From: Bartlomiej Grzelewski Date: Fri, 11 Sep 2015 12:45:43 +0000 (+0200) Subject: CKMI: Add ckm-integration tests. X-Git-Tag: security-manager_5.5_testing~9^2~50 X-Git-Url: http://review.tizen.org/git/?p=platform%2Fcore%2Ftest%2Fsecurity-tests.git;a=commitdiff_plain;h=9544a3ff01fe88e1ec41ae66daead0840deb9343 CKMI: Add ckm-integration tests. Change-Id: I6a253a2a763e49d61c4b758b87ac240f06536bff --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 8b76681..c20c6bc 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -81,6 +81,7 @@ ENDIF(SMACK_ENABLE) ############################# Targets names ################################### SET(TARGET_CKM_TESTS "ckm-tests") +SET(TARGET_CKMI_TESTS "ckm-integration-tests") SET(COMMON_TARGET_TEST "tests-common") ############################# subdirectories ################################## diff --git a/packaging/security-tests.manifest b/packaging/security-tests.manifest index 9a62ddc..dc31795 100644 --- a/packaging/security-tests.manifest +++ b/packaging/security-tests.manifest @@ -18,6 +18,7 @@ + diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec index 54174ce..3ecc230 100644 --- a/packaging/security-tests.spec +++ b/packaging/security-tests.spec @@ -105,6 +105,7 @@ echo "security-tests postinst done ..." /usr/bin/test-app-wgt /usr/bin/cynara-test /usr/bin/ckm-tests +/usr/bin/ckm-integration-tests /usr/share/ckm-test/* /etc/security-tests /usr/lib/security-tests/cynara-tests/plugins/single-policy/* diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index dfc23dc..a73e120 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -83,6 +83,7 @@ INSTALL(FILES ADD_SUBDIRECTORY(common) ADD_SUBDIRECTORY(ckm) +ADD_SUBDIRECTORY(ckm-integration) ADD_SUBDIRECTORY(libprivilege-control-tests) ADD_SUBDIRECTORY(libsmack-tests) ADD_SUBDIRECTORY(smack-dbus-tests) diff --git a/src/ckm-integration/CMakeLists.txt b/src/ckm-integration/CMakeLists.txt new file mode 100644 index 0000000..9ee8ce4 --- /dev/null +++ b/src/ckm-integration/CMakeLists.txt @@ -0,0 +1,55 @@ +# Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# @file CMakeLists.txt +# @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) +# @brief +# + +INCLUDE(FindPkgConfig) + +PKG_CHECK_MODULES(CKMI_DEP + REQUIRED + libsmack + libgum + key-manager + security-manager + dbus-1 + vconf + REQUIRED) + +SET(CKMI_SOURCES_DIR ${PROJECT_SOURCE_DIR}/src/ckm-integration) + +SET(CKMI_SOURCES + ${CKMI_SOURCES_DIR}/process-settings/change-uid.cpp + ${CKMI_SOURCES_DIR}/process-settings/create-user.cpp + ${CKMI_SOURCES_DIR}/process-settings/change-smack.cpp + ${CKMI_SOURCES_DIR}/process-settings/install-app.cpp + ${CKMI_SOURCES_DIR}/process-settings/unlock-ckm.cpp + ${CKMI_SOURCES_DIR}/ckm-policy.cpp + ${CKMI_SOURCES_DIR}/group01.cpp + ${CKMI_SOURCES_DIR}/group02.cpp + ${CKMI_SOURCES_DIR}/main.cpp +) + +INCLUDE_DIRECTORIES(SYSTEM ${CKMI_DEP_INCLUDE_DIRS}) +INCLUDE_DIRECTORIES(${PROJECT_SOURCE_DIR}/src/common/ ) +INCLUDE_DIRECTORIES(${PROJECT_SOURCE_DIR}/src/ckm-integration/ ) + +ADD_EXECUTABLE(${TARGET_CKMI_TESTS} ${CKMI_SOURCES}) + +TARGET_LINK_LIBRARIES(${TARGET_CKMI_TESTS} ${CKMI_DEP_LIBRARIES} ${COMMON_TARGET_TEST}) + +INSTALL(TARGETS ${TARGET_CKMI_TESTS} DESTINATION bin) + diff --git a/src/ckm-integration/ckm-policy.h b/src/ckm-integration/ckm-policy.h index 1051141..967e580 100644 --- a/src/ckm-integration/ckm-policy.h +++ b/src/ckm-integration/ckm-policy.h @@ -26,6 +26,7 @@ #include #include #include +#include class CKMPolicy : public ProcessSettings::Policy { public: diff --git a/src/ckm-integration/group01.cpp b/src/ckm-integration/group01.cpp new file mode 100644 index 0000000..3b75177 --- /dev/null +++ b/src/ckm-integration/group01.cpp @@ -0,0 +1,120 @@ +/* + * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/* + * @file group01.cpp + * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @version 1.0 + */ +#include +#include + +#include +#include + +#include +#include +#include +#include + +#include + +typedef