Skip to content

Commit

Permalink
Added verification of GPG key URIs against a list of trusted reposito…
Browse files Browse the repository at this point in the history
…ries for enhanced security

RTC 537769

check if sourceApplication Gpg key URL is in trusted repo
  • Loading branch information
tsirlapu committed Jan 11, 2024
1 parent ca909c7 commit 4078406
Show file tree
Hide file tree
Showing 4 changed files with 34 additions and 3 deletions.
7 changes: 6 additions & 1 deletion inbc-program/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -417,6 +417,12 @@ inbc query --option sw
Optionally Downloads and encrypts GPG key and stores it on the system under <em>/usr/share/keyrings</em>. Creates a file under <em>/etc/apt/sources.list.d</em> to store the update source information.
This list file is used during 'sudo apt update' to update the application. <em>Deb882</em> format may be used instead of downloading a GPG key.

**NOTE:** Make sure to add gpgKeyUri to trustedrepositories using INBC Config Append command before using Inbc source application add command
Step 1: Refer to Inbc Config Append command to set gpgKeyUri to trustedRepositories in intel-manageability.conf file
Step 2: Use Inbc source appplication add command
```
### Usage
```
inbc source application add
Expand All @@ -442,7 +448,6 @@ inbc source application add
- Each blank line has a period in it. -> " ."
- Each line after the Signed-By: starts with a space -> " gibberish"

```
inbc source application add
--sources
Expand Down
2 changes: 2 additions & 0 deletions inbm/Changelog.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).

### Added
- RTC 536601 - Added 'source' command to INBM. This command manages `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*` and associated gpg keys on Ubuntu.
- RTC 537769 - Added verification of GPG key URIs against a list of trusted repositories for enhanced security

check if sourceApplication Gpg key URL is in trusted repo
### Fixed
- RTC 534426 - Could not write to /var/log/inbm-update-status.log on Yocto due to /var/log being a symlink to /var/volatile/log.
- RTC 523677 - Improve INBC error logging - invalid child tag not printed
Expand Down
15 changes: 13 additions & 2 deletions inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@
import logging
import os

from dispatcher.packagemanager.package_manager import verify_source
from dispatcher.dispatcher_broker import DispatcherBroker
from dispatcher.dispatcher_exception import DispatcherException
from dispatcher.source.source_exception import SourceError
from dispatcher.source.constants import (
UBUNTU_APT_SOURCES_LIST,
Expand Down Expand Up @@ -98,11 +101,19 @@ def __init__(self) -> None:

def add(self, parameters: ApplicationAddSourceParameters) -> None:
"""Adds a source file and optional GPG key to be used during Ubuntu application updates."""
# Step 1: Add key (Optional)
# Step 1: Verify gpg key uri from trusted repo list
if parameters.gpg_key_name and parameters.gpg_key_uri:
try:
url = parameters.gpg_key_uri
#URL slicing to remove the last segment (filename) from the URL
source = url.value[:-(len(url.value.split('/')[-1]) + 1)]
verify_source(source=source, dispatcher_broker=DispatcherBroker)
except DispatcherException as err:
raise SourceError(f"Source Gpg key URI verification check failed: {err}")
# Step 2: Add key (Optional)
add_gpg_key(parameters.gpg_key_uri, parameters.gpg_key_name)

# Step 2: Add the source
# Step 3: Add the source
try:
create_file_with_contents(
os.path.join(UBUNTU_APT_SOURCES_LIST_D, parameters.file_name), parameters.sources
Expand Down
13 changes: 13 additions & 0 deletions inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py
Original file line number Diff line number Diff line change
Expand Up @@ -279,6 +279,19 @@ def test_successfully_remove_gpg_key_and_source_list(
except SourceError:
self.fail("Remove GPG key raised DispatcherException unexpectedly!")

@patch("dispatcher.packagemanager.package_manager.verify_source", side_effect=DispatcherException('error'))
def test_successfully_add_gpg_key(self, mock_verify_source):
parameters = ApplicationAddSourceParameters(
gpg_key_uri="https://dl-ssl.google.com/linux/linux_signing_key.pub",
gpg_key_name="name"
)
command = UbuntuApplicationSourceManager()
try:
command.add(parameters)
self.assertIsNotNone(result) # Assuming the add method returns some value on success
except SourceError:
self.fail("Source Gpg key URI verification check failed: error")

@patch("dispatcher.source.ubuntu_source_manager.remove_gpg_key_if_exists")
def test_raises_when_space_check_fails(self, mock_remove_gpg_key):
parameters = ApplicationRemoveSourceParameters(
Expand Down

0 comments on commit 4078406

Please sign in to comment.