|
@@ -95,72 +95,72 @@ class TC_00_PolicyRule(qubes.tests.QubesTestCase):
|
|
self.assertTrue(
|
|
self.assertTrue(
|
|
qubespolicy.verify_target_value(system_info, 'default-dvm'))
|
|
qubespolicy.verify_target_value(system_info, 'default-dvm'))
|
|
self.assertTrue(
|
|
self.assertTrue(
|
|
- qubespolicy.verify_target_value(system_info, '$dispvm'))
|
|
|
|
|
|
+ qubespolicy.verify_target_value(system_info, '@dispvm'))
|
|
self.assertTrue(
|
|
self.assertTrue(
|
|
- qubespolicy.verify_target_value(system_info, '$dispvm:default-dvm'))
|
|
|
|
|
|
+ qubespolicy.verify_target_value(system_info, '@dispvm:default-dvm'))
|
|
self.assertTrue(
|
|
self.assertTrue(
|
|
qubespolicy.verify_target_value(system_info, 'test-template'))
|
|
qubespolicy.verify_target_value(system_info, 'test-template'))
|
|
self.assertTrue(
|
|
self.assertTrue(
|
|
qubespolicy.verify_target_value(system_info, 'test-standalone'))
|
|
qubespolicy.verify_target_value(system_info, 'test-standalone'))
|
|
self.assertTrue(
|
|
self.assertTrue(
|
|
- qubespolicy.verify_target_value(system_info, '$adminvm'))
|
|
|
|
|
|
+ qubespolicy.verify_target_value(system_info, '@adminvm'))
|
|
self.assertFalse(
|
|
self.assertFalse(
|
|
qubespolicy.verify_target_value(system_info, 'no-such-vm'))
|
|
qubespolicy.verify_target_value(system_info, 'no-such-vm'))
|
|
self.assertFalse(
|
|
self.assertFalse(
|
|
qubespolicy.verify_target_value(system_info,
|
|
qubespolicy.verify_target_value(system_info,
|
|
- '$dispvm:test-invalid-dvm'))
|
|
|
|
|
|
+ '@dispvm:test-invalid-dvm'))
|
|
self.assertFalse(
|
|
self.assertFalse(
|
|
- qubespolicy.verify_target_value(system_info, '$dispvm:test-vm1'))
|
|
|
|
|
|
+ qubespolicy.verify_target_value(system_info, '@dispvm:test-vm1'))
|
|
self.assertFalse(
|
|
self.assertFalse(
|
|
qubespolicy.verify_target_value(system_info, ''))
|
|
qubespolicy.verify_target_value(system_info, ''))
|
|
self.assertFalse(
|
|
self.assertFalse(
|
|
- qubespolicy.verify_target_value(system_info, '$default'))
|
|
|
|
|
|
+ qubespolicy.verify_target_value(system_info, '@default'))
|
|
self.assertFalse(
|
|
self.assertFalse(
|
|
- qubespolicy.verify_target_value(system_info, '$anyvm'))
|
|
|
|
|
|
+ qubespolicy.verify_target_value(system_info, '@anyvm'))
|
|
self.assertFalse(
|
|
self.assertFalse(
|
|
- qubespolicy.verify_target_value(system_info, '$tag:tag1'))
|
|
|
|
|
|
+ qubespolicy.verify_target_value(system_info, '@tag:tag1'))
|
|
self.assertFalse(
|
|
self.assertFalse(
|
|
- qubespolicy.verify_target_value(system_info, '$dispvm:$tag:tag1'))
|
|
|
|
|
|
+ qubespolicy.verify_target_value(system_info, '@dispvm:@tag:tag1'))
|
|
self.assertFalse(
|
|
self.assertFalse(
|
|
- qubespolicy.verify_target_value(system_info, '$invalid'))
|
|
|
|
|
|
+ qubespolicy.verify_target_value(system_info, '@invalid'))
|
|
|
|
|
|
def test_010_verify_special_value(self):
|
|
def test_010_verify_special_value(self):
|
|
- self.assertTrue(qubespolicy.verify_special_value('$tag:tag',
|
|
|
|
|
|
+ self.assertTrue(qubespolicy.verify_special_value('@tag:tag',
|
|
for_target=False))
|
|
for_target=False))
|
|
- self.assertTrue(qubespolicy.verify_special_value('$tag:other-tag',
|
|
|
|
|
|
+ self.assertTrue(qubespolicy.verify_special_value('@tag:other-tag',
|
|
for_target=False))
|
|
for_target=False))
|
|
- self.assertTrue(qubespolicy.verify_special_value('$type:AppVM',
|
|
|
|
|
|
+ self.assertTrue(qubespolicy.verify_special_value('@type:AppVM',
|
|
for_target=False))
|
|
for_target=False))
|
|
- self.assertTrue(qubespolicy.verify_special_value('$adminvm',
|
|
|
|
|
|
+ self.assertTrue(qubespolicy.verify_special_value('@adminvm',
|
|
for_target=False))
|
|
for_target=False))
|
|
- self.assertTrue(qubespolicy.verify_special_value('$dispvm:some-vm',
|
|
|
|
|
|
+ self.assertTrue(qubespolicy.verify_special_value('@dispvm:some-vm',
|
|
for_target=True))
|
|
for_target=True))
|
|
- self.assertTrue(qubespolicy.verify_special_value('$dispvm:$tag:tag1',
|
|
|
|
|
|
+ self.assertTrue(qubespolicy.verify_special_value('@dispvm:@tag:tag1',
|
|
for_target=True))
|
|
for_target=True))
|
|
- self.assertFalse(qubespolicy.verify_special_value('$default',
|
|
|
|
|
|
+ self.assertFalse(qubespolicy.verify_special_value('@default',
|
|
for_target=False))
|
|
for_target=False))
|
|
- self.assertFalse(qubespolicy.verify_special_value('$dispvm',
|
|
|
|
|
|
+ self.assertFalse(qubespolicy.verify_special_value('@dispvm',
|
|
for_target=False))
|
|
for_target=False))
|
|
- self.assertFalse(qubespolicy.verify_special_value('$dispvm:some-vm',
|
|
|
|
|
|
+ self.assertFalse(qubespolicy.verify_special_value('@dispvm:some-vm',
|
|
for_target=False))
|
|
for_target=False))
|
|
- self.assertFalse(qubespolicy.verify_special_value('$dispvm:$tag:tag1',
|
|
|
|
|
|
+ self.assertFalse(qubespolicy.verify_special_value('@dispvm:@tag:tag1',
|
|
for_target=False))
|
|
for_target=False))
|
|
- self.assertFalse(qubespolicy.verify_special_value('$invalid',
|
|
|
|
|
|
+ self.assertFalse(qubespolicy.verify_special_value('@invalid',
|
|
for_target=False))
|
|
for_target=False))
|
|
self.assertFalse(qubespolicy.verify_special_value('vm-name',
|
|
self.assertFalse(qubespolicy.verify_special_value('vm-name',
|
|
for_target=False))
|
|
for_target=False))
|
|
- self.assertFalse(qubespolicy.verify_special_value('$tag:',
|
|
|
|
|
|
+ self.assertFalse(qubespolicy.verify_special_value('@tag:',
|
|
for_target=False))
|
|
for_target=False))
|
|
- self.assertFalse(qubespolicy.verify_special_value('$type:',
|
|
|
|
|
|
+ self.assertFalse(qubespolicy.verify_special_value('@type:',
|
|
for_target=False))
|
|
for_target=False))
|
|
|
|
|
|
def test_020_line_simple(self):
|
|
def test_020_line_simple(self):
|
|
- line = qubespolicy.PolicyRule('$anyvm $anyvm ask', 'filename', 12)
|
|
|
|
|
|
+ line = qubespolicy.PolicyRule('@anyvm @anyvm ask', 'filename', 12)
|
|
self.assertEqual(line.filename, 'filename')
|
|
self.assertEqual(line.filename, 'filename')
|
|
self.assertEqual(line.lineno, 12)
|
|
self.assertEqual(line.lineno, 12)
|
|
self.assertEqual(line.action, qubespolicy.Action.ask)
|
|
self.assertEqual(line.action, qubespolicy.Action.ask)
|
|
- self.assertEqual(line.source, '$anyvm')
|
|
|
|
- self.assertEqual(line.target, '$anyvm')
|
|
|
|
|
|
+ self.assertEqual(line.source, '@anyvm')
|
|
|
|
+ self.assertEqual(line.target, '@anyvm')
|
|
self.assertEqual(line.full_action, 'ask')
|
|
self.assertEqual(line.full_action, 'ask')
|
|
self.assertIsNone(line.override_target)
|
|
self.assertIsNone(line.override_target)
|
|
self.assertIsNone(line.override_user)
|
|
self.assertIsNone(line.override_user)
|
|
@@ -169,13 +169,13 @@ class TC_00_PolicyRule(qubes.tests.QubesTestCase):
|
|
def test_021_line_simple(self):
|
|
def test_021_line_simple(self):
|
|
# also check spaces in action field
|
|
# also check spaces in action field
|
|
line = qubespolicy.PolicyRule(
|
|
line = qubespolicy.PolicyRule(
|
|
- '$tag:tag1 $type:AppVM ask, target=test-vm2, user=user',
|
|
|
|
|
|
+ '@tag:tag1 @type:AppVM ask, target=test-vm2, user=user',
|
|
'filename', 12)
|
|
'filename', 12)
|
|
self.assertEqual(line.filename, 'filename')
|
|
self.assertEqual(line.filename, 'filename')
