def test_hyperrelation(self):
    """Check which signer key names the hyper-relation ruleset accepts.

    For each data name two packets are built, one signed with
    ``self.defaultCertName`` and one with ``self.shortCertName``.  Only the
    key-locator name is compared against the matched rule through
    ``_checkSignatureMatch``; no signature verification is called here.
    """
    manager = ConfigPolicyManager("policy_config/hyperrelation_ruleset.conf")

    def rule_and_signer_names(name):
        # Build both packets, look up the rule, sign, then read back the
        # key names that the signing step put in the key locator.
        with_default, with_short = Data(name), Data(name)
        rule = manager._findMatchingRule(name, 'data')
        self.keyChain.sign(with_default, self.defaultCertName)
        self.keyChain.sign(with_short, self.shortCertName)
        default_key = with_default.getSignature().getKeyLocator().getKeyName()
        short_key = with_short.getSignature().getKeyLocator().getKeyName()
        return rule, default_key, short_key

    # Under .../Basic/Longer/... the default key is accepted and the short
    # key is rejected.
    name = Name('/SecurityTestSecRule/Basic/Longer/Data2')
    rule, default_key, short_key = rule_and_signer_names(name)
    self.assertTrue(manager._checkSignatureMatch(default_key, name, rule))
    self.assertFalse(manager._checkSignatureMatch(short_key, name, rule))

    # Under .../Basic/Other/... the outcome is reversed.  The assertFalse
    # cases pin that a key name outside the rule's relation is refused.
    name = Name('/SecurityTestSecRule/Basic/Other/Data1')
    rule, default_key, short_key = rule_and_signer_names(name)
    self.assertFalse(manager._checkSignatureMatch(default_key, name, rule))
    self.assertTrue(manager._checkSignatureMatch(short_key, name, rule))
def test_hyperrelation(self):
    """Exercise the hyper-relation ruleset with two signers per data name.

    Each case lists a data name and whether the key name produced by
    ``self.defaultCertName`` and by ``self.shortCertName`` must be accepted
    by ``_checkSignatureMatch``.  The test covers key-name policy matching
    only; nothing here verifies the signature bytes.
    """
    policy = ConfigPolicyManager("policy_config/hyperrelation_ruleset.conf")

    # (data name, default key accepted?, short key accepted?)
    cases = (
        ('/SecurityTestSecRule/Basic/Longer/Data2', True, False),
        ('/SecurityTestSecRule/Basic/Other/Data1', False, True),
    )

    for uri, default_ok, short_ok in cases:
        target = Name(uri)
        packet_default = Data(target)
        packet_short = Data(target)
        rule = policy._findMatchingRule(target, 'data')

        self.keyChain.sign(packet_default, self.defaultCertName)
        self.keyChain.sign(packet_short, self.shortCertName)
        key_default = packet_default.getSignature().getKeyLocator().getKeyName()
        key_short = packet_short.getSignature().getKeyLocator().getKeyName()

        # Pick the assertion by expectation so that a rejected key is
        # checked with assertFalse, exactly like an accepted one is with
        # assertTrue.
        expect_default = self.assertTrue if default_ok else self.assertFalse
        expect_short = self.assertTrue if short_ok else self.assertFalse
        expect_default(policy._checkSignatureMatch(key_default, target, rule))
        expect_short(policy._checkSignatureMatch(key_short, target, rule))
def test_checker_hierarchical(self):
    """Check the hierarchical ruleset against a short and a longer data name.

    Both names must resolve to the same rule.  Signed with
    ``self.defaultCertName``, only the longer name is accepted; signed with
    ``self.shortCertName``, both are.  Only ``_checkSignatureMatch`` on the
    key-locator name is exercised, not signature verification.
    """
    manager = ConfigPolicyManager(
        "policy_config/hierarchical_ruleset.conf")

    def signer_of(packet):
        return packet.getSignature().getKeyLocator().getKeyName()

    short_name = Name('/SecurityTestSecRule/Basic/Data1')
    long_name = Name('/SecurityTestSecRule/Basic/Longer/Data2')
    short_packet = Data(short_name)
    long_packet = Data(long_name)

    rule = manager._findMatchingRule(short_name, 'data')
    self.assertEqual(rule, manager._findMatchingRule(long_name, 'data'))

    self.keyChain.sign(short_packet, self.defaultCertName)
    self.keyChain.sign(long_packet, self.defaultCertName)
    short_signer = signer_of(short_packet)
    long_signer = signer_of(long_packet)

    # One-element list handed to the checker as its fourth argument.
    # NOTE(review): presumably an out-parameter for the rejection reason;
    # the test never reads it back.
    failureReason = ["unknown"]

