tests/probes/fwupdsecattr: Add tests

Add 2 tests:

A test that would try and use real fwupd service D-Bus API if present
with a HW-neutral kernel-related parameter.

A test that would use a mock of the fwupd service for edge cases.

Author: evgenyz

tests/probes/CMakeLists.txt

@@ -6,6 +6,7 @@ add_subdirectory("fileextendedattribute")
 add_subdirectory("filehash")
 add_subdirectory("filehash58")
 add_subdirectory("filemd5")
+add_subdirectory("fwupdsecattr")
 add_subdirectory("iflisteners")
 add_subdirectory("interface")
 add_subdirectory("isainfo")

tests/probes/fwupdsecattr/CMakeLists.txt

@@ -0,0 +1,7 @@
+if(ENABLE_PROBES_LINUX)
+	if(DBUS_FOUND)
+		add_oscap_test("test_probes_fwupdsecattr.sh")
+		add_oscap_test("test_probes_fwupdsecattr_mock.sh")
+	endif()
+endif()
+

tests/probes/fwupdsecattr/org.freedesktop.fwupd.py

@@ -0,0 +1,33 @@
+# This is a template for D-Bus mock
+# see init_dbus_mock() from test_common.sh.
+# The Exit() method is expected by
+# clean_dbus_mock() from the same file.
+
+__author__ = 'Evgenii Kolesnikov'
+__copyright__ = '''
+(c) 2023 Red Hat Inc.
+'''
+
+import dbus
+
+
+BUS_NAME = 'org.freedesktop.fwupd'
+MAIN_OBJ = '/'
+MAIN_IFACE = 'org.freedesktop.fwupd'
+SYSTEM_BUS = False
+
+
+def load(mock, _parameters):
+    mock.AddMethods(MAIN_IFACE, [
+        ('GetHostSecurityAttrs', '', 'aa{sv}', 'ret = self.SecurityAattrs'),
+        ('Exit', '', '', 'sys.exit()'),
+    ])
+
+    mock.SecurityAattrs = [
+        {
+            'AppstreamId': 'org.fwupd.hsi.Kernel.Lockdown', 'HsiResult': dbus.UInt32(2)
+        },
+        {
+            'AppstreamId': 'org.fwupd.hsi.Kernel.InvalidStatus', 'HsiResult': dbus.UInt32(200)
+        }
+    ]

tests/probes/fwupdsecattr/test_probes_fwupdsecattr.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+
+set -e -o pipefail
+
+function test_probes_fwupdsecattr {
+
+    probecheck "fwupdsecattr" || return 255
+    require_dbus "system" "org.freedesktop.fwupd" "/" || return 255
+
+    # Check if org.freedesktop.fwupd.GetHostSecurityAttrs method
+    # is supported (it might fail, e.g. in hypervisor env).
+    gdbus call --system -d org.freedesktop.fwupd -o / \
+        -m org.freedesktop.fwupd.GetHostSecurityAttrs >/dev/null || return 255
+
+    local ret_val=0
+    local DF="${srcdir}/test_probes_fwupdsecattr.xml"
+    local RF="results.xml"
+
+    [ -f $RF ] && rm -f $RF
+
+    $OSCAP oval eval --results $RF $DF
+
+    if [ -f $RF ]; then
+        verify_results "def" $DF $RF 1 && verify_results "tst" $DF $RF 1
+        ret_val=$?
+    else
+        ret_val=1
+    fi
+
+    return $ret_val
+}
+
+test_probes_fwupdsecattr