|
|
self.assertEqual(line.lineno, 12)
|
|
self.assertEqual(line.lineno, 12)
|
|
self.assertEqual(line.action, qubespolicy.Action.ask)
|
|
self.assertEqual(line.action, qubespolicy.Action.ask)
|
|
- self.assertEqual(line.source, '$tag:tag1')
|
|
|
|
- self.assertEqual(line.target, '$type:AppVM')
|
|
|
|
|
|
+ self.assertEqual(line.source, '@tag:tag1')
|
|
|
|
+ self.assertEqual(line.target, '@type:AppVM')
|
|
self.assertEqual(line.full_action, 'ask, target=test-vm2, user=user')
|
|
self.assertEqual(line.full_action, 'ask, target=test-vm2, user=user')
|
|
self.assertEqual(line.override_target, 'test-vm2')
|
|
self.assertEqual(line.override_target, 'test-vm2')
|
|
self.assertEqual(line.override_user, 'user')
|
|
self.assertEqual(line.override_user, 'user')
|
|
@@ -183,27 +183,27 @@ class TC_00_PolicyRule(qubes.tests.QubesTestCase):
|
|
|
|
|
|
def test_022_line_simple(self):
|
|
def test_022_line_simple(self):
|
|
line = qubespolicy.PolicyRule(
|
|
line = qubespolicy.PolicyRule(
|
|
- '$anyvm $default allow,target=$dispvm:test-vm2',
|
|
|
|
|
|
+ '@anyvm @default allow,target=@dispvm:test-vm2',
|
|
'filename', 12)
|
|
'filename', 12)
|
|
self.assertEqual(line.filename, 'filename')
|
|
self.assertEqual(line.filename, 'filename')
|
|
self.assertEqual(line.lineno, 12)
|
|
self.assertEqual(line.lineno, 12)
|
|
self.assertEqual(line.action, qubespolicy.Action.allow)
|
|
self.assertEqual(line.action, qubespolicy.Action.allow)
|
|
- self.assertEqual(line.source, '$anyvm')
|
|
|
|
- self.assertEqual(line.target, '$default')
|
|
|
|
- self.assertEqual(line.full_action, 'allow,target=$dispvm:test-vm2')
|
|
|
|
- self.assertEqual(line.override_target, '$dispvm:test-vm2')
|
|
|
|
|
|
+ self.assertEqual(line.source, '@anyvm')
|
|
|
|
+ self.assertEqual(line.target, '@default')
|
|
|
|
+ self.assertEqual(line.full_action, 'allow,target=@dispvm:test-vm2')
|
|
|
|
+ self.assertEqual(line.override_target, '@dispvm:test-vm2')
|
|
self.assertIsNone(line.override_user)
|
|
self.assertIsNone(line.override_user)
|
|
self.assertIsNone(line.default_target)
|
|
self.assertIsNone(line.default_target)
|
|
|
|
|
|
def test_023_line_simple(self):
|
|
def test_023_line_simple(self):
|
|
line = qubespolicy.PolicyRule(
|
|
line = qubespolicy.PolicyRule(
|
|
- '$anyvm $default ask,default_target=test-vm1',
|
|
|
|
|
|
+ '@anyvm @default ask,default_target=test-vm1',
|
|
'filename', 12)
|
|
'filename', 12)
|
|
self.assertEqual(line.filename, 'filename')
|
|
self.assertEqual(line.filename, 'filename')
|
|
self.assertEqual(line.lineno, 12)
|
|
self.assertEqual(line.lineno, 12)
|
|
self.assertEqual(line.action, qubespolicy.Action.ask)
|
|
self.assertEqual(line.action, qubespolicy.Action.ask)
|
|
- self.assertEqual(line.source, '$anyvm')
|
|
|
|
- self.assertEqual(line.target, '$default')
|
|
|
|
|
|
+ self.assertEqual(line.source, '@anyvm')
|
|
|
|
+ self.assertEqual(line.target, '@default')
|
|
self.assertEqual(line.full_action, 'ask,default_target=test-vm1')
|
|
self.assertEqual(line.full_action, 'ask,default_target=test-vm1')
|
|
self.assertIsNone(line.override_target)
|
|
self.assertIsNone(line.override_target)
|
|
self.assertIsNone(line.override_user)
|
|
self.assertIsNone(line.override_user)
|
|
@@ -211,39 +211,39 @@ class TC_00_PolicyRule(qubes.tests.QubesTestCase):
|
|
|
|
|
|
def test_024_line_simple(self):
|
|
def test_024_line_simple(self):
|
|
line = qubespolicy.PolicyRule(
|
|
line = qubespolicy.PolicyRule(
|
|
- '$anyvm $adminvm ask,default_target=$adminvm',
|
|
|
|
|
|
+ '@anyvm @adminvm ask,default_target=@adminvm',
|
|
'filename', 12)
|
|
'filename', 12)
|
|
self.assertEqual(line.filename, 'filename')
|
|
self.assertEqual(line.filename, 'filename')
|
|
self.assertEqual(line.lineno, 12)
|
|
self.assertEqual(line.lineno, 12)
|
|
self.assertEqual(line.action, qubespolicy.Action.ask)
|
|
self.assertEqual(line.action, qubespolicy.Action.ask)
|
|
- self.assertEqual(line.source, '$anyvm')
|
|
|
|
- self.assertEqual(line.target, '$adminvm')
|
|
|
|
- self.assertEqual(line.full_action, 'ask,default_target=$adminvm')
|
|
|
|
|
|
+ self.assertEqual(line.source, '@anyvm')
|
|
|
|
+ self.assertEqual(line.target, '@adminvm')
|
|
|
|
+ self.assertEqual(line.full_action, 'ask,default_target=@adminvm')
|
|
self.assertIsNone(line.override_target)
|
|
self.assertIsNone(line.override_target)
|
|
self.assertIsNone(line.override_user)
|
|
self.assertIsNone(line.override_user)
|
|
- self.assertEqual(line.default_target, '$adminvm')
|
|
|
|
|
|
+ self.assertEqual(line.default_target, '@adminvm')
|
|
|
|
|
|
def test_030_line_invalid(self):
|
|
def test_030_line_invalid(self):
|
|
invalid_lines = [
|
|
invalid_lines = [
|
|
- '$dispvm $default allow', # $dispvm can't be a source
|
|
|
|
- '$default $default allow', # $default can't be a source
|
|
|
|
- '$anyvm $default allow,target=$dispvm:$tag:tag1', # $dispvm:$tag
|
|
|
|
|
|
+ '@dispvm @default allow', # @dispvm can't be a source
|
|
|
|
+ '@default @default allow', # @default can't be a source
|
|
|
|
+ '@anyvm @default allow,target=@dispvm:@tag:tag1', # @dispvm:@tag
|
|
# as override target
|
|
# as override target
|
|
- '$anyvm $default allow,target=$tag:tag1', # $tag as override target
|
|
|
|
- '$anyvm $default deny,target=test-vm1', # target= used with deny
|
|
|
|
- '$anyvm $anyvm deny,default_target=test-vm1', # default_target=
|
|
|
|
|
|
+ '@anyvm @default allow,target=@tag:tag1', # @tag as override target
|
|
|
|
+ '@anyvm @default deny,target=test-vm1', # target= used with deny
|
|
|
|
+ '@anyvm @anyvm deny,default_target=test-vm1', # default_target=
|
|
# with deny
|
|
# with deny
|
|
- '$anyvm $anyvm deny,user=user', # user= with deny
|
|
|
|
- '$anyvm $anyvm invalid', # invalid action
|
|
|
|
- '$anyvm $anyvm allow,invalid=xx', # invalid option
|
|
|
|
- '$anyvm $anyvm', # missing action
|
|
|
|
- '$anyvm $anyvm allow,default_target=test-vm1', # default_target=
|
|
|
|
|
|
+ '@anyvm @anyvm deny,user=user', # user= with deny
|
|
|
|
+ '@anyvm @anyvm invalid', # invalid action
|
|
|
|
+ '@anyvm @anyvm allow,invalid=xx', # invalid option
|
|
|
|
+ '@anyvm @anyvm', # missing action
|
|
|
|
+ '@anyvm @anyvm allow,default_target=test-vm1', # default_target=
|
|
# with allow
|
|
# with allow
|
|
- '$invalid $anyvm allow', # invalid source
|
|
|
|
- '$anyvm $invalid deny', # invalid target
|
|
|
|
|
|
+ '@invalid @anyvm allow', # invalid source
|
|
|
|
+ '@anyvm @invalid deny', # invalid target
|
|
'', # empty line
|
|
'', # empty line
|
|
- '$anyvm $anyvm allow extra', # trailing words
|
|
|
|
- '$anyvm $default allow', # $default allow without target=
|
|
|
|
|
|
+ '@anyvm @anyvm allow extra', # trailing words
|
|
|
|
+ '@anyvm @default allow', # @default allow without target=
|
|
]
|
|
]
|
|
for line in invalid_lines:
|
|
for line in invalid_lines:
|
|
with self.subTest(line):
|
|
with self.subTest(line):
|
|
@@ -252,118 +252,118 @@ class TC_00_PolicyRule(qubes.tests.QubesTestCase):
|
|
|
|
|
|
def test_040_match_single(self):
|
|
def test_040_match_single(self):
|
|
is_match_single = qubespolicy.PolicyRule.is_match_single
|
|
is_match_single = qubespolicy.PolicyRule.is_match_single
|
|
