Merge pull request #21121 from paolostivanin/p175135

Update security tests to work with SLES 16

tests/console/firewalld.pm

@@ -361,6 +361,8 @@ sub test_default_backend {
 sub run {
     select_serial_terminal;
 
+    zypper_call('in iptables') if is_sle('>=16');
+
     # Check Service State, enable it if necessary, set default zone to public
     pre_test;
 

tests/console/mdadm.pm

@@ -14,17 +14,21 @@ use base 'consoletest';
 use testapi;
 use Utils::Logging 'save_and_upload_log';
 use serial_terminal 'select_serial_terminal';
+use utils 'zypper_call';
 use version_utils 'is_sle';
 use strict;
 use warnings;
 
 sub run {
     select_serial_terminal;
-    my $timeout = 360;
+
+    zypper_call('in mdadm');
 
     record_info("mdadm build", script_output("rpm -q --qf '%{version}-%{release}' mdadm"));
 
     assert_script_run 'wget ' . data_url('qam/mdadm.sh');
+
+    my $timeout = 360;
     if (is_sle('<15')) {
         if (script_run('bash mdadm.sh |& tee mdadm.log; if [ ${PIPESTATUS[0]} -ne 0 ]; then false; fi', $timeout)) {
             record_soft_failure 'bsc#1105628';

tests/fips/strongswan/strongswan_client.pm

@@ -58,15 +58,14 @@ sub run {
     mutex_create('STRONGSWAN_HOST2_UP');
     mutex_wait('STRONGSWAN_HOST1_SERVER_START');
 
-    # Start stronswan daemon
-    assert_script_run('rcstrongswan start');
+    systemctl 'start strongswan';
 
     # Establish the ipsec tunnel
     assert_script_run('ipsec up host-host');
 
     mutex_create('STRONGSWAN_HOST2_START');
 
-    validate_script_output('rcstrongswan status', sub { m/Active: active/ });
+    systemctl 'is-active strongswan';
 
     validate_script_output('ipsec status', sub { m/Routed Connections/ && m/host-host\{\d\}:\s+$local_ip\/32\s===\s$remote_ip\/32/ && m/Security Associations.*1 up/ });
 

tests/fips/strongswan/strongswan_server.pm

@@ -17,12 +17,13 @@ use warnings;
 use utils;
 use lockapi;
 use mmapi qw(wait_for_children get_children);
-use version_utils 'package_version_cmp';
+use version_utils qw(package_version_cmp is_sle);
 
 sub run {
     my $self = shift;
     select_console 'root-console';
     zypper_call 'in strongswan strongswan-hmac tcpdump';
+    zypper_call 'in strongswan-mysql strongswan-sqlite wget' if is_sle('>=16');
 
     my $test_dir = '/root/strongswan';
     my $ca_pem = 'ca.pem';
@@ -43,8 +44,8 @@ sub run {
     }
 
     # Integrate hkdf function test
-    # POO: https://progress.opensuse.org/issues/111581
-    validate_script_output('rpm -q strongswan --changelog', sub { m/bsc#1195919/ });
+    # on SLE >= 15 we have version 5.8.x or greater, which includes the fix.
+    validate_script_output('rpm -q strongswan --changelog', sub { m/bsc#1195919/ }) if is_sle('<15');
     assert_script_run('openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -hexdump');
     assert_script_run('openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_ONLY -hexdump');
     assert_script_run('openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_AND_EXPAND -hexdump');
@@ -100,18 +101,18 @@ sub run {
     # Edit /etc/ipsec.secrets
     assert_script_run('echo ": RSA host1.pem" >> /etc/ipsec.secrets');
 
-    # Start stronswan daemon
-    assert_script_run('rcstrongswan start');
+    systemctl 'start strongswan';
 
     mutex_create('STRONGSWAN_HOST1_SERVER_START');
 
     mutex_wait('STRONGSWAN_HOST2_START', (keys %$children)[0]);
 