tests/probes/fwupdsecattr/test_probes_fwupdsecattr.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
+
+  <generator>
+    <oval:product_name>fwupdsecattr</oval:product_name>
+    <oval:product_version>1.0</oval:product_version>
+    <oval:schema_version>5.11.3</oval:schema_version>
+    <oval:timestamp>2020-02-13T00:00:00-00:00</oval:timestamp>
+  </generator>
+
+  <definitions>
+
+  <definition class="compliance" id="oval:0:def:1" version="1"> <!-- comment="true" -->
+   <metadata>
+    <title>Kernel Lockdown</title>
+    <description>Kernel lockdown is an important mechanism to limit what hardware actions userspace programs can perform.</description>
+   </metadata>
+   <criteria operator="AND">
+    <criterion comment="Kernel Lockdown" test_ref="oval:0:tst:1" />
+   </criteria>
+  </definition>
+
+  </definitions>
+
+  <tests>
+
+  <lin-def:fwupdsecattr_test check="at least one" id="oval:0:tst:1" version="1" comment="true">
+   <lin-def:object object_ref="oval:0:obj:1" />
+   <lin-def:state state_ref="oval:0:ste:1" />
+  </lin-def:fwupdsecattr_test>
+
+  </tests>
+
+  <objects>
+
+  <lin-def:fwupdsecattr_object id="oval:0:obj:1" version="1">
+   <lin-def:stream_id datatype="string">org.fwupd.hsi.Kernel.Lockdown</lin-def:stream_id>
+  </lin-def:fwupdsecattr_object>
+
+  </objects>
+
+  <states>
+
+  <lin-def:fwupdsecattr_state id="oval:0:ste:1" version="1">
+   <lin-def:security_attr datatype="string" operation="pattern match">not-valid|not-enabled</lin-def:security_attr>
+  </lin-def:fwupdsecattr_state>
+
+  </states>
+
+</oval_definitions>

tests/probes/fwupdsecattr/test_probes_fwupdsecattr_mock.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+. $builddir/tests/test_common.sh
+
+set -e -o pipefail
+
+function test_probes_fwupdsecattr {
+
+    probecheck "fwupdsecattr" || return 255
+
+    local ret_val=0
+    local DF="${srcdir}/test_probes_fwupdsecattr_mock.xml"
+    local RF="results.xml"
+    local DBUS_MOCK_NAME="org.freedesktop.fwupd"
+    local stderr=$(mktemp test_probes_fwupdsecattr_mock.err.XXXXXX)
+    echo "stderr file: $stderr"
+
+    [ -f $RF ] && rm -f $RF
+
+    init_dbus_mock $DBUS_MOCK_NAME
+    $OSCAP oval eval --results $RF $DF 2>$stderr
+    clean_dbus_mock $DBUS_MOCK_NAME
+
+    if [ -f $RF ]; then
+        verify_results "def" $DF $RF 1 && verify_results "tst" $DF $RF 1
+        ret_val=$?
+    else
+        ret_val=1
+    fi
+
+    grep -iq "HSI key not found: org.fwupd.hsi.Kernel.InvalidOrNonExisting" $stderr || {
+        ret_val=2
+        echo "Expected warning 'HSI key not found: org.fwupd.hsi.Kernel.InvalidOrNonExisting' is missing!"
+    }
+
+    grep -iq "Unknown/invalid FwupdSecurityAttrResult value: 200" $stderr || {
+        ret_val=2
+        echo "Expected warning 'Unknown/invalid FwupdSecurityAttrResult value: 200' is missing!"
+    }
+
+    return $ret_val
+}
+
+test_probes_fwupdsecattr

