1 //
2 // si-76-shared-credentials.c
3 // sec
4 //
5
6
7 #include <CoreFoundation/CoreFoundation.h>
8 #include <Security/SecBasePriv.h>
9 #include <Security/SecCertificate.h>
10 #include <Security/SecCertificatePriv.h>
11 #include <Security/SecCertificateInternal.h>
12 #include <Security/SecItem.h>
13 #include <Security/SecItemPriv.h>
14 #include <Security/SecIdentityPriv.h>
15 #include <Security/SecIdentity.h>
16 #include <Security/SecPolicy.h>
17 #include <Security/SecPolicyPriv.h>
18 #include <Security/SecPolicyInternal.h>
19 #include <Security/SecSharedCredential.h>
20 #include <Security/SecCMS.h>
21 #include <utilities/SecCFWrappers.h>
22 #include <stdlib.h>
23 #include <unistd.h>
24
25 #include "Security_regressions.h"
26
27 #if TARGET_OS_IOS
28
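// Pumps the current thread's run loop in default mode, at most 0.1 s per pass,
// until the condition X evaluates false. X is re-evaluated after every pass, so
// it must be a flag that a completion handler clears (the tests use __block bools).
// There is no timeout: if the handler never runs, the wait never ends.
// Wrapped in do { } while (0) so `WAIT_WHILE(x);` expands to exactly one
// statement and stays correct under an unbraced if/else.
#define WAIT_WHILE(X) \
    do { \
        while ((X)) { \
            (void)CFRunLoopRunInMode(kCFRunLoopDefaultMode, 0.1, TRUE); \
        } \
    } while (0)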
30
// Returns true when status is one of the two errors the callers in this file
// tolerate in addition to their step-specific code: errSecMissingEntitlement
// or errSecBadReq. Every other status, including errSecSuccess, yields false.
static bool expected_failure(OSStatus status)
{
    switch (status) {
        case errSecMissingEntitlement:
        case errSecBadReq:
            return true;
        default:
            return false;
    }
}
36
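// Converts the CFErrorRef handed to a completion handler into an OSStatus:
// the error's code when an error is present, errSecSuccess otherwise.
static OSStatus status_from_error(CFErrorRef error)
{
    return (OSStatus)((error) ? CFErrorGetCode(error) : errSecSuccess);
}

// Counts the credentials handed to a completion handler, treating a NULL array
// as empty. CFArrayGetCount() must not be called with NULL, and this file does
// not show whether the API passes NULL alongside an error, so guard here and
// let the assertion report the outcome instead of crashing the test run.
static CFIndex credential_count(CFArrayRef credentials)
{
    return (credentials) ? CFArrayGetCount(credentials) : 0;
}

// Exercises the shared web credential API end to end; 12 assertions in total:
//   1. request for a domain outside our entitlement (must yield no credentials)
//   2. add/update two accounts on "localhost"
//   3. request by specific account, then with a NULL account
//   4. delete both accounts by adding with a NULL credential
//   5. request again, expecting nothing
// Each call is asynchronous; a __block flag cleared by the completion handler
// plus WAIT_WHILE serialises the steps on this thread's run loop.
//
// NOTE(review): steps 2-5 rewrite errSecAuthFailed, errSecMissingEntitlement and
// errSecBadReq (and item-not-found for lookups) into the passing value, per the
// TODOs below. In a harness without a teamID-enabled application identifier the
// positive paths therefore only show that the calls complete with an accepted
// error, not that a credential was stored or returned. Step 1 is the check that
// fails if an unentitled domain is served.
static void tests(void)
{
    // look up our entry for localhost
    CFStringRef acct1 = CFSTR("local");
    CFStringRef acct2 = CFSTR("admin");
    CFStringRef fqdn = CFSTR("localhost");
    CFStringRef not_my_fqdn = CFSTR("store.apple.com"); // something we aren't entitled to share
    __block bool adding;
    __block bool requesting;
    __block bool deleting;

    // UInt8 buf[6] = { 'l', 'o', 'c', 'a', 'l', '\0' };
    // CFDataRef cred = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)&buf, sizeof(buf));
    CFStringRef cred = CFStringCreateCopy(kCFAllocatorDefault, CFSTR("local"));

    // should get denied if we request a fqdn which is not in our entitlement
    requesting = true;
    SecRequestSharedWebCredential(not_my_fqdn, NULL, ^void (CFArrayRef credentials, CFErrorRef error) {
        OSStatus status = status_from_error(error);
        // errSecSuccess is deliberately not accepted here: a successful lookup
        // for a domain we are not entitled to would be the regression.
        is(status == errSecItemNotFound || expected_failure(status), true, "fqdn not entitled");
        is(credential_count(credentials) > 0, false, "returned credential array == 0");
        requesting = false;
    });
    WAIT_WHILE(requesting);

    // add (or update) credentials for two different accounts on the same server
    adding = true;
    SecAddSharedWebCredential(fqdn, acct1, cred, ^void (CFErrorRef error) {
        OSStatus status = status_from_error(error);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect auth failure
        if (status == errSecAuthFailed || expected_failure(status)) { status = errSecSuccess; }
        ok_status(status);
        adding = false;
    });
    WAIT_WHILE(adding);

    adding = true;
    SecAddSharedWebCredential(fqdn, acct2, cred, ^void (CFErrorRef error) {
        OSStatus status = status_from_error(error);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect auth failure
        if (status == errSecAuthFailed || expected_failure(status)) { status = errSecSuccess; }
        ok_status(status);
        adding = false;
    });
    WAIT_WHILE(adding);

    // look up credential with specific account
    requesting = true;
    SecRequestSharedWebCredential(fqdn, acct1, ^void (CFArrayRef credentials, CFErrorRef error) {
        OSStatus status = status_from_error(error);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect no items
        bool notFound = false;
        if (status == errSecItemNotFound || expected_failure(status)) {
            status = errSecSuccess;
            notFound = true;
        }
        ok_status(status);

        // should find only one credential if a specific account is provided
        CFIndex credentialCount = credential_count(credentials);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect 0 items
        // (an empty result after a tolerated failure is counted as the single expected item)
        if (credentialCount == 0 && notFound) { credentialCount = 1; }
        is(credentialCount == 1, true, "returned credentials == 1");
        requesting = false;
    });
    WAIT_WHILE(requesting);

    // look up credential with NULL account parameter
    requesting = true;
    SecRequestSharedWebCredential(fqdn, NULL, ^void (CFArrayRef credentials, CFErrorRef error) {
        OSStatus status = status_from_error(error);
        // TODO: need a proper teamID-enabled application identifier to succeed;
        // expect item-not-found or one of the expected_failure() codes
        bool notFound = false;
        if (status == errSecItemNotFound || expected_failure(status)) {
            status = errSecSuccess;
            notFound = true;
        }
        ok_status(status);

        // should find only one credential if no account is provided
        // (since UI dialog only permits one credential to be selected)
        CFIndex credentialCount = credential_count(credentials);
        // TODO: need a proper teamID-enabled application identifier to succeed
        if (credentialCount == 0 && notFound) { credentialCount = 1; }
        is(credentialCount == 1, true, "returned credentials == 1");
        requesting = false;
    });
    WAIT_WHILE(requesting);

    // pass NULL to delete our credentials
    deleting = true;
    SecAddSharedWebCredential(fqdn, acct1, NULL, ^void (CFErrorRef error) {
        OSStatus status = status_from_error(error);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect auth failure
        if (status == errSecAuthFailed || expected_failure(status)) { status = errSecSuccess; }
        ok_status(status);
        deleting = false;
    });
    WAIT_WHILE(deleting);

    deleting = true;
    SecAddSharedWebCredential(fqdn, acct2, NULL, ^void (CFErrorRef error) {
        OSStatus status = status_from_error(error);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect auth failure
        if (status == errSecAuthFailed || expected_failure(status)) { status = errSecSuccess; }
        ok_status(status);
        deleting = false;
    });
    WAIT_WHILE(deleting);

    // look up credentials again; should find nothing this time
    requesting = true;
    SecRequestSharedWebCredential(fqdn, NULL, ^void (CFArrayRef credentials, CFErrorRef error) {
        OSStatus status = status_from_error(error);
        // TODO: need a proper teamID-enabled application identifier to succeed; expect auth failure
        if (status == errSecAuthFailed || expected_failure(status)) { status = errSecItemNotFound; }
        is_status(status, errSecItemNotFound);
        is(credential_count(credentials) > 0, false, "returned credential array == 0");
        requesting = false;
    });
    WAIT_WHILE(requesting);

    CFRelease(cred);
}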
159
160 #endif // TARGET_OS_IOS
161
// Regression-test entry point for the shared web credential API.
// On iOS it plans 12 assertions and runs tests(); on every other target it
// plans a single assertion that always passes, so the test is effectively
// skipped there. argc and argv are not used. Always returns 0.
int si_76_shared_credentials(int argc, char *const *argv)
{
#if !TARGET_OS_IOS
    // Nothing to exercise on this target: record one passing check.
    plan_tests(1);
    ok_status(0);
#else
    // Must equal the number of is()/ok_status()/is_status() calls in tests().
    plan_tests(12);
    tests();
#endif
    return 0;
}