--- /dev/null
+/*
+ * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <functional>
+#include <string>
+#include <sys/types.h>
+#include <sys/un.h>
+#include <unistd.h>
+
+#include <cynara_test_client.h>
+#include <dpl/test/test_runner.h>
+#include <sm_api.h>
+#include <sm_commons.h>
+#include <sm_request.h>
+#include <tests_common.h>
+#include <tzplatform.h>
+#include <app_install_helper.h>
+#include <scoped_installer.h>
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_APP_DEFINED_PRIVILEGE)
+
+using namespace SecurityManagerTest;
+
+RUNNER_CHILD_TEST(app_defined_01_global_install_untrusted)
+{
+ const std::string privilege = "http://tizen.org/applicationDefinedPrivilege/app_defined_01";
+ const app_defined_privilege_type type = SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED;
+ const std::string providerAppId = "app_def_01_provider_appid";
+ const std::string consumerAppId = "app_def_01_client_appid";
+ const std::string ownerId = "5001";
+ const std::string session = "S0M3S3SSI0N";
+
+ AppInstallHelper provider(providerAppId);
+ AppInstallHelper consumer(consumerAppId);
+
+ std::string consumerLabel = consumer.generateAppLabel();
+
+ provider.addAppDefinedPrivilege(std::make_pair(privilege, type));
+ consumer.addPrivilege(privilege);
+
+ ScopedInstaller req1(provider);
+ ScopedInstaller req2(consumer);
+
+ CynaraTestClient::Client cynara;
+ cynara.check(consumerLabel, session, ownerId, privilege, CYNARA_API_ACCESS_ALLOWED);
+
+ // uninstall provider
+ req1.uninstallApp();
+
+ cynara.check(consumerLabel, session, ownerId, privilege, CYNARA_API_ACCESS_DENIED);
+}
+
+RUNNER_CHILD_TEST(app_defined_02_global_install_licensed)
+{
+ const std::string privilege = "http://tizen.org/licensedPrivilege/app_defined_02";
+ const app_defined_privilege_type type = SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED;
+ const std::string providerAppId = "app_def_02_provider_appid";
+ const std::string consumerAppId = "app_def_02_client_appid";
+ const std::string ownerId = "5001";
+ const std::string session = "S0M33S3SSI0N";
+
+ AppInstallHelper provider(providerAppId);
+ AppInstallHelper consumer(consumerAppId);
+
+ std::string consumerLabel = consumer.generateAppLabel();
+
+ provider.addAppDefinedPrivilege(std::make_pair(privilege, type));
+ consumer.addPrivilege(privilege);
+
+ ScopedInstaller req1(provider);
+ ScopedInstaller req2(consumer);
+
+ CynaraTestClient::Client cynara;
+ cynara.check(consumerLabel, session, ownerId, privilege, CYNARA_API_ACCESS_ALLOWED);
+
+ // uninstall provider
+ req1.uninstallApp();
+
+ cynara.check(consumerLabel, session, ownerId, privilege, CYNARA_API_ACCESS_DENIED);
+}
+
+RUNNER_CHILD_TEST(app_defined_03_database_update)
+{
+ // Because of a bug in implementation during installation of
+ // providerB privileges of providerA were deleted from cynara
+ // database. This test should check if bug was fixed.
