diff --git a/utils/test/common_test.py b/utils/test/common_test.py index 38265a657..fd2a4c1d0 100755 --- a/utils/test/common_test.py +++ b/utils/test/common_test.py @@ -50,6 +50,14 @@ class AATest(unittest.TestCase): self.createTmpdir() return write_file(self.tmpdir, file, contents) + def parseInvalidRule(self, rule_class, rawrule, expected): + ''' verify that invalid rules raise an exception, and verify if they at least match the rule regex''' + + exp_exception, matches_regex = expected + self.assertEqual(matches_regex, rule_class.match(rawrule)) # does the invalid rules still match the main regex? + with self.assertRaises(exp_exception): + rule_class.create_instance(rawrule) + tests = () tmpdir = None diff --git a/utils/test/test-abi.py b/utils/test/test-abi.py index 339da00a1..c99985b7f 100644 --- a/utils/test/test-abi.py +++ b/utils/test/test-abi.py @@ -64,17 +64,16 @@ class AbiTestParse(AbiTest): class AbiTestParseInvalid(AbiTest): - # tests = ( - # (' some abi ', AppArmorException), - # (' /etc/fstab r,', AppArmorException), - # ('/usr/abi r,', AppArmorException), - # ('/abi r,', AppArmorException), - # ) + tests = ( + # exception matches regex + (' some abi ', (AppArmorException, False)), + (' /etc/fstab r,', (AppArmorException, False)), + ('/usr/abi r,', (AppArmorException, False)), + ('/abi r,', (AppArmorException, False)), + ) def _run_test(self, rawrule, expected): - self.assertTrue(AbiRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - AbiRule.create_instance(rawrule) + self.parseInvalidRule(AbiRule, rawrule, expected) # class AbiTestParseFromLog(AbiTest): # we'll never have log events for abi diff --git a/utils/test/test-alias.py b/utils/test/test-alias.py index ea9ed47cb..9a36d9729 100644 --- a/utils/test/test-alias.py +++ b/utils/test/test-alias.py @@ -58,18 +58,16 @@ class AliasTestParse(AliasTest): class AliasTestParseInvalid(AliasTest): tests = ( - # rawrule matches regex exception - ('alias ,', (False, AppArmorException)), - ('alias /foo ,', (False, AppArmorException)), - ('alias /foo -> ,', (True, AppArmorException)), - ('alias -> /bar ,', (True, AppArmorException)), - ('/foo -> bar ,', (False, AppArmorException)), + # exception matches regex + ('alias ,', (AppArmorException, False)), + ('alias /foo ,', (AppArmorException, False)), + ('alias /foo -> ,', (AppArmorException, True)), + ('alias -> /bar ,', (AppArmorException, True)), + ('/foo -> bar ,', (AppArmorException, False)), ) def _run_test(self, rawrule, expected): - self.assertEqual(AliasRule.match(rawrule), expected[0]) - with self.assertRaises(expected[1]): - AliasRule.create_instance(rawrule) + self.parseInvalidRule(AliasRule, rawrule, expected) class AliasFromInit(AliasTest): diff --git a/utils/test/test-all.py b/utils/test/test-all.py index 7d38d3cb7..0ca655bc6 100644 --- a/utils/test/test-all.py +++ b/utils/test/test-all.py @@ -60,23 +60,16 @@ class AllTestParse(AllTest): class AllTestParseInvalid(AllTest): tests = ( - ('all -> ,', AppArmorException), - ('owner all,', AppArmorException), - ('all foo ,', AppArmorException), + # exception matches regex + ('all -> ,', (AppArmorException, False)), + ('owner all,', (AppArmorException, False)), + ('all foo ,', (AppArmorException, False)), + ('priority=a all,', (AppArmorException, False)), + ('priority=1042 all,', (AppArmorException, True)), ) def _run_test(self, rawrule, expected): - self.assertFalse(AllRule.match(rawrule)) - with self.assertRaises(expected): - AllRule.create_instance(rawrule) - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - AllRule.create_instance('priority=a all,') - - def test_invalid_priority_2(self): - with self.assertRaises(AppArmorException): - AllRule.create_instance('priority=1042 all,') + self.parseInvalidRule(AllRule, rawrule, expected) # we won't ever support converting a log event to an 'all,' rule diff --git a/utils/test/test-boolean.py