secd-31-keychain-unreadable.m [plain text]
/*
* Copyright (c) 2008-2010,2013-2014,2016 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
#include <CoreFoundation/CoreFoundation.h>
#include <Security/SecBase.h>
#include <Security/SecItem.h>
#include <Security/SecInternal.h>
#include <utilities/SecFileLocations.h>
#include <utilities/SecCFWrappers.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sqlite3.h>
#include "secd_regressions.h"
#include <securityd/SecItemServer.h>
#include "SecdTestKeychainUtilities.h"
#if !(TARGET_OS_IOS && TARGET_OS_SIMULATOR)
static void setKeychainPermissions(int perm) {
CFStringRef kc_path_cf = __SecKeychainCopyPath();
CFStringPerformWithCString(kc_path_cf, ^(const char *path) {
ok_unix(chmod(path, perm), "chmod keychain file });
}
#endif
int secd_31_keychain_unreadable(int argc, char *const *argv)
{
#if TARGET_OS_IOS && TARGET_OS_SIMULATOR
// When running on iOS device in debugger, the target usually runs
// as root, which means it has access to the file even after setting 000.
return 0;
#else
plan_tests(10 + kSecdTestSetupTestCount);
secd_test_setup_temp_keychain("secd_31_keychain_unreadable", ^{
CFStringRef keychain_path_cf = __SecKeychainCopyPath();
CFStringPerformWithCString(keychain_path_cf, ^(const char *keychain_path) {
int fd;
ok_unix(fd = open(keychain_path, O_RDWR | O_CREAT | O_TRUNC, 0644),
"create keychain file '%s'", keychain_path);
SKIP: {
skip("Cannot fchmod keychain file with invalid fd", 2, fd > -1);
ok_unix(fchmod(fd, 0), " keychain file '%s'", keychain_path);
ok_unix(close(fd), "close keychain file '%s'", keychain_path);
}
});
CFReleaseSafe(keychain_path_cf);
});
int v_eighty = 80;
CFNumberRef eighty = CFNumberCreate(NULL, kCFNumberSInt32Type, &v_eighty);
const char *v_data = "test";
CFDataRef pwdata = CFDataCreate(NULL, (UInt8 *)v_data, strlen(v_data));
CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
CFDictionaryAddValue(query, kSecClass, kSecClassInternetPassword);
CFDictionaryAddValue(query, kSecAttrServer, CFSTR("members.spamcop.net"));
CFDictionaryAddValue(query, kSecAttrAccount, CFSTR("smith"));
CFDictionaryAddValue(query, kSecAttrPort, eighty);
CFDictionaryAddValue(query, kSecAttrProtocol, kSecAttrProtocolHTTP);
CFDictionaryAddValue(query, kSecAttrAuthenticationType, kSecAttrAuthenticationTypeDefault);
CFDictionaryAddValue(query, kSecValueData, pwdata);
is_status(SecItemAdd(query, NULL), errSecNotAvailable, "Cannot add items to unreadable keychain");
is_status(SecItemCopyMatching(query, NULL), errSecNotAvailable, "Cannot read items in unreadable keychain");
setKeychainPermissions(0644);
ok_status(SecItemAdd(query, NULL), "Add internet password");
is_status(SecItemAdd(query, NULL), errSecDuplicateItem,
"Add internet password again");
ok_status(SecItemCopyMatching(query, NULL), "Found the item we added");
// For commented tests need to convince secd to let go of connections.
// Without intervention it keeps them and accesses continue to succeed.
/*
setKeychainPermissions(0);
is_status(SecItemCopyMatching(query, NULL), errSecNotAvailable, "Still cannot read items in unreadable keychain");
setKeychainPermissions(0644);
ok_status(SecItemCopyMatching(query, NULL), "Found the item again");
*/
ok_status(SecItemDelete(query),"Deleted the item we added");
CFReleaseNull(eighty);
CFReleaseNull(pwdata);
CFReleaseNull(query);
#endif // !(TARGET_OS_IOS && TARGET_OS_SIMULATOR)
return 0;
}