mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/utils/test/test-aa.py

695 lines
36 KiB
Python
Raw Normal View History

Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
#! /usr/bin/env python
# ------------------------------------------------------------------
#
[patch] make set_profile_flags more strict this patch makes set_profile_flags more strict: - raise AppArmorBug if newflags contains only whitespace - raise AppArmorBug if the file doesn't contain the specified profile or no profile at all The tests are adjusted to expect AppArmorBug instead of a silent failure. Also, some tests are added for profile=None, which means to change the flags for all profiles in a file. - test_set_flags_08 is now test_set_flags_invalid_04 - test_set_flags_invalid_03 is changed to only contain one reason for a failure, not two ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:25:18 +02:00
# Copyright (C) 2014-2015 Christian Boltz
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
import unittest
Enable testloops for nosetests Ensure nosetests sees all tests in the tests[] tuples. This requires some name changes because nosetests thinks all function names containing "test" are tests. (A "not a test" docorator would be an alternative, but that would require some try/except magic to avoid a dependency on nose.) To avoid nosetests thinks the functions are a test, - rename setup_all_tests() to setup_all_loops() - rename regex_test() to _regex_test() (in test-regex_matches.py) Also add the module_name as parameter to setup_all_loops and always run it (not only if __name__ == '__main__'). Known issue: nosetests errors out with ValueError: no such test method in <class ...>: stub_test when trying to run a single test generated out of tests[]. (debugging hint: stub_test is the name used in setup_test_loop().) But that's still an improvement over not seeing those tests at all ;-) Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
2015-04-22 22:01:34 +02:00
from common_test import AATest, setup_all_loops
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
from common_test import read_file, write_file
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
import os
from apparmor.aa import (check_for_apparmor, get_interpreter_and_abstraction, create_new_profile,
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
get_profile_flags, set_profile_flags, is_skippable_file, is_skippable_dir,
Several fixes for variable handling Parsing variables was broken in several ways: - empty quotes (representing an intentionally empty value) were lost, causing parser failures - items consisting of only one letter were lost due to a bug in RE_VARS - RE_VARS didn't start with ^, which means leading garbage (= syntax errors) was ignored - trailing garbage was also ignored This patch fixes those issues in separate_vars() and changes var_transform() to write out empty quotes (instead of nothing) for empty values. Also add some tests for separate_vars() with empty quotes and adjust several tests with invalid syntax to expect an AppArmorException. var_transform() gets some tests added. Finally, remove 3 testcases from the "fails to raise an exception" list in test-parser-simple-tests.py. Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9 (which also implies 2.10) Note: 2.9 doesn't have test-parser-simple-tests.py, therefore it won't get that part of the patch.
2015-12-12 12:59:13 +01:00
parse_profile_start, parse_profile_data, separate_vars, store_list_var, write_header,
var_transform, serialize_parse_profile_start)
update test-aa.py to match parse_profile_start() and get_profile_flags() changes The previous patch slightly changed the behaviour of parse_profile_start() and get_profile_flags() - they raise AppArmorBug instead of AppArmorException when specifying a line that is not the start of a profile and therefore doesn't match RE_PROFILE_START_2. This patch updates test-aa.py to expect the correct exceptions, and adds another test with quoted profile name to ensure that stripping the quotes works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-31 22:45:45 +02:00
from apparmor.common import AppArmorException, AppArmorBug
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
add tests for write_header() Also add loop support to test-aa.py. BTW: In case you wonder - the need to replace unittest.TestCase with AATest is intentional. It might look annoying, but it makes sure that a test-*.py file doesn't contain a test class where tests = [...] is ignored because it's still unittest.TestCase. (Technically, setup_all_tests() will error out if a test class doesn't contain tests = [...] - either explicit or via its parent AATest.) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:48:50 +02:00
class AaTestWithTempdir(AATest):
Add tempdir and tempfile handling to AATest Add writeTmpfile() to AATest to write a file into the tmpdir. If no tmpdir exists yet, automatically create one. createTmpdir() is a separate function so that it's possible to manually create the tmpdir (for example, if a test needs an empty tmpdir). Also add a tearDown() function to delete the tmpdir again. This function calls self.AATeardown() to avoid the need for super() in child classes. Finally, simplify AaTestWithTempdir in test-aa.py to use createTmpdir() and add an example for AATeardown() to test-example.py. Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 12:55:38 +02:00
def AASetup(self):
self.createTmpdir()
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
class AaTest_check_for_apparmor(AaTestWithTempdir):
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
FILESYSTEMS_WITH_SECURITYFS = 'nodev\tdevtmpfs\nnodev\tsecurityfs\nnodev\tsockfs\n\text3\n\text2\n\text4'
FILESYSTEMS_WITHOUT_SECURITYFS = 'nodev\tdevtmpfs\nnodev\tsockfs\n\text3\n\text2\n\text4'
MOUNTS_WITH_SECURITYFS = ( 'proc /proc proc rw,relatime 0 0\n'
'securityfs %s/security securityfs rw,nosuid,nodev,noexec,relatime 0 0\n'
'/dev/sda1 / ext3 rw,noatime,data=ordered 0 0' )
MOUNTS_WITHOUT_SECURITYFS = ( 'proc /proc proc rw,relatime 0 0\n'
'/dev/sda1 / ext3 rw,noatime,data=ordered 0 0' )
def test_check_for_apparmor_None_1(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITHOUT_SECURITYFS)
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS)
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_None_2(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITHOUT_SECURITYFS)
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITHOUT_SECURITYFS)
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_None_3(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITHOUT_SECURITYFS)
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_securityfs_invalid_filesystems(self):
filesystems = ''
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_securityfs_invalid_mounts(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
mounts = ''
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_invalid_securityfs_path(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % 'xxx')
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_securityfs_mounted(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)
self.assertEqual('%s/security/apparmor' % self.tmpdir, check_for_apparmor(filesystems, mounts))
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
class AaTest_create_new_profile(AATest):
tests = [
# file content expected interpreter expected abstraction (besides 'base')
Adjust test-aa.py for python2 This means: - expect unicode (instead of str) when reading from a file in py2 - convert keys() result to a set to avoid test failures because of dict_keys type After this change, all tests work for both py2 and py3. Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk and 2.10.
2015-12-17 23:44:18 +01:00
('#!/bin/bash\ntrue', (u'/bin/bash', 'abstractions/bash')),
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
('foo bar', (None, None)),
]
def _run_test(self, params, expected):
exp_interpreter_path, exp_abstraction = expected
program = self.writeTmpfile('script', params)
profile = create_new_profile(program)
if exp_interpreter_path:
self.assertEqual(profile[program][program]['allow']['path'][exp_interpreter_path]['mode'], {'x', '::i', '::x', 'i'} )
self.assertEqual(profile[program][program]['allow']['path'][exp_interpreter_path]['audit'], set() )
self.assertEqual(profile[program][program]['allow']['path'][program]['mode'], {'r', '::r'} )
self.assertEqual(profile[program][program]['allow']['path'][program]['audit'], set() )
Adjust test-aa.py for python2 This means: - expect unicode (instead of str) when reading from a file in py2 - convert keys() result to a set to avoid test failures because of dict_keys type After this change, all tests work for both py2 and py3. Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk and 2.10.
2015-12-17 23:44:18 +01:00
self.assertEqual(set(profile[program][program]['allow']['path'].keys()), {program, exp_interpreter_path} )
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
else:
self.assertEqual(profile[program][program]['allow']['path'][program]['mode'], {'r', '::r', 'm', '::m'} )
self.assertEqual(profile[program][program]['allow']['path'][program]['audit'], set() )
Adjust test-aa.py for python2 This means: - expect unicode (instead of str) when reading from a file in py2 - convert keys() result to a set to avoid test failures because of dict_keys type After this change, all tests work for both py2 and py3. Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk and 2.10.
2015-12-17 23:44:18 +01:00
self.assertEqual(set(profile[program][program]['allow']['path'].keys()), {program} )
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
if exp_abstraction:
Adjust test-aa.py for python2 This means: - expect unicode (instead of str) when reading from a file in py2 - convert keys() result to a set to avoid test failures because of dict_keys type After this change, all tests work for both py2 and py3. Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk and 2.10.
2015-12-17 23:44:18 +01:00
self.assertEqual(set(profile[program][program]['include'].keys()), {exp_abstraction, 'abstractions/base'})
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
else:
Adjust test-aa.py for python2 This means: - expect unicode (instead of str) when reading from a file in py2 - convert keys() result to a set to avoid test failures because of dict_keys type After this change, all tests work for both py2 and py3. Acked-by: Tyler Hicks <tyhicks@canonical.com> for trunk and 2.10.
