__init__.py 39 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823
  1. # -*- encoding: utf8 -*-
  2. #
  3. # The Qubes OS Project, http://www.qubes-os.org
  4. #
  5. # Copyright (C) 2017 Marek Marczykowski-Górecki
  6. # <marmarek@invisiblethingslab.com>
  7. #
  8. # This program is free software; you can redistribute it and/or modify
  9. # it under the terms of the GNU General Public License as published by
  10. # the Free Software Foundation; either version 2 of the License, or
  11. # (at your option) any later version.
  12. #
  13. # This program is distributed in the hope that it will be useful,
  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. # GNU General Public License for more details.
  17. #
  18. # You should have received a copy of the GNU General Public License along
  19. # with this program; if not, see <http://www.gnu.org/licenses/>.
  20. import os
  21. import socket
  22. import unittest.mock
  23. import shutil
  24. import qubes.tests
  25. import qubespolicy
  26. tmp_policy_dir = '/tmp/policy'
  27. system_info = {
  28. 'domains': {
  29. 'dom0': {
  30. 'tags': ['dom0-tag'],
  31. 'type': 'AdminVM',
  32. 'default_dispvm': 'default-dvm',
  33. 'dispvm_allowed': False,
  34. },
  35. 'test-vm1': {
  36. 'tags': ['tag1', 'tag2'],
  37. 'type': 'AppVM',
  38. 'default_dispvm': 'default-dvm',
  39. 'dispvm_allowed': False,
  40. },
  41. 'test-vm2': {
  42. 'tags': ['tag2'],
  43. 'type': 'AppVM',
  44. 'default_dispvm': 'default-dvm',
  45. 'dispvm_allowed': False,
  46. },
  47. 'test-vm3': {
  48. 'tags': [],
  49. 'type': 'AppVM',
  50. 'default_dispvm': 'default-dvm',
  51. 'dispvm_allowed': True,
  52. },
  53. 'default-dvm': {
  54. 'tags': [],
  55. 'type': 'AppVM',
  56. 'default_dispvm': 'default-dvm',
  57. 'dispvm_allowed': True,
  58. },
  59. 'test-invalid-dvm': {
  60. 'tags': ['tag1', 'tag2'],
  61. 'type': 'AppVM',
  62. 'default_dispvm': 'test-vm1',
  63. 'dispvm_allowed': False,
  64. },
  65. 'test-no-dvm': {
  66. 'tags': ['tag1', 'tag2'],
  67. 'type': 'AppVM',
  68. 'default_dispvm': None,
  69. 'dispvm_allowed': False,
  70. },
  71. 'test-template': {
  72. 'tags': ['tag1', 'tag2'],
  73. 'type': 'TemplateVM',
  74. 'default_dispvm': 'default-dvm',
  75. 'dispvm_allowed': False,
  76. },
  77. 'test-standalone': {
  78. 'tags': ['tag1', 'tag2'],
  79. 'type': 'StandaloneVM',
  80. 'default_dispvm': 'default-dvm',
  81. 'dispvm_allowed': False,
  82. },
  83. }
  84. }
  85. class TC_00_PolicyRule(qubes.tests.QubesTestCase):
  86. def test_000_verify_target_value(self):
  87. self.assertTrue(
  88. qubespolicy.verify_target_value(system_info, 'test-vm1'))
  89. self.assertTrue(
  90. qubespolicy.verify_target_value(system_info, 'default-dvm'))
  91. self.assertTrue(
  92. qubespolicy.verify_target_value(system_info, '$dispvm'))
  93. self.assertTrue(
  94. qubespolicy.verify_target_value(system_info, '$dispvm:default-dvm'))
  95. self.assertTrue(
  96. qubespolicy.verify_target_value(system_info, 'test-template'))
  97. self.assertTrue(
  98. qubespolicy.verify_target_value(system_info, 'test-standalone'))
  99. self.assertTrue(
  100. qubespolicy.verify_target_value(system_info, '$adminvm'))
  101. self.assertFalse(
  102. qubespolicy.verify_target_value(system_info, 'no-such-vm'))
  103. self.assertFalse(
  104. qubespolicy.verify_target_value(system_info,
  105. '$dispvm:test-invalid-dvm'))
  106. self.assertFalse(
  107. qubespolicy.verify_target_value(system_info, '$dispvm:test-vm1'))
  108. self.assertFalse(
  109. qubespolicy.verify_target_value(system_info, ''))
