1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
#include <memory>
#include "gtest/gtest.h"
#include "../../common/utility.hpp"
namespace {
vsomeip_v3::uid_t uid_1 = 4003031;
vsomeip_v3::gid_t gid_1 = 4003031;
vsomeip_v3::service_t service_1 = 0xf913;
vsomeip_v3::service_t service_2 = 0x41; // service not defined in policies
vsomeip_v3::instance_t instance = 0x03;
vsomeip_v3::instance_t instance_2 = 0x04;
vsomeip_v3::method_t method = 0x04;
vsomeip_v3::method_t method_2 = 0x05;
vsomeip_v3::gid_t invalid_uid = 1;
vsomeip_v3::gid_t invalid_gid = 1;
vsomeip_v3::uid_t ANY_UID = 0xFFFFFFFF;
vsomeip_v3::gid_t ANY_GID = 0xFFFFFFFF;
vsomeip_v3::gid_t deny_uid = 9999;
vsomeip_v3::gid_t deny_gid = 9999;
vsomeip_v3::service_t deny_service = 0x40;
}
TEST(is_client_allowed_test, check_no_policies_loaded) {
std::unique_ptr<vsomeip_v3::policy_manager_impl> its_manager(new vsomeip_v3::policy_manager_impl);
//no policies loaded -> is_client_allowed must return true
ASSERT_FALSE(its_manager->is_enabled());
vsomeip_sec_client_t its_sec_client_invalid = utility::create_uds_client(invalid_uid, invalid_gid);
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_invalid, service_1, instance, method));
}
TEST(is_client_allowed_test, check_policies_loaded) {
std::unique_ptr<vsomeip_v3::policy_manager_impl> its_manager(new vsomeip_v3::policy_manager_impl);
//force load of some policies
std::set<std::string> its_failed;
std::vector<vsomeip_v3::configuration_element> policy_elements;
std::vector<std::string> dir_skip;
utility::read_data(utility::get_all_files_in_dir(utility::get_policies_path(), dir_skip), policy_elements, its_failed);
//check if the load worked
ASSERT_TRUE(policy_elements.size() > 0);
ASSERT_TRUE(its_failed.size() == 0);
for (const auto& e : policy_elements) {
its_manager->load(e, false);
}
// check if the policies are loaded and check_credentials_ variable are true
ASSERT_TRUE(its_manager->is_enabled());
ASSERT_FALSE(its_manager->is_audit());
// create security clients
vsomeip_sec_client_t its_sec_client = utility::create_uds_client(uid_1, gid_1);
vsomeip_sec_client_t its_sec_client_invalid_uid = utility::create_uds_client(invalid_uid, gid_1);
vsomeip_sec_client_t its_sec_client_invalid_gid = utility::create_uds_client(uid_1, invalid_gid);
vsomeip_sec_client_t its_sec_client_any = utility::create_uds_client(ANY_UID, ANY_GID);
vsomeip_sec_client_t its_sec_client_deny = utility::create_uds_client(deny_uid, deny_gid);
//valid credential for valid service / istance / method
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method));
// test is_client_allowed_cache_, request with the same credentials and service / instance / method
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method));
// test is_client_allowed_cache_, request with the same credentials and service but with a different instance or method
// is_client_allowed return true because it's define ANY_INSTANCE and ANY_METHOD in the policy
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance_2, method));
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method_2));
//invalid credential for the service / istance / method
EXPECT_FALSE(its_manager->is_client_allowed(&its_sec_client_invalid_uid, service_1, instance, method));
EXPECT_FALSE(its_manager->is_client_allowed(&its_sec_client_invalid_gid, service_1, instance, method));
//ANY_UID and ANY_GID
EXPECT_FALSE(its_manager->is_client_allowed(&its_sec_client_any, service_1, instance, method));
// test deny client
// deny client with credentials for the service
EXPECT_FALSE(its_manager->is_client_allowed(&its_sec_client_deny, deny_service, instance, method));
// credencials exists in deny policy, but not for that service
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_deny, service_2, instance, method));
}
// is_client_allowed with policies loaded but in audit mode
// vsomeip's security implementation can be put in a so called 'Audit Mode' where
// all security violations will be logged but allowed.
// To activate the 'Audit Mode' the 'security' object has to be included in the
// json file but the 'check_credentials' switch has to be set to false.
TEST(is_client_allowed_test, check_policies_loaded_in_audit_mode) {
std::unique_ptr<vsomeip_v3::policy_manager_impl> its_manager(new vsomeip_v3::policy_manager_impl);
//force load of some policies
std::set<std::string> its_failed;
std::vector<vsomeip_v3::configuration_element> policy_elements;
std::vector<std::string> dir_skip;
utility::read_data(utility::get_all_files_in_dir(utility::get_policies_path(), dir_skip), policy_elements, its_failed);
//check if the load worked
ASSERT_TRUE(policy_elements.size() > 0);
ASSERT_TRUE(its_failed.size() == 0);
utility::force_check_credentials(policy_elements, "false");
for (const auto& e : policy_elements) {
its_manager->load(e, false);
}
// check if the policies are loaded and check_credentials_ variable are false
ASSERT_TRUE(its_manager->is_enabled());
ASSERT_TRUE(its_manager->is_audit());
// create security clients
vsomeip_sec_client_t its_sec_client = utility::create_uds_client(uid_1, gid_1);
vsomeip_sec_client_t its_sec_client_invalid_uid = utility::create_uds_client(invalid_uid, gid_1);
vsomeip_sec_client_t its_sec_client_invalid_gid = utility::create_uds_client(uid_1, invalid_gid);
vsomeip_sec_client_t its_sec_client_any = utility::create_uds_client(ANY_UID, ANY_GID);
vsomeip_sec_client_t its_sec_client_deny = utility::create_uds_client(deny_uid, deny_gid);
// is expected is_client_allowed method always returns true
// valid credential for valid service / istance / method
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method));
// test is_client_allowed_cache_, request with the same credentials and service / instance / method
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method));
// test is_client_allowed_cache_, request with the same credentials and service but with a different instance or method
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance_2, method));
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client, service_1, instance, method_2));
// invalid credential for the service / istance / method
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_invalid_uid, service_1, instance, method));
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_invalid_gid, service_1, instance, method));
// ANY_UID and ANY_GID
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_any, service_1, instance, method));
// test deny client
// deny client with credentials for the service
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_deny, deny_service, instance, method));
// credencials exists in deny policy, but not for that service
EXPECT_TRUE(its_manager->is_client_allowed(&its_sec_client_deny, service_2, instance, method));
}
|
