def test_hyperrelation(self):
policyManager = ConfigPolicyManager("policy_config/hyperrelation_ruleset.conf")
dataName = Name('/SecurityTestSecRule/Basic/Longer/Data2')
data1 = Data(dataName)
data2 = Data(dataName)
matchedRule = policyManager._findMatchingRule(dataName, 'data')
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertTrue(policyManager._checkSignatureMatch(signatureName1,
dataName, matchedRule))
self.assertFalse(policyManager._checkSignatureMatch(signatureName2,
dataName, matchedRule))
dataName = Name('/SecurityTestSecRule/Basic/Other/Data1')
data1 = Data(dataName)
data2 = Data(dataName)
matchedRule = policyManager._findMatchingRule(dataName, 'data')
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertFalse(policyManager._checkSignatureMatch(signatureName1,
dataName, matchedRule))
self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
dataName, matchedRule))
def setUp(self):
testCertDirectory = 'policy_config/certs'
self.testCertFile = os.path.join(testCertDirectory, 'test.cert')
self.pibImpl = PibMemory()
self.tpmBackEnd = TpmBackEndMemory()
self.policyManager = ConfigPolicyManager(
'policy_config/simple_rules.conf', CertificateCacheV2())
self.identityName = Name('/TestConfigPolicyManager/temp')
# to match the anchor cert
self.keyName = Name(
self.identityName).append("KEY").append("ksk-1416010123")
self.pibImpl.addKey(self.identityName, self.keyName,
TEST_RSA_PUBLIC_KEY_DER)
# Set the password to None since we have an unencrypted PKCS #8 private key.
self.tpmBackEnd.importKey(self.keyName, TEST_RSA_PRIVATE_KEY_PKCS8,
None)
self.keyChain = KeyChain(self.pibImpl, self.tpmBackEnd,
self.policyManager)
pibKey = self.keyChain.getPib().getIdentity(self.identityName).getKey(
self.keyName)
# selfSign adds to the PIB.
self.keyChain.selfSign(pibKey)
def setUp(self):
testCertDirectory = 'policy_config/certs'
self.testCertFile = os.path.join(testCertDirectory, 'test.cert')
self.identityStorage = MemoryIdentityStorage()
self.privateKeyStorage = MemoryPrivateKeyStorage()
self.identityManager = IdentityManager(self.identityStorage,
self.privateKeyStorage)
self.policyManager = ConfigPolicyManager('policy_config/simple_rules.conf')
self.identityName = Name('/TestConfigPolicyManager/temp')
# to match the anchor cert
keyName = Name(self.identityName).append('ksk-1416010123')
self.privateKeyStorage.setKeyPairForKeyName(
keyName, KeyType.RSA, TEST_RSA_PUBLIC_KEY_DER, TEST_RSA_PRIVATE_KEY_DER)
self.identityStorage.addKey(
keyName, KeyType.RSA, Blob(TEST_RSA_PUBLIC_KEY_DER))
cert = self.identityManager.selfSign(keyName)
self.identityStorage.setDefaultKeyNameForIdentity(keyName)
self.identityManager.addCertificateAsDefault(cert)
self.keyChain = KeyChain(self.identityManager, self.policyManager)
self.keyName = keyName
self.face = Face()
def test_hyperrelation(self):
policyManager = ConfigPolicyManager("policy_config/hyperrelation_ruleset.conf")
dataName = Name('/SecurityTestSecRule/Basic/Longer/Data2')
data1 = Data(dataName)
data2 = Data(dataName)
matchedRule = policyManager._findMatchingRule(dataName, 'data')
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertTrue(policyManager._checkSignatureMatch(signatureName1,
dataName, matchedRule))
self.assertFalse(policyManager._checkSignatureMatch(signatureName2,
dataName, matchedRule))
dataName = Name('/SecurityTestSecRule/Basic/Other/Data1')
data1 = Data(dataName)
data2 = Data(dataName)
matchedRule = policyManager._findMatchingRule(dataName, 'data')
