| blob | 76cfe670a2d7a95f62d8e3ad009df9e89ab9624d |
1 Then /^the shipped Tails signing key is not outdated$/ do
2 # "old" here is w.r.t. the one we fetch from Tails' website
3 next if @skip_steps_while_restoring_background
4 sig_key_fingerprint = "0D24B36AA9A2A651787876451202821CBE2CD9C1"
5 fresh_sig_key = "/tmp/tails-signing.key"
6 tmp_keyring = "/tmp/tmp-keyring.gpg"
7 key_url = "https://tails.boum.org/tails-signing.key"
8 @vm.execute("curl --silent --socks5-hostname localhost:9062 " +
9 "#{key_url} -o #{fresh_sig_key}", $live_user)
10 @vm.execute("gpg --batch --no-default-keyring --keyring #{tmp_keyring} " +
11 "--import #{fresh_sig_key}", $live_user)
12 fresh_sig_key_info =
13 @vm.execute("gpg --batch --no-default-keyring --keyring #{tmp_keyring} " +
14 "--list-key #{sig_key_fingerprint}", $live_user).stdout
15 shipped_sig_key_info = @vm.execute("gpg --batch --list-key #{sig_key_fingerprint}",
16 $live_user).stdout
17 assert_equal(fresh_sig_key_info, shipped_sig_key_info,
18 "The Tails signing key shipped inside Tails is outdated:\n" +
19 "Shipped key:\n" +
20 shipped_sig_key_info +
21 "Newly fetched key from #{key_url}:\n" +
22 fresh_sig_key_info)
23 end
25 Then /^the live user has been setup by live\-boot$/ do
26 next if @skip_steps_while_restoring_background
27 assert(@vm.execute("test -e /var/lib/live/config/user-setup").success?,
28 "live-boot failed its user-setup")
29 actual_username = @vm.execute(". /etc/live/config/username.conf; " +
30 "echo $LIVE_USERNAME").stdout.chomp
31 assert_equal($live_user, actual_username)
32 end
34 Then /^the live user is a member of only its own group and "(.*?)"$/ do |groups|
35 next if @skip_steps_while_restoring_background
36 expected_groups = groups.split(" ") << $live_user
37 actual_groups = @vm.execute("groups #{$live_user}").stdout.chomp.sub(/^#{$live_user} : /, "").split(" ")
38 unexpected = actual_groups - expected_groups
39 missing = expected_groups - actual_groups
40 assert_equal(0, unexpected.size,
41 "live user in unexpected groups #{unexpected}")
42 assert_equal(0, missing.size,
43 "live user not in expected groups #{missing}")
44 end
46 Then /^the live user owns its home dir and it has normal permissions$/ do
47 next if @skip_steps_while_restoring_background
48 home = "/home/#{$live_user}"
49 assert(@vm.execute("test -d #{home}").success?,
50 "The live user's home doesn't exist or is not a directory")
51 owner = @vm.execute("stat -c %U:%G #{home}").stdout.chomp
52 perms = @vm.execute("stat -c %a #{home}").stdout.chomp
53 assert_equal("#{$live_user}:#{$live_user}", owner)
54 assert_equal("700", perms)
55 end
57 Given /^I wait between (\d+) and (\d+) seconds$/ do |min, max|
58 next if @skip_steps_while_restoring_background
59 time = rand(max.to_i - min.to_i + 1) + min.to_i
60 puts "Slept for #{time} seconds"
61 sleep(time)
62 end
64 Then /^no unexpected services are listening for network connections$/ do
65 next if @skip_steps_while_restoring_background
66 netstat_cmd = @vm.execute("netstat -ltupn")
67 assert netstat_cmd.success?
68 for line in netstat_cmd.stdout.chomp.split("\n") do
69 splitted = line.split(/[[:blank:]]+/)
70 proto = splitted[0]
71 if proto == "tcp"
72 proc_index = 6
73 elsif proto == "udp"
74 proc_index = 5
75 else
76 next
77 end
78 laddr, lport = splitted[3].split(":")
79 proc = splitted[proc_index].split("/")[1]
80 # Services listening on loopback is not a threat
81 if /127(\.[[:digit:]]{1,3}){3}/.match(laddr).nil?
82 if $services_expected_on_all_ifaces.include? [proc, laddr, lport] or
83 $services_expected_on_all_ifaces.include? [proc, laddr, "*"]
84 puts "Service '#{proc}' is listening on #{laddr}:#{lport} " +
85 "but has an exception"
86 else
87 raise "Unexpected service '#{proc}' listening on #{laddr}:#{lport}"
88 end
89 end
90 end
91 end
93 When /^Tails has booted a 64-bit kernel$/ do
94 next if @skip_steps_while_restoring_background
95 assert(@vm.execute("uname -r | grep -qs 'amd64$'").success?,
96 "Tails has not booted a 64-bit kernel.")
97 end
99 Then /^the VirtualBox guest modules are available$/ do
100 next if @skip_steps_while_restoring_background
101 assert(@vm.execute("modinfo vboxguest").success?,
102 "The vboxguest module is not available.")
103 end
105 def shared_pdf_dir_on_guest
106 "/tmp/shared_pdf_dir"
107 end
109 Given /^I setup a filesystem share containing a sample PDF$/ do
110 next if @skip_steps_while_restoring_background
111 @vm.add_share($misc_files_dir, shared_pdf_dir_on_guest)
112 end
114 Then /^MAT can clean some sample PDF file$/ do
115 next if @skip_steps_while_restoring_background
116 for pdf_on_host in Dir.glob("#{$misc_files_dir}/*.pdf") do
117 pdf_name = File.basename(pdf_on_host)
118 pdf_on_guest = "/home/#{$live_user}/#{pdf_name}"
119 step "I copy \"#{shared_pdf_dir_on_guest}/#{pdf_name}\" to \"#{pdf_on_guest}\" as user \"#{$live_user}\""
120 @vm.execute("mat --display '#{pdf_on_guest}'",
121 $live_user).stdout
122 check_before = @vm.execute("mat --check '#{pdf_on_guest}'",
123 $live_user).stdout
124 if check_before.include?("#{pdf_on_guest} is clean")
125 STDERR.puts "warning: '#{pdf_on_host}' is already clean so it is a " +
126 "bad candidate for testing MAT"
127 end
128 @vm.execute("mat '#{pdf_on_guest}'", $live_user)
129 check_after = @vm.execute("mat --check '#{pdf_on_guest}'",
130 $live_user).stdout
131 assert(check_after.include?("#{pdf_on_guest} is clean"),
132 "MAT failed to clean '#{pdf_on_host}'")
133 end
134 end
136 Then /^AppArmor is enabled$/ do
137 assert(@vm.execute("aa-status").success?, "AppArmor is not enabled")
138 end
140 Then /^some AppArmor profiles are enforced$/ do
141 assert(@vm.execute("aa-status --enforced").stdout.chomp.to_i > 0,
142 "No AppArmor profile is enforced")
143 end