Refactor CC installation tests

lib/security/config.pm

@@ -0,0 +1,28 @@
+# openssl fips test
+#
+# Copyright SUSE LLC
+# SPDX-License-Identifier: FSFAP
+# Summary: Stronger password to be used with CC/FIPS.
+#
+# Maintainer: QE Security <[email protected]>
+
+package security::config;
+
+use strict;
+use warnings;
+
+use base 'Exporter';
+
+our @EXPORT = qw(strong_password);
+
+=head2 strong_password
+
+    $security::config:strong_password;
+
+This will return a strong, FIPS compliant password to be used, for example,
+during installation when setting the Common Criteria password on SLES 15-SP6+.
+=cut
+
+our $strong_password = "not-so-s3cr3t_BUT_VERY_STRONG.";
+
+1;

lib/security_boot_utils.pm

@@ -17,6 +17,8 @@ use grub_utils qw(grub_test);
 use utils;
 use testapi;
 use Utils::Architectures;
+use security::config;
+use version_utils 'is_sle';
 
 our @EXPORT = qw(
   boot_has_no_video
@@ -25,9 +27,7 @@ our @EXPORT = qw(
 
 sub boot_has_no_video {
     my $is_encrypted = check_var('FULL_LVM_ENCRYPT', '1') || check_var('ENCRYPT', '1');
-    my $is_qr = check_var('FLAVOR', 'Online-QR') || check_var('FLAVOR', 'Full-QR');
-    my $is_arch = is_aarch64() || is_s390x();
-    return ($is_encrypted && $is_qr && $is_arch);
+    return ($is_encrypted && is_aarch64);
 }
 
 sub boot_encrypt_no_video {
@@ -37,7 +37,8 @@ sub boot_encrypt_no_video {
     # used, for example, by aarch64 on 15-SP5 QR (https://progress.opensuse.org/issues/156655)
     assert_screen 'encrypted-disk-no-video';
     wait_serial("Please enter passphrase for disk.*");
-    type_string_slow("$testapi::password");
+    my $password = check_var('SYSTEM_ROLE', 'Common_Criteria') ? $security::config::strong_password : $testapi::password;
+    type_string_slow("$password");
     send_key 'ret';
     wait_still_screen 15;
     $self->wait_boot_past_bootloader;

lib/utils.pm

@@ -22,6 +22,7 @@ use Storable qw(dclone);
 use Getopt::Long qw(GetOptionsFromString);
 use File::Basename;
 use XML::LibXML;
+use security::config;
 
 our @EXPORT = qw(
   generate_results
@@ -202,12 +203,13 @@ C<$testapi::password> will be used as password.
 
 sub unlock_zvm_disk {
     my ($console) = @_;
+    my $password = check_var('SYSTEM_ROLE', 'Common_Criteria') ? $security::config::strong_password : $testapi::password;
     eval { $console->expect_3270(output_delim => 'Please enter passphrase', timeout => 30) };
     if ($@) {
         diag 'No passphrase asked, continuing';
     }
     else {
-        $console->sequence_3270("String(\"$testapi::password\")", "ENTER");
+        $console->sequence_3270("String(\"$password\")", "ENTER");
         diag 'Passphrase entered';
     }
 
@@ -338,11 +340,11 @@ C<$check_typed_password> will default to C<0>.
 sub unlock_if_encrypted {
     my (%args) = @_;
     $args{check_typed_password} //= 0;
+    my $password = check_var('SYSTEM_ROLE', 'Common_Criteria') ? $security::config::strong_password : $testapi::password;
 
     return unless get_var("ENCRYPT");
 
     if (get_var('S390_ZKVM')) {
-        my $password = $testapi::password;
         select_console('svirt');
 
