DTA: add error testing on the interface.

2025-04-01 22:58:12 +00:00 · 2015-03-27 09:15:15 -04:00 · 2015-03-27 09:15:15 -04:00 · c6f11ca80e
commit c6f11ca80e
parent 758865e3a9
2 changed files with 210 additions and 33 deletions
--- a/setools/dta.py
+++ b/setools/dta.py
@ -21,6 +21,7 @@ import logging
 from collections import defaultdict

 import networkx as nx
+from networkx.exception import NetworkXError, NetworkXNoPath


 class DomainTransitionAnalysis(object):
@ -158,11 +159,13 @@ class DomainTransitionAnalysis(object):

        self.log.info("Generating one shortest path from {0} to {1}...".format(s, t))

-        if s in self.subG and t in self.subG:
-            try:
-                yield self.__get_steps(nx.shortest_path(self.subG, s, t))
-            except nx.exception.NetworkXNoPath:
-                pass
+        try:
+            yield self.__get_steps(nx.shortest_path(self.subG, s, t))
+        except (NetworkXNoPath, NetworkXError):
+            # NetworkXError: the type is valid but not in graph, e.g. excluded
+            # NetworkXNoPath: no paths or the target type is
+            # not in the graph
+            pass

    def all_paths(self, source, target, maxlen=2):
        """
@ -181,6 +184,9 @@ class DomainTransitionAnalysis(object):
                 source, target, and rules for each
                 domain transition.
        """
+        if maxlen < 1:
+            raise ValueError("Maximum path length must be positive.")
+
        s = self.policy.lookup_type(source)
        t = self.policy.lookup_type(target)

@ -189,12 +195,14 @@ class DomainTransitionAnalysis(object):

        self.log.info("Generating all paths from {0} to {1}, max len {2}...".format(s, t, maxlen))

-        if s in self.subG and t in self.subG:
-            try:
-                for p in nx.all_simple_paths(self.subG, s, t, maxlen):
-                    yield self.__get_steps(p)
-            except nx.exception.NetworkXNoPath:
-                pass
+        try:
+            for p in nx.all_simple_paths(self.subG, s, t, maxlen):
+                yield self.__get_steps(p)
+        except (NetworkXNoPath, NetworkXError):
+            # NetworkXError: the type is valid but not in graph, e.g. excluded
+            # NetworkXNoPath: no paths or the target type is
+            # not in the graph
+            pass

    def all_shortest_paths(self, source, target):
        """
@ -219,12 +227,16 @@ class DomainTransitionAnalysis(object):

        self.log.info("Generating all shortest paths from {0} to {1}...".format(s, t))

-        if s in self.subG and t in self.subG:
-            try:
-                for p in nx.all_shortest_paths(self.subG, s, t):
-                    yield self.__get_steps(p)
-            except nx.exception.NetworkXNoPath:
-                pass
+        try:
+            for p in nx.all_shortest_paths(self.subG, s, t):
+                yield self.__get_steps(p)
+        except (NetworkXNoPath, NetworkXError, KeyError):
+            # NetworkXError: the type is valid but not in graph, e.g. excluded
+            # NetworkXNoPath: no paths or the target type is
+            # not in the graph
+            # KeyError: work around NetworkX bug
+            # when the source node is not in the graph
+            pass

    def transitions(self, type_):
        """
@ -248,23 +260,27 @@ class DomainTransitionAnalysis(object):
        self.log.info("Generating all transitions {1} {0}".
                      format(s, "in to" if self.reverse else "out from"))

-        for source, target in self.subG.out_edges_iter(s):
-            if self.reverse:
-                real_source, real_target = target, source
-            else:
-                real_source, real_target = source, target
+        try:
+            for source, target in self.subG.out_edges_iter(s):
+                if self.reverse:
+                    real_source, real_target = target, source
+                else:
+                    real_source, real_target = source, target

-            # It seems that NetworkX does not reverse the dictionaries
-            # that store the attributes, so real_* is used everywhere
-            # below, rather than just the first line.
-            yield real_source, real_target, \
-                self.subG.edge[real_source][real_target]['transition'], \
-                self.__get_entrypoints(real_source, real_target), \
-                self.subG.edge[real_source][real_target]['setexec'], \
-                self.subG.edge[real_source][real_target]['dyntransition'], \
-                self.subG.edge[real_source][real_target]['setcurrent']
+                # It seems that NetworkX does not reverse the dictionaries
+                # that store the attributes, so real_* is used everywhere
+                # below, rather than just the first line.
+                yield real_source, real_target, \
+                    self.subG.edge[real_source][real_target]['transition'], \
+                    self.__get_entrypoints(real_source, real_target), \
+                    self.subG.edge[real_source][real_target]['setexec'], \
+                    self.subG.edge[real_source][real_target]['dyntransition'], \
+                    self.subG.edge[real_source][real_target]['setcurrent']
+        except NetworkXError:
+            # NetworkXError: the type is valid but not in graph, e.g. excluded
+            pass

-    def get_stats(self):
+    def get_stats(self):  # pragma: no cover
        """
        Get the domain transition graph statistics.

