Implement role/type/user criteria unit tests for ConstraintQuery

closes #7 closes #8 closes #9
2025-02-22 15:16:58 +00:00 · 2015-03-12 09:27:36 -04:00 · 2015-03-12 09:27:36 -04:00 · 14aa57c669
commit 14aa57c669
parent 2f9999752d
3 changed files with 166 additions and 2 deletions
--- a/setools/constraintquery.py
+++ b/setools/constraintquery.py
@ -88,7 +88,7 @@ class ConstraintQuery(mixins.MatchObjClass, mixins.MatchPermission, PolicyQuery)
        if indirect:
            obj = set()
            for item in expr:
-                obj |= set(item.expand())
+                obj.update(item.expand())
        else:
            obj = expr

--- a/tests/constraintquery.conf
+++ b/tests/constraintquery.conf
@ -12,6 +12,15 @@ class test20c
 class test21a
 class test21b
 class test21c
+class test30
+class test31a
+class test31b
+class test40
+class test41a
+class test41b
+class test50
+class test51a
+class test51b

 sid kernel
 sid security
@ -87,6 +96,32 @@ class test21c
    test21bp
 }

+class test30
+inherits test
+
+class test31a
+inherits test
+
+class test31b
+inherits test
+
+class test40
+inherits test
+
+class test41a
+inherits test
+
+class test41b
+inherits test
+
+class test50
+inherits test
+
+class test51a
+inherits test
+
+class test51b
+inherits test

 sensitivity low_s;
 sensitivity medium_s alias med;
@ -114,18 +149,39 @@ type system;
 role system;
 role system types system;

+role test30r;
+role test30r types system;
+
+role test31ra;
+role test31ra types system;
+role test31rb;
+role test31rb types system;
+
+type test40t;
+type test41ta;
+type test41tb;
+
 user system roles system level med range low_s - high_s:here.lost;
+user test50u roles system level med range low_s - high_s:here.lost;
+user test51u1 roles system level med range low_s - high_s:here.lost;
+user test51u2 roles system level med range low_s - high_s:here.lost;

 # test 10:
 # ruletype: unset
 # tclass: test10
 # perms: unset
+# role: unset
+# type: unset
+# user: unset
 constrain test10 hi_w (u1 == u2);

 # test 11:
 # ruletype: unset
 # tclass: test11a, test11b
 # perms: unset
+# role: unset
+# type: unset
+# user: unset
 constrain test11a hi_w (u1 == u2);
 constrain test11b hi_w (u1 == u2);
 constrain test11c hi_w (u1 == u2);
@ -134,6 +190,9 @@ constrain test11c hi_w (u1 == u2);
 # ruletype: unset
 # tclass: intoflow12(a|c), regex
 # perms: unset
+# role: unset
+# type: unset
+# user: unset
 constrain test12a hi_w (u1 == u2);
 constrain test12b hi_w (u1 == u2);
 constrain test12c hi_w (u1 == u2);
@ -142,6 +201,9 @@ constrain test12c hi_w (u1 == u2);
 # ruletype: unset
 # tclass: unset
 # perms: test20ap, test20bp
+# role: unset
+# type: unset
+# user: unset
 constrain test20a test20ap (u1 == u2);
 constrain test20b test20bp (u1 == u2);

@ -149,10 +211,70 @@ constrain test20b test20bp (u1 == u2);
 # ruletype: unset
 # tclass: unset
 # perms: test21ap, test21bp, equal
+# role: unset
+# type: unset
+# user: unset
 constrain test21a test21ap (u1 == u2);
 constrain test21b test21bp (u1 == u2);
 constrain test21c { test21bp test21ap } (u1 == u2);

+# test 30:
+# ruletype: unset
+# tclass: unset
+# perms: unset
+# role: test30r
+# type: unset
+# user: unset
+constrain test30 hi_w (u1 == u2 or r1 == test30r);
+
+# test 31:
+# ruletype: unset
+# tclass: unset
+# perms: unset
+# role: test31r. regex
+# type: unset
+# user: unset
+constrain test31a hi_w (u1 == u2 or r1 == test31ra);
+constrain test31b hi_w (u1 == u2 or r2 == test31rb);
+
+# test 40:
+# ruletype: unset
+# tclass: unset
+# perms: unset
+# role: unset
+# type: test40
+# user: unset
+constrain test40 hi_w (u1 == u2 or t1 == test40t);
+
+# test 41:
+# ruletype: unset
+# tclass: unset
+# perms: unset
+# role: unset
+# type: test41. regex
+# user: unset
+constrain test41a hi_w (u1 == u2 or t1 == test41ta);
+constrain test41b hi_w (u1 == u2 or t2 == test41tb);
+
+# test 50:
+# ruletype: unset
+# tclass: unset
+# perms: unset
+# role: unset
+# type: unset
+# user: test50
+constrain test50 hi_w (u1 == u2 or u1 == test50u);
+
+# test 51:
+# ruletype: unset
+# tclass: unset
+# perms: unset
+# role: unset
+# type: unset
+# user: test51u. regex
+constrain test51a hi_w (u1 == u2 or u1 == test51u1);
+constrain test51b hi_w (u1 == u2 or u2 == test51u2);
+
 #isids
 sid kernel system:system:system:medium_s:here
 sid security system:system:system:high_s:lost
--- a/tests/constraintquery.py
+++ b/tests/constraintquery.py
@ -70,9 +70,51 @@ class ConstraintQueryTest(unittest.TestCase):
        constraint = sorted(c.tclass for c in q.results())
        self.assertListEqual(["test20a", "test20b"], constraint)

-    def test_020_perms_equal(self):
+    def test_021_perms_equal(self):
        """Constraint query with permission set equality match."""
        q = ConstraintQuery(self.p, perms=["test21ap", "test21bp"], perms_equal=True)

        constraint = sorted(c.tclass for c in q.results())
        self.assertListEqual(["test21c"], constraint)
+
+    def test_030_role_match_single(self):
+        """Constraint query with role match."""
+        q = ConstraintQuery(self.p, role="test30r")
+
+        constraint = sorted(c.tclass for c in q.results())
+        self.assertListEqual(["test30"], constraint)
+
+    def test_031_role_match_regex(self):
+        """Constraint query with regex role match."""
+        q = ConstraintQuery(self.p, role="test31r.", role_regex=True)
+
+        constraint = sorted(c.tclass for c in q.results())
+        self.assertListEqual(["test31a", "test31b"], constraint)
+
+    def test_040_type_match_single(self):
+        """Constraint query with type match."""
+        q = ConstraintQuery(self.p, type_="test40t")
+
+        constraint = sorted(c.tclass for c in q.results())
+        self.assertListEqual(["test40"], constraint)
+
+    def test_041_type_match_regex(self):
+        """Constraint query with regex type match."""
+        q = ConstraintQuery(self.p, type_="test41t.", type_regex=True)
+
+        constraint = sorted(c.tclass for c in q.results())
+        self.assertListEqual(["test41a", "test41b"], constraint)
+
+    def test_050_user_match_single(self):
+        """Constraint query with user match."""
+        q = ConstraintQuery(self.p, user="test50u")
+
+        constraint = sorted(c.tclass for c in q.results())
+        self.assertListEqual(["test50"], constraint)
+
+    def test_051_user_match_regex(self):
+        """Constraint query with regex user match."""
+        q = ConstraintQuery(self.p, user="test51u.", user_regex=True)
+
+        constraint = sorted(c.tclass for c in q.results())
+        self.assertListEqual(["test51a", "test51b"], constraint)