keychain/securityd/Regressions/secd-68-fullPeerInfoIntegrity.m

   1 //
   2 //  secd-68-fullPeerInfoIntegrity.m
   3 //  secdRegressions
   4 //
   5 //  Created by Richard Murphy on 4/30/20.
   6 //
   7
   8 #import <Foundation/Foundation.h>
   9
  10 #include <Security/SecBase.h>
  11 #include <Security/SecItem.h>
  12
  13 #include <CoreFoundation/CFDictionary.h>
  14
  15 #include "keychain/SecureObjectSync/SOSAccount.h"
  16 #include <Security/SecureObjectSync/SOSCloudCircle.h>
  17 #include "keychain/SecureObjectSync/SOSInternal.h"
  18 #include "keychain/SecureObjectSync/SOSUserKeygen.h"
  19 #include "keychain/SecureObjectSync/SOSTransport.h"
  20 #include "keychain/SecureObjectSync/SOSAccountTrustClassic+Circle.h"
  21
  22 #include <stdlib.h>
  23 #include <unistd.h>
  24
  25 #include "secd_regressions.h"
  26 #include "SOSTestDataSource.h"
  27
  28 #include "SOSRegressionUtilities.h"
  29 #include <utilities/SecCFWrappers.h>
  30 #include <Security/SecKeyPriv.h>
  31
  32 #include "keychain/securityd/SOSCloudCircleServer.h"
  33
  34 #include "SOSAccountTesting.h"
  35
  36 #include "SecdTestKeychainUtilities.h"
  37 #if SOS_ENABLED
  38
  39 static NSString *makeCircle(SOSAccount* testaccount, CFMutableDictionaryRef changes) {
  40     CFErrorRef error = NULL;
  41
  42     // Every time we resetToOffering should result in a new fpi
  43     NSString *lastPeerID = testaccount.peerID;
  44     ok(SOSAccountResetToOffering_wTxn(testaccount, &error), "Reset to offering (%@)", error);
  45     CFReleaseNull(error);
  46     is(ProcessChangesUntilNoChange(changes, testaccount, NULL), 1, "updates");
  47     NSString *currentPeerID = testaccount.peerID;
  48     ok(![lastPeerID isEqualToString:currentPeerID], "peerID changed on circle reset");
  49     return currentPeerID;
  50 }
  51
  52 static void tests(void) {
  53     CFErrorRef error = NULL;
  54     CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10);
  55     CFStringRef cfaccount = CFSTR("test@test.org");
  56
  57     CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
  58     SOSAccount* testaccount = CreateAccountForLocalChanges(CFSTR("TestDev"), CFSTR("TestSource"));
  59
  60     // Just making an account object to mess with
  61     ok(SOSAccountAssertUserCredentialsAndUpdate(testaccount, cfaccount, cfpassword, &error), "Credential setting (%@)", error);
  62     is(ProcessChangesUntilNoChange(changes, testaccount, NULL), 1, "updates");
  63     CFReleaseNull(error);
  64
  65     // make a circle then make sure fpi isn't reset just for a normal ensureFullPeerAvailable
  66     NSString *lastPeerID = makeCircle(testaccount, changes);
  67     ok([testaccount.trust ensureFullPeerAvailable:testaccount err:&error], "fullPeer is available");
  68     NSString *currentPeerID = testaccount.peerID;
  69     ok([lastPeerID isEqualToString: currentPeerID], "peerID did not alter in trip through ensureFullPeerAvailable");
  70
  71
  72     // leaving a circle should reset the fpi
  73     lastPeerID = makeCircle(testaccount, changes);
  74     ok([testaccount.trust leaveCircle:testaccount err:&error], "leave the circle %@", error);
  75     CFReleaseNull(error);
  76     is(ProcessChangesUntilNoChange(changes, testaccount, NULL), 1, "updates");
  77     currentPeerID = testaccount.peerID;
  78     ok(![lastPeerID isEqualToString:currentPeerID], "peerID changed on leaving circle");
  79
  80     // break the fullpeerinfo by purging the private key - then fix in ensureFullPeerAvailable
  81     lastPeerID = makeCircle(testaccount, changes);
  82     ok(SOSFullPeerInfoPurgePersistentKey(testaccount.fullPeerInfo, &error), "purging persistent key %@", error);
  83     currentPeerID = testaccount.peerID;
  84     ok([lastPeerID isEqualToString:currentPeerID], "pre-ensuring peerID remains the same");
  85     lastPeerID = currentPeerID;
  86     ok([testaccount.trust ensureFullPeerAvailable:testaccount err:&error], "fullPeer is available");
  87     currentPeerID = testaccount.peerID;
  88     ok(![lastPeerID isEqualToString: currentPeerID], "peerID changed because fullPeerInfo fixed in ensureFullPeerAvailable");
  89     lastPeerID = currentPeerID;
  90
  91     // If that last thing worked this peer won't be in the circle any more - changing fpi changes "me"
  92     ok(SOSAccountAssertUserCredentialsAndUpdate(testaccount, cfaccount, cfpassword, &error), "Credential setting (%@)", error);
  93     is(ProcessChangesUntilNoChange(changes, testaccount, NULL), 1, "updates");
  94     CFReleaseNull(error);
  95     ok(![testaccount isInCircle: &error], "No longer in circle");
  96
  97     // This join should work because the peer we left in the circle will be a ghost and there are no other peers
  98     ok(SOSAccountJoinCircles_wTxn(testaccount, &error), "Apply to circle (%@)", error);
  99     CFReleaseNull(error);
 100     is(ProcessChangesUntilNoChange(changes, testaccount, NULL), 1, "updates");
 101     ok([testaccount isInCircle: &error], "Is in circle");
 102     currentPeerID = testaccount.peerID;
 103     ok(![lastPeerID isEqualToString: currentPeerID], "peerID changed because fullPeerInfo changed during join");
 104
 105     CFReleaseNull(cfpassword);
 106     testaccount = nil;
 107     SOSTestCleanup();
 108 }
 109 #endif
 110
 111 int secd_68_fullPeerInfoIntegrity(int argc, char *const *argv)
 112 {
 113 #if SOS_ENABLED
 114     plan_tests(29);
 115     secd_test_setup_temp_keychain(__FUNCTION__, NULL);
 116     tests();
 117 #else
 118     plan_tests(0);
 119 #endif
 120     return 0;
 121 }