2015-12-17 23:44:18 +01:00
self.assertEqual(set(profile[program][program]['include'].keys()), {'abstractions/base'})
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
class AaTest_get_interpreter_and_abstraction(AATest):
tests = [
('#!/bin/bash', ('/bin/bash', 'abstractions/bash')),
('#!/bin/dash', ('/bin/dash', 'abstractions/bash')),
('#!/bin/sh', ('/bin/sh', 'abstractions/bash')),
('#! /bin/sh ', ('/bin/sh', 'abstractions/bash')),
Fix handling of interpreters with parameters If a script contains a hashbang like #! /usr/bin/perl -w aa-autodep created a profile entry like "/usr/bin/perl -w" ix, which is obviously incorrect. This patch fixes this (by using only the first part of the hashbang line) and also adds some tests for it. References: https://bugs.launchpad.net/apparmor/+bug/1505775 Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1393979
2015-10-20 23:18:43 +02:00
('#! /bin/sh -x ', ('/bin/sh', 'abstractions/bash')), # '-x' is not part of the interpreter path
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
('#!/usr/bin/perl', ('/usr/bin/perl', 'abstractions/perl')),
Fix handling of interpreters with parameters If a script contains a hashbang like #! /usr/bin/perl -w aa-autodep created a profile entry like "/usr/bin/perl -w" ix, which is obviously incorrect. This patch fixes this (by using only the first part of the hashbang line) and also adds some tests for it. References: https://bugs.launchpad.net/apparmor/+bug/1505775 Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1393979
2015-10-20 23:18:43 +02:00
('#!/usr/bin/perl -w', ('/usr/bin/perl', 'abstractions/perl')), # '-w' is not part of the interpreter path
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
('#!/usr/bin/python', ('/usr/bin/python', 'abstractions/python')),
('#!/usr/bin/python2', ('/usr/bin/python2', 'abstractions/python')),
('#!/usr/bin/python2.7', ('/usr/bin/python2.7', 'abstractions/python')),
('#!/usr/bin/python3', ('/usr/bin/python3', 'abstractions/python')),
('#!/usr/bin/python4', ('/usr/bin/python4', None)), # python abstraction is only applied to py2 and py3
('#!/usr/bin/ruby', ('/usr/bin/ruby', 'abstractions/ruby')),
utils: handle versioned ruby interpreters On Debian and Ubuntu it's possible to have multiple ruby interpreters installed, and the default to use is handled by the ruby-defaults package, which includes a symlink from /usr/bin/ruby to the versioned ruby interpreter. This patch makes aa.py:get_interpreter_and_abstraction() take that into account by using a regex to match possible versions of ruby. Testcases are included. (I noticed this lack of support because on Ubuntu the ruby test was failing because get_interpreter_and_abstraction() would get the complete path, which on my 16.04 laptop would get /usr/bin/ruby2.2.) Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2016-01-25 22:54:53 -08:00
('#!/usr/bin/ruby2.2', ('/usr/bin/ruby2.2', 'abstractions/ruby')),
('#!/usr/bin/ruby1.9.1', ('/usr/bin/ruby1.9.1', 'abstractions/ruby')),
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
('#!/usr/bin/foobarbaz', ('/usr/bin/foobarbaz', None)), # we don't have an abstraction for "foobarbaz"
('foo', (None, None)), # no hashbang - not a script
]
def _run_test(self, params, expected):
exp_interpreter_path, exp_abstraction = expected
program = self.writeTmpfile('program', "%s\nfoo\nbar" % params)
interpreter_path, abstraction = get_interpreter_and_abstraction(program)
# damn symlinks!
if exp_interpreter_path and os.path.islink(exp_interpreter_path):
dirname = os.path.dirname(exp_interpreter_path)
exp_interpreter_path = os.readlink(exp_interpreter_path)
if not exp_interpreter_path.startswith('/'):
exp_interpreter_path = os.path.join(dirname, exp_interpreter_path)
self.assertEqual(interpreter_path, exp_interpreter_path)
self.assertEqual(abstraction, exp_abstraction)
def test_special_file(self):
self.assertEqual((None, None), get_interpreter_and_abstraction('/dev/null'))
def test_file_not_found(self):
self.createTmpdir()
self.assertEqual((None, None), get_interpreter_and_abstraction('%s/file-not-found' % self.tmpdir))
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
class AaTest_get_profile_flags(AaTestWithTempdir):
def _test_get_flags(self, profile_header, expected_flags):
file = write_file(self.tmpdir, 'profile', '%s {\n}\n' % profile_header)
flags = get_profile_flags(file, '/foo')
self.assertEqual(flags, expected_flags)
def test_get_flags_01(self):
self._test_get_flags('/foo', None)
def test_get_flags_02(self):
self._test_get_flags('/foo ( complain )', ' complain ')
def test_get_flags_04(self):
self._test_get_flags('/foo (complain)', 'complain')
def test_get_flags_05(self):
self._test_get_flags('/foo flags=(complain)', 'complain')
def test_get_flags_06(self):
self._test_get_flags('/foo flags=(complain, audit)', 'complain, audit')
def test_get_flags_invalid_01(self):
replace RE_PROFILE_START Replace RE_PROFILE_START with RE_PROFILE_START_2 and adjust all code sections that used RE_PROFILE_START_2. The only real change is that test_get_flags_invalid_01 and test_get_flags_invalid_02 now expect AppArmorException instead of AppArmorBug. Acked-by: Steve Beattie <steve@nxnw.org> for trunk
2015-04-03 17:28:03 +02:00
with self.assertRaises(AppArmorException):
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
self._test_get_flags('/foo ()', None)
def test_get_flags_invalid_02(self):
replace RE_PROFILE_START Replace RE_PROFILE_START with RE_PROFILE_START_2 and adjust all code sections that used RE_PROFILE_START_2. The only real change is that test_get_flags_invalid_01 and test_get_flags_invalid_02 now expect AppArmorException instead of AppArmorBug. Acked-by: Steve Beattie <steve@nxnw.org> for trunk
2015-04-03 17:28:03 +02:00
with self.assertRaises(AppArmorException):
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
self._test_get_flags('/foo flags=()', None)
def test_get_flags_invalid_03(self):
with self.assertRaises(AppArmorException):
self._test_get_flags('/foo ( )', ' ')
def test_get_flags_other_profile(self):
with self.assertRaises(AppArmorException):
self._test_get_flags('/no-such-profile flags=(complain)', 'complain')
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
class AaTest_set_profile_flags(AaTestWithTempdir):
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
def _test_set_flags(self, profile, old_flags, new_flags, whitespace='', comment='',
more_rules='', expected_more_rules='@-@-@',
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
expected_flags='@-@-@', check_new_flags=True, profile_name='/foo'):
if old_flags:
old_flags = ' %s' % old_flags
if expected_flags == '@-@-@':
expected_flags = new_flags
if expected_flags:
expected_flags = ' flags=(%s)' % (expected_flags)
else:
expected_flags = ''
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
if expected_more_rules == '@-@-@':
expected_more_rules = more_rules
rewrite set_profile_flags() to use write_header() Changes in set_profile_flags(): - rewrite set_profile_flags to use parse_profile_start_line() and write_header(). - replace the silent failure for non-existing files with a proper exception (using lazy programming - the check is done by removing the "if os.path.isfile()" check, open_file_read then raises the exception ;-) - comment out regex_hat_flag and the code that was supposed to handle hat flags, which were totally broken. We'll need another patch to fix it, and we also need to decide if we want to do that because it introduces a behaviour change (currently, aa-complain etc. don't change hat flags). The tests for set_profile_flags() are also updated: - prepend a space to comments because write_header always adds a space between '{' and the comment - remove a test with superfluous quotes that are no longer kept (that's just a profile cleanup, so dropping that test is the easiest way) - update test_set_flags_10 and test_set_flags_12 to use the correct profile name - enable the tests for invalid (empty) flags - update the test for a non-existing file Note: test_set_flags_10, test_set_flags_12 and test_set_flags_nochange_09 will fail with this patch applied. The next patch will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:20:14 +02:00
if comment:
comment = ' %s' % comment
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
dummy_profile_content = ' #include <abstractions/base>\n capability chown,\n /bar r,'
prof_template = '%s%s%s {%s\n%s\n%s\n}\n'
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
old_prof = prof_template % (whitespace, profile, old_flags, comment, more_rules, dummy_profile_content)
new_prof = prof_template % (whitespace, profile, expected_flags, comment, expected_more_rules, dummy_profile_content)
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
self.file = write_file(self.tmpdir, 'profile', old_prof)
set_profile_flags(self.file, profile_name, new_flags)
if check_new_flags:
real_new_prof = read_file(self.file)
self.assertEqual(new_prof, real_new_prof)
# tests that actually don't change the flags
def test_set_flags_nochange_01(self):