  110. self.assertFalse(
  111. qubespolicy.verify_target_value(system_info, '$default'))
  112. self.assertFalse(
  113. qubespolicy.verify_target_value(system_info, '$anyvm'))
  114. self.assertFalse(
  115. qubespolicy.verify_target_value(system_info, '$tag:tag1'))
  116. self.assertFalse(
  117. qubespolicy.verify_target_value(system_info, '$invalid'))
  118. def test_010_verify_special_value(self):
  119. self.assertTrue(qubespolicy.verify_special_value('$tag:tag',
  120. for_target=False))
  121. self.assertTrue(qubespolicy.verify_special_value('$tag:other-tag',
  122. for_target=False))
  123. self.assertTrue(qubespolicy.verify_special_value('$type:AppVM',
  124. for_target=False))
  125. self.assertTrue(qubespolicy.verify_special_value('$adminvm',
  126. for_target=False))
  127. self.assertFalse(qubespolicy.verify_special_value('$default',
  128. for_target=False))
  129. self.assertFalse(qubespolicy.verify_special_value('$dispvm',
  130. for_target=False))
  131. self.assertFalse(qubespolicy.verify_special_value('$dispvm:some-vm',
  132. for_target=False))
  133. self.assertFalse(qubespolicy.verify_special_value('$invalid',
  134. for_target=False))
  135. self.assertFalse(qubespolicy.verify_special_value('vm-name',
  136. for_target=False))
  137. self.assertFalse(qubespolicy.verify_special_value('$tag:',
  138. for_target=False))
  139. self.assertFalse(qubespolicy.verify_special_value('$type:',
  140. for_target=False))
  141. def test_020_line_simple(self):
  142. line = qubespolicy.PolicyRule('$anyvm $anyvm ask', 'filename', 12)
  143. self.assertEqual(line.filename, 'filename')
  144. self.assertEqual(line.lineno, 12)
  145. self.assertEqual(line.action, qubespolicy.Action.ask)
  146. self.assertEqual(line.source, '$anyvm')
  147. self.assertEqual(line.target, '$anyvm')
  148. self.assertEqual(line.full_action, 'ask')
  149. self.assertIsNone(line.override_target)
  150. self.assertIsNone(line.override_user)
  151. self.assertIsNone(line.default_target)
  152. def test_021_line_simple(self):
  153. # also check spaces in action field
  154. line = qubespolicy.PolicyRule(
  155. '$tag:tag1 $type:AppVM ask, target=test-vm2, user=user',
  156. 'filename', 12)
  157. self.assertEqual(line.filename, 'filename')
  158. self.assertEqual(line.lineno, 12)
  159. self.assertEqual(line.action, qubespolicy.Action.ask)
  160. self.assertEqual(line.source, '$tag:tag1')
  161. self.assertEqual(line.target, '$type:AppVM')
  162. self.assertEqual(line.full_action, 'ask, target=test-vm2, user=user')
  163. self.assertEqual(line.override_target, 'test-vm2')
  164. self.assertEqual(line.override_user, 'user')
  165. self.assertIsNone(line.default_target)
  166. def test_022_line_simple(self):
  167. line = qubespolicy.PolicyRule(
  168. '$anyvm $default allow,target=$dispvm:test-vm2',
  169. 'filename', 12)
  170. self.assertEqual(line.filename, 'filename')
  171. self.assertEqual(line.lineno, 12)
  172. self.assertEqual(line.action, qubespolicy.Action.allow)
  173. self.assertEqual(line.source, '$anyvm')
  174. self.assertEqual(line.target, '$default')
  175. self.assertEqual(line.full_action, 'allow,target=$dispvm:test-vm2')
  176. self.assertEqual(line.override_target, '$dispvm:test-vm2')
  177. self.assertIsNone(line.override_user)
  178. self.assertIsNone(line.default_target)
  179. def test_023_line_simple(self):
  180. line = qubespolicy.PolicyRule(
  181. '$anyvm $default ask,default_target=test-vm1',
  182. 'filename', 12)
  183. self.assertEqual(line.filename, 'filename')
  184. self.assertEqual(line.lineno, 12)