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertFalse(policyManager._checkSignatureMatch(signatureName1,
dataName, matchedRule))
self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
dataName, matchedRule))
def test_simple_regex(self):
policyManager = ConfigPolicyManager("policy_config/regex_ruleset.conf")
dataName1 = Name('/SecurityTestSecRule/Basic')
dataName2 = Name('/SecurityTestSecRule/Basic/More')
dataName3 = Name('/SecurityTestSecRule/')
dataName4 = Name('/SecurityTestSecRule/Other/TestData')
dataName5 = Name('/Basic/Data')
matchedRule1 = policyManager._findMatchingRule(dataName1, 'data')
matchedRule2 = policyManager._findMatchingRule(dataName2, 'data')
matchedRule3 = policyManager._findMatchingRule(dataName3, 'data')
matchedRule4 = policyManager._findMatchingRule(dataName4, 'data')
matchedRule5 = policyManager._findMatchingRule(dataName5, 'data')
self.assertIsNotNone(matchedRule1)
self.assertIsNone(matchedRule2)
self.assertIsNotNone(matchedRule3)
self.assertNotEqual(matchedRule3, matchedRule1,
"Rule regex matched extra components")
self.assertIsNotNone(matchedRule4)
self.assertNotEqual(matchedRule4, matchedRule1,
"Rule regex matched with missing component")
self.assertIsNone(matchedRule5)
def test_simple_regex(self):
policyManager = ConfigPolicyManager("policy_config/regex_ruleset.conf")
dataName1 = Name('/SecurityTestSecRule/Basic')
dataName2 = Name('/SecurityTestSecRule/Basic/More')
dataName3 = Name('/SecurityTestSecRule/')
dataName4 = Name('/SecurityTestSecRule/Other/TestData')
dataName5 = Name('/Basic/Data')
matchedRule1 = policyManager._findMatchingRule(dataName1, 'data')
matchedRule2 = policyManager._findMatchingRule(dataName2, 'data')
matchedRule3 = policyManager._findMatchingRule(dataName3, 'data')
matchedRule4 = policyManager._findMatchingRule(dataName4, 'data')
matchedRule5 = policyManager._findMatchingRule(dataName5, 'data')
self.assertIsNotNone(matchedRule1)
self.assertIsNone(matchedRule2)
self.assertIsNotNone(matchedRule3)
self.assertNotEqual(matchedRule3, matchedRule1,
"Rule regex matched extra components")
self.assertIsNotNone(matchedRule4)
self.assertNotEqual(matchedRule4, matchedRule1,
"Rule regex matched with missing component")
self.assertIsNone(matchedRule5)
def test_checker_hierarchical(self):
policyManager = ConfigPolicyManager(
"policy_config/hierarchical_ruleset.conf")
dataName1 = Name('/SecurityTestSecRule/Basic/Data1')
dataName2 = Name('/SecurityTestSecRule/Basic/Longer/Data2')
data1 = Data(dataName1)
data2 = Data(dataName2)
matchedRule = policyManager._findMatchingRule(dataName1, 'data')
self.assertEqual(matchedRule,
policyManager._findMatchingRule(dataName2, 'data'))
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.defaultCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
failureReason = ["unknown"]
self.assertFalse(
policyManager._checkSignatureMatch(signatureName1, dataName1,
matchedRule, failureReason),
"Hierarchical matcher matched short data name to long key name")
self.assertTrue(
policyManager._checkSignatureMatch(signatureName2, dataName2,
matchedRule, failureReason))
self.keyChain.sign(data1, self.shortCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertTrue(
policyManager._checkSignatureMatch(signatureName1, dataName1,
matchedRule, failureReason))
self.assertTrue(
policyManager._checkSignatureMatch(signatureName2, dataName2,
matchedRule, failureReason))
def setUp(self):
testCertDirectory = 'policy_config/certs'
self.testCertFile = os.path.join(testCertDirectory, 'test.cert')
