def setUpClass(cls):
    """Build the fixtures shared by every test in this class.

    Encrypts a throwaway payload to obtain the K/U/V key material and the
    ciphertext handed to the cloud verifier, derives the HMAC auth tag used
    when registering the agent, loads and parses the tenant TPM policy, pins
    the API version under test, and prepares one valid and one deliberately
    invalid IMA policy bundle.
    """
    # The plaintext itself is irrelevant; only the derived key material and
    # ciphertext are consumed by the tests.
    encrypted = user_data_encrypt.encrypt("random garbage to test as payload")
    cls.K = encrypted["k"]
    cls.U = encrypted["u"]
    cls.V = encrypted["v"]
    cls.payload = encrypted["ciphertext"]

    # Agent registration expects an HMAC over the agent UUID keyed with K.
    cls.auth_tag = crypto.do_hmac(cls.K, tenant_templ.agent_uuid)

    # TPM policy is read from the tenant config and parsed into its usable form.
    raw_tpm_policy = config.get("tenant", "tpm_policy")
    cls.tpm_policy = tpm_abstract.TPM_Utilities.readPolicy(raw_tpm_policy)

    # Tests may target a specific API version; "2.0" is the latest here.
    cls.api_version = "2.0"

    # Two IMA policy bundles from the default allowlist: a good one with an
    # empty exclusion list, and a bad one whose exclusion list holds "*",
    # which is not a valid regular expression on its own.
    cls.ima_policy_bundle = ima.read_allowlist()
    cls.ima_policy_bundle["excllist"] = []
    cls.bad_ima_policy_bundle = ima.read_allowlist()
    cls.bad_ima_policy_bundle["excllist"] = ["*"]
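def test_read_allowlist(self):
    """Test reading and processing of the IMA allow-list.

    Exercises ima.read_allowlist() against a short fixture allowlist under
    every combination of integrity check: no verification, checksum only,
    GPG signature only, and checksum plus signature together. The negative
    cases (wrong checksum, bad signature) must raise with a recognisable
    message, so that a tampered allowlist cannot be silently accepted.

    NOTE(review): no case here covers a signature produced by a *different*
    key, nor a file modified after signing; consider adding fixtures for
    both so key-binding (not just signature well-formedness) is pinned.
    """
    curdir = os.path.dirname(os.path.abspath(__file__))
    allowlist_file = os.path.join(curdir, "data", "ima-allowlist-short.txt")
    allowlist_sig = os.path.join(curdir, "data", "ima-allowlist-short.sig")
    allowlist_bad_sig = os.path.join(curdir, "data", "ima-allowlist-bad.sig")
    allowlist_gpg_key = os.path.join(curdir, "data", "gpg-sig.pub")
    # 64 hex digits: the expected digest of the fixture file, and a
    # well-formed digest that does not match it.
    allowlist_checksum = "6b010e359bbcebafb9b3e5010c302c94d29e249f86ae6293339506041aeebd41"
    allowlist_bad_checksum = "4c143670836f96535d9e617359b4d87c59e89e633e2773b4d7feae97f561b3dc"

    def check_short_allowlist(al_data):
        """Assert the parsed fixture content every positive case must yield."""
        self.assertIsNotNone(al_data, "AllowList data is present")
        self.assertIsNotNone(al_data["hashes"], "AllowList hashes are present")
        self.assertEqual(len(al_data["hashes"]), 21, "AllowList hashes are correct length")
        self.assertEqual(
            al_data["hashes"]["/boot/grub2/i386-pc/testload.mod"][0],
            "68e1d012e3f193dcde955e6ffbbc80e22b0f8778",
            "AllowList sample hash is correct",
        )

    # simple read, no fancy verification
    al_data = ima.read_allowlist(allowlist_file)
    check_short_allowlist(al_data)
    self.assertIsNotNone(al_data["meta"], "AllowList metadata is present")
    self.assertEqual(al_data["meta"]["version"], 5, "AllowList metadata version is correct")
    self.assertEqual(
        al_data["meta"]["generator"],
        "keylime-legacy-format-upgrade",
        "AllowList metadata generator is correct",
    )
    # No checksum was supplied, so none must be recorded in the metadata.
    self.assertNotIn("checksum", al_data["meta"], "AllowList metadata no checksum")
    self.assertIsNotNone(al_data["keyrings"], "AllowList keyrings are present")
    self.assertEqual(len(al_data["keyrings"]), 1, "AllowList keyrings are correct length")
    self.assertEqual(
        al_data["keyrings"][".ima"][0],
        "a7d52aaa18c23d2d9bb2abb4308c0eeee67387a42259f4a6b1a42257065f3d5a",
        "AllowList sample keyring is correct",
    )

    # validate checksum
    al_data = ima.read_allowlist(allowlist_file, allowlist_checksum)
    check_short_allowlist(al_data)
    self.assertEqual(al_data["meta"]["checksum"], allowlist_checksum, "AllowList metadata correct checksum")

    # test with a bad checksum: the message check is what pins the failure
    # reason, since assertRaises(Exception) alone would accept any error.
    with self.assertRaises(Exception) as bad_checksum_context:
        ima.read_allowlist(allowlist_file, allowlist_bad_checksum)
    self.assertIn("Checksum of allowlist does not match", str(bad_checksum_context.exception))

    # validate GPG signature
    al_data = ima.read_allowlist(allowlist_file, None, allowlist_sig, allowlist_gpg_key)
    check_short_allowlist(al_data)
    self.assertNotIn("checksum", al_data["meta"], "AllowList metadata no checksum")

    # test with a bad GPG sig (same key, corrupt signature file)
    with self.assertRaises(Exception) as bad_sig_context:
        ima.read_allowlist(allowlist_file, None, allowlist_bad_sig, allowlist_gpg_key)
    self.assertIn("Allowlist signature verification failed", str(bad_sig_context.exception))

    # validate everything together
    al_data = ima.read_allowlist(allowlist_file, allowlist_checksum, allowlist_sig, allowlist_gpg_key)
    check_short_allowlist(al_data)
    self.assertEqual(al_data["meta"]["checksum"], allowlist_checksum, "AllowList metadata correct checksum")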