self._test_set_flags('/foo', '', '')
def test_set_flags_nochange_02(self):
self._test_set_flags('/foo', '( complain )', ' complain ', whitespace=' ')
def test_set_flags_nochange_03(self):
self._test_set_flags('/foo', '(complain)', 'complain')
def test_set_flags_nochange_04(self):
self._test_set_flags('/foo', 'flags=(complain)', 'complain')
def test_set_flags_nochange_05(self):
self._test_set_flags('/foo', 'flags=(complain, audit)', 'complain, audit', whitespace=' ')
def test_set_flags_nochange_06(self):
self._test_set_flags('/foo', 'flags=(complain, audit)', 'complain, audit', whitespace=' ', comment='# a comment')
def test_set_flags_nochange_07(self):
self._test_set_flags('/foo', 'flags=(complain, audit)', 'complain, audit', whitespace=' ', more_rules=' # a comment\n#another comment')
def test_set_flags_nochange_08(self):
self._test_set_flags('profile /foo', 'flags=(complain)', 'complain')
def test_set_flags_nochange_09(self):
Finally implement attachment handling This patch implements attachment handling - aa-logprof now works with profiles that have an attachment defined, instead of ignoring audit.log entries for those profiles. Changes: - parse_profile_start_line(): remove workaround that merged the attachment into the profile name - parse_profile_data(): store attachment when parsing a profile - update test_parse_profile_start_03, test_serialize_parse_profile_start_03, test_set_flags_nochange_09 and some parse_profile_start_line() tests - they now expect correct attachment handling Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:26:26 +02:00
self._test_set_flags('profile xy /foo', 'flags=(complain)', 'complain', profile_name='xy')
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
def test_set_flags_nochange_10(self):
self._test_set_flags('profile "/foo bar"', 'flags=(complain)', 'complain', profile_name='/foo bar')
[patch] make set_profile_flags more strict this patch makes set_profile_flags more strict: - raise AppArmorBug if newflags contains only whitespace - raise AppArmorBug if the file doesn't contain the specified profile or no profile at all The tests are adjusted to expect AppArmorBug instead of a silent failure. Also, some tests are added for profile=None, which means to change the flags for all profiles in a file. - test_set_flags_08 is now test_set_flags_invalid_04 - test_set_flags_invalid_03 is changed to only contain one reason for a failure, not two ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:25:18 +02:00
def test_set_flags_nochange_11(self):
self._test_set_flags('/foo', '(complain)', 'complain', profile_name=None)
#def test_set_flags_nochange_12(self):
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
# XXX changes the flags for the child profile (which happens to have the same profile name) to 'complain'
# self._test_set_flags('/foo', 'flags=(complain)', 'complain', more_rules=' profile /foo {\n}')
# tests that change the flags
def test_set_flags_01(self):
self._test_set_flags('/foo', '', 'audit')
def test_set_flags_02(self):
self._test_set_flags('/foo', '( complain )', 'audit ', whitespace=' ')
def test_set_flags_04(self):
self._test_set_flags('/foo', '(complain)', 'audit')
def test_set_flags_05(self):
self._test_set_flags('/foo', 'flags=(complain)', 'audit')
def test_set_flags_06(self):
self._test_set_flags('/foo', 'flags=(complain, audit)', None, whitespace=' ')
def test_set_flags_07(self):
self._test_set_flags('/foo', 'flags=(complain, audit)', '', expected_flags=None)
def test_set_flags_08(self):
[patch] make set_profile_flags more strict this patch makes set_profile_flags more strict: - raise AppArmorBug if newflags contains only whitespace - raise AppArmorBug if the file doesn't contain the specified profile or no profile at all The tests are adjusted to expect AppArmorBug instead of a silent failure. Also, some tests are added for profile=None, which means to change the flags for all profiles in a file. - test_set_flags_08 is now test_set_flags_invalid_04 - test_set_flags_invalid_03 is changed to only contain one reason for a failure, not two ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:25:18 +02:00
self._test_set_flags('/foo', '( complain )', 'audit ', whitespace=' ', profile_name=None)
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
def test_set_flags_09(self):
self._test_set_flags('profile /foo', 'flags=(complain)', 'audit')
def test_set_flags_10(self):
rewrite set_profile_flags() to use write_header() Changes in set_profile_flags(): - rewrite set_profile_flags to use parse_profile_start_line() and write_header(). - replace the silent failure for non-existing files with a proper exception (using lazy programming - the check is done by removing the "if os.path.isfile()" check, open_file_read then raises the exception ;-) - comment out regex_hat_flag and the code that was supposed to handle hat flags, which were totally broken. We'll need another patch to fix it, and we also need to decide if we want to do that because it introduces a behaviour change (currently, aa-complain etc. don't change hat flags). The tests for set_profile_flags() are also updated: - prepend a space to comments because write_header always adds a space between '{' and the comment - remove a test with superfluous quotes that are no longer kept (that's just a profile cleanup, so dropping that test is the easiest way) - update test_set_flags_10 and test_set_flags_12 to use the correct profile name - enable the tests for invalid (empty) flags - update the test for a non-existing file Note: test_set_flags_10, test_set_flags_12 and test_set_flags_nochange_09 will fail with this patch applied. The next patch will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:20:14 +02:00
self._test_set_flags('profile xy /foo', 'flags=(complain)', 'audit', profile_name='xy')
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
def test_set_flags_11(self):
self._test_set_flags('profile "/foo bar"', 'flags=(complain)', 'audit', profile_name='/foo bar')
def test_set_flags_12(self):
rewrite set_profile_flags() to use write_header() Changes in set_profile_flags(): - rewrite set_profile_flags to use parse_profile_start_line() and write_header(). - replace the silent failure for non-existing files with a proper exception (using lazy programming - the check is done by removing the "if os.path.isfile()" check, open_file_read then raises the exception ;-) - comment out regex_hat_flag and the code that was supposed to handle hat flags, which were totally broken. We'll need another patch to fix it, and we also need to decide if we want to do that because it introduces a behaviour change (currently, aa-complain etc. don't change hat flags). The tests for set_profile_flags() are also updated: - prepend a space to comments because write_header always adds a space between '{' and the comment - remove a test with superfluous quotes that are no longer kept (that's just a profile cleanup, so dropping that test is the easiest way) - update test_set_flags_10 and test_set_flags_12 to use the correct profile name - enable the tests for invalid (empty) flags - update the test for a non-existing file Note: test_set_flags_10, test_set_flags_12 and test_set_flags_nochange_09 will fail with this patch applied. The next patch will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:20:14 +02:00
self._test_set_flags('profile xy "/foo bar"', 'flags=(complain)', 'audit', profile_name='xy')
Add more set_profile_flags() tests The existing tests didn't test removing all flags. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-26 23:21:29 +02:00
def test_set_flags_13(self):
self._test_set_flags('/foo', '(audit)', '')
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
# test handling of hat flags
def test_set_flags_with_hat_01(self):
self._test_set_flags('/foo', 'flags=(complain)', 'audit',
more_rules='\n ^foobar {\n}\n',
expected_more_rules='\n ^foobar flags=(audit) {\n}\n'
)
def test_set_flags_with_hat_02(self):
self._test_set_flags('/foo', 'flags=(complain)', 'audit',
profile_name=None,
more_rules='\n ^foobar {\n}\n',
expected_more_rules='\n ^foobar flags=(audit) {\n}\n'
)
def test_set_flags_with_hat_03(self):
self._test_set_flags('/foo', 'flags=(complain)', 'audit',
more_rules='\n^foobar (attach_disconnected) { # comment\n}\n', # XXX attach_disconnected will be lost!
expected_more_rules='\n^foobar flags=(audit) { # comment\n}\n'
)
def test_set_flags_with_hat_04(self):
self._test_set_flags('/foo', '', 'audit',
more_rules='\n hat foobar (attach_disconnected) { # comment\n}\n', # XXX attach_disconnected will be lost!
expected_more_rules='\n hat foobar flags=(audit) { # comment\n}\n'
)
Add more set_profile_flags() tests The existing tests didn't test removing all flags. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-26 23:21:29 +02:00
def test_set_flags_with_hat_05(self):
self._test_set_flags('/foo', '(audit)', '',
more_rules='\n hat foobar (attach_disconnected) { # comment\n}\n', # XXX attach_disconnected will be lost!