+ const std::string privilegeA = "http://tizen.org/licensedPrivilege/app_defined_03a";
+ const std::string privilegeB = "http://tizen.org/licensedPrivilege/app_defined_03b";
+ const app_defined_privilege_type type = SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED;
+ const std::string providerAppIdA = "app_def_03a_provider_appid";
+ const std::string providerAppIdB = "app_def_03b_provider_appid";
+ const std::string consumerAppId = "app_def_03_client_appid";
+ const std::string ownerId = "5001";
+ const std::string session = "S0M33S3SSI0N";
+
+ AppInstallHelper providerA(providerAppIdA);
+ AppInstallHelper providerB(providerAppIdB);
+ AppInstallHelper consumer(consumerAppId);
+
+ std::string consumerLabel = consumer.generateAppLabel();
+
+ providerA.addAppDefinedPrivilege(std::make_pair(privilegeA, type));
+ providerB.addAppDefinedPrivilege(std::make_pair(privilegeB, type));
+ consumer.addPrivilege(privilegeA);
+ consumer.addPrivilege(privilegeB);
+
+ ScopedInstaller req1(providerA);
+ ScopedInstaller req2(providerB);
+ ScopedInstaller req3(consumer);
+
+ CynaraTestClient::Client cynara;
+ cynara.check(consumerLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+
+ // uninstall providerA
+ req1.uninstallApp();
+
+ cynara.check(consumerLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+
+ // uninstall providerB
+ req2.uninstallApp();
+
+ cynara.check(consumerLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_DENIED);
+}
+
+RUNNER_CHILD_TEST(app_defined_04_app_update)
+{
+ const std::string privilegeA = "http://tizen.org/licensedPrivilege/app_defined_04a";
+ const std::string privilegeB = "http://tizen.org/applicationDefinedPrivilege/app_defined_04b";
+ const std::string privilegeC = "http://tizen.org/licensedPrivilege/app_defined_04c";
+ const std::string providerAppId = "app_def_04_provider_appid";
+ const std::string consumerAppId = "app_def_04_client_appid";
+ const std::string ownerId = "5001";
+ const std::string session = "S0M33S3SSI0N";
+
+ AppInstallHelper providerV1(providerAppId);
+ AppInstallHelper providerV2(providerAppId);
+ AppInstallHelper consumer(consumerAppId);
+
+ std::string consumerLabel = consumer.generateAppLabel();
+
+ providerV1.addAppDefinedPrivilege(std::make_pair(privilegeA, SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED));
+ providerV1.addAppDefinedPrivilege(std::make_pair(privilegeB, SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED));
+ consumer.addPrivilege(privilegeA);
+ consumer.addPrivilege(privilegeB);
+ consumer.addPrivilege(privilegeC);
+
+ ScopedInstaller req1(providerV1);
+ ScopedInstaller req2(consumer);
+
+ CynaraTestClient::Client cynara;
+ cynara.check(consumerLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerLabel, session, ownerId, privilegeC, CYNARA_API_ACCESS_DENIED);
+
+ // update provider version, remove privilegeA, add privilegeC
+ providerV2.addAppDefinedPrivilege(std::make_pair(privilegeB, SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED));
+ providerV2.addAppDefinedPrivilege(std::make_pair(privilegeC, SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED));
+ ScopedInstaller req3(providerV2);
+
+ cynara.check(consumerLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerLabel, session, ownerId, privilegeC, CYNARA_API_ACCESS_ALLOWED);
+}
+
+RUNNER_CHILD_TEST(app_defined_05_global_local_install)
+{
+ const std::string privilegeA = "http://tizen.org/licensedPrivilege/app_defined_05a";
+ const std::string privilegeB = "http://tizen.org/applicationDefinedPrivilege/app_defined_05b";
+ const std::string privilegeC = "http://tizen.org/applicationDefinedPrivilege/app_defined_05c";
+ const std::string providerAppId = "app_def_05_provider_appid";
+ const std::string consumerAppId = "app_def_05_client_appid";
+ const std::string ownerId = "5001";
+ const std::string bobId = "5002";
+ const std::string session = "S0M33S3SSI0N";
+
+ AppInstallHelper providerGlobal(providerAppId);
+ AppInstallHelper providerLocal(providerAppId, 5002);
+ AppInstallHelper consumerGlobal(consumerAppId);
+ AppInstallHelper consumerLocal(consumerAppId, 5002);
+
+ std::string consumerGlobalLabel = consumerGlobal.generateAppLabel();
+ std::string consumerLocalLabel = consumerLocal.generateAppLabel();
+
+ providerGlobal.addAppDefinedPrivilege(std::make_pair(privilegeA, SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED));
+ providerGlobal.addAppDefinedPrivilege(std::make_pair(privilegeC, SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED));
+
+ providerLocal.addAppDefinedPrivilege(std::make_pair(privilegeA, SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED));
+ providerLocal.addAppDefinedPrivilege(std::make_pair(privilegeB, SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED));
+
+ consumerGlobal.addPrivilege(privilegeA);
+ consumerGlobal.addPrivilege(privilegeB);
