]> git.saurik.com Git - apple/security.git/blob - SecurityServer/tests/testauth.cpp
Security-28.tar.gz
[apple/security.git] / SecurityServer / tests / testauth.cpp
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // testacls - ACL-related test cases.
21 //
22 #include "testclient.h"
23 #include "testutils.h"
24 #include <Security/osxsigner.h>
25
26 using namespace CodeSigning;
27
28
29 //
30 // Authorization test.
31 // This tests the authorization API support.
32 // @@@ Incomplete and not satisfactory.
33 //
34 void authorizations()
35 {
36 printf("* authorization test\n");
37 ClientSession ss(CssmAllocator::standard(), CssmAllocator::standard());
38
39 // make a simple authorization query
40 AuthorizationBlob auth;
41 AuthorizationItem testingItem = { "debug.testing", 0, NULL, NULL };
42 AuthorizationItem testingMoreItem = { "debug.testing.more", 0, NULL, NULL };
43 AuthorizationItem denyItem = { "debug.deny", 0, NULL, NULL };
44 AuthorizationItemSet request = { 1, &testingItem };
45 ss.authCreate(&request, NULL/*environment*/,
46 kAuthorizationFlagInteractionAllowed |
47 kAuthorizationFlagExtendRights |
48 kAuthorizationFlagPartialRights,
49 auth);
50 detail("Initial authorization obtained");
51
52 // ask for rights from this authorization
53 {
54 AuthorizationItem moreItems[3] = { testingItem, denyItem, testingMoreItem };
55 AuthorizationItemSet moreRequests = { 3, moreItems };
56 AuthorizationItemSet *rightsVector;
57 ss.authCopyRights(auth, &moreRequests, NULL/*environment*/,
58 kAuthorizationFlagInteractionAllowed |
59 kAuthorizationFlagExtendRights |
60 kAuthorizationFlagPartialRights,
61 &rightsVector);
62 if (rightsVector->count != 2)
63 error("COPYRIGHTS RETURNED %d RIGHTS (EXPECTED 2)", int(rightsVector->count));
64 // the output rights could be in either order -- be flexible
65 set<string> rights;
66 rights.insert(rightsVector->items[0].name);
67 rights.insert(rightsVector->items[1].name);
68 assert(rights.find("debug.testing") != rights.end() &&
69 rights.find("debug.testing.more") != rights.end());
70 free(rightsVector);
71 detail("CopyRights okay");
72 }
73
74 // ask for the impossible
75 try {
76 AuthorizationBlob badAuth;
77 AuthorizationItem badItem = { "debug.deny", 0, NULL, NULL };
78 AuthorizationItemSet badRequest = { 1, &badItem };
79 ss.authCreate(&badRequest, NULL/*environment*/,
80 kAuthorizationFlagInteractionAllowed |
81 kAuthorizationFlagExtendRights,
82 auth);
83 error("AUTHORIZED debug.deny OPERATION");
84 } catch (CssmCommonError &err) {
85 detail(err, "debug.deny authorization denied properly");
86 }
87
88 // externalize
89 AuthorizationExternalForm extForm;
90 ss.authExternalize(auth, extForm);
91
92 // re-internalize
93 AuthorizationBlob auth2;
94 ss.authInternalize(extForm, auth2);
95
96 // make sure it still works
97 {
98 AuthorizationItem moreItems[2] = { testingItem, denyItem };
99 AuthorizationItemSet moreRequests = { 2, moreItems };
100 AuthorizationItemSet *rightsVector;
101 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/,
102 kAuthorizationFlagInteractionAllowed |
103 kAuthorizationFlagExtendRights |
104 kAuthorizationFlagPartialRights,
105 &rightsVector);
106 if (rightsVector->count != 1)
107 error("COPYRIGHTS RETURNED %d RIGHTS (EXPECTED 1)", int(rightsVector->count));
108 assert(!strcmp(rightsVector->items[0].name, "debug.testing"));
109 free(rightsVector);
110 detail("Re-internalized authorization checks out okay");
111
112 // try it with no rights output (it's optional)
113 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/,
114 kAuthorizationFlagPartialRights, NULL);
115 detail("authCopyRights partial success OK (with no output)");
116
117 // but this will fail if we want ALL rights...
118 try {
119 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/,
120 kAuthorizationFlagDefaults, NULL);
121 error("authCopyRights succeeded with (only) partial success");
122 } catch (CssmError &err) {
123 detail("authCopyRight failed for (only) partial success");
124 }
125 }
126 }