_right_e rights)
168 // data removal should revoke this access
169 CharPtr label = get_label();
170 int ret = ckmc_allow_access_by_adm(USER_ROOT, label.get(), alias, accessor, rights);
171 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Trying to allow access returned: " << ret);
174 void deny_access_by_adm(const char* alias, const char* accessor)
176 CharPtr label = get_label();
177 int ret = ckmc_deny_access_by_adm(USER_ROOT, label.get(), alias, accessor);
178 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == ret, "Denying access failed. Error: " << ret);
183 ckmc_alias_list_s *aliasList = NULL;
184 int ret = ckmc_get_data_alias_list(&aliasList);
185 if (ret == CKMC_ERROR_DB_ALIAS_UNKNOWN)
188 RUNNER_ASSERT_MSG(ret == 0, "Failed to get the list of data aliases. Error: " << ret);
190 ckmc_alias_list_s *plist = aliasList;
197 ckmc_alias_list_all_free(aliasList);
201 void check_alias_count(int expected)
203 int count = count_aliases();
204 RUNNER_ASSERT_MSG(count == expected, "Expected " << expected << " aliases, got " << count);
207 // saves data upon construction and deletes it upon destruction
211 ScopedSaveData(const char* alias) : m_alias(alias)
215 ScopedSaveData(const char* alias, const char *data) : m_alias(alias)
217 save_data(alias, data);
223 * Let it throw. If we can't remove data then remaining tests results will be
226 check_remove_allowed(m_alias);
232 } // namespace anonymous
234 RUNNER_TEST_GROUP_INIT (T300_CKMC_ACCESS_CONTROL_C_API);
237 /////////////////////////////////////////////////////////////////////////////
239 RUNNER_TEST(T3000_init)
242 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_unlock_user_key(APP_UID, APP_PASS)),
244 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(APP_UID)),
246 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_unlock_user_key(USER_ROOT, ROOT_PASS)),
248 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(USER_ROOT)),
253 // invalid arguments check
254 RUNNER_TEST(T3001_manager_allow_access_invalid)
257 CKMC_ERROR_INVALID_PARAMETER == ckmc_allow_access(NULL, "accessor", CKMC_AR_READ));
259 CKMC_ERROR_INVALID_PARAMETER == ckmc_allow_access("alias", NULL, CKMC_AR_READ));
262 // invalid arguments check
263 RUNNER_TEST(T3002_manager_deny_access_invalid)
265 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_deny_access(NULL, "accessor"));
266 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ckmc_deny_access("alias", NULL));
269 // tries to allow access for non existing alias
270 RUNNER_CHILD_TEST(T3003_manager_allow_access_non_existing)
272 switch_to_storage_user(TEST_LABEL);
274 int ret = ckmc_allow_access(NO_ALIAS, "label", CKMC_AR_READ);
275 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
276 "Allowing access for non existing alias returned " << ret);
279 // tries to deny access for non existing alias
280 RUNNER_CHILD_TEST(T3004_manager_deny_access_non_existing)
282 switch_to_storage_user(TEST_LABEL);
284 int ret = ckmc_deny_access(NO_ALIAS, "label");
285 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
286 "Denying access for non existing alias returned " << ret);
289 // tries to deny access that does not exist in database
290 RUNNER_CHILD_TEST(T3005_manager_deny_access_non_existing_access)
292 switch_to_storage_user(TEST_LABEL);
294 ScopedSaveData ssd(TEST_ALIAS);
296 // deny non existing access to existing alias
297 int ret = ckmc_deny_access(TEST_ALIAS, "label");
298 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
299 "Denying non existing access returned: " << ret);
302 // tries to allow access to application own data
303 RUNNER_CHILD_TEST(T3006_manager_allow_access_to_myself)
305 switch_to_storage_user(TEST_LABEL);
307 ScopedSaveData ssd(TEST_ALIAS);
309 CharPtr label = get_label();
310 int ret = ckmc_allow_access(TEST_ALIAS, label.get(), CKMC_AR_READ);
311 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
312 "Trying to allow myself returned: " << ret);
315 // verifies that alias can not contain forbidden characters
