OSX/sec/securityd/Regressions/secd-31-keychain-unreadable.m

   1 /*
   2  * Copyright (c) 2008-2010,2013-2014,2016 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 #include <CoreFoundation/CoreFoundation.h>
  26 #include <Security/SecBase.h>
  27 #include <Security/SecItem.h>
  28 #include <Security/SecInternal.h>
  29 #include <utilities/SecFileLocations.h>
  30 #include <utilities/SecCFWrappers.h>
  31
  32 #include <stdlib.h>
  33 #include <fcntl.h>
  34 #include <unistd.h>
  35 #include <sys/stat.h>
  36 #include <sqlite3.h>
  37
  38 #include "secd_regressions.h"
  39
  40 #include <securityd/SecItemServer.h>
  41
  42 #include "SecdTestKeychainUtilities.h"
  43
  44
  45 #if !(TARGET_OS_IOS && TARGET_OS_SIMULATOR)
  46 static void setKeychainPermissions(int perm) {
  47     CFStringRef kc_path_cf = __SecKeychainCopyPath();
  48     CFStringPerformWithCString(kc_path_cf, ^(const char *path) {
  49         ok_unix(chmod(path, perm), "chmod keychain file %s to be %d", path, perm);
  50     });
  51 }
  52 #endif
  53
  54 int secd_31_keychain_unreadable(int argc, char *const *argv)
  55 {
  56 #if TARGET_OS_IOS && TARGET_OS_SIMULATOR
  57     // When running on iOS device in debugger, the target usually runs
  58     // as root, which means it has access to the file even after setting 000.
  59     return 0;
  60 #else
  61     plan_tests(10 + kSecdTestSetupTestCount);
  62     secd_test_setup_temp_keychain("secd_31_keychain_unreadable", ^{
  63         CFStringRef keychain_path_cf = __SecKeychainCopyPath();
  64
  65         CFStringPerformWithCString(keychain_path_cf, ^(const char *keychain_path) {
  66             int fd;
  67             ok_unix(fd = open(keychain_path, O_RDWR | O_CREAT | O_TRUNC, 0644),
  68                     "create keychain file '%s'", keychain_path);
  69             SKIP: {
  70                 skip("Cannot fchmod keychain file with invalid fd", 2, fd > -1);
  71                 ok_unix(fchmod(fd, 0), " keychain file '%s'", keychain_path);
  72                 ok_unix(close(fd), "close keychain file '%s'", keychain_path);
  73             }
  74         });
  75
  76         CFReleaseSafe(keychain_path_cf);
  77     });
  78
  79     int v_eighty = 80;
  80     CFNumberRef eighty = CFNumberCreate(NULL, kCFNumberSInt32Type, &v_eighty);
  81     const char *v_data = "test";
  82     CFDataRef pwdata = CFDataCreate(NULL, (UInt8 *)v_data, strlen(v_data));
  83     CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
  84     CFDictionaryAddValue(query, kSecClass, kSecClassInternetPassword);
  85     CFDictionaryAddValue(query, kSecAttrServer, CFSTR("members.spamcop.net"));
  86     CFDictionaryAddValue(query, kSecAttrAccount, CFSTR("smith"));
  87     CFDictionaryAddValue(query, kSecAttrPort, eighty);
  88     CFDictionaryAddValue(query, kSecAttrProtocol, kSecAttrProtocolHTTP);
  89     CFDictionaryAddValue(query, kSecAttrAuthenticationType, kSecAttrAuthenticationTypeDefault);
  90     CFDictionaryAddValue(query, kSecValueData, pwdata);
  91
  92     is_status(SecItemAdd(query, NULL), errSecNotAvailable, "Cannot add items to unreadable keychain");
  93     is_status(SecItemCopyMatching(query, NULL), errSecNotAvailable, "Cannot read items in unreadable keychain");
  94
  95     setKeychainPermissions(0644);
  96
  97     ok_status(SecItemAdd(query, NULL), "Add internet password");
  98     is_status(SecItemAdd(query, NULL), errSecDuplicateItem,
  99               "Add internet password again");
 100     ok_status(SecItemCopyMatching(query, NULL), "Found the item we added");
 101
 102     // For commented tests need to convince secd to let go of connections.
 103     // Without intervention it keeps them and accesses continue to succeed.
 104     /*
 105      setKeychainPermissions(0);
 106      is_status(SecItemCopyMatching(query, NULL), errSecNotAvailable, "Still cannot read items in unreadable keychain");
 107
 108      setKeychainPermissions(0644);
 109      ok_status(SecItemCopyMatching(query, NULL), "Found the item again");
 110      */
 111     ok_status(SecItemDelete(query),"Deleted the item we added");
 112
 113     CFReleaseNull(eighty);
 114     CFReleaseNull(pwdata);
 115     CFReleaseNull(query);
 116 #endif  // !(TARGET_OS_IOS && TARGET_OS_SIMULATOR)
 117     return 0;
 118 }