expected_more_rules='\n hat foobar { # comment\n}\n'
)
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
# test handling of child profiles
def test_set_flags_with_child_01(self):
self._test_set_flags('/foo', 'flags=(complain)', 'audit',
profile_name=None,
more_rules='\n profile /bin/bar {\n}\n',
expected_more_rules='\n profile /bin/bar flags=(audit) {\n}\n'
)
#def test_set_flags_with_child_02(self):
# XXX child profile flags aren't changed if profile parameter is not None
#self._test_set_flags('/foo', 'flags=(complain)', 'audit',
# more_rules='\n profile /bin/bar {\n}\n',
# expected_more_rules='\n profile /bin/bar flags=(audit) {\n}\n'
#)
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
rewrite set_profile_flags() to use write_header() Changes in set_profile_flags(): - rewrite set_profile_flags to use parse_profile_start_line() and write_header(). - replace the silent failure for non-existing files with a proper exception (using lazy programming - the check is done by removing the "if os.path.isfile()" check, open_file_read then raises the exception ;-) - comment out regex_hat_flag and the code that was supposed to handle hat flags, which were totally broken. We'll need another patch to fix it, and we also need to decide if we want to do that because it introduces a behaviour change (currently, aa-complain etc. don't change hat flags). The tests for set_profile_flags() are also updated: - prepend a space to comments because write_header always adds a space between '{' and the comment - remove a test with superfluous quotes that are no longer kept (that's just a profile cleanup, so dropping that test is the easiest way) - update test_set_flags_10 and test_set_flags_12 to use the correct profile name - enable the tests for invalid (empty) flags - update the test for a non-existing file Note: test_set_flags_10, test_set_flags_12 and test_set_flags_nochange_09 will fail with this patch applied. The next patch will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:20:14 +02:00
def test_set_flags_invalid_01(self):
with self.assertRaises(AppArmorBug):
self._test_set_flags('/foo', '()', None, check_new_flags=False)
def test_set_flags_invalid_02(self):
with self.assertRaises(AppArmorBug):
self._test_set_flags('/foo', 'flags=()', None, check_new_flags=False)
def test_set_flags_invalid_03(self):
with self.assertRaises(AppArmorException):
[patch] make set_profile_flags more strict this patch makes set_profile_flags more strict: - raise AppArmorBug if newflags contains only whitespace - raise AppArmorBug if the file doesn't contain the specified profile or no profile at all The tests are adjusted to expect AppArmorBug instead of a silent failure. Also, some tests are added for profile=None, which means to change the flags for all profiles in a file. - test_set_flags_08 is now test_set_flags_invalid_04 - test_set_flags_invalid_03 is changed to only contain one reason for a failure, not two ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:25:18 +02:00
self._test_set_flags('/foo', '( )', '', check_new_flags=False)
def test_set_flags_invalid_04(self):
with self.assertRaises(AppArmorBug):
self._test_set_flags('/foo', 'flags=(complain, audit)', ' ', check_new_flags=False) # whitespace-only newflags
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
def test_set_flags_other_profile(self):
# test behaviour if the file doesn't contain the specified /foo profile
orig_prof = '/no-such-profile flags=(complain) {\n}'
self.file = write_file(self.tmpdir, 'profile', orig_prof)
[patch] make set_profile_flags more strict this patch makes set_profile_flags more strict: - raise AppArmorBug if newflags contains only whitespace - raise AppArmorBug if the file doesn't contain the specified profile or no profile at all The tests are adjusted to expect AppArmorBug instead of a silent failure. Also, some tests are added for profile=None, which means to change the flags for all profiles in a file. - test_set_flags_08 is now test_set_flags_invalid_04 - test_set_flags_invalid_03 is changed to only contain one reason for a failure, not two ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:25:18 +02:00
with self.assertRaises(AppArmorBug):
set_profile_flags(self.file, '/foo', 'audit')
# the file should not be changed
real_new_prof = read_file(self.file)
self.assertEqual(orig_prof, real_new_prof)
def test_set_flags_no_profile_found(self):
# test behaviour if the file doesn't contain any profile
orig_prof = '# /comment flags=(complain) {\n# }'
self.file = write_file(self.tmpdir, 'profile', orig_prof)
with self.assertRaises(AppArmorBug):
set_profile_flags(self.file, None, 'audit')
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
# the file should not be changed
real_new_prof = read_file(self.file)
self.assertEqual(orig_prof, real_new_prof)
def test_set_flags_file_not_found(self):
rewrite set_profile_flags() to use write_header() Changes in set_profile_flags(): - rewrite set_profile_flags to use parse_profile_start_line() and write_header(). - replace the silent failure for non-existing files with a proper exception (using lazy programming - the check is done by removing the "if os.path.isfile()" check, open_file_read then raises the exception ;-) - comment out regex_hat_flag and the code that was supposed to handle hat flags, which were totally broken. We'll need another patch to fix it, and we also need to decide if we want to do that because it introduces a behaviour change (currently, aa-complain etc. don't change hat flags). The tests for set_profile_flags() are also updated: - prepend a space to comments because write_header always adds a space between '{' and the comment - remove a test with superfluous quotes that are no longer kept (that's just a profile cleanup, so dropping that test is the easiest way) - update test_set_flags_10 and test_set_flags_12 to use the correct profile name - enable the tests for invalid (empty) flags - update the test for a non-existing file Note: test_set_flags_10, test_set_flags_12 and test_set_flags_nochange_09 will fail with this patch applied. The next patch will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:20:14 +02:00
with self.assertRaises(IOError):
set_profile_flags('%s/file-not-found' % self.tmpdir, '/foo', 'audit')
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
add tests for write_header() Also add loop support to test-aa.py. BTW: In case you wonder - the need to replace unittest.TestCase with AATest is intentional. It might look annoying, but it makes sure that a test-*.py file doesn't contain a test class where tests = [...] is ignored because it's still unittest.TestCase. (Technically, setup_all_tests() will error out if a test class doesn't contain tests = [...] - either explicit or via its parent AATest.) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:48:50 +02:00
class AaTest_is_skippable_file(AATest):
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_not_skippable_01(self):
self.assertFalse(is_skippable_file('bin.ping'))
def test_not_skippable_02(self):
self.assertFalse(is_skippable_file('usr.lib.dovecot.anvil'))
def test_not_skippable_03(self):
self.assertFalse(is_skippable_file('bin.~ping'))
def test_not_skippable_04(self):
self.assertFalse(is_skippable_file('bin.rpmsave.ping'))
def test_not_skippable_05(self):
# normally is_skippable_file should be called without directory, but it shouldn't hurt too much
self.assertFalse(is_skippable_file('/etc/apparmor.d/bin.ping'))
def test_not_skippable_06(self):
self.assertFalse(is_skippable_file('bin.pingrej'))
def test_skippable_01(self):
self.assertTrue(is_skippable_file('bin.ping.dpkg-new'))
def test_skippable_02(self):
self.assertTrue(is_skippable_file('bin.ping.dpkg-old'))
def test_skippable_03(self):
self.assertTrue(is_skippable_file('bin.ping..dpkg-dist'))
def test_skippable_04(self):
self.assertTrue(is_skippable_file('bin.ping..dpkg-bak'))
def test_skippable_05(self):
self.assertTrue(is_skippable_file('bin.ping.rpmnew'))
def test_skippable_06(self):
self.assertTrue(is_skippable_file('bin.ping.rpmsave'))
def test_skippable_07(self):
self.assertTrue(is_skippable_file('bin.ping.orig'))
def test_skippable_08(self):
self.assertTrue(is_skippable_file('bin.ping.rej'))
def test_skippable_09(self):
self.assertTrue(is_skippable_file('bin.ping~'))
def test_skippable_10(self):
self.assertTrue(is_skippable_file('.bin.ping'))
def test_skippable_11(self):
self.assertTrue(is_skippable_file('')) # empty filename
def test_skippable_12(self):
self.assertTrue(is_skippable_file('/etc/apparmor.d/')) # directory without filename
def test_skippable_13(self):
self.assertTrue(is_skippable_file('README'))
fix is_skippable_dir() and add tests Fix is_skippable_dir() - the regex also matched things like /etc/apparmor.d/dont_disable, while it should match on the full directory name. Also add some tests based on a real-world aa-logprof run (with "print (path)" in is_skippable_dir()) and some additional "funny"[tm] dirs. Needless to say that the tests ('dont_disable', False), ('/etc/apparmor.d/cache_foo', False), will fail with the old is_skippable_dir(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:29:44 +02:00
class AaTest_is_skippable_dir(AATest):
tests = [
('disable', True),
('cache', True),
('lxc', True),
('force-complain', True),
('/etc/apparmor.d/cache', True),
('/etc/apparmor.d/lxc/', True),
('dont_disable', False),
('/etc/apparmor.d/cache_foo', False),
('abstractions', False),
('apache2.d', False),
('/etc/apparmor.d/apache2.d', False),
('local', False),
('/etc/apparmor.d/local/', False),
('tunables', False),
('/etc/apparmor.d/tunables', False),
('/etc/apparmor.d/tunables/multiarch.d', False),
('/etc/apparmor.d/tunables/xdg-user-dirs.d', False),
('/etc/apparmor.d/tunables/home.d', False),
('/etc/apparmor.d/abstractions', False),
('/etc/apparmor.d/abstractions/ubuntu-browsers.d', False),
('/etc/apparmor.d/abstractions/apparmor_api', False),
]
def _run_test(self, params, expected):
self.assertEqual(is_skippable_dir(params), expected)
add tests for write_header() Also add loop support to test-aa.py. BTW: In case you wonder - the need to replace unittest.TestCase with AATest is intentional. It might look annoying, but it makes sure that a test-*.py file doesn't contain a test class where tests = [...] is ignored because it's still unittest.TestCase. (Technically, setup_all_tests() will error out if a test class doesn't contain tests = [...] - either explicit or via its parent AATest.) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:48:50 +02:00
