From f799787fcf99b94b6ee32503e5e1f6f24a1ea551 Mon Sep 17 00:00:00 2001
From: Karel Srot
Date: Thu, 31 Oct 2024 15:47:24 +0100
Subject: [PATCH 1/6] Install builddeps and fix entering builddir
---
 .../test.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh b/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
index ac6753ef..280ae475 100755
--- a/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
+++ b/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
@@ -59,8 +59,14 @@ rlJournalStart
 rlLogInfo "Will use agent sources from SRPM"
 rlFetchSrcForInstalled keylime-agent-rust
 rlRun "rpm -i keylime-agent-rust*.src.rpm"
+ rlRun "dnf -y builddep ~/rpmbuild/SPECS/keylime-agent-rust.spec"
 rlRun "rpmbuild -bp ~/rpmbuild/SPECS/keylime-agent-rust.spec --nodeps --define '_builddir $PWD'" 0,1
- rlRun "pushd keylime-agent-rust*build/rust-keylime*"
+ if ls -d keylime-agent-rust*build; then
+ rlRun "pushd keylime-agent-rust*build/rust-keylime*"
+ else
+ rlRun "rm -rf rust-keylime-*SPECPARTS"
+ rlRun "pushd rust-keylime*"
+ fi
 else
 rlLogInfo "Will use agent sources from upstream repo"
 rlRun "git clone ${RUST_KEYLIME_UPSTREAM_URL} ${WORKDIR}/rust-keylime"
From fa8dcf0d94cc9bb4158e3ecd3e7db9a675b197a6 Mon Sep 17 00:00:00 2001
From: Karel Srot
Date: Thu, 12 Dec 2024 13:40:41 +0100
Subject: [PATCH 2/6] Fix regexp syntax error
---
 .../basic-attestation-on-localhost-api-version-bump/test.sh | 2 +-
 setup/generate_coverage_report/patchcov.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh b/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
index 280ae475..2c4f22af 100755
--- a/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
+++ b/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
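Review bot: In PATCH 1/6, `if ls -d keylime-agent-rust*build; then` uses `ls` as an existence test, which writes the listing or an `ls` error into the test log on every run; `if compgen -G 'keylime-agent-rust*build' >/dev/null; then` tests the same thing silently. The `rpmbuild -bp ... --nodeps` line just above accepts exit status 1 (`0,1`), so a failed prep still falls through to `rlRun "rm -rf rust-keylime-*SPECPARTS"` and `rlRun "pushd rust-keylime*"`, both of which glob relative to whatever the current directory happens to be. A short comment stating why status 1 is tolerated, and which directory layout each branch expects, would help. The enclosing `if`/`else` starts and ends outside the hunk.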
@@ -55,7 +55,7 @@ rlJournalStart
 # in this case I am going to use sources from RPM file because
 # I need to use the right version and extra patches from SRPM may
 # be necessary
- if rpm -q keylime-agent-rust; then
+ if rpm -q keylime-agent-rust && rpm -q --qf '%{VENDOR}' keylime-agent-rust | grep -qv 'Fedora Copr - user packit'; then
 rlLogInfo "Will use agent sources from SRPM"
 rlFetchSrcForInstalled keylime-agent-rust
 rlRun "rpm -i keylime-agent-rust*.src.rpm"
diff --git a/setup/generate_coverage_report/patchcov.py b/setup/generate_coverage_report/patchcov.py
index 17038f50..20721fc9 100755
--- a/setup/generate_coverage_report/patchcov.py
+++ b/setup/generate_coverage_report/patchcov.py
@@ -184,7 +184,7 @@ def get_patch_coverage(patch_path, db_path):
 for row in table_context:
 if row[0] in contexts_used:
 prefix = get_test_code(row[0])
- name = re.sub('^.*\/discover\/[^/]*\/tests', '', row[1])
+ name = re.sub(r'^.*/discover/[^/]*/tests', '', row[1])
 print(' {} {}'.format(prefix, name))
 print()
From e4e956171504ad56288f0b7a8409fa33fee6cbbb Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Thu, 19 Dec 2024 18:03:40 +0100
Subject: [PATCH 3/6] Update test to use agent with multiple API version support
Replace the re-compilation of the agent using an older version with a simple reconfigurion of the agent enabling the desired API version.
Signed-off-by: Anderson Toshiyuki Sasaki
---
 .../test.sh | 61 +++++--------------
 1 file changed, 15 insertions(+), 46 deletions(-)
diff --git a/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh b/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
index 2c4f22af..b6e5147a 100755
--- a/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
+++ b/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
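Review bot: In PATCH 2/6 (test.sh), the added test `rpm -q --qf '%{VENDOR}' keylime-agent-rust | grep -qv 'Fedora Copr - user packit'` is not explained by the comment block above it, which still only talks about "not the upstream one", and the commit subject mentions only the regexp fix. I would add a line such as `# packages built by packit in Copr are treated like upstream: use the git checkout, not the SRPM`. The VENDOR tag is just a string in the package header, so this is a heuristic about where the package came from rather than a verified origin; that is acceptable for picking test sources but worth saying in the comment. The body of the `if` continues outside the hunk.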
@@ -11,11 +11,6 @@ rlJournalStart
 rlPhaseStartSetup "Do the keylime setup"
 rlRun 'rlImport "./test-helpers"' || rlDie "cannot import keylime-tests/test-helpers library"
- # install recommend devel packages from CRB if missing
- rpm -q tpm2-tss-devel 2> /dev/null || INSTALL_PKGS="$INSTALL_PKGS tpm2-tss-devel"
- rpm -q libarchive-devel 2> /dev/null || INSTALL_PKGS="$INSTALL_PKGS libarchive-devel"
- rpm -q zeromq-devel 2> /dev/null || INSTALL_PKGS="$INSTALL_PKGS zeromq-devel"
- [ -n "$INSTALL_PKGS" ] && rlRun "dnf --enablerepo \*CRB --enablerepo epel -y install $INSTALL_PKGS"
 rlAssertRpm keylime
 # update /etc/keylime.conf
@@ -48,50 +43,23 @@ rlJournalStart
 WORKDIR=$( mktemp -d -p "/var/tmp" )
 rlPhaseEnd
- rlPhaseStartTest "Compile keylime agent with old API version"
- # Store a backup of the installed binary
- rlRun "rlFileBackup --namespace agent /usr/bin/keylime_agent"
- # check if I am running agent from RPM file, i.e. not the upstream one
- # in this case I am going to use sources from RPM file because
- # I need to use the right version and extra patches from SRPM may
- # be necessary
- if rpm -q keylime-agent-rust && rpm -q --qf '%{VENDOR}' keylime-agent-rust | grep -qv 'Fedora Copr - user packit'; then
- rlLogInfo "Will use agent sources from SRPM"
- rlFetchSrcForInstalled keylime-agent-rust
- rlRun "rpm -i keylime-agent-rust*.src.rpm"
- rlRun "dnf -y builddep ~/rpmbuild/SPECS/keylime-agent-rust.spec"
- rlRun "rpmbuild -bp ~/rpmbuild/SPECS/keylime-agent-rust.spec --nodeps --define '_builddir $PWD'" 0,1
- if ls -d keylime-agent-rust*build; then
- rlRun "pushd keylime-agent-rust*build/rust-keylime*"
- else
- rlRun "rm -rf rust-keylime-*SPECPARTS"
- rlRun "pushd rust-keylime*"
- fi
- else
- rlLogInfo "Will use agent sources from upstream repo"
- rlRun "git clone ${RUST_KEYLIME_UPSTREAM_URL} ${WORKDIR}/rust-keylime"
- rlRun "pushd ${WORKDIR}/rust-keylime"
+ rlPhaseStartTest "Get agent supported versions"
+ rlRun "limeStartAgent"
+ rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
+ mapfile -t SUPPORTED_VERSIONS< <(grep -ohE '> Starting server with API version.*' "$(limeAgentLogfile)" | grep -ohE '[0-9]*\.[0-9]*' | sort -V)
+ if [[ "${#SUPPORTED_VERSIONS[@]}" -lt 2 ]]; then
+ rlFail "Agent supports only one API version: ${SUPPORTED_VERSIONS[*]}"
 fi
- # Get a supported version older than the current
- CURRENT_VERSION="$(grep -E '(^.*API_VERSION.*v)([0-9]+\.[0-9]+)' keylime-agent/src/common.rs | grep -o -E '[0-9]+\.[0-9]+')"
- OLD_VERSION="$(grep -o -E "Supported older API versions: .*" "$(limeVerifierLogfile)" | grep -o -E '[0-9]+\.[0-9]+' | sed -n "1,/^$CURRENT_VERSION\$/ p" | grep -v "^$CURRENT_VERSION\$" | tail -1)"
-
- # Replace the API version to fake an older version
- rlRun "cp keylime-agent/src/common.rs keylime-agent/src/common.rs.backup"
- rlRun "sed -i -E \"s/(^.*API_VERSION.*v)([0-9]+\.[0-9]+)/\1$OLD_VERSION/\" keylime-agent/src/common.rs"
- rlRun "diff keylime-agent/src/common.rs.backup keylime-agent/src/common.rs" 1
- # Replace agent binary
- rlRun "cargo build"
+ rlLog "Agent supported versions: ${SUPPORTED_VERSIONS[*]}"
+ OLD_VERSION=${SUPPORTED_VERSIONS[0]}
+ LATEST_VERSION=${SUPPORTED_VERSIONS[${#SUPPORTED_VERSIONS[@]} -1]}
 rlRun "limeStopAgent"
- BUILDDIR=$PWD
- rlRun "cp ${BUILDDIR}/target/debug/keylime_agent /usr/bin/keylime_agent"
- rlRun "popd"
 rlPhaseEnd
 rlPhaseStartTest "Add keylime agent with old API version"
+ rlRun "limeUpdateConf agent api_versions \"\\\"${OLD_VERSION}\\\"\""
 rlRun "limeStartAgent"
- rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
- rlAssertGrep "Starting server with API version v${OLD_VERSION}" "$(limeAgentLogfile)" -E
+ rlAssertGrep "Starting server with API versions: ${OLD_VERSION}$" "$(limeAgentLogfile)" -E
 rlRun "cat > script.expect <<_EOF
 set timeout 20
 spawn keylime_tenant -v 127.0.0.1 -t 127.0.0.1 -u $AGENT_ID --verify --runtime-policy policy.json --cert default -c add
@@ -108,8 +76,9 @@ _EOF"
 rlPhaseStartTest "Verify that API version is automatically bumped"
 rlRun "limeStopAgent"
- rlRun "rlFileRestore --namespace agent"
+ rlRun "limeUpdateConf agent api_versions \"\\\"${LATEST_VERSION}\\\"\""
 rlRun "limeStartAgent"
+ rlAssertGrep "Starting server with API versions: ${LATEST_VERSION}$" "$(limeAgentLogfile)" -E
 rlRun "rlWaitForCmd 'tail \$(limeVerifierLogfile) | grep -q \"Agent $AGENT_ID API version updated\"' -m 10 -d 1 -t 10"
 rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
 rlRun -s "keylime_tenant -c cvlist"
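Review bot: In PATCH 3/6, the `Get agent supported versions` phase calls `rlFail` when fewer than two versions are parsed, but `rlFail` only records the failure, so the script goes on to set `OLD_VERSION` and `LATEST_VERSION` from the same element or from an empty array. The later downgrade phase asserts on a "lower or equal to previous version" warning, so with equal versions it would pass without ever presenting a lower version to the verifier. I would stop here with `rlDie "Agent supports only one API version: ${SUPPORTED_VERSIONS[*]}"` and de-duplicate the parsed list with `sort -uV`, since repeated log lines would otherwise satisfy the `-lt 2` test with two copies of one version. The removed code took the old version from the verifier log; whether the verifier accepts the agent's lowest version is no longer checked, which may be intended but deserves a comment.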
@@ -118,8 +87,9 @@ _EOF"
 rlPhaseStartTest "Verify that API version downgrade is not allowed"
 rlRun "limeStopAgent"
- rlRun "cp ${BUILDDIR}/target/debug/keylime_agent /usr/bin/keylime_agent"
+ rlRun "limeUpdateConf agent api_versions \"\\\"${OLD_VERSION}\\\"\""
 rlRun "limeStartAgent"
+ rlAssertGrep "Starting server with API versions: ${OLD_VERSION}$" "$(limeAgentLogfile)" -E
 rlRun "limeWaitForAgentStatus $AGENT_ID '(Failed|Invalid Quote)'"
 rlAssertGrep "WARNING - Agent $AGENT_ID API version $OLD_VERSION is lower or equal to previous version" "$(limeVerifierLogfile)"
 rlAssertGrep "WARNING - Agent $AGENT_ID failed, stopping polling" "$(limeVerifierLogfile)"
@@ -127,7 +97,6 @@ _EOF"
 rlPhaseStartCleanup "Do the keylime cleanup"
 rlRun "limeStopAgent"
- rlRun "rlFileRestore --namespace agent"
 rlRun "limeStopRegistrar"
 rlRun "limeStopVerifier"
 if limeTPMEmulated; then
From 02f6dc68a062d6760042421f779bd896037f24f9 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Tue, 14 Jan 2025 10:31:37 +0100
Subject: [PATCH 4/6] api-version-bump: Adjust regex to require version numbers
Replace '*' with '+' to require at least a digit in the version numbers.
Signed-off-by: Anderson Toshiyuki Sasaki
---
 .../basic-attestation-on-localhost-api-version-bump/test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh b/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
index b6e5147a..e35a80da 100755
--- a/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
+++ b/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
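Review bot: In the `Verify that API version downgrade is not allowed` phase of PATCH 3/6, the added `rlAssertGrep "Starting server with API versions: ${OLD_VERSION}$" ...` searches the whole agent log, and the earlier `Add keylime agent with old API version` phase already produced exactly that line. If `limeStartAgent` appends to the same log file (not visible in this patch), the assertion passes even when the agent did not come up with the old version, which weakens the precondition of the downgrade check. Matching only lines written after the restart would make it meaningful, e.g. `LOG_LINES=$(wc -l < "$(limeAgentLogfile)")` before `limeStartAgent` and then `rlRun "tail -n +$((LOG_LINES+1)) $(limeAgentLogfile) | grep -E 'Starting server with API versions: ${OLD_VERSION}$'"`. The unescaped `.` in the version also matches any character under `-E`.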
@@ -46,7 +46,7 @@ rlJournalStart
 rlPhaseStartTest "Get agent supported versions"
 rlRun "limeStartAgent"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
- mapfile -t SUPPORTED_VERSIONS< <(grep -ohE '> Starting server with API version.*' "$(limeAgentLogfile)" | grep -ohE '[0-9]*\.[0-9]*' | sort -V)
+ mapfile -t SUPPORTED_VERSIONS< <(grep -ohE '> Starting server with API version.*' "$(limeAgentLogfile)" | grep -ohE '[0-9]+\.[0-9]+' | sort -V)
 if [[ "${#SUPPORTED_VERSIONS[@]}" -lt 2 ]]; then
 rlFail "Agent supports only one API version: ${SUPPORTED_VERSIONS[*]}"
 fi
From a9a45acac96c869a1599f0d7fd44ac39d4f9e001 Mon Sep 17 00:00:00 2001
From: Karel Srot
Date: Mon, 17 Feb 2025 21:56:58 +0100
Subject: [PATCH 5/6] Wait 3 seconds before checking agent log
---
 .../basic-attestation-on-localhost-api-version-bump/test.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh b/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
index e35a80da..1629df9c 100755
--- a/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
+++ b/compatibility/basic-attestation-on-localhost-api-version-bump/test.sh
@@ -59,6 +59,7 @@ rlJournalStart
 rlPhaseStartTest "Add keylime agent with old API version"
 rlRun "limeUpdateConf agent api_versions \"\\\"${OLD_VERSION}\\\"\""
 rlRun "limeStartAgent"
+ sleep 3
 rlAssertGrep "Starting server with API versions: ${OLD_VERSION}$" "$(limeAgentLogfile)" -E
 rlRun "cat > script.expect <<_EOF
 set timeout 20
@@ -78,6 +79,7 @@ _EOF"
 rlRun "limeStopAgent"
 rlRun "limeUpdateConf agent api_versions \"\\\"${LATEST_VERSION}\\\"\""
 rlRun "limeStartAgent"
+ sleep 3
 rlAssertGrep "Starting server with API versions: ${LATEST_VERSION}$" "$(limeAgentLogfile)" -E
 rlRun "rlWaitForCmd 'tail \$(limeVerifierLogfile) | grep -q \"Agent $AGENT_ID API version updated\"' -m 10 -d 1 -t 10"
 rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
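Review bot: The `sleep 3` added before each `rlAssertGrep` in PATCH 5/6 (in the old-version and auto-bump phases here, and again in the downgrade phase in the next hunk) is a fixed delay: it slows every run and still fails on a host where the agent needs longer to write its startup line. The script already polls the verifier log with `rlWaitForCmd`, and the same form fits here, e.g. `rlRun "rlWaitForCmd 'grep -qE \"Starting server with API versions: ${OLD_VERSION}\$\" \$(limeAgentLogfile)' -m 10 -d 1 -t 10"`. If the fixed sleep stays, a comment such as `# give the agent time to write its startup banner to the log` would tell the next reader what it waits for.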
@@ -89,6 +91,7 @@ _EOF"
 rlRun "limeStopAgent"
 rlRun "limeUpdateConf agent api_versions \"\\\"${OLD_VERSION}\\\"\""
 rlRun "limeStartAgent"
+ sleep 3
 rlAssertGrep "Starting server with API versions: ${OLD_VERSION}$" "$(limeAgentLogfile)" -E
 rlRun "limeWaitForAgentStatus $AGENT_ID '(Failed|Invalid Quote)'"
 rlAssertGrep "WARNING - Agent $AGENT_ID API version $OLD_VERSION is lower or equal to previous version" "$(limeVerifierLogfile)"
From e843fe9d15f21a334d0307062c44d43c707863fe Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Thu, 20 Feb 2025 12:13:51 +0100
Subject: [PATCH 6/6] Enable compatibility tests
Signed-off-by: Anderson Toshiyuki Sasaki
---
 plans/distribution-fedora-keylime.fmf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plans/distribution-fedora-keylime.fmf b/plans/distribution-fedora-keylime.fmf
index 6b057cbf..127a60cb 100644
--- a/plans/distribution-fedora-keylime.fmf
+++ b/plans/distribution-fedora-keylime.fmf
@@ -27,6 +27,7 @@ discover:
 - /setup/inject_SELinux_AVC_check
 - "^/functional/.*"
 - "^/regression/.*"
+ - "^/compatibility/.*"
 execute:
 how: tmt