test_create_runtime_policy: Add tests for algorithm priority

Add test cases to verify that the used digest algorithm follow the expected priority depending on the source from where it was obtained Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
ansasaki · Sep 23, 2024 · 943b295 · 943b295
1 parent 7428263
commit 943b295
Show file tree

Hide file tree

Showing 14 changed files with 112 additions and 0 deletions.
diff --git a/test/data/create-runtime-policy/allowlist-sha1 b/test/data/create-runtime-policy/allowlist-sha1
@@ -0,0 +1 @@
+009b0d8ee8fb8d890fa70f9c8e02b3f1eded1509  data
diff --git a/test/data/create-runtime-policy/allowlist-sha256 b/test/data/create-runtime-policy/allowlist-sha256
@@ -0,0 +1 @@
+96d7fae8adb7286a419a88f78c13d35fb782d63df654b7db56f154765698b754  data
diff --git a/test/data/create-runtime-policy/allowlist-sha384 b/test/data/create-runtime-policy/allowlist-sha384
@@ -0,0 +1 @@
+20393b3e109c55b3128ba761bab1c555d8f39afe118eb1a29929ba8e017e8b2cdfc805c304e10d280604a829145ba6f0  data
diff --git a/test/data/create-runtime-policy/allowlist-sha512 b/test/data/create-runtime-policy/allowlist-sha512
@@ -0,0 +1 @@
+4fb914b8ed30ff69c65551573ce096aaf0c3507896cce44868d7a7e553891043c68a3889f3fc8056ef8c6bc3a54a9db83cd8112928ad51c5cd9e1a4ef332de53  data
diff --git a/test/data/create-runtime-policy/ima-log-sha1 b/test/data/create-runtime-policy/ima-log-sha1
@@ -0,0 +1,2 @@
+10 0000000000000000000000000000000000000000 ima-ng sha1:0000000000000000000000000000000000000000 boot_aggregate
+10 edcfbc3299860219161af60b266f8e2fa1fbd0c0 ima-ng sha1:009b0d8ee8fb8d890fa70f9c8e02b3f1eded1509 /data
diff --git a/test/data/create-runtime-policy/ima-log-sha256 b/test/data/create-runtime-policy/ima-log-sha256
@@ -0,0 +1,2 @@
+10 6309e2c83b7814367bb3912a55e5473454623535 ima-ng sha256:f4845392eca429a4c941a6a07fc32faf843a88c5c3dfa3b9329ab8f4171d9ce3 boot_aggregate
+10 80255d9c7dad91ef5f21b18560a47642d6f4d653 ima-ng sha256:96d7fae8adb7286a419a88f78c13d35fb782d63df654b7db56f154765698b754 /data
diff --git a/test/data/create-runtime-policy/ima-log-sha384 b/test/data/create-runtime-policy/ima-log-sha384
@@ -0,0 +1,2 @@
+10 0000000000000000000000000000000000000000 ima-ng sha384:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 boot_aggregate
+10 75c0136ea25f6ef9ad3e029fc5ffde6a4d293a07 ima-ng sha384:20393b3e109c55b3128ba761bab1c555d8f39afe118eb1a29929ba8e017e8b2cdfc805c304e10d280604a829145ba6f0 /data
diff --git a/test/data/create-runtime-policy/ima-log-sha512 b/test/data/create-runtime-policy/ima-log-sha512
@@ -0,0 +1,2 @@