class AaTest_parse_profile_start(AATest):
aa.py: split off parse_profile_start() from parse_profile_data() and add tests Move the code for parsing the profile start ("/foo {") from aa.py parse_profile_data() to a separate function parse_profile_start(). Most of the changes are just moving around code, with some small exceptions: - instead of handing over profile_data to parse_profile_start() to modify it, it sets two variables (pps_set_profile and pps_set_hat_external) as part of its return value, which are then used in parse_profile_data() to set the flags in profile_data. - existing_profiles[profile] = file is executed later, which means it used the strip_quotes() version of profile now - whitespace / tab level changes The patch also adds some tests for the parse_profile_start() function. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 21:12:12 +01:00
def _parse(self, line, profile, hat):
return parse_profile_start(line, 'somefile', 1, profile, hat)
# (profile, hat, flags, in_contained_hat, pps_set_profile, pps_set_hat_external)
def test_parse_profile_start_01(self):
result = self._parse('/foo {', None, None)
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', '/foo', None, None, False, False, False)
aa.py: split off parse_profile_start() from parse_profile_data() and add tests Move the code for parsing the profile start ("/foo {") from aa.py parse_profile_data() to a separate function parse_profile_start(). Most of the changes are just moving around code, with some small exceptions: - instead of handing over profile_data to parse_profile_start() to modify it, it sets two variables (pps_set_profile and pps_set_hat_external) as part of its return value, which are then used in parse_profile_data() to set the flags in profile_data. - existing_profiles[profile] = file is executed later, which means it used the strip_quotes() version of profile now - whitespace / tab level changes The patch also adds some tests for the parse_profile_start() function. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 21:12:12 +01:00
self.assertEqual(result, expected)
def test_parse_profile_start_02(self):
result = self._parse('/foo (complain) {', None, None)
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', '/foo', None, 'complain', False, False, False)
aa.py: split off parse_profile_start() from parse_profile_data() and add tests Move the code for parsing the profile start ("/foo {") from aa.py parse_profile_data() to a separate function parse_profile_start(). Most of the changes are just moving around code, with some small exceptions: - instead of handing over profile_data to parse_profile_start() to modify it, it sets two variables (pps_set_profile and pps_set_hat_external) as part of its return value, which are then used in parse_profile_data() to set the flags in profile_data. - existing_profiles[profile] = file is executed later, which means it used the strip_quotes() version of profile now - whitespace / tab level changes The patch also adds some tests for the parse_profile_start() function. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 21:12:12 +01:00
self.assertEqual(result, expected)
def test_parse_profile_start_03(self):
result = self._parse('profile foo /foo {', None, None) # named profile
Finally implement attachment handling This patch implements attachment handling - aa-logprof now works with profiles that have an attachment defined, instead of ignoring audit.log entries for those profiles. Changes: - parse_profile_start_line(): remove workaround that merged the attachment into the profile name - parse_profile_data(): store attachment when parsing a profile - update test_parse_profile_start_03, test_serialize_parse_profile_start_03, test_set_flags_nochange_09 and some parse_profile_start_line() tests - they now expect correct attachment handling Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:26:26 +02:00
expected = ('foo', 'foo', '/foo', None, False, False, False)
aa.py: split off parse_profile_start() from parse_profile_data() and add tests Move the code for parsing the profile start ("/foo {") from aa.py parse_profile_data() to a separate function parse_profile_start(). Most of the changes are just moving around code, with some small exceptions: - instead of handing over profile_data to parse_profile_start() to modify it, it sets two variables (pps_set_profile and pps_set_hat_external) as part of its return value, which are then used in parse_profile_data() to set the flags in profile_data. - existing_profiles[profile] = file is executed later, which means it used the strip_quotes() version of profile now - whitespace / tab level changes The patch also adds some tests for the parse_profile_start() function. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 21:12:12 +01:00
self.assertEqual(result, expected)
def test_parse_profile_start_04(self):
result = self._parse('profile /foo {', '/bar', '/bar') # child profile
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/bar', '/foo', None, None, True, True, False)
aa.py: split off parse_profile_start() from parse_profile_data() and add tests Move the code for parsing the profile start ("/foo {") from aa.py parse_profile_data() to a separate function parse_profile_start(). Most of the changes are just moving around code, with some small exceptions: - instead of handing over profile_data to parse_profile_start() to modify it, it sets two variables (pps_set_profile and pps_set_hat_external) as part of its return value, which are then used in parse_profile_data() to set the flags in profile_data. - existing_profiles[profile] = file is executed later, which means it used the strip_quotes() version of profile now - whitespace / tab level changes The patch also adds some tests for the parse_profile_start() function. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 21:12:12 +01:00
self.assertEqual(result, expected)
def test_parse_profile_start_05(self):
result = self._parse('/foo//bar {', None, None) # external hat
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', 'bar', None, None, False, False, True)
aa.py: split off parse_profile_start() from parse_profile_data() and add tests Move the code for parsing the profile start ("/foo {") from aa.py parse_profile_data() to a separate function parse_profile_start(). Most of the changes are just moving around code, with some small exceptions: - instead of handing over profile_data to parse_profile_start() to modify it, it sets two variables (pps_set_profile and pps_set_hat_external) as part of its return value, which are then used in parse_profile_data() to set the flags in profile_data. - existing_profiles[profile] = file is executed later, which means it used the strip_quotes() version of profile now - whitespace / tab level changes The patch also adds some tests for the parse_profile_start() function. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 21:12:12 +01:00
self.assertEqual(result, expected)
update test-aa.py to match parse_profile_start() and get_profile_flags() changes The previous patch slightly changed the behaviour of parse_profile_start() and get_profile_flags() - they raise AppArmorBug instead of AppArmorException when specifying a line that is not the start of a profile and therefore doesn't match RE_PROFILE_START_2. This patch updates test-aa.py to expect the correct exceptions, and adds another test with quoted profile name to ensure that stripping the quotes works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-31 22:45:45 +02:00
def test_parse_profile_start_06(self):
result = self._parse('profile "/foo" (complain) {', None, None)
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', '/foo', None, 'complain', False, False, False)
update test-aa.py to match parse_profile_start() and get_profile_flags() changes The previous patch slightly changed the behaviour of parse_profile_start() and get_profile_flags() - they raise AppArmorBug instead of AppArmorException when specifying a line that is not the start of a profile and therefore doesn't match RE_PROFILE_START_2. This patch updates test-aa.py to expect the correct exceptions, and adds another test with quoted profile name to ensure that stripping the quotes works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-31 22:45:45 +02:00
self.assertEqual(result, expected)
aa.py: split off parse_profile_start() from parse_profile_data() and add tests Move the code for parsing the profile start ("/foo {") from aa.py parse_profile_data() to a separate function parse_profile_start(). Most of the changes are just moving around code, with some small exceptions: - instead of handing over profile_data to parse_profile_start() to modify it, it sets two variables (pps_set_profile and pps_set_hat_external) as part of its return value, which are then used in parse_profile_data() to set the flags in profile_data. - existing_profiles[profile] = file is executed later, which means it used the strip_quotes() version of profile now - whitespace / tab level changes The patch also adds some tests for the parse_profile_start() function. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 21:12:12 +01:00
def test_parse_profile_start_invalid_01(self):
with self.assertRaises(AppArmorException):
self._parse('/foo {', '/bar', '/bar') # child profile without profile keyword
def test_parse_profile_start_invalid_02(self):
update test-aa.py to match parse_profile_start() and get_profile_flags() changes The previous patch slightly changed the behaviour of parse_profile_start() and get_profile_flags() - they raise AppArmorBug instead of AppArmorException when specifying a line that is not the start of a profile and therefore doesn't match RE_PROFILE_START_2. This patch updates test-aa.py to expect the correct exceptions, and adds another test with quoted profile name to ensure that stripping the quotes works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-31 22:45:45 +02:00
with self.assertRaises(AppArmorBug):
