def test_hyperrelation(self):
        policyManager = ConfigPolicyManager("policy_config/hyperrelation_ruleset.conf")

        dataName = Name('/SecurityTestSecRule/Basic/Longer/Data2')
        data1 = Data(dataName)
        data2 = Data(dataName)

        matchedRule = policyManager._findMatchingRule(dataName, 'data')
        self.keyChain.sign(data1, self.defaultCertName)
        self.keyChain.sign(data2, self.shortCertName)

        signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
        signatureName2 = data2.getSignature().getKeyLocator().getKeyName()

        self.assertTrue(policyManager._checkSignatureMatch(signatureName1,
            dataName, matchedRule))
        self.assertFalse(policyManager._checkSignatureMatch(signatureName2,
            dataName, matchedRule))

        dataName = Name('/SecurityTestSecRule/Basic/Other/Data1')
        data1 = Data(dataName)
        data2 = Data(dataName)

        matchedRule = policyManager._findMatchingRule(dataName, 'data')
        self.keyChain.sign(data1, self.defaultCertName)
        self.keyChain.sign(data2, self.shortCertName)

        signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
        signatureName2 = data2.getSignature().getKeyLocator().getKeyName()

        self.assertFalse(policyManager._checkSignatureMatch(signatureName1,
            dataName, matchedRule))
        self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
            dataName, matchedRule))
    def setUp(self):
        testCertDirectory = 'policy_config/certs'
        self.testCertFile = os.path.join(testCertDirectory, 'test.cert')

        self.pibImpl = PibMemory()
        self.tpmBackEnd = TpmBackEndMemory()
        self.policyManager = ConfigPolicyManager(
            'policy_config/simple_rules.conf', CertificateCacheV2())

        self.identityName = Name('/TestConfigPolicyManager/temp')
        # to match the anchor cert
        self.keyName = Name(
            self.identityName).append("KEY").append("ksk-1416010123")
        self.pibImpl.addKey(self.identityName, self.keyName,
                            TEST_RSA_PUBLIC_KEY_DER)
        # Set the password to None since we have an unencrypted PKCS #8 private key.
        self.tpmBackEnd.importKey(self.keyName, TEST_RSA_PRIVATE_KEY_PKCS8,
                                  None)

        self.keyChain = KeyChain(self.pibImpl, self.tpmBackEnd,
                                 self.policyManager)

        pibKey = self.keyChain.getPib().getIdentity(self.identityName).getKey(
            self.keyName)
        # selfSign adds to the PIB.
        self.keyChain.selfSign(pibKey)
    def setUp(self):
        testCertDirectory = 'policy_config/certs'
        self.testCertFile = os.path.join(testCertDirectory, 'test.cert')

        self.identityStorage = MemoryIdentityStorage()
        self.privateKeyStorage = MemoryPrivateKeyStorage()
        self.identityManager = IdentityManager(self.identityStorage,
                self.privateKeyStorage)
        self.policyManager = ConfigPolicyManager('policy_config/simple_rules.conf')

        self.identityName = Name('/TestConfigPolicyManager/temp')
        # to match the anchor cert
        keyName = Name(self.identityName).append('ksk-1416010123')
        self.privateKeyStorage.setKeyPairForKeyName(
          keyName, KeyType.RSA, TEST_RSA_PUBLIC_KEY_DER, TEST_RSA_PRIVATE_KEY_DER)
        self.identityStorage.addKey(
          keyName, KeyType.RSA, Blob(TEST_RSA_PUBLIC_KEY_DER))

        cert = self.identityManager.selfSign(keyName)
        self.identityStorage.setDefaultKeyNameForIdentity(keyName)
        self.identityManager.addCertificateAsDefault(cert)

        self.keyChain = KeyChain(self.identityManager, self.policyManager)
        self.keyName = keyName

        self.face = Face()
    def test_hyperrelation(self):
        policyManager = ConfigPolicyManager("policy_config/hyperrelation_ruleset.conf")

