From 440bb06b70470a0ac814e6af6830ebfc931764b0 Mon Sep 17 00:00:00 2001
From: busaboy1340 <43374066+busaboy1340@users.noreply.github.com>
Date: Fri, 19 Jul 2019 05:50:26 -0400
Subject: [PATCH] Create initial system test for Base/Delta Platform Certificates (#170)
* Add creation of bad base platform certificate.
* Adding Base Certificate system test.
* Adding Base Certificate system test.
* Adding Base Certificate system test.
* Adding Base Certificate system test.
* Updated script to add faulty components to bad base certificate.
* Updated addFaultyComponents script.
* Add Base/Delta system tests to .travis.yml
* Disable unit tests to decrease CI time.
* Cleaned up code.
* Cleaned up code.
* Delete system_test_Driver.py
---
 .ci/docker/docker-compose-tpm2-base-delta.yml | 57 ++++
 .ci/setup/addFaultyComponents.py | 28 ++
 .ci/setup/setup-tpm2provisioner-base-delta.sh | 157 ++++++++++
 .ci/setup/setup-tpm2provisioner.sh | 8 +-
 .../run-system-tests-tpm2-base-delta.sh | 64 +++++
 .ci/system-tests/system_test.py | 268 ++++++++++++------
 .ci/system-tests/system_test_core.py | 8 +-
 .../systems-test-centos7-tpm2-base-delta.sh | 14 +
 .ci/system-tests/systems-test-centos7-tpm2.sh | 2 +-
 .travis.yml | 11 +-
 10 files changed, 521 insertions(+), 96 deletions(-)
 create mode 100644 .ci/docker/docker-compose-tpm2-base-delta.yml
 create mode 100644 .ci/setup/addFaultyComponents.py
 create mode 100755 .ci/setup/setup-tpm2provisioner-base-delta.sh
 create mode 100755 .ci/system-tests/run-system-tests-tpm2-base-delta.sh
 create mode 100755 .ci/system-tests/systems-test-centos7-tpm2-base-delta.sh
diff --git a/.ci/docker/docker-compose-tpm2-base-delta.yml b/.ci/docker/docker-compose-tpm2-base-delta.yml
new file mode 100644
index 00000000..fa4ee8d6
--- /dev/null
+++ b/.ci/docker/docker-compose-tpm2-base-delta.yml
@@ -0,0 +1,57 @@
+---
+# Run YAML Lint to verify this file prior to check-in.
+
+version: "3.1"
+
+services:
+ aca:
+ image: hirs/hirs-ci:aca
+ container_name: hirs-aca
+ volumes:
+ - ../../:/HIRS
+ ports:
+ - "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}"
+ entrypoint: /bin/bash -c
+ command: [HIRS/.ci/setup/setup-aca.sh]
+ hostname: ${HIRS_ACA_HOSTNAME}
+ networks:
+ hirs_aca_system_tests:
+ ipv4_address: ${HIRS_ACA_PORTAL_IP}
+ aliases:
+ - ${HIRS_ACA_HOSTNAME}
+
+ tpm2provisioner:
+ image: hirs/hirs-ci:tpm2provisioner
+ container_name: hirs-aca-provisioner-tpm2
+ depends_on:
+ - aca
+ volumes:
+ - ../../:/HIRS
+ entrypoint: /bin/bash -c
+ command: [HIRS/.ci/setup/setup-tpm2provisioner-base-delta.sh;
+ HIRS/.ci/system-tests/systems-test-centos7-tpm2-base-delta.sh]
+ devices:
+ - "/dev/mem:/dev/mem"
+ cap_add:
+ - sys_rawio
+ networks:
+ hirs_aca_system_tests:
+ ipv4_address: ${HIRS_ACA_PROVISIONER_TPM2_IP}
+ environment:
+ - HIRS_ACA_PROVISIONER_TPM2_IP=${HIRS_ACA_PROVISIONER_TPM2_IP}
+ - TPM_ENABLED=${TPM_ENABLED}
+ - IMA_ENABLED=${IMA_ENABLED}
+ - HIRS_ACA_PORTAL_IP=${HIRS_ACA_PORTAL_IP}
+ - HIRS_ACA_PORTAL_PORT=${HIRS_ACA_PORTAL_PORT}
+ - HIRS_BROKER_PORT=${HIRS_BROKER_PORT}
+ - HIRS_ACA_PORTAL_CONTAINER_PORT=${HIRS_ACA_PORTAL_CONTAINER_PORT}
+ - HIRS_ACA_HOSTNAME=${HIRS_ACA_HOSTNAME}
+ - HIRS_SUBNET=${HIRS_SUBNET}
+
+networks:
+ hirs_aca_system_tests:
+ driver: bridge
+ ipam:
+ driver: default
+ config:
+ - subnet: ${HIRS_SUBNET}
diff --git a/.ci/setup/addFaultyComponents.py b/.ci/setup/addFaultyComponents.py
new file mode 100644
index 00000000..e852dabe
--- /dev/null
+++ b/.ci/setup/addFaultyComponents.py
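Review bot: The two scripts in the tpm2provisioner `command:` are joined with `;`, so when setup-tpm2provisioner-base-delta.sh exits non-zero (it runs under `set -e`) the system-test script still runs against a half-initialized emulator and the container's exit code reflects only the test script, which is what run-system-tests-tpm2-base-delta.sh later inspects. Joining them with `&&` and quoting the element keeps the flow sequence valid YAML and makes a setup failure fail the container: `command: ["HIRS/.ci/setup/setup-tpm2provisioner-base-delta.sh && HIRS/.ci/system-tests/systems-test-centos7-tpm2-base-delta.sh"]`. The `/dev/mem` device and `sys_rawio` capability are unusual grants for a CI container; a one-line comment above `devices:` saying which provisioner step needs them (presumably the emulated TPM access) would stop the next reader from dropping or cargo-culting them.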
@@ -0,0 +1,28 @@
+# Add faulty components to the PACCOR generated JSON componentsFile.
+# This will be used to create a bad platform certificate.
+# Will not need this once PACCOR supports generation of faulty components.
+
+import json
+
+print("Adding Faulty components...")
+
+try:
+ nicComponent = '00090002'
+ pc_dir = '/var/hirs/pc_generation/'
+
+ with open(pc_dir + "componentsFile", "r") as f:
+
+ data = json.load(f)
+ print(data)
+ components = data['COMPONENTS']
+ for component in components:
+ if component['COMPONENTCLASS']['COMPONENTCLASSVALUE'] == nicComponent:
+ print("Creating FAULTY component for: " + component['MODEL'])
+ component['MODEL'] += "-FAULTY"
+ print("New JSON value: " + component['MODEL'])
+
+ with open(pc_dir + "badComponentsFile", 'w') as outfile:
+ json.dump(data, outfile)
+
+except Exception:
+ print("=== ERROR generating badComponentsFile ===")
diff --git a/.ci/setup/setup-tpm2provisioner-base-delta.sh b/.ci/setup/setup-tpm2provisioner-base-delta.sh
new file mode 100755
index 00000000..692a02fc
--- /dev/null
+++ b/.ci/setup/setup-tpm2provisioner-base-delta.sh
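Review bot: The trailing `except Exception:` prints a message and lets the script exit 0, so under the caller's `set -e` a missing or malformed componentsFile, or an absent `COMPONENTS`/`COMPONENTCLASS` key, is not caught here and only surfaces when the later `observer -c $PC_DIR/badComponentsFile` step fails with a less useful error. The loop also never checks that any component matched class `00090002` (`nicComponent`); if none does, badComponentsFile is byte-identical to componentsFile, the "bad" certificate is in fact valid, and a negative test built on it would pass for the wrong reason. Re-raising after the message and counting the modified components addresses both; `print(data)` can go, since the shell script already cats both files.
```python
    modified = 0
    for component in components:
        if component['COMPONENTCLASS']['COMPONENTCLASSVALUE'] == nicComponent:
            print("Creating FAULTY component for: " + component['MODEL'])
            component['MODEL'] += "-FAULTY"
            print("New JSON value: " + component['MODEL'])
            modified += 1
    if modified == 0:
        raise RuntimeError("no component with class " + nicComponent + " found in componentsFile")
    # ... unchanged: json.dump(data, outfile) into badComponentsFile ...
except Exception:
    print("=== ERROR generating badComponentsFile ===")
    raise
```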
@@ -0,0 +1,157 @@
+#!/bin/bash
+
+# Script to setup the TPM2 Provisioner Docker Image for Integration Tests
+set -e
+
+# Wait for ACA to boot
+echo "Waiting for ACA to spin up..."
+until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
+ :
+done
+echo "ACA is up!"
+
+# Function to install TPM2 Provisioner packages.
+function InstallProvisioner {
+ echo "===========Installing TPM2 Provisioner Packages...==========="
+
+ pushd /HIRS
+ if [ ! -d package/rpm/RPMS ]; then
+ ./package/package.centos.sh
+ fi
+ yum install -y package/rpm/RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.el7.x86_64.rpm
+ popd
+}
+
+# Function to initialize the TPM2 Emulator with a bad base certificate
+function InitTpm2Emulator {
+ echo "===========Initializing TPM2 Emulator with bad base certificate...==========="
+
+ mkdir -p /var/run/dbus
+ if [ -e /var/run/dbus/pid ]; then
+ rm /var/run/dbus/pid
+ fi
+
+ if [ -e /var/run/dbus/system_bus_socket ]; then
+ rm /var/run/dbus/system_bus_socket
+ fi
+
+ # Start the DBus
+ dbus-daemon --fork --system
+ echo "DBus started"
+
+ # Give DBus time to start up
+ sleep 5
+
+ /ibmtpm/src/./tpm_server &
+ echo "TPM Emulator started"
+
+ tpm2-abrmd -t socket &
+ echo "TPM2-Abrmd started"
+
+ # Give ABRMD time to start and register on the DBus
+ sleep 5
+
+ # EK and PC Certificate
+ ek_cert_der="/HIRS/.ci/setup/certs/ek_cert.der"
+ platform_cert="badPlatformCertificate.der"
+
+ echo "Creating Bad Base Platform Cert..."
+ PC_DIR=/var/hirs/pc_generation
+ mkdir -p $PC_DIR
+ /opt/paccor/scripts/allcomponents.sh > $PC_DIR/componentsFile
+ echo
+ echo "PACCOR generated components file:"
+ cat $PC_DIR/componentsFile
+
+ #Add bad components and create badComponentsFile used below
+ python /HIRS/.ci/setup/addFaultyComponents.py
+ /opt/paccor/scripts/referenceoptions.sh > $PC_DIR/optionsFile
+ /opt/paccor/scripts/otherextensions.sh > $PC_DIR/extensionsFile
+ /opt/paccor/bin/observer -c $PC_DIR/badComponentsFile -p $PC_DIR/optionsFile -e $ek_cert_der -f $PC_DIR/observerFile
+ /opt/paccor/bin/signer -o $PC_DIR/observerFile -x $PC_DIR/extensionsFile -b 20180101 -a 20280101 -N $RANDOM -k /HIRS/.ci/setup/certs/ca.key -P /HIRS/.ci/setup/certs/ca.crt -f $PC_DIR/$platform_cert
+
+ echo
+ echo "Generated bad components file:"
+ cat $PC_DIR/badComponentsFile
+
+ if tpm2_nvlist | grep -q 0x1c00002; then
+ echo "Released NVRAM for EK."
+ tpm2_nvrelease -x 0x1c00002 -a 0x40000001
+ fi
+
+ # Define nvram space to enable loading of EK cert (-x NV Index, -a handle to
+ # authorize [0x40000001 = ownerAuth handle], -s size [defaults to 2048], -t
+ # specifies attribute value in publicInfo struct
+ # [0x2000A = ownerread|ownerwrite|policywrite])
+ size=$(cat $ek_cert_der | wc -c)
+ echo "Define NVRAM location for EK cert of size $size."
+ tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size
+
+ # Load key into TPM nvram
+ echo "Loading EK cert $ek_cert_der into NVRAM."
+ tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert_der
+
+ if tpm2_nvlist | grep -q 0x1c90000; then
+ echo "Released NVRAM for PC."
+ tpm2_nvrelease -x 0x1c90000 -a 0x40000001
+ fi
+
+ # Store the platform certificate in the TPM's NVRAM
+ size=$(cat $PC_DIR/$platform_cert | wc -c)
+ echo "Define NVRAM location for PC cert of size $size."
+ tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $size
+
+ echo "Loading PC cert $PC_DIR/$platform_cert into NVRAM."
+ tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$platform_cert
+
+ echo "===========TPM2 Emulator Initialization Complete!==========="
+
+ # Set Logging to INFO Level
+ sed -i "s/WARN/INFO/" /etc/hirs/TPM2_Provisioner/log4cplus_config.ini
+}
+
+# Function to update the hirs-site.config file
+function UpdateHirsSiteConfigFile {
+ HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config"
+
+ echo ""
+ echo "===========Updating ${HIRS_SITE_CONFIG}, using values from /HIRS/.ci/docker/.env file...==========="
+ cat /HIRS/.ci/docker/.env
+
+ cat < $HIRS_SITE_CONFIG
+#*******************************************
+#* HIRS site configuration properties file
+#*******************************************
+CLIENT_HOSTNAME=${HIRS_ACA_PROVISIONER_TPM2_IP}
+TPM_ENABLED=${TPM_ENABLED}
+IMA_ENABLED=${IMA_ENABLED}
+
+# Site-specific configuration
+ATTESTATION_CA_FQDN=${HIRS_ACA_HOSTNAME}
+ATTESTATION_CA_PORT=${HIRS_ACA_PORTAL_PORT}
+BROKER_FQDN=${HIRS_ACA_PORTAL_IP}
+BROKER_PORT=${HIRS_BROKER_PORT}
+PORTAL_FQDN=${HIRS_ACA_PORTAL_IP}
+PORTAL_PORT=${HIRS_ACA_PORTAL_PORT}
+
+DEFAULT_SITE_CONFIG_FILE
+
+ echo "===========New HIRS Config File==========="
+ cat /etc/hirs/hirs-site.config
+}
+
+# Install packages
+InstallProvisioner
+
+# Install TPM2 Emulator
+InitTpm2Emulator
+
+# Update the hirs-site.config file
+UpdateHirsSiteConfigFile
+
+echo ""
+echo "TPM2 Emulator NV RAM list"
+tpm2_nvlist
+
+echo ""
+echo "===========HIRS ACA TPM2 Provisioner Setup Complete!==========="
diff --git a/.ci/setup/setup-tpm2provisioner.sh b/.ci/setup/setup-tpm2provisioner.sh
index 72032459..5b214881 100755
--- a/.ci/setup/setup-tpm2provisioner.sh
+++ b/.ci/setup/setup-tpm2provisioner.sh
@@ -78,7 +78,7 @@ function InitTpm2Emulator {
 tpm2_nvdefine -x 0x1c00002 -a 0x40000001 -t 0x2000A -s $size
 # Load key into TPM nvram
- echo "Loading EK cert into NVRAM."
+ echo "Loading EK cert $ek_cert_der into NVRAM."
 tpm2_nvwrite -x 0x1c00002 -a 0x40000001 $ek_cert_der
 if tpm2_nvlist | grep -q 0x1c90000; then
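Review bot: The ACA wait loop at the top of the file, `until [ "`curl ...`" != "" ]; do : ; done`, busy-spins with no delay and no upper bound, so an ACA that never comes up keeps this container and the Travis job alive until the CI timeout while burning a core; `do sleep 1; done` plus a bounded retry count that exits non-zero (the script already runs under `set -e`) fails fast and makes the failure attributable. In UpdateHirsSiteConfigFile, `cat < $HIRS_SITE_CONFIG` reads as a heredoc whose `<<DEFAULT_SITE_CONFIG_FILE >` redirection was lost in this rendering (the `DEFAULT_SITE_CONFIG_FILE` terminator is still present below it); if the committed file really reads that way, the config is never written, so worth confirming against the blob. Apart from the certificate-generation lines in InitTpm2Emulator, this file is a line-for-line copy of setup-tpm2provisioner.sh, and the two NVRAM log messages already had to be patched in both in this same commit; one script taking the components file as a parameter would stop the drift.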
@@ -91,7 +91,7 @@ function InitTpm2Emulator {
 echo "Define NVRAM location for PC cert of size $size."
 tpm2_nvdefine -x 0x1c90000 -a 0x40000001 -t 0x2000A -s $size
- echo "Loading PC cert into NVRAM."
+ echo "Loading PC cert $PC_DIR/$platform_cert into NVRAM."
 tpm2_nvwrite -x 0x1c90000 -a 0x40000001 $PC_DIR/$platform_cert
 echo "===========TPM2 Emulator Initialization Complete!==========="
@@ -139,5 +139,9 @@ InitTpm2Emulator
 # Update the hirs-site.config file
 UpdateHirsSiteConfigFile
+echo ""
+echo "TPM2 Emulator NV RAM list"
+tpm2_nvlist
+
 echo ""
 echo "===========HIRS ACA TPM2 Provisioner Setup Complete!==========="
diff --git a/.ci/system-tests/run-system-tests-tpm2-base-delta.sh b/.ci/system-tests/run-system-tests-tpm2-base-delta.sh
new file mode 100755
index 00000000..46dfc3c9
--- /dev/null
+++ b/.ci/system-tests/run-system-tests-tpm2-base-delta.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+# Script to run the System Tests for HIRS TPM 2.0 Provisioner
+
+set -e
+
+echo ""
+echo "System Tests Starting..."
+echo ""
+
+# Start System Testing Docker Environment
+cd .ci/docker
+
+docker-compose -f docker-compose-tpm2-base-delta.yml up -d
+
+tpm2_container_id="$(docker ps -aqf "name=hirs-aca-provisioner-tpm2")"
+echo "TPM2 Container ID: $tpm2_container_id"
+
+tpm2_container_status="$(docker inspect $tpm2_container_id --format='{{.State.Status}}')"
+echo "TPM2 Container Status: $tpm2_container_status"
+
+while [[ $tpm2_container_status == "running" ]]
+do
+ sleep 20
+
+ # Add status message, so Travis will not time out.
+ # It may timeout if it hasn't received output for more than 10 minutes.
+ echo "Still running tests, please wait..."
+
+ tpm2_container_status="$(docker inspect $tpm2_container_id --format='{{.State.Status}}')"
+done
+
+# Store container exit code
+tpm2_container_exit_code="$(docker inspect $tpm2_container_id --format='{{.State.ExitCode}}')"
+echo "TPM2 Container Exit Code: $tpm2_container_exit_code"
+
+# Display container log
+echo ""
+echo "===========hirs-aca-provisioner-tpm2 System Tests Log:==========="
+docker logs $tpm2_container_id
+
+echo ""
+echo "End of TPM 2.0 System Tests, cleaning up..."
+echo ""
+# Clean up services and network
+docker-compose down
+
+# Clean up dangling containers
+echo "Cleaning up dangling containers..."
+echo ""
+docker ps -a
+echo ""
+docker container prune --force
+echo ""
+
+# Return container exit code
+if [[ $tpm2_container_exit_code == 0 ]]
+then
+ echo "SUCCESS: TPM 2.0 System tests passed"
+ exit 0
+fi
+
+echo "ERROR: System tests failed"
+exit 1
diff --git a/.ci/system-tests/system_test.py b/.ci/system-tests/system_test.py
index a0d39b80..e5350662 100644
--- a/.ci/system-tests/system_test.py
+++ b/.ci/system-tests/system_test.py
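Review bot: `docker-compose down` near the end is run without the `-f docker-compose-tpm2-base-delta.yml` that `up` was given, so it resolves whatever default compose file sits in .ci/docker and can leave this project's containers and network behind; the following `docker container prune --force` then hides that, and the network is not pruned at all. Use `docker-compose -f docker-compose-tpm2-base-delta.yml down` so both commands address the same project. The id lookup `docker ps -aqf "name=hirs-aca-provisioner-tpm2"` is a substring match, so a second container whose name contains that fragment makes `tpm2_container_id` multi-line and the unquoted `docker inspect $tpm2_container_id` calls return several values; `docker ps -aqf "name=^hirs-aca-provisioner-tpm2$"` or `docker-compose -f docker-compose-tpm2-base-delta.yml ps -q tpm2provisioner` pins it to one. If this file is a copy of the existing TPM 2.0 runner with only the compose file name changed, which the file comment suggests, taking that name as a parameter would avoid a second copy of the polling and cleanup logic.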
@@ -1,6 +1,6 @@ # system_test.py - implements a group of tests that run appraisals on a client and server -# TODO: test_01-test_11 will need to be implemented when the additional HIRS +# TODO: test_01-test_11 will need to be implemented when the additional HIRS # projects are imported to the new GitHub repo. The test code is commented out for now. import binascii @@ -28,7 +28,7 @@ from system_test_core import HIRSPortal, AttestationCAPortal, collectors, \ get_all_nodes_recursively, touch_random_file_and_remove, get_random_pcr_hex_value, \ is_ubuntu_client, is_tpm2,\ DEFAULT_IMA_POLICY, DEFAULT_TPM_POLICY - + NUMBER_OF_PCRS = 24 suffix = os.environ.get('RANDOM_SYS_TEST_ID') @@ -49,8 +49,10 @@ HIRS_ATTESTATION_CA_PORTAL_URL = "https://" + \ "/HIRS_AttestationCAPortal/" TEST_LOG_FILE = os.environ.get('TEST_LOG') LOG_LEVEL = os.environ.get('LOG_LEVEL') + CA_CERT_LOCATION = "/HIRS/.ci/setup/certs/ca.crt" EK_CA_CERT_LOCATION = "/HIRS/.ci/setup/certs/ek_cert.der" +BAD_BASE_PC_CERT_LOCATION = "/var/hirs/pc_generation/badPlatformCertificate.der" USB_STORAGE_FILE_HASH = "e164c378ceb45a62642730be5eb3169a6bfc2d6d" USB_STORAGE_FILE_HASH_2 = "e164c378ceb45a62642730be5eb3169a6bfc1234" FORMAT = "%(asctime)-15s %(message)s" @@ -73,7 +75,6 @@ class SystemTest(unittest.TestCase): def setUp(self): """Set the systems tests state up for testing""" -# Portal.set_group_appraisal_wait_setting() AcaPortal.disable_supply_chain_validations() def tearDown(self): @@ -87,7 +88,7 @@ class SystemTest(unittest.TestCase): # result = run_hirs_report(CLIENT) # self.assertTrue(result) # self.assertEqual(0, Portal.get_alert_count_from_latest_report()) - + @collectors(['IMA'], COLLECTOR_LIST) def test_02_small_ima_appraisal(self): """Test that appraisal works with a small hard-coded IMA baseline 
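Review bot: `BAD_BASE_PC_CERT_LOCATION` is added next to `EK_CA_CERT_LOCATION` in the @@ -49 hunk but no hunk in this patch reads it; presumably a test further down the file (outside this chunk) uploads it through AcaPortal, and a trailing comment such as `# written by .ci/setup/setup-tpm2provisioner-base-delta.sh` would tell the reader where the file comes from. The directory `/var/hirs/pc_generation/` is now spelled out three times in this commit — here, as `pc_dir` in addFaultyComponents.py and as `PC_DIR` in the setup script — so a rename in one place silently breaks the other two; exporting it once from the setup script (or the `.env` file the compose files already read) and consuming it via `os.environ` would keep them aligned. The other hunks on this line are whitespace-only and need no change.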
@@ -103,8 +104,8 @@ class SystemTest(unittest.TestCase): # policy_name = Portal.add_ima_policy(required_set=baseline, policy_name_prefix='small_ima') # Portal.set_default_policies(ima_policy=policy_name) # result = run_hirs_report(CLIENT) -# self.assertTrue(result) - +# self.assertTrue(result) + @collectors(['IMA'], COLLECTOR_LIST) def test_03_large_ima_appraisal(self): """Test that appraisal works with a full-size IMA baseline @@ -134,7 +135,7 @@ class SystemTest(unittest.TestCase): # logging.warning("new alert count: " + str(new_alert_count)) # #logging.debug("new alerts:\n{0}".format(pprint.pformat(after_alerts['data'][0:new_alert_count]))) # self.assertTrue(True) - + @collectors(['IMA'], COLLECTOR_LIST) def test_04_small_ima_appraisal_required_set_missing(self): """Test that appraisal results in an appropriate alert generation when a required set file is missing @@ -155,19 +156,19 @@ class SystemTest(unittest.TestCase): # baseline["records"].append({"path": missing_file, "hash": random_hash}) # policy_name = Portal.add_ima_policy(required_set=baseline, policy_name_prefix="small_ima_req") # Portal.set_default_policies(ima_policy=policy_name) -# +# # result = run_hirs_report(CLIENT) # self.assertFalse(result) # after_alerts = Portal.get_alerts_from_latest_report() # new_alert_count = after_alerts['recordsTotal'] # self.assertEqual(new_alert_count, 1) -# +# # # find the alert with the most recent createTime # latest_alert = max(after_alerts['data'], key=lambda alert: alert['createTime']) # self.assertTrue("MISSING_RECORD" in latest_alert['type']) # self.assertTrue(random_hash in latest_alert['expected']) # self.assertTrue(missing_file in latest_alert['expected']) - + @collectors(['TPM'], COLLECTOR_LIST) def test_05_tpm_white_list_appraisal(self): """Test that appraisal works with a TPM white list baseline 
@@ -193,20 +194,20 @@ class SystemTest(unittest.TestCase): # result = run_hirs_report(CLIENT) # self.assertTrue(result) # self.assertEqual(0, Portal.get_alert_count_from_latest_report()) -# +# # # create a new baseline with random PCR values # baseline_bad_tpm_pcr = make_baseline_from_xml(xml_report, "TPM") # for pcr_index in range(0, NUMBER_OF_PCRS): # baseline_bad_tpm_pcr["records"][pcr_index]["hash"] = get_random_pcr_hex_value() -# +# # policy_name = Portal.add_tpm_wl_policy(baseline_bad_tpm_pcr, policy_name_prefix='bad_vals') # Portal.set_default_policies(tpm_policy=policy_name) # result = run_hirs_report(CLIENT) # self.assertFalse(result) # self.assertEqual(NUMBER_OF_PCRS, Portal.get_alert_count_from_latest_report()) -# +# # after_alerts = Portal.get_alerts() -# +# # # for the set of new alerts, verify the alert fields for each PCR value # # the order of the alerts it not necessarily PCR 0, 1, 2... , so we must index # # in to the hash table correctly @@ -214,17 +215,17 @@ class SystemTest(unittest.TestCase): # pcr_alert = after_alerts["data"][alert_index] # alert_details = pcr_alert["details"] # pcr_int = int(re.findall(r'\d+', alert_details)[0]) -# +# # logging.info("Checking TPM alert for PCR %s", pcr_int) -# +# # self.assertTrue("WHITE_LIST_PCR_MISMATCH" in pcr_alert['type']) # self.assertTrue("TPM_APPRAISER" in pcr_alert['source']) # baseline_hash = baseline_bad_tpm_pcr["records"][pcr_int]["hash"] # reported_hash = baseline["records"][pcr_int]["hash"] -# +# # self.assertTrue(baseline_hash in pcr_alert['expected']) # self.assertTrue(reported_hash in pcr_alert['received']) - + @collectors(['IMA'], COLLECTOR_LIST) @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_06_ima_blacklist_appraisal(self): 
@@ -241,102 +242,102 @@ class SystemTest(unittest.TestCase): # baseline = make_simple_ima_blacklist_baseline() # policy_name = Portal.add_ima_policy(blacklist=baseline, policy_name_prefix='small_ima_blacklist') # Portal.set_default_policies(ima_policy=policy_name) -# +# # result = run_hirs_report(CLIENT) # self.assertTrue(result) -# +# # send_command('touch /boot/usb-storage-foo.ko') # #send_command('sudo cat /tmp/usb-storage-foo.ko') # result = run_hirs_report(CLIENT) # self.assertFalse(result) -# +# # after_alerts = Portal.get_alerts_from_latest_report() # new_alert_count = after_alerts['recordsTotal'] # self.assertEqual(new_alert_count, 1) -# +# # # find the alert with the most recent createTime # latest_alert = after_alerts['data'][0] # self.assertTrue("IMA_BLACKLIST_PATH_MATCH" in latest_alert['type']) # self.assertTrue("usb-storage-foo.ko" in latest_alert['expected']) -# +# # # # # create ima blacklist baseline that contains a hash and generate alert upon detection # # -# +# # # create file and add content to file # send_command('touch /tmp/usb-storage_2.ko') # send_command('echo blacklist >> /tmp/usb-storage_2.ko') # policy_name = Portal.add_ima_policy(blacklist=None, # policy_name_prefix='empty') # Portal.set_default_policies(ima_policy=policy_name) -# +# # # send report to verify successful appraisal # result = run_hirs_report(CLIENT) # self.assertTrue(result) -# +# # # create blacklist baseline with hash and update policy # baseline = make_simple_ima_blacklist_baseline_with_hash(); # policy_name = Portal.add_ima_policy(blacklist=baseline, # policy_name_prefix='small_ima_blacklist_with_hash') # Portal.set_default_policies(ima_policy=policy_name) -# +# # # trigger measurement of file and run hirs report # send_command('sudo cat /tmp/usb-storage_2.ko') # result = run_hirs_report(CLIENT) # self.assertFalse(result) -# +# # after_alerts = Portal.get_alerts_from_latest_report() # new_alert_count = after_alerts['recordsTotal'] # self.assertEqual(new_alert_count, 
1) -# +# # # find the alert with the most recent createTime # latest_alert = after_alerts['data'][0] # self.assertTrue("IMA_BLACKLIST_HASH_MATCH" in latest_alert['type']) # self.assertTrue(USB_STORAGE_FILE_HASH in latest_alert['expected']) -# +# # # # # create ima blacklist baseline that contains a file and hash and generate alert upon detection # # # policy_name = Portal.add_ima_policy(blacklist=None, # policy_name_prefix='empty') # Portal.set_default_policies(ima_policy=policy_name) -# +# # # send report to verify successful appraisal # result = run_hirs_report(CLIENT) # self.assertTrue(result) -# +# # # create blacklist baseline with file and hash and update policy # baseline = make_simple_ima_blacklist_baseline_with_file_and_hash(); # policy_name = Portal.add_ima_policy(blacklist=baseline, # policy_name_prefix='small_ima_blacklist_with_file_and_hash') # Portal.set_default_policies(ima_policy=policy_name) -# +# # result = run_hirs_report(CLIENT) # self.assertFalse(result) -# +# # after_alerts = Portal.get_alerts_from_latest_report() # new_alert_count = after_alerts['recordsTotal'] # self.assertEqual(new_alert_count, 1) -# +# # # find the alert with the most recent createTime # latest_alert = after_alerts['data'][0] # self.assertTrue("IMA_BLACKLIST_PATH_AND_HASH_MATCH" in latest_alert['type']) # self.assertTrue("usb-storage_2.ko" in latest_alert['expected']) # self.assertTrue(USB_STORAGE_FILE_HASH in latest_alert['expected']) -# +# # # # # change ima blacklist baseline file and hash and verify alert is not generated # # -# +# # # create blacklist baseline with file and hash and update policy # baseline = make_simple_ima_blacklist_baseline_with_updated_file_and_hash(); # policy_name = Portal.add_ima_policy(blacklist=baseline, # policy_name_prefix='small_ima_blacklist_with_updated_file_and_hash') # Portal.set_default_policies(ima_policy=policy_name) -# +# # result = run_hirs_report(CLIENT) # self.assertTrue(result) - + @collectors(['IMA'], COLLECTOR_LIST) 
@unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_07_delta_reports_required_set(self): @@ -366,12 +367,12 @@ class SystemTest(unittest.TestCase): # foo_file_name = 'foo-file-' + unique_name # foo_bar_file_name = 'foo-bar-file-' + unique_name # test_hash = 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3' -# +# # baseline = {"name": baseline_name, # "description": "a simple hard-coded ima baseline " # "for delta reports systems testing", # "records": []} -# +# # ima_policy = Portal.add_ima_policy(required_set=baseline, delta_reports_enabled="true", policy_name_prefix="delta_with_required_set") # Portal.set_default_policies(ima_policy=ima_policy) # run_hirs_report(CLIENT) @@ -380,16 +381,16 @@ class SystemTest(unittest.TestCase): # found_foo_bar_file = foo_bar_file_name in report # self.assertFalse(found_foo_file) # self.assertFalse(found_foo_bar_file) -# +# # Portal.add_to_ima_baseline(baseline_name, foo_file_name, test_hash) # Portal.add_to_ima_baseline(baseline_name, foo_bar_file_name, test_hash) -# +# # #create foo_file_name. Don't create foo_bar_file_name yet. # #send_vagrant_command('echo {0} > {1}'.format("test", foo_file_name), CLIENT) # #send_vagrant_command('sudo cat {0}'.format(foo_file_name), CLIENT) # send_command('echo {0} > {1}'.format("test", foo_file_name)) # send_command('sudo cat {0}'.format(foo_file_name)) -# +# # result = run_hirs_report(CLIENT) # self.assertFalse(result, msg="report should fail - " + foo_bar_file_name + " not present") # report = Portal.get_latest_report() @@ -397,7 +398,7 @@ class SystemTest(unittest.TestCase): # found_foo_bar_file = foo_bar_file_name in report # self.assertTrue(found_foo_file) # self.assertFalse(found_foo_bar_file) -# +# # send_vagrant_command('echo {0} > {1}'.format("test", foo_bar_file_name), CLIENT) # send_vagrant_command('sudo cat {0}'.format(foo_bar_file_name), CLIENT) # result = run_hirs_report(CLIENT) 
@@ -407,10 +408,10 @@ class SystemTest(unittest.TestCase): # found_foo_bar_file = foo_bar_file_name in report # self.assertFalse(found_foo_file) # self.assertTrue(found_foo_bar_file) -# +# # send_vagrant_command('rm {0}'.format(foo_file_name), CLIENT) # send_vagrant_command('rm {0}'.format(foo_bar_file_name), CLIENT) - + @collectors(['IMA'], COLLECTOR_LIST) @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_08_delta_reports_whitelist(self): 
@@ -444,39 +445,39 @@ class SystemTest(unittest.TestCase): # foo_file_name = 'foo-file-' + unique_name # foo_bar_file_name = 'foo-bar-file-' + unique_name # test_hash = 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3' -# +# # baseline = {"name": baseline_name, # "description": "a simple hard-coded ima baseline " # "for delta reports systems testing", # "records": []} -# +# # ima_policy = Portal.add_ima_policy(whitelist=baseline, delta_reports_enabled="true", policy_name_prefix="delta_with_whitelist") # Portal.set_default_policies(ima_policy=ima_policy) # run_hirs_report(CLIENT) # report = Portal.get_latest_report() # found_foo_file = foo_file_name in report # self.assertFalse(found_foo_file) -# +# # Portal.add_to_ima_baseline(baseline_name, foo_file_name, test_hash) -# +# # #create foo_file_name. Don't create foo_bar_file_name yet. # send_vagrant_command('echo \'foo-file\' > {0}'.format(foo_file_name), CLIENT) # send_vagrant_command('sudo cat {0}'.format(foo_file_name), CLIENT) -# +# # result = run_hirs_report(CLIENT) # self.assertFalse(result, msg="report should fail - whitelist mismatch for " + foo_bar_file_name) # report = Portal.get_latest_report() # found_foo_file = foo_file_name in report # self.assertTrue(found_foo_file) -# +# # result = run_hirs_report(CLIENT) # self.assertTrue(result, msg="delta reporting should pass because the mismatched record should be found in a previous report") # report = Portal.get_latest_report() # found_foo_file = foo_file_name in report # self.assertFalse(found_foo_file) -# +# # send_vagrant_command('rm {0}'.format(foo_file_name), CLIENT) - + @collectors(['IMA', 'TPM'], COLLECTOR_LIST) @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_09_on_demand(self): 
@@ -499,15 +500,15 @@ class SystemTest(unittest.TestCase): # logging.info('on demand policy name: %s', policy_name) # Portal.set_default_policies(ima_policy=policy_name, tpm_policy=DEFAULT_TPM_POLICY) # first_report_summary = Portal.get_latest_report_summary() -# +# # (filename, sha_hash) = touch_random_file_and_remove(CLIENT) # partial_filename = filename.split('/')[-1] # logging.info("touched file {} with hash {}".format(filename, sha_hash)) # Portal.start_on_demand() # logging.info("started on-demand appraisal") -# +# # latest_report_summary = None -# +# # attempts = 0 # while latest_report_summary == None or latest_report_summary['report']['id'] == first_report_summary['report']['id']: # attempts += 1 @@ -515,15 +516,15 @@ class SystemTest(unittest.TestCase): # latest_report_summary = Portal.get_latest_report_summary() # if attempts == 6: # self.fail("No new report summary was found after 120 seconds; failing.") -# +# # self.assertEqual(latest_report_summary["hirsAppraisalResult"]["appraisalStatus"], 'PASS') -# +# # self.assertTrue(Portal.report_contains_ima_record( # partial_filename, sha_hash, latest_report_summary['report']['id'])) # sub_reports = latest_report_summary['report']['reports'] # self.assertTrue(any(sr for sr in sub_reports if 'TPMReport' in sr['reportType']), # "report summary should contain a TPMReport as a sub-report") - + @collectors(['IMA'], COLLECTOR_LIST) @unittest.skip("SELinux issues are preventing repo sync from working") def test_10_failing_ima_appraisal_broad_repo_baseline(self): 
@@ -541,13 +542,13 @@ class SystemTest(unittest.TestCase): # baseline_name = "Test Broad Baseline" # policy_name = "Test Broad Repo IMA Policy" # repo_url = 'file:///flamethrower/Systems_Tests/resources/repositories/small_yum_repo' -# +# # Portal.configure_yum_repository(repo_name, repo_url) # Portal.create_broad_ima_baseline(baseline_name, repo_name) # Portal.create_policy(policy_name, "IMA") # Portal.add_baseline_to_required_sets(policy_name, baseline_name) # Portal.set_tpm_ima_policy(ima_policy=policy_name, tpm_policy=DEFAULT_TPM_POLICY) -# +# # self.assertFalse(run_hirs_report(CLIENT)) # alerts = Portal.get_alerts_from_latest_report() # self.assertTrue(alerts_contain(alerts['data'], { @@ -555,7 +556,7 @@ class SystemTest(unittest.TestCase): # 'type': 'MISSING_RECORD', # 'expected': '(/usr/lib64/glusterfs/3.7.6/xlator/features/quota.so, SHA-1 - 0xc9b5e8df6b50f2f58ea55fd41a962393d9eeec94)', # })) - + @collectors(['IMA'], COLLECTOR_LIST) @unittest.skip("SELinux issues are preventing repo sync from working") @unittest.skipIf(is_ubuntu_client(CLIENT_OS), "Skipping this test due to client OS " + CLIENT_OS) 
@@ -576,31 +577,34 @@ class SystemTest(unittest.TestCase): # baseline_name = "Test Broad Baseline" # policy_name = "Test Broad Repo IMA Policy" # repo_url = 'file:///flamethrower/Systems_Tests/resources/repositories/two_package_yum_repo' -# +# # Portal.configure_yum_repository(repo_name, repo_url) # Portal.create_broad_ima_baseline(baseline_name, repo_name) # Portal.create_policy(policy_name, "IMA") # Portal.add_baseline_to_required_sets(policy_name, baseline_name) # Portal.set_partial_paths_for_ima_policy(policy_name, True) # Portal.set_tpm_ima_policy(ima_policy=policy_name, tpm_policy=DEFAULT_TPM_POLICY) -# +# # if CLIENT_OS in ["centos6", "centos7"]: # send_vagrant_command("sudo rpm -i --force /flamethrower/Systems_Tests/resources/repositories/two_package_yum_repo/SimpleTest1-1-1.noarch.rpm", CLIENT) # send_vagrant_command("sudo rpm -i --force /flamethrower/Systems_Tests/resources/repositories/two_package_yum_repo/SimpleTest2-1-1.noarch.rpm", CLIENT) # else: # logging.error("unsupported client os: %s", CLIENT_OS) -# +# # send_vagrant_command("sudo find /opt/simpletest -type f -exec head {} \;", CLIENT) -# +# # self.assertTrue(run_hirs_report(CLIENT)) # self.assertEqual(Portal.get_alert_count_from_latest_report(), 0) + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_12_attestation_ca_portal_online(self): """Test that the Attestation CA Portal is online and accessible by making a GET request. If not online, an exception will be raised since the response code is non-200""" logging.info("*****************beginning of attestation ca portal online test *****************") AcaPortal.check_is_online() + @collectors(['TPM'], COLLECTOR_LIST) @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_13_tpm2_initial_provision(self): """Test that running the tpm2 hirs provisioner works""" 
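Review bot: test_12_attestation_ca_portal_online now carries both `@collectors(['TPM'], COLLECTOR_LIST)` and `@unittest.skipIf(not is_tpm2(TPM_VERSION), ...)`, yet its body only calls `AcaPortal.check_is_online()` and has no TPM dependency, so a non-TPM or TPM 1.2 run loses its portal liveness check and any later failure in that run reads as a test bug rather than an ACA outage. If the pair was added so the whole suite is selected uniformly, a one-line comment above test_12 such as `# gated on TPM with the rest of the suite so a TPM-less run skips everything consistently` would make that deliberate; otherwise drop both decorators from test_12 and keep them on test_13 onward. The same pair is added to test_14 through test_18 in the following hunks, where it is appropriate since each of those depends on a provisioner run. This assumes `@collectors` skips the test when the named collector is not in `COLLECTOR_LIST`, as its name suggests; its definition lives in system_test_core and is not visible here.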
@@ -608,16 +612,19 @@ class SystemTest(unittest.TestCase): # Run the provisioner to ensure that it provisions successfully provisioner_out = run_hirs_provisioner_tpm2(CLIENT) print("Initial provisioner run output: {0}".format(provisioner_out)) - + + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_14_device_info_report_stored_after_provisioning(self): """Test that running the hirs provisioner results in storing a device info report for the device in the DB""" logging.info("*****************beginning of provisioner + device info report test *****************") logging.info("getting devices from ACA portal") aca_portal_devices = AcaPortal.get_devices() - self.assertEqual(aca_portal_devices['recordsTotal'], 1) - - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + self.assertEqual(aca_portal_devices['recordsTotal'], 1) + + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_15_supply_chain_validation_summary_stored_after_second_provisioning(self): """Test that running the hirs provisioner, a second time, results in storing a supply chain validation record in the database""" @@ -634,7 +641,7 @@ class SystemTest(unittest.TestCase): AcaPortal.upload_ca_cert(EK_CA_CERT_LOCATION) AcaPortal.enable_ec_validation() provisioner_out = run_hirs_provisioner(CLIENT) - + print("Second provisioner run output: {0}".format(provisioner_out)) supply_chain_validation_summaries = AcaPortal.get_supply_chain_validation_summaries() # verify this is one SCVS record indicating PASS 
@@ -644,7 +651,8 @@ class SystemTest(unittest.TestCase): # verify device has been updated with supply chain appraisal result devices = AcaPortal.get_devices() self.assertEqual(devices['data'][0]['device']['supplyChainStatus'], "PASS") - + + @collectors(['TPM'], COLLECTOR_LIST) @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_16_ek_info_report(self): """Test that running the hirs provisioner results in storing EK certs info report for 
@@ -652,20 +660,22 @@ class SystemTest(unittest.TestCase): logging.info("*****************beginning of provisioner + Endorsement certs info report test *****************") logging.info("getting ek certs from ACA portal") cert_list = AcaPortal.get_ek_certs() - self.assertEqual(cert_list['recordsTotal'], 1) + self.assertEqual(cert_list['recordsTotal'], 1) self.assertEqual(cert_list['data'][0]['credentialType'], "TCPA Trusted Platform Module Endorsement") - - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_17_pk_info_report(self): """Test that running the hirs provisioner results in storing PK certs info report for the device in the DB""" logging.info("*****************beginning of provisioner + Platform certs info report test *****************") logging.info("getting pk certs from ACA portal") cert_list = AcaPortal.get_pk_certs() - self.assertEqual(cert_list['recordsTotal'], 1) + self.assertEqual(cert_list['recordsTotal'], 1) self.assertEqual(cert_list['data'][0]['credentialType'], "TCG Trusted Platform Endorsement") - - @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + + @collectors(['TPM'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) def test_18_trust_chain_info_report(self): """Test that running the hirs provisioner results in storing trust chains info report for the device in the DB""" 
@@ -673,7 +683,99 @@ class SystemTest(unittest.TestCase): logging.info("getting trust chains from ACA portal") trust_chain_list = AcaPortal.get_trust_chains() self.assertEqual(trust_chain_list['recordsTotal'], 1) - + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_A1_base_delta(self): + """Test Base/Delta Certificates A1 - Provisioning with Good Base Platform Cert Base (via Platform Cert on TPM)""" + logging.info("*****************test_19_A1 - beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert Base (via Platform Cert on TPM)") + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_A2_base_delta(self): + """Test Base/Delta Certificates A2 - Provisioning with Good Base Platform Cert Base and 1 Delta Cert""" + logging.info("*****************test_19_A2 - beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert Base and 1 Delta Cert") + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_A3_base_delta(self): + """Test Base/Delta Certificates A3 - Provisioning with Good Base Platform Cert Base and 2 Delta Certs""" + logging.info("*****************test_19_A3 - beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert Base and 2 Delta Certs") + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_A4_base_delta(self): + """Test Base/Delta Certificates A4 - Provisioning with Good Base Platform Cert and 1 Bad Delta Cert""" + logging.info("*****************test_19_A4 - 
beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform Cert and 1 Bad Delta Cert") + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_A5_base_delta(self): + """Test Base/Delta Certificates A5 - Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert""" + logging.info("*****************test_19_A5 - beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert") + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_A6_base_delta(self): + """Test Base/Delta Certificates A6 - Provisioning with Good Base Platform, 2 Good Delta Certs and + 1 Bad Delta Cert with non present component""" + logging.info("*****************test_19_A6 - beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs and 1 Bad Delta Cert with non present component") + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_A7_base_delta(self): + """Test Base/Delta Certificates A7 - Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert + replacing component from previous, using the Delta as a base certificate""" + logging.info("*****************test_19_A7 - beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert replacing component from previous, using the Delta as a base certificate") + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def 
test_19_A8_base_delta(self): + """Test Base/Delta Certificates A8 - Attempt to upload Base cert with holder already having a Base Platform Cert associated with it""" + logging.info("*****************test_19_A8 - beginning of delta certificate test *****************") + logging.info("Provisioning with Good Base Platform, 2 Good Delta Certs with 1 Delta cert replacing component from previous, using the Delta as a base certificate") + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_B1_base_delta(self): + """Test Base/Delta Certificates B1 - Provisioning with Bad Platform Cert Base """ + logging.info("*****************test_19_B1 - beginning of delta certificate test *****************") + logging.info("Provisioning with Bad Platform Cert Base") + logging.info("Check if ACA is online...") + AcaPortal.check_is_online() + if is_tpm2(TPM_VERSION): + logging.info("Using TPM 2.0") + logging.info("Uploading CA cert: " + CA_CERT_LOCATION) + AcaPortal.upload_ca_cert(CA_CERT_LOCATION) + AcaPortal.enable_supply_chain_validations() + provisioner_out = run_hirs_provisioner_tpm2(CLIENT) + + print("Bad Base Certificate provisioner run output: {0}".format(provisioner_out)) + + # Provisioning should fail since the PC contains FAULTY components. 
+ self.assertIn("Provisioning failed", format(provisioner_out)) + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_B2_base_delta(self): + """Test Base/Delta Certificates B2 - Provisioning with Bad Platform Cert Base and 1 Good delta with 1 bad component unresolved""" + logging.info("*****************test_19_B2 - beginning of delta certificate test *****************") + logging.info("Provisioning with Bad Platform Cert Base and 1 Good delta with 1 bad component unresolved") + + @collectors(['BASE_DELTA'], COLLECTOR_LIST) + @unittest.skipIf(not is_tpm2(TPM_VERSION), "Skipping this test due to TPM Version " + TPM_VERSION) + def test_19_B3_base_delta(self): + """Test Base/Delta Certificates B3 - Provisioning with Bad Platform Cert Base and 2 Good delta with all component resolved""" + logging.info("*****************test_19_B3 - beginning of delta certificate test *****************") + logging.info("Provisioning with Bad Platform Cert Base and 2 Good delta with all component resolved") + def make_simple_ima_baseline(): timestamp = get_current_timestamp() @@ -731,7 +833,7 @@ def make_baseline_from_xml(xml_report, appraiser_type): logging.info("created {0} baseline from xml with {1} records".format( appraiser_type, str(len(baseline["records"])))) return baseline - + def make_simple_ima_blacklist_baseline(): return { "name": "simple_ima_blacklist_baseline_{0}".format(get_current_timestamp()), @@ -762,7 +864,7 @@ def make_simple_ima_blacklist_baseline_with_updated_file_and_hash(): "records": [{"path": "test-file", "hash": USB_STORAGE_FILE_HASH_2}] } - + if __name__ == '__main__': suite = unittest.TestLoader().loadTestsFromTestCase(SystemTest) ret = not unittest.TextTestRunner(verbosity=2).run(suite).wasSuccessful() diff --git a/.ci/system-tests/system_test_core.py b/.ci/system-tests/system_test_core.py index 3de7b169..e4a51967 100644 
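Review bot: test_19_A1 through A8, B2 and B3 contain only logging calls, so the new Base/Delta CI job reports them as passing while they verify nothing; until they are implemented each should end with `self.skipTest("not yet implemented")` (or carry `@unittest.skip`) so a green run is not read as coverage of delta-certificate validation. In test_19_B1 the `if is_tpm2(TPM_VERSION):` guard duplicates the method's skipIf and, if it were ever false, leaves `provisioner_out` unbound at the `print` that follows; drop the guard and dedent its body. The `assertIn("Provisioning failed", ...)` check is also satisfied by any failure at all (ACA unreachable, CA cert upload rejected, TPM not ready), not only by the faulty components the comment names, so add a check on what the ACA actually recorded, e.g. `self.assertEqual(AcaPortal.get_devices()['data'][0]['device']['supplyChainStatus'], "FAIL")`, mirroring the PASS assertion in test_15. Separately, test_19_A8's log line is copied from A7 and does not match its docstring.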
--- a/.ci/system-tests/system_test_core.py +++ b/.ci/system-tests/system_test_core.py @@ -317,7 +317,7 @@ class AttestationCAPortal: def get_devices(self): """Get devices from ACA portal.""" return self.request("get", "portal/devices/list").json() - + def get_ek_certs(self): """Get EK certs from ACA portal.""" return self.request("get", "portal/certificate-request/endorsement-key-credentials/list").json() @@ -325,14 +325,14 @@ class AttestationCAPortal: def get_pk_certs(self): """Get PK certs from ACA portal.""" return self.request("get", "portal/certificate-request/platform-credentials/list").json() - + def get_trust_chains(self): """Get trust chains from ACA portal.""" return self.request("get", "portal/certificate-request/trust-chain/list").json() - + def upload_ca_cert(self, ca_cert_file): file = {'file': open(ca_cert_file, 'rb')} - self.request("post", "portal/certificate-request/trust-chain/upload", files=file, operation="upload CA cert") + self.request("post", "portal/certificate-request/trust-chain/upload", files=file, operation="upload CA cert") def web_request(server_url, method, path, params={}, data={}, files={}, expected_status_codes=[200], operation=None, verify=False): url = server_url + path diff --git a/.ci/system-tests/systems-test-centos7-tpm2-base-delta.sh b/.ci/system-tests/systems-test-centos7-tpm2-base-delta.sh new file mode 100755 index 00000000..650e690d --- /dev/null +++ b/.ci/system-tests/systems-test-centos7-tpm2-base-delta.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +export CLIENT_OS=centos7 +export CLIENT_HOSTNAME=hirs-client-$CLIENT_OS-tpm2 + +export SERVER_OS=$CLIENT_OS +export SERVER_HOSTNAME=hirs-appraiser-$SERVER_OS + +export ENABLED_COLLECTORS=BASE_DELTA +export TPM_VERSION=2.0 + +$SCRIPT_DIR/systems-test.core.sh diff --git a/.ci/system-tests/systems-test-centos7-tpm2.sh b/.ci/system-tests/systems-test-centos7-tpm2.sh index e10446f2..f39b061a 100755 
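Review bot: The new `systems-test-centos7-tpm2-base-delta.sh` is a line-for-line copy of `systems-test-centos7-tpm2.sh` with only `ENABLED_COLLECTORS` changed, so the two wrappers will drift (the TPM2 copy is already edited in this same commit); the only use of `$SCRIPT_DIR`, on the last line, is also left unquoted while its definition is carefully quoted. Make the last line `exec "$SCRIPT_DIR/systems-test.core.sh"`, and longer term let the core script read the collector list from the job's environment so one wrapper can serve both jobs.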
--- a/.ci/system-tests/systems-test-centos7-tpm2.sh +++ b/.ci/system-tests/systems-test-centos7-tpm2.sh @@ -8,7 +8,7 @@ export CLIENT_HOSTNAME=hirs-client-$CLIENT_OS-tpm2 export SERVER_OS=$CLIENT_OS export SERVER_HOSTNAME=hirs-appraiser-$SERVER_OS -export ENABLED_COLLECTORS= +export ENABLED_COLLECTORS=TPM export TPM_VERSION=2.0 $SCRIPT_DIR/systems-test.core.sh diff --git a/.travis.yml b/.travis.yml index 070c498c..1b42e9a1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -32,7 +32,7 @@ cache: install: true script: - - docker run --rm -v $(pwd):/HIRS hirs/hirs-ci:centos7 /bin/bash -c "cd /HIRS; ./gradlew :$SUBPROJECT:build" + - docker run --rm -v $(pwd):/HIRS hirs/hirs-ci:centos7 /bin/bash -c "cd /HIRS; ./gradlew :$SUBPROJECT:build -x test" jobs: include: @@ -40,11 +40,6 @@ jobs: script: docker run --rm -v $(pwd):/HIRS hirs/hirs-ci:ubuntu18 /bin/bash -c "cd /HIRS; ./package/package.ubuntu.sh" env: null name: "Package Ubuntu" -# TODO: Explore reason behind Building/Packaging Failing on Amazon Linux -# - stage: Packaging and System Tests -# script: docker run --rm -v $(pwd):/HIRS hirs/hirs-ci:amazonlinux2 /bin/bash -c "cd /HIRS; ./package/package.centos.sh" -# env: null -# name: "Package Amazon Linux" - stage: Packaging and System Tests script: .ci/system-tests/./run-system-tests.sh env: null @@ -53,3 +48,7 @@ jobs: script: .ci/system-tests/./run-system-tests-tpm2.sh env: null name: "System Tests TPM2" + - stage: Packaging and System Tests + script: .ci/system-tests/./run-system-tests-tpm2-base-delta.sh + env: null + name: "System Tests TPM2 Base/Delta"
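Review bot: The `-x test` appended to the build step in the `.travis.yml` hunk at `-32,7 +32,7` disables every subproject's unit tests on every CI run, so nothing in the build stage now exercises the ACA validation code that the new Base/Delta system tests are meant to cover; the commit message cites CI time, but the system tests (several of which are still stubs) are not a substitute for the unit suite. If time is the constraint, keep `./gradlew :$SUBPROJECT:build` as it was and move the slow tests into their own stage, or at least apply `-x test` only on non-default branches rather than in the shared script.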