+ consumerGlobal.addPrivilege(privilegeC);
+
+ consumerLocal.addPrivilege(privilegeB);
+ consumerLocal.addPrivilege(privilegeC);
+
+ CynaraTestClient::Client cynara;
+
+ // local provider only and global consumer only
+ ScopedInstaller req1(providerLocal);
+ ScopedInstaller req2(consumerGlobal);
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeC, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerGlobalLabel, session, bobId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerGlobalLabel, session, bobId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerGlobalLabel, session, bobId, privilegeC, CYNARA_API_ACCESS_DENIED);
+
+ // local provider only and global/local consumer
+ ScopedInstaller req3(consumerLocal);
+ cynara.check(consumerLocalLabel, session, bobId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerLocalLabel, session, bobId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerLocalLabel, session, bobId, privilegeC, CYNARA_API_ACCESS_DENIED);
+
+ // global/local provider and global/local consumer
+ ScopedInstaller req4(providerGlobal);
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeC, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerLocalLabel, session, bobId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerLocalLabel, session, bobId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+ //cynara.check(consumerLocalLabel, session, bobId, privilegeC, CYNARA_API_ACCESS_DENIED);
+
+ // global provider only and global/local consumer
+ req1.uninstallApp();
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeC, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerLocalLabel, session, bobId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerLocalLabel, session, bobId, privilegeB, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerLocalLabel, session, bobId, privilegeC, CYNARA_API_ACCESS_ALLOWED);
+
+ // global provider only and global consumer only
+ req3.uninstallApp();
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_DENIED);
+ cynara.check(consumerGlobalLabel, session, ownerId, privilegeC, CYNARA_API_ACCESS_ALLOWED);
+}
+
+RUNNER_CHILD_TEST(app_defined_06_get_provider)
+{
+ int result;
+ char *pkgId = nullptr;
+ char *appId = nullptr;
+ const std::string privilegeA = "http://tizen.org/applicationDefinedPrivilege/app_defined_06a";
+ const std::string privilegeB = "http://tizen.org/applicationDefinedPrivilege/app_defined_06b";
+ const app_defined_privilege_type type = SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED;
+ const std::string providerId = "app_def_06_provider";
+ uid_t uid = 5001;
+
+ AppInstallHelper providerGlobal(providerId);
+ AppInstallHelper providerLocal(providerId, uid);
+ providerGlobal.addAppDefinedPrivilege(std::make_pair(privilegeB, type));
+ providerLocal.addAppDefinedPrivilege(std::make_pair(privilegeA, type));
+ ScopedInstaller req1(providerGlobal);
+ ScopedInstaller req2(providerLocal);
+
+ result = security_manager_identify_privilege_provider("noExistingPrivilege", uid, &pkgId, &appId);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(appId == nullptr);
+ RUNNER_ASSERT(pkgId == nullptr);
+
+ result = security_manager_identify_privilege_provider(privilegeA.c_str(), uid+1, &pkgId, &appId);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(appId == nullptr);
+ RUNNER_ASSERT(pkgId == nullptr);
+
+ result = security_manager_identify_privilege_provider(privilegeA.c_str(), uid, nullptr, nullptr);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_INPUT_PARAM);
+
+ result = security_manager_identify_privilege_provider(privilegeA.c_str(), uid, &pkgId, nullptr);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege provider failed");
+ RUNNER_ASSERT(pkgId && std::string(pkgId) == providerLocal.getPkgId());
+ free(pkgId);
+ pkgId = nullptr;
+
+ result = security_manager_identify_privilege_provider(privilegeA.c_str(), uid, nullptr, &appId);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege provider failed");
+ RUNNER_ASSERT(appId && std::string(appId) == providerLocal.getAppId());
+ free(appId);
+ appId = nullptr;
+
+ result = security_manager_identify_privilege_provider(privilegeA.c_str(), uid, &pkgId, &appId);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege provider failed");
+ RUNNER_ASSERT(appId && std::string(appId) == providerLocal.getAppId());
+ RUNNER_ASSERT(pkgId && std::string(pkgId) == providerLocal.getPkgId());
+ free(appId);
+ free(pkgId);
+ appId = nullptr;
+ pkgId = nullptr;
+
+ result = security_manager_identify_privilege_provider(privilegeB.c_str(), uid, &pkgId, &appId);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege provider failed");
+ RUNNER_ASSERT(appId && std::string(appId) == providerGlobal.getAppId());
+ RUNNER_ASSERT(pkgId && std::string(pkgId) == providerGlobal.getPkgId());
+ free(appId);
+ free(pkgId);
+ appId = nullptr;
+ pkgId = nullptr;
+}