316 RUNNER_CHILD_TEST(T3007_manager_check_alias_valid)
318 switch_to_storage_user(TEST_LABEL);
319 ScopedSaveData ssd(TEST_ALIAS);
321 std::string test_alias_playground = std::string("AAA BBB CCC");
322 check_read(test_alias_playground.c_str(), 0, TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
324 // control: expect success
325 check_read(TEST_ALIAS, 0, TEST_DATA);
326 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
329 // verifies that label can not contain forbidden characters
330 RUNNER_CHILD_TEST(T3008_manager_check_label_valid)
332 switch_to_storage_user(TEST_LABEL);
333 ScopedSaveData ssd(TEST_ALIAS);
336 std::string test_label_playground = std::string("AAA BBB CCC");
337 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
339 // insert part of the separator in the middle
340 test_label_playground = std::string(TEST_LABEL);
341 test_label_playground.insert(test_label_playground.size()/2, ckmc_label_name_separator);
342 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
345 test_label_playground = std::string(TEST_LABEL);
346 test_label_playground.insert(0, ckmc_label_name_separator);
347 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
350 test_label_playground = std::string(TEST_LABEL);
351 test_label_playground.append(ckmc_label_name_separator);
352 check_read(TEST_ALIAS, test_label_playground.c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
354 // control: expect success
355 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
358 // tries to access other application data without permission
359 RUNNER_TEST(T3020_manager_access_not_allowed)
361 CharPtr top_label = get_label();
363 ScopedSaveData ssd(TEST_ALIAS);
365 ScopedLabel sl(TEST_LABEL2);
367 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
368 check_read_not_visible(TEST_ALIAS_adr.c_str());
369 check_remove_not_visible(TEST_ALIAS_adr.c_str());
373 // tries to access other application data with permission
374 RUNNER_TEST(T3021_manager_access_allowed)
376 CharPtr top_label = get_label();
377 ScopedSaveData ssd(TEST_ALIAS);
379 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
381 ScopedLabel sl(TEST_LABEL2);
383 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
387 // tries to read other application data with permission for read/remove
388 RUNNER_TEST(T3022_manager_access_allowed_with_remove)
390 CharPtr top_label = get_label();
391 ScopedSaveData ssd(TEST_ALIAS);
393 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
395 ScopedLabel sl(TEST_LABEL2);
397 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
401 // tries to remove other application data with permission for reading only
402 RUNNER_TEST(T3023_manager_access_allowed_remove_denied)
404 CharPtr top_label = get_label();
405 ScopedSaveData ssd(TEST_ALIAS);
407 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
409 ScopedLabel sl(TEST_LABEL2);
411 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
412 check_remove_denied(TEST_ALIAS_adr.c_str());
413 check_read_allowed(TEST_ALIAS_adr.c_str());
417 // tries to remove other application data with permission
418 RUNNER_TEST(T3025_manager_remove_allowed)
420 CharPtr top_label = get_label();
421 ScopedSaveData ssd(TEST_ALIAS);
423 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
425 ScopedLabel sl(TEST_LABEL2);
427 check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
431 // tries to access other application data after allow function was called twice with different
433 RUNNER_TEST(T3026_manager_double_allow)
435 CharPtr top_label = get_label();
436 ScopedSaveData ssd(TEST_ALIAS);
438 // access should be overwritten
439 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
440 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
442 ScopedLabel sl(TEST_LABEL2);
444 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
445 check_remove_denied(TEST_ALIAS_adr.c_str());
446 check_read_allowed(TEST_ALIAS_adr.c_str());
450 // tries to access application data with permission and after permission has been revoked