b/utils/test/test-boolean.py index d6bce0e47..cc588e3f9 100644 --- a/utils/test/test-boolean.py +++ b/utils/test/test-boolean.py @@ -61,20 +61,18 @@ class BooleanTestParse(BooleanTest): class BooleanTestParseInvalid(BooleanTest): tests = ( - # rawrule matches regex exception - ('$foo =', (False, AppArmorException)), - ('$ foo = # comment', (False, AppArmorException)), - ('${foo = ', (False, AppArmorException)), + # exception matches regex + ('$foo =', (AppArmorException, False)), + ('$ foo = # comment', (AppArmorException, False)), + ('${foo = ', (AppArmorException, False)), # XXX RE_PROFILE_BOOLEAN allows a trailing comma even if the parser disallows it - # ('$foo = true,', (True, AppArmorException)), # trailing comma - # ('$foo = false , ', (True, AppArmorException)), # trailing comma - # ('$foo = true, # comment', (True, AppArmorException)), # trailing comma + # ('$foo = true,', (AppArmorException, True)), # trailing comma + # ('$foo = false , ', (AppArmorException, True)), # trailing comma + # ('$foo = true, # comment', (AppArmorException, True)), # trailing comma ) def _run_test(self, rawrule, expected): - self.assertEqual(BooleanRule.match(rawrule), expected[0]) - with self.assertRaises(expected[1]): - BooleanRule.create_instance(rawrule) + self.parseInvalidRule(BooleanRule, rawrule, expected) class BooleanFromInit(BooleanTest): diff --git a/utils/test/test-capability.py b/utils/test/test-capability.py index f3d3a7572..6ba498088 100644 --- a/utils/test/test-capability.py +++ b/utils/test/test-capability.py @@ -250,10 +250,7 @@ class CapabilityTestParseInvalid(AATest): ) def _run_test(self, rawrule, expected): - exp_exception, matches_regex = expected - self.assertEqual(matches_regex, CapabilityRule.match(rawrule)) # does the invalid rules still match the main regex? - with self.assertRaises(exp_exception): - CapabilityRule.create_instance(rawrule) + self.parseInvalidRule(CapabilityRule, rawrule, expected) class InvalidCapabilityTest(AATest): diff --git a/utils/test/test-change_profile.py b/utils/test/test-change_profile.py index c5f1cffc4..aaa228a89 100644 --- a/utils/test/test-change_profile.py +++ b/utils/test/test-change_profile.py @@ -84,7 +84,7 @@ class ChangeProfileTestParse(ChangeProfileTest): class ChangeProfileTestParseInvalid(ChangeProfileTest): tests = ( - # rule exception, matches regex? + # exception matches regex ('change_profile', (AppArmorException, False)), # missing comma ('dbus,', (AppArmorException, False)), # not a change_profile rule ('change_profile -> ,', (AppArmorException, False)), @@ -96,10 +96,7 @@ class ChangeProfileTestParseInvalid(ChangeProfileTest): ) def _run_test(self, rawrule, expected): - exp_exception, matches_regex = expected - self.assertEqual(matches_regex, ChangeProfileRule.match(rawrule)) # does the invalid rules still match the main regex? - with self.assertRaises(exp_exception): - ChangeProfileRule.create_instance(rawrule) + self.parseInvalidRule(ChangeProfileRule, rawrule, expected) class ChangeProfileTestParseFromLog(ChangeProfileTest): diff --git a/utils/test/test-dbus.py b/utils/test/test-dbus.py index 0585a3b68..d31dff00e 100644 --- a/utils/test/test-dbus.py +++ b/utils/test/test-dbus.py @@ -109,28 +109,24 @@ class DbusTestParse(DbusTest): class DbusTestParseInvalid(DbusTest): tests = ( - ('dbus foo,', AppArmorException), - ('dbus foo bar,', AppArmorException), - ('dbus foo int,', AppArmorException), - ('dbus send bar,', AppArmorException), - ('dbus send receive,', AppArmorException), - ('dbus peer=,', AppArmorException), - ('dbus peer=(label=foo) path=,', AppArmorException), - ('dbus (invalid),', AppArmorException), - ('dbus peer=,', AppArmorException), - ('dbus bus=session bind bus=system,', AppArmorException), - ('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6 bus=7,', AppArmorException), - ('priority=1042 dbus,', AppArmorException), + # exception