  185. self.assertEqual(line.action, qubespolicy.Action.ask)
  186. self.assertEqual(line.source, '$anyvm')
  187. self.assertEqual(line.target, '$default')
  188. self.assertEqual(line.full_action, 'ask,default_target=test-vm1')
  189. self.assertIsNone(line.override_target)
  190. self.assertIsNone(line.override_user)
  191. self.assertEqual(line.default_target, 'test-vm1')
  192. def test_024_line_simple(self):
  193. line = qubespolicy.PolicyRule(
  194. '$anyvm $adminvm ask,default_target=$adminvm',
  195. 'filename', 12)
  196. self.assertEqual(line.filename, 'filename')
  197. self.assertEqual(line.lineno, 12)
  198. self.assertEqual(line.action, qubespolicy.Action.ask)
  199. self.assertEqual(line.source, '$anyvm')
  200. self.assertEqual(line.target, '$adminvm')
  201. self.assertEqual(line.full_action, 'ask,default_target=$adminvm')
  202. self.assertIsNone(line.override_target)
  203. self.assertIsNone(line.override_user)
  204. self.assertEqual(line.default_target, '$adminvm')
  205. def test_030_line_invalid(self):
  206. invalid_lines = [
  207. '$dispvm $default allow', # $dispvm can't be a source
  208. '$default $default allow', # $default can't be a source
  209. '$anyvm $default deny,target=test-vm1', # target= used with deny
  210. '$anyvm $anyvm deny,default_target=test-vm1', # default_target=
  211. # with deny
  212. '$anyvm $anyvm deny,user=user', # user= with deny
  213. '$anyvm $anyvm invalid', # invalid action
  214. '$anyvm $anyvm allow,invalid=xx', # invalid option
  215. '$anyvm $anyvm', # missing action
  216. '$anyvm $anyvm allow,default_target=test-vm1', # default_target=
  217. # with allow
  218. '$invalid $anyvm allow', # invalid source
  219. '$anyvm $invalid deny', # invalid target
  220. '', # empty line
  221. '$anyvm $anyvm allow extra', # trailing words
  222. '$anyvm $default allow', # $default allow without target=
  223. ]
  224. for line in invalid_lines:
  225. with self.subTest(line):
  226. with self.assertRaises(qubespolicy.PolicySyntaxError):
  227. qubespolicy.PolicyRule(line, 'filename', 12)
  228. def test_040_match_single(self):
  229. is_match_single = qubespolicy.PolicyRule.is_match_single
  230. self.assertTrue(is_match_single(system_info, '$anyvm', 'test-vm1'))
  231. self.assertTrue(is_match_single(system_info, '$anyvm', '$default'))
  232. self.assertTrue(is_match_single(system_info, '$anyvm', ''))
  233. self.assertTrue(is_match_single(system_info, '$default', ''))
  234. self.assertTrue(is_match_single(system_info, '$default', '$default'))
  235. self.assertTrue(is_match_single(system_info, '$tag:tag1', 'test-vm1'))
  236. self.assertTrue(is_match_single(system_info, '$type:AppVM', 'test-vm1'))
  237. self.assertTrue(is_match_single(system_info,
  238. '$type:TemplateVM', 'test-template'))
  239. self.assertTrue(is_match_single(system_info, '$anyvm', '$dispvm'))
  240. self.assertTrue(is_match_single(system_info,
  241. '$anyvm', '$dispvm:default-dvm'))
  242. self.assertTrue(is_match_single(system_info, '$dispvm', '$dispvm'))
  243. self.assertTrue(is_match_single(system_info, '$adminvm', '$adminvm'))
  244. self.assertTrue(is_match_single(system_info, '$adminvm', 'dom0'))
  245. self.assertTrue(is_match_single(system_info, 'dom0', '$adminvm'))
  246. self.assertTrue(is_match_single(system_info, 'dom0', 'dom0'))
  247. self.assertTrue(is_match_single(system_info,
  248. '$dispvm:default-dvm', '$dispvm:default-dvm'))
  249. self.assertTrue(is_match_single(system_info, '$anyvm', '$dispvm'))
  250. self.assertTrue(is_match_single(system_info, '$anyvm', 'test-vm1'))
