diff --git a/test/data/create-runtime-policy/allowlist-sha1 b/test/data/create-runtime-policy/allowlist-sha1
new file mode 100644
index 000000000..ab7640ca0
--- /dev/null
+++ b/test/data/create-runtime-policy/allowlist-sha1
@@ -0,0 +1 @@
+009b0d8ee8fb8d890fa70f9c8e02b3f1eded1509 data
diff --git a/test/data/create-runtime-policy/allowlist-sha256 b/test/data/create-runtime-policy/allowlist-sha256
new file mode 100644
index 000000000..c757b4838
--- /dev/null
+++ b/test/data/create-runtime-policy/allowlist-sha256
@@ -0,0 +1 @@
+96d7fae8adb7286a419a88f78c13d35fb782d63df654b7db56f154765698b754 data
diff --git a/test/data/create-runtime-policy/allowlist-sha384 b/test/data/create-runtime-policy/allowlist-sha384
new file mode 100644
index 000000000..ea64b3c44
--- /dev/null
+++ b/test/data/create-runtime-policy/allowlist-sha384
@@ -0,0 +1 @@
+20393b3e109c55b3128ba761bab1c555d8f39afe118eb1a29929ba8e017e8b2cdfc805c304e10d280604a829145ba6f0 data
diff --git a/test/data/create-runtime-policy/allowlist-sha512 b/test/data/create-runtime-policy/allowlist-sha512
new file mode 100644
index 000000000..3be6c5cbc
--- /dev/null
+++ b/test/data/create-runtime-policy/allowlist-sha512
@@ -0,0 +1 @@
+4fb914b8ed30ff69c65551573ce096aaf0c3507896cce44868d7a7e553891043c68a3889f3fc8056ef8c6bc3a54a9db83cd8112928ad51c5cd9e1a4ef332de53 data
diff --git a/test/data/create-runtime-policy/ima-log-sha1 b/test/data/create-runtime-policy/ima-log-sha1
new file mode 100644
index 000000000..3c9acc095
--- /dev/null
+++ b/test/data/create-runtime-policy/ima-log-sha1
@@ -0,0 +1,2 @@
+10 0000000000000000000000000000000000000000 ima-ng sha1:0000000000000000000000000000000000000000 boot_aggregate
+10 edcfbc3299860219161af60b266f8e2fa1fbd0c0 ima-ng sha1:009b0d8ee8fb8d890fa70f9c8e02b3f1eded1509 /data
diff --git a/test/data/create-runtime-policy/ima-log-sha256 b/test/data/create-runtime-policy/ima-log-sha256
new file mode 100644
index 000000000..1a313c314
--- /dev/null
+++ b/test/data/create-runtime-policy/ima-log-sha256
@@ -0,0 +1,2 @@
+10 6309e2c83b7814367bb3912a55e5473454623535 ima-ng sha256:f4845392eca429a4c941a6a07fc32faf843a88c5c3dfa3b9329ab8f4171d9ce3 boot_aggregate
+10 80255d9c7dad91ef5f21b18560a47642d6f4d653 ima-ng sha256:96d7fae8adb7286a419a88f78c13d35fb782d63df654b7db56f154765698b754 /data
diff --git a/test/data/create-runtime-policy/ima-log-sha384 b/test/data/create-runtime-policy/ima-log-sha384
new file mode 100644
index 000000000..bbdd48a7d
--- /dev/null
+++ b/test/data/create-runtime-policy/ima-log-sha384
@@ -0,0 +1,2 @@
+10 0000000000000000000000000000000000000000 ima-ng sha384:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 boot_aggregate
+10 75c0136ea25f6ef9ad3e029fc5ffde6a4d293a07 ima-ng sha384:20393b3e109c55b3128ba761bab1c555d8f39afe118eb1a29929ba8e017e8b2cdfc805c304e10d280604a829145ba6f0 /data
diff --git a/test/data/create-runtime-policy/ima-log-sha512 b/test/data/create-runtime-policy/ima-log-sha512
new file mode 100644
index 000000000..7f1df7bc1
--- /dev/null
+++ b/test/data/create-runtime-policy/ima-log-sha512
@@ -0,0 +1,2 @@
+10 0000000000000000000000000000000000000000 ima-ng sha512:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 boot_aggregate
+10 edc4bec94ffdeb86c4062d9841b41da5c94c7a5d ima-ng sha512:4fb914b8ed30ff69c65551573ce096aaf0c3507896cce44868d7a7e553891043c68a3889f3fc8056ef8c6bc3a54a9db83cd8112928ad51c5cd9e1a4ef332de53 /data
diff --git a/test/data/create-runtime-policy/policy-sha1 b/test/data/create-runtime-policy/policy-sha1
new file mode 100644
index 000000000..b40d7148c
--- /dev/null
+++ b/test/data/create-runtime-policy/policy-sha1
@@ -0,0 +1 @@
+{"meta": {"version": 1, "generator": 3, "timestamp": "2024-09-12 13:44:44.298873"}, "release": 0, "digests": {"/base_policy_data": ["b261df1756a43b2d35c8ca13389c026840961d36"]}, "excludes": [], "keyrings": {}, "ima": {"ignored_keyrings": [], "log_hash_alg": "sha1", "dm_policy": null}, "ima-buf": {}, "verification-keys": ""}
diff --git a/test/data/create-runtime-policy/policy-sha256 b/test/data/create-runtime-policy/policy-sha256
new file mode 100644
index 000000000..5637c6a17
--- /dev/null
+++ b/test/data/create-runtime-policy/policy-sha256
@@ -0,0 +1 @@
+{"meta": {"version": 1, "generator": 3, "timestamp": "2024-09-12 13:44:44.797331"}, "release": 0, "digests": {"/base_policy_data": ["35f6036dcbb4d819a90cc3282659754ab1a225e60f593a209c27b80174ba3180"]}, "excludes": [], "keyrings": {}, "ima": {"ignored_keyrings": [], "log_hash_alg": "sha1", "dm_policy": null}, "ima-buf": {}, "verification-keys": ""}
diff --git a/test/data/create-runtime-policy/policy-sha384 b/test/data/create-runtime-policy/policy-sha384
new file mode 100644
index 000000000..3ea871844
--- /dev/null
+++ b/test/data/create-runtime-policy/policy-sha384
@@ -0,0 +1 @@
+{"meta": {"version": 1, "generator": 3, "timestamp": "2024-09-12 13:44:45.296199"}, "release": 0, "digests": {"/base_policy_data": ["407272428a6bda6a8a0e450b4ccfe3ba52a2faf5f45853692b05212aa3103d43524e03050b4ee119a0ec0a069cb5794b"]}, "excludes": [], "keyrings": {}, "ima": {"ignored_keyrings": [], "log_hash_alg": "sha1", "dm_policy": null}, "ima-buf": {}, "verification-keys": ""}
diff --git a/test/data/create-runtime-policy/policy-sha512 b/test/data/create-runtime-policy/policy-sha512
new file mode 100644
index 000000000..486157391
--- /dev/null
+++ b/test/data/create-runtime-policy/policy-sha512
@@ -0,0 +1 @@
+{"meta": {"version": 1, "generator": 3, "timestamp": "2024-09-12 13:44:45.797865"}, "release": 0, "digests": {"/base_policy_data": ["5afaedd4458b68515747262bc32e84a3b8c70aaf299f4eeeae027b594d4e9d35850ff2838a9d075ad1d15ee3663c36a9349486b421a3b630401c817c179c6404"]}, "excludes": [], "keyrings": {}, "ima": {"ignored_keyrings": [], "log_hash_alg": "sha1", "dm_policy": null}, "ima-buf": {}, "verification-keys": ""}
diff --git a/test/data/create-runtime-policy/rootfs/rootfs_data b/test/data/create-runtime-policy/rootfs/rootfs_data
new file mode 100644
index 000000000..6764395dd
--- /dev/null
+++ b/test/data/create-runtime-policy/rootfs/rootfs_data
@@ -0,0 +1 @@
+some data owned by root in rootfs
diff --git a/test/test_create_runtime_policy.py b/test/test_create_runtime_policy.py
index bc821393f..d9bc1c9d8 100644
--- a/test/test_create_runtime_policy.py
+++ b/test/test_create_runtime_policy.py
@@ -3,6 +3,7 @@
 Copyright 2024 Red Hat, Inc.
 """
+import argparse
 import os
 import pathlib
 import shutil
@@ -692,3 +693,97 @@ def test_rootfs_with_symbolic_links(self):
 )
 self.assertEqual(digests, case["expected_out"])
+
+ def test_digest_algorithm_priority(self):
+ """Test that the priority for the algorithm selection follows the
+ expected source order: --algo option > base policy > allowlist > ima log"""
+
+ test_cases = []
+
+ rootfs = os.path.join(HELPER_DIR, "rootfs")
+ # Prepare test cases
+ for algo in ["sha1", "sha256", "sha384", "sha512"]:
+ base_policy = os.path.join(HELPER_DIR, f"policy-{algo}")
+ allowlist = os.path.join(HELPER_DIR, f"allowlist-{algo}")
+ ima_log = os.path.join(HELPER_DIR, f"ima-log-{algo}")
+
+ # Case where the algorithm from the IMA measurement list should be
+ # kept
+ test_cases.append(
+ {
+ "algo_opt": [],
+ "base_policy": [],
+ "allowlist": [],
+ "ima_log": ["--use-ima-measurement-list", "--ima-measurement-list", ima_log],
+ "rootfs": [],
+ "expected_algo": f"{algo}",
+ "expected_source": "IMA measurement list",
+ }
+ )
+
+ # Cases where the algorithm from the allowlist should be kept
+ for il in [[], ["--use-ima-measurement-list", "--ima-measurement-list", ima_log]]:
+ for rfs in [[], ["--rootfs", rootfs]]:
+ test_cases.append(
+ {
+ "algo_opt": [],
+ "base_policy": [],
+ "allowlist": ["--allowlist", allowlist],
+ "ima_log": il,
+ "rootfs": rfs,
+ "expected_algo": f"{algo}",
+ "expected_source": "allowlist",
+ }
+ )
+
+ # Cases where the algorithm from the base policy should be kept
+ for al in [[], ["--allowlist", allowlist]]:
+ test_cases.append(
+ {
+ "algo_opt": [],
+ "base_policy": ["--base-policy", base_policy],
+ "allowlist": al,
+ "ima_log": il,
+ "rootfs": rfs,
+ "expected_algo": f"{algo}",
+ "expected_source": "base policy",
+ }
+ )
+
+ # Cases where the algorithm from the --algo option should be kept
+ for bp in [[], ["--base-policy", base_policy]]:
+ test_cases.append(
+ {
+ "algo_opt": ["--algo", algo],
+ "base_policy": bp,
+ "allowlist": al,
+ "ima_log": il,
+ "rootfs": ["--rootfs", rootfs],
+ "expected_algo": 
f"{algo}",
+ "expected_source": "--algo option",
+ }
+ )
+
+ # Create an argument parser
+ parent_parser = argparse.ArgumentParser(add_help=False)
+ main_parser = argparse.ArgumentParser()
+ subparser = main_parser.add_subparsers(title="actions")
+ parser = create_runtime_policy.get_arg_parser(subparser, parent_parser)
+
+ for case in test_cases:
+ cli_args = []
+ # Prepare argument input
+ for k in ["algo_opt", "base_policy", "allowlist", "ima_log", "rootfs"]:
+ cli_args.extend(case.get(k, []))
+
+ args = parser.parse_args(cli_args)
+ expected_algo = case["expected_algo"]
+ expected_source = case["expected_source"]
+
+ with self.assertLogs("policy.create_runtime_policy", level="DEBUG") as logs:
+ _policy = create_runtime_policy.create_runtime_policy(args)
+
+ self.assertIn(
+ f"DEBUG:policy.create_runtime_policy:Using digest algorithm '{expected_algo}' obtained from the {expected_source}",
+ logs.output,
+ )
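Review bot: The `for al` and `for bp` case builders in test_digest_algorithm_priority read `il` and `rfs`, but with the indentation lost in this rendering it is not clear whether they sit inside the `for rfs` loop or after it; if they follow it, they only ever see the last values of `il`/`rfs` (IMA log and rootfs both given), and the base-policy and --algo cases never exercise the no-IMA-log/no-rootfs combinations the docstring implies. The test's only oracle is an exact DEBUG string matched against `logs.output`, so a reworded log line breaks it while a policy built with the wrong digest algorithm still passes as long as the message claims otherwise; if the returned `_policy` has the shape of the `policy-*` fixtures (a `digests` mapping of path to hex digest lists), also asserting that every digest has `2 * hashlib.new(expected_algo).digest_size` characters would pin the behaviour rather than the message (`hashlib` is not among the imports visible here). `cli_args.extend(case.get(k, []))` silently tolerates a missing key even though every case dict defines all five; `cli_args.extend(case[k])` fails loudly on a typo. `"expected_algo": f"{algo}"` is just `algo`.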