diff options
Diffstat (limited to 'test/security_tests')
-rw-r--r-- | test/security_tests/conf/security_test_config_client_external_allow.json.in | 90 | ||||
-rw-r--r-- | test/security_tests/conf/security_test_config_client_external_deny.json.in | 90 | ||||
-rw-r--r-- | test/security_tests/conf/security_test_config_service_external_allow.json.in | 84 | ||||
-rw-r--r-- | test/security_tests/conf/security_test_config_service_external_deny.json.in | 84 | ||||
-rw-r--r-- | test/security_tests/conf/security_test_local_config.json.in (renamed from test/security_tests/conf/security_test_config.json.in) | 29 | ||||
-rw-r--r-- | test/security_tests/security_test_client.cpp | 148 | ||||
-rw-r--r-- | test/security_tests/security_test_client.hpp | 7 | ||||
-rwxr-xr-x | test/security_tests/security_test_client_start.sh | 9 | ||||
-rwxr-xr-x | test/security_tests/security_test_external_master_start.sh | 83 | ||||
-rwxr-xr-x | test/security_tests/security_test_external_slave_start.sh | 60 | ||||
-rwxr-xr-x | test/security_tests/security_test_local_start.sh (renamed from test/security_tests/security_test_start.sh) | 16 | ||||
-rw-r--r-- | test/security_tests/security_test_service.cpp | 86 |
12 files changed, 745 insertions, 41 deletions
diff --git a/test/security_tests/conf/security_test_config_client_external_allow.json.in b/test/security_tests/conf/security_test_config_client_external_allow.json.in new file mode 100644 index 0000000..531c620 --- /dev/null +++ b/test/security_tests/conf/security_test_config_client_external_allow.json.in @@ -0,0 +1,90 @@ +{ + "unicast" : "@TEST_IP_MASTER@", + "netmask" : "255.255.255.0", + "logging" : + { + "level" : "info", + "console" : "true", + "file" : { "enable" : "false", "path" : "/tmp/vsomeip.log" }, + "dlt" : "false" + }, + "applications" : + [ + { + "name" : "client-sample", + "id" : "0x1255" + }, + { + "name" : "vsomeipd", + "id" : "0x2222" + } + ], + "services" : + [ + { + "service" : "0x1234", + "instance" : "0x5678", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + }, + { + "service" : "0x111", + "instance" : "0x5678", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + }, + { + "service" : "0x1234", + "instance" : "0x02", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + } + ], + "security" : + { + "check_credentials" : "true", + "allow_remote_clients" : "true", + "policies" : + [ + { + "credentials" : { "uid" : "@TEST_UID@", "gid" : "@TEST_GID@" }, + "allow" : + { + "requests": + [ + { + "service" : "0x1234", + "instances" : + [ + { + "ids" : ["0x5678"], + "methods" : [ {"first" : "0x8421", "last" : "0x8422" }, "0x8001", "0x7777" ] + } + ] + } + ] + } + } + ] + }, + "routing" : "vsomeipd", + "routing-credentials" : + { + "uid" : "@TEST_UID@", + "gid" : "@TEST_GID@" + }, + "service-discovery" : + { + "enable" : "true", + "multicast" : "224.0.0.1", + "port" : "30490", + "protocol" : "udp", + "initial_delay_min" : "10", + "initial_delay_max" : "100", + "repetitions_base_delay" : "200", + "repetitions_max" : "3", + "ttl" : "3", + "cyclic_offer_delay" : "2000", + "request_response_delay" : "1500" + } +} diff --git a/test/security_tests/conf/security_test_config_client_external_deny.json.in b/test/security_tests/conf/security_test_config_client_external_deny.json.in new file mode 100644 index 0000000..0cd96fb --- /dev/null +++ b/test/security_tests/conf/security_test_config_client_external_deny.json.in @@ -0,0 +1,90 @@ +{ + "unicast" : "@TEST_IP_MASTER@", + "netmask" : "255.255.255.0", + "logging" : + { + "level" : "info", + "console" : "true", + "file" : { "enable" : "false", "path" : "/tmp/vsomeip.log" }, + "dlt" : "false" + }, + "applications" : + [ + { + "name" : "client-sample", + "id" : "0x1255" + }, + { + "name" : "vsomeipd", + "id" : "0x2222" + } + ], + "services" : + [ + { + "service" : "0x1234", + "instance" : "0x5678", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + }, + { + "service" : "0x111", + "instance" : "0x5678", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + }, + { + "service" : "0x1234", + "instance" : "0x02", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + } + ], + "security" : + { + "check_credentials" : "true", + "allow_remote_clients" : "false", + "policies" : + [ + { + "credentials" : { "uid" : "@TEST_UID@", "gid" : "@TEST_GID@" }, + "allow" : + { + "requests": + [ + { + "service" : "0x1234", + "instances" : + [ + { + "ids" : ["0x5678"], + "methods" : [ {"first" : "0x8421", "last" : "0x8422" }, "0x8001", "0x7777" ] + } + ] + } + ] + } + } + ] + }, + "routing" : "vsomeipd", + "routing-credentials" : + { + "uid" : "@TEST_UID@", + "gid" : "@TEST_GID@" + }, + "service-discovery" : + { + "enable" : "true", + "multicast" : "224.0.0.1", + "port" : "30490", + "protocol" : "udp", + "initial_delay_min" : "10", + "initial_delay_max" : "100", + "repetitions_base_delay" : "200", + "repetitions_max" : "3", + "ttl" : "3", + "cyclic_offer_delay" : "2000", + "request_response_delay" : "1500" + } +} diff --git a/test/security_tests/conf/security_test_config_service_external_allow.json.in b/test/security_tests/conf/security_test_config_service_external_allow.json.in new file mode 100644 index 0000000..e95b942 --- /dev/null +++ b/test/security_tests/conf/security_test_config_service_external_allow.json.in @@ -0,0 +1,84 @@ +{ + "unicast" : "@TEST_IP_SLAVE@", + "netmask" : "255.255.255.0", + "logging" : + { + "level" : "info", + "console" : "true", + "file" : { "enable" : "false", "path" : "/tmp/vsomeip.log" }, + "dlt" : "false" + }, + "applications" : + [ + { + "name" : "service-sample", + "id" : "0x1277" + }, + { + "name" : "vsomeipd", + "id" : "0x1111" + } + ], + "services" : + [ + { + "service" : "0x1234", + "instance" : "0x5678", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + }, + { + "service" : "0x111", + "instance" : "0x5678", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + }, + { + "service" : "0x1234", + "instance" : "0x02", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + } + ], + "security" : + { + "check_credentials" : "true", + "allow_remote_clients" : "true", + "policies" : + [ + { + "credentials" : { "uid" : "@TEST_UID@", "gid" : "@TEST_GID@" }, + "allow" : + { + "offers": + [ + { + "service" : "0x1234", + "instance" : "0x5678" + } + ] + } + } + ] + }, + "routing" : "vsomeipd", + "routing-credentials" : + { + "uid" : "@TEST_UID@", + "gid" : "@TEST_GID@" + }, + "service-discovery" : + { + "enable" : "true", + "multicast" : "224.0.0.1", + "port" : "30490", + "protocol" : "udp", + "initial_delay_min" : "10", + "initial_delay_max" : "100", + "repetitions_base_delay" : "200", + "repetitions_max" : "3", + "ttl" : "3", + "cyclic_offer_delay" : "2000", + "request_response_delay" : "1500" + } +} diff --git a/test/security_tests/conf/security_test_config_service_external_deny.json.in b/test/security_tests/conf/security_test_config_service_external_deny.json.in new file mode 100644 index 0000000..8caf0af --- /dev/null +++ b/test/security_tests/conf/security_test_config_service_external_deny.json.in @@ -0,0 +1,84 @@ +{ + "unicast" : "@TEST_IP_SLAVE@", + "netmask" : "255.255.255.0", + "logging" : + { + "level" : "info", + "console" : "true", + "file" : { "enable" : "false", "path" : "/tmp/vsomeip.log" }, + "dlt" : "false" + }, + "applications" : + [ + { + "name" : "service-sample", + "id" : "0x1277" + }, + { + "name" : "vsomeipd", + "id" : "0x1111" + } + ], + "services" : + [ + { + "service" : "0x1234", + "instance" : "0x5678", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + }, + { + "service" : "0x111", + "instance" : "0x5678", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + }, + { + "service" : "0x1234", + "instance" : "0x02", + "unicast" : "@TEST_IP_MASTER@", + "unreliable" : "30509" + } + ], + "security" : + { + "check_credentials" : "true", + "allow_remote_clients" : "false", + "policies" : + [ + { + "credentials" : { "uid" : "@TEST_UID@", "gid" : "@TEST_GID@" }, + "allow" : + { + "offers": + [ + { + "service" : "0x1234", + "instance" : "0x5678" + } + ] + } + } + ] + }, + "routing" : "vsomeipd", + "routing-credentials" : + { + "uid" : "@TEST_UID@", + "gid" : "@TEST_GID@" + }, + "service-discovery" : + { + "enable" : "true", + "multicast" : "224.0.0.1", + "port" : "30490", + "protocol" : "udp", + "initial_delay_min" : "10", + "initial_delay_max" : "100", + "repetitions_base_delay" : "200", + "repetitions_max" : "3", + "ttl" : "3", + "cyclic_offer_delay" : "2000", + "request_response_delay" : "1500" + } +} diff --git a/test/security_tests/conf/security_test_config.json.in b/test/security_tests/conf/security_test_local_config.json.in index 693bf58..aab7f39 100644 --- a/test/security_tests/conf/security_test_config.json.in +++ b/test/security_tests/conf/security_test_local_config.json.in @@ -16,6 +16,10 @@ { "name" : "client-sample", "id" : "0x1255" + }, + { + "name" : "vsomeipd", + "id" : "0x1111" } ], "security" : @@ -24,7 +28,6 @@ "policies" : [ { - "client" : "0x1277", "credentials" : { "uid" : "@TEST_UID@", "gid" : "@TEST_GID@" }, "allow" : { @@ -34,26 +37,30 @@ "service" : "0x1234", "instance" : "0x5678" } - ] - } - }, - { - "client" : "0x1255", - "credentials" : { "uid" : "@TEST_UID@", "gid" : "@TEST_GID@" }, - "allow" : - { + ], "requests": [ { "service" : "0x1234", - "instance" : "0x5678" + "instances" : + [ + { + "ids" : ["0x5678"], + "methods" : [ {"first" : "0x8421", "last" : "0x8422" }, "0x8001", "0x7777" ] + } + ] } ] } } ] }, - "routing" : "service-sample", + "routing" : "vsomeipd", + "routing-credentials" : + { + "uid" : "@TEST_UID@", + "gid" : "@TEST_GID@" + }, "service-discovery" : { "enable" : "true", diff --git a/test/security_tests/security_test_client.cpp b/test/security_tests/security_test_client.cpp index 924f13c..2841f23 100644 --- a/test/security_tests/security_test_client.cpp +++ b/test/security_tests/security_test_client.cpp @@ -5,11 +5,18 @@ #include "security_test_client.hpp" -security_test_client::security_test_client() +static bool is_remote_test = false; +static bool remote_client_allowed = true; + +security_test_client::security_test_client(bool _test_external_communication, + bool _is_remote_client_allowed) : app_(vsomeip::runtime::get()->create_application()), is_available_(false), sender_(std::bind(&security_test_client::run, this)), - received_responses_(0) { + received_responses_(0), + received_allowed_events_(0), + test_external_communication_(_test_external_communication), + is_remote_client_allowed_(_is_remote_client_allowed) { } @@ -33,6 +40,18 @@ bool security_test_client::init() { std::bind(&security_test_client::on_availability, this, std::placeholders::_1, std::placeholders::_2, std::placeholders::_3)); + + app_->register_availability_handler(0x111, + vsomeip_test::TEST_SERVICE_INSTANCE_ID, + std::bind(&security_test_client::on_availability, this, + std::placeholders::_1, std::placeholders::_2, + std::placeholders::_3)); + + app_->register_availability_handler(vsomeip_test::TEST_SERVICE_SERVICE_ID, + 0x02, + std::bind(&security_test_client::on_availability, this, + std::placeholders::_1, std::placeholders::_2, + std::placeholders::_3)); return true; } @@ -45,7 +64,9 @@ void security_test_client::start() { void