  251. self.assertTrue(is_match_single(system_info, '$anyvm', 'test-vm1'))
  252. self.assertTrue(is_match_single(system_info, '$anyvm', 'test-vm1'))
  253. self.assertFalse(is_match_single(system_info, '$default', 'test-vm1'))
  254. self.assertFalse(is_match_single(system_info, '$tag:tag1', 'test-vm3'))
  255. self.assertFalse(is_match_single(system_info, '$anyvm', 'no-such-vm'))
  256. # test-vm1.dispvm_allowed=False
  257. self.assertFalse(is_match_single(system_info,
  258. '$anyvm', '$dispvm:test-vm1'))
  259. # test-vm1.dispvm_allowed=False
  260. self.assertFalse(is_match_single(system_info,
  261. '$dispvm:test-vm1', '$dispvm:test-vm1'))
  262. self.assertFalse(is_match_single(system_info, '$anyvm', 'dom0'))
  263. self.assertFalse(is_match_single(system_info, '$anyvm', '$adminvm'))
  264. self.assertFalse(is_match_single(system_info,
  265. '$tag:dom0-tag', '$adminvm'))
  266. self.assertFalse(is_match_single(system_info,
  267. '$type:AdminVM', '$adminvm'))
  268. self.assertFalse(is_match_single(system_info,
  269. '$tag:dom0-tag', 'dom0'))
  270. self.assertFalse(is_match_single(system_info,
  271. '$type:AdminVM', 'dom0'))
  272. self.assertFalse(is_match_single(system_info, '$tag:tag1', 'dom0'))
  273. self.assertFalse(is_match_single(system_info, '$anyvm', '$tag:tag1'))
  274. self.assertFalse(is_match_single(system_info, '$anyvm', '$type:AppVM'))
  275. self.assertFalse(is_match_single(system_info, '$anyvm', '$invalid'))
  276. self.assertFalse(is_match_single(system_info, '$invalid', '$invalid'))
  277. self.assertFalse(is_match_single(system_info, '$anyvm', 'no-such-vm'))
  278. self.assertFalse(is_match_single(system_info,
  279. 'no-such-vm', 'no-such-vm'))
  280. self.assertFalse(is_match_single(system_info, '$dispvm', 'test-vm1'))
  281. self.assertFalse(is_match_single(system_info, '$dispvm', 'default-dvm'))
  282. self.assertFalse(is_match_single(system_info,
  283. '$dispvm:default-dvm', 'default-dvm'))
  284. self.assertFalse(is_match_single(system_info, '$anyvm', 'test-vm1\n'))
  285. self.assertFalse(is_match_single(system_info, '$anyvm', 'test-vm1 '))
  286. def test_050_match(self):
  287. line = qubespolicy.PolicyRule('$anyvm $anyvm allow')
  288. self.assertTrue(line.is_match(system_info, 'test-vm1', 'test-vm2'))
  289. line = qubespolicy.PolicyRule('$anyvm $anyvm allow')
  290. self.assertFalse(line.is_match(system_info, 'no-such-vm', 'test-vm2'))
  291. line = qubespolicy.PolicyRule('$anyvm $anyvm allow')
  292. self.assertFalse(line.is_match(system_info, 'test-vm1', 'no-such-vm'))
  293. def test_060_expand_target(self):
  294. lines = {
  295. '$anyvm $anyvm allow': ['test-vm1', 'test-vm2', 'test-vm3',
  296. '$dispvm:test-vm3',
  297. 'default-dvm', '$dispvm:default-dvm', 'test-invalid-dvm',
  298. 'test-no-dvm', 'test-template', 'test-standalone', '$dispvm'],
  299. '$anyvm $dispvm allow': ['$dispvm'],
  300. '$anyvm $dispvm:default-dvm allow': ['$dispvm:default-dvm'],
  301. # no DispVM from test-vm1 allowed
  302. '$anyvm $dispvm:test-vm1 allow': [],
  303. '$anyvm test-vm1 allow': ['test-vm1'],
  304. '$anyvm $type:AppVM allow': ['test-vm1', 'test-vm2', 'test-vm3',
  305. 'default-dvm', 'test-invalid-dvm', 'test-no-dvm'],
  306. '$anyvm $type:TemplateVM allow': ['test-template'],
  307. '$anyvm $tag:tag1 allow': ['test-vm1', 'test-invalid-dvm',
  308. 'test-template', 'test-standalone', 'test-no-dvm'],
  309. '$anyvm $tag:tag2 allow': ['test-vm1', 'test-vm2',
  310. 'test-invalid-dvm', 'test-template', 'test-standalone',
  311. 'test-no-dvm'],
  312. '$anyvm $tag:no-such-tag allow': [],