- self.assertTrue(is_match_single(system_info, '$anyvm', 'test-vm1'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$anyvm', '$default'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$anyvm', ''))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$default', ''))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$default', '$default'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$tag:tag1', 'test-vm1'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$type:AppVM', 'test-vm1'))
|
|
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@anyvm', 'test-vm1'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@anyvm', '@default'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@anyvm', ''))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@default', ''))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@default', '@default'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@tag:tag1', 'test-vm1'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@type:AppVM', 'test-vm1'))
|
|
self.assertTrue(is_match_single(system_info,
|
|
self.assertTrue(is_match_single(system_info,
|
|
- '$type:TemplateVM', 'test-template'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$anyvm', '$dispvm'))
|
|
|
|
|
|
+ '@type:TemplateVM', 'test-template'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@anyvm', '@dispvm'))
|
|
self.assertTrue(is_match_single(system_info,
|
|
self.assertTrue(is_match_single(system_info,
|
|
- '$anyvm', '$dispvm:default-dvm'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$dispvm', '$dispvm'))
|
|
|
|
|
|
+ '@anyvm', '@dispvm:default-dvm'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@dispvm', '@dispvm'))
|
|
self.assertTrue(is_match_single(system_info,
|
|
self.assertTrue(is_match_single(system_info,
|
|
- '$dispvm:$tag:tag3', '$dispvm:test-vm3'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$adminvm', '$adminvm'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$adminvm', 'dom0'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, 'dom0', '$adminvm'))
|
|
|
|
|
|
+ '@dispvm:@tag:tag3', '@dispvm:test-vm3'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@adminvm', '@adminvm'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@adminvm', 'dom0'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, 'dom0', '@adminvm'))
|
|
self.assertTrue(is_match_single(system_info, 'dom0', 'dom0'))
|
|
self.assertTrue(is_match_single(system_info, 'dom0', 'dom0'))
|
|
self.assertTrue(is_match_single(system_info,
|
|
self.assertTrue(is_match_single(system_info,
|
|
- '$dispvm:default-dvm', '$dispvm:default-dvm'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$anyvm', '$dispvm'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$anyvm', 'test-vm1'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$anyvm', 'test-vm1'))
|
|
|
|
- self.assertTrue(is_match_single(system_info, '$anyvm', 'test-vm1'))
|
|
|
|
-
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$default', 'test-vm1'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$tag:tag1', 'test-vm3'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$anyvm', 'no-such-vm'))
|
|
|
|
|
|
+ '@dispvm:default-dvm', '@dispvm:default-dvm'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@anyvm', '@dispvm'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@anyvm', 'test-vm1'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@anyvm', 'test-vm1'))
|
|
|
|
+ self.assertTrue(is_match_single(system_info, '@anyvm', 'test-vm1'))
|
|
|
|
+
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@default', 'test-vm1'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@tag:tag1', 'test-vm3'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@anyvm', 'no-such-vm'))
|
|
# test-vm1.template_for_dispvms=False
|
|
# test-vm1.template_for_dispvms=False
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
- '$anyvm', '$dispvm:test-vm1'))
|
|
|
|
|
|
+ '@anyvm', '@dispvm:test-vm1'))
|
|
# test-vm1.template_for_dispvms=False
|
|
# test-vm1.template_for_dispvms=False
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
- '$dispvm:test-vm1', '$dispvm:test-vm1'))
|
|
|
|
|
|
+ '@dispvm:test-vm1', '@dispvm:test-vm1'))
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
- '$dispvm:$tag:tag1', '$dispvm:test-vm1'))
|
|
|
|
|
|
+ '@dispvm:@tag:tag1', '@dispvm:test-vm1'))
|
|
# test-vm3 has not tag1
|
|
# test-vm3 has not tag1
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
- '$dispvm:$tag:tag1', '$dispvm:test-vm3'))
|
|
|
|
|
|
+ '@dispvm:@tag:tag1', '@dispvm:test-vm3'))
|
|
# default-dvm has no tag3
|
|
# default-dvm has no tag3
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
- '$dispvm:$tag:tag3', '$dispvm:default-dvm'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$anyvm', 'dom0'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$anyvm', '$adminvm'))
|
|
|
|
|
|
+ '@dispvm:@tag:tag3', '@dispvm:default-dvm'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@anyvm', 'dom0'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@anyvm', '@adminvm'))
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
- '$tag:dom0-tag', '$adminvm'))
|
|
|
|
|
|
+ '@tag:dom0-tag', '@adminvm'))
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
- '$type:AdminVM', '$adminvm'))
|
|
|
|
|
|
+ '@type:AdminVM', '@adminvm'))
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
- '$tag:dom0-tag', 'dom0'))
|
|
|
|
|
|
+ '@tag:dom0-tag', 'dom0'))
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
- '$type:AdminVM', 'dom0'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$tag:tag1', 'dom0'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$anyvm', '$tag:tag1'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$anyvm', '$type:AppVM'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$anyvm', '$invalid'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$invalid', '$invalid'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$anyvm', 'no-such-vm'))
|
|
|
|
|
|
+ '@type:AdminVM', 'dom0'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@tag:tag1', 'dom0'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@anyvm', '@tag:tag1'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@anyvm', '@type:AppVM'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@anyvm', '@invalid'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@invalid', '@invalid'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@anyvm', 'no-such-vm'))
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
'no-such-vm', 'no-such-vm'))
|
|
'no-such-vm', 'no-such-vm'))
|
|
- self.assertFalse(is_match_single(system_info, '$dispvm', 'test-vm1'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$dispvm', 'default-dvm'))
|
|
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@dispvm', 'test-vm1'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@dispvm', 'default-dvm'))
|
|
self.assertFalse(is_match_single(system_info,
|
|
self.assertFalse(is_match_single(system_info,
|
|
- '$dispvm:default-dvm', 'default-dvm'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$anyvm', 'test-vm1\n'))
|
|
|
|
- self.assertFalse(is_match_single(system_info, '$anyvm', 'test-vm1 '))
|
|
|
|
|
|
