]> git.saurik.com Git - apple/securityd.git/blob - tests/testauth.cpp
securityd-55199.0.1.tar.gz
[apple/securityd.git] / tests / testauth.cpp
1 /*
2 * Copyright (c) 2000-2001,2004 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 //
26 // testacls - ACL-related test cases.
27 //
28 #include "testclient.h"
29 #include "testutils.h"
30 #include <Security/osxsigner.h>
31
32 using namespace CodeSigning;
33
34
35 //
36 // Authorization test.
37 // This tests the authorization API support.
38 // @@@ Incomplete and not satisfactory.
39 //
40 void authorizations()
41 {
42 printf("* authorization test\n");
43 ClientSession ss(CssmAllocator::standard(), CssmAllocator::standard());
44
45 // make a simple authorization query
46 AuthorizationBlob auth;
47 AuthorizationItem testingItem = { "debug.testing", 0, NULL, NULL };
48 AuthorizationItem testingMoreItem = { "debug.testing.more", 0, NULL, NULL };
49 AuthorizationItem denyItem = { "debug.deny", 0, NULL, NULL };
50 AuthorizationItemSet request = { 1, &testingItem };
51 ss.authCreate(&request, NULL/*environment*/,
52 kAuthorizationFlagInteractionAllowed |
53 kAuthorizationFlagExtendRights |
54 kAuthorizationFlagPartialRights,
55 auth);
56 detail("Initial authorization obtained");
57
58 // ask for rights from this authorization
59 {
60 AuthorizationItem moreItems[3] = { testingItem, denyItem, testingMoreItem };
61 AuthorizationItemSet moreRequests = { 3, moreItems };
62 AuthorizationItemSet *rightsVector;
63 ss.authCopyRights(auth, &moreRequests, NULL/*environment*/,
64 kAuthorizationFlagInteractionAllowed |
65 kAuthorizationFlagExtendRights |
66 kAuthorizationFlagPartialRights,
67 &rightsVector);
68 if (rightsVector->count != 2)
69 error("COPYRIGHTS RETURNED %d RIGHTS (EXPECTED 2)", int(rightsVector->count));
70 // the output rights could be in either order -- be flexible
71 set<string> rights;
72 rights.insert(rightsVector->items[0].name);
73 rights.insert(rightsVector->items[1].name);
74 assert(rights.find("debug.testing") != rights.end() &&
75 rights.find("debug.testing.more") != rights.end());
76 free(rightsVector);
77 detail("CopyRights okay");
78 }
79
80 // ask for the impossible
81 try {
82 AuthorizationBlob badAuth;
83 AuthorizationItem badItem = { "debug.deny", 0, NULL, NULL };
84 AuthorizationItemSet badRequest = { 1, &badItem };
85 ss.authCreate(&badRequest, NULL/*environment*/,
86 kAuthorizationFlagInteractionAllowed |
87 kAuthorizationFlagExtendRights,
88 auth);
89 error("AUTHORIZED debug.deny OPERATION");
90 } catch (CssmCommonError &err) {
91 detail(err, "debug.deny authorization denied properly");
92 }
93
94 // externalize
95 AuthorizationExternalForm extForm;
96 ss.authExternalize(auth, extForm);
97
98 // re-internalize
99 AuthorizationBlob auth2;
100 ss.authInternalize(extForm, auth2);
101
102 // make sure it still works
103 {
104 AuthorizationItem moreItems[2] = { testingItem, denyItem };
105 AuthorizationItemSet moreRequests = { 2, moreItems };
106 AuthorizationItemSet *rightsVector;
107 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/,
108 kAuthorizationFlagInteractionAllowed |
109 kAuthorizationFlagExtendRights |
110 kAuthorizationFlagPartialRights,
111 &rightsVector);
112 if (rightsVector->count != 1)
113 error("COPYRIGHTS RETURNED %d RIGHTS (EXPECTED 1)", int(rightsVector->count));
114 assert(!strcmp(rightsVector->items[0].name, "debug.testing"));
115 free(rightsVector);
116 detail("Re-internalized authorization checks out okay");
117
118 // try it with no rights output (it's optional)
119 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/,
120 kAuthorizationFlagPartialRights, NULL);
121 detail("authCopyRights partial success OK (with no output)");
122
123 // but this will fail if we want ALL rights...
124 try {
125 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/,
126 kAuthorizationFlagDefaults, NULL);
127 error("authCopyRights succeeded with (only) partial success");
128 } catch (CssmError &err) {
129 detail("authCopyRight failed for (only) partial success");
130 }
131 }
132 }