         # enter passphrase twice (before grub and after grub) if full disk is encrypted
@@ -365,13 +367,13 @@ sub unlock_if_encrypted {
     }
     else {
         assert_screen("encrypted-disk-password-prompt", 200);
-        type_password;    # enter PW at boot
+        type_password $password;
         save_screenshot;
         if ($args{check_typed_password}) {
             unless (check_screen "encrypted_disk-typed_password", 30) {
                 record_info("Invalid password", "Not all password characters were typed successfully, retyping");
                 send_key "backspace" for (0 .. 9);
-                type_password;
+                type_password $password;
                 assert_screen "encrypted_disk-typed_password";
             }
         }

schedule/security/create_hdd_cc_libyui/aarch64/cc_beta.yaml

@@ -8,13 +8,9 @@ schedule:
   system_role:
     - installation/system_role/select_common_criteria_role
     - installation/common_criteria_configuration/common_criteria_configuration
-  suggested_partitioning:
-    - installation/partitioning/new_partitioning_gpt
-  grub:
-    - installation/handle_reboot
+  grub: []
   first_login:
-    - installation/boot_encrypt
-    - installation/first_boot
+    - security/boot_disk
   system_preparation:
     - console/hostname
     - console/system_prepare

schedule/security/create_hdd_cc_libyui/x86_64/cc_qr_no_fde_15sp4.yaml → schedule/security/create_hdd_cc_libyui/aarch64/cc_maint_15sp3.yaml

@@ -1,15 +1,24 @@
 ---
 name: create_hdd_common_criteria
-description: >
-  Installation using the Common Criteria role without full disk
-  encryption on QR SLES 15-SP4.
+description: For 15-SP3, 15-SP4 and 15-SP5 maintenance installation for CC
+vars:
+  PATTERNS: 'default,-enhanced_base'
+  YUI_REST_API: 1
 schedule:
   access_beta: []
   product_selection:
     - installation/product_selection/install_SLES
+  add_on_product:
+    - installation/add_on_product/add_maintenance_repos
+  additional_products: []
   system_role:
     - installation/system_role/select_common_criteria_role
     - installation/common_criteria_configuration/common_criteria_configuration
+  software:
+    - installation/select_patterns
+  grub: []
+  first_login:
+    - security/boot_disk
   system_preparation:
     - console/hostname
     - console/system_prepare

schedule/security/create_hdd_cc_libyui/aarch64/cc_maint_15sp6.yaml

@@ -0,0 +1,27 @@
+---
+name: create_hdd_common_criteria
+description: For 15-SP6+ maintenance installation for CC
+vars:
+  PATTERNS: 'default,-enhanced_base'
+  YUI_REST_API: 1
+schedule:
+  access_beta: []
+  add_on_product:
+    - installation/add_on_product/add_maintenance_repos
+  additional_products: []
+  system_role:
+    - installation/system_role/select_common_criteria_role
+    - installation/common_criteria_configuration/common_criteria_configuration
+  software:
+    - installation/select_patterns
+  grub: []
+  first_login:
+    - security/boot_disk
+  system_preparation:
+    - console/hostname
+    - console/system_prepare
+    - console/force_scheduled_tasks
+    - security/cc/ensure_crypto_checks_enabled
+    - shutdown/grub_set_bootargs
+    - shutdown/cleanup_before_shutdown
+    - shutdown/shutdown

schedule/security/create_hdd_cc_libyui/aarch64/cc_qr.yaml

@@ -10,8 +10,6 @@ schedule:
   system_role:
     - installation/system_role/select_common_criteria_role
     - installation/common_criteria_configuration/common_criteria_configuration
-  suggested_partitioning:
-    - installation/partitioning/new_partitioning_gpt
   grub: []
   first_login:
     - security/boot_disk

schedule/security/create_hdd_cc_libyui/s390x/cc_beta.yaml

@@ -8,10 +8,6 @@ schedule:
   system_role:
     - installation/system_role/select_common_criteria_role
     - installation/common_criteria_configuration/common_criteria_configuration
-  suggested_partitioning:
-    - installation/partitioning/new_partitioning_gpt
-  grub:
-    - installation/handle_reboot
   first_login:
     - installation/boot_encrypt
     - installation/first_boot

