summary: run keylime e2e tests

# define context to filter out all test requiring TPM device
context:
  swtpm: yes

prepare:
  - how: shell
    script:
     - dnf config-manager --set-enabled updates-testing updates-testing-modular
  - how: shell
    order: 90
    script:
     - sed -i "s/tpm_hash_alg =.*/tpm_hash_alg = sha256/" /etc/keylime.conf

discover:
    how: fmf
    url: https://github.com/RedHat-SP-Security/keylime-tests
    ref: "@.tmt/dynamic_ref.fmf"
    test:
     - /setup/configure_tpm_emulator
     # change IMA policy to simple and run one attestation scenario
     # this is to utilize also a different parser
     - /setup/configure_kernel_ima_module/ima_policy_simple
     - /setup/inject_SELinux_AVC_check
     - /functional/basic-attestation-on-localhost
     # now change IMA policy to signing and run all tests
     - /setup/configure_kernel_ima_module/ima_policy_signing
     - "/functional/.*"

execute:
    how: tmt

adjust:
    - when: distro == fedora-rawhide
      environment:
          AVC_CHECK_AUSEARCH_PARAMS: "-se keylime"
      because: "On Rawhide we ignore SELinux AVCs not related to keylime"