Commit fd2ec4d8 authored by Yann Garcia

Create Authorization groups ; Implement TCs for TS-0018 Clause 7.2.2.10.4.2...

Create Authorization groups ; Implement TCs for TS-0018 Clause 7.2.2.10.4.2 Impersonation Prevention
parent 23de0214
......@@ -31,10 +31,10 @@ module OneM2M_Pics {
/**
* @desc End-to-End Certificate-based Key Establishment Procedure support
* @see oneM2M TS-0003
* @see oneM2M TS-0003 Clause 8.2.2.2
*/
modulepar boolean PICS_ESC_SUPPORT := true;
/**
* @desc Dynamic Authorization resource support
* @see oneM2M TS-0017 A.5.6.53
......
/**
* Copyright Notification
* No part of this document may be reproduced, in an electronic retrieval system or otherwise, except as authorized by written permission.
* The copyright and the foregoing restriction extend to reproduction in all media.
* © 2016, oneM2M Partners Type 1 (ARIB, ATIS, CCSA, ETSI, TIA, TSDSI, TTA, TTC).
* All rights reserved.
*
* @author ETSI
* @version $URL: https://oldforge.etsi.org/svn/oneM2M/branches/Release1/ttcn/OneM2M_Testcases.ttcn $
* $Id: OneM2M_Testcases.ttcn 347 2017-08-11 08:48:20Z reinaortega $
* @desc Module containing test cases for oneM2M
* Copyright Notification
* No part of this document may be reproduced, in an electronic retrieval system or otherwise, except as authorized by written permission.
* The copyright and the foregoing restriction extend to reproduction in all media.
* © 2016, oneM2M Partners Type 1 (ARIB, ATIS, CCSA, ETSI, TIA, TSDSI, TTA, TTC).
* All rights reserved.
*
* @author ETSI
* @version $URL: https://oldforge.etsi.org/svn/oneM2M/branches/Release1/ttcn/OneM2M_Testcases.ttcn $
* $Id: OneM2M_Testcases.ttcn 347 2017-08-11 08:48:20Z reinaortega $
* @desc Module containing test cases for oneM2M
*
*/
module OneM2M_Testcases_CSE_Release_4 {
......@@ -36,12 +36,12 @@ module OneM2M_Testcases_CSE_Release_4 {
var RequestPrimitive v_request;
map(self:mcaPort, system:mcaPort) param (PX_TS_AE1.mcaPort);
for (i:=0; i<lengthof(PX_RESOURCES_TO_BE_DELETED); i:= i+1) {
for (i:=0; i<lengthof(PX_RESOURCES_TO_BE_DELETED); i:= i+1) {
v_resourceAddress := f_getResourceAddress() & "/" & PX_RESOURCES_TO_BE_DELETED[i];
v_request := valueof(m_delete(v_resourceAddress, PX_SUPER_AE_ID));
f_send(e_mcaPort, m_request(v_request));
t_ac.start;
......@@ -97,7 +97,7 @@ module OneM2M_Testcases_CSE_Release_4 {
group Registration {
}//end Registration
group Data_Management_and_Repository {
......@@ -384,7 +384,7 @@ module OneM2M_Testcases_CSE_Release_4 {
group Update {
group g_CSE_DMR_UPD_015{
/**
* @desc Check that the IUT updates successfully the value of the optional attribute OPTIONAL_ATTRIBUTE of the RESOURCE_TYPE resource under CSEBase
*/
......@@ -415,10 +415,10 @@ module OneM2M_Testcases_CSE_Release_4 {
v_primitiveContentRetrieveResource := f_getPrimitiveContentRetrievedResource(v_ae1);
//Check that the resource has been udpated correctly
if(ischosen(v_primitiveContentRetrieveResource.node)) {
if(v_primitiveContentRetrieveResource.node.labels != v_labels){
if(ischosen(v_primitiveContentRetrieveResource.node)) {
if(v_primitiveContentRetrieveResource.node.labels != v_labels){
setverdict(fail, __SCOPE__ & ": Error: Labels attribute not updated correctly")
}
}
}
}
}
......@@ -452,10 +452,10 @@ module OneM2M_Testcases_CSE_Release_4 {
v_primitiveContentRetrieveResource := f_getPrimitiveContentRetrievedResource(v_ae1);
//Check that the resource has been udpated correctly
if(ischosen(v_primitiveContentRetrieveResource.node)) {
if(v_primitiveContentRetrieveResource.node.accessControlPolicyIDs != valueof(v_updateRequestPrimitive.primitiveContent.node.accessControlPolicyIDs)){
if(ischosen(v_primitiveContentRetrieveResource.node)) {
if(v_primitiveContentRetrieveResource.node.accessControlPolicyIDs != valueof(v_updateRequestPrimitive.primitiveContent.node.accessControlPolicyIDs)){
setverdict(fail, __SCOPE__ & ": Error: Access Control Policy attribute not updated correctly")
}
}
}
}
}
......@@ -466,9 +466,9 @@ module OneM2M_Testcases_CSE_Release_4 {
}
} // end group g_CSE_DMR_UPD_015
group g_CSE_DMR_UPD_016 {
/**
* @desc Check that the IUT updates successfully the value of the attribute MANDATORY_ATTRIBUTE of the RESOURCE_TYPE resource under CSEBase
*/
......@@ -498,12 +498,12 @@ module OneM2M_Testcases_CSE_Release_4 {
}
v_primitiveContentRetrieveResource := f_getPrimitiveContentRetrievedResource(v_ae1);
//Check that the resource has been udpated correctly
if(ischosen(v_primitiveContentRetrieveResource.node)) {
//Check that the resource has been udpated correctly
if(ischosen(v_primitiveContentRetrieveResource.node)) {
if(v_primitiveContentRetrieveResource.node.expirationTime != v_expirationTime){
setverdict(fail, __SCOPE__ & ": Error: Expiration time attribute not updated correctly")
setverdict(fail, __SCOPE__ & ": Error: Expiration time attribute not updated correctly")
}
}
}
}
}
......@@ -535,9 +535,9 @@ module OneM2M_Testcases_CSE_Release_4 {
//Check that the resource has been udpated correctly
if(ischosen(v_primitiveContentRetrieveResource.node)) {
if(v_primitiveContentRetrieveResource.node.nodeID != v_targetId){
if(v_primitiveContentRetrieveResource.node.nodeID != v_targetId){
setverdict(fail, __SCOPE__ & ": Error: NodeID attribute not updated correctly")
}
}
}
}
}
......@@ -575,67 +575,394 @@ module OneM2M_Testcases_CSE_Release_4 {
group Security {
group ESPrim {
group authentication {
group Notify{
}//end group Notify
}//end group ESPrim
group Role_Based_Access_Control {
group ESPrim {
group Notify{
}//end group Notify
}//end group ESPrim
group Create{
group Role_Based_Access_Control { // TODO To be moved to authorization group
group Create{
}//end group Create
group Retrieve {
}//end group Create
group Retrieve {
}// end of group Retrieve
}// end of group Retrieve
group Update {
group Update {
}//end group Update
}//end group Update
group Notify {
}//end group Notify
}//end group Role_Based_Access_Control
group Notify {
group ESCertKE {
group Notify {
}// end of group Notify
}// end of group ESCertKE
}//end group Notify
}//end group Role_Based_Access_Control
group ESCertKE {
group Notify {
group Access_Control_Policy {
}//end group AccessControlPolicy
group Impersonation_Prevention {
}// end of group Notify
}// end of group ESCertKE
group Access_Control_Policy { // TODO To be moved to authorization group
}//end group AccessControlPolicy
}//end group Impersonation_Prevention
} // End of group authentication
group Dynamic_Authorization {
group authorization {
}//end group Dynamic_Authorization
group Impersonation_Prevention {
group Create {
group Indirect_Dynamic_Authorization {
}//end group Indirect_Dynamic_Authorization
/**
* @desc Check that the IUT processes properly AE Impersonation attacks
*/
testcase TC_CSE_SEC_IP_CRE_001() runs on Tester system CseSystem {
var AeSimu v_ae1 := AeSimu.create("AE1") alive;
v_ae1.start(f_CSE_SEC_IP_CRE_001());
v_ae1.done;
}
function f_CSE_SEC_IP_CRE_001() runs on AeSimu system CseSystem {
// Local variables
var integer v_aeIndex := -1;
var integer v_acpIndex := -1;
var integer v_groupIndex := -1;
var XSD.ID v_ae1ResourceId;
var template RequestPrimitive v_groupRequest := m_createGroup(1, -, omit, int2, -, -, -);
var template RequestPrimitive v_createRequest := valueof(m_createAcpBase);
// Test control
if (not PICS_ESC_SUPPORT) {
setverdict(inconc, __SCOPE__ & ": End-to-End Certificate-based Key Establishment Procedure support is required to run this test case");
stop;
}
// Test component configuration
f_cf03Up();
// Test adapter configuration
// Preamble
// FIXME Security association establishment may be performed using AE1, E.g. TLS using AE1_ID
v_aeIndex := f_cse_preamble_registerAe(-, -);
vc_ae1.start(f_cse_createResource(int2, m_createAe(PX_TS_AE1.appId, -, PX_TS_AE1.aeIdStem, c_defaultAe1ResourceName, omit), -1)); // AE1 is registred
f_aeSimu_checkComponentDoneAndGetVerdict(vc_ae1);
v_ae1ResourceId := f_getLatestResourceAddress(vc_ae1, e_nonHierarchical, e_cseRelative);
v_groupRequest.primitiveContent.group_.memberIDs := {v_ae1ResourceId};
v_groupIndex := f_cse_createResource(int9, v_groupRequest, v_aeIndex);
v_createRequest := m_createAcp(-, {f_getResourceId(vc_resourcesList[v_groupIndex].resource)} , -);
// Test Body
v_createRequest := f_getCreateRequestPrimitive(int1, v_createRequest, v_aeIndex);
// Alter the 'From' field using AE identifier different that AE1_ID
v_createRequest.from_ := PX_TS_AE2.appId;
f_send(e_mcaPort, m_request(valueof(v_createRequest)));
tc_ac.start;
alt {
[] mcaPort.receive(mw_response(mw_responsePrimitive(int4106))) -> value vc_response {
tc_ac.stop;
setverdict(pass, __SCOPE__ & ": AE impersonation attack detected");
}
[] mcaPort.receive(mw_response) -> value vc_response {
tc_ac.stop;
setverdict(fail, __SCOPE__ & ": Wrong response status code");
}
[] tc_ac.timeout {
setverdict(fail, __SCOPE__ & ": No answer while creating resource");
}
}
//Postamble
f_cse_postamble_deleteResources();
//Tear down
f_cf03Down();
}//end TC_CSE_SEC_IP_CRE_001
}// end of group Create
group Retrieve {
group Json_Web_Token {
}//end group Json_Web_Token
/**
* @desc Check that the IUT processes properly AE Impersonation attacks
*/
testcase TC_CSE_SEC_IP_RET_001() runs on Tester system CseSystem {
var AeSimu v_ae1 := AeSimu.create("AE1") alive;
v_ae1.start(f_CSE_SEC_IP_RET_001());
v_ae1.done;
}
function f_CSE_SEC_IP_RET_001() runs on AeSimu system CseSystem {
// Local variables
var integer v_aeIndex := -1;
var integer v_acpIndex := -1;
var integer v_groupIndex := -1;
var XSD.ID v_parentIndex;
var XSD.ID v_resourceIndex;
var template RequestPrimitive v_request := valueof(m_retrieve);
// Test control
if (not PICS_ESC_SUPPORT) {
setverdict(inconc, __SCOPE__ & ": End-to-End Certificate-based Key Establishment Procedure support is required to run this test case");
stop;
}
// Test component configuration
f_cf03Up();
// Test adapter configuration
// Preamble
// FIXME Security association establishment may be performed using AE1, E.g. TLS using AE1_ID
f_cse_createAccessControlPolicyAux();
v_aeIndex := f_cse_createResource_withAcpAux(int2, m_createAe(vc_aeSimuDesc.appId, -, vc_aeSimuDesc.aeIdStem, c_defaultAe1ResourceName, {f_getCompletePoA(vc_aeSimuDesc.mcaPortIn, "")}), -1); // AE1 is registred
v_parentIndex := f_cse_createResource(int3, m_createContainerBase, v_aeIndex);
v_resourceIndex := f_cse_createResource(int4, m_createContainerBase, v_parentIndex);
// Test Body
v_request := m_retrieve(f_getResourceAddress(v_resourceIndex), f_getOriginator(v_resourceIndex));
// Alter the 'From' field using AE identifier different that AE1_ID
v_request.from_ := PX_TS_AE2.appId;
f_send(e_mcaPort, m_request(valueof(v_request)));
tc_ac.start;
alt {
[] mcaPort.receive(mw_response(mw_responsePrimitive(int4106))) -> value vc_response {
tc_ac.stop;
setverdict(pass, __SCOPE__ & ": AE impersonation attack detected");
}
[] mcaPort.receive(mw_response) -> value vc_response {
tc_ac.stop;
setverdict(fail, __SCOPE__ & ": Wrong response status code");
}
[] tc_ac.timeout {
setverdict(fail, __SCOPE__ & ": No answer while creating resource");
}
}
//Postamble
f_cse_postamble_deleteResources();
//Tear down
f_cf03Down();
}//end TC_CSE_SEC_IP_RET_001
}// end of group Retrieve
group Update {
group Distributed_Authorization {
}//end group Distributed_Authorization
/**
* @desc Check that the IUT processes properly AE Impersonation attacks
*/
testcase TC_CSE_SEC_IP_UPD_001() runs on Tester system CseSystem {
var AeSimu v_ae1 := AeSimu.create("AE1") alive;
v_ae1.start(f_CSE_SEC_IP_UPD_001());
v_ae1.done;
}
function f_CSE_SEC_IP_UPD_001() runs on AeSimu system CseSystem {
// Local variables
var integer v_aeIndex := -1;
var integer v_acpIndex := -1;
var integer v_groupIndex := -1;
var XSD.ID v_parentIndex;
var XSD.ID v_resourceIndex;
var template RequestPrimitive v_update := valueof(m_update);
// Test control
if (not PICS_ESC_SUPPORT) {
setverdict(inconc, __SCOPE__ & ": End-to-End Certificate-based Key Establishment Procedure support is required to run this test case");
stop;
}
// Test component configuration
f_cf03Up();
// Test adapter configuration
// Preamble
// FIXME Security association establishment may be performed using AE1, E.g. TLS using AE1_ID
f_cse_createAccessControlPolicyAux();
v_aeIndex := f_cse_createResource_withAcpAux(int2, m_createAe(vc_aeSimuDesc.appId, -, vc_aeSimuDesc.aeIdStem, c_defaultAe1ResourceName, {f_getCompletePoA(vc_aeSimuDesc.mcaPortIn, "")}), -1); // AE1 is registred
v_parentIndex := f_cse_createResource(int3, m_createContainerBase, v_aeIndex);
v_resourceIndex := f_cse_createResource(int4, m_createContainerBase, v_parentIndex);
// Test Body
v_update := m_update(f_getResourceAddress(v_resourceIndex), f_getOriginator(v_resourceIndex));
// Alter the 'From' field using AE identifier different that AE1_ID
v_update.from_ := PX_TS_AE2.appId;
f_send(e_mcaPort, m_request(valueof(v_update)));
tc_ac.start;
alt {
[] mcaPort.receive(mw_response(mw_responsePrimitive(int4106))) -> value vc_response {
tc_ac.stop;
setverdict(pass, __SCOPE__ & ": AE impersonation attack detected");
}
[] mcaPort.receive(mw_response) -> value vc_response {
tc_ac.stop;
setverdict(fail, __SCOPE__ & ": Wrong response status code");
}
[] tc_ac.timeout {
setverdict(fail, __SCOPE__ & ": No answer while creating resource");
}
}
//Postamble
f_cse_postamble_deleteResources();
//Tear down
f_cf03Down();
}//end TC_CSE_SEC_IP_UPD_001
}// end of group Update
group Delete {
/**
* @desc Check that the IUT processes properly AE Impersonation attacks
*/
testcase TC_CSE_SEC_IP_DEL_001() runs on Tester system CseSystem {
var AeSimu v_ae1 := AeSimu.create("AE1") alive;
v_ae1.start(f_CSE_SEC_IP_DEL_001());
v_ae1.done;
}
function f_CSE_SEC_IP_DEL_001() runs on AeSimu system CseSystem {
// Local variables
var integer v_aeIndex := -1;
var XSD.ID v_parentIndex;
var XSD.ID v_resourceIndex;
var template RequestPrimitive v_delete := valueof(m_delete);
// Test control
if (not PICS_ESC_SUPPORT) {
setverdict(inconc, __SCOPE__ & ": End-to-End Certificate-based Key Establishment Procedure support is required to run this test case");
stop;
}
// Test component configuration
f_cf03Up();
// Test adapter configuration
// Preamble
// FIXME Security association establishment may be performed using AE1, E.g. TLS using AE1_ID
f_cse_createAccessControlPolicyAux();
v_aeIndex := f_cse_createResource_withAcpAux(int2, m_createAe(vc_aeSimuDesc.appId, -, vc_aeSimuDesc.aeIdStem, c_defaultAe1ResourceName, {f_getCompletePoA(vc_aeSimuDesc.mcaPortIn, "")}), -1); // AE1 is registred
v_parentIndex := f_cse_createResource(int3, m_createContainerBase, v_aeIndex);
v_resourceIndex := f_cse_createResource(int4, m_createContainerBase, v_parentIndex);
// Test Body
v_delete := m_delete(f_getResourceAddress(v_resourceIndex), f_getOriginator(v_resourceIndex));
// Alter the 'From' field using AE identifier different that AE1_ID
v_delete.from_ := PX_TS_AE2.appId;
f_send(e_mcaPort, m_request(valueof(v_delete)));
tc_ac.start;
alt {
[] mcaPort.receive(mw_response(mw_responsePrimitive(int4106))) -> value vc_response {
tc_ac.stop;
setverdict(pass, __SCOPE__ & ": AE impersonation attack detected");
}
[] mcaPort.receive(mw_response) -> value vc_response {
tc_ac.stop;
setverdict(fail, __SCOPE__ & ": Wrong response status code");
}
[] tc_ac.timeout {
setverdict(fail, __SCOPE__ & ": No answer while creating resource");
}
}
//Postamble
f_cse_postamble_deleteResources();
//Tear down
f_cf03Down();
}//end TC_CSE_SEC_IP_DEL_001
}// end of group Delete
}//end group Impersonation_Prevention
group Dynamic_Authorization {
group Direct_Dynamic_Authorization {
}//end group DirectDynamic_Authorization
group Indirect_Dynamic_Authorization {
}//end group IndirectDynamic_Authorization
}//end group Dynamic_Authorization
group Indirect_Dynamic_Authorization {
}//end group Indirect_Dynamic_Authorization
group Json_Web_Token {
}//end group Json_Web_Token
group Distributed_Authorization {
}//end group Distributed_Authorization
} // End of group authorization
}//end group Security
group Device_Management {
......
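Review bot: The four new impersonation functions (f_CSE_SEC_IP_CRE_001, _RET_001, _UPD_001, _DEL_001) can reach the pass verdict without the IUT performing any impersonation check. Each sets `from_ := PX_TS_AE2.appId`, but AE2 is never registered in the preamble and, per the FIXME, no security association bound to AE1 is established, so a CSE that simply rejects an unknown originator with the same status would also match `mw_responsePrimitive(int4106)`. I would register AE2 in the preamble, send the altered request over a security association authenticated as AE1, and put AE2's assigned AE-ID rather than its App-ID in `from_`; until that exists, a comment such as `// NOTE: any int4106 rejection passes until the AE1 security association (see FIXME) is in place` would keep the limitation visible. Separately, in the RET, UPD and DEL functions `v_parentIndex` and `v_resourceIndex` are declared `XSD.ID` but receive the result of f_cse_createResource, which this same hunk assigns to the integer `v_groupIndex`, so they should probably be `var integer v_parentIndex := -1;` (same for `v_resourceIndex`). The timeout text `No answer while creating resource` is also copied unchanged into the retrieve, update and delete cases.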