matches regex + ('dbus foo,', (AppArmorException, True)), + ('dbus foo bar,', (AppArmorException, True)), + ('dbus foo int,', (AppArmorException, True)), + ('dbus send bar,', (AppArmorException, True)), + ('dbus send receive,', (AppArmorException, True)), + ('dbus peer=,', (AppArmorException, True)), + ('dbus peer=(label=foo) path=,', (AppArmorException, True)), + ('dbus (invalid),', (AppArmorException, True)), + ('dbus peer=,', (AppArmorException, True)), + ('dbus bus=session bind bus=system,', (AppArmorException, True)), + ('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6 bus=7,', (AppArmorException, True)), + ('priority=a dbus,', (AppArmorException, False)), + ('priority=1042 dbus,', (AppArmorException, True)), ) def _run_test(self, rawrule, expected): - self.assertTrue(DbusRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - DbusRule.create_instance(rawrule) - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - DbusRule.create_instance('priority=a dbus,') + self.parseInvalidRule(DbusRule, rawrule, expected) class DbusTestParseFromLog(DbusTest): diff --git a/utils/test/test-file.py b/utils/test/test-file.py index 0f5ab7280..20ac1728f 100644 --- a/utils/test/test-file.py +++ b/utils/test/test-file.py @@ -111,28 +111,24 @@ class FileTestParse(FileTest): class FileTestParseInvalid(FileTest): tests = ( - ('/foo x,', AppArmorException), # should be *x - ('/foo raw,', AppArmorException), # r and a conflict - ('deny /foo ix,', AppArmorException), # endy only allows x, but not *x - ('deny /foo Px,', AppArmorException), # deny only allows x, but not *x - ('deny /foo Pi,', AppArmorException), # missing 'x', and P not allowed - ('allow /foo x,', AppArmorException), # should be *x - ('/foo Pxrix,', AppArmorException), # exec mode conflict - ('/foo PixUx,', AppArmorException), # exec mode conflict - ('/foo PxUx,', AppArmorException), # exec mode conflict - ('/foo PUxPix,', AppArmorException), # exec mode conflict - ('/foo Pi,', AppArmorException), # missing 'x' - ('priority=-1042 file,', AppArmorException), # priority must be a number + # exception matches regex + ('/foo x,', (AppArmorException, True)), # should be *x + ('/foo raw,', (AppArmorException, True)), # r and a conflict + ('deny /foo ix,', (AppArmorException, True)), # endy only allows x, but not *x + ('deny /foo Px,', (AppArmorException, True)), # deny only allows x, but not *x + ('deny /foo Pi,', (AppArmorException, True)), # missing 'x', and P not allowed + ('allow /foo x,', (AppArmorException, True)), # should be *x + ('/foo Pxrix,', (AppArmorException, True)), # exec mode conflict + ('/foo PixUx,', (AppArmorException, True)), # exec mode conflict + ('/foo PxUx,', (AppArmorException, True)), # exec mode conflict + ('/foo PUxPix,', (AppArmorException, True)), # exec mode conflict + ('/foo Pi,', (AppArmorException, True)), # missing 'x' + ('priority=-a file,', (AppArmorException, False)), # priority must be a number + ('priority=-1042 file,', (AppArmorException, True)), # priority out of range ) def _run_test(self, rawrule, expected): - self.assertTrue(FileRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - FileRule.create_instance(rawrule) - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - FileRule.create_instance('priority=a file,') + self.parseInvalidRule(FileRule, rawrule, expected) class FileTestNonMatch(AATest): diff --git a/utils/test/test-include.py b/utils/test/test-include.py index 9c1bf7039..3e30b03af 100644 --- a/utils/test/test-include.py +++ b/utils/test/test-include.py @@ -95,16 +95,17 @@ class IncludeTestParse(IncludeTest): class IncludeTestParseInvalid(IncludeTest): tests = ( - # (' some #include if exists ', AppArmorException), - # (' /etc/fstab r,', AppArmorException), - # ('/usr/include r,', AppArmorException), - # ('/include r,', AppArmorException), + # exception matches regex + (' some #include if exists ', (AppArmorException, False)), + (' /etc/fstab r,', (AppArmorException, False)), + ('/usr/include r,', (AppArmorException, False)), + ('/include r,', (AppArmorException, False)), + (' include <>', (AppArmorException, True)), + (' include ""', (AppArmorException, True)), ) def _run_test(self, rawrule, expected): - self.assertTrue(IncludeRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - IncludeRule.create_instance(rawrule) + self.parseInvalidRule(IncludeRule, rawrule, expected) # class IncludeTestParseFromLog(IncludeTest): # we'll never have log events for includes diff --git a/utils/test/test-io_uring.py b/utils/test/test-io_uring.py index ee2a27fad..355d47d84 100644 --- a/utils/test/test-io_uring.py +++ b/utils/test/test-io_uring.py @@ -48,25 +48,18 @@ class IOUringTestParse(AATest): class IOUringTestParseInvalid(AATest): tests = ( - ('io_uring invalidaccess,', AppArmorException), - ('io_uring label=,', AppArmorException), - ('io_uring invalidaccess label=foo,', AppArmorException), - ('io_uring sqpoll label=,', AppArmorException), - ('priority=1042 io_uring,', AppArmorException), + # exception matches regex + ('io_uring invalidaccess,', (AppArmorException, True)), + ('io_uring label=,', (AppArmorException, True)), + ('io_uring invalidaccess label=foo,', (AppArmorException, True)), + ('io_uring sqpoll label=,', (AppArmorException, True)), + ('foo', (AppArmorException, False)), + ('priority=a io_uring,', (AppArmorException, False)), + ('priority=1042 io_uring,', (AppArmorException, True)), ) def _run_test(self, rawrule, expected): - self.assertTrue(IOUringRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - IOUringRule.create_instance(rawrule) - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - IOUringRule.create_instance('priority=a io_uring,') - - def test_parse_fail(self): - with self.assertRaises(AppArmorException): - IOUringRule.create_instance('foo,') + self.parseInvalidRule(IOUringRule, rawrule, expected) def test_diff_non_iouringrule(self): exp = namedtuple('exp', ('audit', 'deny', 'priority')) diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py index e18fe7177..62bdbea3b 100644 --- a/utils/test/test-mount.py +++ b/utils/test/test-mount.py @@ -119,29 +119,24 @@ class MountTestParse(AATest): class MountTestParseInvalid(AATest): tests = ( - ('mount fstype=,', AppArmorException), - ('mount fstype=(),', AppArmorException), - ('mount options=(),', AppArmorException), - ('mount option=(invalid),', AppArmorException), - ('mount option=(ext3ext4),', AppArmorException), - ('priority=-1042 umount,', AppArmorException), - ('mount fstype=({unclosed_regex),', AppArmorException), # invalid AARE - ('mount fstype=({closed}twice}),', AppArmorException), # invalid AARE + # exception matches regex + ('mount fstype=,', (AppArmorException, True)), + ('mount fstype=(),', (AppArmorException, True)), + ('mount options=(),', (AppArmorException, True)), + ('mount option=(invalid),', (AppArmorException, True)), + ('mount option=(ext3ext4),', (AppArmorException, True)), + ('priority=-1042 umount,', (AppArmorException, True)), + ('mount fstype=({unclosed_regex),', (AppArmorException, True)), # invalid AARE + ('mount fstype=({closed}twice}),', (AppArmorException, True)), # invalid AARE + ('foo,', (AppArmorException, False)), + ('priority=a mount,', (AppArmorException, False)), + ('priority=a umount,', (AppArmorException, False)), + ('priority=a unmount,', (AppArmorException, False)), + ('priority=a remount,', (AppArmorException, False)), ) def _run_test(self, rawrule, expected): - self.assertTrue(MountRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - MountRule.create_instance(rawrule) - - def test_parse_fail(self): - with self.assertRaises(AppArmorException): - MountRule.create_instance('foo,') - - def test_invalid_priority(self): - for keyword in ['mount', 'umount', 'unmount', 'remount']: - with