Create Authorization groups ; Implement TCs for TS-0018 Clause 7.2.2.10.4.2...

Create Authorization groups ; Implement TCs for TS-0018 Clause 7.2.2.10.4.2 Impersonation Prevention

Create Authorization groups ; Implement TCs for TS-0018 Clause 7.2.2.10.4.2...
fd2ec4d8 · Yann Garcia · 23de0214 · fd2ec4d8 · fd2ec4d8
Commit fd2ec4d8 authored 4 years ago by Yann Garcia
--- a/LibOneM2M/OneM2M_Pics.ttcn
+++ b/LibOneM2M/OneM2M_Pics.ttcn
@@ -31,7 +31,7 @@ module OneM2M_Pics {
 	/**
 	 * @desc End-to-End Certificate-based Key Establishment Procedure support 
-	 * @see  oneM2M TS-0003
+	 * @see  oneM2M TS-0003 Clause 8.2.2.2
 	 */
 	modulepar boolean PICS_ESC_SUPPORT := true;

--- a/OneM2M_Testcases_CSE_Release_4.ttcn
+++ b/OneM2M_Testcases_CSE_Release_4.ttcn
@@ -575,6 +575,8 @@ module OneM2M_Testcases_CSE_Release_4 {
 		group Security {
+			group authentication {
 				group ESPrim {
 					group Notify{
@@ -584,7 +586,7 @@ module OneM2M_Testcases_CSE_Release_4 {
 				}//end group ESPrim
-			group Role_Based_Access_Control {
+				group Role_Based_Access_Control { // TODO To be moved to authorization group
 					group Create{
@@ -612,16 +614,339 @@ module OneM2M_Testcases_CSE_Release_4 {
 				}// end of group ESCertKE	
-			group Access_Control_Policy {
+				group Access_Control_Policy { // TODO To be moved to authorization group
 				}//end group AccessControlPolicy
+			} // End of group authentication
+			group authorization {
 					group Impersonation_Prevention {
+						group Create {
+							/**
+							 * @desc	Check that the IUT processes properly AE Impersonation attacks
+							 */
+							testcase TC_CSE_SEC_IP_CRE_001() runs on Tester system CseSystem {
+								var AeSimu v_ae1 := AeSimu.create("AE1") alive;
+								v_ae1.start(f_CSE_SEC_IP_CRE_001());
+								v_ae1.done;
+							}
+							function f_CSE_SEC_IP_CRE_001() runs on AeSimu system CseSystem {
+								// Local variables
+								var integer v_aeIndex := -1;
+								var integer v_acpIndex := -1;
+								var integer v_groupIndex := -1;
+								var XSD.ID v_ae1ResourceId;
+								var template RequestPrimitive v_groupRequest := m_createGroup(1, -, omit, int2, -, -, -);
+								var template RequestPrimitive v_createRequest := valueof(m_createAcpBase);
+								// Test control
+								if (not PICS_ESC_SUPPORT) {
+									setverdict(inconc, __SCOPE__ & ": End-to-End Certificate-based Key Establishment Procedure support is required to run this test case");
+									stop;
+								}
+								// Test component configuration
+								f_cf03Up();
+								// Test adapter configuration
+								// Preamble
+								// FIXME Security association establishment may be performed using AE1, E.g. TLS using AE1_ID
+								v_aeIndex := f_cse_preamble_registerAe(-, -);
+								vc_ae1.start(f_cse_createResource(int2, m_createAe(PX_TS_AE1.appId, -, PX_TS_AE1.aeIdStem, c_defaultAe1ResourceName, omit), -1)); // AE1 is registred
+								f_aeSimu_checkComponentDoneAndGetVerdict(vc_ae1);
+								v_ae1ResourceId := f_getLatestResourceAddress(vc_ae1, e_nonHierarchical, e_cseRelative);
+								v_groupRequest.primitiveContent.group_.memberIDs := {v_ae1ResourceId};
+								v_groupIndex := f_cse_createResource(int9, v_groupRequest, v_aeIndex); 
+								v_createRequest := m_createAcp(-, {f_getResourceId(vc_resourcesList[v_groupIndex].resource)} , -);
+								// Test Body
+								v_createRequest := f_getCreateRequestPrimitive(int1, v_createRequest, v_aeIndex);
+								// Alter the 'From' field using AE identifier different that AE1_ID
+								v_createRequest.from_ := PX_TS_AE2.appId;
+								f_send(e_mcaPort, m_request(valueof(v_createRequest)));
+								tc_ac.start;
+								alt {
+									[] mcaPort.receive(mw_response(mw_responsePrimitive(int4106))) -> value vc_response {
+										tc_ac.stop;
+										setverdict(pass, __SCOPE__ & ": AE impersonation attack detected");
+									}
+									[] mcaPort.receive(mw_response) -> value vc_response {
+										tc_ac.stop;
+										setverdict(fail, __SCOPE__ & ": Wrong response status code");
+									}
+									[] tc_ac.timeout {
+										setverdict(fail, __SCOPE__ & ": No answer while creating resource");
+									}
+								}
+								//Postamble
+								f_cse_postamble_deleteResources();