        dataName = Name('/SecurityTestSecRule/Basic/Longer/Data2')
        data1 = Data(dataName)
        data2 = Data(dataName)

        matchedRule = policyManager._findMatchingRule(dataName, 'data')
        self.keyChain.sign(data1, self.defaultCertName)
        self.keyChain.sign(data2, self.shortCertName)

        signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
        signatureName2 = data2.getSignature().getKeyLocator().getKeyName()

        self.assertTrue(policyManager._checkSignatureMatch(signatureName1,
            dataName, matchedRule))
        self.assertFalse(policyManager._checkSignatureMatch(signatureName2,
            dataName, matchedRule))

        dataName = Name('/SecurityTestSecRule/Basic/Other/Data1')
        data1 = Data(dataName)
        data2 = Data(dataName)

        matchedRule = policyManager._findMatchingRule(dataName, 'data')
        self.keyChain.sign(data1, self.defaultCertName)
        self.keyChain.sign(data2, self.shortCertName)

        signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
        signatureName2 = data2.getSignature().getKeyLocator().getKeyName()

        self.assertFalse(policyManager._checkSignatureMatch(signatureName1,
            dataName, matchedRule))
        self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
            dataName, matchedRule))
    def test_simple_regex(self):
        policyManager = ConfigPolicyManager("policy_config/regex_ruleset.conf")
        dataName1 = Name('/SecurityTestSecRule/Basic')
        dataName2 = Name('/SecurityTestSecRule/Basic/More')
        dataName3 = Name('/SecurityTestSecRule/')
        dataName4 = Name('/SecurityTestSecRule/Other/TestData')
        dataName5 = Name('/Basic/Data')

        matchedRule1 = policyManager._findMatchingRule(dataName1, 'data')
        matchedRule2 = policyManager._findMatchingRule(dataName2, 'data')
        matchedRule3 = policyManager._findMatchingRule(dataName3, 'data')
        matchedRule4 = policyManager._findMatchingRule(dataName4, 'data')
        matchedRule5 = policyManager._findMatchingRule(dataName5, 'data')

        self.assertIsNotNone(matchedRule1)
        self.assertIsNone(matchedRule2)
        self.assertIsNotNone(matchedRule3)
        self.assertNotEqual(matchedRule3, matchedRule1,
                "Rule regex matched extra components")
        self.assertIsNotNone(matchedRule4)
        self.assertNotEqual(matchedRule4, matchedRule1,
                "Rule regex matched with missing component")

        self.assertIsNone(matchedRule5)
    def test_simple_regex(self):
        policyManager = ConfigPolicyManager("policy_config/regex_ruleset.conf")
        dataName1 = Name('/SecurityTestSecRule/Basic')
        dataName2 = Name('/SecurityTestSecRule/Basic/More')
        dataName3 = Name('/SecurityTestSecRule/')
        dataName4 = Name('/SecurityTestSecRule/Other/TestData')
        dataName5 = Name('/Basic/Data')

        matchedRule1 = policyManager._findMatchingRule(dataName1, 'data')
        matchedRule2 = policyManager._findMatchingRule(dataName2, 'data')
        matchedRule3 = policyManager._findMatchingRule(dataName3, 'data')
        matchedRule4 = policyManager._findMatchingRule(dataName4, 'data')
        matchedRule5 = policyManager._findMatchingRule(dataName5, 'data')

        self.assertIsNotNone(matchedRule1)
        self.assertIsNone(matchedRule2)
        self.assertIsNotNone(matchedRule3)
        self.assertNotEqual(matchedRule3, matchedRule1,
                            "Rule regex matched extra components")
        self.assertIsNotNone(matchedRule4)
        self.assertNotEqual(matchedRule4, matchedRule1,
                            "Rule regex matched with missing component")

        self.assertIsNone(matchedRule5)
Exemple #7
0
    def test_checker_hierarchical(self):
        policyManager = ConfigPolicyManager(
            "policy_config/hierarchical_ruleset.conf")

        dataName1 = Name('/SecurityTestSecRule/Basic/Data1')
        dataName2 = Name('/SecurityTestSecRule/Basic/Longer/Data2')

