From: Tomasz Swierczek <t.swierczek@samsung.com>
Date: Thu, 16 Jan 2020 09:04:46 +0000 (+0100)
Subject: Fix nss tests
X-Git-Url: http://review.tizen.org/git/?p=platform%2Fcore%2Ftest%2Fsecurity-tests.git;a=commitdiff_plain;h=600d1e1cee7e35ff3aca676fe9507cb2da838824

Fix nss tests

Adjusted to new nss implementation where daemon set of groups
is always static.

Change-Id: I50974b1cce07b1ca77d0b42118042ae0210631fa
---

diff --git a/src/security-manager-tests/common/policy_configuration.cpp b/src/security-manager-tests/common/policy_configuration.cpp
index 1259b36..208155b 100644
--- a/src/security-manager-tests/common/policy_configuration.cpp
+++ b/src/security-manager-tests/common/policy_configuration.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 
 #define CONF_DIR "/usr/share/security-manager/policy/"
 #define CONF_GROUP_FILE "privilege-group.list"
+#define CONF_SYSTEMD_PRIVS_FILE "privilege-managed-by-systemd-for-daemons.list"
 #define CONF_USER_TEMPLATE_FILE "usertype-%s.profile"
 
 namespace SecurityManagerTest {
@@ -152,6 +153,24 @@ PolicyConfiguration::GroupVector PolicyConfiguration::privToGroup(const PolicyCo
     return result;
 }
 
+PolicyConfiguration::PrivVector PolicyConfiguration::getSystemdManagedPrivs()
+{
+    PolicyConfiguration::PrivVector result;
+    std::ifstream file(CONF_DIR CONF_SYSTEMD_PRIVS_FILE);
+    if (!file.is_open()) {
+        RUNNER_ASSERT_MSG(file.is_open(),
+          "Unable to read config file " << CONF_DIR CONF_SYSTEMD_PRIVS_FILE);
+    }
+    std::string line;
+    std::regex r("^(http(.*))");
+    while (std::getline(file, line)) {
+        std::smatch m;
+        if (std::regex_search(line, m, r))
+            result.emplace_back(m[1]);
+    }
+    return result;
+}
+
 void PolicyConfiguration::loadPrivGroupMap(void) {
     std::string pgPath(CONF_DIR CONF_GROUP_FILE);
     std::ifstream file(pgPath);
diff --git a/src/security-manager-tests/common/policy_configuration.h b/src/security-manager-tests/common/policy_configuration.h
index d7bc1c1..bce5faf 100644
--- a/src/security-manager-tests/common/policy_configuration.h
+++ b/src/security-manager-tests/common/policy_configuration.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -50,12 +50,13 @@ public:
     UserDescription& getUserDescription(UserType userType);
     gid_t groupToGid(const std::string &gname);
     PrivGroupMap getPrivGroupMap();
+    PrivVector getSystemdManagedPrivs();
     GroupVector privToGroup(const PrivVector &privVector);
+    GidVector groupToGid(const GroupVector &groupVector);
 
 static bool getIsAskuserEnabled();
 
 private:
-    GidVector groupToGid(const GroupVector &groupVector);
     UserDescription loadUserDescription(UserType userType);
     PrivVector loadPrivFile(const std::string &path);
     void loadPrivGroupMap(void);
diff --git a/src/security-manager-tests/test_cases_nss.cpp b/src/security-manager-tests/test_cases_nss.cpp
index 90099e2..82ce87b 100644
--- a/src/security-manager-tests/test_cases_nss.cpp
+++ b/src/security-manager-tests/test_cases_nss.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -35,149 +35,102 @@ using namespace SecurityManagerTest;
 
 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_NSS_PLUGIN)
 