  313. }
  314. for line in lines:
  315. with self.subTest(line):
  316. policy_line = qubespolicy.PolicyRule(line)
  317. self.assertCountEqual(list(policy_line.expand_target(system_info)),
  318. lines[line])
  319. def test_070_expand_override_target(self):
  320. line = qubespolicy.PolicyRule(
  321. '$anyvm $anyvm allow,target=test-vm2')
  322. self.assertEqual(
  323. line.expand_override_target(system_info, 'test-vm1'),
  324. 'test-vm2')
  325. def test_071_expand_override_target_dispvm(self):
  326. line = qubespolicy.PolicyRule(
  327. '$anyvm $anyvm allow,target=$dispvm')
  328. self.assertEqual(
  329. line.expand_override_target(system_info, 'test-vm1'),
  330. '$dispvm:default-dvm')
  331. def test_072_expand_override_target_dispvm_specific(self):
  332. line = qubespolicy.PolicyRule(
  333. '$anyvm $anyvm allow,target=$dispvm:test-vm3')
  334. self.assertEqual(
  335. line.expand_override_target(system_info, 'test-vm1'),
  336. '$dispvm:test-vm3')
  337. def test_073_expand_override_target_dispvm_none(self):
  338. line = qubespolicy.PolicyRule(
  339. '$anyvm $anyvm allow,target=$dispvm')
  340. self.assertEqual(
  341. line.expand_override_target(system_info, 'test-no-dvm'),
  342. None)
  343. def test_074_expand_override_target_dom0(self):
  344. line = qubespolicy.PolicyRule(
  345. '$anyvm $anyvm allow,target=dom0')
  346. self.assertEqual(
  347. line.expand_override_target(system_info, 'test-no-dvm'),
  348. 'dom0')
  349. def test_075_expand_override_target_dom0(self):
  350. line = qubespolicy.PolicyRule(
  351. '$anyvm $anyvm allow,target=$adminvm')
  352. self.assertEqual(
  353. line.expand_override_target(system_info, 'test-no-dvm'),
  354. '$adminvm')
  355. class TC_10_PolicyAction(qubes.tests.QubesTestCase):
  356. def test_000_init(self):
  357. rule = qubespolicy.PolicyRule('$anyvm $anyvm deny')
  358. with self.assertRaises(qubespolicy.AccessDenied):
  359. qubespolicy.PolicyAction('test.service', 'test-vm1', 'test-vm2',
  360. rule, 'test-vm2')
  361. def test_001_init(self):
  362. rule = qubespolicy.PolicyRule('$anyvm $anyvm ask')
  363. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  364. None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
  365. self.assertEqual(action.service, 'test.service')
  366. self.assertEqual(action.source, 'test-vm1')
  367. self.assertIsNone(action.target)
  368. self.assertEqual(action.original_target, 'test-vm2')
  369. self.assertEqual(action.targets_for_ask, ['test-vm2', 'test-vm3'])
  370. self.assertEqual(action.rule, rule)
  371. self.assertEqual(action.action, qubespolicy.Action.ask)
  372. def test_002_init_invalid(self):
  373. rule_ask = qubespolicy.PolicyRule('$anyvm $anyvm ask')
  374. rule_allow = qubespolicy.PolicyRule('$anyvm $anyvm allow')
  375. with self.assertRaises(AssertionError):
  376. qubespolicy.PolicyAction('test.service', 'test-vm1',
  377. None, rule_allow, 'test-vm2', None)
  378. with self.assertRaises(AssertionError):
  379. qubespolicy.PolicyAction('test.service', 'test-vm1',
  380. 'test-vm2', rule_allow, 'test-vm2', ['test-vm2', 'test-vm3'])
  381. with self.assertRaises(AssertionError):
  382. qubespolicy.PolicyAction('test.service', 'test-vm1',
  383. None, rule_ask, 'test-vm2', None)
  384. def test_003_init_default_target(self):
  385. rule_ask = qubespolicy.PolicyRule('$anyvm $anyvm ask')
  386. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  387. 'test-vm1', rule_ask, 'test-vm2', ['test-vm2'])
  388. self.assertIsNone(action.target)