+ '@dispvm:default-dvm', 'default-dvm'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@anyvm', 'test-vm1\n'))
|
|
|
|
+ self.assertFalse(is_match_single(system_info, '@anyvm', 'test-vm1 '))
|
|
|
|
|
|
def test_050_match(self):
|
|
def test_050_match(self):
|
|
- line = qubespolicy.PolicyRule('$anyvm $anyvm allow')
|
|
|
|
|
|
+ line = qubespolicy.PolicyRule('@anyvm @anyvm allow')
|
|
self.assertTrue(line.is_match(system_info, 'test-vm1', 'test-vm2'))
|
|
self.assertTrue(line.is_match(system_info, 'test-vm1', 'test-vm2'))
|
|
- line = qubespolicy.PolicyRule('$anyvm $anyvm allow')
|
|
|
|
|
|
+ line = qubespolicy.PolicyRule('@anyvm @anyvm allow')
|
|
self.assertFalse(line.is_match(system_info, 'no-such-vm', 'test-vm2'))
|
|
self.assertFalse(line.is_match(system_info, 'no-such-vm', 'test-vm2'))
|
|
- line = qubespolicy.PolicyRule('$anyvm $anyvm allow')
|
|
|
|
|
|
+ line = qubespolicy.PolicyRule('@anyvm @anyvm allow')
|
|
self.assertFalse(line.is_match(system_info, 'test-vm1', 'no-such-vm'))
|
|
self.assertFalse(line.is_match(system_info, 'test-vm1', 'no-such-vm'))
|
|
- line = qubespolicy.PolicyRule('$anyvm $dispvm allow')
|
|
|
|
- self.assertTrue(line.is_match(system_info, 'test-vm1', '$dispvm'))
|
|
|
|
- line = qubespolicy.PolicyRule('$anyvm $dispvm allow')
|
|
|
|
|
|
+ line = qubespolicy.PolicyRule('@anyvm @dispvm allow')
|
|
|
|
+ self.assertTrue(line.is_match(system_info, 'test-vm1', '@dispvm'))
|
|
|
|
+ line = qubespolicy.PolicyRule('@anyvm @dispvm allow')
|
|
self.assertFalse(line.is_match(system_info,
|
|
self.assertFalse(line.is_match(system_info,
|
|
- 'test-vm1', '$dispvm:default-dvm'))
|
|
|
|
- line = qubespolicy.PolicyRule('$anyvm $dispvm:default-dvm allow')
|
|
|
|
- self.assertTrue(line.is_match(system_info, 'test-vm1', '$dispvm'))
|
|
|
|
- line = qubespolicy.PolicyRule('$anyvm $dispvm:default-dvm allow')
|
|
|
|
|
|
+ 'test-vm1', '@dispvm:default-dvm'))
|
|
|
|
+ line = qubespolicy.PolicyRule('@anyvm @dispvm:default-dvm allow')
|
|
|
|
+ self.assertTrue(line.is_match(system_info, 'test-vm1', '@dispvm'))
|
|
|
|
+ line = qubespolicy.PolicyRule('@anyvm @dispvm:default-dvm allow')
|
|
self.assertTrue(line.is_match(system_info,
|
|
self.assertTrue(line.is_match(system_info,
|
|
- 'test-vm1', '$dispvm:default-dvm'))
|
|
|
|
- line = qubespolicy.PolicyRule('$anyvm $dispvm:$tag:tag3 allow')
|
|
|
|
|
|
+ 'test-vm1', '@dispvm:default-dvm'))
|
|
|
|
+ line = qubespolicy.PolicyRule('@anyvm @dispvm:@tag:tag3 allow')
|
|
self.assertTrue(line.is_match(system_info,
|
|
self.assertTrue(line.is_match(system_info,
|
|
- 'test-vm1', '$dispvm:test-vm3'))
|
|
|
|
|
|
+ 'test-vm1', '@dispvm:test-vm3'))
|
|
|
|
|
|
def test_060_expand_target(self):
|
|
def test_060_expand_target(self):
|
|
lines = {
|
|
lines = {
|
|
- '$anyvm $anyvm allow': ['test-vm1', 'test-vm2', 'test-vm3',
|
|
|
|
- '$dispvm:test-vm3',
|
|
|
|
- 'default-dvm', '$dispvm:default-dvm', 'test-invalid-dvm',
|
|
|
|
- 'test-no-dvm', 'test-template', 'test-standalone', '$dispvm'],
|
|
|
|
- '$anyvm $dispvm allow': ['$dispvm'],
|
|
|
|
- '$anyvm $dispvm:default-dvm allow': ['$dispvm:default-dvm'],
|
|
|
|
|
|
+ '@anyvm @anyvm allow': ['test-vm1', 'test-vm2', 'test-vm3',
|
|
|
|
+ '@dispvm:test-vm3',
|
|
|
|
+ 'default-dvm', '@dispvm:default-dvm', 'test-invalid-dvm',
|
|
|
|
+ 'test-no-dvm', 'test-template', 'test-standalone', '@dispvm'],
|
|
|
|
+ '@anyvm @dispvm allow': ['@dispvm'],
|
|
|
|
+ '@anyvm @dispvm:default-dvm allow': ['@dispvm:default-dvm'],
|
|
# no DispVM from test-vm1 allowed
|
|
# no DispVM from test-vm1 allowed
|
|
- '$anyvm $dispvm:test-vm1 allow': [],
|
|
|
|
- '$anyvm $dispvm:test-vm3 allow': ['$dispvm:test-vm3'],
|
|
|
|
- '$anyvm $dispvm:$tag:tag1 allow': [],
|
|
|
|
- '$anyvm $dispvm:$tag:tag3 allow': ['$dispvm:test-vm3'],
|
|
|
|
- '$anyvm test-vm1 allow': ['test-vm1'],
|
|
|
|
- '$anyvm $type:AppVM allow': ['test-vm1', 'test-vm2', 'test-vm3',
|
|
|
|
|
|
+ '@anyvm @dispvm:test-vm1 allow': [],
|
|
|
|
+ '@anyvm @dispvm:test-vm3 allow': ['@dispvm:test-vm3'],
|
|
|
|
+ '@anyvm @dispvm:@tag:tag1 allow': [],
|
|
|
|
+ '@anyvm @dispvm:@tag:tag3 allow': ['@dispvm:test-vm3'],
|
|
|
|
+ '@anyvm test-vm1 allow': ['test-vm1'],
|
|
|
|
+ '@anyvm @type:AppVM allow': ['test-vm1', 'test-vm2', 'test-vm3',
|
|
'default-dvm', 'test-invalid-dvm', 'test-no-dvm'],
|
|
'default-dvm', 'test-invalid-dvm', 'test-no-dvm'],
|
|
- '$anyvm $type:TemplateVM allow': ['test-template'],
|
|
|
|
- '$anyvm $tag:tag1 allow': ['test-vm1', 'test-invalid-dvm',
|
|
|
|
|
|
+ '@anyvm @type:TemplateVM allow': ['test-template'],
|
|
|
|
+ '@anyvm @tag:tag1 allow': ['test-vm1', 'test-invalid-dvm',
|
|
'test-template', 'test-standalone', 'test-no-dvm'],
|
|
'test-template', 'test-standalone', 'test-no-dvm'],
|
|
- '$anyvm $tag:tag2 allow': ['test-vm1', 'test-vm2',
|
|
|
|
|
|
+ '@anyvm @tag:tag2 allow': ['test-vm1', 'test-vm2',
|
|
'test-invalid-dvm', 'test-template', 'test-standalone',
|
|
'test-invalid-dvm', 'test-template', 'test-standalone',
|
|
'test-no-dvm'],
|
|
'test-no-dvm'],
|
|
- '$anyvm $tag:no-such-tag allow': [],
|
|
|
|
|
|
+ '@anyvm @tag:no-such-tag allow': [],
|
|
}
|
|
}
|
|
for line in lines:
|
|
for line in lines:
|
|
with self.subTest(line):
|
|
with self.subTest(line):
|
|
@@ -373,56 +373,56 @@ class TC_00_PolicyRule(qubes.tests.QubesTestCase):
|
|
|
|
|
|
def test_070_expand_override_target(self):
|
|
def test_070_expand_override_target(self):
|
|
line = qubespolicy.PolicyRule(
|
|
line = qubespolicy.PolicyRule(
|
|
- '$anyvm $anyvm allow,target=test-vm2')
|
|
|
|
|
|
+ '@anyvm @anyvm allow,target=test-vm2')
|
|
self.assertEqual(
|
|
self.assertEqual(
|
|
line.expand_override_target(system_info, 'test-vm1'),
|
|
line.expand_override_target(system_info, 'test-vm1'),
|
|
'test-vm2')
|
|
'test-vm2')
|
|
|
|
|
|
def test_071_expand_override_target_dispvm(self):
|
|
def test_071_expand_override_target_dispvm(self):
|
|
line = qubespolicy.PolicyRule(
|
|
line = qubespolicy.PolicyRule(
|
|
- '$anyvm $anyvm allow,target=$dispvm')
|
|
|
|
|
|
+ '@anyvm @anyvm allow,target=@dispvm')
|
|
self.assertEqual(
|
|
self.assertEqual(
|
|
line.expand_override_target(system_info, 'test-vm1'),
|
|
line.expand_override_target(system_info, 'test-vm1'),
|
|
- '$dispvm:default-dvm')
|
|
|
|
|
|
+ '@dispvm:default-dvm')
|
|
|
|
|
|
def test_072_expand_override_target_dispvm_specific(self):
|
|
def test_072_expand_override_target_dispvm_specific(self):
|
|
line = qubespolicy.PolicyRule(
|
|
line = qubespolicy.PolicyRule(
|
|
- '$anyvm $anyvm allow,target=$dispvm:test-vm3')
|
|
|
|
|
|
+ '@anyvm @anyvm allow,target=@dispvm:test-vm3')
|
|
self.assertEqual(
|
|
self.assertEqual(
|
|
line.expand_override_target(system_info, 'test-vm1'),
|
|
line.expand_override_target(system_info, 'test-vm1'),
|
|
- '$dispvm:test-vm3')
|
|
|
|
|
|
+ '@dispvm:test-vm3')
|
|
|
|
|
|
def test_073_expand_override_target_dispvm_none(self):
|
|
def test_073_expand_override_target_dispvm_none(self):
|
|
line = qubespolicy.PolicyRule(
|
|
line = qubespolicy.PolicyRule(
|
|
- '$anyvm $anyvm allow,target=$dispvm')
|
|
|
|
|
|
+ '@anyvm @anyvm allow,target=@dispvm')
|
|
self.assertEqual(
|
|
self.assertEqual(