aa.py: split off parse_profile_start() from parse_profile_data() and add tests Move the code for parsing the profile start ("/foo {") from aa.py parse_profile_data() to a separate function parse_profile_start(). Most of the changes are just moving around code, with some small exceptions: - instead of handing over profile_data to parse_profile_start() to modify it, it sets two variables (pps_set_profile and pps_set_hat_external) as part of its return value, which are then used in parse_profile_data() to set the flags in profile_data. - existing_profiles[profile] = file is executed later, which means it used the strip_quotes() version of profile now - whitespace / tab level changes The patch also adds some tests for the parse_profile_start() function. Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 21:12:12 +01:00
self._parse('xy', '/bar', '/bar') # not a profile start
let parse_profile_data() check for in-file duplicate profiles Add a check to parse_profile_data() to detect if a file contains two profiles with the same name. Note: Two profiles with the same name, but in different files, won't be detected by this check. Also add basic tests to ensure that a valid profile gets parsed, and two profiles with the same name inside the same file raise an exception. (Sidenote: these simple tests improve aa.py coverage from 9% to 12%, which also confirms the function is too long ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 13:00:32 +02:00
class AaTest_parse_profile_data(AATest):
def test_parse_empty_profile_01(self):
prof = parse_profile_data('/foo {\n}\n'.split(), 'somefile', False)
self.assertEqual(list(prof.keys()), ['/foo'])
self.assertEqual(list(prof['/foo'].keys()), ['/foo'])
self.assertEqual(prof['/foo']['/foo']['name'], '/foo')
self.assertEqual(prof['/foo']['/foo']['filename'], 'somefile')
self.assertEqual(prof['/foo']['/foo']['flags'], None)
def test_parse_empty_profile_02(self):
with self.assertRaises(AppArmorException):
# file contains two profiles with the same name
parse_profile_data('profile /foo {\n}\nprofile /foo {\n}\n'.split(), 'somefile', False)
fix handling of adding to variables the LibreOffice profile uncovered that handling of @{var} += is broken: File ".../utils/apparmor/aa.py", line 3272, in store_list_var var[list_var] = set(var[list_var] + vlist) TypeError: unsupported operand type(s) for +: 'set' and 'list' This patch fixes it: - change separate_vars() to use and return a set instead of a list (FYI: separate_vars() is only called by store_list_var()) - adoptstore_list_var() to expect a set - remove some old comments in these functions - explain the less-intuitive parameters of store_list_var() Also add some tests for separate_vars() and store_list_var(). The tests were developed based on the old code, but not all of them succeed with the old code. As usual, the tests uncovered some interesting[tm] behaviour in separate_vars() (see the XXX comments and tell me what the really expected behaviour is ;-) Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-04-16 01:58:24 +02:00
class AaTest_separate_vars(AATest):
tests = [
('' , set() ),
(' ' , set() ),
(' foo bar' , {'foo', 'bar' }),
Several fixes for variable handling Parsing variables was broken in several ways: - empty quotes (representing an intentionally empty value) were lost, causing parser failures - items consisting of only one letter were lost due to a bug in RE_VARS - RE_VARS didn't start with ^, which means leading garbage (= syntax errors) was ignored - trailing garbage was also ignored This patch fixes those issues in separate_vars() and changes var_transform() to write out empty quotes (instead of nothing) for empty values. Also add some tests for separate_vars() with empty quotes and adjust several tests with invalid syntax to expect an AppArmorException. var_transform() gets some tests added. Finally, remove 3 testcases from the "fails to raise an exception" list in test-parser-simple-tests.py. Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9 (which also implies 2.10) Note: 2.9 doesn't have test-parser-simple-tests.py, therefore it won't get that part of the patch.
2015-12-12 12:59:13 +01:00
('foo " ' , AppArmorException ),
(' " foo ' , AppArmorException ), # half-quoted
fix handling of adding to variables the LibreOffice profile uncovered that handling of @{var} += is broken: File ".../utils/apparmor/aa.py", line 3272, in store_list_var var[list_var] = set(var[list_var] + vlist) TypeError: unsupported operand type(s) for +: 'set' and 'list' This patch fixes it: - change separate_vars() to use and return a set instead of a list (FYI: separate_vars() is only called by store_list_var()) - adoptstore_list_var() to expect a set - remove some old comments in these functions - explain the less-intuitive parameters of store_list_var() Also add some tests for separate_vars() and store_list_var(). The tests were developed based on the old code, but not all of them succeed with the old code. As usual, the tests uncovered some interesting[tm] behaviour in separate_vars() (see the XXX comments and tell me what the really expected behaviour is ;-) Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-04-16 01:58:24 +02:00
(' foo bar ' , {'foo', 'bar' }),
Several fixes for variable handling Parsing variables was broken in several ways: - empty quotes (representing an intentionally empty value) were lost, causing parser failures - items consisting of only one letter were lost due to a bug in RE_VARS - RE_VARS didn't start with ^, which means leading garbage (= syntax errors) was ignored - trailing garbage was also ignored This patch fixes those issues in separate_vars() and changes var_transform() to write out empty quotes (instead of nothing) for empty values. Also add some tests for separate_vars() with empty quotes and adjust several tests with invalid syntax to expect an AppArmorException. var_transform() gets some tests added. Finally, remove 3 testcases from the "fails to raise an exception" list in test-parser-simple-tests.py. Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9 (which also implies 2.10) Note: 2.9 doesn't have test-parser-simple-tests.py, therefore it won't get that part of the patch.
2015-12-12 12:59:13 +01:00
(' foo bar # comment' , {'foo', 'bar', '#', 'comment'}), # XXX should comments be stripped?
fix handling of adding to variables the LibreOffice profile uncovered that handling of @{var} += is broken: File ".../utils/apparmor/aa.py", line 3272, in store_list_var var[list_var] = set(var[list_var] + vlist) TypeError: unsupported operand type(s) for +: 'set' and 'list' This patch fixes it: - change separate_vars() to use and return a set instead of a list (FYI: separate_vars() is only called by store_list_var()) - adoptstore_list_var() to expect a set - remove some old comments in these functions - explain the less-intuitive parameters of store_list_var() Also add some tests for separate_vars() and store_list_var(). The tests were developed based on the old code, but not all of them succeed with the old code. As usual, the tests uncovered some interesting[tm] behaviour in separate_vars() (see the XXX comments and tell me what the really expected behaviour is ;-) Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-04-16 01:58:24 +02:00
('foo' , {'foo' }),
('"foo" "bar baz"' , {'foo', 'bar baz' }),
('foo "bar baz" xy' , {'foo', 'bar baz', 'xy' }),
Several fixes for variable handling Parsing variables was broken in several ways: - empty quotes (representing an intentionally empty value) were lost, causing parser failures - items consisting of only one letter were lost due to a bug in RE_VARS - RE_VARS didn't start with ^, which means leading garbage (= syntax errors) was ignored - trailing garbage was also ignored This patch fixes those issues in separate_vars() and changes var_transform() to write out empty quotes (instead of nothing) for empty values. Also add some tests for separate_vars() with empty quotes and adjust several tests with invalid syntax to expect an AppArmorException. var_transform() gets some tests added. Finally, remove 3 testcases from the "fails to raise an exception" list in test-parser-simple-tests.py. Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9 (which also implies 2.10) Note: 2.9 doesn't have test-parser-simple-tests.py, therefore it won't get that part of the patch.
2015-12-12 12:59:13 +01:00
('foo "bar baz ' , AppArmorException ), # half-quoted
fix handling of adding to variables the LibreOffice profile uncovered that handling of @{var} += is broken: File ".../utils/apparmor/aa.py", line 3272, in store_list_var var[list_var] = set(var[list_var] + vlist) TypeError: unsupported operand type(s) for +: 'set' and 'list' This patch fixes it: - change separate_vars() to use and return a set instead of a list (FYI: separate_vars() is only called by store_list_var()) - adoptstore_list_var() to expect a set - remove some old comments in these functions - explain the less-intuitive parameters of store_list_var() Also add some tests for separate_vars() and store_list_var(). The tests were developed based on the old code, but not all of them succeed with the old code. As usual, the tests uncovered some interesting[tm] behaviour in separate_vars() (see the XXX comments and tell me what the really expected behaviour is ;-) Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-04-16 01:58:24 +02:00
(' " foo" bar' , {' foo', 'bar' }),
Several fixes for variable handling Parsing variables was broken in several ways: - empty quotes (representing an intentionally empty value) were lost, causing parser failures - items consisting of only one letter were lost due to a bug in RE_VARS - RE_VARS didn't start with ^, which means leading garbage (= syntax errors) was ignored - trailing garbage was also ignored This patch fixes those issues in separate_vars() and changes var_transform() to write out empty quotes (instead of nothing) for empty values. Also add some tests for separate_vars() with empty quotes and adjust several tests with invalid syntax to expect an AppArmorException. var_transform() gets some tests added. Finally, remove 3 testcases from the "fails to raise an exception" list in test-parser-simple-tests.py. Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9 (which also implies 2.10) Note: 2.9 doesn't have test-parser-simple-tests.py, therefore it won't get that part of the patch.