451 RUNNER_TEST(T3027_manager_allow_deny)
453 CharPtr top_label = get_label();
454 ScopedSaveData ssd(TEST_ALIAS);
456 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
458 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
460 ScopedLabel sl(TEST_LABEL2);
462 check_remove_denied(TEST_ALIAS_adr.c_str());
463 check_read_allowed(TEST_ALIAS_adr.c_str());
466 deny_access(TEST_ALIAS, TEST_LABEL2);
468 ScopedLabel sl(TEST_LABEL2);
470 check_remove_not_visible(TEST_ALIAS_adr.c_str());
471 check_read_not_visible(TEST_ALIAS_adr.c_str());
475 RUNNER_TEST(T3028_manager_access_by_label)
477 CharPtr top_label = get_label();
478 const char *additional_data = "label-2-data";
479 ScopedSaveData ssd(TEST_ALIAS);
481 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
483 ScopedLabel sl(TEST_LABEL2);
484 ScopedSaveData ssd(TEST_ALIAS, additional_data);
485 allow_access(TEST_ALIAS, top_label.get(), CKMC_AR_READ);
487 // test if accessing valid alias (of label2 domain)
488 check_read_allowed(TEST_ALIAS, additional_data);
490 // this has to be done here - in the scope, otherwise
491 // scope destructor will remove the TEST_LABEL2::TEST_ALIAS
493 ScopedLabel sl(top_label.get());
495 // test if can access label2 alias from label1 domain - should succeed
496 check_read_allowed(aliasWithLabel(TEST_LABEL2, TEST_ALIAS).c_str(), additional_data);
500 // test if accessing valid alias (of label1 domain)
501 check_read_allowed(TEST_ALIAS);
503 // access should not be possible - already left the LABEL2 scope, object should be removed
504 check_read_not_visible(aliasWithLabel(TEST_LABEL2, TEST_ALIAS).c_str());
507 // tries to modify another label's permission
508 RUNNER_TEST(T3029_manager_access_modification_by_foreign_label)
510 ScopedLabel sl(TEST_LABEL);
511 ScopedSaveData ssd(TEST_ALIAS);
512 allow_access(TEST_ALIAS, TEST_LABEL3, CKMC_AR_READ_REMOVE);
514 ScopedLabel sl(TEST_LABEL2);
516 // create address to the other label's alias
517 std::stringstream valid_address;
518 valid_address << TEST_LABEL << ckmc_label_name_separator;
519 valid_address << TEST_ALIAS;
521 allow_access_negative(valid_address.str().c_str(), TEST_LABEL4, CKMC_AR_READ_REMOVE, CKMC_ERROR_PERMISSION_DENIED);
522 deny_access_negative(valid_address.str().c_str(), TEST_LABEL4, CKMC_ERROR_PERMISSION_DENIED);
526 // checks if only aliases readable by given app are returned
527 RUNNER_TEST(T3030_manager_get_all_aliases)
529 ScopedSaveData ssd1(TEST_ALIAS);
530 ScopedSaveData ssd2(TEST_ALIAS2);
532 int count = count_aliases();
534 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
536 ScopedLabel sl(TEST_LABEL2);
538 // check that app can access other aliases when it has permission
539 check_alias_count(count - 1);
541 ScopedSaveData ssd3(TEST_ALIAS3);
543 // check that app can access its own aliases
544 check_alias_count(count - 1 + 1);
547 deny_access(TEST_ALIAS, TEST_LABEL2);
549 ScopedLabel sl(TEST_LABEL2);
551 // check that app can't access other aliases for which permission has been revoked
552 check_alias_count(count - 2);
556 RUNNER_TEST(T3031_manager_test_decrypt_from_another_label)
559 CharPtr top_label = get_label();
560 ScopedSaveData ssd(TEST_ALIAS);
562 allow_access(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
564 ScopedLabel sl(TEST_LABEL2);
566 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
568 // remove the DKEK key - so that on read it must be added again
569 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(0)),
572 // on this read, DKEK key will be added again
573 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
578 /////////////////////////////////////////////////////////////////////////////
581 // invalid argument check
582 RUNNER_TEST(T3101_control_allow_access_invalid)
585 ret = ckmc_allow_access_by_adm(USER_ROOT, NULL, "alias", "accessor", CKMC_AR_READ);
586 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
587 ret = ckmc_allow_access_by_adm(USER_ROOT, "owner", NULL, "accessor", CKMC_AR_READ);