+								//Tear down
+								f_cf03Down();
+							}//end TC_CSE_SEC_IP_CRE_001
+						}// end of group Create
+						group Retrieve {
+							/**
+							 * @desc	Check that the IUT processes properly AE Impersonation attacks
+							 */
+							testcase TC_CSE_SEC_IP_RET_001() runs on Tester system CseSystem {
+								var AeSimu v_ae1 := AeSimu.create("AE1") alive;
+								v_ae1.start(f_CSE_SEC_IP_RET_001());
+								v_ae1.done;
+							}
+							function f_CSE_SEC_IP_RET_001() runs on AeSimu system CseSystem {
+								// Local variables
+								var integer v_aeIndex := -1;
+								var integer v_acpIndex := -1;
+								var integer v_groupIndex := -1;
+								var XSD.ID v_parentIndex;
+								var XSD.ID v_resourceIndex;
+								var template RequestPrimitive v_request := valueof(m_retrieve);
+								// Test control
+								if (not PICS_ESC_SUPPORT) {
+									setverdict(inconc, __SCOPE__ & ": End-to-End Certificate-based Key Establishment Procedure support is required to run this test case");
+									stop;
+								}
+								// Test component configuration
+								f_cf03Up();
+								// Test adapter configuration
+								// Preamble
+								// FIXME Security association establishment may be performed using AE1, E.g. TLS using AE1_ID
+								f_cse_createAccessControlPolicyAux();
+								v_aeIndex := f_cse_createResource_withAcpAux(int2, m_createAe(vc_aeSimuDesc.appId, -, vc_aeSimuDesc.aeIdStem, c_defaultAe1ResourceName, {f_getCompletePoA(vc_aeSimuDesc.mcaPortIn, "")}), -1); // AE1 is registred
+								v_parentIndex := f_cse_createResource(int3, m_createContainerBase, v_aeIndex);
+								v_resourceIndex := f_cse_createResource(int4, m_createContainerBase, v_parentIndex);
+								// Test Body
+								v_request := m_retrieve(f_getResourceAddress(v_resourceIndex), f_getOriginator(v_resourceIndex));
+								// Alter the 'From' field using AE identifier different that AE1_ID
+								v_request.from_ := PX_TS_AE2.appId;
+								f_send(e_mcaPort, m_request(valueof(v_request)));
+								tc_ac.start;
+								alt {
+									[] mcaPort.receive(mw_response(mw_responsePrimitive(int4106))) -> value vc_response {
+										tc_ac.stop;
+										setverdict(pass, __SCOPE__ & ": AE impersonation attack detected");
+									}
+									[] mcaPort.receive(mw_response) -> value vc_response {
+										tc_ac.stop;
+										setverdict(fail, __SCOPE__ & ": Wrong response status code");
+									}
+									[] tc_ac.timeout {
+										setverdict(fail, __SCOPE__ & ": No answer while creating resource");
+									}
+								}
+								//Postamble
+								f_cse_postamble_deleteResources();
+								//Tear down
+								f_cf03Down();
+							}//end TC_CSE_SEC_IP_RET_001
+						}// end of group Retrieve
+						group Update {
+							/**
+							 * @desc	Check that the IUT processes properly AE Impersonation attacks
+							 */
+							testcase TC_CSE_SEC_IP_UPD_001() runs on Tester system CseSystem {
+								var AeSimu v_ae1 := AeSimu.create("AE1") alive;
+								v_ae1.start(f_CSE_SEC_IP_UPD_001());
+								v_ae1.done;
+							}
+							function f_CSE_SEC_IP_UPD_001() runs on AeSimu system CseSystem {
+								// Local variables
+								var integer v_aeIndex := -1;
+								var integer v_acpIndex := -1;
+								var integer v_groupIndex := -1;
+								var XSD.ID v_parentIndex;
+								var XSD.ID v_resourceIndex;
+								var template RequestPrimitive v_update := valueof(m_update);
+								// Test control
+								if (not PICS_ESC_SUPPORT) {
+									setverdict(inconc, __SCOPE__ & ": End-to-End Certificate-based Key Establishment Procedure support is required to run this test case");
+									stop;
+								}
+								// Test component configuration
+								f_cf03Up();
+								// Test adapter configuration
+								// Preamble
+								// FIXME Security association establishment may be performed using AE1, E.g. TLS using AE1_ID
+								f_cse_createAccessControlPolicyAux();
+								v_aeIndex := f_cse_createResource_withAcpAux(int2, m_createAe(vc_aeSimuDesc.appId, -, vc_aeSimuDesc.aeIdStem, c_defaultAe1ResourceName, {f_getCompletePoA(vc_aeSimuDesc.mcaPortIn, "")}), -1); // AE1 is registred
+								v_parentIndex := f_cse_createResource(int3, m_createContainerBase, v_aeIndex);