-RUNNER_CHILD_TEST(nss_01_unknown_user) {
+RUNNER_CHILD_TEST(nss_01_normal_user_without_inter_daemon_groups) {
     const std::string newUserName = "nss_01_user";
-    PolicyConfiguration pc;
     TemporaryTestUser testUser(newUserName, GUM_USERTYPE_NORMAL, false);
     testUser.create();
 
-    auto gidVector = pc.getGid();
+    UserRequest addUserRequest;
+    addUserRequest.setUid(testUser.getUid());
+    addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
+    Api::addUser(addUserRequest);
 
     RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
 
-    gid_t list[64];
-    int grsize = getgroups(64, list);
-    size_t counter = 0;
+    gid_t list[NGROUPS_MAX + 1];
+    int grsize = getgroups(NGROUPS_MAX + 1, list);
 
-    for (size_t i=0; i<gidVector.size(); ++i) {
-        for (int j=0; j<grsize; ++j)
-            if(list[j] == gidVector[i]) {
-                counter++;
-                break;
-            }
+    PolicyConfiguration pc;
+    auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
+    auto allPrivGids = pc.getGid();
+    unsigned int privGidsOther = 0;
+    for (int i = 0; i < grsize; ++i) {
+        RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
+        if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
+            ++privGidsOther;
     }
 
-    RUNNER_ASSERT_MSG(gidVector.size() == counter,
-        "Process should have all groups related with privileges but it have only " <<
-        counter << " of " << gidVector.size() << " required groups");
+    RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
+                      privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );
 }
 
-RUNNER_CHILD_TEST(nss_02_normal_user_all_priv) {
+RUNNER_CHILD_TEST(nss_02_guest_user_without_inter_daemon_groups) {
     const std::string newUserName = "nss_02_user";
-    PolicyConfiguration pc;
-    TemporaryTestUser testUser(newUserName, GUM_USERTYPE_NORMAL, false);
+    TemporaryTestUser testUser(newUserName, GUM_USERTYPE_GUEST, false);
     testUser.create();
 
-    auto gidVector = pc.getUserGid(PolicyConfiguration::NORMAL);
-
     UserRequest addUserRequest;
     addUserRequest.setUid(testUser.getUid());
-    addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
+    addUserRequest.setUserType(SM_USER_TYPE_GUEST);
     Api::addUser(addUserRequest);
 
     RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
 
-    gid_t list[64];
-    int grsize = getgroups(64, list);
-    size_t counter = 0;
+    gid_t list[NGROUPS_MAX + 1];
+    int grsize = getgroups(NGROUPS_MAX + 1, list);
 
-    for (size_t i=0; i<gidVector.size(); ++i) {
-        for (int j=0; j<grsize; ++j)
-            if(list[j] == gidVector[i]) {
-                counter++;
-                break;
-            }
+    PolicyConfiguration pc;
+    auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
+    auto allPrivGids = pc.getGid();
+    unsigned int privGidsOther = 0;
+    for (int i = 0; i < grsize; ++i) {
+        RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
+        if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
+            ++privGidsOther;
     }
 
-    RUNNER_ASSERT_MSG(gidVector.size() == counter,
-        "Process should have all groups related with privileges but it have only " <<
-        counter << " of " << gidVector.size() << " required groups");
+    RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
+                      privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );
 }
 
-RUNNER_CHILD_TEST(nss_03_normal_user_without_camera) {
+
+RUNNER_CHILD_TEST(nss_03_guest_user_without_inter_daemon_groups_unaffected_by_cynara) {
     const std::string newUserName = "nss_03_user";
-    TemporaryTestUser testUser(newUserName, GUM_USERTYPE_NORMAL, false);
+    TemporaryTestUser testUser(newUserName, GUM_USERTYPE_GUEST, false);
     testUser.create();
-    gid_t cameraPrivId = nameToGid("priv_camera");
 
     UserRequest addUserRequest;
     addUserRequest.setUid(testUser.getUid());
-    addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
+    addUserRequest.setUserType(SM_USER_TYPE_GUEST);
     Api::addUser(addUserRequest);
 
