def test_hyperrelation(self):
policyManager = ConfigPolicyManager("policy_config/hyperrelation_ruleset.conf")
dataName = Name('/SecurityTestSecRule/Basic/Longer/Data2')
data1 = Data(dataName)
data2 = Data(dataName)
matchedRule = policyManager._findMatchingRule(dataName, 'data')
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertTrue(policyManager._checkSignatureMatch(signatureName1,
dataName, matchedRule))
self.assertFalse(policyManager._checkSignatureMatch(signatureName2,
dataName, matchedRule))
dataName = Name('/SecurityTestSecRule/Basic/Other/Data1')
data1 = Data(dataName)
data2 = Data(dataName)
matchedRule = policyManager._findMatchingRule(dataName, 'data')
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertFalse(policyManager._checkSignatureMatch(signatureName1,
dataName, matchedRule))
self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
dataName, matchedRule))
def test_hyperrelation(self):
policyManager = ConfigPolicyManager("policy_config/hyperrelation_ruleset.conf")
dataName = Name('/SecurityTestSecRule/Basic/Longer/Data2')
data1 = Data(dataName)
data2 = Data(dataName)
matchedRule = policyManager._findMatchingRule(dataName, 'data')
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertTrue(policyManager._checkSignatureMatch(signatureName1,
dataName, matchedRule))
self.assertFalse(policyManager._checkSignatureMatch(signatureName2,
dataName, matchedRule))
dataName = Name('/SecurityTestSecRule/Basic/Other/Data1')
data1 = Data(dataName)
data2 = Data(dataName)
matchedRule = policyManager._findMatchingRule(dataName, 'data')
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertFalse(policyManager._checkSignatureMatch(signatureName1,
dataName, matchedRule))
self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
dataName, matchedRule))
def test_checker_hierarchical(self):
policyManager = ConfigPolicyManager(
"policy_config/hierarchical_ruleset.conf")
dataName1 = Name('/SecurityTestSecRule/Basic/Data1')
dataName2 = Name('/SecurityTestSecRule/Basic/Longer/Data2')
data1 = Data(dataName1)
data2 = Data(dataName2)
matchedRule = policyManager._findMatchingRule(dataName1, 'data')
self.assertEqual(matchedRule,
policyManager._findMatchingRule(dataName2, 'data'))
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.defaultCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
failureReason = ["unknown"]
self.assertFalse(
policyManager._checkSignatureMatch(signatureName1, dataName1,
matchedRule, failureReason),
"Hierarchical matcher matched short data name to long key name")
self.assertTrue(
policyManager._checkSignatureMatch(signatureName2, dataName2,
matchedRule, failureReason))
self.keyChain.sign(data1, self.shortCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertTrue(
policyManager._checkSignatureMatch(signatureName1, dataName1,
matchedRule, failureReason))
self.assertTrue(
policyManager._checkSignatureMatch(signatureName2, dataName2,
matchedRule, failureReason))
def test_checker_hierarchical(self):
policyManager = ConfigPolicyManager("policy_config/hierarchical_ruleset.conf")
dataName1 = Name('/SecurityTestSecRule/Basic/Data1')
dataName2 = Name('/SecurityTestSecRule/Basic/Longer/Data2')
data1 = Data(dataName1)
data2 = Data(dataName2)
matchedRule = policyManager._findMatchingRule(dataName1, 'data')
self.assertEqual(matchedRule,
policyManager._findMatchingRule(dataName2, 'data'))
self.keyChain.sign(data1, self.defaultCertName)
self.keyChain.sign(data2, self.defaultCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
failureReason = ["unknown"]
self.assertFalse(policyManager._checkSignatureMatch(signatureName1,
dataName1, matchedRule, failureReason),
"Hierarchical matcher matched short data name to long key name")
self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
dataName2, matchedRule, failureReason))
self.keyChain.sign(data1, self.shortCertName)
self.keyChain.sign(data2, self.shortCertName)
signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
signatureName2 = data2.getSignature().getKeyLocator().getKeyName()
self.assertTrue(policyManager._checkSignatureMatch(signatureName1,
dataName1, matchedRule, failureReason))
self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
dataName2, matchedRule, failureReason))
def test_simple_regex(self):
policyManager = ConfigPolicyManager("policy_config/regex_ruleset.conf")
dataName1 = Name('/SecurityTestSecRule/Basic')
dataName2 = Name('/SecurityTestSecRule/Basic/More')
dataName3 = Name('/SecurityTestSecRule/')