+10 0000000000000000000000000000000000000000 ima-ng sha512:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 boot_aggregate
+10 edc4bec94ffdeb86c4062d9841b41da5c94c7a5d ima-ng sha512:4fb914b8ed30ff69c65551573ce096aaf0c3507896cce44868d7a7e553891043c68a3889f3fc8056ef8c6bc3a54a9db83cd8112928ad51c5cd9e1a4ef332de53 /data
diff --git a/test/data/create-runtime-policy/policy-sha1 b/test/data/create-runtime-policy/policy-sha1
@@ -0,0 +1 @@
+{"meta": {"version": 1, "generator": 3, "timestamp": "2024-09-12 13:44:44.298873"}, "release": 0, "digests": {"/base_policy_data": ["b261df1756a43b2d35c8ca13389c026840961d36"]}, "excludes": [], "keyrings": {}, "ima": {"ignored_keyrings": [], "log_hash_alg": "sha1", "dm_policy": null}, "ima-buf": {}, "verification-keys": ""}
diff --git a/test/data/create-runtime-policy/policy-sha256 b/test/data/create-runtime-policy/policy-sha256
@@ -0,0 +1 @@
+{"meta": {"version": 1, "generator": 3, "timestamp": "2024-09-12 13:44:44.797331"}, "release": 0, "digests": {"/base_policy_data": ["35f6036dcbb4d819a90cc3282659754ab1a225e60f593a209c27b80174ba3180"]}, "excludes": [], "keyrings": {}, "ima": {"ignored_keyrings": [], "log_hash_alg": "sha1", "dm_policy": null}, "ima-buf": {}, "verification-keys": ""}
diff --git a/test/data/create-runtime-policy/policy-sha384 b/test/data/create-runtime-policy/policy-sha384
@@ -0,0 +1 @@
+{"meta": {"version": 1, "generator": 3, "timestamp": "2024-09-12 13:44:45.296199"}, "release": 0, "digests": {"/base_policy_data": ["407272428a6bda6a8a0e450b4ccfe3ba52a2faf5f45853692b05212aa3103d43524e03050b4ee119a0ec0a069cb5794b"]}, "excludes": [], "keyrings": {}, "ima": {"ignored_keyrings": [], "log_hash_alg": "sha1", "dm_policy": null}, "ima-buf": {}, "verification-keys": ""}
diff --git a/test/data/create-runtime-policy/policy-sha512 b/test/data/create-runtime-policy/policy-sha512
@@ -0,0 +1 @@
+{"meta": {"version": 1, "generator": 3, "timestamp": "2024-09-12 13:44:45.797865"}, "release": 0, "digests": {"/base_policy_data": ["5afaedd4458b68515747262bc32e84a3b8c70aaf299f4eeeae027b594d4e9d35850ff2838a9d075ad1d15ee3663c36a9349486b421a3b630401c817c179c6404"]}, "excludes": [], "keyrings": {}, "ima": {"ignored_keyrings": [], "log_hash_alg": "sha1", "dm_policy": null}, "ima-buf": {}, "verification-keys": ""}
diff --git a/test/data/create-runtime-policy/rootfs/rootfs_data b/test/data/create-runtime-policy/rootfs/rootfs_data
@@ -0,0 +1 @@
+some data owned by root in rootfs
diff --git a/test/test_create_runtime_policy.py b/test/test_create_runtime_policy.py
@@ -3,6 +3,7 @@
 Copyright 2024 Red Hat, Inc.
 """
 