    # The rejection is the security-relevant case: the default key name
    # must not be accepted for the shorter data name.
    self.assertFalse(
        manager._checkSignatureMatch(
            short_signer, short_name, rule, failureReason),
        "Hierarchical matcher matched short data name to long key name")
    self.assertTrue(
        manager._checkSignatureMatch(
            long_signer, long_name, rule, failureReason))

    # Re-sign both packets with the short certificate; both names are then
    # accepted.
    self.keyChain.sign(short_packet, self.shortCertName)
    self.keyChain.sign(long_packet, self.shortCertName)
    short_signer = signer_of(short_packet)
    long_signer = signer_of(long_packet)

    self.assertTrue(
        manager._checkSignatureMatch(
            short_signer, short_name, rule, failureReason))
    self.assertTrue(
        manager._checkSignatureMatch(
            long_signer, long_name, rule, failureReason))
def test_checker_hierarchical(self):
    """Verify hierarchical key-name matching for two data names.

    The same rule must be selected for both names.  With the default
    certificate the shorter data name is rejected and the longer one is
    accepted; with the short certificate both are accepted.  The checks
    go through ``_checkSignatureMatch`` only, so this is a test of naming
    policy and not of signature validity.
    """
    policy = ConfigPolicyManager("policy_config/hierarchical_ruleset.conf")
    name_a = Name('/SecurityTestSecRule/Basic/Data1')
    name_b = Name('/SecurityTestSecRule/Basic/Longer/Data2')
    packet_a = Data(name_a)
    packet_b = Data(name_b)

    rule = policy._findMatchingRule(name_a, 'data')
    self.assertEqual(rule, policy._findMatchingRule(name_b, 'data'))

    def sign_both(cert_name):
        # Sign both packets with one certificate, then report the key
        # names found in their key locators.
        self.keyChain.sign(packet_a, cert_name)
        self.keyChain.sign(packet_b, cert_name)
        key_a = packet_a.getSignature().getKeyLocator().getKeyName()
        key_b = packet_b.getSignature().getKeyLocator().getKeyName()
        return key_a, key_b

    key_a, key_b = sign_both(self.defaultCertName)
    # NOTE(review): looks like a slot the checker can fill with a reason;
    # its content is not asserted on here.
    failureReason = ["unknown"]

    def accepted(key_name, data_name):
        return policy._checkSignatureMatch(
            key_name, data_name, rule, failureReason)

    # Negative case first: the default key must be refused for name_a.
    self.assertFalse(
        accepted(key_a, name_a),
        "Hierarchical matcher matched short data name to long key name")
    self.assertTrue(accepted(key_b, name_b))

    key_a, key_b = sign_both(self.shortCertName)
    self.assertTrue(accepted(key_a, name_a))
    self.assertTrue(accepted(key_b, name_b))
def test_simple_regex(self):
    """Check which data names the regex ruleset selects a rule for.

    Five names are looked up with ``_findMatchingRule``.  Two of them must
    get no rule at all, and two must get a rule that differs from the one
    chosen for '/SecurityTestSecRule/Basic'.
    """
    manager = ConfigPolicyManager("policy_config/regex_ruleset.conf")

    uris = (
        '/SecurityTestSecRule/Basic',
        '/SecurityTestSecRule/Basic/More',
        '/SecurityTestSecRule/',
        '/SecurityTestSecRule/Other/TestData',
        '/Basic/Data',
    )
    # Build every name first, then run the lookups in the same order.
    names = [Name(uri) for uri in uris]
    rules = [manager._findMatchingRule(name, 'data') for name in names]
    basic_rule, more_rule, root_rule, other_rule, foreign_rule = rules

    self.assertIsNotNone(basic_rule)
    # NOTE(review): None means no rule was found; what the validator does
    # with such a packet is not visible from this test.
    self.assertIsNone(more_rule)

    self.assertIsNotNone(root_rule)
    self.assertNotEqual(root_rule, basic_rule,
                        "Rule regex matched extra components")

    self.assertIsNotNone(other_rule)
    self.assertNotEqual(other_rule, basic_rule,
                        "Rule regex matched with missing component")

    self.assertIsNone(foreign_rule)
def test_simple_regex(self):
    """Exercise rule selection by name regex in ``regex_ruleset.conf``.