schedule/security/create_hdd_cc_libyui/s390x/cc_maint_fde.yaml

@@ -0,0 +1,28 @@
+---
+name: create_hdd_common_criteria
+vars:
+  PATTERNS: 'default,-enhanced_base'
+  YUI_REST_API: 1
+schedule:
+  access_beta: []
+  extension_module_selection:
+    - installation/module_registration/register_extensions_and_modules
+  add_on_product:
+    - installation/add_on_product/add_maintenance_repos
+  system_role:
+    - installation/system_role/select_common_criteria_role
+    - installation/common_criteria_configuration/common_criteria_configuration
+  software:
+    - installation/select_patterns
+  first_login:
+    - installation/boot_encrypt
+    - installation/first_boot
+  system_preparation:
+    - console/hostname
+    - console/system_prepare
+    - console/force_scheduled_tasks
+    - security/cc/ensure_crypto_checks_enabled
+    - shutdown/grub_set_bootargs
+    - shutdown/cleanup_before_shutdown
+    - shutdown/shutdown
+    - shutdown/svirt_upload_assets

schedule/security/create_hdd_cc_libyui/s390x/cc_maint_no_fde.yaml

@@ -0,0 +1,25 @@
+---
+name: create_hdd_common_criteria
+vars:
+  PATTERNS: 'default,-enhanced_base'
+  YUI_REST_API: 1
+schedule:
+  access_beta: []
+  extension_module_selection:
+    - installation/module_registration/register_extensions_and_modules
+  add_on_product:
+    - installation/add_on_product/add_maintenance_repos
+  system_role:
+    - installation/system_role/select_common_criteria_role
+    - installation/common_criteria_configuration/common_criteria_configuration
+  software:
+    - installation/select_patterns
+  system_preparation:
+    - console/hostname
+    - console/system_prepare
+    - console/force_scheduled_tasks
+    - security/cc/ensure_crypto_checks_enabled
+    - shutdown/grub_set_bootargs
+    - shutdown/cleanup_before_shutdown
+    - shutdown/shutdown
+    - shutdown/svirt_upload_assets

schedule/security/create_hdd_cc_libyui/s390x/cc_qr.yaml

@@ -8,10 +8,6 @@ schedule:
   system_role:
     - installation/system_role/select_common_criteria_role
     - installation/common_criteria_configuration/common_criteria_configuration
-  suggested_partitioning:
-    - installation/partitioning/new_partitioning_gpt
-  grub:
-    - installation/handle_reboot
   first_login:
     - installation/boot_encrypt
     - installation/first_boot

schedule/security/create_hdd_cc_libyui/x86_64/cc_beta.yaml

@@ -8,13 +8,9 @@ schedule:
   system_role:
     - installation/system_role/select_common_criteria_role
     - installation/common_criteria_configuration/common_criteria_configuration
-  suggested_partitioning:
-    - installation/partitioning/new_partitioning_gpt
-  grub:
-    - installation/handle_reboot
+  grub: []
   first_login:
-    - installation/boot_encrypt
-    - installation/first_boot
+    - security/boot_disk
   system_preparation:
     - console/hostname
     - console/system_prepare

schedule/security/create_hdd_cc_libyui/aarch64/cc_qr_no_fde_15sp4.yaml → schedule/security/create_hdd_cc_libyui/x86_64/cc_maint.yaml

@@ -1,15 +1,21 @@
 ---
 name: create_hdd_common_criteria
-description: >
-  Installation using the Common Criteria role without full disk
-  encryption on QR SLES 15-SP4.
+vars:
+  PATTERNS: 'default,-enhanced_base'
+  YUI_REST_API: 1
 schedule:
   access_beta: []
-  product_selection:
-    - installation/product_selection/install_SLES
+  add_on_product:
+    - installation/add_on_product/add_maintenance_repos
+  additional_products: []
   system_role:
     - installation/system_role/select_common_criteria_role
     - installation/common_criteria_configuration/common_criteria_configuration
+  software:
+    - installation/select_patterns
+  grub: []
+  first_login:
+    - security/boot_disk
   system_preparation:
     - console/hostname
     - console/system_prepare