tests/probes/fwupdsecattr/test_probes_fwupdsecattr_mock.xml

@@ -0,0 +1,87 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
+
+  <generator>
+    <oval:product_name>fwupdsecattr</oval:product_name>
+    <oval:product_version>1.0</oval:product_version>
+    <oval:schema_version>5.11.3</oval:schema_version>
+    <oval:timestamp>2020-02-13T00:00:00-00:00</oval:timestamp>
+  </generator>
+
+  <definitions>
+
+  <definition class="compliance" id="oval:0:def:1" version="1"> <!-- comment="true" -->
+   <metadata>
+    <title>Kernel Lockdown</title>
+    <description>Kernel lockdown is an important mechanism to limit what hardware actions userspace programs can perform.</description>
+   </metadata>
+   <criteria operator="AND">
+    <criterion comment="Kernel Lockdown" test_ref="oval:0:tst:1" />
+    <criterion comment="Invalid Status" test_ref="oval:0:tst:11" />
+   </criteria>
+  </definition>
+
+  <definition class="compliance" id="oval:0:def:2" version="1"> <!-- comment="unknown" -->
+   <metadata>
+    <title>Unknown</title>
+    <description></description>
+   </metadata>
+   <criteria operator="AND">
+    <criterion comment="Invalid" test_ref="oval:0:tst:2" />
+   </criteria>
+  </definition>
+
+  </definitions>
+
+  <tests>
+
+  <lin-def:fwupdsecattr_test check="at least one" id="oval:0:tst:1" version="1" comment="true">
+   <lin-def:object object_ref="oval:0:obj:1" />
+   <lin-def:state state_ref="oval:0:ste:1" />
+  </lin-def:fwupdsecattr_test>
+
+  <lin-def:fwupdsecattr_test check="at least one" id="oval:0:tst:11" version="1" comment="true">
+   <lin-def:object object_ref="oval:0:obj:11" />
+   <lin-def:state state_ref="oval:0:ste:11" />
+  </lin-def:fwupdsecattr_test>
+
+  <lin-def:fwupdsecattr_test check="at least one" id="oval:0:tst:2" version="1" comment="unknown">
+   <lin-def:object object_ref="oval:0:obj:2" />
+   <lin-def:state state_ref="oval:0:ste:2" />
+  </lin-def:fwupdsecattr_test>
+
+  </tests>
+
+  <objects>
+
+  <lin-def:fwupdsecattr_object id="oval:0:obj:1" version="1">
+   <lin-def:stream_id datatype="string">org.fwupd.hsi.Kernel.Lockdown</lin-def:stream_id>
+  </lin-def:fwupdsecattr_object>
+
+  <lin-def:fwupdsecattr_object id="oval:0:obj:11" version="1">
+   <lin-def:stream_id datatype="string">org.fwupd.hsi.Kernel.InvalidStatus</lin-def:stream_id>
+  </lin-def:fwupdsecattr_object>
+
+  <lin-def:fwupdsecattr_object id="oval:0:obj:2" version="1">
+   <lin-def:stream_id datatype="string">org.fwupd.hsi.Kernel.InvalidOrNonExisting</lin-def:stream_id>
+  </lin-def:fwupdsecattr_object>
+
+  </objects>
+
+  <states>
+
+  <lin-def:fwupdsecattr_state id="oval:0:ste:1" version="1">
+   <lin-def:security_attr datatype="string" operation="pattern match">not-enabled</lin-def:security_attr>
+  </lin-def:fwupdsecattr_state>
+
+  <lin-def:fwupdsecattr_state id="oval:0:ste:11" version="1">
+   <lin-def:security_attr datatype="string" operation="pattern match">invalid-hsi-result</lin-def:security_attr>
+  </lin-def:fwupdsecattr_state>
+
+  <lin-def:fwupdsecattr_state id="oval:0:ste:2" version="1">
+   <lin-def:security_attr datatype="string" operation="pattern match">not-found</lin-def:security_attr>
+  </lin-def:fwupdsecattr_state>
+
+  </states>
+
+</oval_definitions>

tests/test_common.sh.in

@@ -127,7 +127,7 @@ function require {
 # Check if Python module is available. For example:
 # require_python_module 'dbusmock' || return 255
 function require_python_module {
-	eval "python -c \"import $1\" >/dev/null 2>&1"
+	eval "python3 -c \"import $1\" >/dev/null 2>&1"
 	if [ $? -gt 0 ]; then
 		echo -e "No '$1' Python module found!\n"
 		return 255 # Test is not applicable.
@@ -368,7 +368,7 @@ init_dbus_mock() {
 	require_python_module "dbusmock" || return 255
 	require "gdbus" || return 255
 	printf "%s\n" "Initializing D-Bus mock from template: $1.py"
-	python -m dbusmock --template "${srcdir}/$1.py" & disown
+	python3 -m dbusmock --template "${srcdir}/$1.py" & disown
 	# We have to replace system bus address because mock D-Bus
 	# endpoint is created inside the user session
 	export DBUS_SYSTEM_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS
@@ -379,7 +379,7 @@ init_dbus_mock() {
 clean_dbus_mock() {
 	require "gdbus" || return 255
 	printf "%s\n" "Shutting down D-Bus mock: $1"
-	gdbus call --session -d "$1" -o / -m "$1.Exit" || true
+	gdbus call --session -d "$1" -o / -m "$1.Exit" >/dev/null 2>&1 || true
 }
 
 export -f assert_exists