add push model subtest to keylime_agent_container-basic-attestation

Library/test-helpers/lib.sh

@@ -1541,11 +1541,11 @@ Returns 0 when the start was successful, 1 otherwise.
 
 limeWaitForAgentStatus() {
     local FIELD='operational_state'
+    [ "$1" == "--field" ] && FIELD="$2" && shift 2
     local TIMEOUT=${limeTIMEOUT}
     local UUID="$1"
     local VALUE="$2"
     local OUTPUT=`mktemp`
-    [ "$1" == "--field" ] && FIELD="$2" && shift 2
     [ -z "$1" ] && return 3
     [ -z "$2" ] && return 4
     [ -n "$3" ] && TIMEOUT=$3

Library/test-helpers/lime_con_install_upstream.sh

@@ -92,23 +92,16 @@
 rpm -ivh $RPMPKG
 
 # enable rust agent COPR repo and install agent
-cat > /etc/yum.repos.d/copr-rust-keylime-master.repo <<_EOF
-[copr-rust-keylime-master]
-name=Copr repo for keylime-rust-keylime-master owned by packit
-baseurl=https://download.copr.fedorainfracloud.org/results/packit/keylime-rust-keylime-master/fedora-\$releasever-\$basearch/
-type=rpm-md
-skip_if_unavailable=True
-gpgcheck=1
-gpgkey=https://download.copr.fedorainfracloud.org/results/packit/keylime-rust-keylime-master/pubkey.gpg
-repo_gpgcheck=0
-enabled=1
-enabled_metadata=1
-priority=1
-_EOF
-sed -i 's|keylime-rust-keylime-master/fedora|keylime-rust-keylime-master/centos-stream|' /etc/yum.repos.d/copr-rust-keylime-master.repo
-yum -y install keylime-agent-rust
+if [ -f /etc/fedora-release ]; then
+    dnf -y copr enable packit/keylime-rust-keylime-master-fedora
+else
+    _MAJOR=$( rpm -q --qf '%{VERSION}' centos-stream-release | cut -d '.' -f 1 )
+    _ARCH=$( arch )
+    dnf -y copr enable packit/keylime-rust-keylime-master-centos centos-stream-${_MAJOR}-${_ARCH}
+fi
+yum -y install keylime-agent-rust keylime-agent-rust-push
 curl -o /etc/keylime/keylime-agent.conf https://raw.githubusercontent.com/keylime/rust-keylime/master/keylime-agent.conf
-mkdir -p /etc/systemd/system/keylime_agent.service.d
+mkdir -p /etc/systemd/system/keylime_agent.service.d /etc/systemd/system/keylime_push_model_agent.service.d
 mkdir -p /etc/keylime/agent.conf.d
 
 # fix conf file ownership

container/functional/keylime_agent_container-basic-attestation/main.fmf

@@ -21,12 +21,17 @@ require:
   - podman
 recommend:
   - keylime
-duration: 10m
+duration: 15m
 enabled: true
-id: 3b782552-e418-4b35-86c3-d346cb8b0442
-extra-nitrate: TC#0615276
-
 adjust:
   - when: swtpm != yes
     enabled: false
     because: We need to emulate multiple TPM devices with swtpm
+/push:
+    environment:
+        AGENT_SERVICE: PushAgent
+    id: be2bbaa2-f97a-4ad9-bd03-2eb6a1dac0e5
+/pull:
+    environment:
+        AGENT_SERVICE: Agent
+    id: 3b782552-e418-4b35-86c3-d346cb8b0442

container/functional/keylime_agent_container-basic-attestation/test.sh

@@ -14,6 +14,13 @@
 
 [ -n "$REGISTRY" ] || REGISTRY=quay.io
 
+TENANT_ARGS=""
+AGENT_CMD="keylime_agent"
+if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+    TENANT_ARGS="--push-model"
+    AGENT_CMD="keylime_push_model_agent"
+fi
+
 rlJournalStart
 