588 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
589 ret = ckmc_allow_access_by_adm(USER_ROOT, "owner", "alias", NULL, CKMC_AR_READ);
590 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
593 CharPtr label = get_label();
594 std::stringstream helper;
595 helper << label.get() << ckmc_label_name_separator << TEST_ALIAS;
596 ret = ckmc_allow_access_by_adm(USER_ROOT, "another-owner", helper.str().c_str(), TEST_LABEL, CKMC_AR_READ);
597 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER == ret);
600 // invalid argument check
601 RUNNER_TEST(T3102_control_deny_access_invalid)
603 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
604 ckmc_deny_access_by_adm(USER_ROOT, NULL, "alias", "accessor"));
605 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
606 ckmc_deny_access_by_adm(USER_ROOT, "owner", NULL, "accessor"));
607 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
608 ckmc_deny_access_by_adm(USER_ROOT, "owner", "alias", NULL));
611 CharPtr label = get_label();
612 std::stringstream helper;
613 helper << label.get() << ckmc_label_name_separator << TEST_ALIAS;
614 RUNNER_ASSERT(CKMC_ERROR_INVALID_PARAMETER ==
615 ckmc_deny_access_by_adm(USER_ROOT, "another-owner", helper.str().c_str(), TEST_LABEL));
618 // tries to allow access for non existing alias
619 RUNNER_TEST(T3103_control_allow_access_non_existing)
621 int ret = ckmc_allow_access_by_adm(USER_ROOT, NO_OWNER, NO_ALIAS, "label", CKMC_AR_READ);
622 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
623 "Allowing access for non existing alias returned " << ret);
626 // tries to deny access for non existing alias
627 RUNNER_TEST(T3104_control_deny_access_non_existing)
629 int ret = ckmc_deny_access_by_adm(USER_ROOT, NO_OWNER, NO_ALIAS, "label");
630 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
631 "Denying access for non existing alias returned " << ret);
634 // tries to deny non existing access
635 RUNNER_TEST(T3105_control_deny_access_non_existing_access)
637 ScopedSaveData ssd(TEST_ALIAS);
639 CharPtr label = get_label();
641 // deny non existing access to existing alias
642 int ret = ckmc_deny_access_by_adm(USER_ROOT, label.get(), TEST_ALIAS, "label");
643 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
644 "Denying non existing access returned: " << ret);
647 // tries to allow application to access its own data
648 RUNNER_TEST(T3106_control_allow_access_to_myself)
650 ScopedSaveData ssd(TEST_ALIAS);
652 CharPtr label = get_label();
653 int ret = ckmc_allow_access(TEST_ALIAS, label.get(), CKMC_AR_READ);
654 RUNNER_ASSERT_MSG(CKMC_ERROR_INVALID_PARAMETER == ret,
655 "Trying to allow myself returned: " << ret);
658 // tries to use admin API as a user
659 RUNNER_CHILD_TEST(T3110_control_allow_access_as_user)
661 switch_to_storage_user(TEST_LABEL);
662 int ret = ckmc_allow_access_by_adm(USER_ROOT, "owner", "alias", "accessor", CKMC_AR_READ);
663 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
664 "Ordinary user should not be able to use control API. Error " << ret);
667 // tries to use admin API as a user
668 RUNNER_CHILD_TEST(T3111_control_allow_access_as_user)
670 switch_to_storage_user(TEST_LABEL);
671 int ret = ckmc_deny_access_by_adm(USER_ROOT, "owner", "alias", "accessor");
672 RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret,
673 "Ordinary user should not be able to use control API. Error " << ret);
676 // tries to read other application data with permission
677 RUNNER_TEST(T3121_control_access_allowed)
679 CharPtr top_label = get_label();
680 ScopedSaveData ssd(TEST_ALIAS);
682 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
684 ScopedLabel sl(TEST_LABEL2);
686 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
690 // tries to read other application data with permission to read/remove
691 RUNNER_TEST(T3122_control_access_allowed_with_remove)
693 CharPtr top_label = get_label();
694 ScopedSaveData ssd(TEST_ALIAS);
696 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
698 ScopedLabel sl(TEST_LABEL2);