+								v_resourceIndex := f_cse_createResource(int4, m_createContainerBase, v_parentIndex);
+								// Test Body
+								v_update := m_update(f_getResourceAddress(v_resourceIndex), f_getOriginator(v_resourceIndex));
+								// Alter the 'From' field using AE identifier different that AE1_ID
+								v_update.from_ := PX_TS_AE2.appId;
+								f_send(e_mcaPort, m_request(valueof(v_update)));
+								tc_ac.start;
+								alt {
+									[] mcaPort.receive(mw_response(mw_responsePrimitive(int4106))) -> value vc_response {
+										tc_ac.stop;
+										setverdict(pass, __SCOPE__ & ": AE impersonation attack detected");
+									}
+									[] mcaPort.receive(mw_response) -> value vc_response {
+										tc_ac.stop;
+										setverdict(fail, __SCOPE__ & ": Wrong response status code");
+									}
+									[] tc_ac.timeout {
+										setverdict(fail, __SCOPE__ & ": No answer while creating resource");
+									}
+								}
+								//Postamble
+								f_cse_postamble_deleteResources();
+								//Tear down
+								f_cf03Down();
+							}//end TC_CSE_SEC_IP_UPD_001
+						}// end of group Update
+						group Delete {
+							/**
+							 * @desc	Check that the IUT processes properly AE Impersonation attacks
+							 */
+							testcase TC_CSE_SEC_IP_DEL_001() runs on Tester system CseSystem {
+								var AeSimu v_ae1 := AeSimu.create("AE1") alive;
+								v_ae1.start(f_CSE_SEC_IP_DEL_001());
+								v_ae1.done;
+							}
+							function f_CSE_SEC_IP_DEL_001() runs on AeSimu system CseSystem {
+								// Local variables
+								var integer v_aeIndex := -1;
+								var XSD.ID v_parentIndex;
+								var XSD.ID v_resourceIndex;
+								var template RequestPrimitive v_delete := valueof(m_delete);
+								// Test control
+								if (not PICS_ESC_SUPPORT) {
+									setverdict(inconc, __SCOPE__ & ": End-to-End Certificate-based Key Establishment Procedure support is required to run this test case");
+									stop;
+								}
+								// Test component configuration
+								f_cf03Up();
+								// Test adapter configuration
+								// Preamble
+								// FIXME Security association establishment may be performed using AE1, E.g. TLS using AE1_ID
+								f_cse_createAccessControlPolicyAux();
+								v_aeIndex := f_cse_createResource_withAcpAux(int2, m_createAe(vc_aeSimuDesc.appId, -, vc_aeSimuDesc.aeIdStem, c_defaultAe1ResourceName, {f_getCompletePoA(vc_aeSimuDesc.mcaPortIn, "")}), -1); // AE1 is registred
+								v_parentIndex := f_cse_createResource(int3, m_createContainerBase, v_aeIndex);
+								v_resourceIndex := f_cse_createResource(int4, m_createContainerBase, v_parentIndex);
+								// Test Body
+								v_delete := m_delete(f_getResourceAddress(v_resourceIndex), f_getOriginator(v_resourceIndex));
+								// Alter the 'From' field using AE identifier different that AE1_ID
+								v_delete.from_ := PX_TS_AE2.appId;
+								f_send(e_mcaPort, m_request(valueof(v_delete)));
+								tc_ac.start;
+								alt {
+									[] mcaPort.receive(mw_response(mw_responsePrimitive(int4106))) -> value vc_response {
+										tc_ac.stop;
+										setverdict(pass, __SCOPE__ & ": AE impersonation attack detected");
+									}
+									[] mcaPort.receive(mw_response) -> value vc_response {
+										tc_ac.stop;
+										setverdict(fail, __SCOPE__ & ": Wrong response status code");
+									}
+									[] tc_ac.timeout {
+										setverdict(fail, __SCOPE__ & ": No answer while creating resource");
+									}
+								}
+								//Postamble
+								f_cse_postamble_deleteResources();
+								//Tear down
+								f_cf03Down();
+							}//end TC_CSE_SEC_IP_DEL_001
+						}// end of group Delete
 					}//end group Impersonation_Prevention
 					group Dynamic_Authorization {
+							group Direct_Dynamic_Authorization {
+							}//end group DirectDynamic_Authorization
+							group Indirect_Dynamic_Authorization {
+							}//end group IndirectDynamic_Authorization
 					}//end group Dynamic_Authorization
 					group Indirect_Dynamic_Authorization {
@@ -636,6 +961,8 @@ module OneM2M_Testcases_CSE_Release_4 {
 					}//end group Distributed_Authorization
+			} // End of group authorization
 		}//end group Security
 		group Device_Management {