# Copyright 2014-2015, Tresys Technology, LLC # # SPDX-License-Identifier: GPL-2.0-only # import os import unittest from setools import InfoFlowAnalysis from setools import TERuletype as TERT from setools.exception import InvalidType from setools.permmap import PermissionMap from setools.policyrep import Type from . import mixins from .policyrep.util import compile_policy # Note: the testing for having correct rules on every edge is only # performed once on the full graph, since it is assumed that NetworkX's # Digraph.subgraph() function correctly copies the edge attributes into # the subgraph. class ConditionalInfoFlowAnalysisTest(unittest.TestCase): @classmethod def setUpClass(cls): cls.p = compile_policy("tests/conditionalinfoflow.conf", mls=False) cls.m = PermissionMap("tests/perm_map") cls.a = InfoFlowAnalysis(cls.p, cls.m) @classmethod def tearDownClass(cls): os.unlink(cls.p.path) def test_001_keep_conditional_rules(self): """Keep all conditional rules.""" self.a.booleans = None self.a._rebuildgraph = True self.a._build_subgraph() source = self.p.lookup_type("src") target = self.p.lookup_type("tgt") flow_true = self.p.lookup_type("flow_true") flow_false = self.p.lookup_type("flow_false") r = self.a.G.edges[source, flow_true]["rules"] self.assertEqual(len(r), 1) r = self.a.G.edges[flow_true, target]["rules"] self.assertEqual(len(r), 1) r = self.a.G.edges[source, flow_false]["rules"] self.assertEqual(len(r), 1) r = self.a.G.edges[flow_false, target]["rules"] self.assertEqual(len(r), 1) def test_002_default_conditional_rules(self): """Keep only default conditional rules.""" self.a.booleans = {} self.a._rebuildgraph = True self.a._build_subgraph() source = self.p.lookup_type("src") target = self.p.lookup_type("tgt") flow_true = self.p.lookup_type("flow_true") flow_false = self.p.lookup_type("flow_false") r = self.a.G.edges[source, flow_true]["rules"] self.assertEqual(len(r), 0) r = self.a.G.edges[flow_true, target]["rules"] self.assertEqual(len(r), 0) r = self.a.G.edges[source, flow_false]["rules"] self.assertEqual(len(r), 1) r = self.a.G.edges[flow_false, target]["rules"] self.assertEqual(len(r), 1) def test_003_user_conditional_true(self): """Keep only conditional rules selected by user specified booleans (True Case.)""" self.a.booleans = {"condition": True} self.a.rebuildgraph = True self.a._build_subgraph() source = self.p.lookup_type("src") target = self.p.lookup_type("tgt") flow_true = self.p.lookup_type("flow_true") flow_false = self.p.lookup_type("flow_false") r = self.a.G.edges[source, flow_true]["rules"] self.assertEqual(len(r), 1) r = self.a.G.edges[flow_true, target]["rules"] self.assertEqual(len(r), 1) r = self.a.G.edges[source, flow_false]["rules"] self.assertEqual(len(r), 0) r = self.a.G.edges[flow_false, target]["rules"] self.assertEqual(len(r), 0) def test_004_user_conditional_false(self): """Keep only conditional rules selected by user specified booleans (False Case.)""" self.a.booleans = {"condition": False} self.a.rebuildgraph = True self.a._build_subgraph() source = self.p.lookup_type("src") target = self.p.lookup_type("tgt") flow_true = self.p.lookup_type("flow_true") flow_false = self.p.lookup_type("flow_false") r = self.a.G.edges[source, flow_true]["rules"] self.assertEqual(len(r), 0) r = self.a.G.edges[flow_true, target]["rules"] self.assertEqual(len(r), 0) r = self.a.G.edges[source, flow_false]["rules"] self.assertEqual(len(r), 1) r = self.a.G.edges[flow_false, target]["rules"] self.assertEqual(len(r), 1) def test_005_remaining_edges(self): """Keep edges when rules are deleted, but there are still remaining rules on the edge.""" self.a.booleans = {} self.a.rebuildgraph = True self.a._build_subgraph() source = self.p.lookup_type("src_remain") target = self.p.lookup_type("tgt_remain") flow = self.p.lookup_type("flow_remain") r = self.a.G.edges[source, flow]["rules"] self.assertEqual(len(r), 1) self.assertEqual(str(r[0]), 'allow src_remain flow_remain:infoflow hi_w;') r = self.a.G.edges[flow, target]["rules"] self.assertEqual(len(r), 1) self.assertEqual(str(r[0]), 'allow tgt_remain flow_remain:infoflow hi_r;')