security_test_client::stop() { VSOMEIP_INFO << "Stopping..."; - shutdown_service(); + if (is_remote_client_allowed_) { + shutdown_service(); + } std::this_thread::sleep_for(std::chrono::milliseconds(100)); @@ -57,6 +78,32 @@ void security_test_client::on_state(vsomeip::state_type_e _state) { if(_state == vsomeip::state_type_e::ST_REGISTERED) { app_->request_service(vsomeip_test::TEST_SERVICE_SERVICE_ID, vsomeip_test::TEST_SERVICE_INSTANCE_ID, false); + + // request not allowed service ID + app_->request_service(0x111, + vsomeip_test::TEST_SERVICE_INSTANCE_ID, false); + + // request not allowed instance ID + app_->request_service(vsomeip_test::TEST_SERVICE_SERVICE_ID, + 0x02, false); + + // request events of eventgroup 0x01 which holds events 0x8001 (allowed) and 0x8002 (denied) + std::set<vsomeip::eventgroup_t> its_eventgroups; + its_eventgroups.insert(0x01); + app_->request_event(vsomeip_test::TEST_SERVICE_SERVICE_ID, vsomeip_test::TEST_SERVICE_INSTANCE_ID, + static_cast<vsomeip::event_t>(0x8001), + its_eventgroups, true); + app_->request_event(vsomeip_test::TEST_SERVICE_SERVICE_ID, vsomeip_test::TEST_SERVICE_INSTANCE_ID, + static_cast<vsomeip::event_t>(0x8002), + its_eventgroups, true); + + app_->subscribe(vsomeip_test::TEST_SERVICE_SERVICE_ID, vsomeip_test::TEST_SERVICE_INSTANCE_ID, 0x01, + vsomeip::DEFAULT_MAJOR, vsomeip::subscription_type_e::SU_RELIABLE_AND_UNRELIABLE, + static_cast<vsomeip::event_t>(0x8001)); + + app_->subscribe(vsomeip_test::TEST_SERVICE_SERVICE_ID, vsomeip_test::TEST_SERVICE_INSTANCE_ID, 0x01, + vsomeip::DEFAULT_MAJOR, vsomeip::subscription_type_e::SU_RELIABLE_AND_UNRELIABLE, + static_cast<vsomeip::event_t>(0x8002)); } } @@ -68,6 +115,12 @@ void security_test_client::on_availability(vsomeip::service_t _service, << _service << "." << _instance << "] is " << (_is_available ? "available." : "NOT available."); + // check that only the allowed service / instance ID gets available + if (_is_available) { + EXPECT_EQ(vsomeip_test::TEST_SERVICE_SERVICE_ID, _service); + EXPECT_EQ(vsomeip_test::TEST_SERVICE_INSTANCE_ID, _instance); + } + if(vsomeip_test::TEST_SERVICE_SERVICE_ID == _service && vsomeip_test::TEST_SERVICE_INSTANCE_ID == _instance) { std::unique_lock<std::mutex> its_lock(mutex_); @@ -92,13 +145,26 @@ void security_test_client::on_message(const std::shared_ptr<vsomeip::message> &_ << std::setw(4) << std::setfill('0') << std::hex << _response->get_session() << "]"; - if (_response->get_service() == vsomeip_test::TEST_SERVICE_SERVICE_ID && - _response->get_instance() == vsomeip_test::TEST_SERVICE_INSTANCE_ID) { - received_responses_++; - if (received_responses_ == vsomeip_test::NUMBER_OF_MESSAGES_TO_SEND_SECURITY_TESTS) { - VSOMEIP_WARNING << std::hex << app_->get_client() - << ": Received all messages ~> going down!"; + if(_response->get_message_type() == vsomeip::message_type_e::MT_RESPONSE) { + EXPECT_EQ(vsomeip_test::TEST_SERVICE_SERVICE_ID, _response->get_service()); + EXPECT_EQ(vsomeip_test::TEST_SERVICE_INSTANCE_ID, _response->get_instance()); + EXPECT_EQ(vsomeip_test::TEST_SERVICE_METHOD_ID, _response->get_method()); + + if (_response->get_service() == vsomeip_test::TEST_SERVICE_SERVICE_ID && + _response->get_instance() == vsomeip_test::TEST_SERVICE_INSTANCE_ID && + _response->get_method() == vsomeip_test::TEST_SERVICE_METHOD_ID) { + received_responses_++; + if (received_responses_ == vsomeip_test::NUMBER_OF_MESSAGES_TO_SEND_SECURITY_TESTS) { + VSOMEIP_WARNING << std::hex << app_->get_client() + << ": Received all messages ~> going down!"; + } } + } else if (_response->get_message_type() == vsomeip::message_type_e::MT_NOTIFICATION) { + // check that only allowed event 0x8001 is received + EXPECT_EQ(vsomeip_test::TEST_SERVICE_SERVICE_ID, _response->get_service()); + EXPECT_EQ(vsomeip_test::TEST_SERVICE_INSTANCE_ID, _response->get_instance()); + EXPECT_EQ(0x8001, _response->get_method()); + received_allowed_events_++; } } @@ -116,15 +182,31 @@ void security_test_client::run() { request->set_service(vsomeip_test::TEST_SERVICE_SERVICE_ID); request->set_instance(vsomeip_test::TEST_SERVICE_INSTANCE_ID); request->set_method(vsomeip_test::TEST_SERVICE_METHOD_ID); + + // send a request which is allowed by policy -> expect answer + app_->send(request, true); + + // send a request with a not allowed method ID -> expect no answer + request->set_method(0x888); app_->send(request, true); std::this_thread::sleep_for(std::chrono::milliseconds(250)); } std::this_thread::sleep_for(std::chrono::milliseconds(250)); - EXPECT_EQ(vsomeip_test::NUMBER_OF_MESSAGES_TO_SEND_SECURITY_TESTS, - received_responses_); + if (!test_external_communication_) { + EXPECT_EQ(vsomeip_test::NUMBER_OF_MESSAGES_TO_SEND_SECURITY_TESTS, + received_responses_); + EXPECT_EQ(received_allowed_events_, (uint32_t) 0x01); + } else if (test_external_communication_ && !is_remote_client_allowed_) { + EXPECT_EQ((uint32_t)0, received_responses_); + EXPECT_EQ((uint32_t)0, received_allowed_events_); + } else if (test_external_communication_ && is_remote_client_allowed_) { + EXPECT_EQ(vsomeip_test::NUMBER_OF_MESSAGES_TO_SEND_SECURITY_TESTS, + received_responses_); + EXPECT_EQ(received_allowed_events_, (uint32_t) 0x01); + } stop(); } @@ -143,9 +225,9 @@ void security_test_client::shutdown_service() { app_->send(request,true); } -TEST(someip_security_test, basic_request_response) +TEST(someip_security_test, basic_subscribe_request_response) { - security_test_client test_client; + security_test_client test_client(is_remote_test, remote_client_allowed); if (test_client.init()) { test_client.start(); test_client.join_sender_thread(); @@ -153,6 +235,44 @@ TEST(someip_security_test, basic_request_response) } int main(int argc, char** argv) { + + std::string test_remote("--remote"); + std::string test_local("--local"); + std::string test_allow_remote_client("--allow"); + std::string test_deny_remote_client("--deny"); + std::string help("--help"); + + int i = 1; + while (i < argc) + { + if(test_remote == argv[i]) + { + is_remote_test = true; + } + else if(test_local == argv[i]) + { + is_remote_test = false; + } + else if(test_allow_remote_client == argv[i]) + { + remote_client_allowed = true; + } + else if(test_deny_remote_client == argv[i]) + { + remote_client_allowed = false; + } + else if(help == argv[i]) + { + VSOMEIP_INFO << "Parameters:\n" + << "--remote: Run test between two hosts\n" + << "--local: Run test locally\n" + << "--allow: test is started with a policy that allows remote messages sent by this test client to the service\n" + << "--deny: test is started with a policy that denies remote messages sent by this test client to the service\n" + << "--help: print this help"; + } + i++; + } + ::testing::InitGoogleTest(&argc, argv); return RUN_ALL_TESTS(); -}
\ No newline at end of file +} diff --git a/test/security_tests/security_test_client.hpp b/test/security_tests/security_test_client.hpp index ed010fa..df2acc8 100644 --- a/test/security_tests/security_test_client.hpp +++ b/test/security_tests/security_test_client.hpp @@ -20,7 +20,8 @@ class security_test_client { public: - security_test_client(); + security_test_client(bool _test_external_communication, + bool _is_remote_client_allowed); bool init(); void start(); void stop(); @@ -45,6 +46,10 @@ private: std::thread sender_; std::atomic<std::uint32_t> received_responses_; + std::atomic<std::uint32_t> received_allowed_events_; + + bool test_external_communication_; + bool is_remote_client_allowed_; }; #endif // SECURITY_TEST_CLIENT_HPP diff --git a/test/security_tests/security_test_client_start.sh b/test/security_tests/security_test_client_start.sh deleted file mode 100755 index e87ca31..0000000 --- a/test/security_tests/security_test_client_start.