self.assertRaises(AppArmorException): - MountRule.create_instance('priority=a %s,' % keyword) + self.parseInvalidRule(MountRule, rawrule, expected) def test_invalid_priority_1(self): with self.assertRaises(TypeError): diff --git a/utils/test/test-mqueue.py b/utils/test/test-mqueue.py index c5d3030f1..8c6483a7e 100644 --- a/utils/test/test-mqueue.py +++ b/utils/test/test-mqueue.py @@ -57,29 +57,22 @@ class MessageQueueTestParse(AATest): class MessageQueueTestParseInvalid(AATest): tests = ( - ('mqueue label=,', AppArmorException), - ('mqueue invalidaccess /queuename,', AppArmorException), - ('mqueue invalidqueuename,', AppArmorException), - ('mqueue invalidqueuename1234,', AppArmorException), - ('mqueue foo label foo bar,', AppArmorException), - ('mqueue type=,', AppArmorException), - ('mqueue type=sysv /foo,', AppArmorException), - ('mqueue type=posix 1234,', AppArmorException), - ('priority=-1042 mqueue,', AppArmorException), + # exception matches regex + ('mqueue label=,', (AppArmorException, True)), + ('mqueue invalidaccess /queuename,', (AppArmorException, True)), + ('mqueue invalidqueuename,', (AppArmorException, True)), + ('mqueue invalidqueuename1234,', (AppArmorException, True)), + ('mqueue foo label foo bar,', (AppArmorException, True)), + ('mqueue type=,', (AppArmorException, True)), + ('mqueue type=sysv /foo,', (AppArmorException, True)), + ('mqueue type=posix 1234,', (AppArmorException, True)), + ('priority=a mqueue,', (AppArmorException, False)), + ('priority=-1042 mqueue,', (AppArmorException, True)), + ('foo,', (AppArmorException, False)), ) def _run_test(self, rawrule, expected): - self.assertTrue(MessageQueueRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - MessageQueueRule.create_instance(rawrule) - - def test_parse_fail(self): - with self.assertRaises(AppArmorException): - MessageQueueRule.create_instance('foo,') - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - MessageQueueRule.create_instance('priority=a mqueue,') + self.parseInvalidRule(MessageQueueRule, rawrule, expected) def test_diff_non_mqueuerule(self): exp = namedtuple('exp', ('audit', 'deny', 'priority')) diff --git a/utils/test/test-network.py b/utils/test/test-network.py index e861ac0cf..8dc71eb29 100644 --- a/utils/test/test-network.py +++ b/utils/test/test-network.py @@ -117,29 +117,25 @@ class NetworkTestParse(NetworkTest): class NetworkTestParseInvalid(NetworkTest): tests = ( - ('network foo,', AppArmorException), - ('network foo bar,', AppArmorException), - ('network foo tcp,', AppArmorException), - ('network inet bar,', AppArmorException), - ('network ip=999.999.999.999,', AppArmorException), - ('network port=99999,', AppArmorException), - ('network inet ip=in:va::li:d0,', AppArmorException), - ('network inet ip=in:va::li:d0,', AppArmorException), - ('network inet ip=1:2:3:4:5:6:7:8:9:0:0:0,', AppArmorException), # too many segments - ('network inet peer=(ip=1:2:3:4:5:6:7:8:9:0:0:0),', AppArmorException), # too many segments - ('network packet ip=1::,', AppArmorException), # Only inet[6] domains can be used in conjunction with a local expression - ('network packet peer=(ip=1::),', AppArmorException), # Only inet[6] domains can be used in conjunction with a peer expression - ('priority=-1042 network,', AppArmorException), + # exception matches regex + ('network foo,', (AppArmorException, True)), + ('network foo bar,', (AppArmorException, True)), + ('network foo tcp,', (AppArmorException, True)), + ('network inet bar,', (AppArmorException, True)), + ('network ip=999.999.999.999,', (AppArmorException, True)), + ('network port=99999,', (AppArmorException, True)), + ('network inet ip=in:va::li:d0,', (AppArmorException, True)), + ('network inet ip=in:va::li:d0,', (AppArmorException, True)), + ('network inet ip=1:2:3:4:5:6:7:8:9:0:0:0,', (AppArmorException, True)), # too many segments + ('network inet