|
|
line.expand_override_target(system_info, 'test-no-dvm'),
|
|
line.expand_override_target(system_info, 'test-no-dvm'),
|
|
None)
|
|
None)
|
|
|
|
|
|
def test_074_expand_override_target_dom0(self):
|
|
def test_074_expand_override_target_dom0(self):
|
|
line = qubespolicy.PolicyRule(
|
|
line = qubespolicy.PolicyRule(
|
|
- '$anyvm $anyvm allow,target=dom0')
|
|
|
|
|
|
+ '@anyvm @anyvm allow,target=dom0')
|
|
self.assertEqual(
|
|
self.assertEqual(
|
|
line.expand_override_target(system_info, 'test-no-dvm'),
|
|
line.expand_override_target(system_info, 'test-no-dvm'),
|
|
'dom0')
|
|
'dom0')
|
|
|
|
|
|
def test_075_expand_override_target_dom0(self):
|
|
def test_075_expand_override_target_dom0(self):
|
|
line = qubespolicy.PolicyRule(
|
|
line = qubespolicy.PolicyRule(
|
|
- '$anyvm $anyvm allow,target=$adminvm')
|
|
|
|
|
|
+ '@anyvm @anyvm allow,target=@adminvm')
|
|
self.assertEqual(
|
|
self.assertEqual(
|
|
line.expand_override_target(system_info, 'test-no-dvm'),
|
|
line.expand_override_target(system_info, 'test-no-dvm'),
|
|
- '$adminvm')
|
|
|
|
|
|
+ '@adminvm')
|
|
|
|
|
|
|
|
|
|
class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
def test_000_init(self):
|
|
def test_000_init(self):
|
|
- rule = qubespolicy.PolicyRule('$anyvm $anyvm deny')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm @anyvm deny')
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
qubespolicy.PolicyAction('test.service', 'test-vm1', 'test-vm2',
|
|
qubespolicy.PolicyAction('test.service', 'test-vm1', 'test-vm2',
|
|
rule, 'test-vm2')
|
|
rule, 'test-vm2')
|
|
|
|
|
|
def test_001_init(self):
|
|
def test_001_init(self):
|
|
- rule = qubespolicy.PolicyRule('$anyvm $anyvm ask')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm @anyvm ask')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
|
|
None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertEqual(action.service, 'test.service')
|
|
@@ -434,8 +434,8 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
self.assertEqual(action.action, qubespolicy.Action.ask)
|
|
self.assertEqual(action.action, qubespolicy.Action.ask)
|
|
|
|
|
|
def test_002_init_invalid(self):
|
|
def test_002_init_invalid(self):
|
|
- rule_ask = qubespolicy.PolicyRule('$anyvm $anyvm ask')
|
|
|
|
- rule_allow = qubespolicy.PolicyRule('$anyvm $anyvm allow')
|
|
|
|
|
|
+ rule_ask = qubespolicy.PolicyRule('@anyvm @anyvm ask')
|
|
|
|
+ rule_allow = qubespolicy.PolicyRule('@anyvm @anyvm allow')
|
|
with self.assertRaises(AssertionError):
|
|
with self.assertRaises(AssertionError):
|
|
qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
None, rule_allow, 'test-vm2', None)
|
|
None, rule_allow, 'test-vm2', None)
|
|
@@ -448,7 +448,7 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
None, rule_ask, 'test-vm2', None)
|
|
None, rule_ask, 'test-vm2', None)
|
|
|
|
|
|
def test_003_init_default_target(self):
|
|
def test_003_init_default_target(self):
|
|
- rule_ask = qubespolicy.PolicyRule('$anyvm $anyvm ask')
|
|
|
|
|
|
+ rule_ask = qubespolicy.PolicyRule('@anyvm @anyvm ask')
|
|
|
|
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
'test-vm1', rule_ask, 'test-vm2', ['test-vm2'])
|
|
'test-vm1', rule_ask, 'test-vm2', ['test-vm2'])
|
|
@@ -459,7 +459,7 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
self.assertEqual(action.target, 'test-vm2')
|
|
self.assertEqual(action.target, 'test-vm2')
|
|
|
|
|
|
def test_010_handle_user_response(self):
|
|
def test_010_handle_user_response(self):
|
|
- rule = qubespolicy.PolicyRule('$anyvm $anyvm ask')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm @anyvm ask')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
|
|
None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
|
|
action.handle_user_response(True, 'test-vm2')
|
|
action.handle_user_response(True, 'test-vm2')
|
|
@@ -467,14 +467,14 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
self.assertEqual(action.target, 'test-vm2')
|
|
self.assertEqual(action.target, 'test-vm2')
|
|
|
|
|
|
def test_011_handle_user_response(self):
|
|
def test_011_handle_user_response(self):
|
|
- rule = qubespolicy.PolicyRule('$anyvm $anyvm ask')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm @anyvm ask')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
|
|
None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
|
|
with self.assertRaises(AssertionError):
|
|
with self.assertRaises(AssertionError):
|
|
action.handle_user_response(True, 'test-no-dvm')
|
|
action.handle_user_response(True, 'test-no-dvm')
|
|
|
|
|
|
def test_012_handle_user_response(self):
|
|
def test_012_handle_user_response(self):
|
|
- rule = qubespolicy.PolicyRule('$anyvm $anyvm ask')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm @anyvm ask')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
|
|
None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
@@ -483,7 +483,7 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
|
|
|
|
def test_013_handle_user_response_with_default_target(self):
|
|
def test_013_handle_user_response_with_default_target(self):
|
|
rule = qubespolicy.PolicyRule(
|
|
rule = qubespolicy.PolicyRule(
|
|
- '$anyvm $anyvm ask,default_target=test-vm2')
|
|
|
|
|
|
+ '@anyvm @anyvm ask,default_target=test-vm2')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
|
|
None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
|
|
action.handle_user_response(True, 'test-vm2')
|
|
action.handle_user_response(True, 'test-vm2')
|
|
@@ -493,7 +493,7 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
@unittest.mock.patch('qubespolicy.qubesd_call')
|
|
@unittest.mock.patch('qubespolicy.qubesd_call')
|
|
@unittest.mock.patch('subprocess.call')
|
|
@unittest.mock.patch('subprocess.call')
|
|
def test_020_execute(self, mock_subprocess, mock_qubesd_call):
|
|
def test_020_execute(self, mock_subprocess, mock_qubesd_call):
|
|
- rule = qubespolicy.PolicyRule('$anyvm $anyvm allow')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm @anyvm allow')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
'test-vm2', rule, 'test-vm2')
|
|
'test-vm2', rule, 'test-vm2')
|
|
action.execute('some-ident')
|
|
action.execute('some-ident')
|
|
@@ -506,7 +506,7 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
@unittest.mock.patch('qubespolicy.qubesd_call')
|
|
@unittest.mock.patch('qubespolicy.qubesd_call')
|
|
@unittest.mock.patch('subprocess.call')
|
|
@unittest.mock.patch('subprocess.call')
|
|
def test_021_execute_dom0(self, mock_subprocess, mock_qubesd_call):
|
|
def test_021_execute_dom0(self, mock_subprocess, mock_qubesd_call):
|
|
- rule = qubespolicy.PolicyRule('$anyvm dom0 allow')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm dom0 allow')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
'dom0', rule, 'dom0')
|
|
'dom0', rule, 'dom0')
|
|
action.execute('some-ident')
|
|
action.execute('some-ident')
|
|
@@ -519,9 +519,9 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
@unittest.mock.patch('qubespolicy.qubesd_call')
|
|
@unittest.mock.patch('qubespolicy.qubesd_call')
|
|
@unittest.mock.patch('subprocess.call')
|
|
@unittest.mock.patch('subprocess.call')
|
|