-    validate_script_output('rcstrongswan status', sub { m/Active: active/ });
+    systemctl 'is-active strongswan';
 
     # Check the tcpdump result
     my $tcpdump_log_file = '/tmp/tcpdump.log';
-    my $pid = background_script_run("tcpdump -n -i eth0 -e \"esp\" -vv > $tcpdump_log_file 2>&1");
+    my $net_device = script_output("ip route | awk '/default/ {print \$5}'");
+    my $pid = background_script_run("tcpdump -n -i $net_device -e \"esp\" -vv > $tcpdump_log_file 2>&1");
     mutex_create('TCPDUMP_READY');
     mutex_wait('PING_DONE', (keys %$children)[0]);
     assert_script_run("kill -15 $pid");

tests/fips/stunnel.pm

@@ -20,17 +20,20 @@ use version_utils 'package_version_cmp';
 my $hostname = get_var('HOSTNAME');
 # Set vnc password
 my $message = 'Hello from the server';
+# Set stunnel dir
+my $stunnel_chroot_dir = "/var/run/stunnel";
 
 sub conf_stunnel_netcat {
     my $stunnel_config = <<EOF;
-client = no
-chroot = /var/lib/stunnel/
-pid = /var/run/stunnel.pid
+chroot = $stunnel_chroot_dir
+pid = /stunnel.pid
 socket = l:TCP_NODELAY=1
 socket = r:TCP_NODELAY=1
+
+client = no
 cert = /etc/stunnel/stunnel.pem
 
-fips =yes
+fips = yes
 
 [NETCAT]
 accept = 15905
@@ -41,18 +44,16 @@ EOF
         assert_script_run q(sed -i 's/^client = no/client = yes/' /etc/stunnel/stunnel.conf);
         assert_script_run q(sed -i 's/^connect = 5905/connect = 10.0.2.101:15905/' /etc/stunnel/stunnel.conf);
     }
-    assert_script_run('chown -R stunnel:nogroup /var/lib/stunnel');
+    assert_script_run("mkdir -p $stunnel_chroot_dir");
+    assert_script_run("chown -R stunnel:nogroup $stunnel_chroot_dir");
     systemctl('start stunnel');
     systemctl('is-active stunnel');
-    assert_script_run q(grep 'stunnel:.*FIPS mode enabled' /var/log/messages);
+    assert_script_run q(systemctl status stunnel | grep "FIPS mode enabled");
 }
 
 sub run {
     select_console 'root-console';
-    # Package version check
-    my $pkg_list = {stunnel => '5.62'};
-    zypper_call("in " . join(' ', keys %$pkg_list));
-    package_upgrade_check($pkg_list);
+    zypper_call("in stunnel netcat-openbsd");
     if ($hostname =~ /server|master/) {
         # Generate a self-signed certificate
         assert_script_run('mkdir stunnel_fips; cd stunnel_fips');
@@ -62,6 +63,7 @@ q(openssl req -new -x509 -newkey rsa:2048 -keyout stunnel.key -days 356 -out stu
         assert_script_run('cat stunnel.key stunnel.crt > stunnel.pem');
         # Copy the certificate to "/etc/stunnel"
         assert_script_run('cp stunnel.pem /etc/stunnel; cd');
+        assert_script_run('chmod 600  /etc/stunnel/stunnel.pem');
         # Configure stunnel file
         conf_stunnel_netcat;
         # Add lock for client
@@ -70,8 +72,7 @@ q(openssl req -new -x509 -newkey rsa:2048 -keyout stunnel.key -days 356 -out stu
         assert_script_run("echo $message|nc -l 127.0.0.1 5905", timeout => 300);
         # Finish job
         wait_for_children;
-    }
-    else {
+    } else {
         mutex_wait('stunnel');
         # Copy the certificate from server
         exec_and_insert_password('scp -o StrictHostKeyChecking=no root@10.0.2.101:/etc/stunnel/stunnel.pem /etc/stunnel');

tests/security/dm_crypt.pm

@@ -13,10 +13,13 @@ use base "consoletest";
 use testapi;
 use serial_terminal 'select_serial_terminal';
 use utils;
+use version_utils 'is_sle';
 
 sub run {
     select_serial_terminal;
 