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash -# Copyright (C) 2015-2017 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -export VSOMEIP_APPLICATION_NAME=client-sample -export VSOMEIP_CONFIGURATION=vsomeip-security.json -./security_test_client diff --git a/test/security_tests/security_test_external_master_start.sh b/test/security_tests/security_test_external_master_start.sh new file mode 100755 index 0000000..855654b --- /dev/null +++ b/test/security_tests/security_test_external_master_start.sh @@ -0,0 +1,83 @@ +#!/bin/bash +# Copyright (C) 2015-2018 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# Purpose: This script is needed to start the services with +# one command. This is necessary as ctest - which is used to run the +# tests - isn't able to start multiple binaries for one testcase. Therefore +# the testcase simply executes this script. This script then runs the services +# and checks that all exit successfully. + +if [ $# -lt 2 ] +then + echo "Please pass a json file to this script and wether remote clients are allowed or not " + echo "For example: $0 security_test_config_client_external_allow.json --allow" + exit 1 +fi + +MASTER_JSON_FILE=$1 +SERVICE_JSON_FILE=${MASTER_JSON_FILE/client/service} +ALLOW_DENY=$2 + +FAIL=0 + +export VSOMEIP_CONFIGURATION=$1 +export VSOMEIP_APPLICATION_NAME=vsomeipd +# start daemon +../daemon/./vsomeipd & +PID_VSOMEIPD=$! + +export VSOMEIP_CONFIGURATION=$1 +export VSOMEIP_APPLICATION_NAME=client-sample +./security_test_client --remote $2 & +PID_CLIENT=$! + + +if [ ! -z "$USE_LXC_TEST" ]; then + echo "starting external security test on slave LXC" + ssh -tt -i $SANDBOX_ROOT_DIR/commonapi_main/lxc-config/.ssh/mgc_lxc/rsa_key_file.pub -o StrictHostKeyChecking=no root@$LXC_TEST_SLAVE_IP "bash -ci \"set -m; cd \\\$SANDBOX_TARGET_DIR/vsomeip/test; ./security_test_external_slave_start.sh $SERVICE_JSON_FILE $2\"" & +elif [ ! -z "$USE_DOCKER" ]; then + docker run --name citms --cap-add NET_ADMIN $DOCKER_IMAGE sh -c "route add -net 224.0.0.0/4 dev eth0 && cd $DOCKER_TESTS && ./security_test_external_slave_start.sh $SERVICE_JSON_FILE $2" & +else +cat <<End-of-message +******************************************************************************* +******************************************************************************* +** Please now run: +** security_test_external_slave_start.sh $SERVICE_JSON_FILE $2 +** from an external host to successfully complete this test. +** +** You probably will need to adapt the 'unicast' settings in +** security_test_config_service_external_allow.json and +** security_test_config_client_external_allow.json to your personal setup. +******************************************************************************* +******************************************************************************* +End-of-message +fi + +# Wait until client and service are finished +for client_pid in "${PID_CLIENT}" +do + if [ -n "$client_pid" ]; then + # Fail gets incremented if either client or service exit + # with a non-zero exit code + wait "$client_pid" || ((FAIL+=1)) + fi +done + +if [ ! -z "$USE_DOCKER" ]; then + docker stop citms + docker rm citms +fi + +kill $PID_VSOMEIPD +kill $PID_CLIENT + +# Check if both exited successfully +if [ $FAIL -eq 0 ] +then + exit 0 +else + exit 1 +fi diff --git a/test/security_tests/security_test_external_slave_start.sh b/test/security_tests/security_test_external_slave_start.sh new file mode 100755 index 0000000..2b2391f --- /dev/null +++ b/test/security_tests/security_test_external_slave_start.sh @@ -0,0 +1,60 @@ +#!