]> git.saurik.com Git - apple/securityd.git/blob - tests/testauth.cpp
projects / apple / securityd.git / blob
? search:


d017a7c79ca7c817fbc450d14102fbafcab2b9a7
[apple/securityd.git] / tests / testauth.cpp
1 /*
2 * Copyright (c) 2000-2001,2004 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved.
7 *
8 * This file contains Original Code and/or Modifications of Original Code
9 * as defined in and that are subject to the Apple Public Source License
10 * Version 2.0 (the 'License'). You may not use this file except in
11 * compliance with the License. Please obtain a copy of the License at
12 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * file.
14 *
15 * The Original Code and all software distributed under the License are
16 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
17 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
18 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
20 * Please see the License for the specific language governing rights and
21 * limitations under the License.
22 *
23 * @APPLE_LICENSE_HEADER_END@
24 */
25
26
27 //
28 // testacls - ACL-related test cases.
29 //
30 #include "testclient.h"
31 #include "testutils.h"
32 #include <Security/osxsigner.h>
33
34 using namespace CodeSigning;
35
36
37 //
38 // Authorization test.
39 // This tests the authorization API support.
40 // @@@ Incomplete and not satisfactory.
41 //
42 void authorizations()
43 {
44 printf("* authorization test\n");
45 ClientSession ss(CssmAllocator::standard(), CssmAllocator::standard());
46
47 // make a simple authorization query
48 AuthorizationBlob auth;
49 AuthorizationItem testingItem = { "debug.testing", 0, NULL, NULL };
50 AuthorizationItem testingMoreItem = { "debug.testing.more", 0, NULL, NULL };
51 AuthorizationItem denyItem = { "debug.deny", 0, NULL, NULL };
52 AuthorizationItemSet request = { 1, &testingItem };
53 ss.authCreate(&request, NULL/*environment*/,
54 kAuthorizationFlagInteractionAllowed |
55 kAuthorizationFlagExtendRights |
56 kAuthorizationFlagPartialRights,
57 auth);
58 detail("Initial authorization obtained");
59
60 // ask for rights from this authorization
61 {
62 AuthorizationItem moreItems[3] = { testingItem, denyItem, testingMoreItem };
63 AuthorizationItemSet moreRequests = { 3, moreItems };
64 AuthorizationItemSet *rightsVector;
65 ss.authCopyRights(auth, &moreRequests, NULL/*environment*/,
66 kAuthorizationFlagInteractionAllowed |
67 kAuthorizationFlagExtendRights |
68 kAuthorizationFlagPartialRights,
69 &rightsVector);
70 if (rightsVector->count != 2)
71 error("COPYRIGHTS RETURNED %d RIGHTS (EXPECTED 2)", int(rightsVector->count));
72 // the output rights could be in either order -- be flexible
73 set<string> rights;
74 rights.insert(rightsVector->items[0].name);
75 rights.insert(rightsVector->items[1].name);
76 assert(rights.find("debug.testing") != rights.end() &&
77 rights.find("debug.testing.more") != rights.end());
78 free(rightsVector);
79 detail("CopyRights okay");
80 }
81
82 // ask for the impossible
83 try {
84 AuthorizationBlob badAuth;
85 AuthorizationItem badItem = { "debug.deny", 0, NULL, NULL };
86 AuthorizationItemSet badRequest = { 1, &badItem };
87 ss.authCreate(&badRequest, NULL/*environment*/,
88 kAuthorizationFlagInteractionAllowed |
89 kAuthorizationFlagExtendRights,
90 auth);
91 error("AUTHORIZED debug.deny OPERATION");
92 } catch (CssmCommonError &err) {
93 detail(err, "debug.deny authorization denied properly");
94 }
95
96 // externalize
97 AuthorizationExternalForm extForm;
98 ss.authExternalize(auth, extForm);
99
100 // re-internalize
101 AuthorizationBlob auth2;
102 ss.authInternalize(extForm, auth2);
103
104 // make sure it still works
105 {
106 AuthorizationItem moreItems[2] = { testingItem, denyItem };
107 AuthorizationItemSet moreRequests = { 2, moreItems };
108 AuthorizationItemSet *rightsVector;
109 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/,
110 kAuthorizationFlagInteractionAllowed |
111 kAuthorizationFlagExtendRights |
112 kAuthorizationFlagPartialRights,
113 &rightsVector);
114 if (rightsVector->count != 1)
115 error("COPYRIGHTS RETURNED %d RIGHTS (EXPECTED 1)", int(rightsVector->count));
116 assert(!strcmp(rightsVector->items[0].name, "debug.testing"));
117 free(rightsVector);
118 detail("Re-internalized authorization checks out okay");
119
120 // try it with no rights output (it's optional)
121 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/,
122 kAuthorizationFlagPartialRights, NULL);
123 detail("authCopyRights partial success OK (with no output)");
124
125 // but this will fail if we want ALL rights...
126 try {
127 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/,
128 kAuthorizationFlagDefaults, NULL);
129 error("authCopyRights succeeded with (only) partial success");
130 } catch (CssmError &err) {
131 detail("authCopyRight failed for (only) partial success");
132 }
133 }
134 }
mirror of securityd