peer=(ip=1:2:3:4:5:6:7:8:9:0:0:0),', (AppArmorException, True)), # too many segments + ('network packet ip=1::,', (AppArmorException, True)), # Only inet[6] domains can be used in conjunction with a local expression + ('network packet peer=(ip=1::),', (AppArmorException, True)), # Only inet[6] domains can be used in conjunction with a peer expression + ('priority=a network,', (AppArmorException, False)), + ('priority=-1042 network,', (AppArmorException, True)), ) def _run_test(self, rawrule, expected): - self.assertTrue(NetworkRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - NetworkRule.create_instance(rawrule) - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - NetworkRule.create_instance('priority=a network,') + self.parseInvalidRule(NetworkRule, rawrule, expected) class NetworkTestParseFromLog(NetworkTest): diff --git a/utils/test/test-pivot_root.py b/utils/test/test-pivot_root.py index 7a9559a48..013ccef79 100644 --- a/utils/test/test-pivot_root.py +++ b/utils/test/test-pivot_root.py @@ -87,26 +87,18 @@ class PivotRootTestParse(PivotRootTest): class PivotRootTestParseInvalid(PivotRootTest): tests = ( - ('pivot_root foo,', AppArmorException), - ('pivot_root foo bar,', AppArmorException), - ('pivot_root oldroot= ,', AppArmorException), - ('pivot_root -> ,', AppArmorException), - ('priority=-1042 pivot_root,', AppArmorException), + # exception matches regex + ('pivot_root foo,', (AppArmorException, True)), + ('pivot_root foo bar,', (AppArmorException, True)), + ('pivot_root oldroot= ,', (AppArmorException, True)), + ('pivot_root -> ,', (AppArmorException, True)), + ('priority=a pivot_root,', (AppArmorException, False)), + ('priority=-1042 pivot_root,', (AppArmorException, True)), + ('pivot_rootbeer,', (AppArmorException, False)) ) def _run_test(self, rawrule, expected): - self.assertTrue(PivotRootRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - PivotRootRule.create_instance(rawrule) - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - PivotRootRule.create_instance('priority=a pivot_root,') - - def test_invalid_rule_name(self): - self.assertFalse(PivotRootRule.match('pivot_rootbeer,')) - with self.assertRaises(AppArmorException): - PivotRootRule.create_instance('pivot_rootbeer,') + self.parseInvalidRule(PivotRootRule, rawrule, expected) class PivotRootTestParseFromLog(PivotRootTest): diff --git a/utils/test/test-ptrace.py b/utils/test/test-ptrace.py index b92c2115f..69ba98d42 100644 --- a/utils/test/test-ptrace.py +++ b/utils/test/test-ptrace.py @@ -74,23 +74,19 @@ class PtraceTestParse(PtraceTest): class PtraceTestParseInvalid(PtraceTest): tests = ( - ('ptrace foo,', AppArmorException), - ('ptrace foo bar,', AppArmorException), - ('ptrace foo int,', AppArmorException), - ('ptrace read bar,', AppArmorException), - ('ptrace read tracedby,', AppArmorException), - ('ptrace peer=,', AppArmorException), - ('priority=1042 ptrace,', AppArmorException), + # exception matches regex + ('ptrace foo,', (AppArmorException, True)), + ('ptrace foo bar,', (AppArmorException, True)), + ('ptrace foo int,', (AppArmorException, True)), + ('ptrace read bar,', (AppArmorException, True)), + ('ptrace read tracedby,', (AppArmorException, True)), + ('ptrace peer=,', (AppArmorException, True)), + ('priority=a ptrace,', (AppArmorException, False)), + ('priority=1042 ptrace,', (AppArmorException, True)), ) def _run_test(self, rawrule, expected): - self.assertTrue(PtraceRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - PtraceRule.create_instance(rawrule) - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - PtraceRule.create_instance('priority=a ptrace,') + self.parseInvalidRule(PtraceRule, rawrule, expected) class PtraceTestParseFromLog(PtraceTest): diff --git a/utils/test/test-rlimit.py b/utils/test/test-rlimit.py index 7bbd3a7b7..67524ead0 100644 --- a/utils/test/test-rlimit.py +++ b/utils/test/test-rlimit.py @@ -77,24 +77,23 @@ class RlimitTestParse(RlimitTest): class RlimitTestParseInvalid(RlimitTest): tests = ( - ('set rlimit,', AppArmorException), # missing parts - ('set rlimit <= 5,', AppArmorException), - ('set rlimit cpu <= ,', AppArmorException), - ('set rlimit cpu <= "",', AppArmorBug), # evil quoting trick - ('set rlimit foo <= 5,', AppArmorException), # unknown rlimit - ('set rlimit rttime <= 60m,', AppArmorException), # 'm' could mean 'ms' or 'minutes' - ('set rlimit cpu <= 20ms,', AppArmorException), # cpu doesn't support 'ms'... - ('set rlimit cpu <= 20us,', AppArmorException), # ... or 'us' - ('set rlimit nice <= 20MB,', AppArmorException), # invalid unit for this rlimit type - ('set rlimit cpu <= 20MB,', AppArmorException), - ('set rlimit data <= 20seconds,', AppArmorException), - ('set rlimit locks <= 20seconds,', AppArmorException), + # exception matches regex + ('set rlimit,', (AppArmorException, False)), # missing parts + ('set rlimit <= 5,', (AppArmorException, False)), + ('set rlimit cpu <= ,', (AppArmorException, False)), + ('set rlimit cpu <= "",', (AppArmorBug, True)), # evil quoting trick + ('set rlimit foo <= 5,', (AppArmorException, True)), # unknown rlimit + ('set rlimit rttime <= 60m,', (AppArmorException, True)), # 'm' could mean 'ms' or 'minutes' + ('set rlimit cpu <= 20ms,', (AppArmorException, True)), # cpu doesn't support 'ms'... + ('set rlimit cpu <= 20us,', (AppArmorException, True)), # ... or 'us' + ('set rlimit nice <= 20MB,', (AppArmorException, True)), # invalid unit for this rlimit type + ('set rlimit cpu <= 20MB,', (AppArmorException, True)), + ('set rlimit data <= 20seconds,', (AppArmorException, True)), + ('set rlimit locks <= 20seconds,', (AppArmorException, True)), ) def _run_test(self, rawrule, expected): - # self.assertFalse(RlimitRule.match(rawrule)) # the main regex isn't very strict - with self.assertRaises(expected): - RlimitRule.create_instance(rawrule) + self.parseInvalidRule(RlimitRule, rawrule, expected) class RlimitTestParseFromLog(RlimitTest): diff --git a/utils/test/test-signal.py b/utils/test/test-signal.py index ab668760e..697f8a963 100644 --- a/utils/test/test-signal.py +++ b/utils/test/test-signal.py @@ -75,26 +75,22 @@ class SignalTestParse(SignalTest): class SignalTestParseInvalid(SignalTest): tests = ( - ('signal foo,', AppArmorException), - ('signal foo bar,', AppArmorException), - ('signal foo int,', AppArmorException), - ('signal send bar,', AppArmorException), - ('signal send receive,', AppArmorException), - ('signal set=,', AppArmorException), - ('signal set=int set=,', AppArmorException), - ('signal set=invalid,', AppArmorException), - ('signal peer=,', AppArmorException), - ('priority=-1042 signal,', AppArmorException), + # exception matches regex + ('signal foo,', (AppArmorException, True)), + ('signal foo bar,', (AppArmorException, True)), + ('signal foo int,', (AppArmorException, True)), + ('signal send bar,', (AppArmorException, True)), + ('signal send receive,', (AppArmorException, True)), + ('signal set=,', (AppArmorException, True)), + ('signal set=int set=,', (AppArmorException, True)), + ('signal set=invalid,', (AppArmorException, True)), + ('signal peer=,', (AppArmorException, True)), + ('priority=a signal,', (AppArmorException, False)), + ('priority=-1042 signal,', (AppArmorException, True)), ) def _run_test(self, rawrule, expected): - self.assertTrue(SignalRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - SignalRule.create_instance(rawrule) - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - SignalRule.create_instance('priority=a signal,') + self.parseInvalidRule(SignalRule, rawrule, expected) class SignalTestParseFromLog(SignalTest): diff --git a/utils/test/test-unix.py b/utils/test/test-unix.py index 77691cf67..abfbc66a5 100644 --- a/utils/test/test-unix.py +++ b/utils/test/test-unix.py @@ -67,23 +67,16 @@ class