/bin/bash +# Copyright (C) 2015-2018 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# Purpose: This script is needed to start the services with +# one command. This is necessary as ctest - which is used to run the +# tests - isn't able to start multiple binaries for one testcase. Therefore +# the testcase simply executes this script. This script then runs the services +# and checks that all exit successfully. + +if [ $# -lt 2 ] +then + echo "Please pass a json file to this script and wether remote clients are allowed or not " + echo "For example: $0 security_test_config_service_external_allow.json --allow" + exit 1 +fi + +CLIENT_JSON_FILE=$1 +ALLOW_DENY=$2 + +FAIL=0 + +export VSOMEIP_CONFIGURATION=$1 +export VSOMEIP_APPLICATION_NAME=vsomeipd +# start daemon +../daemon/./vsomeipd & +PID_VSOMEIPD=$! + +export VSOMEIP_CONFIGURATION=$1 +export VSOMEIP_APPLICATION_NAME=service-sample +./security_test_service --remote $2 & +PID_SERVICE=$! + +# Wait until client and service are finished +for client_pid in "${PID_SERVICE}" +do + if [ -n "$client_pid" ]; then + # Fail gets incremented if either client or service exit + # with a non-zero exit code + wait "$client_pid" || ((FAIL+=1)) + fi +done + +if [ ! -z "$USE_DOCKER" ]; then + docker stop citms + docker rm citms +fi + +kill $PID_VSOMEIPD +kill $PID_SERVICE + +# Check if both exited successfully +if [ $FAIL -eq 0 ] +then + exit 0 +else + exit 1 +fi diff --git a/test/security_tests/security_test_start.sh b/test/security_tests/security_test_local_start.sh index ac4f51f..886b412 100755 --- a/test/security_tests/security_test_start.sh +++ b/test/security_tests/security_test_local_start.sh @@ -4,12 +4,22 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. -export VSOMEIP_CONFIGURATION=security_test_config.json +export VSOMEIP_CONFIGURATION=security_test_local_config.json + +export VSOMEIP_APPLICATION_NAME=vsomeipd +# start daemon +../daemon/./vsomeipd & +PID_VSOMEIPD=$! + +sleep 1 export VSOMEIP_APPLICATION_NAME=service-sample -./security_test_service & +./security_test_service --local & sleep 1 export VSOMEIP_APPLICATION_NAME=client-sample -./security_test_client +./security_test_client --local + +kill $PID_VSOMEIPD +sleep 1 diff --git a/test/security_tests/security_test_service.cpp b/test/security_tests/security_test_service.cpp index 99fb14e..baaa60d 100644 --- a/test/security_tests/security_test_service.cpp +++ b/test/security_tests/security_test_service.cpp @@ -5,6 +5,9 @@ #include "security_test_service.hpp" +static bool is_remote_test = false; +static bool remote_client_allowed = true; + security_test_service::security_test_service() : app_(vsomeip::runtime::get()->create_application()), is_registered_(false), @@ -34,6 +37,31 @@ bool security_test_service::init() { app_->register_state_handler( std::bind(&security_test_service::on_state, this, std::placeholders::_1)); + + // offer allowed field 0x8001 eventgroup 0x01 + std::set<vsomeip::eventgroup_t> its_eventgroups; + its_eventgroups.insert(0x01); + + app_->offer_event(vsomeip_test::TEST_SERVICE_SERVICE_ID, vsomeip_test::TEST_SERVICE_INSTANCE_ID, + static_cast<vsomeip::event_t>(0x8001), its_eventgroups, true); + + // also offer field 0x8002 which is not allowed to be received by client + app_->offer_event(vsomeip_test::TEST_SERVICE_SERVICE_ID, vsomeip_test::TEST_SERVICE_INSTANCE_ID, + static_cast<vsomeip::event_t>(0x8002), its_eventgroups, true); + + // set value to fields + std::shared_ptr<vsomeip::payload> its_payload = + vsomeip::runtime::get()->create_payload(); + vsomeip::byte_t