New scenario with keylime tenant in container

New scenario with keylime tenant in container. Add new limecon function which prepare, build and manage tenant container.
RedHat-SP-Security · Jul 3, 2023 · 25d8478 · 25d8478
1 parent 627cb17
commit 25d8478
Show file tree

Hide file tree

Showing 4 changed files with 320 additions and 17 deletions.
diff --git a/Library/test-helpers/Dockerfile.tenant b/Library/test-helpers/Dockerfile.tenant
@@ -0,0 +1,9 @@
+FROM quay.io/centos/centos:stream9
+COPY id_*.pub /root/
+COPY lime_con_start.sh /usr/local/bin/lime_con_start
+RUN dnf install -y keylime-agent-rust util-linux-core openssh openssh-server which && \
+  dnf clean all && \
+  ssh-keygen -A && mkdir -p /root/.ssh && \
+  cat /root/id_*.pub > /root/.ssh/authorized_keys && \
+  chmod 700 /root/.ssh/authorized_keys && \
+  chmod a+x /usr/local/bin/lime_con_start
diff --git a/Library/test-helpers/lib.sh b/Library/test-helpers/lib.sh
@@ -1134,10 +1134,18 @@ true <<'=cut'
 Run 'keylime_tenant -c status' wrapper repeatedly up to TIMEOUT seconds
 until the expected agent status is returned.
 
-    limeWaitForAgentStatus UUID STATUS [TIMEOUT]
+    limeWaitForAgentStatus [--container] [NAME] UUID STATUS [TIMEOUT]
 
 =over
 
+=item
+
+    --container - Option specify to run wait of agent status via tenant in container.
+
+=item
+
+    NAME - Specify name of the container, where run tenant.
+
 =item
 
     UUID - Agent UUID to query the status for.
@@ -1158,6 +1166,10 @@ Returns 0 when the start was successful, 1 otherwise.
 
 limeWaitForAgentStatus() {
     local TIMEOUT=${limeTIMEOUT}
+    if [ "$1" == "--container" ]; then
+        local NAME="$2"
+        shift 2
+    fi
     local UUID="$1"
     local STATUS="$2"
     local OUTPUT=`mktemp`
@@ -1166,32 +1178,44 @@ limeWaitForAgentStatus() {
     [ -n "$3" ] && TIMEOUT=$3
 
     for I in `seq $TIMEOUT`; do
-        keylime_tenant -c status -u $UUID &> $OUTPUT
-	if grep -E -q "\"operational_state\": \"$STATUS\"" $OUTPUT; then
-            cat $OUTPUT
-	    rm $OUTPUT
-	    return 0
-	fi
-        sleep 1
+	    if [ -n "$NAME" ]; then
+            podman exec -i $NAME keylime_tenant -c status -u $UUID &> $OUTPUT
+	    else
+	        keylime_tenant -c status -u $UUID &> $OUTPUT
+	    fi
+	    if grep -E -q "\"operational_state\": \"$STATUS\"" $OUTPUT; then
+	        cat $OUTPUT
+	        rm $OUTPUT
+	        return 0
+	    fi
+    sleep 1
     done
     cat $OUTPUT
     rm $OUTPUT
     return 1
 }
 
-
 true <<'=cut'
 =pod
 
 =head2 limeWaitForAgentRegistration
 
 Run 'keylime_tenant -c regstatus' wrapper repeatedly up to TIMEOUT seconds
-until the expected agent is registered.
+until the expected agent is registered. With specifying --container can be run 
+in tenant container.
 