+import argparse
 import os
 import pathlib
 import shutil
@@ -692,3 +693,97 @@ def test_rootfs_with_symbolic_links(self):
                 )
 
                 self.assertEqual(digests, case["expected_out"])
+
+    def test_digest_algorithm_priority(self):
+        """Test that the priority for the algorithm selection follows the
+        expected source order: --algo option > base policy > allowlist > ima log"""
+
+        test_cases = []
+
+        rootfs = os.path.join(HELPER_DIR, "rootfs")
+        # Prepare test cases
+        for algo in ["sha1", "sha256", "sha384", "sha512"]:
+            base_policy = os.path.join(HELPER_DIR, f"policy-{algo}")
+            allowlist = os.path.join(HELPER_DIR, f"allowlist-{algo}")
+            ima_log = os.path.join(HELPER_DIR, f"ima-log-{algo}")
+
+            # Case where the algorithm from the IMA measurement list should be
+            # kept
+            test_cases.append(
+                {
+                    "algo_opt": [],
+                    "base_policy": [],
+                    "allowlist": [],
+                    "ima_log": ["--use-ima-measurement-list", "--ima-measurement-list", ima_log],
+                    "rootfs": [],
+                    "expected_algo": f"{algo}",
+                    "expected_source": "IMA measurement list",
+                }
+            )
+
+            # Cases where the algorithm from the allowlist should be kept
+            for il in [[], ["--use-ima-measurement-list", "--ima-measurement-list", ima_log]]:
+                for rfs in [[], ["--rootfs", rootfs]]:
+                    test_cases.append(
+                        {
+                            "algo_opt": [],
+                            "base_policy": [],
+                            "allowlist": ["--allowlist", allowlist],
+                            "ima_log": il,
+                            "rootfs": rfs,
+                            "expected_algo": f"{algo}",
+                            "expected_source": "allowlist",
+                        }
+                    )
+
+                    # Cases where the algorithm from the base policy should be kept
+                    for al in [[], ["--allowlist", allowlist]]:
+                        test_cases.append(
+                            {
+                                "algo_opt": [],
+                                "base_policy": ["--base-policy", base_policy],
+                                "allowlist": al,
+                                "ima_log": il,
+                                "rootfs": rfs,
+                                "expected_algo": f"{algo}",
+                                "expected_source": "base policy",
+                            }
+                        )
+
+                        # Cases where the algorithm from the --algo option should be kept
+                        for bp in [[], ["--base-policy", base_policy]]:
+                            test_cases.append(
+                                {
+                                    "algo_opt": ["--algo", algo],
+                                    "base_policy": bp,
+                                    "allowlist": al,
+                                    "ima_log": il,
+                                    "rootfs": ["--rootfs", rootfs],
+                                    "expected_algo": f"{algo}",
+                                    "expected_source": "--algo option",
+                                }
+                            )
+
+        # Create an argument parser
+        parent_parser = argparse.ArgumentParser(add_help=False)
+        main_parser = argparse.ArgumentParser()
+        subparser = main_parser.add_subparsers(title="actions")
+        parser = create_runtime_policy.get_arg_parser(subparser, parent_parser)
+
+        for case in test_cases:
+            cli_args = []
+            # Prepare argument input
+            for k in ["algo_opt", "base_policy", "allowlist", "ima_log", "rootfs"]:
+                cli_args.extend(case.get(k, []))
+
+            args = parser.parse_args(cli_args)
+            expected_algo = case["expected_algo"]
+            expected_source = case["expected_source"]
+
+            with self.assertLogs("policy.create_runtime_policy", level="DEBUG") as logs:
+                _policy = create_runtime_policy.create_runtime_policy(args)
+
+                self.assertIn(
+                    f"DEBUG:policy.create_runtime_policy:Using digest algorithm '{expected_algo}' obtained from the {expected_source}",
+                    logs.output,
+                )
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		96d7fae8adb7286a419a88f78c13d35fb782d63df654b7db56f154765698b754 data
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		20393b3e109c55b3128ba761bab1c555d8f39afe118eb1a29929ba8e017e8b2cdfc805c304e10d280604a829145ba6f0 data
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		4fb914b8ed30ff69c65551573ce096aaf0c3507896cce44868d7a7e553891043c68a3889f3fc8056ef8c6bc3a54a9db83cd8112928ad51c5cd9e1a4ef332de53 data
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		10 0000000000000000000000000000000000000000 ima-ng sha1:0000000000000000000000000000000000000000 boot_aggregate
		10 edcfbc3299860219161af60b266f8e2fa1fbd0c0 ima-ng sha1:009b0d8ee8fb8d890fa70f9c8e02b3f1eded1509 /data
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		10 6309e2c83b7814367bb3912a55e5473454623535 ima-ng sha256:f4845392eca429a4c941a6a07fc32faf843a88c5c3dfa3b9329ab8f4171d9ce3 boot_aggregate
		10 80255d9c7dad91ef5f21b18560a47642d6f4d653 ima-ng sha256:96d7fae8adb7286a419a88f78c13d35fb782d63df654b7db56f154765698b754 /data
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		10 0000000000000000000000000000000000000000 ima-ng sha384:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 boot_aggregate
		10 75c0136ea25f6ef9ad3e029fc5ffde6a4d293a07 ima-ng sha384:20393b3e109c55b3128ba761bab1c555d8f39afe118eb1a29929ba8e017e8b2cdfc805c304e10d280604a829145ba6f0 /data
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		10 0000000000000000000000000000000000000000 ima-ng sha512:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 boot_aggregate
		10 edc4bec94ffdeb86c4062d9841b41da5c94c7a5d ima-ng sha512:4fb914b8ed30ff69c65551573ce096aaf0c3507896cce44868d7a7e553891043c68a3889f3fc8056ef8c6bc3a54a9db83cd8112928ad51c5cd9e1a4ef332de53 /data
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"meta": {"version": 1, "generator": 3, "timestamp": "2024-09-12 13:44:44.298873"}, "release": 0, "digests": {"/base_policy_data": ["b261df1756a43b2d35c8ca13389c026840961d36"]}, "excludes": [], "keyrings": {}, "ima": {"ignored_keyrings": [], "log_hash_alg": "sha1", "dm_policy": null}, "ima-buf": {}, "verification-keys": ""}