UnixTestParse(AATest): class UnixTestParseInvalid(AATest): tests = ( - ('unix invalid,', AppArmorException), - ('unix (invalid),', AppArmorException), - ('priority=1042 unix,', AppArmorException), + # exception matches regex + ('unix invalid,', (AppArmorException, True)), + ('unix (invalid),', (AppArmorException, True)), + ('foo,', (AppArmorException, False)), + ('priority=a unix,', (AppArmorException, False)), + ('priority=1042 unix,', (AppArmorException, True)), ) def _run_test(self, rawrule, expected): - self.assertTrue(UnixRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - UnixRule.create_instance(rawrule) - - def test_parse_fail(self): - with self.assertRaises(AppArmorException): - UnixRule.create_instance('foo,') - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - UnixRule.create_instance('priority=a unix,') + self.parseInvalidRule(UnixRule, rawrule, expected) def test_invalid_priority_1(self): with self.assertRaises(TypeError): diff --git a/utils/test/test-userns.py b/utils/test/test-userns.py index fc1e0c453..cab622ab2 100644 --- a/utils/test/test-userns.py +++ b/utils/test/test-userns.py @@ -46,22 +46,15 @@ class UserNamespaceTestParse(AATest): class UserNamespaceTestParseInvalid(AATest): tests = ( - ('userns invalidaccess,', AppArmorException), - ('priority=1042 userns,', AppArmorException), + # exception matches regex + ('userns invalidaccess,', (AppArmorException, True)), + ('priority=a userns,', (AppArmorException, False)), + ('priority=1042 userns,', (AppArmorException, True)), + ('foo,', (AppArmorException, False)), ) def _run_test(self, rawrule, expected): - self.assertTrue(UserNamespaceRule.match(rawrule)) # the above invalid rules still match the main regex! - with self.assertRaises(expected): - UserNamespaceRule.create_instance(rawrule) - - def test_parse_fail(self): - with self.assertRaises(AppArmorException): - UserNamespaceRule.create_instance('foo,') - - def test_invalid_priority(self): - with self.assertRaises(AppArmorException): - UserNamespaceRule.create_instance('priority=a userns,') + self.parseInvalidRule(UserNamespaceRule, rawrule, expected) def test_diff_non_usernsrule(self): exp = namedtuple('exp', ('audit', 'deny', 'priority')) diff --git a/utils/test/test-variable.py b/utils/test/test-variable.py index eba5b3f03..1494fae89 100644 --- a/utils/test/test-variable.py +++ b/utils/test/test-variable.py @@ -94,21 +94,19 @@ class VariableTestParse(VariableTest): class VariableTestParseInvalid(VariableTest): tests = ( - # rawrule matches regex exception - ('@{foo} =', (False, AppArmorException)), - ('@ {foo} = # comment', (False, AppArmorException)), - ('@ {foo} = ', (False, AppArmorException)), - ('@{foo} = /foo,', (True, AppArmorException)), # trailing comma - ('@{foo} = /foo, ', (True, AppArmorException)), # trailing comma - ('@{foo} = /foo, # comment', (True, AppArmorException)), # trailing comma - ('@{foo} = /foo, /bar', (True, AppArmorException)), # trailing comma in first value - ('@{foo = /foo f', (True, AppArmorException)), # variable name broken, missing } + # exception matches regex + ('@{foo} =', (AppArmorException, False)), + ('@ {foo} = # comment', (AppArmorException, False)), + ('@ {foo} = ', (AppArmorException, False)), + ('@{foo} = /foo,', (AppArmorException, True)), # trailing comma + ('@{foo} = /foo, ', (AppArmorException, True)), # trailing comma + ('@{foo} = /foo, # comment', (AppArmorException, True)), # trailing comma + ('@{foo} = /foo, /bar', (AppArmorException, True)), # trailing comma in first value + ('@{foo = /foo f', (AppArmorException, True)), # variable name broken, missing } ) def _run_test(self, rawrule, expected): - self.assertEqual(VariableRule.match(rawrule), expected[0]) - with self.assertRaises(expected[1]): - VariableRule.create_instance(rawrule) + self.parseInvalidRule(VariableRule, rawrule, expected) class VariableFromInit(VariableTest):