Initial Commit. This adds the visual object to the policy page.

2024-12-19 04:58:00 +00:00 · 2021-10-29 14:55:23 -04:00 · 2021-10-29 14:55:23 -04:00 · aae6845730
commit aae6845730
parent 5434fe8ca7
5 changed files with 142 additions and 3 deletions
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java
@ -20,6 +20,7 @@ public class PolicyPageModel {
    private boolean enableIgnoreIma;
    private boolean enableIgnoreTboot;
    private boolean enableIgnoreGpt;
+    private boolean enableIgnoreOsEvt;

    // Variables to get policy settings from page
    private String pcValidate;
@ -36,6 +37,7 @@ public class PolicyPageModel {
    private String ignoreIma;
    private String ignoretBoot;
    private String ignoreGpt;
+    private String ignoreOsEvt;
    private String expirationValue;
    private String devIdExpirationValue;
    private String thresholdValue;
@ -60,6 +62,7 @@ public class PolicyPageModel {
        this.enableIgnoreIma = policy.isIgnoreImaEnabled();
        this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
        this.enableIgnoreGpt = policy.isIgnoreGptEnabled();
+        this.enableIgnoreOsEvt = policy.isIgnoreOsEvtEnabled();
        this.expirationValue = policy.getValidityDays();
        this.thresholdValue = policy.getReissueThreshold();
        this.devIdExpirationValue = policy.getDevIdValidityDays();
@ -160,6 +163,14 @@ public class PolicyPageModel {
        return enableIgnoreGpt;
    }

+    /**
+     * Gets the Enable Ignore Os Events state.
+     * @return the validation state.
+     */
+    public boolean getEnableIgnoreOsEvt() {
+        return enableIgnoreOsEvt;
+    }
+
    /**
     * Gets the EC Validation value.
     *
@ -268,6 +279,15 @@ public class PolicyPageModel {
        return ignoreGpt;
    }

+    /**
+     * Gets the Ignore Os Evt validation value.
+     *
+     * @return the model string representation of this field (checked or unchecked)
+     */
+    public String getIgnoreOsEvt() {
+        return ignoreOsEvt;
+    }
+
    /**
     * Sets the EC Validation state.
     *
@ -359,6 +379,15 @@ public class PolicyPageModel {
        this.enableIgnoreGpt = enableIgnoreGpt;
    }

+    /**
+     * Sets the Enable Ignore Os Events state.
+     *
+     * @param enableIgnoreOsEvt true if performing validation, false otherwise
+     */
+    public void setEnableIgnoreOsEvt(final boolean enableIgnoreOsEvt) {
+        this.enableIgnoreOsEvt = enableIgnoreOsEvt;
+    }
+
    /**
     * Sets the Platform Certificate Validation state.
     *
@ -497,6 +526,15 @@ public class PolicyPageModel {
        this.ignoreGpt = ignoreGpt;
    }

+    /**
+     * Sets the Ignore Os Events state.
+     *
+     * @param ignoreOsEvt "checked" if enabling validation, false otherwise
+     */
+    public void setIgnoreOsEvt(final String ignoreOsEvt) {
+        this.ignoreOsEvt = ignoreOsEvt;
+    }
+
    /**
     * Getter for the expiration value.
     * @return the value
@ -577,6 +615,7 @@ public class PolicyPageModel {
                + ", enableIgnoreIma=" + enableIgnoreIma
                + ", enableIgnoreTboot=" + enableIgnoreTboot
                + ", enableIgnoreGpt=" + enableIgnoreGpt
+                + ", enableIgnoreOsEvt=" + enableIgnoreOsEvt
                + ", expirationValue=" + expirationValue
                + ", thresholdValue=" + thresholdValue
                + ", devIdExpirationValue=" + devIdExpirationValue
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java
@ -90,7 +90,6 @@ public class PolicyPageController extends PageController<NoPageParams> {
        ModelAndView mav = getBaseModelAndView();

        SupplyChainPolicy policy = getDefaultPolicy();
-
        PolicyPageModel pageModel = new PolicyPageModel(policy);
        mav.addObject(INITIAL_DATA, pageModel);

@ -662,6 +661,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
                policy.setFirmwareValidationEnabled(false);
                policy.getPcrPolicy().setEnableIgnoreIma(false);
                policy.getPcrPolicy().setEnableIgnoretBoot(false);
+                policy.setIgnoreOsEvtEnabled(false);
                successMessage = "Firmware validation disabled";
            }

@ -805,7 +805,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
            //If Ignore TBoot is enabled without firmware, disallow change
            if (ignoreGptOptionEnabled && !policy.isFirmwareValidationEnabled()) {
                handleUserError(model, messages,
-                        "Ignore TBoot can not be "
+                        "Ignore GPT Events can not be "
                                + "enabled without Firmware Validation policy enabled.");
                return redirectToSelf(new NoPageParams(), model, attr);
            }
@ -830,6 +830,59 @@ public class PolicyPageController extends PageController<NoPageParams> {
        return redirectToSelf(new NoPageParams(), model, attr);
    }