dataName4 = Name('/SecurityTestSecRule/Other/TestData')
dataName5 = Name('/Basic/Data')
matchedRule1 = policyManager._findMatchingRule(dataName1, 'data')
matchedRule2 = policyManager._findMatchingRule(dataName2, 'data')
matchedRule3 = policyManager._findMatchingRule(dataName3, 'data')
matchedRule4 = policyManager._findMatchingRule(dataName4, 'data')
matchedRule5 = policyManager._findMatchingRule(dataName5, 'data')
self.assertIsNotNone(matchedRule1)
self.assertIsNone(matchedRule2)
self.assertIsNotNone(matchedRule3)
self.assertNotEqual(matchedRule3, matchedRule1,
"Rule regex matched extra components")
self.assertIsNotNone(matchedRule4)
self.assertNotEqual(matchedRule4, matchedRule1,
"Rule regex matched with missing component")
self.assertIsNone(matchedRule5)
def test_simple_regex(self):
policyManager = ConfigPolicyManager("policy_config/regex_ruleset.conf")
dataName1 = Name('/SecurityTestSecRule/Basic')
dataName2 = Name('/SecurityTestSecRule/Basic/More')
dataName3 = Name('/SecurityTestSecRule/')
dataName4 = Name('/SecurityTestSecRule/Other/TestData')
dataName5 = Name('/Basic/Data')
matchedRule1 = policyManager._findMatchingRule(dataName1, 'data')
matchedRule2 = policyManager._findMatchingRule(dataName2, 'data')
matchedRule3 = policyManager._findMatchingRule(dataName3, 'data')
matchedRule4 = policyManager._findMatchingRule(dataName4, 'data')
matchedRule5 = policyManager._findMatchingRule(dataName5, 'data')
self.assertIsNotNone(matchedRule1)
self.assertIsNone(matchedRule2)
self.assertIsNotNone(matchedRule3)
self.assertNotEqual(matchedRule3, matchedRule1,
"Rule regex matched extra components")
self.assertIsNotNone(matchedRule4)
self.assertNotEqual(matchedRule4, matchedRule1,
"Rule regex matched with missing component")
self.assertIsNone(matchedRule5)
def test_name_relation(self):
policyManagerPrefix = ConfigPolicyManager(
"policy_config/relation_ruleset_prefix.conf")
policyManagerStrict = ConfigPolicyManager(
"policy_config/relation_ruleset_strict.conf")
policyManagerEqual = ConfigPolicyManager(
"policy_config/relation_ruleset_equal.conf")
dataName = Name('/TestRule1')
self.assertIsNotNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should match prefix name")
self.assertIsNotNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should match prefix name")
self.assertIsNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should not match prefix name")
dataName = Name('/TestRule1/hi')
self.assertIsNotNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should match longer name")
self.assertIsNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should not match longer name")
self.assertIsNotNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should match longer name")
dataName = Name('/Bad/TestRule1/')
self.assertIsNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should not match inner components")
self.assertIsNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should not match inner components")
self.assertIsNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should not match inner components")
def test_name_relation(self):
policyManagerPrefix = ConfigPolicyManager("policy_config/relation_ruleset_prefix.conf")
policyManagerStrict = ConfigPolicyManager("policy_config/relation_ruleset_strict.conf")
policyManagerEqual = ConfigPolicyManager("policy_config/relation_ruleset_equal.conf")
dataName = Name('/TestRule1')
self.assertIsNotNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should match prefix name")
self.assertIsNotNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should match prefix name")
self.assertIsNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should not match prefix name")
dataName = Name('/TestRule1/hi')
self.assertIsNotNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should match longer name")
self.assertIsNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should not match longer name")
self.assertIsNotNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should match longer name")
dataName = Name('/Bad/TestRule1/')
self.assertIsNone(
policyManagerPrefix._findMatchingRule(dataName, 'data'),
"Prefix relation should not match inner components")
self.assertIsNone(
policyManagerEqual._findMatchingRule(dataName, 'data'),
"Equal relation should not match inner components")
self.assertIsNone(
policyManagerStrict._findMatchingRule(dataName, 'data'),
"Strict-prefix relation should not match inner components")