# Reuse the policy_config subdirectory for the temporary SQLite file.
self.databaseFilePath = "policy_config/test-public-info.db"
try:
os.remove(self.databaseFilePath)
except OSError:
# no such file
pass
self.identityStorage = BasicIdentityStorage(self.databaseFilePath)
self.privateKeyStorage = MemoryPrivateKeyStorage()
self.identityManager = IdentityManager(self.identityStorage,
self.privateKeyStorage)
self.policyManager = ConfigPolicyManager(
'policy_config/simple_rules.conf')
self.identityName = Name('/TestConfigPolicyManager/temp')
# to match the anchor cert
keyName = Name(self.identityName).append('ksk-1416010123')
self.privateKeyStorage.setKeyPairForKeyName(keyName, KeyType.RSA,
TEST_RSA_PUBLIC_KEY_DER,
TEST_RSA_PRIVATE_KEY_DER)
self.identityStorage.addKey(keyName, KeyType.RSA,
Blob(TEST_RSA_PUBLIC_KEY_DER))
cert = self.identityManager.selfSign(keyName)
self.identityStorage.setDefaultKeyNameForIdentity(keyName)
self.identityManager.addCertificateAsDefault(cert)
self.keyChain = KeyChain(self.identityManager, self.policyManager)
self.keyName = keyName
self.face = Face()
def test_checker_hierarchical(self):
policyManager = ConfigPolicyManager("policy_config/hierarchical_ruleset.conf")
dataName1 = Name('/SecurityTestSecRule/Basic/Data1')
dataName2 = Name('/SecurityTestSecRule/Basic/Longer/Data2')
data1 = Data(dataName1)
data2 = Data(dataName2)
matchedRule = policyManager._findMatchingRule(dataName1, 'data')
self.assertEqual(matchedRule,
policyManager._findMatchingRule(dataName2, 'data'))
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.defaultCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
failureReason = ["unknown"]
self.assertFalse(policyManager._checkSignatureMatch(signatureName1,
dataName1, matchedRule, failureReason),
"Hierarchical matcher matched short data name to long key name")
self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
dataName2, matchedRule, failureReason))
self.keyChain.sign(data1, self.shortCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertTrue(policyManager._checkSignatureMatch(signatureName1,
dataName1, matchedRule, failureReason))
self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
dataName2, matchedRule, failureReason))
def test_name_relation(self):
policyManagerPrefix = ConfigPolicyManager("policy_config/relation_ruleset_prefix.conf")
policyManagerStrict = ConfigPolicyManager("policy_config/relation_ruleset_strict.conf")
policyManagerEqual = ConfigPolicyManager("policy_config/relation_ruleset_equal.conf")
dataName = Name('/TestRule1')
self.assertIsNotNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should match prefix name")
self.assertIsNotNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should match prefix name")
self.assertIsNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should not match prefix name")
dataName = Name('/TestRule1/hi')
self.assertIsNotNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should match longer name")
self.assertIsNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should not match longer name")
self.assertIsNotNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should match longer name")
dataName = Name('/Bad/TestRule1/')
self.assertIsNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should not match inner components")
self.assertIsNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should not match inner components")
self.assertIsNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should not match inner components")
def test_name_relation(self):
policyManagerPrefix = ConfigPolicyManager(
"policy_config/relation_ruleset_prefix.conf")
policyManagerStrict = ConfigPolicyManager(
"policy_config/relation_ruleset_strict.conf")
policyManagerEqual = ConfigPolicyManager(
"policy_config/relation_ruleset_equal.conf")
dataName = Name('/TestRule1')
self.assertIsNotNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should match prefix name")
self.assertIsNotNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should match prefix name")
self.assertIsNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should not match prefix name")
dataName = Name('/TestRule1/hi')
self.assertIsNotNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should match longer name")
self.assertIsNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should not match longer name")
self.assertIsNotNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should match longer name")
dataName = Name('/Bad/TestRule1/')
self.assertIsNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should not match inner components")
self.assertIsNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should not match inner components")
self.assertIsNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should not match inner components")
