author | Jake Hunsaker <jhunsake@redhat.com> | 2021-01-06 12:51:38 -0500 |
---|---|---|
committer | Jake Hunsaker <jhunsake@redhat.com> | 2021-01-13 13:12:27 -0500 |
commit | 0f74186752d85d80006187261e9bdb8b104a05fe (patch) | |
tree | dbb8534d027023fc521122135eeaac9f564fe961 /tests | |
parent | 5fb859f52a5a77657d509c7f4d3590fdca694931 (diff) | |
download | sos-0f74186752d85d80006187261e9bdb8b104a05fe.tar.gz |
[Policy] Add policy-controlled forbidden paths
This adds policy-controlled forbidden path checking, which
should be the final part of implementing "global" forbidden paths. With
this commit, policies may now add paths and glob matches for paths which
should never be collected in any plugin.
Combined with plugin-defined paths and user-defined paths already
available, plugins should now be able to be properly restricted from
sensitive collections.
Note that the way this is implemented is that policies that define the
`set_forbidden_paths()` classmethod *extend* this forbidden list as it
is built from the subclass(es) that also define one. This way,
"top-level" policies do not need to maintain independent copies of
entire trees of paths just to add a few specific additional ones that
are not forbidden within other policies.
This initial commit adds paths that are either very well-known to be
ones we should avoid, or are paths that have previously been part of
reported issues where these paths/files should not be collected.
Closes: #316
Closes: #796
Closes: #919
Closes: #1316
Resolves: #2360
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/policy_tests.py | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/tests/policy_tests.py b/tests/policy_tests.py
index 4b248b70..6d0c42b9 100644
--- a/tests/policy_tests.py
+++ b/tests/policy_tests.py
@@ -8,6 +8,7 @@ import unittest
 from sos.policies import Policy, import_policy
+from sos.policies.distros import LinuxPolicy
 from sos.policies.package_managers import PackageManager
 from sos.report.plugins import (Plugin, IndependentPlugin, RedHatPlugin, DebianPlugin)
@@ -17,6 +18,14 @@ class FauxPolicy(Policy):
 distro = "Faux"
+class FauxLinuxPolicy(LinuxPolicy):
+ distro = "FauxLinux"
+
+ @classmethod
+ def set_forbidden_paths(cls):
+ return ['/etc/secret']
+
+
 class FauxPlugin(Plugin, IndependentPlugin):
 pass
@@ -31,12 +40,19 @@ class FauxDebianPlugin(Plugin, DebianPlugin):
 class PolicyTests(unittest.TestCase):
+
 def test_independent_only(self):
 p = FauxPolicy()
 p.valid_subclasses = []
 self.assertTrue(p.validate_plugin(FauxPlugin))
+ def test_forbidden_paths_building(self):
+ p = FauxLinuxPolicy(probe_runtime=False)
+ self.assertTrue('*.pyc' in p.forbidden_paths)
+ self.assertTrue('/etc/passwd' in p.forbidden_paths)
+ self.assertTrue('/etc/secret' in p.forbidden_paths)
+
 def test_redhat(self):
 p = FauxPolicy()
 p.valid_subclasses = [RedHatPlugin] |
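Review bot: FauxLinuxPolicy.set_forbidden_paths in the second hunk has no docstring saying that it returns only this policy's own addition, so the fixture reads as if `['/etc/secret']` replaced the parent list. The later test expects '/etc/passwd' and '*.pyc' to be present as well, which means the merge happens in code outside this tests-only diff. A one-line docstring such as `"""Return only the extra path; entries from parent policies are merged in by the policy base."""` would make that dependency explicit for whoever edits the fixture next.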
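Review bot: test_forbidden_paths_building in the third hunk checks only that three strings are present in p.forbidden_paths; nothing here verifies that a plugin is actually refused one of those paths, so the test would still pass if the list were built but never consulted during collection (enforcement may be covered elsewhere, since this diff is limited to tests). A negative check on a sibling policy, for example `self.assertNotIn('/etc/secret', FauxPolicy().forbidden_paths)` (assuming the base Policy exposes the same attribute), would catch entries leaking between policies through a shared list. The membership checks would also report clearer failures as `self.assertIn('/etc/secret', p.forbidden_paths)`. The PolicyTests class body continues past the end of the hunk.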