     rlPhaseStartSetup "Do the keylime setup"
@@ -34,6 +41,17 @@
 
         #verifier
         rlRun "limeUpdateConf verifier ip $SERVER_IP"
+        rlRun "limeUpdateConf verifier quote_interval 10"
+
+        # configure push attestation
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            # Set the verifier to run in PUSH mode
+            rlRun "limeUpdateConf verifier mode 'push'"
+            rlRun "limeUpdateConf verifier challenge_lifetime 1800"
+            rlRun "limeUpdateConf agent attestation_interval_seconds 10"
+            rlRun "limeUpdateConf agent tls_accept_invalid_hostnames true"
+            rlRun "limeUpdateConf agent verifier_url '\"https://$SERVER_IP:8881\"'"
+        fi
 
         # start tpm emulator
         rlRun "limeStartTPMEmulator"
@@ -45,8 +63,8 @@
         # start tpm emulator
         rlRun "limeTPMDevNo=1 limeStartTPMEmulator"
         rlRun "limeTPMDevNo=1 limeWaitForTPMEmulator"
-        # start ima emulator
-        rlRun "limeTPMDevNo=1 TCTI=device:/dev/tpmrm1 limeStartIMAEmulator"
+        # start ima emulator, use --no-stop so we won't stop the previous one
+        rlRun "limeTPMDevNo=1 TPM2TOOLS_TCTI=device:/dev/tpmrm1 limeStartIMAEmulator --no-stop"
 
         sleep 5
 
@@ -82,7 +100,7 @@
         rlRun "limeconPrepareAgentConfdir $AGENT_ID_FIRST $IP_AGENT_FIRST confdir_$CONT_AGENT_FIRST"
 
         #run of first agent 
-        rlRun "limeconRunAgent $CONT_AGENT_FIRST $TAG_AGENT $IP_AGENT_FIRST $CONT_NETWORK_NAME $TESTDIR_FIRST keylime_agent $PWD/confdir_$CONT_AGENT_FIRST $PWD/cv_ca"
+        rlRun "limeconRunAgent $CONT_AGENT_FIRST $TAG_AGENT $IP_AGENT_FIRST $CONT_NETWORK_NAME $TESTDIR_FIRST $AGENT_CMD $PWD/confdir_$CONT_AGENT_FIRST $PWD/cv_ca"
         rlRun "limeWaitForAgentRegistration ${AGENT_ID_FIRST}"
 
         #setup of second agent
@@ -92,7 +110,7 @@
         rlRun "limeconPrepareAgentConfdir $AGENT_ID_SECOND $IP_AGENT_SECOND confdir_$CONT_AGENT_SECOND"
 
         #run of second agent
-        rlRun "limeTPMDevNo=1 limeconRunAgent $CONT_AGENT_SECOND $TAG_AGENT $IP_AGENT_SECOND $CONT_NETWORK_NAME $TESTDIR_SECOND keylime_agent $PWD/confdir_$CONT_AGENT_SECOND $PWD/cv_ca"
+        rlRun "limeTPMDevNo=1 limeconRunAgent $CONT_AGENT_SECOND $TAG_AGENT $IP_AGENT_SECOND $CONT_NETWORK_NAME $TESTDIR_SECOND $AGENT_CMD $PWD/confdir_$CONT_AGENT_SECOND $PWD/cv_ca"
         rlRun "limeWaitForAgentRegistration ${AGENT_ID_SECOND}"
 
