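#!/bin/sh

# supported_build BUILD: succeed when the macOS build number is one these
# tests apply to — "zin" (12A) or newer, or SULionDuchess (11D) or newer.
# The patterns mirror the original expr checks ("1[2-9].*[A-Z]" and
# "11.*[D-Z]"); the two-digit-major arm additionally admits builds 20A and
# later, which the original "1[2-9]" prefix would have skipped.
supported_build () {
  case $1 in
    11*[D-Z]*) return 0 ;;
    1[2-9]*[A-Z]*) return 0 ;;
    [2-9][0-9]*[A-Z]*) return 0 ;;
    *) return 1 ;;
  esac
}

# On unsupported builds the whole suite is skipped, reporting success.
supported_build "$(sw_vers -buildVersion)" || exit 0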
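# Verbosity switch: ':' silences the per-test "cmd:" echo in runTest; set it to
# empty to print every command before it runs.
v=:

# Count of failed tests, reported at the end.
fails=0
# Scratch directory for signed copies, unpacked fixtures and per-test output.
# Abort if it cannot be created: every later step writes under $t.
t=$(mktemp -d /tmp/csXXXXXX) || exit 1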
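# runTest NAME CMD [ARGS...]
#   Runs CMD with ARGS, capturing its output in $t/outfile.txt, and prints
#   [BEGIN]/[PASS]/[FAIL] markers for NAME. A NAME starting with "fail"
#   expects CMD to exit non-zero; any other NAME expects exit 0. On a
#   mismatch the captured output is printed and the global $fails counter
#   is incremented.
# Globals: v (read), t (read), fails (written)
runTest () {
  test=$1
  shift
  echo "[BEGIN] ${test}"

  ${v} echo cmd: "$@"
  "$@" > "$t/outfile.txt" 2>&1
  res=$?
  # Normalize: any non-zero exit status counts as a single "failed" outcome.
  if [ "$res" != 0 ]; then
    res=1
  fi

  case $test in
    fail*) exp=1 ;;
    *) exp=0 ;;
  esac

  if [ "$res" = "$exp" ]; then
    echo "[PASS] ${test}"
  else
    cat "$t/outfile.txt"
    echo "[FAIL] ${test}"
    fails=$((fails + 1))
  fi
  rm -f "$t/outfile.txt"
}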
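# The suite expects to run as uid 0. "$(id -u)" replaces the bash-only $UID
# so the check also works under a strict POSIX /bin/sh.
runTest isroot test "$(id -u)" = 0
# Toggle the assessment master switch both ways and confirm --status reflects it.
runTest disable-tests spctl --master-disable
runTest disable-check eval "spctl --status | grep disable > /dev/null"
runTest enable-tests spctl --master-enable
runTest enable-check eval "spctl --status | grep enable >/dev/null"

# Same for the Developer ID test switch.
runTest enable-tests spctl --test-devid-enable
runTest enable-check eval "spctl --test-devid-status | grep enable >/dev/null"


# With assessment enabled these stock files are expected to be rejected
# (test names start with "fail").
runTest fail-exec-ls spctl -a -t exec /bin/ls
runTest fail-open-txt spctl -a -t open /usr/local/OpenSourceLicenses/xar.txt
runTest fail-open-pdf spctl -a -t open /usr/share//cups/ipptool/testfile.pdf

# NOTE(review): not referenced anywhere in this script.
app=XXXXX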
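# selfsign VAR PATH
#   Copies PATH into the scratch dir $t, ad-hoc signs the copy (codesign
#   -s - -f) and stores the copy's path in the shell variable named VAR.
#   Exits the script with status 1 if the copy or the signing fails.
# Globals: t (read), $1 (written)
selfsign () {
  b=$(basename "$2")

  # Fail early if the copy itself fails rather than letting codesign report it.
  cp -r "$2" "${t}/${b}" || exit 1
  codesign -s - -f "${t}/${b}" > /dev/null 2>&1 || exit 1

  # $1 is a literal variable name supplied by this script (lsbin, sysprefs),
  # never external input, so eval here only performs the indirect assignment.
  eval "$1=\${t}/\${b}"
}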
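# Ad-hoc signed copies of a system binary and a system app bundle.
selfsign lsbin /bin/ls
selfsign sysprefs /Applications/System\ Preferences.app

# Unpack the test fixtures into the scratch dir (-C "$t" replaces the
# old-style bundled "Cxf $t" spelling).
runTest unpack-caspian-tests tar -C "$t" -xf /AppleInternal/CoreOS/codesign_tests/caspian-tests.tar.gz
runTest unpack-caspian-test-apple-script tar -C "$t" -xvf /AppleInternal/CoreOS/codesign_tests/broken-AppleScript-app.tgz

# Root of the unpacked caspian test fixtures.
ct="$t/caspian-tests/tests"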
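# With assessment enabled the ad-hoc signed copies are expected to be rejected.
runTest fail-exec-ls spctl -a -t exec "$lsbin"
runTest fail-exec-ls spctl -a -t exec "$sysprefs"

runTest disable-tests2 spctl --master-disable
runTest disable-check2 eval "spctl --status | grep disable > /dev/null"

# With the master switch off the same copies are expected to be accepted.
runTest exec-ls spctl -a -t exec "$lsbin"
runTest exec-ls spctl -a -t exec "$sysprefs"

runTest enable-tests3 spctl --master-enable
runTest enable-check3 eval "spctl --status | grep enable > /dev/null"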
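xardir=/AppleInternal/CoreOS/codesign_tests/xar

# Fixture package names. The lists are space-separated and deliberately
# expanded unquoted in the for loops below so they word-split.
caspianvalid="OSUpgrade-XBS Nothing-valid Nothing-noocsp Nothing-expired"
caspianinvalid="Nothing-adhoc Nothing-revoked Nothing-unsigned"
applescriptbroken="Broken.app"

# Assessing a package that does not exist must fail.
runTest fail-install-no-existant-file spctl -a -t install "${xardir}/really-i-dont-exists.pkg"

for a in Nothing-bnisigned ; do
  runTest "install-${a}" spctl -a -t install "${xardir}/${a}.pkg"
done
for a in old-sig new-sig ; do
  runTest "fail-install-${a}" spctl -a -t install "${xardir}/${a}.pkg"
done
for a in ${caspianvalid}; do
  runTest "install-${a}" spctl -a -t install "${ct}/${a}.pkg"
done
for a in ${caspianinvalid}; do
  runTest "fail-install-${a}" spctl -a -t install "${ct}/${a}.pkg"
done
# NOTE(review): the broken AppleScript archive was unpacked into $t above;
# confirm it yields "${a}.pkg" there rather than an .app bundle.
for a in ${applescriptbroken}; do
  runTest "fail-install-${a}" spctl -a -t install "${t}/${a}.pkg"
done

runTest disable-tests3 spctl --master-disable
runTest disable-check3 eval "spctl --status | grep disable > /dev/null"

# With the master switch off every package, valid or not, is expected to pass.
for a in Nothing-bnisigned; do
  runTest "install-${a}" spctl -a -t install "${xardir}/${a}.pkg"
done
# NOTE(review): these packages were assessed from ${ct} above but ${xardir}
# is used here; confirm that is intended.
for a in ${caspianvalid} ${caspianinvalid}; do
  runTest "install-master-disabled-${a}" spctl -a -t install "${xardir}/${a}.pkg"
done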
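#
# check path based --add/--disable/--remove
#

runTest enable-tests4 spctl --master-enable
runTest enable-check4 eval "spctl --status | grep enable > /dev/null"

# Make an ad-hoc signed copy of TextEdit to exercise path rules against.
runTest copyTextEdit cp -R /Applications/TextEdit.app "$t/MyTextEdit.app"
runTest codesignMyTextEdit codesign -f -s - "$t/MyTextEdit.app"

# Rejected until a path rule allows it.
runTest fail-run-MyTextEdit1 spctl -a -t exec "$t/MyTextEdit.app"
runTest add-MyTextEdit spctl --add --path "$t/MyTextEdit.app"
runTest assess-MyTextEdit2 spctl -a -t exec "$t/MyTextEdit.app"

# Disabling the rule must reject again; enabling must accept again.
runTest disable-MyTextEdit spctl --disable --path "$t/MyTextEdit.app"
runTest fail-assess-MyTextEdit3 spctl -a -t exec "$t/MyTextEdit.app"

runTest enable-MyTextEdit spctl --enable --path "$t/MyTextEdit.app"
runTest assess-MyTextEdit4 spctl -a -t exec "$t/MyTextEdit.app"

# Removing the rule must reject again.
runTest remove-MyTextEdit spctl --remove --path "$t/MyTextEdit.app"
runTest fail-assess-MyTextEdit5 spctl -a -t exec "$t/MyTextEdit.app"

runTest disable-tests4 spctl --master-disable
runTest disable-check4 eval "spctl --status | grep disable > /dev/null"

# With the master switch off the copy is expected to be accepted.
runTest assess-MyTextEdit6 spctl -a -t exec "$t/MyTextEdit.app"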
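#
# check label based --add/--disable/--remove
#

runTest enable-tests7 spctl --master-enable
runTest enable-check7 eval "spctl --status | grep enable > /dev/null"

# Same sequence as the path-based section, but the rule is managed through
# its label "CaspianTest" instead of its path.
runTest fail-run-MyTextEdit1 spctl -a -t exec "$t/MyTextEdit.app"
runTest add-MyTextEdit spctl --add --label CaspianTest --path "$t/MyTextEdit.app"
runTest assess-MyTextEdit2 spctl -a -t exec "$t/MyTextEdit.app"

runTest disable-MyTextEdit spctl --disable --label CaspianTest
runTest fail-assess-MyTextEdit3 spctl -a -t exec "$t/MyTextEdit.app"

runTest enable-MyTextEdit spctl --enable --label CaspianTest
runTest assess-MyTextEdit4 spctl -a -t exec "$t/MyTextEdit.app"

runTest remove-MyTextEdit spctl --remove --label CaspianTest
runTest fail-assess-MyTextEdit5 spctl -a -t exec "$t/MyTextEdit.app"

runTest disable-tests8 spctl --master-disable
runTest disable-check8 eval "spctl --status | grep disable > /dev/null"

runTest assess-MyTextEdit6 spctl -a -t exec "$t/MyTextEdit.app"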
#
# check adding certificate based --add/--disable/--remove
#

runTest enable-tests9 spctl --master-enable
runTest enable-check9 eval "spctl --status | grep enable > /dev/null"

# clear out existing rules
# Best effort: the label may not exist yet, so output and status are ignored.
spctl --remove --label CapsianTest-apple-root > /dev/null 2>&1

# Add a rule anchored on a certificate hash, then remove it again by label.
# (The label is spelled "Capsian" consistently in this section; it is only
# used as an identifier here.)
runTest add-add-anchor-by-label spctl --add --label CapsianTest-apple-root --anchor 611E5B662C593A08FF58D14AE22452D198DF6C60
runTest add-remove-by-label spctl --remove --label CapsianTest-apple-root

runTest disable-tests10 spctl --master-disable
runTest disable-check10 eval "spctl --status | grep disable > /dev/null"
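#
# check devid is still revoked while caspian is disabled
#

# Even with the master switch off, a revoked signing identity is expected to
# be rejected, while an expired one is expected to be accepted.
runTest fail-0-hello-revoked spctl -a -t exec "${ct}/hello-revoked.app"
runTest 0-hello-expired spctl -a -t exec "${ct}/hello-expired.app"

#
# check enabled w/o devid
#

runTest enable-tests11 spctl --master-enable
runTest enable-check11 eval "spctl --status | grep enable > /dev/null"

runTest fail-1-hello-revoked spctl -a -t exec "${ct}/hello-revoked.app"
#runTest fail-1-hello-expired spctl -a -t exec ${ct}/hello-expired #### failes because of broken ocsp

#
# check with devid
#

runTest enable-tests11 spctl --test-devid-enable
runTest enable-check11 eval "spctl --test-devid-status | grep enable > /dev/null"

runTest fail-1id-hello-revoked spctl -a -t exec "${ct}/hello-revoked.app"
runTest 1id-hello-expired spctl -a -t exec "${ct}/hello-expired.app"

#
#
#

runTest disable-tests11 spctl --master-disable
runTest disable-check11 eval "spctl --status | grep disable > /dev/null"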
#
# Check that Capsian is on/off by default
#

# Expected default of the assessment master switch for this build.
case $(sw_vers -buildVersion) in
11*) status=disable ;;
12A154*) status=disable ;; ## was disabled for ZinDP2
*) status=enable ;;
esac

# NOTE(review): this deletes the host's stored system-policy preference so
# the default applies; nothing later in this script restores the previous
# setting. notifyutil presumably makes the daemon re-read the switch — confirm.
rm -f /var/db/.sp_visible /var/db/SystemPolicy-prefs.plist
notifyutil -p com.apple.security.assessment.masterswitch

runTest enable-check11 eval "spctl --status | grep $status > /dev/null"
#
# check that --list works
#

# --list is not exercised on Lion (11*) builds or on the 12A178 (DP3) build.
case $(sw_vers -buildVersion) in
11*) ;;
12A178*) ;; #disable in dp3
*)

# The built-in rule set must contain a rule printed as "P0 allow execute".
runTest checkSystemRule eval "spctl --list | grep 'P0 allow execute'"
# A path rule added with --add must appear in --list and be removable again.
runTest addTextEdit spctl --add --path /Applications/TextEdit.app
runTest checkTextEditInList eval "spctl --list | grep TextEdit"
runTest removeTextEdit spctl --remove --path /Applications/TextEdit.app

# Listing a single rule by number must succeed.
runTest checkListRule2 spctl --list --rule 2

;;

esac
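#
# Misc regression cases
#

runTest fail-evil-itunes spctl -a -t exec "$ct/evil-itunes.app"
# Signing fixtures that carry Finder info or resource forks is expected to
# fail; with --no-strict the resource-fork app is expected to sign.
runTest fail-finderinfo codesign -fs- "$ct/ls-finderinfo"
runTest fail-resourcefork codesign -fs- "$ct/cp-resourcefork"
runTest fail-finderinfo-app codesign -fs- "$ct/HelloCaspian-finderinfo.app"
runTest fail-resourcefork-app codesign -fs- "$ct/HelloCaspian-resourcefork.app"
runTest override-resourcefork-app codesign -fs- --no-strict "$ct/HelloCaspian-resourcefork.app"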
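#
# cleanup
#

# Remove the scratch dir; "--" guards against a path starting with "-".
rm -rf -- "$t"

# Exit non-zero if any test failed (see runTest's $fails counter).
if [ "$fails" != 0 ] ; then
  echo "$fails caspian tests failed"
  exit 1
else
  echo "all caspian tests passed"
fi

exit 0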