schedule/security/create_hdd_cc_libyui/x86_64/cc_qr.yaml

@@ -10,8 +10,6 @@ schedule:
   system_role:
     - installation/system_role/select_common_criteria_role
     - installation/common_criteria_configuration/common_criteria_configuration
-  suggested_partitioning:
-    - installation/partitioning/new_partitioning_gpt
   grub: []
   first_login:
     - security/boot_disk

schedule/yast/sle/flows/default_sle15sp4_aarch64.yaml

@@ -41,3 +41,5 @@ grub:
   - installation/grub_test
 first_login:
   - installation/first_boot
+system_preparation: []
+system_validation: []

schedule/yast/sle/flows/default_sle15sp4_s390x_kvm.yaml

@@ -41,3 +41,5 @@ reboot:
   - installation/handle_reboot
 first_login:
   - installation/first_boot
+system_preparation: []
+system_validation: []

tests/console/cryptsetup.pm

@@ -18,10 +18,10 @@ use testapi;
 use serial_terminal 'select_serial_terminal';
 use utils 'zypper_call';
 use version_utils qw(is_sle);
+use security::config;
 
 sub run {
-    # Strengthen password to avoid password quality check failed on Tumbleweed
-    my $cryptpasswd = $testapi::password . '_on-a-sunny-D4Y';
+    my $cryptpasswd = $security::config::strong_password;
     select_serial_terminal;
 
     # Update related packages including latest systemd

tests/installation/common_criteria_configuration/common_criteria_configuration.pm

@@ -9,13 +9,13 @@ use parent 'y2_installbase';
 use strict;
 use testapi;
 use warnings;
+use security::config;
 
 sub run {
     my $common_criteria_configuration = $testapi::distri->get_common_criteria_configuration();
     if (check_var('ENCRYPT', '1')) {
-        $common_criteria_configuration->configure_encryption($testapi::password);
+        $common_criteria_configuration->configure_encryption($security::config::strong_password);
         $common_criteria_configuration->go_forward();
-        $common_criteria_configuration->get_weak_password_warning->press_yes();
     } else {
         $common_criteria_configuration->go_forward();
     }

tests/installation/logs_from_installation_system.pm

@@ -34,13 +34,16 @@ sub run {
 
     # on a CC enabled system, root ssh login is disabled by default, but we need it enabled
     if (check_var('SYSTEM_ROLE', 'Common_Criteria') && is_sle && is_s390x) {
-        my $vg_name = "vg-system";
-        my $lv_name = "lv-root";
-        my $crypt_name = "encrypted_disk";
         my $stor_inst = "/var/log/YaST2/storage-inst/*committed.yml";
-        my $root_hd = get_var('ENCRYPT') ? "/dev/$vg_name/$lv_name " : script_output("cat $stor_inst | grep -B4 'mount_point: \"/\"' | grep name | awk -F \\\" '{print \$2}'");
+        my $is_encrypted = check_var('ENCRYPT', '1') || check_var('FULL_LVM_ENCRYPT', '1');
+        my $root_hd = script_output("cat $stor_inst | grep -B4 'mount_point: \"/\"' | grep name | awk -F \\\" '{print \$2}'");
+        if ($is_encrypted) {
+            $root_hd = "/dev/mapper/" . script_output("dmsetup ls | grep root | awk '{print \$1}'");
+        }
+
         assert_script_run("mount $root_hd /mnt");
         assert_script_run("sed -i -e 's/PermitRootLogin no/PermitRootLogin yes/g' /mnt/etc/ssh/sshd_config");
+        assert_script_run("sed -i -e 's/PermitRootLogin prohibit-password/PermitRootLogin yes/g' /mnt/etc/ssh/sshd_config.d/51-permit-root-login.conf") if is_sle('>=15-SP6');
         assert_script_run('umount /mnt');
     }