2015-12-12 12:59:13 +01:00
(' " foo" bar x' , {' foo', 'bar', 'x' }),
('""' , {'' }), # empty value
('"" foo' , {'', 'foo' }), # empty value + 'foo'
('"" foo "bar"' , {'', 'foo', 'bar' }), # empty value + 'foo' + 'bar' (bar has superfluous quotes)
('"bar"' , {'bar' }), # 'bar' with superfluous quotes
fix handling of adding to variables the LibreOffice profile uncovered that handling of @{var} += is broken: File ".../utils/apparmor/aa.py", line 3272, in store_list_var var[list_var] = set(var[list_var] + vlist) TypeError: unsupported operand type(s) for +: 'set' and 'list' This patch fixes it: - change separate_vars() to use and return a set instead of a list (FYI: separate_vars() is only called by store_list_var()) - adoptstore_list_var() to expect a set - remove some old comments in these functions - explain the less-intuitive parameters of store_list_var() Also add some tests for separate_vars() and store_list_var(). The tests were developed based on the old code, but not all of them succeed with the old code. As usual, the tests uncovered some interesting[tm] behaviour in separate_vars() (see the XXX comments and tell me what the really expected behaviour is ;-) Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-04-16 01:58:24 +02:00
]
def _run_test(self, params, expected):
Several fixes for variable handling Parsing variables was broken in several ways: - empty quotes (representing an intentionally empty value) were lost, causing parser failures - items consisting of only one letter were lost due to a bug in RE_VARS - RE_VARS didn't start with ^, which means leading garbage (= syntax errors) was ignored - trailing garbage was also ignored This patch fixes those issues in separate_vars() and changes var_transform() to write out empty quotes (instead of nothing) for empty values. Also add some tests for separate_vars() with empty quotes and adjust several tests with invalid syntax to expect an AppArmorException. var_transform() gets some tests added. Finally, remove 3 testcases from the "fails to raise an exception" list in test-parser-simple-tests.py. Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9 (which also implies 2.10) Note: 2.9 doesn't have test-parser-simple-tests.py, therefore it won't get that part of the patch.
2015-12-12 12:59:13 +01:00
if expected == AppArmorException:
with self.assertRaises(expected):
separate_vars(params)
else:
result = separate_vars(params)
self.assertEqual(result, expected)
fix handling of adding to variables the LibreOffice profile uncovered that handling of @{var} += is broken: File ".../utils/apparmor/aa.py", line 3272, in store_list_var var[list_var] = set(var[list_var] + vlist) TypeError: unsupported operand type(s) for +: 'set' and 'list' This patch fixes it: - change separate_vars() to use and return a set instead of a list (FYI: separate_vars() is only called by store_list_var()) - adoptstore_list_var() to expect a set - remove some old comments in these functions - explain the less-intuitive parameters of store_list_var() Also add some tests for separate_vars() and store_list_var(). The tests were developed based on the old code, but not all of them succeed with the old code. As usual, the tests uncovered some interesting[tm] behaviour in separate_vars() (see the XXX comments and tell me what the really expected behaviour is ;-) Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-04-16 01:58:24 +02:00
class AaTest_store_list_var(AATest):
tests = [
# old var value operation expected (False for exception)
([ {} , 'foo' , '=' ], {'foo'} ), # set
([ {} , 'foo bar' , '=' ], {'foo', 'bar'} ), # set multi
([ {'@{var}': {'foo'}} , 'bar' , '=' ], False ), # redefine var
([ {} , 'bar' , '+=' ], False ), # add to undefined var
([ {'@{var}': {'foo'}} , 'bar' , '+=' ], {'foo', 'bar'} ), # add
([ {'@{var}': {'foo'}} , 'bar baz' , '+=' ], {'foo', 'bar', 'baz'} ), # add multi
([ {'@{var}': {'foo', 'xy'}} , 'bar baz' , '+=' ], {'foo', 'xy', 'bar', 'baz'} ), # add multi to multi
([ {} , 'foo' , '-=' ], False ), # unknown operation
]
def _run_test(self, params, expected):
var = params[0]
value = params[1]
operation = params[2]
if not expected:
with self.assertRaises(AppArmorException):
store_list_var(var, '@{var}', value, operation, 'somefile')
return
# dumy value that must not be changed
var['@{foo}'] = {'one', 'two'}
exp_var = {
'@{foo}': {'one', 'two'},
'@{var}': expected,
}
store_list_var(var, '@{var}', value, operation, 'somefile')
self.assertEqual(var.keys(), exp_var.keys())
for key in exp_var:
self.assertEqual(var[key], exp_var[key])
add tests for write_header() Also add loop support to test-aa.py. BTW: In case you wonder - the need to replace unittest.TestCase with AATest is intentional. It might look annoying, but it makes sure that a test-*.py file doesn't contain a test class where tests = [...] is ignored because it's still unittest.TestCase. (Technically, setup_all_tests() will error out if a test class doesn't contain tests = [...] - either explicit or via its parent AATest.) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:48:50 +02:00
class AaTest_write_header(AATest):
tests = [
test new parameters of write_header() Change the write_header tests so that the 'profile_keyword' and 'header_comment' parameters can be (and are) tested: - add a None for both to the existing tests - add some tests that come with the profile keyword and/or a comment Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-02 01:31:22 +02:00
# name embedded_hat write_flags depth flags attachment prof.keyw. comment expected
(['/foo', False, True, 1, 'complain', None, None, None ], ' /foo flags=(complain) {'),
(['/foo', True, True, 1, 'complain', None, None, None ], ' profile /foo flags=(complain) {'),
(['/foo sp', False, False, 2, 'complain', None, None, None ], ' "/foo sp" {'),
(['/foo' ,False, False, 2, 'complain', None, None, None ], ' /foo {'),
(['/foo', True, False, 2, 'complain', None, None, None ], ' profile /foo {'),
(['/foo', False, True, 0, None, None, None, None ], '/foo {'),
(['/foo', True, True, 0, None, None, None, None ], 'profile /foo {'),
(['/foo', False, False, 0, None, None, None, None ], '/foo {'),
(['/foo', True, False, 0, None, None, None, None ], 'profile /foo {'),
(['bar', False, True, 1, 'complain', None, None, None ], ' profile bar flags=(complain) {'),
(['bar', False, True, 1, 'complain', '/foo', None, None ], ' profile bar /foo flags=(complain) {'),
(['bar', True, True, 1, 'complain', '/foo', None, None ], ' profile bar /foo flags=(complain) {'),
(['bar baz', False, True, 1, None, '/foo', None, None ], ' profile "bar baz" /foo {'),
(['bar', True, True, 1, None, '/foo', None, None ], ' profile bar /foo {'),
(['bar baz', False, True, 1, 'complain', '/foo sp', None, None ], ' profile "bar baz" "/foo sp" flags=(complain) {'),
(['^foo', False, True, 1, 'complain', None, None, None ], ' profile ^foo flags=(complain) {'),
(['^foo', True, True, 1, 'complain', None, None, None ], ' ^foo flags=(complain) {'),
(['^foo', True, True, 1.5, 'complain', None, None, None ], ' ^foo flags=(complain) {'),
(['^foo', True, True, 1.3, 'complain', None, None, None ], ' ^foo flags=(complain) {'),
(['/foo', False, True, 1, 'complain', None, 'profile', None ], ' profile /foo flags=(complain) {'),
(['/foo', True, True, 1, 'complain', None, 'profile', None ], ' profile /foo flags=(complain) {'),
(['/foo', False, True, 1, 'complain', None, None, '# x' ], ' /foo flags=(complain) { # x'),
(['/foo', True, True, 1, None, None, None, '# x' ], ' profile /foo { # x'),
(['/foo', False, True, 1, None, None, 'profile', '# x' ], ' profile /foo { # x'),
(['/foo', True, True, 1, 'complain', None, 'profile', '# x' ], ' profile /foo flags=(complain) { # x'),
add tests for write_header() Also add loop support to test-aa.py. BTW: In case you wonder - the need to replace unittest.TestCase with AATest is intentional. It might look annoying, but it makes sure that a test-*.py file doesn't contain a test class where tests = [...] is ignored because it's still unittest.TestCase. (Technically, setup_all_tests() will error out if a test class doesn't contain tests = [...] - either explicit or via its parent AATest.) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:48:50 +02:00
]
def _run_test(self, params, expected):
name = params[0]
embedded_hat = params[1]
write_flags = params[2]
depth = params[3]
test new parameters of write_header() Change the write_header tests so that the 'profile_keyword' and 'header_comment' parameters can be (and are) tested: - add a None for both to the existing tests - add some tests that come with the profile keyword and/or a comment Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-02 01:31:22 +02:00
prof_data = { 'flags': params[4], 'attachment': params[5], 'profile_keyword': params[6], 'header_comment': params[7] }
add tests for write_header() Also add loop support to test-aa.py. BTW: In case you wonder - the need to replace unittest.TestCase with AATest is intentional. It might look annoying, but it makes sure that a test-*.py file doesn't contain a test class where tests = [...] is ignored because it's still unittest.TestCase. (Technically, setup_all_tests() will error out if a test class doesn't contain tests = [...] - either explicit or via its parent AATest.) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:48:50 +02:00
result = write_header(prof_data, depth, name, embedded_hat, write_flags)
self.assertEqual(result, [expected])
Several fixes for variable handling Parsing variables was broken in several ways: - empty quotes (representing an intentionally empty value) were lost, causing parser failures - items consisting of only one letter were lost due to a bug in RE_VARS - RE_VARS didn't start with ^, which means leading garbage (= syntax errors) was ignored - trailing garbage was also ignored This patch fixes those issues in separate_vars() and changes var_transform() to write out empty quotes (instead of nothing) for empty values. Also add some tests for separate_vars() with empty quotes and adjust several tests with invalid syntax to expect an AppArmorException. var_transform() gets some tests added. Finally, remove 3 testcases from the "fails to raise an exception" list in test-parser-simple-tests.py. Acked-by: John Johansen <john.johansen@canonical.com> for trunk and 2.9 (which also implies 2.10) Note: 2.9 doesn't have test-parser-simple-tests.py, therefore it won't get that part of the patch.