ProcessSettings::Executor< + CKMPolicy, + ProcessSettings::CreateUser, + ProcessSettings::InstallApp, + ProcessSettings::ChangeSmack, + ProcessSettings::ChangeUid> ProcSettings; + +RUNNER_TEST_GROUP_INIT(GROUP_01_ControlApiAccess); + +RUNNER_CHILD_TEST(G01T01_ControlNegative) { + // Socket is secured with 0700 + // in this test we have no access to this socket + // DAC should DENIED access to CKM + ProcSettings ps("PkgIdG01T01", "UserG01T01", PrivNone); + ps.Apply(); + + int temp; + auto control = CKM::Control::create(); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = control->removeUserData(ps.GetUid())), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = control->resetUserPassword(ps.GetUid(), + "simple-password")), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = control->resetUserPassword(ps.GetUid(), "something")), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = control->unlockUserKey(ps.GetUid(), "test-pass")), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = control->lockUserKey(ps.GetUid())), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = control->resetUserPassword(ps.GetUid(), "something")), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = control->removeUserData(ps.GetUid())), + "Error=" << CKM::ErrorToString(temp)); +} + +RUNNER_CHILD_TEST(G01T02_ControlPositive) { + // We have root privileges. + // We should be able to control data. + // The cynara should give us an access. + uid_t USER_UID = 5102; + int temp; + auto control = CKM::Control::create(); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = control->removeUserData(USER_UID)), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = control->resetUserPassword(USER_UID, + "simple-password")), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = control->resetUserPassword(USER_UID, "something")), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = control->unlockUserKey(USER_UID, "test-pass")), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = control->lockUserKey(USER_UID)), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_BAD_REQUEST == (temp = control->resetUserPassword(USER_UID, "something")), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = control->removeUserData(USER_UID)), + "Error=" << CKM::ErrorToString(temp)); +} + diff --git a/src/ckm-integration/group02.cpp b/src/ckm-integration/group02.cpp new file mode 100644 index 0000000..98320c6 --- /dev/null +++ b/src/ckm-integration/group02.cpp @@ -0,0 +1,173 @@ +/* + * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/* + * @file group02.cpp + * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @version 1.0 + */ + +#include +#include + +#include +#include + +#include +#include +#include +#include + +#include + +typedef ProcessSettings::Executor< + CKMPolicy, + ProcessSettings::CreateUser, + ProcessSettings::UnlockCkm, + ProcessSettings::InstallApp, + ProcessSettings::ChangeSmack, + ProcessSettings::ChangeUid> PS; + +typedef ProcessSettings::Executor< + CKMPolicy, + ProcessSettings::CreateUser, + ProcessSettings::UnlockCkm, + ProcessSettings::InstallApp, + ProcessSettings::ChangeSmack> PSNoUid; + +typedef ProcessSettings::Executor< + CKMPolicy, + ProcessSettings::ChangeUid> PSUid; + +RUNNER_TEST_GROUP_INIT(GROUP_02_StorageApiAccess); + +RUNNER_CHILD_TEST(G02T01_StorageNegative) { + // We are ordinary user without any privileges. + // Cynara should deny all accesses. + PS ps("PkgIdG02T01", "UserG02T01", PrivNone); + ps.Apply(); + + int temp; + auto manager = CKM::Manager::create(); + std::string data = "Custom data"; + CKM::RawBuffer rawBuffer(data.begin(), data.end()); + CKM::RawBuffer output; + const char *alias = "dataG02T01"; + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = manager->saveData(alias, rawBuffer, CKM::Policy())), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = manager->getData(alias, CKM::Password(), output)), + "Error=" << CKM::ErrorToString(temp)); +} + +RUNNER_CHILD_TEST(G02T02_StoragePositive) { + // We are root. We will be allowed. + int temp; + auto