def test_021_execute_dom0_keyword(self, mock_subprocess, mock_qubesd_call):
|
|
def test_021_execute_dom0_keyword(self, mock_subprocess, mock_qubesd_call):
|
|
- rule = qubespolicy.PolicyRule('$anyvm dom0 allow')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm dom0 allow')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
- 'dom0', rule, '$adminvm')
|
|
|
|
|
|
+ 'dom0', rule, '@adminvm')
|
|
action.execute('some-ident')
|
|
action.execute('some-ident')
|
|
self.assertEqual(mock_qubesd_call.mock_calls, [])
|
|
self.assertEqual(mock_qubesd_call.mock_calls, [])
|
|
self.assertEqual(mock_subprocess.mock_calls,
|
|
self.assertEqual(mock_subprocess.mock_calls,
|
|
@@ -532,9 +532,9 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
@unittest.mock.patch('qubespolicy.qubesd_call')
|
|
@unittest.mock.patch('qubespolicy.qubesd_call')
|
|
@unittest.mock.patch('subprocess.call')
|
|
@unittest.mock.patch('subprocess.call')
|
|
def test_022_execute_dispvm(self, mock_subprocess, mock_qubesd_call):
|
|
def test_022_execute_dispvm(self, mock_subprocess, mock_qubesd_call):
|
|
- rule = qubespolicy.PolicyRule('$anyvm $dispvm:default-dvm allow')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm @dispvm:default-dvm allow')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
- '$dispvm:default-dvm', rule, '$dispvm:default-dvm')
|
|
|
|
|
|
+ '@dispvm:default-dvm', rule, '@dispvm:default-dvm')
|
|
mock_qubesd_call.side_effect = (lambda target, call:
|
|
mock_qubesd_call.side_effect = (lambda target, call:
|
|
b'dispvm-name' if call == 'admin.vm.CreateDisposable' else
|
|
b'dispvm-name' if call == 'admin.vm.CreateDisposable' else
|
|
unittest.mock.DEFAULT)
|
|
unittest.mock.DEFAULT)
|
|
@@ -552,7 +552,7 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
@unittest.mock.patch('subprocess.call')
|
|
@unittest.mock.patch('subprocess.call')
|
|
def test_023_execute_already_running(self, mock_subprocess,
|
|
def test_023_execute_already_running(self, mock_subprocess,
|
|
mock_qubesd_call):
|
|
mock_qubesd_call):
|
|
- rule = qubespolicy.PolicyRule('$anyvm $anyvm allow')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm @anyvm allow')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
'test-vm2', rule, 'test-vm2')
|
|
'test-vm2', rule, 'test-vm2')
|
|
mock_qubesd_call.side_effect = \
|
|
mock_qubesd_call.side_effect = \
|
|
@@ -568,7 +568,7 @@ class TC_10_PolicyAction(qubes.tests.QubesTestCase):
|
|
@unittest.mock.patch('subprocess.call')
|
|
@unittest.mock.patch('subprocess.call')
|
|
def test_024_execute_startup_error(self, mock_subprocess,
|
|
def test_024_execute_startup_error(self, mock_subprocess,
|
|
mock_qubesd_call):
|
|
mock_qubesd_call):
|
|
- rule = qubespolicy.PolicyRule('$anyvm $anyvm allow')
|
|
|
|
|
|
+ rule = qubespolicy.PolicyRule('@anyvm @anyvm allow')
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
action = qubespolicy.PolicyAction('test.service', 'test-vm1',
|
|
'test-vm2', rule, 'test-vm2')
|
|
'test-vm2', rule, 'test-vm2')
|
|
mock_qubesd_call.side_effect = \
|
|
mock_qubesd_call.side_effect = \
|
|
@@ -597,7 +597,7 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
|
|
f.write('# comment\n')
|
|
f.write('# comment\n')
|
|
f.write('test-vm2 test-vm3 ask\n')
|
|
f.write('test-vm2 test-vm3 ask\n')
|
|
f.write(' # comment \n')
|
|
f.write(' # comment \n')
|
|
- f.write('$anyvm $anyvm ask\n')
|
|
|
|
|
|
+ f.write('@anyvm @anyvm ask\n')
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
self.assertEqual(policy.service, 'test.service')
|
|
self.assertEqual(policy.service, 'test.service')
|
|
self.assertEqual(len(policy.policy_rules), 3)
|
|
self.assertEqual(len(policy.policy_rules), 3)
|
|
@@ -613,10 +613,10 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
|
|
def test_002_include(self):
|
|
def test_002_include(self):
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
- f.write('$include:test.service2\n')
|
|
|
|
- f.write('$anyvm $anyvm deny\n')
|
|
|
|
|
|
+ f.write('@include:test.service2\n')
|
|
|
|
+ f.write('@anyvm @anyvm deny\n')
|
|
with open(os.path.join(tmp_policy_dir, 'test.service2'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service2'), 'w') as f:
|
|
- f.write('test-vm3 $default allow,target=test-vm2\n')
|
|
|
|
|
|
+ f.write('test-vm3 @default allow,target=test-vm2\n')
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
self.assertEqual(policy.service, 'test.service')
|
|
self.assertEqual(policy.service, 'test.service')
|
|
self.assertEqual(len(policy.policy_rules), 3)
|
|
self.assertEqual(len(policy.policy_rules), 3)
|
|
@@ -628,31 +628,46 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
|
|
tmp_policy_dir + '/test.service')
|
|
tmp_policy_dir + '/test.service')
|
|
self.assertEqual(policy.policy_rules[0].lineno, 1)
|
|
self.assertEqual(policy.policy_rules[0].lineno, 1)
|
|
self.assertEqual(policy.policy_rules[1].source, 'test-vm3')
|
|
self.assertEqual(policy.policy_rules[1].source, 'test-vm3')
|
|
- self.assertEqual(policy.policy_rules[1].target, '$default')
|
|
|
|
|
|
+ self.assertEqual(policy.policy_rules[1].target, '@default')
|
|
self.assertEqual(policy.policy_rules[1].action,
|
|
self.assertEqual(policy.policy_rules[1].action,
|
|
qubespolicy.Action.allow)
|
|
qubespolicy.Action.allow)
|
|
self.assertEqual(policy.policy_rules[1].filename,
|
|
self.assertEqual(policy.policy_rules[1].filename,
|
|
tmp_policy_dir + '/test.service2')
|
|
tmp_policy_dir + '/test.service2')
|
|
self.assertEqual(policy.policy_rules[1].lineno, 1)
|
|
self.assertEqual(policy.policy_rules[1].lineno, 1)
|
|
- self.assertEqual(policy.policy_rules[2].source, '$anyvm')
|
|
|
|
- self.assertEqual(policy.policy_rules[2].target, '$anyvm')
|
|
|
|
|
|
+ self.assertEqual(policy.policy_rules[2].source, '@anyvm')
|
|
|
|
+ self.assertEqual(policy.policy_rules[2].target, '@anyvm')
|
|
self.assertEqual(policy.policy_rules[2].action,
|
|
self.assertEqual(policy.policy_rules[2].action,
|
|
qubespolicy.Action.deny)
|
|
qubespolicy.Action.deny)
|
|
self.assertEqual(policy.policy_rules[2].filename,
|
|
self.assertEqual(policy.policy_rules[2].filename,
|
|
tmp_policy_dir + '/test.service')
|
|
tmp_policy_dir + '/test.service')
|
|
self.assertEqual(policy.policy_rules[2].lineno, 3)
|
|
self.assertEqual(policy.policy_rules[2].lineno, 3)
|
|
|
|
|
|
|
|
+ def test_003_load_convert(self):
|
|
|
|
+ with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
|
|
+ f.write('test-vm2 test-vm3 ask\n')
|
|
|
|
+ f.write(' # comment \n')
|
|
|
|
+ f.write('$anyvm $dispvm ask,default_target=$dispvm\n')
|
|
|
|
+ policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
|
|
+ self.assertEqual(policy.service, 'test.service')
|
|
|
|
+ self.assertEqual(len(policy.policy_rules), 2)
|
|
|
|
+ self.assertEqual(policy.policy_rules[1].source, '@anyvm')
|
|
|
|
+ self.assertEqual(policy.policy_rules[1].target, '@dispvm')
|
|
|
|
+ self.assertEqual(policy.policy_rules[1].action,
|
|
|
|
+ qubespolicy.Action.ask)
|
|
|
|
+ self.assertEqual(policy.policy_rules[1].default_target,
|
|
|
|
+ '@dispvm')
|
|
|
|
+
|
|
def test_010_find_rule(self):
|
|
def test_010_find_rule(self):
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