2015-12-12 12:59:13 +01:00
class AaTest_var_transform(AATest):
tests = [
(['foo', ''], 'foo ""' ),
(['foo', 'bar'], 'foo bar' ),
([''], '""' ),
(['bar baz', 'foo'], '"bar baz" foo' ),
]
def _run_test(self, params, expected):
self.assertEqual(var_transform(params), expected)
add tests for write_header() Also add loop support to test-aa.py. BTW: In case you wonder - the need to replace unittest.TestCase with AATest is intentional. It might look annoying, but it makes sure that a test-*.py file doesn't contain a test class where tests = [...] is ignored because it's still unittest.TestCase. (Technically, setup_all_tests() will error out if a test class doesn't contain tests = [...] - either explicit or via its parent AATest.) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:48:50 +02:00
class AaTest_serialize_parse_profile_start(AATest):
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
def _parse(self, line, profile, hat, prof_data_profile, prof_data_external):
# 'correct' is always True in the code that uses serialize_parse_profile_start() (set some lines above the function call)
return serialize_parse_profile_start(line, 'somefile', 1, profile, hat, prof_data_profile, prof_data_external, True)
def test_serialize_parse_profile_start_01(self):
result = self._parse('/foo {', None, None, False, False)
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', '/foo', None, None, False, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_02(self):
result = self._parse('/foo (complain) {', None, None, False, False)
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', '/foo', None, 'complain', False, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_03(self):
result = self._parse('profile foo /foo {', None, None, False, False) # named profile
Finally implement attachment handling This patch implements attachment handling - aa-logprof now works with profiles that have an attachment defined, instead of ignoring audit.log entries for those profiles. Changes: - parse_profile_start_line(): remove workaround that merged the attachment into the profile name - parse_profile_data(): store attachment when parsing a profile - update test_parse_profile_start_03, test_serialize_parse_profile_start_03, test_set_flags_nochange_09 and some parse_profile_start_line() tests - they now expect correct attachment handling Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:26:26 +02:00
expected = ('foo', 'foo', '/foo', None, False, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_04(self):
result = self._parse('profile /foo {', '/bar', '/bar', False, False) # child profile
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/bar', '/foo', None, None, True, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_05(self):
result = self._parse('/foo//bar {', None, None, False, False) # external hat
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', 'bar', None, None, False, False) # note correct == False here
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_06(self):
result = self._parse('profile "/foo" (complain) {', None, None, False, False)
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', '/foo', None, 'complain', False, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_07(self):
result = self._parse('/foo {', None, None, True, False)
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', '/foo', None, None, False, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_08(self):
result = self._parse('/foo {', None, None, False, True)
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', '/foo', None, None, False, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_09(self):
result = self._parse('/foo {', None, None, True, True)
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/foo', '/foo', None, None, False, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_10(self):
result = self._parse('profile /foo {', '/bar', '/bar', True, False) # child profile
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/bar', '/foo', None, None, True, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_11(self):
result = self._parse('profile /foo {', '/bar', '/bar', False, True) # child profile
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/bar', '/foo', None, None, True, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
def test_serialize_parse_profile_start_12(self):
result = self._parse('profile /foo {', '/bar', '/bar', True, True) # child profile
add attachment to parse_profile_start() return values Add the attachment to the parse_profile_start() and serialize_parse_profile_start() return values, and adjust the functions calling the *parse_profile_start() functions to save the attachment in the "attachment" variable (which isn't used yet). Also adjust the tests for the added return value. (Sorry for not getting the resultset right from the beginning!) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:58:29 +02:00
expected = ('/bar', '/foo', None, None, True, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
self.assertEqual(result, expected)
simplify serialize_parse_profile_start() Change serialize_parse_profile_start() to use parse_profile_start() instead of using duplicated code. The behaviour is mostly kept, with the exception that the function is more strict now and raises exceptions instead of ignoring errors. In practise, this won't change anything because the profiles are parsed with parse_profile() (which calls parse_profile_start()) - and that already errors out. The tests are updated to match the more strict behaviour. The next step would be to drop serialize_parse_profile_start() completely, but this isn't urgent and can/should be done when we have test coverage for serialize_profile_from_old_profile() one day ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:32:06 +02:00
class AaTestInvalid_serialize_parse_profile_start(AATest):
tests = [
# line profile hat p_d_profile p_d_external expected
(['/foo {', '/bar', '/bar', False, False ], AppArmorException), # child profile without 'profile' keyword
(['profile /foo {', '/bar', '/xy', False, False ], AppArmorException), # already inside a child profile - nesting level reached
(['/ext//hat {', '/bar', '/bar', True, True ], AppArmorException), # external hat inside a profile
(['/ext//hat {', '/bar', '/bar', True, False ], AppArmorException), # external hat inside a profile
(['xy', '/bar', '/bar', False, False ], AppArmorBug ), # not a profile start
]
convert serialize_parse_profile_start() to use parse_profile_start_line() Convert serialize_parse_profile_start() to use parse_profile_start_line(), and adjust a test to expect an AppArmorBug instead of an AttributeError exception. Also add two tests (they succeed with the old and the new code). Note that these tests document interesting[tm] behaviour - I tend to think that those cases should raise an exception, but I'm not sure about this because serialize_profile_from_old_profile() is a good example for interesting[tm] code :-/ I couldn't come up with a real-world test profile that would hit those cases without erroring out aa-logprof earlier - maybe the (more sane-looking) parse_profiles() / serialize_parse_profile_start() protects us from hitting this interesting[tm] behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:58:27 +02:00
simplify serialize_parse_profile_start() Change serialize_parse_profile_start() to use parse_profile_start() instead of using duplicated code. The behaviour is mostly kept, with the exception that the function is more strict now and raises exceptions instead of ignoring errors. In practise, this won't change anything because the profiles are parsed with parse_profile() (which calls parse_profile_start()) - and that already errors out. The tests are updated to match the more strict behaviour. The next step would be to drop serialize_parse_profile_start() completely, but this isn't urgent and can/should be done when we have test coverage for serialize_profile_from_old_profile() one day ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:32:06 +02:00
def _run_test(self, params, expected):
line = params[0]
profile = params[1]
hat = params[2]
prof_data_profile = params[3]
prof_data_external = params[4]
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
simplify serialize_parse_profile_start() Change serialize_parse_profile_start() to use parse_profile_start() instead of using duplicated code. The behaviour is mostly kept, with the exception that the function is more strict now and raises exceptions instead of ignoring errors. In practise, this won't change anything because the profiles are parsed with parse_profile() (which calls parse_profile_start()) - and that already errors out. The tests are updated to match the more strict behaviour. The next step would be to drop serialize_parse_profile_start() completely, but this isn't urgent and can/should be done when we have test coverage for serialize_profile_from_old_profile() one day ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:32:06 +02:00
with self.assertRaises(expected):
# 'correct' is always True in the code that uses serialize_parse_profile_start() (set some lines above the function call)
serialize_parse_profile_start(line, 'somefile', 1, profile, hat, prof_data_profile, prof_data_external, True)
add tests for serialize_parse_profile_start() to test-aa.py to document the function's behaviour. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 10:57:24 +02:00
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
Enable testloops for nosetests Ensure nosetests sees all tests in the tests[] tuples. This requires some name changes because nosetests thinks all function names containing "test" are tests. (A "not a test" docorator would be an alternative, but that would require some try/except magic to avoid a dependency on nose.) To avoid nosetests thinks the functions are a test, - rename setup_all_tests() to setup_all_loops() - rename regex_test() to _regex_test() (in test-regex_matches.py) Also add the module_name as parameter to setup_all_loops and always run it (not only if __name__ == '__main__'). Known issue: nosetests errors out with ValueError: no such test method in <class ...>: stub_test when trying to run a single test generated out of tests[]. (debugging hint: stub_test is the name used in setup_test_loop().) But that's still an improvement over not seeing those tests at all ;-) Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
2015-04-22 22:01:34 +02:00
setup_all_loops(__name__)
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
if __name__ == '__main__':
unittest.main(verbosity=2)
Reference in a new issue Copy permalink