manager = CKM::Manager::create(); + std::string data = "Custom data"; + CKM::RawBuffer rawBuffer(data.begin(), data.end()); + CKM::RawBuffer output; + const char *alias = "/System dataG02T02"; + + // This funciton may return error. + manager->removeAlias(alias); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = manager->saveData(alias, rawBuffer, CKM::Policy())), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = manager->getData(alias, CKM::Password(), output)), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG(rawBuffer == output, "Data mismatch."); +} + +RUNNER_CHILD_TEST(G02T03_StoragePositive) { + // We are oridinary user with proper privileges. + PS ps("PkgIdG02T03", "UserG02T03", PrivCKMStore); + ps.Apply(); + + int temp; + auto manager = CKM::Manager::create(); + std::string data = "Custom data"; + CKM::RawBuffer rawBuffer(data.begin(), data.end()); + CKM::RawBuffer output; + const char *dataAlias = "dataG02T03"; + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = manager->saveData(dataAlias, rawBuffer, CKM::Policy())), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = manager->getData(dataAlias, CKM::Password(), output)), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG(rawBuffer == output, "Data mismatch."); +} + +RUNNER_CHILD_TEST(G02T04_StorageNegative) { + // There is some user with privileges but we are + // are ordinary user without any. + // Cynara should deny all accesses. + PSNoUid ps("PkgIdG02T04", "UserG02T04", PrivCKMBoth); + ps.Apply(); + + PSUid ps2("", "", PrivNone); + ps2.SetUid(ps.GetUid()+1); + ps2.Apply(); + + int temp; + auto manager = CKM::Manager::create(); + std::string data = "Custom data"; + CKM::RawBuffer rawBuffer(data.begin(), data.end()); + CKM::RawBuffer output; + const char *alias = "dataG02T04"; + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = manager->saveData(alias, rawBuffer, CKM::Policy())), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = manager->getData(alias, CKM::Password(), output)), + "Error=" << CKM::ErrorToString(temp)); +} + +RUNNER_CHILD_TEST(G02T05_StorageNegative) { + // We have wrong privilege. + // Cynara should deny all accesses to storage. + PSNoUid ps("PkgIdG02T05", "UserG02T05", PrivCKMControl); + ps.Apply(); + + int temp; + auto manager = CKM::Manager::create(); + std::string data = "Custom data"; + CKM::RawBuffer rawBuffer(data.begin(), data.end()); + CKM::RawBuffer output; + const char *alias = "dataG02T05"; + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = manager->saveData(alias, rawBuffer, CKM::Policy())), + "Error=" << CKM::ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = manager->getData(alias, CKM::Password(), output)), + "Error=" << CKM::ErrorToString(temp)); +} + + diff --git a/src/ckm-integration/main.cpp b/src/ckm-integration/main.cpp new file mode 100644 index 0000000..6c5ea6b --- /dev/null +++ b/src/ckm-integration/main.cpp @@ -0,0 +1,27 @@ +/* + * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/* + * @file main.cpp + * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @version 1.0 + */ +#include + +int main (int argc, char *argv[]) { + return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv); +} + + diff --git a/src/ckm-integration/process-settings/create-user.cpp b/src/ckm-integration/process-settings/create-user.cpp index 48c9f3f..0a5b05c 100644 --- a/src/ckm-integration/process-settings/create-user.cpp +++ b/src/ckm-integration/process-settings/create-user.cpp @@ -42,7 +42,7 @@ void CreateUser::Apply() g_object_set(G_OBJECT(m_guser), "usertype", m_userType, NULL); g_object_set(G_OBJECT(m_guser), "username", m_userName.c_str(), NULL); gboolean added = gum_user_add_sync(m_guser); - RUNNER_ASSERT_MSG(added, "Failed to add user"); + RUNNER_ASSERT_MSG(added, "Failed to add user: " << m_userName); g_object_get(G_OBJECT(m_guser), "uid", &m_uid, NULL); RUNNER_ASSERT_MSG(m_uid != 0, "Something strange happened during user creation. uid == 0."); g_object_get(G_OBJECT(m_guser), "gid", &m_gid, NULL);