        data1 = Data(dataName1)
        data2 = Data(dataName2)

        matchedRule = policyManager._findMatchingRule(dataName1, 'data')
        self.assertEqual(matchedRule,
                         policyManager._findMatchingRule(dataName2, 'data'))

        self.keyChain.sign(data1, self.defaultCertName)
        self.keyChain.sign(data2, self.defaultCertName)

        signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
        signatureName2 = data2.getSignature().getKeyLocator().getKeyName()

        failureReason = ["unknown"]
        self.assertFalse(
            policyManager._checkSignatureMatch(signatureName1, dataName1,
                                               matchedRule, failureReason),
            "Hierarchical matcher matched short data name to long key name")

        self.assertTrue(
            policyManager._checkSignatureMatch(signatureName2, dataName2,
                                               matchedRule, failureReason))

        self.keyChain.sign(data1, self.shortCertName)
        self.keyChain.sign(data2, self.shortCertName)

        signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
        signatureName2 = data2.getSignature().getKeyLocator().getKeyName()

        self.assertTrue(
            policyManager._checkSignatureMatch(signatureName1, dataName1,
                                               matchedRule, failureReason))
        self.assertTrue(
            policyManager._checkSignatureMatch(signatureName2, dataName2,
                                               matchedRule, failureReason))
Exemple #8
0
    def setUp(self):
        testCertDirectory = 'policy_config/certs'
        self.testCertFile = os.path.join(testCertDirectory, 'test.cert')

        # Reuse the policy_config subdirectory for the temporary SQLite file.
        self.databaseFilePath = "policy_config/test-public-info.db"
        try:
            os.remove(self.databaseFilePath)
        except OSError:
            # no such file
            pass

        self.identityStorage = BasicIdentityStorage(self.databaseFilePath)
        self.privateKeyStorage = MemoryPrivateKeyStorage()
        self.identityManager = IdentityManager(self.identityStorage,
                                               self.privateKeyStorage)
        self.policyManager = ConfigPolicyManager(
            'policy_config/simple_rules.conf')

        self.identityName = Name('/TestConfigPolicyManager/temp')
        # to match the anchor cert
        keyName = Name(self.identityName).append('ksk-1416010123')
        self.privateKeyStorage.setKeyPairForKeyName(keyName, KeyType.RSA,
                                                    TEST_RSA_PUBLIC_KEY_DER,
                                                    TEST_RSA_PRIVATE_KEY_DER)
        self.identityStorage.addKey(keyName, KeyType.RSA,
                                    Blob(TEST_RSA_PUBLIC_KEY_DER))

        cert = self.identityManager.selfSign(keyName)
        self.identityStorage.setDefaultKeyNameForIdentity(keyName)
        self.identityManager.addCertificateAsDefault(cert)

        self.keyChain = KeyChain(self.identityManager, self.policyManager)
        self.keyName = keyName

        self.face = Face()
    def test_checker_hierarchical(self):
        policyManager = ConfigPolicyManager("policy_config/hierarchical_ruleset.conf")

        dataName1 = Name('/SecurityTestSecRule/Basic/Data1')
        dataName2 = Name('/SecurityTestSecRule/Basic/Longer/Data2')

        data1 = Data(dataName1)
        data2 = Data(dataName2)

        matchedRule = policyManager._findMatchingRule(dataName1, 'data')
        self.assertEqual(matchedRule,
                policyManager._findMatchingRule(dataName2, 'data'))

        self.keyChain.sign(data1, self.defaultCertName)
        self.keyChain.sign(data2, self.defaultCertName)

        signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
        signatureName2 = data2.getSignature().getKeyLocator().getKeyName()

        failureReason = ["unknown"]
        self.assertFalse(policyManager._checkSignatureMatch(signatureName1,
            dataName1, matchedRule, failureReason),
            "Hierarchical matcher matched short data name to long key name")

        self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
            dataName2, matchedRule, failureReason))

        self.keyChain.sign(data1, self.shortCertName)
        self.keyChain.sign(data2, self.shortCertName)

