1/* 2 * Copyright (c) 2000-2001,2003-2004 Apple Computer, Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24 25// 26// testacls - ACL-related test cases. 27// 28#include "testclient.h" 29#include "testutils.h" 30#include <Security/osxsigner.h> 31 32using namespace CodeSigning; 33 34 35// 36// Authorization test. 37// This tests the authorization API support. 38// @@@ Incomplete and not satisfactory. 39// 40void authorizations() 41{ 42 printf("* authorization test\n"); 43 ClientSession ss(CssmAllocator::standard(), CssmAllocator::standard()); 44 45 // make a simple authorization query 46 AuthorizationBlob auth; 47 AuthorizationItem testingItem = { "debug.testing", 0, NULL, NULL }; 48 AuthorizationItem testingMoreItem = { "debug.testing.more", 0, NULL, NULL }; 49 AuthorizationItem denyItem = { "debug.deny", 0, NULL, NULL }; 50 AuthorizationItemSet request = { 1, &testingItem }; 51 ss.authCreate(&request, NULL/*environment*/, 52 kAuthorizationFlagInteractionAllowed | 53 kAuthorizationFlagExtendRights | 54 kAuthorizationFlagPartialRights, 55 auth); 56 detail("Initial authorization obtained"); 57 58 // ask for rights from this authorization 59 { 60 AuthorizationItem moreItems[3] = { testingItem, denyItem, testingMoreItem }; 61 AuthorizationItemSet moreRequests = { 3, moreItems }; 62 AuthorizationItemSet *rightsVector; 63 ss.authCopyRights(auth, &moreRequests, NULL/*environment*/, 64 kAuthorizationFlagInteractionAllowed | 65 kAuthorizationFlagExtendRights | 66 kAuthorizationFlagPartialRights, 67 &rightsVector); 68 if (rightsVector->count != 2) 69 error("COPYRIGHTS RETURNED %d RIGHTS (EXPECTED 2)", int(rightsVector->count)); 70 // the output rights could be in either order -- be flexible 71 set<string> rights; 72 rights.insert(rightsVector->items[0].name); 73 rights.insert(rightsVector->items[1].name); 74 assert(rights.find("debug.testing") != rights.end() && 75 rights.find("debug.testing.more") != rights.end()); 76 free(rightsVector); 77 detail("CopyRights okay"); 78 } 79 80 // ask for the impossible 81 try { 82 AuthorizationBlob badAuth; 83 AuthorizationItem badItem = { "debug.deny", 0, NULL, NULL }; 84 AuthorizationItemSet badRequest = { 1, &badItem }; 85 ss.authCreate(&badRequest, NULL/*environment*/, 86 kAuthorizationFlagInteractionAllowed | 87 kAuthorizationFlagExtendRights, 88 auth); 89 error("AUTHORIZED debug.deny OPERATION"); 90 } catch (CssmCommonError &err) { 91 detail(err, "debug.deny authorization denied properly"); 92 } 93 94 // externalize 95 AuthorizationExternalForm extForm; 96 ss.authExternalize(auth, extForm); 97 98 // re-internalize 99 AuthorizationBlob auth2; 100 ss.authInternalize(extForm, auth2); 101 102 // make sure it still works 103 { 104 AuthorizationItem moreItems[2] = { testingItem, denyItem }; 105 AuthorizationItemSet moreRequests = { 2, moreItems }; 106 AuthorizationItemSet *rightsVector; 107 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/, 108 kAuthorizationFlagInteractionAllowed | 109 kAuthorizationFlagExtendRights | 110 kAuthorizationFlagPartialRights, 111 &rightsVector); 112 if (rightsVector->count != 1) 113 error("COPYRIGHTS RETURNED %d RIGHTS (EXPECTED 1)", int(rightsVector->count)); 114 assert(!strcmp(rightsVector->items[0].name, "debug.testing")); 115 free(rightsVector); 116 detail("Re-internalized authorization checks out okay"); 117 118 // try it with no rights output (it's optional) 119 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/, 120 kAuthorizationFlagPartialRights, NULL); 121 detail("authCopyRights partial success OK (with no output)"); 122 123 // but this will fail if we want ALL rights... 124 try { 125 ss.authCopyRights(auth2, &moreRequests, NULL/*environment*/, 126 kAuthorizationFlagDefaults, NULL); 127 error("authCopyRights succeeded with (only) partial success"); 128 } catch (CssmError &err) { 129 detail("authCopyRight failed for (only) partial success"); 130 } 131 } 132} 133