700 check_read_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
704 // tries to remove other application data with permission to read
705 RUNNER_TEST(T3122_control_access_allowed_remove_denied)
707 CharPtr top_label = get_label();
708 ScopedSaveData ssd(TEST_ALIAS);
710 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
712 ScopedLabel sl(TEST_LABEL2);
714 check_remove_denied(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
718 // tries to remove other application data with permission
719 RUNNER_TEST(T3125_control_remove_allowed)
721 CharPtr top_label = get_label();
722 ScopedSaveData ssd(TEST_ALIAS);
724 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
726 ScopedLabel sl(TEST_LABEL2);
728 check_remove_allowed(aliasWithLabel(top_label.get(), TEST_ALIAS).c_str());
732 // tries to access other application data after allow function has been called twice with different
734 RUNNER_TEST(T3126_control_double_allow)
736 CharPtr top_label = get_label();
737 ScopedSaveData ssd(TEST_ALIAS);
739 // access should be overwritten
740 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
741 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
743 ScopedLabel sl(TEST_LABEL2);
745 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
746 check_remove_denied(TEST_ALIAS_adr.c_str());
747 check_read_allowed(TEST_ALIAS_adr.c_str());
751 // tries to access other application data with permission and after permission has been revoked
752 RUNNER_TEST(T3127_control_allow_deny)
754 CharPtr top_label = get_label();
755 ScopedSaveData ssd(TEST_ALIAS);
757 std::string TEST_ALIAS_adr = aliasWithLabel(top_label.get(), TEST_ALIAS);
759 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
761 ScopedLabel sl(TEST_LABEL2);
763 check_remove_denied(TEST_ALIAS_adr.c_str());
764 check_read_allowed(TEST_ALIAS_adr.c_str());
766 CharPtr label = get_label();
767 deny_access_by_adm(TEST_ALIAS, TEST_LABEL2);
769 ScopedLabel sl(TEST_LABEL2);
771 check_remove_not_visible(TEST_ALIAS_adr.c_str());
772 check_read_not_visible(TEST_ALIAS_adr.c_str());
776 // checks if only aliases readable by given app are returned
777 RUNNER_TEST(T3130_control_get_all_aliases)
779 ScopedSaveData ssd1(TEST_ALIAS);
780 ScopedSaveData ssd2(TEST_ALIAS2);
782 int count = count_aliases();
784 allow_access_by_adm(TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ);
786 ScopedLabel sl(TEST_LABEL2);
788 // check that app can access other aliases when it has permission
789 check_alias_count(count - 1);
791 ScopedSaveData ssd3(TEST_ALIAS3);
793 // check that app can access its own aliases
794 check_alias_count(count - 1 + 1);
797 deny_access_by_adm(TEST_ALIAS, TEST_LABEL2);
799 ScopedLabel sl(TEST_LABEL2);
801 // check that app can't access other aliases for which permission has been revoked
802 check_alias_count(count - 2);
806 // tries to add access to data in a database of invalid user
807 RUNNER_TEST(T3140_control_allow_invalid_user)
809 ScopedSaveData ssd(TEST_ALIAS);
811 CharPtr label = get_label();
812 int ret = ckmc_allow_access_by_adm(
813 APP_UID, label.get(), TEST_ALIAS, TEST_LABEL2, CKMC_AR_READ_REMOVE);
814 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
815 "Trying to allow access to invalid user returned: " << ret);
818 // tries to revoke access to data in a database of invalid user
819 RUNNER_TEST(T3141_control_deny_invalid_user)
821 ScopedSaveData ssd(TEST_ALIAS);
823 CharPtr label = get_label();
824 int ret = ckmc_deny_access_by_adm(APP_UID, label.get(), TEST_ALIAS, TEST_LABEL2);
825 RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
826 "Trying to deny access to invalid user returned: " << ret);
830 RUNNER_TEST(T3999_deinit)
833 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(APP_UID)),
835 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(APP_UID)),
837 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_lock_user_key(USER_ROOT)),
839 RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == (temp = ckmc_remove_user_data(USER_ROOT)),