diff --git a/Library/test-helpers/lib.sh b/Library/test-helpers/lib.sh
index c337b5fb..10c95fee 100644
--- a/Library/test-helpers/lib.sh
+++ b/Library/test-helpers/lib.sh
@@ -1541,11 +1541,11 @@ Returns 0 when the start was successful, 1 otherwise.
 limeWaitForAgentStatus() {
 local FIELD='operational_state'
+ [ "$1" == "--field" ] && FIELD="$2" && shift 2
 local TIMEOUT=${limeTIMEOUT}
 local UUID="$1"
 local VALUE="$2"
 local OUTPUT=`mktemp`
- [ "$1" == "--field" ] && FIELD="$2" && shift 2
 [ -z "$1" ] && return 3
 [ -z "$2" ] && return 4
 [ -n "$3" ] && TIMEOUT=$3
diff --git a/Library/test-helpers/lime_con_install_upstream.sh b/Library/test-helpers/lime_con_install_upstream.sh
index ad862ec0..62fd82fe 100644
--- a/Library/test-helpers/lime_con_install_upstream.sh
+++ b/Library/test-helpers/lime_con_install_upstream.sh
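Review bot: The moved `--field` line assigns `FIELD="$2"` without checking that a value follows the option, so `--field` with an empty value leaves `FIELD` empty, and `--field` as the only argument makes `shift 2` fail, leaves `--field` in `$1`, and the call is then rejected with return 4, a code the following lines appear to reserve for a missing VALUE, which misleads the caller. A guard such as `[ "$1" == "--field" ] && { [ -n "$2" ] || return 5; FIELD=$2; shift 2; }` (5 being a constructed example of a code the function does not use in this hunk) reports the real cause. The rest of limeWaitForAgentStatus, including how `FIELD` is used and whether the `mktemp` file in `OUTPUT` is removed, lies outside the hunk.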
@@ -92,23 +92,16 @@ RPMPKG=$( awk '/Wrote:/ { print $2 }' build.log )
 rpm -ivh $RPMPKG
 # enable rust agent COPR repo and install agent
-cat > /etc/yum.repos.d/copr-rust-keylime-master.repo <<_EOF
-[copr-rust-keylime-master]
-name=Copr repo for keylime-rust-keylime-master owned by packit
-baseurl=https://download.copr.fedorainfracloud.org/results/packit/keylime-rust-keylime-master/fedora-\$releasever-\$basearch/
-type=rpm-md
-skip_if_unavailable=True
-gpgcheck=1
-gpgkey=https://download.copr.fedorainfracloud.org/results/packit/keylime-rust-keylime-master/pubkey.gpg
-repo_gpgcheck=0
-enabled=1
-enabled_metadata=1
-priority=1
-_EOF
-sed -i 's|keylime-rust-keylime-master/fedora|keylime-rust-keylime-master/centos-stream|' /etc/yum.repos.d/copr-rust-keylime-master.repo
-yum -y install keylime-agent-rust
+if [ -f /etc/fedora-release ]; then
+ dnf -y copr enable packit/keylime-rust-keylime-master-fedora
+else
+ _MAJOR=$( rpm -q --qf '%{VERSION}' centos-stream-release | cut -d '.' -f 1 )
+ _ARCH=$( arch )
+ dnf -y copr enable packit/keylime-rust-keylime-master-centos centos-stream-${_MAJOR}-${_ARCH}
+fi
+yum -y install keylime-agent-rust keylime-agent-rust-push
 curl -o /etc/keylime/keylime-agent.conf https://raw.githubusercontent.com/keylime/rust-keylime/master/keylime-agent.conf
-mkdir -p /etc/systemd/system/keylime_agent.service.d
+mkdir -p /etc/systemd/system/keylime_agent.service.d /etc/systemd/system/keylime_push_model_agent.service.d
 mkdir -p /etc/keylime/agent.conf.d
 # fix conf file ownership
diff --git a/container/functional/keylime_agent_container-basic-attestation/main.fmf b/container/functional/keylime_agent_container-basic-attestation/main.fmf
index e0157a40..c9a6ef76 100644
--- a/container/functional/keylime_agent_container-basic-attestation/main.fmf
+++ b/container/functional/keylime_agent_container-basic-attestation/main.fmf
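Review bot: In the `else` branch, `_MAJOR` comes from `rpm -q --qf '%{VERSION}' centos-stream-release` with no check that the query succeeded, and the pipeline's status is `cut`'s, so on a non-Fedora host without that package `_MAJOR` is empty, the chroot argument degrades to `centos-stream--<arch>`, and the failed `dnf -y copr enable` goes unnoticed until `yum -y install` fails with a less obvious error; whether the script runs under `set -e` is not visible in this hunk. Adding `[ -n "$_MAJOR" ] || { echo "cannot determine CentOS Stream major version" >&2; exit 1; }` after the assignment and `|| exit 1` on both `dnf -y copr enable` lines would stop at the real cause. The removed hand-written repo file pinned `gpgcheck=1` with an explicit `gpgkey`; it is worth confirming that the repo file `dnf copr enable` writes keeps package signature checking enabled, since the install line now relies on it.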
@@ -21,12 +21,17 @@ require:
 - podman
 recommend:
 - keylime
-duration: 10m
+duration: 15m
 enabled: true
-id: 3b782552-e418-4b35-86c3-d346cb8b0442
-extra-nitrate: TC#0615276
-
 adjust:
 - when: swtpm != yes
 enabled: false
 because: We need to emulate multiple TPM devices with swtpm
+/push:
+ environment:
+ AGENT_SERVICE: PushAgent
+ id: be2bbaa2-f97a-4ad9-bd03-2eb6a1dac0e5
+/pull:
+ environment:
+ AGENT_SERVICE: Agent
+ id: 3b782552-e418-4b35-86c3-d346cb8b0442
diff --git a/container/functional/keylime_agent_container-basic-attestation/test.sh b/container/functional/keylime_agent_container-basic-attestation/test.sh
index 6e474417..932daf5e 100755
--- a/container/functional/keylime_agent_container-basic-attestation/test.sh
+++ b/container/functional/keylime_agent_container-basic-attestation/test.sh
@@ -14,6 +14,13 @@
 [ -n "$REGISTRY" ] || REGISTRY=quay.io
+TENANT_ARGS=""
+AGENT_CMD="keylime_agent"
+if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+ TENANT_ARGS="--push-model"
+ AGENT_CMD="keylime_push_model_agent"
+fi
+
 rlJournalStart
 rlPhaseStartSetup "Do the keylime setup"
@@ -34,6 +41,17 @@ rlJournalStart
 #verifier
 rlRun "limeUpdateConf verifier ip $SERVER_IP"
+ rlRun "limeUpdateConf verifier quote_interval 10"
+
+ # configure push attestation
+ if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+ # Set the verifier to run in PUSH mode
+ rlRun "limeUpdateConf verifier mode 'push'"
+ rlRun "limeUpdateConf verifier challenge_lifetime 1800"
+ rlRun "limeUpdateConf agent attestation_interval_seconds 10"
+ rlRun "limeUpdateConf agent tls_accept_invalid_hostnames true"
+ rlRun "limeUpdateConf agent verifier_url '\"https://$SERVER_IP:8881\"'"
+ fi
 # start tpm emulator
 rlRun "limeStartTPMEmulator"
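Review bot: The `[ "${AGENT_SERVICE}" == "PushAgent" ]` test introduced in the `-14,6` hunk is repeated verbatim in the `-34,6` hunk and four more times in the `-103,42` hunk; deriving one flag here, e.g. `PUSH_MODE=false` before the `if` and `PUSH_MODE=true` inside it, or a small helper `limeIsPushAgent() { [ "${AGENT_SERVICE}" == "PushAgent" ]; }`, would keep the per-phase branches in step. Any value of `AGENT_SERVICE` other than `PushAgent`, including a typo or the variable being unset when the script is run outside the `/push` and `/pull` fmf variants, silently selects the pull-model commands; a `case "${AGENT_SERVICE}"` that accepts only `Agent`, `PushAgent` and the empty string and exits otherwise would surface such a misconfiguration at start-up instead of as a confusing later failure.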
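Review bot: `limeUpdateConf agent tls_accept_invalid_hostnames true` in the `-34,6` hunk turns off hostname verification for the agent's TLS connection to the verifier, and nothing in the hunk records why; a comment on that line such as `# verifier_url below is a bare IP, so the verifier certificate's name cannot match; test-only relaxation` (presumably the reason, confirm) would stop the setting being copied into a non-test configuration unexamined. The values `challenge_lifetime 1800` and `attestation_interval_seconds 10` are likewise unexplained; a one-line rationale for each (for instance that the interval must be short enough for `limeWaitForAgentStatus` to see a change within `limeTIMEOUT`) would help the next reader. `quote_interval 10` is applied before the `if`, so it also changes the pull variant; if that is intended, saying so in a comment avoids someone later moving it inside the branch.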
@@ -45,8 +63,8 @@ rlJournalStart
 # start tpm emulator
 rlRun "limeTPMDevNo=1 limeStartTPMEmulator"
 rlRun "limeTPMDevNo=1 limeWaitForTPMEmulator"
- # start ima emulator
- rlRun "limeTPMDevNo=1 TCTI=device:/dev/tpmrm1 limeStartIMAEmulator"
+ # start ima emulator, use --no-stop so we won't stop the previous one
+ rlRun "limeTPMDevNo=1 TPM2TOOLS_TCTI=device:/dev/tpmrm1 limeStartIMAEmulator --no-stop"
 sleep 5
@@ -82,7 +100,7 @@ rlJournalStart
 rlRun "limeconPrepareAgentConfdir $AGENT_ID_FIRST $IP_AGENT_FIRST confdir_$CONT_AGENT_FIRST"
 #run of first agent
- rlRun "limeconRunAgent $CONT_AGENT_FIRST $TAG_AGENT $IP_AGENT_FIRST $CONT_NETWORK_NAME $TESTDIR_FIRST keylime_agent $PWD/confdir_$CONT_AGENT_FIRST $PWD/cv_ca"
+ rlRun "limeconRunAgent $CONT_AGENT_FIRST $TAG_AGENT $IP_AGENT_FIRST $CONT_NETWORK_NAME $TESTDIR_FIRST $AGENT_CMD $PWD/confdir_$CONT_AGENT_FIRST $PWD/cv_ca"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID_FIRST}"
 #setup of second agent
@@ -92,7 +110,7 @@ rlJournalStart
 rlRun "limeconPrepareAgentConfdir $AGENT_ID_SECOND $IP_AGENT_SECOND confdir_$CONT_AGENT_SECOND"
 #run of second agent
- rlRun "limeTPMDevNo=1 limeconRunAgent $CONT_AGENT_SECOND $TAG_AGENT $IP_AGENT_SECOND $CONT_NETWORK_NAME $TESTDIR_SECOND keylime_agent $PWD/confdir_$CONT_AGENT_SECOND $PWD/cv_ca"
+ rlRun "limeTPMDevNo=1 limeconRunAgent $CONT_AGENT_SECOND $TAG_AGENT $IP_AGENT_SECOND $CONT_NETWORK_NAME $TESTDIR_SECOND $AGENT_CMD $PWD/confdir_$CONT_AGENT_SECOND $PWD/cv_ca"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID_SECOND}"
 # create allowlist and excludelist for each agent
@@ -103,42 +121,60 @@ rlJournalStart
 rlPhaseEnd
 rlPhaseStartTest "Add keylime agents"
- rlRun -s "keylime_tenant -v $SERVER_IP -t $IP_AGENT_FIRST -u $AGENT_ID_FIRST --runtime-policy policy1.json -f /etc/hosts -c add"
- rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
+ rlRun -s "keylime_tenant -v $SERVER_IP -t $IP_AGENT_FIRST -u $AGENT_ID_FIRST --runtime-policy policy1.json -f /etc/hosts -c add ${TENANT_ARGS}"
+ if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+ rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_FIRST 'PASS'"
+ else
+ rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
+ fi
 rlRun -s "keylime_tenant -c cvlist"
 rlAssertGrep "{'code': 200, 'status': 'Success', 'results': {'uuids':.*'$AGENT_ID_FIRST'" $rlRun_LOG -E
 #check second agent
- rlRun -s "keylime_tenant -v $SERVER_IP -t $IP_AGENT_SECOND -u $AGENT_ID_SECOND --runtime-policy policy2.json -f /etc/hosts -c add"
- rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+ rlRun -s "keylime_tenant -v $SERVER_IP -t $IP_AGENT_SECOND -u $AGENT_ID_SECOND --runtime-policy policy2.json -f /etc/hosts -c add ${TENANT_ARGS}"
+ if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+ rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'PASS'"
+ else
+ rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+ fi
 rlPhaseEnd
 rlPhaseStartTest "Execute good scripts"
 rlRun "$TESTDIR_FIRST/good-script.sh"
 rlRun "$TESTDIR_SECOND/good-script.sh"
- sleep 5
- rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
- rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+ sleep $limeTimeout
+ if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+ rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_FIRST 'PASS'"
+ rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'PASS'"
+ else
+ rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
+ rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+ fi
 rlPhaseEnd
-
rlPhaseStartTest "Fail first keylime agent and check second"
 rlRun "echo -e '#!/bin/bash\necho boom' > $TESTDIR_FIRST/bad-script.sh && chmod a+x $TESTDIR_FIRST/bad-script.sh"
 rlRun "$TESTDIR_FIRST/bad-script.sh"
- rlRun "rlWaitForCmd 'tail \$(limeVerifierLogfile) | grep -q \"Agent $AGENT_ID_FIRST failed\"' -m 10 -d 1 -t 10"
- rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST '(Failed|Invalid Quote)'"
+ rlRun "rlWaitForCmd 'tail -30 \$(limeVerifierLogfile) | grep -Eiq \"Agent.*$AGENT_ID_FIRST.*failed\"' -m 30 -d 2 -t 60"
 rlAssertGrep "WARNING - File not found in allowlist: $TESTDIR_FIRST/bad-script.sh" $(limeVerifierLogfile)
- rlAssertGrep "WARNING - Agent $AGENT_ID_FIRST failed, stopping polling" $(limeVerifierLogfile)
- #check status of first agent
- rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+ if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+ rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_FIRST 'FAIL'"
+ rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'PASS'"
+ else
+ rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST '(Failed|Invalid Quote)'"
+ rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+ fi
 rlPhaseEnd
 rlPhaseStartTest "Fail second keylime agent"
 rlRun "echo -e '#!/bin/bash\necho boom' > $TESTDIR_SECOND/bad-script.sh && chmod a+x $TESTDIR_SECOND/bad-script.sh"
 rlRun "$TESTDIR_SECOND/bad-script.sh"
- rlRun "rlWaitForCmd 'tail \$(limeVerifierLogfile) | grep -q \"Agent $AGENT_ID_SECOND failed\"' -m 10 -d 1 -t 10"
- rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND '(Failed|Invalid Quote)'"
+ rlRun "rlWaitForCmd 'tail -30 \$(limeVerifierLogfile) | grep -Eiq \"Agent.*$AGENT_ID_SECOND.*failed\"' -m 30 -d 2 -t 60"
 rlAssertGrep "WARNING - File not found in allowlist: $TESTDIR_SECOND/bad-script.sh" $(limeVerifierLogfile)
- rlAssertGrep "WARNING - Agent $AGENT_ID_SECOND failed, stopping polling" $(limeVerifierLogfile)
+ if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+ rlRun "limeWaitForAgentStatus --field 
attestation_status $AGENT_ID_SECOND 'FAIL'"
+ else
+ rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND '(Failed|Invalid Quote)'"
+ fi
 rlPhaseEnd
 rlPhaseStartCleanup "Do the keylime cleanup"
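Review bot: `sleep $limeTimeout` in the "Execute good scripts" phase names a variable whose spelling does not match the `limeTIMEOUT` that lib.sh reads in the first hunk; unless a separately defined `limeTimeout` exists, it expands to nothing, `sleep` exits with "missing operand", and because the line is not wrapped in `rlRun` the failure is neither logged nor counted, so the phase continues without the intended pause. `rlRun "sleep ${limeTIMEOUT}"` (or whichever variable is actually defined) fixes the name and makes a failure visible. In both "Fail ... keylime agent" phases the `rlAssertGrep "WARNING - Agent ... failed, stopping polling"` check is dropped for the pull variant as well, although that verifier presumably still polls and logs it; moving those two assertions into the respective `else` branches keeps the previous pull-mode coverage. The relaxed `grep -Eiq "Agent.*$AGENT_ID_FIRST.*failed"` over `tail -30` is also looser than the exact message it replaces, so a short comment saying which log line it is meant to match would help the next person who has to tighten it.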