| #!/bin/bash |
| |
| . ../../../prepare.inc.sh |
| . ../../../toolbox.inc.sh |
| |
| |
| # ---- do the actual testing ---- |
| |
| if [ $have_grant = 0 ] |
| then |
| toolbox_skip_test $TEST "SKIPPING DUE TO LACK OF GRANT PERMIT" |
| exit 0 |
| fi |
| |
| result=PASS |
| echo "++++ BEGINNING TEST" >$OUTPUTFILE |
| |
| # create a keyring and attach it to the session keyring |
| marker "ADD KEYRING" |
| create_keyring --new=keyringid wibble @s |
| |
| # Create a keyring and remove most permissions from it; leaving just |
| # setsec for the owner. |
| marker "ADD KEYRING" |
| create_keyring --new=keyid lizard $keyringid |
| marker "REMOVE PERMITS" |
| grant_key_permit $keyid own S |
| grant_key_permit $keyid pos 0 |
| grant_key_permit $keyid grp 0 |
| grant_key_permit $keyid all 0 |
| |
| # Test the View permit |
| marker "TEST VIEW" |
| describe_key --fail $keyid |
| expect_error EACCES |
| grant_key_permit $keyid grp v |
| describe_key $keyid |
| grant_key_permit $keyid grp 0 |
| describe_key --fail $keyid |
| expect_error EACCES |
| |
| # Test the Read permit |
| marker "TEST READ" |
| list_keyring --fail $keyid |
| expect_error EACCES |
| grant_key_permit $keyid grp r |
| list_keyring $keyid |
| grant_key_permit $keyid grp 0 |
| list_keyring --fail $keyid |
| expect_error EACCES |
| |
| # Test the Write permit |
| marker "TEST WRITE" |
| create_key --fail user lizard gizzard $keyid |
| expect_error EACCES |
| grant_key_permit $keyid grp w |
| create_key --new=keyid2 user lizard gizzard $keyid |
| grant_key_permit $keyid grp 0 |
| unlink_key --fail $keyid $keyid2 |
| expect_error EACCES |
| create_key --fail user lizard gizzard $keyid |
| expect_error EACCES |
| |
| # Test the Search permit (we're allowed to read a key we can search out) |
| marker "TEST SEARCH" |
| search_for_key --fail $keyid user lizard |
| expect_error EACCES |
| grant_key_permit $keyid pos s |
| search_for_key --expect=$keyid2 $keyid user lizard |
| grant_key_permit $keyid pos 0 |
| search_for_key --fail $keyid user lizard |
| expect_error EACCES |
| |
| marker "TEST SEARCH 2" |
| search_for_key --fail @s user lizard |
| expect_error ENOKEY |
| grant_key_permit $keyid pos s |
| search_for_key --expect=$keyid2 @s user lizard |
| grant_key_permit $keyid pos 0 |
| search_for_key --fail @s user lizard |
| expect_error ENOKEY |
| |
| # Test the Link permit |
| marker "TEST LINK" |
| link_key --fail $keyid @s |
| expect_error EACCES |
| grant_key_permit $keyid grp l |
| link_key $keyid @s |
| grant_key_permit $keyid grp 0 |
| link_key --fail $keyid @s |
| expect_error EACCES |
| unlink_key $keyid @s |
| |
| # Test the Clear permit |
| marker "TEST CLEAR" |
| clear_keyring --fail $keyid |
| expect_error EACCES |
| grant_key_permit $keyid grp c |
| clear_keyring $keyid |
| grant_key_permit $keyid grp 0 |
| clear_keyring --fail $keyid |
| expect_error EACCES |
| |
| # Test the Join permit |
| marker "TEST JOIN" |
| new_session lizard /bin/true |
| expect_joined_session ses |
| if [ $ses = $keyid ]; then failed; fi |
| grant_key_permit $keyid grp j |
| new_session lizard /bin/true |
| expect_joined_session ses |
| if [ $ses != $keyid ]; then failed; fi |
| grant_key_permit $keyid grp 0 |
| new_session lizard /bin/true |
| expect_joined_session ses |
| if [ $ses = $keyid ]; then failed; fi |
| |
| # Test the Invalidate permit |
| marker "TEST INVAL" |
| invalidate_key --fail $keyid |
| expect_error EACCES |
| grant_key_permit $keyid grp I |
| invalidate_key $keyid |
| grant_key_permit --fail $keyid grp 0 |
| expect_error ENOKEY |
| invalidate_key --fail $keyid |
| expect_error ENOKEY |
| |
| # Create a keyring and remove most permissions from it; leaving just |
| # setsec for the owner. |
| marker "ADD KEYRING 2" |
| create_keyring --new=keyid lizard $keyringid |
| marker "REMOVE PERMITS 2" |
| grant_key_permit $keyid own S |
| grant_key_permit $keyid pos 0 |
| grant_key_permit $keyid grp 0 |
| grant_key_permit $keyid all 0 |
| |
| # Test the Revoke permit |
| marker "TEST REVOKE" |
| revoke_key --fail $keyid |
| expect_error EACCES |
| grant_key_permit $keyid grp R |
| revoke_key $keyid |
| grant_key_permit --fail $keyid grp 0 |
| expect_error EKEYREVOKED |
| revoke_key --fail $keyid |
| expect_error EKEYREVOKED |
| |
| # Create a keyring and remove most permissions from it; leaving just |
| # setsec for the owner. |
| marker "ADD KEYRING 3" |
| create_keyring --new=keyid lizard $keyringid |
| marker "REMOVE PERMITS 3" |
| grant_key_permit $keyid grp Sv |
| grant_key_permit $keyid own 0 |
| grant_key_permit $keyid pos 0 |
| grant_key_permit $keyid all 0 |
| |
| # Test the Set Security permit |
| marker "TEST SET SECURITY" |
| describe_key $keyid |
| grant_key_permit $keyid grp v |
| describe_key $keyid |
| grant_key_permit --fail $keyid grp Sv |
| expect_error EACCES |
| |
| # remove the keyring we added |
| marker "UNLINK KEYRING" |
| unlink_key $keyringid @s |
| |
| echo "++++ FINISHED TEST: $result" >>$OUTPUTFILE |
| |
| # --- then report the results in the database --- |
| toolbox_report_result $TEST $result |