its_data[2] = {static_cast<vsomeip::byte_t>((vsomeip_test::TEST_SERVICE_SERVICE_ID & 0xFF00) >> 8), + static_cast<vsomeip::byte_t>((vsomeip_test::TEST_SERVICE_SERVICE_ID & 0xFF))}; + its_payload->set_data(its_data, 2); + + app_->notify(vsomeip_test::TEST_SERVICE_SERVICE_ID, vsomeip_test::TEST_SERVICE_INSTANCE_ID, + static_cast<vsomeip::event_t>(0x8001), its_payload); + + app_->notify(vsomeip_test::TEST_SERVICE_SERVICE_ID, vsomeip_test::TEST_SERVICE_INSTANCE_ID, + static_cast<vsomeip::event_t>(0x8002), its_payload); + return true; } @@ -56,6 +84,12 @@ void security_test_service::join_offer_thread() { void security_test_service::offer() { app_->offer_service(vsomeip_test::TEST_SERVICE_SERVICE_ID, vsomeip_test::TEST_SERVICE_INSTANCE_ID); + + // try to offer a not allowed instance ID 0x02 (client requesting the service should not get available) + app_->offer_service(vsomeip_test::TEST_SERVICE_SERVICE_ID, 0x02); + + // try to offer a not allowed service ID 0x111 (client requesting the service should not get available) + app_->offer_service(0x111, vsomeip_test::TEST_SERVICE_INSTANCE_ID); } void security_test_service::stop_offer() { @@ -83,12 +117,12 @@ void security_test_service::on_state(vsomeip::state_type_e _state) { void security_test_service::on_message(const std::shared_ptr<vsomeip::message>& _request) { ASSERT_EQ(vsomeip_test::TEST_SERVICE_SERVICE_ID, _request->get_service()); - ASSERT_EQ(vsomeip_test::TEST_SERVICE_METHOD_ID, _request->get_method()); + ASSERT_EQ(vsomeip_test::TEST_SERVICE_INSTANCE_ID, _request->get_instance()); VSOMEIP_INFO << "Received a message with Client/Session [" << std::setw(4) << std::setfill('0') << std::hex << _request->get_client() << "/" << std::setw(4) << std::setfill('0') << std::hex - << _request->get_session() << "]"; + << _request->get_session() << "] method: " << _request->get_method() ; // send response std::shared_ptr<vsomeip::message> its_response = @@ -115,9 +149,17 @@ void security_test_service::run() { condition_.wait(its_lock); offer(); + + // do not wait for the shutdown method to be called + if (is_remote_test && !remote_client_allowed) { + std::this_thread::sleep_for(std::chrono::milliseconds(250 * vsomeip_test::NUMBER_OF_MESSAGES_TO_SEND_SECURITY_TESTS + 10000)); + VSOMEIP_INFO << "Shutdown the service after timeout as remote client is not allowed by policy to call shutdown method!"; + stop(); + } + } -TEST(someip_security_test, basic_request_response) { +TEST(someip_security_test, basic_subscribe_request_response) { security_test_service test_service; if (test_service.init()) { test_service.start(); @@ -127,6 +169,44 @@ TEST(someip_security_test, basic_request_response) { #ifndef _WIN32 int main(int argc, char** argv) { + + std::string test_remote("--remote"); + std::string test_local("--local"); + std::string test_allow_remote_client("--allow"); + std::string test_deny_remote_client("--deny"); + std::string help("--help"); + + int i = 1; + while (i < argc) + { + if(test_remote == argv[i]) + { + is_remote_test = true; + } + else if(test_local == argv[i]) + { + is_remote_test = false; + } + else if(test_allow_remote_client == argv[i]) + { + remote_client_allowed = true; + } + else if(test_deny_remote_client == argv[i]) + { + remote_client_allowed = false; + } + else if(help == argv[i]) + { + VSOMEIP_INFO << "Parameters:\n" + << "--remote: Run test between two hosts\n" + << "--local: Run test locally\n" + << "--allow: test is started with a policy that allows remote messages sent by this test client to the service\n" + << "--deny: test is started with a policy that denies remote messages sent by this test client to the service\n" + << "--help: print this help"; + } + i++; + } + ::testing::InitGoogleTest(&argc, argv); return RUN_ALL_TESTS(); } |