#include "testclient.h"
#include "testutils.h"
#include <Security/osxsigner.h>
using namespace CodeSigning;
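//
// Authorization test: drive the authorization calls of a ClientSession and
// check that rights are granted, refused, and carried across an
// externalize/internalize round trip the way the test expects.
//
// Expectations encoded below:
//  - "debug.testing" and "debug.testing.more" are granted;
//  - "debug.deny" is never granted, either alone or as part of a larger request;
//  - a re-internalized authorization yields the same answers as the original;
//  - a request that can only be partially satisfied succeeds with
//    kAuthorizationFlagPartialRights and fails without it.
//
// Failures are reported through error() or assert(); successes through detail().
// NOTE: the assert() checks disappear in a build that defines NDEBUG, so this
// test only verifies the granted right names in a debug build.
//
void authorizations()
{
    printf("* authorization test\n");
    ClientSession ss(CssmAllocator::standard(), CssmAllocator::standard());

    // make a simple authorization query
    AuthorizationBlob auth;
    AuthorizationItem testingItem = { "debug.testing", 0, NULL, NULL };
    AuthorizationItem testingMoreItem = { "debug.testing.more", 0, NULL, NULL };
    AuthorizationItem denyItem = { "debug.deny", 0, NULL, NULL };
    AuthorizationItemSet request = { 1, &testingItem };
    ss.authCreate(&request, NULL,
        kAuthorizationFlagInteractionAllowed |
        kAuthorizationFlagExtendRights |
        kAuthorizationFlagPartialRights,
        auth);
    detail("Initial authorization obtained");

    // ask for rights from this authorization: of the three requested,
    // exactly the two non-deny rights are expected back
    {
        AuthorizationItem moreItems[3] = { testingItem, denyItem, testingMoreItem };
        AuthorizationItemSet moreRequests = { 3, moreItems };
        AuthorizationItemSet *rightsVector = NULL;
        ss.authCopyRights(auth, &moreRequests, NULL,
            kAuthorizationFlagInteractionAllowed |
            kAuthorizationFlagExtendRights |
            kAuthorizationFlagPartialRights,
            &rightsVector);
        if (rightsVector->count != 2)
            error("COPYRIGHTS RETURNED %d RIGHTS (EXPECTED 2)", int(rightsVector->count));
        // Collect only as many names as were actually returned, so a short
        // result cannot lead to reading past the end of items[].
        std::set<std::string> rights;
        for (unsigned int n = 0; n < rightsVector->count; ++n)
            rights.insert(rightsVector->items[n].name);
        assert(rights.find("debug.testing") != rights.end() &&
            rights.find("debug.testing.more") != rights.end());
        // The denied right must not appear among the granted ones.
        assert(rights.find("debug.deny") == rights.end());
        free(rightsVector);
        detail("CopyRights okay");
    }

    // ask for the impossible: creating an authorization for the deny right
    // alone (no PartialRights flag) is expected to throw
    try {
        // Use a scratch blob for the negative test. Writing into `auth` here
        // would let an unexpected success replace the handle that is
        // externalized and re-checked below.
        AuthorizationBlob badAuth;
        AuthorizationItem badItem = { "debug.deny", 0, NULL, NULL };
        AuthorizationItemSet badRequest = { 1, &badItem };
        ss.authCreate(&badRequest, NULL,
            kAuthorizationFlagInteractionAllowed |
            kAuthorizationFlagExtendRights,
            badAuth);
        error("AUTHORIZED debug.deny OPERATION");
    } catch (CssmCommonError &err) {
        detail(err, "debug.deny authorization denied properly");
    }

    // externalize the authorization and re-internalize it under a second handle
    AuthorizationExternalForm extForm;
    ss.authExternalize(auth, extForm);
    AuthorizationBlob auth2;
    ss.authInternalize(extForm, auth2);

    // the re-internalized handle must grant debug.testing and still refuse debug.deny
    {
        AuthorizationItem moreItems[2] = { testingItem, denyItem };
        AuthorizationItemSet moreRequests = { 2, moreItems };
        AuthorizationItemSet *rightsVector = NULL;
        ss.authCopyRights(auth2, &moreRequests, NULL,
            kAuthorizationFlagInteractionAllowed |
            kAuthorizationFlagExtendRights |
            kAuthorizationFlagPartialRights,
            &rightsVector);
        if (rightsVector->count != 1)
            error("COPYRIGHTS RETURNED %d RIGHTS (EXPECTED 1)", int(rightsVector->count));
        // Check the count before touching items[0]; an empty result has no first item.
        assert(rightsVector->count >= 1 &&
            !strcmp(rightsVector->items[0].name, "debug.testing"));
        free(rightsVector);
        detail("Re-internalized authorization checks out okay");

        // try it with no rights output (it's optional)
        ss.authCopyRights(auth2, &moreRequests, NULL,
            kAuthorizationFlagPartialRights, NULL);
        detail("authCopyRights partial success OK (with no output)");

        // but this will fail if we want ALL rights: without PartialRights a
        // request containing a refused right must be rejected as a whole
        try {
            ss.authCopyRights(auth2, &moreRequests, NULL,
                kAuthorizationFlagDefaults, NULL);
            error("authCopyRights succeeded with (only) partial success");
        } catch (CssmError &) {
            detail("authCopyRight failed for (only) partial success");
        }
    }
}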