-    limeWaitForAgentRegistration UUID [TIMEOUT]
+    limeWaitForAgentRegistration [--container] [NAME] UUID [TIMEOUT]
 
 =over
 
+=item
+
+    --container - Option specify to run wait of agent registration via tenant in container.
+
+=item
+
+    NAME - Specify name of the container, where run tenant.
+
 =item
 
     UUID - Agent UUID to query the status for.
@@ -1208,19 +1232,27 @@ Returns 0 when the start was successful, 1 otherwise.
 
 limeWaitForAgentRegistration() {
     local TIMEOUT=${limeTIMEOUT}
+    if [ "$1" == "--container" ]; then
+        local NAME="$2"
+        shift 2
+    fi
     local UUID="$1"
     local OUTPUT=`mktemp`
     [ -z "$1" ] && return 3
     [ -n "$2" ] && TIMEOUT=$2
 
     for I in `seq $TIMEOUT`; do
-        keylime_tenant -c regstatus -u $UUID &> $OUTPUT
-	if grep -q "Agent $UUID exists on registrar" $OUTPUT; then
+        if [ -n "$NAME" ]; then
+            podman exec -i $NAME keylime_tenant -c regstatus -u $UUID &> $OUTPUT
+        else
+	        keylime_tenant -c regstatus -u $UUID &> $OUTPUT
+        fi
+        if grep -q "Agent $UUID exists on registrar" $OUTPUT; then
             cat $OUTPUT
-	    rm $OUTPUT
-	    return 0
-	fi
-        sleep 1
+	        rm $OUTPUT
+	        return 0
+	    fi
+    sleep 1
     done
     cat $OUTPUT
     rm $OUTPUT
@@ -2217,6 +2249,50 @@ limeconRunSystemd() {
 true <<'=cut'
 =pod
 
+=head2 limeconRunTenant
+
+Tenant container run via podman with specified parameters.
+
+    limeconRunTenant NAME TAG IP NETWORK
+
+=item NAME
+
+Set name of container.
+
+=item TAG
+
+Name of image tag.
+
+=item IP
+
+IP address of container.
+
+=item NETWORK
+
+Name of used podman network.
+
+=back
+
+Returns 0.
+
+=cut
+
+limeconRunTenant() {
+
+    local NAME=$1
+    local TAG=$2
+    local IP=$3
+    local NETWORK=$4
+
+    limeconRun $NAME $TAG $IP $NETWORK "/sbin/init" "--volume=/etc/keylime/:/etc/keylime/"
+
+    #copy necesary cert files for tenant to /var/lib/keylime
+    podman exec -d $NAME cp -r /mnt/cv_ca /var/lib/keylime/
+}
+
+true <<'=cut'
+=pod
+
 =head2 limeconRunVerifier
 
 Container run via podman with specified parameters.
@@ -2358,6 +2434,43 @@ limeconSubmitLogs() {
     done
 }
 
+true <<'=cut'
+=pod
+
+=head2 limeconTenant
+
+Run tenant in container with specified arguments.
+
+    limeconStop NAME [-d] ARGS
+
+=over
+
+=item NAME
+
+Name of the container in which is run keylime_tenant.
+
+Returns 0.
+
+=item ARGS
+
+Arguments for keylime_tenant CLI.
+
+Returns 0.
+
+=cut
+
+limeconTenant() {
+
+    local NAME=$1
+    if [ "$2" == "-d" ]; then
+        local MODE="-d"
+        shift
+    fi
+    local ARG=$2
+
+    podman exec $MODE $NAME keylime_tenant $ARG
+}
+
 
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #   Initialization

diff --git a/container/functional/keylime_all_in_container-basic-attestation/main.fmf b/container/functional/keylime_all_in_container-basic-attestation/main.fmf
@@ -0,0 +1,28 @@
+summary: Tests basic keylime attestation scenario for all keylime component in containers
+description: |
+    Running agents,verifier and registrar and tenant in containers.
+    Every container uses certificates generated by keylime verifier.
+    Build container image for agent, verifier,registrar and tenant.
+    Starts verifier, registrar in container.
+    Setup agent conf for agent.
+    Run container with agent.
+    Register agent by verifier.
+    Verifiers that container passed with agent attestation.
+    Do changes in scripts monitored by agent and confirm that agent fail attestation accordingly.
+contact: Patrik Koncity <[email protected]>
+tag:
+  - container
+component:
+  - keylime
+test: ./test.sh
+framework: beakerlib
+require:
+  - yum
+  - podman
+  - nmap
+recommend:
+  - keylime
+duration: 10m
+enabled: true
+extra-nitrate: TC#0614624
+id: d36f0263-0c8a-4615-bdf4-7b80bf870fe3