+    /**
+     * Updates the ignore Os Events policy setting and
+     * redirects back to the original page.
+     *
+     * @param ppModel The data posted by the form mapped into an object.
+     * @param attr RedirectAttributes used to forward data back to the original
+     * page.
+     * @return View containing the url and parameters
+     * @throws URISyntaxException if malformed URI
+     */
+    @RequestMapping(value = "update-os-evt-ignore", method = RequestMethod.POST)
+    public RedirectView updateIgnoreOsEvents(
+            @ModelAttribute final PolicyPageModel ppModel,
+            final RedirectAttributes attr)
+            throws URISyntaxException {
+        // set the data received to be populated back into the form
+        Map<String, Object> model = new HashMap<>();
+        PageMessages messages = new PageMessages();
+        String successMessage;
+        boolean ignoreOsEvtOptionEnabled = ppModel.getIgnoreOsEvt()
+                .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
+
+        try {
+            SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
+
+            //If Ignore TBoot is enabled without firmware, disallow change
+            if (ignoreOsEvtOptionEnabled && !policy.isFirmwareValidationEnabled()) {
+                handleUserError(model, messages,
+                        "Ignore Os Events can not be "
+                                + "enabled without Firmware Validation policy enabled.");
+                return redirectToSelf(new NoPageParams(), model, attr);
+            }
+
+            // set the policy option and create success message
+            if (ignoreOsEvtOptionEnabled) {
+                policy.getPcrPolicy().setEnableIgnoreOsEvt(true);
+                successMessage = "Ignore GPT enabled";
+            } else {
+                policy.getPcrPolicy().setEnableIgnoreOsEvt(false);
+                successMessage = "Ignore GPT disabled";
+            }
+
+            savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
+        } catch (PolicyManagerException e) {
+            handlePolicyManagerUpdateError(model, messages, e,
+                    "Error changing ACA Os Events ignore policy",
+                    "Error updating policy. \n" + e.getMessage());
+        }
+
+        // return the redirect
+        return redirectToSelf(new NoPageParams(), model, attr);
+    }
+
    private void handlePolicyManagerUpdateError(final Map<String, Object> model,
            final PageMessages messages,
            final PolicyManagerException e,
--- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp
+++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp
@ -107,7 +107,19 @@
                                        <label><input id="gptTop" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? 'checked' : ''} value="checked"/> Ignore GPT enabled</label>
                                    </div>
                                    <div class="radio">
-                                        <label><input id="gptBot" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? '' : 'checked'}  value="unchecked"/> Ignore GPT disabled</label>
+                                        <label><input id="gptBot" type="radio" name="ignoreGpt" ${initialData.enableIgnoreGpt ? '' : 'checked'} value="unchecked"/> Ignore GPT disabled</label>
+                                    </div>
+                                </my:editor>
+                            </li>
+                        </form:form>
+                        <form:form method="POST" modelAttribute="initialData" action="policy/update-os-evt-ignore">
+                            <li>Ignore OS Events: ${initialData.enableIgnoreOsEvt ? 'Enabled' : 'Disabled'}
+                                <my:editor id="ignoreOsEvtPolicyEditor" label="Edit Settings">
+                                    <div class="radio">
+                                        <label><input id="osTop" type="radio" name="ignoreOsEvt" ${initialData.enableIgnoreOsEvt ? 'checked' : ''} value="checked"/> Ignore Os Events enabled</label>
+                                    </div>
+                                    <div class="radio">
+                                        <label><input id="osBot" type="radio" name="ignoreOsEvt" ${initialData.enableIgnoreOsEvt ? '' : 'checked'} value="unchecked"/> Ignore Os Events disabled</label>
                                    </div>
                                </my:editor>
                            </li>
--- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
@ -40,6 +40,8 @@ public final class PCRPolicy extends Policy {
    private boolean linuxOs = false;
    @Column(nullable = false)
    private boolean enableIgnoreGpt = true;
+    @Column(nullable = false)
+    private boolean enableIgnoreOsEvt = false;

    private String[] baselinePcrs;

@ -211,6 +213,22 @@ public final class PCRPolicy extends Policy {
        this.enableIgnoreGpt = enableIgnoreGpt;
    }

+    /**
+     * Getter for the Os Events ignore flag.
+     * @return true if Os Events is to be ignored.
+     */
+    public boolean isEnableIgnoreOsEvt() {
+        return enableIgnoreOsEvt;
+    }
+
+    /**
+     * Setter for the Os Evt ignore flag.
+     * @param enableIgnoreOsEvt true if Os Evt is to be ignored.
+     */
+    public void setEnableIgnoreOsEvt(final boolean enableIgnoreOsEvt) {
+        this.enableIgnoreOsEvt = enableIgnoreOsEvt;
+    }
+
    /**
     * Getter for a flag to indicate the type of OS.
     * @return true if the system is linux.
--- a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java
@ -226,6 +226,15 @@ public class SupplyChainPolicy extends Policy {
        return this.pcrPolicy.isEnableIgnoreGpt();
    }

+    /**
+     * Returns whether or not to validate the ignore Os Events on the device.
+     *
+     * @return whether or not to validate the ignore Os Events
+     */
+    public boolean isIgnoreOsEvtEnabled() {
+        return this.pcrPolicy.isEnableIgnoreOsEvt();
+    }
+
    /**
     * Sets whether or not validate the ignore GPT on the device.
     * @param enableIgnoreGpt whether or not to validate the ignore GPT
@ -234,6 +243,14 @@ public class SupplyChainPolicy extends Policy {
        this.pcrPolicy.setEnableIgnoreGpt(enableIgnoreGpt);
    }

+    /**
+     * Sets whether or not validate the ignore Os Events on the device.
+     * @param enableIgnoreOsEvt whether or not to validate the ignore Os Events
+     */
+    public void setIgnoreOsEvtEnabled(final boolean enableIgnoreOsEvt) {
+        this.pcrPolicy.setEnableIgnoreOsEvt(enableIgnoreOsEvt);
+    }
+
    /**
     * Returns whether or not to allow expired credentials and certificates to be considered
     * valid if their supply chain is otherwise verified.