actions: creating and unlocking policies

This commit adds in the Policy structure. This structure represents an
unlocked policy key and its associated data. Policies can add or remove
Protectors, apply encryption policies to filesystem directories, and
provision a key into the kernel keyring.

Change-Id: I089710223221e0ea60188d523703469e5d67ad0e

1 files changed, 137 insertions, 0 deletions

diff --git a/actions/policy_test.go b/actions/policy_test.go
new file mode 100644
index 0000000..3a64e01
--- /dev/null
+++ b/actions/policy_test.go
@@ -0,0 +1,137 @@
+/*
+ * policy_test.go - tests for creating and modifying policies
+ *
+ * Copyright 2017 Google Inc.
+ * Author: Joe Richey (joerichey@google.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package actions
+
+import "testing"
+
+// Makes a context, protector, and policy
+func makeAll() (ctx *Context, protector *Protector, policy *Policy, err error) {
+	ctx, err = makeContext()
+	if err != nil {
+		return
+	}
+	protector, err = ctx.NewProtector(testProtectorName, goodCallback)
+	if err != nil {
+		return
+	}
+	policy, err = ctx.NewPolicy(protector)
+	return
+}
+
+// Cleans up a context, protector, and policy
+func cleanupAll(protector *Protector, policy *Policy) {
+	if policy != nil {
+		policy.Wipe()
+	}
+	if protector != nil {
+		protector.Wipe()
+	}
+	cleaupContext()
+}
+
+// Tests that we can make a policy/protector pair
+func TestNewPolicy(t *testing.T) {
+	_, pro, pol, err := makeAll()
+	defer cleanupAll(pro, pol)
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+// Tests that we can add another protector to the policy
+func TestPolicyGoodAddProtector(t *testing.T) {
+	ctx, pro1, pol, err := makeAll()
+	defer cleanupAll(pro1, pol)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pro2, err := ctx.NewProtector(testProtectorName2, goodCallback)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer pro2.Wipe()
+
+	err = pol.AddProtector(pro2)
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+// Tests that we cannot add a protector to a policy twice
+func TestPolicyBadAddProtector(t *testing.T) {
+	_, pro, pol, err := makeAll()
+	defer cleanupAll(pro, pol)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if pol.AddProtector(pro) == nil {
+		t.Error("we should not be able to add the same protector twice")
+	}
+}
+
+// Tests that we can remove a protector we added
+func TestPolicyGoodRemoveProtector(t *testing.T) {
+	ctx, pro1, pol, err := makeAll()
+	defer cleanupAll(pro1, pol)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pro2, err := ctx.NewProtector(testProtectorName2, goodCallback)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer pro2.Wipe()
+
+	err = pol.AddProtector(pro2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = pol.RemoveProtector(pro1)
+	if err != nil {
+		t.Error(err)
+	}
+}
+
+// Tests various bad ways to remove protectors
+func TestPolicyBadRemoveProtector(t *testing.T) {
+	ctx, pro1, pol, err := makeAll()
+	defer cleanupAll(pro1, pol)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pro2, err := ctx.NewProtector(testProtectorName2, goodCallback)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer pro2.Wipe()
+
+	if pol.RemoveProtector(pro2) == nil {
+		t.Error("we should not be able to remove a protector we did not add")
+	}
+
+	if pol.RemoveProtector(pro1) == nil {
+		t.Error("we should not be able to remove all the protectors from a policy")
+	}
+}