    The assertions pin that the rule for '/SecurityTestSecRule/Basic' is
    not reused for a name with fewer components or a different middle
    component, and that two other names match no rule.
    """
    policy = ConfigPolicyManager("policy_config/regex_ruleset.conf")

    def find(name):
        return policy._findMatchingRule(name, 'data')

    # Unpacking drives map() to completion, so all five names exist before
    # the first lookup runs.
    exact, longer, shorter, sibling, unrelated = map(Name, (
        '/SecurityTestSecRule/Basic',
        '/SecurityTestSecRule/Basic/More',
        '/SecurityTestSecRule/',
        '/SecurityTestSecRule/Other/TestData',
        '/Basic/Data',
    ))

    rule_exact = find(exact)
    rule_longer = find(longer)
    rule_shorter = find(shorter)
    rule_sibling = find(sibling)
    rule_unrelated = find(unrelated)

    self.assertIsNotNone(rule_exact)
    self.assertIsNone(rule_longer)
    self.assertIsNotNone(rule_shorter)
    # A regex that is too loose would hand back rule_exact for these two.
    self.assertNotEqual(
        rule_shorter, rule_exact, "Rule regex matched extra components")
    self.assertIsNotNone(rule_sibling)
    self.assertNotEqual(
        rule_sibling, rule_exact, "Rule regex matched with missing component")
    self.assertIsNone(rule_unrelated)
def test_name_relation(self):
    """Compare the prefix, strict-prefix and equal name relations.

    Three rulesets are loaded, one per relation, and each is asked for a
    matching rule for three data names: the bare name '/TestRule1', a
    longer name under it, and a name that only contains 'TestRule1' as an
    inner component.
    """
    by_prefix = ConfigPolicyManager(
        "policy_config/relation_ruleset_prefix.conf")
    by_strict = ConfigPolicyManager(
        "policy_config/relation_ruleset_strict.conf")
    by_equal = ConfigPolicyManager(
        "policy_config/relation_ruleset_equal.conf")

    def rule_for(manager, name):
        return manager._findMatchingRule(name, 'data')

    # The bare name: matched by prefix and equal, not by strict-prefix.
    target = Name('/TestRule1')
    self.assertIsNotNone(rule_for(by_prefix, target),
                         "Prefix relation should match prefix name")
    self.assertIsNotNone(rule_for(by_equal, target),
                         "Equal relation should match prefix name")
    self.assertIsNone(rule_for(by_strict, target),
                      "Strict-prefix relation should not match prefix name")

    # A longer name: matched by prefix and strict-prefix, not by equal.
    target = Name('/TestRule1/hi')
    self.assertIsNotNone(rule_for(by_prefix, target),
                         "Prefix relation should match longer name")
    self.assertIsNone(rule_for(by_equal, target),
                      "Equal relation should not match longer name")
    self.assertIsNotNone(rule_for(by_strict, target),
                         "Strict-prefix relation should match longer name")

    # 'TestRule1' as an inner component must match under no relation; a
    # relation that accepted it would apply the rule outside its namespace.
    target = Name('/Bad/TestRule1/')
    self.assertIsNone(rule_for(by_prefix, target),
                      "Prefix relation should not match inner components")
    self.assertIsNone(rule_for(by_equal, target),
                      "Equal relation should not match inner components")
    self.assertIsNone(
        rule_for(by_strict, target),
        "Strict-prefix relation should not match inner components")
def test_name_relation(self):
    """Table-driven check of the three name relations.

    One ruleset per relation (prefix, strict-prefix, equal) is loaded.
    Every case pairs a data name with, for each ruleset, whether
    ``_findMatchingRule`` must return a rule and the message to report
    when it does not behave that way.
    """
    prefix = ConfigPolicyManager("policy_config/relation_ruleset_prefix.conf")
    strict = ConfigPolicyManager("policy_config/relation_ruleset_strict.conf")
    equal = ConfigPolicyManager("policy_config/relation_ruleset_equal.conf")

    cases = (
        ('/TestRule1', (
            (prefix, True, "Prefix relation should match prefix name"),
            (equal, True, "Equal relation should match prefix name"),
            (strict, False,
             "Strict-prefix relation should not match prefix name"),
        )),
        ('/TestRule1/hi', (
            (prefix, True, "Prefix relation should match longer name"),
            (equal, False, "Equal relation should not match longer name"),
            (strict, True,
             "Strict-prefix relation should match longer name"),
        )),
        # The rule name appears only as an inner component here, so no
        # relation may select the rule.
        ('/Bad/TestRule1/', (
            (prefix, False,
             "Prefix relation should not match inner components"),
            (equal, False,
             "Equal relation should not match inner components"),
            (strict, False,
             "Strict-prefix relation should not match inner components"),
        )),
    )

    for uri, expectations in cases:
        dataName = Name(uri)
        for manager, should_match, message in expectations:
            verdict = (self.assertIsNotNone if should_match
                       else self.assertIsNone)
            verdict(manager._findMatchingRule(dataName, 'data'), message)