diff options
Diffstat (limited to 'test/unit_tests/security_tests/ut_is_policy_update_allowed.cpp')
-rw-r--r-- | test/unit_tests/security_tests/ut_is_policy_update_allowed.cpp | 221 |
1 files changed, 221 insertions, 0 deletions
diff --git a/test/unit_tests/security_tests/ut_is_policy_update_allowed.cpp b/test/unit_tests/security_tests/ut_is_policy_update_allowed.cpp new file mode 100644 index 0000000..20c6ba5 --- /dev/null +++ b/test/unit_tests/security_tests/ut_is_policy_update_allowed.cpp @@ -0,0 +1,221 @@ +// Copyright (C) 2022 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +#include <memory> +#include <iostream> +#include <gtest/gtest.h> +#include "../../common/utility.hpp" + +namespace { +std::string configuration_file { "/vsomeip/0_0/vsomeip_security.json" }; + +vsomeip_v3::uid_t valid_uid { 0 }; +vsomeip_v3::uid_t invalid_uid { 1234567 }; + +vsomeip_v3::gid_t valid_gid { 0 }; + +vsomeip_v3::service_t valid_service { 0xf913 }; +vsomeip_v3::service_t invalid_service { 0x41 }; +} + +TEST(is_policy_update_allowed, check_whitelist_disabled) +{ + // Test object. + std::unique_ptr<vsomeip_v3::policy_manager_impl> security(new vsomeip_v3::policy_manager_impl); + + // Get some configurations. + std::set<std::string> its_failed; + std::vector<vsomeip_v3::configuration_element> policy_elements; + std::set<std::string> input { utility::get_policies_path() + configuration_file }; + utility::read_data(input, policy_elements, its_failed); + + // Load the configuration into the security. + ASSERT_GT(policy_elements.size(), 0) << "Failed to fetch policy elements!"; + const bool check_whitelist { false }; + utility::add_security_whitelist(policy_elements.at(0), check_whitelist); + security->load(policy_elements.at(0), false); + + // Create policy credentials. + boost::icl::discrete_interval<uid_t> its_uids(valid_uid, valid_uid); + boost::icl::interval_set<gid_t> its_gids; + its_gids.insert(boost::icl::interval<gid_t>::closed(valid_gid, valid_gid)); + + // Create a policy. + std::shared_ptr<vsomeip::policy> policy(std::make_shared<vsomeip::policy>()); + policy->credentials_ += std::make_pair(its_uids, its_gids); + policy->allow_who_ = true; + policy->allow_what_ = true; + + // NO REQUESTS IN POLICY ---------------------------------------------------------------------// + + EXPECT_TRUE(security->is_policy_update_allowed(invalid_uid, policy)) + << "Failed to allow policy update with invalid user id when check_whitelist is " + "disabled!"; + + EXPECT_TRUE(security->is_policy_update_allowed(valid_uid, policy)) + << "Failed to allow policy update with valid user id when check_whitelist is " + "disabled!"; + + // ONLY VALID REQUESTS IN POLICY -------------------------------------------------------------// + + boost::icl::discrete_interval<vsomeip::instance_t> its_instances(0x1, 0x2); + boost::icl::interval_set<vsomeip::method_t> its_methods; + its_methods.insert(boost::icl::interval<vsomeip::method_t>::closed(0x01, 0x2)); + boost::icl::interval_map<vsomeip::instance_t, boost::icl::interval_set<vsomeip::method_t>> + its_instances_methods; + its_instances_methods += std::make_pair(its_instances, its_methods); + + // Add a valid request to the policy. + policy->requests_ += std::make_pair( + boost::icl::discrete_interval<vsomeip::service_t>( + valid_service, valid_service, boost::icl::interval_bounds::closed()), + its_instances_methods); + + EXPECT_TRUE(security->is_policy_update_allowed(invalid_uid, policy)) + << "Failed to allow policy update with invalid user id and valid request when " + "check_whitelist is disabled!"; + + EXPECT_TRUE(security->is_policy_update_allowed(valid_uid, policy)) + << "Failed to allow policy update with valid user id and valid request when " + "check_whitelist is disabled!"; + + // INVALID REQUESTS IN POLICY ----------------------------------------------------------------// + + // Add a invalid request to the policy. + policy->requests_ += std::make_pair( + boost::icl::discrete_interval<vsomeip::service_t>( + invalid_service, invalid_service, boost::icl::interval_bounds::closed()), + its_instances_methods); + + EXPECT_TRUE(security->is_policy_update_allowed(invalid_uid, policy)) + << "Failed to allow policy update with invalid user id and invalid request when " + "check_whitelist is disabled!"; + + EXPECT_TRUE(security->is_policy_update_allowed(valid_uid, policy)) + << "Failed to allow policy update with valid user id and invalid request when " + "check_whitelist is disabled!"; +} + +TEST(is_policy_update_allowed, check_whitelist_enabled) +{ + // Test object. + std::unique_ptr<vsomeip_v3::policy_manager_impl> security(new vsomeip_v3::policy_manager_impl); + + // Get some configurations. + std::set<std::string> its_failed; + std::vector<vsomeip_v3::configuration_element> policy_elements; + std::set<std::string> input { utility::get_policies_path() + configuration_file }; + utility::read_data(input, policy_elements, its_failed); + + // Load the policy into the security. + ASSERT_GT(policy_elements.size(), 0) << "Failed to fetch policy elements!"; + const bool check_whitelist { true }; + utility::add_security_whitelist(policy_elements.at(0), check_whitelist); + security->load(policy_elements.at(0), false); + + // Create policy credentials. + boost::icl::discrete_interval<uid_t> its_uids(valid_uid, valid_uid); + boost::icl::interval_set<gid_t> its_gids; + its_gids.insert(boost::icl::interval<gid_t>::closed(valid_gid, valid_gid)); + + // Create a policy. + std::shared_ptr<vsomeip::policy> policy(std::make_shared<vsomeip::policy>()); + policy->credentials_ += std::make_pair(its_uids, its_gids); + policy->allow_who_ = true; + policy->allow_what_ = true; + + // NO REQUESTS IN POLICY ---------------------------------------------------------------------// + + EXPECT_FALSE(security->is_policy_update_allowed(invalid_uid, policy)) + << "Failed to deny policy update with invalid user id!"; + + EXPECT_TRUE(security->is_policy_update_allowed(valid_uid, policy)) + << "Failed to allow policy update with valid user id!"; + + // ONLY VALID REQUESTS IN POLICY -------------------------------------------------------------// + + boost::icl::discrete_interval<vsomeip::instance_t> its_instances(0x1, 0x2); + boost::icl::interval_set<vsomeip::method_t> its_methods; + its_methods.insert(boost::icl::interval<vsomeip::method_t>::closed(0x01, 0x2)); + boost::icl::interval_map<vsomeip::instance_t, boost::icl::interval_set<vsomeip::method_t>> + its_instances_methods; + its_instances_methods += std::make_pair(its_instances, its_methods); + + // Add valid request to the policy. + policy->requests_ += std::make_pair( + boost::icl::discrete_interval<vsomeip::service_t>( + valid_service, valid_service, boost::icl::interval_bounds::closed()), + its_instances_methods); + + EXPECT_FALSE(security->is_policy_update_allowed(invalid_uid, policy)) + << "Failed to deny policy update with invalid user id and valid request!"; + + EXPECT_TRUE(security->is_policy_update_allowed(valid_uid, policy)) + << "Failed to allow policy update with valid user id and valid request!"; + + // INVALID REQUESTS IN POLICY ----------------------------------------------------------------// + + // Add invalid request to the policy. + policy->requests_ += std::make_pair( + boost::icl::discrete_interval<vsomeip::service_t>( + invalid_service, invalid_service, boost::icl::interval_bounds::closed()), + its_instances_methods); + + EXPECT_FALSE(security->is_policy_update_allowed(invalid_uid, policy)) + << "Failed to deny policy update with invalid user id and invalid request!"; + + EXPECT_FALSE(security->is_policy_update_allowed(valid_uid, policy)) + << "Failed to deny policy update with valid user id and invalid request!"; +} + +TEST(is_policy_update_allowed, null_policy) +{ + // Test objects. + std::unique_ptr<vsomeip_v3::policy_manager_impl> security(new vsomeip_v3::policy_manager_impl); + std::shared_ptr<vsomeip_v3::policy> policy = nullptr; + + // NO POLICIES LOADED ------------------------------------------------------------------------// + + ASSERT_EXIT((security->is_policy_update_allowed(0, policy), exit(0)), + testing::ExitedWithCode(0), ".*") + << "Could not handle a nullptr when no policies are loaded!"; + + EXPECT_TRUE(security->is_policy_update_allowed(0, policy)) + << "Denied update of policy when security whitelist is not loaded!"; + + // LOADED POLICY W/O SECURITY WHITELIST ------------------------------------------------------// + + // Get some configurations. + std::set<std::string> its_failed; + std::vector<vsomeip_v3::configuration_element> policy_elements; + std::set<std::string> input { utility::get_policies_path() + configuration_file }; + utility::read_data(input, policy_elements, its_failed); + + // Load the policy into the security. + ASSERT_GT(policy_elements.size(), 0) << "Failed to fetch policy elements!"; + security->load(policy_elements.at(0), false); + + ASSERT_EXIT((security->is_policy_update_allowed(0, policy), exit(0)), + testing::ExitedWithCode(0), ".*") + << "Could not handle a nullptr when a policy without a security whitelist was loaded!"; + + EXPECT_TRUE(security->is_policy_update_allowed(0, policy)) + << "Denied update of policy when security whitelist is not loaded!"; + + // LOADED POLICY W/ SECURITY WHITELIST -------------------------------------------------------// + + // Add a security whitelist to the policy. + + utility::add_security_whitelist(policy_elements.at(0), true); + + security->load(policy_elements.at(0), false); + + ASSERT_EXIT((security->is_policy_update_allowed(0, policy), exit(0)), + testing::ExitedWithCode(0), ".*") + << "Could not handle a nullptr when a policy with a security whitelist was loaded!"; + + EXPECT_FALSE(security->is_policy_update_allowed(0, policy)) + << "Allowed update of invalid policy!"; +} |