+    zypper_call('in cryptsetup');
+
     my $crypt_pass = "dm#*crypt_iYBJY_rIekeV123";
     my $crypt_tmp = "/tmp/foo";
     my $crypt_dev = "foo";
@@ -35,25 +38,24 @@ sub run {
             my $check = script_run "grep '$i' $bench_log | grep -E -v 'N\/A\\s+N\/A'";
             die "$i should not be supported anywhere!" if ($check eq 0);
         }
-    }
-    elsif ($ret) {
+    } elsif ($ret) {
         die "Benchmark failed with return value $ret";
     }
 
     # Here we check the ciphers in the practice with LUKS support, since
     # cryptsetup benchmark does not support cipher+hash combination as a
     # parameter
-    assert_script_run "dd if=/dev/urandom of=$crypt_tmp bs=4M count=3";
+    assert_script_run "dd if=/dev/urandom of=$crypt_tmp bs=4M count=25";
 
     my @check_list = (
-        {name => "aes", mode => "xts-plain64", hash => "sha1"},
         {name => "aes", mode => "xts-plain64", hash => "md5", no_support => 1},
         {name => "aes", mode => "xts-plain64", hash => "sha256"},
         {name => "aes", mode => "xts-plain", hash => "sha512"},
         {name => "aes", mode => "cbc-plain64", hash => "sha256"},
         {name => "serpent", mode => "xts-plain64", hash => "sha256", no_fips => 1},
         {name => "twofish", mode => "cbc-plain64", hash => "sha1", no_fips => 1},
     );    # Not all the combinations will be checked here
+    push @check_list, {name => "aes", mode => "xts-plain64", hash => "sha1"} if is_sle('<16');
 
     foreach my $c (@check_list) {
         my $cipher = "@$c{name}-@$c{mode}";
@@ -64,20 +66,24 @@ sub run {
             die "$cipher with @$c{hash} verification failed";
         }
 
-        validate_script_output "cryptsetup luksDump $crypt_tmp", sub {
-            m/
-            Cipher\sname:\s+@$c{name}.*
-            Cipher\smode:\s+@$c{mode}.*
-            Hash\sspec:\s+@$c{hash}/sxx
-        };
+        if (is_sle('>=16')) {
+            validate_script_output "cryptsetup luksDump $crypt_tmp", sub {
+                m/
+                .*Cipher:\s+@$c{name}-@$c{mode}.*
+                .*AF\shash:\s+@$c{hash}/sxx
+            };
+        } else {
+            validate_script_output "cryptsetup luksDump $crypt_tmp", sub {
+                m/
+                Cipher\sname:\s+@$c{name}.*
+                Cipher\smode:\s+@$c{mode}.*
+                Hash\sspec:\s+@$c{hash}/sxx
+            };
+        }
 
         assert_script_run "echo -e $crypt_pass | cryptsetup -q luksOpen $crypt_tmp $crypt_dev";
         assert_script_run "cryptsetup luksClose $crypt_dev";
     }
 }
 
-sub test_flags {
-    return {always_rollback => 1};
-}
-
 1;

tests/security/vsftpd/vsftpd_setup.pm

@@ -29,7 +29,7 @@ sub run {
     zypper_call("in vsftpd expect openssl wget");
 
     # Create self-signed certificate
-    assert_script_run("mkdir $vsftpd_path && cd $vsftpd_path");
+    assert_script_run("(test -d $vsftpd_path || mkdir $vsftpd_path) && cd $vsftpd_path");
     assert_script_run "expect -c 'spawn openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $key_file -out $cert_file;
 expect \"Country Name (2 letter code) \\[AU\\]\"; send \"DE\\r\";
 expect \"State or Province Name (full name) \\[Some-State\\]:\"; send \"Nuremberg\\r\";