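    def setUpClass(cls):
        """Prepare the keys, payload and policies handed to the cloud verifier (CV).

        Populates the class attributes the tests read:
          K, U, V            key material returned by user_data_encrypt.encrypt()
          payload            ciphertext of a fixed, non-secret test string
          auth_tag           HMAC keyed with K over the agent UUID, used when
                             registering the agent
          tpm_policy         TPM policy parsed from the [tenant] "tpm_policy"
                             config entry
          api_version        API version the tests target
          ima_policy_bundle  IMA allowlist bundle with an empty exclusion list
          bad_ima_policy_bundle
                             IMA allowlist bundle whose exclusion list holds a
                             deliberately invalid regex ("*")
        """
        # Fixed plaintext: the tests only need something that round-trips through
        # encrypt/decrypt, so nothing here is secret.
        contents = "random garbage to test as payload"
        ret = user_data_encrypt.encrypt(contents)
        cls.K = ret["k"]
        cls.U = ret["u"]
        cls.V = ret["v"]
        cls.payload = ret["ciphertext"]

        # Agent registration: the auth tag binds key K to this agent's UUID via HMAC.
        cls.auth_tag = crypto.do_hmac(cls.K, tenant_templ.agent_uuid)

        # Read the tenant's TPM policy string and parse it into its structured form.
        cls.tpm_policy = tpm_abstract.TPM_Utilities.readPolicy(
            config.get("tenant", "tpm_policy")
        )

        # Pin the API version the tests target (the previous note called the
        # default "latest" -- confirm against the tenant code if changing this).
        cls.api_version = "2.0"

        # Each bundle is read independently rather than copied, so mutating the
        # "bad" one cannot leak into the good one through shared nested lists.
        cls.ima_policy_bundle = ima.read_allowlist()
        cls.ima_policy_bundle["excllist"] = []

        # "*" is not a valid regex (nothing to repeat), so a consumer that
        # compiles the exclusion list must reject this bundle.
        cls.bad_ima_policy_bundle = ima.read_allowlist()
        cls.bad_ima_policy_bundle["excllist"] = ["*"]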
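    def _assert_short_allowlist(self, al_data):
        """Assert the mode-independent contents of ima-allowlist-short.txt.

        Every successful read (plain, checksum-verified, signature-verified,
        both) must yield the same 21 hash entries and the known sample hash.
        Callers add the mode-specific metadata checks (checksum present or
        absent, version, generator) themselves.
        """
        self.assertIsNotNone(al_data, "AllowList data is present")
        self.assertIsNotNone(al_data["hashes"], "AllowList hashes are present")
        self.assertEqual(len(al_data["hashes"]), 21,
                         "AllowList hashes are correct length")
        self.assertEqual(
            al_data["hashes"]["/boot/grub2/i386-pc/testload.mod"][0],
            "68e1d012e3f193dcde955e6ffbbc80e22b0f8778",
            "AllowList sample hash is correct",
        )

    def test_read_allowlist(self):
        """Test reading and verification of the IMA allow-list.

        Exercises ima.read_allowlist() on the short fixture in four modes:
        plain read, SHA-256 checksum verification, GPG signature verification
        against the fixture public key, and both together. The negative cases
        check that a wrong checksum and a bad signature are each rejected with
        the expected error text.

        Not exercised here (worth a follow-up): a signature made by an
        unrelated key, a signature file supplied without a key, and a checksum
        mismatch combined with an otherwise valid signature.
        """
        curdir = os.path.dirname(os.path.abspath(__file__))
        data_dir = os.path.join(curdir, "data")
        allowlist_file = os.path.join(data_dir, "ima-allowlist-short.txt")
        allowlist_sig = os.path.join(data_dir, "ima-allowlist-short.sig")
        allowlist_bad_sig = os.path.join(data_dir, "ima-allowlist-bad.sig")
        allowlist_gpg_key = os.path.join(data_dir, "gpg-sig.pub")
        # SHA-256 of the fixture file; the "bad" value is any other digest.
        allowlist_checksum = "6b010e359bbcebafb9b3e5010c302c94d29e249f86ae6293339506041aeebd41"
        allowlist_bad_checksum = "4c143670836f96535d9e617359b4d87c59e89e633e2773b4d7feae97f561b3dc"

        # Plain read, no verification: metadata must still describe the upgrade
        # of the legacy format and must not carry a checksum.
        al_data = ima.read_allowlist(allowlist_file)
        self._assert_short_allowlist(al_data)
        self.assertIsNotNone(al_data["meta"], "AllowList metadata is present")
        self.assertEqual(al_data["meta"]["version"], 5,
                         "AllowList metadata version is correct")
        self.assertEqual(al_data["meta"]["generator"],
                         "keylime-legacy-format-upgrade",
                         "AllowList metadata generator is correct")
        self.assertNotIn("checksum", al_data["meta"],
                         "AllowList metadata no checksum")
        self.assertIsNotNone(al_data["keyrings"],
                             "AllowList keyrings are present")
        self.assertEqual(len(al_data["keyrings"]), 1,
                         "AllowList keyrings are correct length")
        self.assertEqual(
            al_data["keyrings"][".ima"][0],
            "a7d52aaa18c23d2d9bb2abb4308c0eeee67387a42259f4a6b1a42257065f3d5a",
            "AllowList sample keyring is correct",
        )

        # Checksum verification: the verified digest is recorded in the metadata.
        al_data = ima.read_allowlist(allowlist_file, allowlist_checksum)
        self._assert_short_allowlist(al_data)
        self.assertEqual(al_data["meta"]["checksum"], allowlist_checksum,
                         "AllowList metadata correct checksum")

        # A wrong checksum must be rejected, not silently ignored.
        with self.assertRaisesRegex(Exception,
                                    "Checksum of allowlist does not match"):
            ima.read_allowlist(allowlist_file, allowlist_bad_checksum)

        # GPG signature verification with no checksum: data is accepted and the
        # metadata must not gain a checksum it was never given.
        al_data = ima.read_allowlist(allowlist_file, None, allowlist_sig,
                                     allowlist_gpg_key)
        self._assert_short_allowlist(al_data)
        self.assertNotIn("checksum", al_data["meta"],
                         "AllowList metadata no checksum")

        # A signature that does not verify under the supplied key must be rejected.
        with self.assertRaisesRegex(Exception,
                                    "Allowlist signature verification failed"):
            ima.read_allowlist(allowlist_file, None, allowlist_bad_sig,
                               allowlist_gpg_key)

        # Checksum and signature together.
        al_data = ima.read_allowlist(allowlist_file, allowlist_checksum,
                                     allowlist_sig, allowlist_gpg_key)
        self._assert_short_allowlist(al_data)
        self.assertEqual(al_data["meta"]["checksum"], allowlist_checksum,
                         "AllowList metadata correct checksum")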