Implement User unit tests.

This commit is contained in:
Chris PeBenito 2015-04-10 14:53:07 -04:00
parent 52d119c58f
commit 26e0396290
3 changed files with 269 additions and 0 deletions

View File

@ -17,3 +17,4 @@
#
from . import mls
from . import selinuxpolicy
from . import user

136
tests/policyrep/user.conf Normal file
View File

@ -0,0 +1,136 @@
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
sid kernel
sid security
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
sensitivity s0;
sensitivity s1;
sensitivity s2;
dominance { s0 s1 s2 }
category c0;
category c1;
category c2;
category c3;
category c4;
category c5;
category c6;
category c7;
category c8;
category c9;
category c10;
category c11;
category c12;
category c13;
#level decl
level s0:c0.c2;
level s1:c0.c13;
level s2:c0.c13;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
role role20_r;
role role21a_r;
role role21b_r;
role role21c_r;
role role20_r types system;
role role21a_r types system;
role role21b_r types system;
role role21c_r types system;
type type30;
type type31a;
type type31b;
type type31c;
role system types { type30 type31a type31b type31c };
allow system self:infoflow hi_w;
#users
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4;
user user10 roles system level s0 range s0 - s2:c0.c4;
user user11a roles system level s0 range s0 - s2:c0.c4;
user user11b roles system level s0 range s0 - s2:c0.c4;
user user11c roles system level s0 range s0 - s2:c0.c4;
#normal constraints
constrain infoflow hi_w (u1 == u2);
#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
#genfscon
genfscon proc / system:object_r:system:s1
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s2:c0.c4
portcon tcp 1 system:system:system:s0:c0.c1
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0

132
tests/policyrep/user.py Normal file
View File

@ -0,0 +1,132 @@
# Copyright 2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import unittest
try:
from unittest.mock import Mock, patch
except ImportError:
from mock import Mock, patch
from setools import SELinuxPolicy
from setools.policyrep import qpol
from setools.policyrep.exception import MLSDisabled, InvalidUser
from setools.policyrep.user import user_factory
class UserTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/policyrep/user.conf")
def mock_user_factory(self, name, roles, level=None, range_=None):
"""Factory function for User objects, using a mock qpol object."""
assert (level and range_) or (not level and not range_)
# inject object_r, like the compiler does
roles_with_objr = roles
roles_with_objr.append('object_r')
mock_user = Mock(qpol.qpol_user_t)
mock_user.name.return_value = name
mock_user.role_iter.return_value = iter(roles_with_objr)
mock_user.dfltlevel.return_value = level
mock_user.range.return_value = range_
return user_factory(self.p.policy, mock_user)
def test_001_lookup(self):
"""User factory policy lookup."""
user = user_factory(self.p.policy, "user10")
self.assertEqual("user10", user.qpol_symbol.name(self.p.policy))
def test_002_lookup_invalid(self):
"""Sensitivity factory policy invalid lookup."""
with self.assertRaises(InvalidUser):
user_factory(self.p.policy, "INVALID")
def test_010_string(self):
"""User basic string rendering."""
user = self.mock_user_factory("username", ['role1'])
self.assertEqual("username", str(user))
def test_020_statement_role(self):
"""User statement, one role."""
with patch('setools.policyrep.mls.enabled', return_value=False):
user = self.mock_user_factory("username", ['role20_r'])
self.assertEqual("user username roles role20_r;", user.statement())
def test_021_statement_two_roles(self):
"""User statement, two roles."""
with patch('setools.policyrep.mls.enabled', return_value=False):
user = self.mock_user_factory("username", ['role20_r', 'role21a_r'])
# roles are stored in a set, so the role order may vary
self.assertRegexpMatches(user.statement(), "("
"user username roles { role20_r role21a_r };"
"|"
"user username roles { role21a_r role20_r };"
")")
def test_022_statement_one_role_mls(self):
"""User statement, one role, MLS."""
user = self.mock_user_factory("username", ['role20_r'], level="s0", range_="s0-s2")
self.assertEqual("user username roles role20_r level s0 range s0 - s2;", user.statement())
def test_023_statement_two_roles_mls(self):
"""User statement, two roles, MLS."""
user = self.mock_user_factory("username", ['role20_r', 'role21a_r'],
level="s0", range_="s0 - s2")
# roles are stored in a set, so the role order may vary
self.assertRegexpMatches(
user.statement(), "("
"user username roles { role20_r role21a_r } level s0 range s0 - s2;"
"|"
"user username roles { role21a_r role20_r } level s0 range s0 - s2;"
")")
def test_030_roles(self):
"""User roles."""
user = self.mock_user_factory("username", ['role20_r', 'role21a_r'])
self.assertSetEqual(user.roles, set(['role20_r', 'role21a_r']))
def test_040_level(self):
"""User level."""
user = self.mock_user_factory("username", ['role20_r', 'role21a_r'],
level="s0", range_="s0-s2")
self.assertEqual("s0", user.mls_level)
def test_041_level_non_mls(self):
"""User level, MLS disabled."""
user = self.mock_user_factory("username", ['role20_r', 'role21a_r'])
with patch('setools.policyrep.mls.enabled', return_value=False):
with self.assertRaises(MLSDisabled):
user.mls_level
def test_050_range(self):
"""User level."""
user = self.mock_user_factory("username", ['role20_r', 'role21a_r'],
level="s0", range_="s0-s2")
self.assertEqual("s0 - s2", user.mls_range)
def test_051_range_non_mls(self):
"""User level, MLS disabled."""
user = self.mock_user_factory("username", ['role20_r', 'role21a_r'],
level="s0", range_="s0-s2")
with patch('setools.policyrep.mls.enabled', return_value=False):
with self.assertRaises(MLSDisabled):
user.mls_range