Added verification of GPG key URIs against a list of trusted reposito…

…ries for enhanced security RTC 537769 check if sourceApplication Gpg key URL is in trusted repo
intel · Jan 11, 2024 · e5a087d · e5a087d
1 parent ca909c7
commit e5a087d
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 3 deletions.
diff --git a/inbc-program/README.md b/inbc-program/README.md
@@ -417,6 +417,12 @@ inbc query --option sw
 Optionally Downloads and encrypts GPG key and stores it on the system under <em>/usr/share/keyrings</em>. Creates a file under <em>/etc/apt/sources.list.d</em> to store the update source information.
 This list file is used during 'sudo apt update' to update the application. <em>Deb882</em> format may be used instead of downloading a GPG key.
 
+**NOTE:** Make sure to add gpgKeyUri to trustedrepositories using INBC Config Append command before using Inbc source application add command
+ Step 1: Refer to Inbc Config Append command to set gpgKeyUri to trustedRepositories in intel-manageability.conf file
+ Step 2: Use Inbc source appplication add command 
+```
+
+
 ### Usage
 ```
 inbc source application add
@@ -442,7 +448,6 @@ inbc source application add
 
  - Each blank line has a period in it. -> " ."
  - Each line after the Signed-By: starts with a space -> " gibberish"
-
 ```
 inbc source application add 
  --sources 

diff --git a/inbm/Changelog.md b/inbm/Changelog.md
@@ -10,7 +10,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ### Added
  - RTC 536601 - Added 'source' command to INBM. This command manages `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*` and associated gpg keys on Ubuntu.
+- RTC 537769 - Added verification of GPG key URIs against a list of trusted repositories for enhanced security
 
+check if sourceApplication Gpg key URL is in trusted repo
 ### Fixed
  - RTC 534426 - Could not write to /var/log/inbm-update-status.log on Yocto due to /var/log being a symlink to /var/volatile/log.
  - RTC 523677 - Improve INBC error logging - invalid child tag not printed

diff --git a/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py b/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py
@@ -7,6 +7,9 @@
 import logging
 import os
 
+from dispatcher.packagemanager.package_manager import verify_source
+from dispatcher.dispatcher_broker import DispatcherBroker
+from dispatcher.dispatcher_exception import DispatcherException
 from dispatcher.source.source_exception import SourceError
 from dispatcher.source.constants import (
  UBUNTU_APT_SOURCES_LIST,
@@ -98,11 +101,19 @@ def __init__(self) -> None:
 
  def add(self, parameters: ApplicationAddSourceParameters) -> None:
  """Adds a source file and optional GPG key to be used during Ubuntu application updates."""
- # Step 1: Add key (Optional)
+ # Step 1: Verify gpg key uri from trusted repo list 
  if parameters.gpg_key_name and parameters.gpg_key_uri:
+ try:
+ url = parameters.gpg_key_uri
+ #URL slicing to remove the last segment (filename) from the URL 
+ source = url.value[:-(len(url.value.split('/')[-1]) + 1)]
+ verify_source(source=source, dispatcher_broker=DispatcherBroker)
+ except (DispatcherException, IndexError) as err:
+ raise SourceError(f"Source Gpg key URI verification check failed: {err}")
+ # Step 2: Add key (Optional)
  add_gpg_key(parameters.gpg_key_uri, parameters.gpg_key_name)
 
- # Step 2: Add the source
+ # Step 3: Add the source
  try:
  create_file_with_contents(
  os.path.join(UBUNTU_APT_SOURCES_LIST_D, parameters.file_name), parameters.sources

diff --git a/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py b/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py
@@ -279,6 +279,33 @@ def test_successfully_remove_gpg_key_and_source_list(
  except SourceError:
  self.fail("Remove GPG key raised DispatcherException unexpectedly!")
 
+ @patch("dispatcher.packagemanager.package_manager.verify_source", side_effect=DispatcherException('error'))
+ def test_failed_add_gpg_key_method(self, mock_verify_source):
+ parameters = ApplicationAddSourceParameters(
+ gpg_key_uri="https://dl-ssl.google.com/linux/linux_signing_key.pub",
+ gpg_key_name="name"
+ )
+ command = UbuntuApplicationSourceManager()
+ try:
+ command.add(parameters)
+ self.assertIsNotNone(result) # Assuming the add method returns some value on success 
+ except SourceError:
+ self.fail("Source Gpg key URI verification check failed: error")
+
+
+ @patch("dispatcher.packagemanager.package_manager.verify_source")
+ def test_success_add_gpg_key_method(self, mock_verify_source):
+ parameters = ApplicationAddSourceParameters(
+ gpg_key_uri="https://dl-ssl.google.com/linux/linux_signing_key.pub",
+ gpg_key_name="name"
+ )
+ command = UbuntuApplicationSourceManager()
+ try:
+ command.add(parameters)
+ self.assertIsNotNone(result) # Assuming the add method returns some value on success
+ except SourceError:
+ assert False, f"'UbuntuApplicationSourceManager.add' raised an exception {err}"
+
  @patch("dispatcher.source.ubuntu_source_manager.remove_gpg_key_if_exists")
  def test_raises_when_space_check_fails(self, mock_remove_gpg_key):
  parameters = ApplicationRemoveSourceParameters(