         # create allowlist and excludelist for each agent
@@ -103,42 +121,60 @@
     rlPhaseEnd
 
     rlPhaseStartTest "Add keylime agents"
-        rlRun -s "keylime_tenant -v $SERVER_IP  -t $IP_AGENT_FIRST -u $AGENT_ID_FIRST --runtime-policy policy1.json -f /etc/hosts -c add"
-        rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
+        rlRun -s "keylime_tenant -v $SERVER_IP  -t $IP_AGENT_FIRST -u $AGENT_ID_FIRST --runtime-policy policy1.json -f /etc/hosts -c add ${TENANT_ARGS}"
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_FIRST 'PASS'"
+        else
+            rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
+        fi
         rlRun -s "keylime_tenant -c cvlist"
         rlAssertGrep "{'code': 200, 'status': 'Success', 'results': {'uuids':.*'$AGENT_ID_FIRST'" $rlRun_LOG -E
         #check second agent
-        rlRun -s "keylime_tenant -v $SERVER_IP  -t $IP_AGENT_SECOND -u $AGENT_ID_SECOND --runtime-policy policy2.json -f /etc/hosts -c add"
-        rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        rlRun -s "keylime_tenant -v $SERVER_IP  -t $IP_AGENT_SECOND -u $AGENT_ID_SECOND --runtime-policy policy2.json -f /etc/hosts -c add ${TENANT_ARGS}"
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'PASS'"
+        else
+            rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        fi
     rlPhaseEnd
 
     rlPhaseStartTest "Execute good scripts"
         rlRun "$TESTDIR_FIRST/good-script.sh"
         rlRun "$TESTDIR_SECOND/good-script.sh"
-        sleep 5
-        rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
-        rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        sleep $limeTimeout
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_FIRST 'PASS'"
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'PASS'"
+        else
+            rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST 'Get Quote'"
+            rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        fi
     rlPhaseEnd
 
-
     rlPhaseStartTest "Fail first keylime agent and check second"
         rlRun "echo -e '#!/bin/bash\necho boom' > $TESTDIR_FIRST/bad-script.sh && chmod a+x $TESTDIR_FIRST/bad-script.sh"
         rlRun "$TESTDIR_FIRST/bad-script.sh"
-        rlRun "rlWaitForCmd 'tail \$(limeVerifierLogfile) | grep -q \"Agent $AGENT_ID_FIRST failed\"' -m 10 -d 1 -t 10"
-        rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST '(Failed|Invalid Quote)'"
+        rlRun "rlWaitForCmd 'tail -30 \$(limeVerifierLogfile) | grep -Eiq \"Agent.*$AGENT_ID_FIRST.*failed\"' -m 30 -d 2 -t 60"
         rlAssertGrep "WARNING - File not found in allowlist: $TESTDIR_FIRST/bad-script.sh" $(limeVerifierLogfile)
-        rlAssertGrep "WARNING - Agent $AGENT_ID_FIRST failed, stopping polling" $(limeVerifierLogfile)
-        #check status of first agent
-        rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_FIRST 'FAIL'"
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'PASS'"
+        else
+            rlRun "limeWaitForAgentStatus $AGENT_ID_FIRST '(Failed|Invalid Quote)'"
+            rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND 'Get Quote'"
+        fi
     rlPhaseEnd
 
     rlPhaseStartTest "Fail second keylime agent"
         rlRun "echo -e '#!/bin/bash\necho boom' > $TESTDIR_SECOND/bad-script.sh && chmod a+x $TESTDIR_SECOND/bad-script.sh"
         rlRun "$TESTDIR_SECOND/bad-script.sh"
-        rlRun "rlWaitForCmd 'tail \$(limeVerifierLogfile) | grep -q \"Agent $AGENT_ID_SECOND failed\"' -m 10 -d 1 -t 10"
-        rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND '(Failed|Invalid Quote)'"
+        rlRun "rlWaitForCmd 'tail -30 \$(limeVerifierLogfile) | grep -Eiq \"Agent.*$AGENT_ID_SECOND.*failed\"' -m 30 -d 2 -t 60"
         rlAssertGrep "WARNING - File not found in allowlist: $TESTDIR_SECOND/bad-script.sh" $(limeVerifierLogfile)
-        rlAssertGrep "WARNING - Agent $AGENT_ID_SECOND failed, stopping polling" $(limeVerifierLogfile)
+        if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+            rlRun "limeWaitForAgentStatus --field attestation_status $AGENT_ID_SECOND 'FAIL'"
+        else
+            rlRun "limeWaitForAgentStatus $AGENT_ID_SECOND '(Failed|Invalid Quote)'"
+        fi
     rlPhaseEnd
 
     rlPhaseStartCleanup "Do the keylime cleanup"