From 0f74186752d85d80006187261e9bdb8b104a05fe Mon Sep 17 00:00:00 2001 From: Jake Hunsaker Date: Wed, 6 Jan 2021 12:51:38 -0500 Subject: [Policy] Add policy-controlled forbidden paths This adds policy-controlled forbidden path checking, which should be the final part of implementing "global" forbidden paths. With this commit, policies may now add paths and glob matches for paths which should never be collected in any plugin. Combined with plugin-defined paths and user-defined paths already available, plugins should now be able to be properly restricted from sensitive collections. Note that the way this is implemented is that policies that define the `set_forbidden_paths()` classmethod *extend* this forbidden list as it is built from the subclass(es) that also define one. This way, "top-level" policies do not need to maintain independent copies of entire trees of paths just to add a few specific additional ones that are not forbidden within other policies. This initial commit adds paths that are either very well-known to be ones we should avoid, or are paths that have previously been part of reported issues where these paths/files should not be collected. Closes: #316 Closes: #796 Closes: #919 Closes: #1316 Resolves: #2360 Signed-off-by: Jake Hunsaker --- tests/policy_tests.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'tests') diff --git a/tests/policy_tests.py b/tests/policy_tests.py index 4b248b70..6d0c42b9 100644 --- a/tests/policy_tests.py +++ b/tests/policy_tests.py @@ -8,6 +8,7 @@ import unittest from sos.policies import Policy, import_policy +from sos.policies.distros import LinuxPolicy from sos.policies.package_managers import PackageManager from sos.report.plugins import (Plugin, IndependentPlugin, RedHatPlugin, DebianPlugin) 
@@ -17,6 +18,14 @@ class FauxPolicy(Policy): distro = "Faux" +class FauxLinuxPolicy(LinuxPolicy): + distro = "FauxLinux" + + @classmethod + def set_forbidden_paths(cls): + return ['/etc/secret'] + + class FauxPlugin(Plugin, IndependentPlugin): pass @@ -31,12 +40,19 @@ class FauxDebianPlugin(Plugin, DebianPlugin): class PolicyTests(unittest.TestCase): + def test_independent_only(self): p = FauxPolicy() p.valid_subclasses = [] self.assertTrue(p.validate_plugin(FauxPlugin)) + def test_forbidden_paths_building(self): + p = FauxLinuxPolicy(probe_runtime=False) + self.assertTrue('*.pyc' in p.forbidden_paths) + self.assertTrue('/etc/passwd' in p.forbidden_paths) + self.assertTrue('/etc/secret' in p.forbidden_paths) + def test_redhat(self): p = FauxPolicy() p.valid_subclasses = [RedHatPlugin] -- cgit
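Review bot: The FauxLinuxPolicy fixture contributes only a literal path, so a glob supplied by a subclass is never exercised, although the commit message says policies may add both paths and glob matches. Returning a second entry such as `return ['/etc/secret', '*.faux']` (a constructed sample pattern) and asserting on it would cover that case. A short comment on the fixture would also help, for example `# Adds to, rather than replaces, the paths forbidden by parent policies`, since the test depends on that merge behaviour. The merge logic itself is not in this file, so this is inferred from the commit message.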
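Review bot: test_forbidden_paths_building only checks that entries end up in the merged list; it never checks that the subclass's addition stays out of other policies. Because the list is extended across subclasses, a check like `self.assertNotIn('/etc/secret', FauxPolicy().forbidden_paths)` would catch a shared list being mutated in place, assuming the base Policy exposes `forbidden_paths` the same way, which this file does not show. The three checks would also fail with a more useful message as `self.assertIn('/etc/secret', p.forbidden_paths)` instead of `assertTrue(... in ...)`. Whether a forbidden path is actually skipped during collection is not tested here; this view is limited to tests/, so that may be covered elsewhere.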