- f.write('test-vm1 $anyvm ask\n')
|
|
|
|
- f.write('test-vm2 $tag:tag1 deny\n')
|
|
|
|
- f.write('test-vm2 $tag:tag2 allow\n')
|
|
|
|
- f.write('test-vm2 $dispvm:$tag:tag3 allow\n')
|
|
|
|
- f.write('test-vm2 $dispvm:$tag:tag2 allow\n')
|
|
|
|
- f.write('test-vm2 $dispvm:default-dvm allow\n')
|
|
|
|
- f.write('$type:AppVM $default allow,target=test-vm3\n')
|
|
|
|
- f.write('$tag:tag1 $type:AppVM allow\n')
|
|
|
|
|
|
+ f.write('test-vm1 @anyvm ask\n')
|
|
|
|
+ f.write('test-vm2 @tag:tag1 deny\n')
|
|
|
|
+ f.write('test-vm2 @tag:tag2 allow\n')
|
|
|
|
+ f.write('test-vm2 @dispvm:@tag:tag3 allow\n')
|
|
|
|
+ f.write('test-vm2 @dispvm:@tag:tag2 allow\n')
|
|
|
|
+ f.write('test-vm2 @dispvm:default-dvm allow\n')
|
|
|
|
+ f.write('@type:AppVM @default allow,target=test-vm3\n')
|
|
|
|
+ f.write('@tag:tag1 @type:AppVM allow\n')
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
self.assertEqual(policy.find_matching_rule(
|
|
self.assertEqual(policy.find_matching_rule(
|
|
system_info, 'test-vm1', 'test-vm2'), policy.policy_rules[0])
|
|
system_info, 'test-vm1', 'test-vm2'), policy.policy_rules[0])
|
|
@@ -662,47 +677,47 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
|
|
system_info, 'test-vm2', 'test-vm2'), policy.policy_rules[3])
|
|
system_info, 'test-vm2', 'test-vm2'), policy.policy_rules[3])
|
|
self.assertEqual(policy.find_matching_rule(
|
|
self.assertEqual(policy.find_matching_rule(
|
|
system_info, 'test-vm2', 'test-no-dvm'), policy.policy_rules[2])
|
|
system_info, 'test-vm2', 'test-no-dvm'), policy.policy_rules[2])
|
|
- # $anyvm matches $default too
|
|
|
|
|
|
+ # @anyvm matches @default too
|
|
self.assertEqual(policy.find_matching_rule(
|
|
self.assertEqual(policy.find_matching_rule(
|
|
system_info, 'test-vm1', ''), policy.policy_rules[1])
|
|
system_info, 'test-vm1', ''), policy.policy_rules[1])
|
|
self.assertEqual(policy.find_matching_rule(
|
|
self.assertEqual(policy.find_matching_rule(
|
|
system_info, 'test-vm2', ''), policy.policy_rules[7])
|
|
system_info, 'test-vm2', ''), policy.policy_rules[7])
|
|
self.assertEqual(policy.find_matching_rule(
|
|
self.assertEqual(policy.find_matching_rule(
|
|
- system_info, 'test-vm2', '$default'), policy.policy_rules[7])
|
|
|
|
|
|
+ system_info, 'test-vm2', '@default'), policy.policy_rules[7])
|
|
self.assertEqual(policy.find_matching_rule(
|
|
self.assertEqual(policy.find_matching_rule(
|
|
system_info, 'test-no-dvm', 'test-vm3'), policy.policy_rules[8])
|
|
system_info, 'test-no-dvm', 'test-vm3'), policy.policy_rules[8])
|
|
self.assertEqual(policy.find_matching_rule(
|
|
self.assertEqual(policy.find_matching_rule(
|
|
- system_info, 'test-vm2', '$dispvm:test-vm3'),
|
|
|
|
|
|
+ system_info, 'test-vm2', '@dispvm:test-vm3'),
|
|
policy.policy_rules[4])
|
|
policy.policy_rules[4])
|
|
self.assertEqual(policy.find_matching_rule(
|
|
self.assertEqual(policy.find_matching_rule(
|
|
- system_info, 'test-vm2', '$dispvm'),
|
|
|
|
|
|
+ system_info, 'test-vm2', '@dispvm'),
|
|
policy.policy_rules[6])
|
|
policy.policy_rules[6])
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
policy.find_matching_rule(
|
|
policy.find_matching_rule(
|
|
system_info, 'test-no-dvm', 'test-standalone')
|
|
system_info, 'test-no-dvm', 'test-standalone')
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
- policy.find_matching_rule(system_info, 'test-no-dvm', '$dispvm')
|
|
|
|
|
|
+ policy.find_matching_rule(system_info, 'test-no-dvm', '@dispvm')
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
policy.find_matching_rule(
|
|
policy.find_matching_rule(
|
|
- system_info, 'test-standalone', '$default')
|
|
|
|
|
|
+ system_info, 'test-standalone', '@default')
|
|
|
|
|
|
def test_020_collect_targets_for_ask(self):
|
|
def test_020_collect_targets_for_ask(self):
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
- f.write('test-vm1 $anyvm ask\n')
|
|
|
|
- f.write('test-vm2 $tag:tag1 deny\n')
|
|
|
|
- f.write('test-vm2 $tag:tag2 allow\n')
|
|
|
|
- f.write('test-no-dvm $type:AppVM deny\n')
|
|
|
|
- f.write('$type:AppVM $default allow,target=test-vm3\n')
|
|
|
|
- f.write('$tag:tag1 $type:AppVM allow\n')
|
|
|
|
- f.write('test-no-dvm $dispvm allow\n')
|
|
|
|
- f.write('test-standalone $dispvm allow\n')
|
|
|
|
- f.write('test-standalone $adminvm allow\n')
|
|
|
|
|
|
+ f.write('test-vm1 @anyvm ask\n')
|
|
|
|
+ f.write('test-vm2 @tag:tag1 deny\n')
|
|
|
|
+ f.write('test-vm2 @tag:tag2 allow\n')
|
|
|
|
+ f.write('test-no-dvm @type:AppVM deny\n')
|
|
|
|
+ f.write('@type:AppVM @default allow,target=test-vm3\n')
|
|
|
|
+ f.write('@tag:tag1 @type:AppVM allow\n')
|
|
|
|
+ f.write('test-no-dvm @dispvm allow\n')
|
|
|
|
+ f.write('test-standalone @dispvm allow\n')
|
|
|
|
+ f.write('test-standalone @adminvm allow\n')
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
self.assertCountEqual(policy.collect_targets_for_ask(system_info,
|
|
self.assertCountEqual(policy.collect_targets_for_ask(system_info,
|
|
'test-vm1'), ['test-vm1', 'test-vm2', 'test-vm3',
|
|
'test-vm1'), ['test-vm1', 'test-vm2', 'test-vm3',
|
|
- '$dispvm:test-vm3',
|
|
|
|
- 'default-dvm', '$dispvm:default-dvm', 'test-invalid-dvm',
|
|
|
|
|
|
+ '@dispvm:test-vm3',
|
|
|
|
+ 'default-dvm', '@dispvm:default-dvm', 'test-invalid-dvm',
|
|
'test-no-dvm', 'test-template', 'test-standalone'])
|
|
'test-no-dvm', 'test-template', 'test-standalone'])
|
|
self.assertCountEqual(policy.collect_targets_for_ask(system_info,
|
|
self.assertCountEqual(policy.collect_targets_for_ask(system_info,
|
|
'test-vm2'), ['test-vm2', 'test-vm3'])
|
|
'test-vm2'), ['test-vm2', 'test-vm3'])
|
|
@@ -711,7 +726,7 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
|
|
self.assertCountEqual(policy.collect_targets_for_ask(system_info,
|
|
self.assertCountEqual(policy.collect_targets_for_ask(system_info,
|
|
'test-standalone'), ['test-vm1', 'test-vm2', 'test-vm3',
|
|
'test-standalone'), ['test-vm1', 'test-vm2', 'test-vm3',
|
|
'default-dvm', 'test-no-dvm', 'test-invalid-dvm',
|
|
'default-dvm', 'test-no-dvm', 'test-invalid-dvm',
|
|
- '$dispvm:default-dvm', 'dom0'])
|
|
|
|
|
|
+ '@dispvm:default-dvm', 'dom0'])
|
|
self.assertCountEqual(policy.collect_targets_for_ask(system_info,
|
|
self.assertCountEqual(policy.collect_targets_for_ask(system_info,
|
|
'test-no-dvm'), [])
|
|
'test-no-dvm'), [])
|
|
|
|
|
|
@@ -728,37 +743,37 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertIsNone(action.targets_for_ask)
|
|
self.assertIsNone(action.targets_for_ask)
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
- policy.evaluate(system_info, 'test-vm2', '$default')
|
|
|
|
|
|
+ policy.evaluate(system_info, 'test-vm2', '@default')
|
|
|
|
|
|
def test_031_eval_default(self):
|
|
def test_031_eval_default(self):
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
- f.write('test-vm1 $default allow,target=test-vm2\n')
|
|
|
|
- f.write('$tag:tag1 test-vm2 ask\n')
|
|
|
|
- f.write('$tag:tag2 $anyvm allow\n')
|
|
|
|
- f.write('test-vm3 $anyvm deny\n')
|
|
|
|
|
|
+ f.write('test-vm1 @default allow,target=test-vm2\n')
|
|
|
|
+ f.write('@tag:tag1 test-vm2 ask\n')
|
|
|
|
+ f.write('@tag:tag2 @anyvm allow\n')