        signatureName1 = data1.getSignature().getKeyLocator().getKeyName()
        signatureName2 = data2.getSignature().getKeyLocator().getKeyName()

        self.assertTrue(policyManager._checkSignatureMatch(signatureName1,
            dataName1, matchedRule, failureReason))
        self.assertTrue(policyManager._checkSignatureMatch(signatureName2,
            dataName2, matchedRule, failureReason))
    def test_name_relation(self):
        policyManagerPrefix = ConfigPolicyManager("policy_config/relation_ruleset_prefix.conf")
        policyManagerStrict = ConfigPolicyManager("policy_config/relation_ruleset_strict.conf")
        policyManagerEqual = ConfigPolicyManager("policy_config/relation_ruleset_equal.conf")

        dataName = Name('/TestRule1')

        self.assertIsNotNone(
                policyManagerPrefix._findMatchingRule(dataName, 'data'),
                "Prefix relation should match prefix name")
        self.assertIsNotNone(
                policyManagerEqual._findMatchingRule(dataName, 'data'),
                "Equal relation should match prefix name")
        self.assertIsNone(
                policyManagerStrict._findMatchingRule(dataName, 'data'),
                "Strict-prefix relation should not match prefix name")

        dataName = Name('/TestRule1/hi')
        self.assertIsNotNone(
                policyManagerPrefix._findMatchingRule(dataName, 'data'),
                "Prefix relation should match longer name")
        self.assertIsNone(
                policyManagerEqual._findMatchingRule(dataName, 'data'),
                "Equal relation should not match longer name")
        self.assertIsNotNone(
                policyManagerStrict._findMatchingRule(dataName, 'data'),
                "Strict-prefix relation should match longer name")

        dataName = Name('/Bad/TestRule1/')
        self.assertIsNone(
                policyManagerPrefix._findMatchingRule(dataName, 'data'),
                "Prefix relation should not match inner components")
        self.assertIsNone(
                policyManagerEqual._findMatchingRule(dataName, 'data'),
                "Equal relation should not match inner components")
        self.assertIsNone(
                policyManagerStrict._findMatchingRule(dataName, 'data'),
                "Strict-prefix relation should  not match inner components")
    def test_name_relation(self):
        policyManagerPrefix = ConfigPolicyManager(
            "policy_config/relation_ruleset_prefix.conf")
        policyManagerStrict = ConfigPolicyManager(
            "policy_config/relation_ruleset_strict.conf")
        policyManagerEqual = ConfigPolicyManager(
            "policy_config/relation_ruleset_equal.conf")

        dataName = Name('/TestRule1')

        self.assertIsNotNone(
            policyManagerPrefix._findMatchingRule(dataName, 'data'),
            "Prefix relation should match prefix name")
        self.assertIsNotNone(
            policyManagerEqual._findMatchingRule(dataName, 'data'),
            "Equal relation should match prefix name")
        self.assertIsNone(
            policyManagerStrict._findMatchingRule(dataName, 'data'),
            "Strict-prefix relation should not match prefix name")

        dataName = Name('/TestRule1/hi')
        self.assertIsNotNone(
            policyManagerPrefix._findMatchingRule(dataName, 'data'),
            "Prefix relation should match longer name")
        self.assertIsNone(
            policyManagerEqual._findMatchingRule(dataName, 'data'),
            "Equal relation should not match longer name")
        self.assertIsNotNone(
            policyManagerStrict._findMatchingRule(dataName, 'data'),
            "Strict-prefix relation should match longer name")

        dataName = Name('/Bad/TestRule1/')
        self.assertIsNone(
            policyManagerPrefix._findMatchingRule(dataName, 'data'),
            "Prefix relation should not match inner components")
        self.assertIsNone(
            policyManagerEqual._findMatchingRule(dataName, 'data'),
            "Equal relation should not match inner components")
        self.assertIsNone(
            policyManagerStrict._findMatchingRule(dataName, 'data'),
            "Strict-prefix relation should  not match inner components")