diff options
Diffstat (limited to 'test/unit_tests/security_tests/ut_is_client_allowed.cpp')
-rw-r--r-- | test/unit_tests/security_tests/ut_is_client_allowed.cpp | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/test/unit_tests/security_tests/ut_is_client_allowed.cpp b/test/unit_tests/security_tests/ut_is_client_allowed.cpp new file mode 100644 index 0000000..ab65153 --- /dev/null +++ b/test/unit_tests/security_tests/ut_is_client_allowed.cpp @@ -0,0 +1,149 @@ +#include <memory> +#include "gtest/gtest.h" +#include "../../common/utility.hpp" + +namespace { + vsomeip_v3::uid_t uid_1 = 4003031; + vsomeip_v3::gid_t gid_1 = 4003031; + vsomeip_v3::service_t service_1 = 0xf913; + + vsomeip_v3::service_t service_2 = 0x41; // service not defined in policies + + vsomeip_v3::instance_t instance = 0x03; + vsomeip_v3::instance_t instance_2 = 0x04; + vsomeip_v3::method_t method = 0x04; + vsomeip_v3::method_t method_2 = 0x05; + + vsomeip_v3::gid_t invalid_uid = 1; + vsomeip_v3::gid_t invalid_gid = 1; + vsomeip_v3::uid_t ANY_UID = 0xFFFFFFFF; + vsomeip_v3::gid_t ANY_GID = 0xFFFFFFFF; + + vsomeip_v3::gid_t deny_uid = 9999; + vsomeip_v3::gid_t deny_gid = 9999; + vsomeip_v3::service_t deny_service = 0x40; +} + +TEST(is_client_allowed_test, check_no_policies_loaded) { + std::unique_ptr<vsomeip_v3::policy_manager_impl> its_manager(new vsomeip_v3::policy_manager_impl); + + //no policies loaded -> is_client_allowed must return true + ASSERT_FALSE(its_manager->is_enabled()); + + vsomeip_sec_client_t its_sec_client_invalid = utility::create_uds_client(invalid_uid, invalid_gid); + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_invalid, service_1, instance, method)); +} + +TEST(is_client_allowed_test, check_policies_loaded) { + std::unique_ptr<vsomeip_v3::policy_manager_impl> its_manager(new vsomeip_v3::policy_manager_impl); + + //force load of some policies + std::set<std::string> its_failed; + std::vector<vsomeip_v3::configuration_element> policy_elements; + std::vector<std::string> dir_skip; + utility::read_data(utility::get_all_files_in_dir(utility::get_policies_path(), dir_skip), policy_elements, its_failed); + + //check if the load worked + ASSERT_TRUE(policy_elements.size() > 0); + ASSERT_TRUE(its_failed.size() == 0); + + for (const auto& e : policy_elements) { + its_manager->load(e, false); + } + + // check if the policies are loaded and check_credentials_ variable are true + ASSERT_TRUE(its_manager->is_enabled()); + ASSERT_FALSE(its_manager->is_audit()); + + // create security clients + vsomeip_sec_client_t its_sec_client = utility::create_uds_client(uid_1, gid_1); + vsomeip_sec_client_t its_sec_client_invalid_uid = utility::create_uds_client(invalid_uid, gid_1); + vsomeip_sec_client_t its_sec_client_invalid_gid = utility::create_uds_client(uid_1, invalid_gid); + vsomeip_sec_client_t its_sec_client_any = utility::create_uds_client(ANY_UID, ANY_GID); + vsomeip_sec_client_t its_sec_client_deny = utility::create_uds_client(deny_uid, deny_gid); + + //valid credential for valid service / istance / method + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method)); + + // test is_client_allowed_cache_, request with the same credentials and service / instance / method + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method)); + + // test is_client_allowed_cache_, request with the same credentials and service but with a different instance or method + // is_client_allowed return true because it's define ANY_INSTANCE and ANY_METHOD in the policy + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance_2, method)); + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method_2)); + + //invalid credential for the service / istance / method + EXPECT_FALSE(its_manager->is_client_allowed(&its_sec_client_invalid_uid, service_1, instance, method)); + EXPECT_FALSE(its_manager->is_client_allowed(&its_sec_client_invalid_gid, service_1, instance, method)); + + //ANY_UID and ANY_GID + EXPECT_FALSE(its_manager->is_client_allowed(&its_sec_client_any, service_1, instance, method)); + + // test deny client + // deny client with credentials for the service + EXPECT_FALSE(its_manager->is_client_allowed(&its_sec_client_deny, deny_service, instance, method)); + // credencials exists in deny policy, but not for that service + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_deny, service_2, instance, method)); +} + + +// is_client_allowed with policies loaded but in audit mode +// vsomeip's security implementation can be put in a so called 'Audit Mode' where +// all security violations will be logged but allowed. +// To activate the 'Audit Mode' the 'security' object has to be included in the +// json file but the 'check_credentials' switch has to be set to false. + TEST(is_client_allowed_test, check_policies_loaded_in_audit_mode) { + std::unique_ptr<vsomeip_v3::policy_manager_impl> its_manager(new vsomeip_v3::policy_manager_impl); + + //force load of some policies + std::set<std::string> its_failed; + std::vector<vsomeip_v3::configuration_element> policy_elements; + std::vector<std::string> dir_skip; + utility::read_data(utility::get_all_files_in_dir(utility::get_policies_path(), dir_skip), policy_elements, its_failed); + + //check if the load worked + ASSERT_TRUE(policy_elements.size() > 0); + ASSERT_TRUE(its_failed.size() == 0); + + utility::force_check_credentials(policy_elements, "false"); + + for (const auto& e : policy_elements) { + its_manager->load(e, false); + } + + // check if the policies are loaded and check_credentials_ variable are false + ASSERT_TRUE(its_manager->is_enabled()); + ASSERT_TRUE(its_manager->is_audit()); + + // create security clients + vsomeip_sec_client_t its_sec_client = utility::create_uds_client(uid_1, gid_1); + vsomeip_sec_client_t its_sec_client_invalid_uid = utility::create_uds_client(invalid_uid, gid_1); + vsomeip_sec_client_t its_sec_client_invalid_gid = utility::create_uds_client(uid_1, invalid_gid); + vsomeip_sec_client_t its_sec_client_any = utility::create_uds_client(ANY_UID, ANY_GID); + vsomeip_sec_client_t its_sec_client_deny = utility::create_uds_client(deny_uid, deny_gid); + + // is expected is_client_allowed method always returns true + // valid credential for valid service / istance / method + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method)); + + // test is_client_allowed_cache_, request with the same credentials and service / instance / method + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method)); + + // test is_client_allowed_cache_, request with the same credentials and service but with a different instance or method + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance_2, method)); + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method_2)); + + // invalid credential for the service / istance / method + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_invalid_uid, service_1, instance, method)); + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_invalid_gid, service_1, instance, method)); + + // ANY_UID and ANY_GID + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_any, service_1, instance, method)); + + // test deny client + // deny client with credentials for the service + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_deny, deny_service, instance, method)); + // credencials exists in deny policy, but not for that service + EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_deny, service_2, instance, method)); +}
\ No newline at end of file |