summaryrefslogtreecommitdiff
path: root/test/unit_tests/security_tests/ut_check_credentials.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'test/unit_tests/security_tests/ut_check_credentials.cpp')
-rw-r--r--test/unit_tests/security_tests/ut_check_credentials.cpp122
1 files changed, 122 insertions, 0 deletions
diff --git a/test/unit_tests/security_tests/ut_check_credentials.cpp b/test/unit_tests/security_tests/ut_check_credentials.cpp
new file mode 100644
index 0000000..7696892
--- /dev/null
+++ b/test/unit_tests/security_tests/ut_check_credentials.cpp
@@ -0,0 +1,122 @@
+// Copyright (C) 2022 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#include <gtest/gtest.h>
+
+#include "../../common/utility.hpp"
+
+namespace {
+ vsomeip_v3::client_t client = 1;
+ vsomeip_v3::uid_t invalid_uid = 1;
+ vsomeip_v3::uid_t valid_uid = 4004201;
+ vsomeip_v3::gid_t invalid_gid = 1;
+ vsomeip_v3::gid_t valid_gid = 4004200;
+}
+
+TEST(check_credentials_test, check_no_policies_loaded) {
+
+ std::unique_ptr<vsomeip_v3::policy_manager_impl> its_manager(new vsomeip_v3::policy_manager_impl);
+
+ //no policies loaded -> check credentials will return false independent of the uid or gid
+ ASSERT_TRUE(its_manager->is_audit());
+ ASSERT_FALSE(its_manager->is_enabled());
+
+ // create security clients
+ vsomeip_sec_client_t its_sec_client_invalid = utility::create_uds_client(invalid_uid, invalid_gid);
+ EXPECT_TRUE(its_manager->check_credentials(client, &its_sec_client_invalid));
+}
+
+TEST(check_credentials_test, check_policies_loaded) {
+
+ std::unique_ptr<vsomeip_v3::policy_manager_impl> its_manager(
+ new vsomeip_v3::policy_manager_impl);
+
+ //force load of some policies
+ std::set<std::string> its_failed;
+ std::vector<vsomeip_v3::configuration_element> policy_elements;
+ std::vector<std::string> dir_skip;
+
+ utility::read_data(utility::get_all_files_in_dir(
+ utility::get_policies_path(), dir_skip), policy_elements, its_failed);
+
+ for (const auto& e : policy_elements)
+ its_manager->load(e, false);
+
+ //check if the load worked
+ ASSERT_TRUE(policy_elements.size() > 0);
+ ASSERT_TRUE(its_failed.size() == 0);
+
+ //the check_credentials_ and the policy_enabled_ variables should be set to true
+ ASSERT_FALSE(its_manager->is_audit());
+ ASSERT_TRUE(its_manager->is_enabled());
+
+ // create security clients
+ vsomeip_sec_client_t its_sec_client_valid = utility::create_uds_client(valid_uid, valid_gid);
+
+ vsomeip_sec_client_t its_sec_client_invalid = utility::create_uds_client(invalid_uid, invalid_gid);
+
+ //invalid uid and gid -> the check must return false
+ EXPECT_FALSE(its_manager->check_credentials(client, &its_sec_client_invalid));
+
+ //invalid uid and valid gid -> the check must return false
+ EXPECT_FALSE(its_manager->check_credentials(client, &its_sec_client_invalid));
+
+ //valid uid and invalid gid -> the check must return false
+ EXPECT_FALSE(its_manager->check_credentials(client, &its_sec_client_invalid));
+
+ //valid uid and gid -> the check must return true
+ EXPECT_TRUE(its_manager->check_credentials(client, &its_sec_client_valid));
+}
+
+// check_credentials with policies loaded but in audit mode
+// vsomeip's security implementation can be put in a so called 'Audit Mode' where
+// all security violations will be logged but allowed.
+// To activate the 'Audit Mode' the 'security' object has to be included in the
+// json file but the 'check_credentials' switch has to be set to false.
+TEST(check_credentials_test, check_policies_loaded_in_audit_mode) {
+
+ std::unique_ptr<vsomeip_v3::policy_manager_impl> its_manager(
+ new vsomeip_v3::policy_manager_impl);
+
+ //force load of some policies
+ std::set<std::string> its_failed;
+ std::vector<vsomeip_v3::configuration_element> policy_elements;
+ std::vector<std::string> dir_skip;
+ utility::read_data(utility::get_all_files_in_dir(
+ utility::get_policies_path(), dir_skip), policy_elements, its_failed);
+
+ //the check_credentials_ variable is force to be false
+ utility::force_check_credentials(policy_elements, "false");
+
+ for (const auto& e : policy_elements)
+ its_manager->load(e, false);
+
+ //check if the load worked
+ ASSERT_TRUE(policy_elements.size() > 0);
+ ASSERT_TRUE(its_failed.size() == 0);
+
+ //expect check_credentials_ false and the policy_enabled_ true
+ ASSERT_TRUE(its_manager->is_audit());
+ ASSERT_TRUE(its_manager->is_enabled());
+
+ // create security clients
+ vsomeip_sec_client_t its_sec_client_valid = utility::create_uds_client(valid_uid, valid_gid);
+ vsomeip_sec_client_t its_sec_client_invalid_valid = utility::create_uds_client(invalid_uid, valid_gid);
+ vsomeip_sec_client_t its_sec_client_valid_invalid = utility::create_uds_client(valid_uid, invalid_gid);
+ vsomeip_sec_client_t its_sec_client_invalid = utility::create_uds_client(invalid_uid, invalid_gid);
+
+ // is expected check_credentials method always return true
+ //invalid uid and gid
+ EXPECT_TRUE(its_manager->check_credentials(client, &its_sec_client_invalid));
+
+ //invalid uid and valid gid
+ EXPECT_TRUE(its_manager->check_credentials(client, &its_sec_client_invalid_valid));
+
+ //valid uid and invalid gid
+ EXPECT_TRUE(its_manager->check_credentials(client, &its_sec_client_valid_invalid));
+
+ //valid uid and gid
+ EXPECT_TRUE(its_manager->check_credentials(client, &its_sec_client_valid));
+} \ No newline at end of file
View Lorry Controller Status