Security-59754.80.3.tar.gz
1//
2// si-76-shared-credentials.c
3// sec
4//
5
6
7#include <CoreFoundation/CoreFoundation.h>
8#include <Security/SecBasePriv.h>
9#include <Security/SecCertificate.h>
10#include <Security/SecCertificatePriv.h>
11#include <Security/SecCertificateInternal.h>
12#include <Security/SecItem.h>
13#include <Security/SecItemPriv.h>
14#include <Security/SecIdentityPriv.h>
15#include <Security/SecIdentity.h>
16#include <Security/SecPolicy.h>
17#include <Security/SecPolicyPriv.h>
18#include <Security/SecPolicyInternal.h>
19#include <Security/SecSharedCredential.h>
20#include <Security/SecCMS.h>
21#include <utilities/SecCFWrappers.h>
22#include <stdlib.h>
23#include <unistd.h>
24
25#include "Security_regressions.h"
26
b04fe171 27#if TARGET_OS_IOS
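/*
 * Spin the default run loop in 0.1 s slices for as long as X stays true.
 * Wrapped in do { } while (0) so that `WAIT_WHILE(x);` is a single statement
 * and stays safe inside an unbraced if/else.
 * There is no timeout: if the completion handler that clears X never runs,
 * the calling test hangs instead of failing.
 */
#define WAIT_WHILE(X) do { while ((X)) { (void)CFRunLoopRunInMode(kCFRunLoopDefaultMode, 0.1, TRUE); } } while (0)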
30
/*
 * Returns true when status is one of the two error codes this test always
 * tolerates: errSecMissingEntitlement or errSecBadReq.
 * NOTE(review): presumably these are what a test binary without a proper
 * teamID-enabled application identifier receives -- confirm against the
 * shared web credential implementation.
 */
static bool expected_failure(OSStatus status)
{
    if (status == errSecMissingEntitlement) {
        return true;
    }
    return status == errSecBadReq;
}
36
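/*
 * NULL-tolerant element count for the array handed to a
 * SecRequestSharedWebCredential completion handler.
 * CFArrayGetCount() must not be called with NULL, and this file does not show
 * whether the API always passes an array on its error paths, so a missing
 * array is counted as empty.
 */
static CFIndex credential_count(CFArrayRef credentials)
{
    return credentials ? CFArrayGetCount(credentials) : 0;
}

/*
 * Exercises SecAddSharedWebCredential and SecRequestSharedWebCredential:
 * a request for a domain we are not entitled to, add/update of two accounts on
 * one server, lookups with and without an account, deletion, and a final
 * lookup that should find nothing. Emits 12 assertions in total.
 *
 * Coverage caveat: every step maps errSecMissingEntitlement / errSecBadReq
 * (and errSecAuthFailed or errSecItemNotFound, depending on the step) to the
 * passing outcome. When the test binary lacks a usable application identifier
 * the whole function therefore passes without a credential ever being stored
 * or returned; it then only shows that each call completes with a tolerated
 * status.
 *
 * NOTE(review): the __block flags are plain bools polled by WAIT_WHILE; if the
 * completion handlers run off the calling thread they are read and written
 * without synchronization -- confirm.
 */
static void tests(void)
{
    // look up our entry for localhost
    CFStringRef acct1 = CFSTR("local");
    CFStringRef acct2 = CFSTR("admin");
    CFStringRef fqdn = CFSTR("localhost");
    CFStringRef not_my_fqdn = CFSTR("store.apple.com"); // something we aren't entitled to share
    __block bool adding;
    __block bool requesting;
    __block bool deleting;

//  UInt8 buf[6] = { 'l', 'o', 'c', 'a', 'l', '\0' };
//  CFDataRef cred = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)&buf, sizeof(buf));
    CFStringRef cred = CFStringCreateCopy(kCFAllocatorDefault, CFSTR("local"));

    // should get denied if we request a fqdn which is not in our entitlement
    // (errSecItemNotFound is accepted too, so this check cannot tell an
    // entitlement denial apart from "nothing stored for that domain")
    requesting = true;
    SecRequestSharedWebCredential(not_my_fqdn, NULL, ^void (CFArrayRef credentials, CFErrorRef error) {
        OSStatus status = (OSStatus)((error) ? CFErrorGetCode(error) : errSecSuccess);
        is(status == errSecItemNotFound || expected_failure(status), true, "fqdn not entitled");
        is(credential_count(credentials) > 0, false, "returned credential array == 0");
        requesting = false;
    });
    WAIT_WHILE(requesting);

    // add (or update) credentials for two different accounts on the same server
    adding = true;
    SecAddSharedWebCredential(fqdn, acct1, cred, ^void (CFErrorRef error) {
        OSStatus status = (OSStatus)((error) ? CFErrorGetCode(error) : errSecSuccess);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect auth failure
        if (status == errSecAuthFailed || expected_failure(status)) { status = errSecSuccess; }
        ok_status(status);
        adding = false;
    });
    WAIT_WHILE(adding);

    adding = true;
    SecAddSharedWebCredential(fqdn, acct2, cred, ^void (CFErrorRef error) {
        OSStatus status = (OSStatus)((error) ? CFErrorGetCode(error) : errSecSuccess);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect auth failure
        if (status == errSecAuthFailed || expected_failure(status)) { status = errSecSuccess; }
        ok_status(status);
        adding = false;
    });
    WAIT_WHILE(adding);

    // look up credential with specific account
    requesting = true;
    SecRequestSharedWebCredential(fqdn, acct1, ^void (CFArrayRef credentials, CFErrorRef error) {
        OSStatus status = (OSStatus)((error) ? CFErrorGetCode(error) : errSecSuccess);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect no items
        bool notFound = false;
        if (status == errSecItemNotFound || expected_failure(status)) {
            status = errSecSuccess; notFound = true;
        }
        ok_status(status);

        // should find only one credential if a specific account is provided
        CFIndex credentialCount = credential_count(credentials);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect 0 items
        if (credentialCount == 0 && notFound) { credentialCount = 1; }
        is(credentialCount == 1, true, "returned credentials == 1");
        requesting = false;
    });
    WAIT_WHILE(requesting);

    // look up credential with NULL account parameter
    requesting = true;
    SecRequestSharedWebCredential(fqdn, NULL, ^void (CFArrayRef credentials, CFErrorRef error) {
        OSStatus status = (OSStatus)((error) ? CFErrorGetCode(error) : errSecSuccess);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect no items
        bool notFound = false;
        if (status == errSecItemNotFound || expected_failure(status)) {
            status = errSecSuccess; notFound = true;
        }
        ok_status(status);

        // should find only one credential if no account is provided
        // (since UI dialog only permits one credential to be selected)
        CFIndex credentialCount = credential_count(credentials);
        // TODO: need a proper teamID-enabled application identifier to succeed
        if (credentialCount == 0 && notFound) { credentialCount = 1; }
        is(credentialCount == 1, true, "returned credentials == 1");
        requesting = false;
    });
    WAIT_WHILE(requesting);

    // pass NULL to delete our credentials
    deleting = true;
    SecAddSharedWebCredential(fqdn, acct1, NULL, ^void (CFErrorRef error) {
        OSStatus status = (OSStatus)((error) ? CFErrorGetCode(error) : errSecSuccess);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect auth failure
        if (status == errSecAuthFailed || expected_failure(status)) { status = errSecSuccess; }
        ok_status(status);
        deleting = false;
    });
    WAIT_WHILE(deleting);

    deleting = true;
    SecAddSharedWebCredential(fqdn, acct2, NULL, ^void (CFErrorRef error) {
        OSStatus status = (OSStatus)((error) ? CFErrorGetCode(error) : errSecSuccess);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect auth failure
        if (status == errSecAuthFailed || expected_failure(status)) { status = errSecSuccess; }
        ok_status(status);
        deleting = false;
    });
    WAIT_WHILE(deleting);

    // look up credentials again; should find nothing this time
    requesting = true;
    SecRequestSharedWebCredential(fqdn, NULL, ^void (CFArrayRef credentials, CFErrorRef error) {
        OSStatus status = (OSStatus)((error) ? CFErrorGetCode(error) : errSecSuccess);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect auth failure
        if (status == errSecAuthFailed || expected_failure(status)) { status = errSecItemNotFound; }
        is_status(status, errSecItemNotFound);
        is(credential_count(credentials) > 0, false, "returned credential array == 0");
        requesting = false;
    });
    WAIT_WHILE(requesting);

    CFRelease(cred);
}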
159
#endif // TARGET_OS_IOS
161
/*
 * Regression-test entry point for shared web credentials.
 * When TARGET_OS_IOS is set it plans 12 assertions and runs tests();
 * otherwise it plans one assertion and records a single trivial pass.
 * argc and argv are not used. Always returns 0.
 */
int si_76_shared_credentials(int argc, char *const *argv)
{
#if !TARGET_OS_IOS
    /* No shared web credential coverage on this target: one placeholder pass. */
    plan_tests(1);
    ok_status(0);
#else
    /* 12 must stay equal to the number of assertions tests() makes. */
    plan_tests(12);
    tests();
#endif
    return 0;
}