--- a/tests/dta.py
+++ b/tests/dta.py
@ -22,9 +22,10 @@ import networkx as nx
 from setools import SELinuxPolicy
 from setools.dta import DomainTransitionAnalysis
 from setools.policyrep.rule import RuleNotConditional
+from setools.policyrep.typeattr import InvalidType


-class InfoFlowAnalysisTest(unittest.TestCase):
+class DomainTransitionAnalysisTest(unittest.TestCase):

    @classmethod
    def setUpClass(self):
@ -637,3 +638,163 @@ class InfoFlowAnalysisTest(unittest.TestCase):
                                 (start, trans1),
                                 (trans2, trans3),
                                 (trans3, trans5)]), edges)
+
+    def test_900_set_exclude_invalid_type(self):
+        """DTA: set invalid excluded type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        self.assertRaises(InvalidType, self.a.set_exclude, ["trans1", "invalid_type"])
+
+    def test_910_all_paths_invalid_source(self):
+        """DTA: all paths with invalid source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        with self.assertRaises(InvalidType):
+            paths = list(self.a.all_paths("invalid_type", "trans1"))
+
+    def test_911_all_paths_invalid_target(self):
+        """DTA: all paths with invalid target type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        with self.assertRaises(InvalidType):
+            paths = list(self.a.all_paths("trans1", "invalid_type"))
+
+    def test_912_all_paths_invalid_maxlen(self):
+        """DTA: all paths with invalid max path length."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        with self.assertRaises(ValueError):
+            paths = list(self.a.all_paths("trans1", "trans2", maxlen=-2))
+
+    def test_913_all_paths_source_excluded(self):
+        """DTA: all paths with excluded source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans1"])
+        paths = list(self.a.all_paths("trans1", "trans2"))
+        self.assertEqual(0, len(paths))
+
+    def test_914_all_paths_target_excluded(self):
+        """DTA: all paths with excluded target type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans2"])
+        paths = list(self.a.all_paths("trans1", "trans2"))
+        self.assertEqual(0, len(paths))
+
+    def test_915_all_paths_source_disconnected(self):
+        """DTA: all paths with disconnected source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        paths = list(self.a.all_paths("trans5", "trans2"))
+        self.assertEqual(0, len(paths))
+
+    def test_916_all_paths_target_disconnected(self):
+        """DTA: all paths with disconnected target type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans3"])
+        paths = list(self.a.all_paths("trans2", "trans5"))
+        self.assertEqual(0, len(paths))
+
+    def test_920_shortest_path_invalid_source(self):
+        """DTA: shortest path with invalid source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        with self.assertRaises(InvalidType):
+            paths = list(self.a.shortest_path("invalid_type", "trans1"))
+
+    def test_921_shortest_path_invalid_target(self):
+        """DTA: shortest path with invalid target type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        with self.assertRaises(InvalidType):
+            paths = list(self.a.shortest_path("trans1", "invalid_type"))
+
+    def test_922_shortest_path_source_excluded(self):
+        """DTA: shortest path with excluded source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans1"])
+        paths = list(self.a.shortest_path("trans1", "trans2"))
+        self.assertEqual(0, len(paths))
+
+    def test_923_shortest_path_target_excluded(self):
+        """DTA: shortest path with excluded target type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans2"])
+        paths = list(self.a.shortest_path("trans1", "trans2"))
+        self.assertEqual(0, len(paths))
+
+    def test_924_shortest_path_source_disconnected(self):
+        """DTA: shortest path with disconnected source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        paths = list(self.a.shortest_path("trans5", "trans2"))
+        self.assertEqual(0, len(paths))
+
+    def test_925_shortest_path_target_disconnected(self):
+        """DTA: shortest path with disconnected target type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans3"])
+        paths = list(self.a.shortest_path("trans2", "trans5"))
+        self.assertEqual(0, len(paths))
+
+    def test_930_all_shortest_paths_invalid_source(self):
+        """DTA: all shortest paths with invalid source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        with self.assertRaises(InvalidType):
+            paths = list(self.a.all_shortest_paths("invalid_type", "trans1"))
+
+    def test_931_all_shortest_paths_invalid_target(self):
+        """DTA: all shortest paths with invalid target type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        with self.assertRaises(InvalidType):
+            paths = list(self.a.all_shortest_paths("trans1", "invalid_type"))
+
+    def test_932_all_shortest_paths_source_excluded(self):
+        """DTA: all shortest paths with excluded source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans1"])
+        paths = list(self.a.all_shortest_paths("trans1", "trans2"))
+        self.assertEqual(0, len(paths))
+
+    def test_933_all_shortest_paths_target_excluded(self):
+        """DTA: all shortest paths with excluded target type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans2"])
+        paths = list(self.a.all_shortest_paths("trans1", "trans2"))
+        self.assertEqual(0, len(paths))
+
+    def test_934_all_shortest_paths_source_disconnected(self):
+        """DTA: all shortest paths with disconnected source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        paths = list(self.a.all_shortest_paths("trans5", "trans2"))
+        self.assertEqual(0, len(paths))
+
+    def test_935_all_shortest_paths_target_disconnected(self):
+        """DTA: all shortest paths with disconnected target type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans3"])
+        paths = list(self.a.all_shortest_paths("trans2", "trans5"))
+        self.assertEqual(0, len(paths))
+
+    def test_940_transitions_invalid_source(self):
+        """DTA: transitions with invalid source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(None)
+        with self.assertRaises(InvalidType):
+            paths = list(self.a.transitions("invalid_type"))
+
+    def test_941_transitions_source_excluded(self):
+        """DTA: transitions with excluded source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans1"])
+        paths = list(self.a.transitions("trans1"))
+        self.assertEqual(0, len(paths))
+
+    def test_942_transitions_source_disconnected(self):
+        """DTA: transitions with disconnected source type."""
+        self.a.set_reverse(False)
+        self.a.set_exclude(["trans3"])
+        paths = list(self.a.transitions("trans5"))
+        self.assertEqual(0, len(paths))