|
|
|
|
+ f.write('test-vm3 @anyvm deny\n')
|
|
|
|
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
- action = policy.evaluate(system_info, 'test-vm1', '$default')
|
|
|
|
|
|
+ action = policy.evaluate(system_info, 'test-vm1', '@default')
|
|
self.assertEqual(action.rule, policy.policy_rules[1])
|
|
self.assertEqual(action.rule, policy.policy_rules[1])
|
|
self.assertEqual(action.action, qubespolicy.Action.allow)
|
|
self.assertEqual(action.action, qubespolicy.Action.allow)
|
|
self.assertEqual(action.target, 'test-vm2')
|
|
self.assertEqual(action.target, 'test-vm2')
|
|
- self.assertEqual(action.original_target, '$default')
|
|
|
|
|
|
+ self.assertEqual(action.original_target, '@default')
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertIsNone(action.targets_for_ask)
|
|
self.assertIsNone(action.targets_for_ask)
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
# action allow should hit, but no target specified (either by
|
|
# action allow should hit, but no target specified (either by
|
|
# caller or policy)
|
|
# caller or policy)
|
|
- policy.evaluate(system_info, 'test-standalone', '$default')
|
|
|
|
|
|
+ policy.evaluate(system_info, 'test-standalone', '@default')
|
|
|
|
|
|
def test_032_eval_ask(self):
|
|
def test_032_eval_ask(self):
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
- f.write('test-vm1 $default allow,target=test-vm2\n')
|
|
|
|
- f.write('$tag:tag1 test-vm2 ask\n')
|
|
|
|
- f.write('$tag:tag1 test-vm3 ask,default_target=test-vm3\n')
|
|
|
|
- f.write('$tag:tag2 $anyvm allow\n')
|
|
|
|
- f.write('test-vm3 $anyvm deny\n')
|
|
|
|
|
|
+ f.write('test-vm1 @default allow,target=test-vm2\n')
|
|
|
|
+ f.write('@tag:tag1 test-vm2 ask\n')
|
|
|
|
+ f.write('@tag:tag1 test-vm3 ask,default_target=test-vm3\n')
|
|
|
|
+ f.write('@tag:tag2 @anyvm allow\n')
|
|
|
|
+ f.write('test-vm3 @anyvm deny\n')
|
|
|
|
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
action = policy.evaluate(system_info, 'test-standalone', 'test-vm2')
|
|
action = policy.evaluate(system_info, 'test-standalone', 'test-vm2')
|
|
@@ -768,18 +783,18 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
|
|
self.assertEqual(action.original_target, 'test-vm2')
|
|
self.assertEqual(action.original_target, 'test-vm2')
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertCountEqual(action.targets_for_ask,
|
|
self.assertCountEqual(action.targets_for_ask,
|
|
- ['test-vm1', 'test-vm2', 'test-vm3', '$dispvm:test-vm3',
|
|
|
|
- 'default-dvm', '$dispvm:default-dvm', 'test-invalid-dvm',
|
|
|
|
|
|
+ ['test-vm1', 'test-vm2', 'test-vm3', '@dispvm:test-vm3',
|
|
|
|
+ 'default-dvm', '@dispvm:default-dvm', 'test-invalid-dvm',
|
|
'test-no-dvm', 'test-template', 'test-standalone'])
|
|
'test-no-dvm', 'test-template', 'test-standalone'])
|
|
|
|
|
|
def test_033_eval_ask(self):
|
|
def test_033_eval_ask(self):
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
f.write('test-vm1 test-vm2 allow\n')
|
|
- f.write('test-vm1 $default allow,target=test-vm2\n')
|
|
|
|
- f.write('$tag:tag1 test-vm2 ask\n')
|
|
|
|
- f.write('$tag:tag1 test-vm3 ask,default_target=test-vm3\n')
|
|
|
|
- f.write('$tag:tag2 $anyvm allow\n')
|
|
|
|
- f.write('test-vm3 $anyvm deny\n')
|
|
|
|
|
|
+ f.write('test-vm1 @default allow,target=test-vm2\n')
|
|
|
|
+ f.write('@tag:tag1 test-vm2 ask\n')
|
|
|
|
+ f.write('@tag:tag1 test-vm3 ask,default_target=test-vm3\n')
|
|
|
|
+ f.write('@tag:tag2 @anyvm allow\n')
|
|
|
|
+ f.write('test-vm3 @anyvm deny\n')
|
|
|
|
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
action = policy.evaluate(system_info, 'test-standalone', 'test-vm3')
|
|
action = policy.evaluate(system_info, 'test-standalone', 'test-vm3')
|
|
@@ -789,46 +804,46 @@ class TC_20_Policy(qubes.tests.QubesTestCase):
|
|
self.assertEqual(action.original_target, 'test-vm3')
|
|
self.assertEqual(action.original_target, 'test-vm3')
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertCountEqual(action.targets_for_ask,
|
|
self.assertCountEqual(action.targets_for_ask,
|
|
- ['test-vm1', 'test-vm2', 'test-vm3', '$dispvm:test-vm3',
|
|
|
|
- 'default-dvm', '$dispvm:default-dvm', 'test-invalid-dvm',
|
|
|
|
|
|
+ ['test-vm1', 'test-vm2', 'test-vm3', '@dispvm:test-vm3',
|
|
|
|
+ 'default-dvm', '@dispvm:default-dvm', 'test-invalid-dvm',
|
|
'test-no-dvm', 'test-template', 'test-standalone'])
|
|
'test-no-dvm', 'test-template', 'test-standalone'])
|
|
|
|
|
|
def test_034_eval_resolve_dispvm(self):
|
|
def test_034_eval_resolve_dispvm(self):
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
- f.write('test-vm3 $dispvm allow\n')
|
|
|
|
|
|
+ f.write('test-vm3 @dispvm allow\n')
|
|
|
|
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
- action = policy.evaluate(system_info, 'test-vm3', '$dispvm')
|
|
|
|
|
|
+ action = policy.evaluate(system_info, 'test-vm3', '@dispvm')
|
|
self.assertEqual(action.rule, policy.policy_rules[0])
|
|
self.assertEqual(action.rule, policy.policy_rules[0])
|
|
self.assertEqual(action.action, qubespolicy.Action.allow)
|
|
self.assertEqual(action.action, qubespolicy.Action.allow)
|
|
- self.assertEqual(action.target, '$dispvm:default-dvm')
|
|
|
|
- self.assertEqual(action.original_target, '$dispvm')
|
|
|
|
|
|
+ self.assertEqual(action.target, '@dispvm:default-dvm')
|
|
|
|
+ self.assertEqual(action.original_target, '@dispvm')
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertEqual(action.service, 'test.service')
|
|
self.assertIsNone(action.targets_for_ask)
|
|
self.assertIsNone(action.targets_for_ask)
|
|
|
|
|
|
def test_035_eval_resolve_dispvm_fail(self):
|
|
def test_035_eval_resolve_dispvm_fail(self):
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
- f.write('test-no-dvm $dispvm allow\n')
|
|
|
|
|
|
+ f.write('test-no-dvm @dispvm allow\n')
|
|
|
|
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
- policy.evaluate(system_info, 'test-no-dvm', '$dispvm')
|
|
|
|
|
|
+ policy.evaluate(system_info, 'test-no-dvm', '@dispvm')
|
|
|
|
|
|
def test_036_eval_invalid_override_target(self):
|
|
def test_036_eval_invalid_override_target(self):
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
- f.write('test-vm3 $anyvm allow,target=no-such-vm\n')
|
|
|
|
|
|
+ f.write('test-vm3 @anyvm allow,target=no-such-vm\n')
|
|
|
|
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
- policy.evaluate(system_info, 'test-vm3', '$default')
|
|
|
|
|
|
+ policy.evaluate(system_info, 'test-vm3', '@default')
|
|
|
|
|
|
def test_037_eval_ask_no_targets(self):
|
|
def test_037_eval_ask_no_targets(self):
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
|
|
- f.write('test-vm3 $default ask\n')
|
|
|
|
|
|
+ f.write('test-vm3 @default ask\n')
|
|
|
|
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
policy = qubespolicy.Policy('test.service', tmp_policy_dir)
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
with self.assertRaises(qubespolicy.AccessDenied):
|
|
- policy.evaluate(system_info, 'test-vm3', '$default')
|
|
|
|
|
|
+ policy.evaluate(system_info, 'test-vm3', '@default')
|
|
|
|
|
|
|
|
|
|
class TC_30_Misc(qubes.tests.QubesTestCase):
|
|
class TC_30_Misc(qubes.tests.QubesTestCase):
|