+    // Removing one more privilege from policy (that has GID associated), which should not affect nss daemon groups
     PolicyRequest policyRequest;
+
     PolicyEntry entry(
         SECURITY_MANAGER_ANY,
         std::to_string(static_cast<int>(testUser.getUid())),
         "http://tizen.org/privilege/camera");
     entry.setMaxLevel("Deny");
+
     policyRequest.addEntry(entry);
     Api::sendPolicy(policyRequest);
 
     RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
 
-    gid_t list[64];
-    int grsize = getgroups(64, list);
-    size_t counter = 0;
-
-    for (int i=0; i<grsize; ++i) {
-        if (list[i] == cameraPrivId) {
-            counter++;
-            break;
-        }
-    }
-
-    RUNNER_ASSERT_MSG(0 == counter, "Process should not have priv_camera group");
-
-    PolicyConfiguration pc;
-    auto gidVector = pc.getUserGid(PolicyConfiguration::NORMAL);
-    gidVector.erase(
-        std::remove_if(gidVector.begin(), gidVector.end(), [=](gid_t g) { return g == cameraPrivId; }),
-        gidVector.end());
-
-    for (size_t i=0; i<gidVector.size(); ++i) {
-        for (int j=0; j<grsize; ++j)
-            if(list[j] == gidVector[i]) {
-                counter++;
-                break;
-            }
-    }
-
-    RUNNER_ASSERT_MSG(gidVector.size() == counter,
-        "Process should have all groups related with privileges but it have only " <<
-        counter << " of " << gidVector.size() << " required groups");
-}
-
-RUNNER_CHILD_TEST(nss_04_guest_user) {
-    const std::string newUserName = "nss_04_user";
-    TemporaryTestUser testUser(newUserName, GUM_USERTYPE_GUEST, false);
-    testUser.create();
-
-    UserRequest addUserRequest;
-    addUserRequest.setUid(testUser.getUid());
-    addUserRequest.setUserType(SM_USER_TYPE_GUEST);
-    Api::addUser(addUserRequest);
-
-    RUNNER_ASSERT_MSG(0 == initgroups(newUserName.c_str(), 0), "Init groups failed");
-
-    gid_t list[64];
-    int grsize = getgroups(64, list);
-    size_t counter = 0;
+    gid_t list[NGROUPS_MAX + 1];
+    int grsize = getgroups(NGROUPS_MAX + 1, list);
 
     PolicyConfiguration pc;
-    auto gidVector = pc.getUserGid(PolicyConfiguration::GUEST);
-
-    for (size_t i=0; i<gidVector.size(); ++i) {
-        for (int j=0; j<grsize; ++j)
-            if(list[j] == gidVector[i]) {
-                counter++;
-                break;
-            }
+    auto sysdGidVec = pc.groupToGid(pc.privToGroup(pc.getSystemdManagedPrivs()));
+    auto allPrivGids = pc.getGid();
+    unsigned int privGidsOther = 0;
+    for (int i = 0; i < grsize; ++i) {
+        RUNNER_ASSERT_MSG(std::find(sysdGidVec.begin(), sysdGidVec.end(), list[i]) == sysdGidVec.end() , "Process should not get gid " << list[i]);
+        if (std::find(allPrivGids.begin(), allPrivGids.end(), list[i]) != allPrivGids.end())
+            ++privGidsOther;
     }
 
-    RUNNER_ASSERT_MSG(gidVector.size() == counter,
-        "Process should have all groups related with privileges but it have only " <<
-        counter << " of " << gidVector.size() << " required groups");
+    RUNNER_ASSERT_MSG(privGidsOther + sysdGidVec.size() == allPrivGids.size(), "Improper GID setup for process, has priv_*: " <<
+                      privGidsOther << ", systemd managed all: " << sysdGidVec.size() << " , all: " << allPrivGids.size() );
 }
-
-