  389. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  390. 'test-vm2', rule_ask, 'test-vm2', ['test-vm2'])
  391. self.assertEqual(action.target, 'test-vm2')
  392. def test_010_handle_user_response(self):
  393. rule = qubespolicy.PolicyRule('$anyvm $anyvm ask')
  394. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  395. None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
  396. action.handle_user_response(True, 'test-vm2')
  397. self.assertEqual(action.action, qubespolicy.Action.allow)
  398. self.assertEqual(action.target, 'test-vm2')
  399. def test_011_handle_user_response(self):
  400. rule = qubespolicy.PolicyRule('$anyvm $anyvm ask')
  401. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  402. None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
  403. with self.assertRaises(AssertionError):
  404. action.handle_user_response(True, 'test-no-dvm')
  405. def test_012_handle_user_response(self):
  406. rule = qubespolicy.PolicyRule('$anyvm $anyvm ask')
  407. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  408. None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
  409. with self.assertRaises(qubespolicy.AccessDenied):
  410. action.handle_user_response(False, None)
  411. self.assertEqual(action.action, qubespolicy.Action.deny)
  412. def test_013_handle_user_response_with_default_target(self):
  413. rule = qubespolicy.PolicyRule(
  414. '$anyvm $anyvm ask,default_target=test-vm2')
  415. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  416. None, rule, 'test-vm2', ['test-vm2', 'test-vm3'])
  417. action.handle_user_response(True, 'test-vm2')
  418. self.assertEqual(action.action, qubespolicy.Action.allow)
  419. self.assertEqual(action.target, 'test-vm2')
  420. @unittest.mock.patch('qubespolicy.qubesd_call')
  421. @unittest.mock.patch('subprocess.call')
  422. def test_020_execute(self, mock_subprocess, mock_qubesd_call):
  423. rule = qubespolicy.PolicyRule('$anyvm $anyvm allow')
  424. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  425. 'test-vm2', rule, 'test-vm2')
  426. action.execute('some-ident')
  427. self.assertEqual(mock_qubesd_call.mock_calls,
  428. [unittest.mock.call('test-vm2', 'admin.vm.Start')])
  429. self.assertEqual(mock_subprocess.mock_calls,
  430. [unittest.mock.call([qubespolicy.QREXEC_CLIENT, '-d', 'test-vm2',
  431. '-c', 'some-ident', 'DEFAULT:QUBESRPC test.service test-vm1'])])
  432. @unittest.mock.patch('qubespolicy.qubesd_call')
  433. @unittest.mock.patch('subprocess.call')
  434. def test_021_execute_dom0(self, mock_subprocess, mock_qubesd_call):
  435. rule = qubespolicy.PolicyRule('$anyvm dom0 allow')
  436. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  437. 'dom0', rule, 'dom0')
  438. action.execute('some-ident')
  439. self.assertEqual(mock_qubesd_call.mock_calls, [])
  440. self.assertEqual(mock_subprocess.mock_calls,
  441. [unittest.mock.call([qubespolicy.QREXEC_CLIENT, '-d', 'dom0',
  442. '-c', 'some-ident',
  443. qubespolicy.QUBES_RPC_MULTIPLEXER_PATH +
  444. ' test.service test-vm1 dom0'])])
  445. @unittest.mock.patch('qubespolicy.qubesd_call')
  446. @unittest.mock.patch('subprocess.call')
  447. def test_022_execute_dispvm(self, mock_subprocess, mock_qubesd_call):
  448. rule = qubespolicy.PolicyRule('$anyvm $dispvm:default-dvm allow')
  449. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  450. '$dispvm:default-dvm', rule, '$dispvm:default-dvm')
  451. mock_qubesd_call.side_effect = (lambda target, call:
  452. b'dispvm-name' if call == 'admin.vm.CreateDisposable' else
  453. unittest.mock.DEFAULT)
  454. action.execute('some-ident')
  455. self.assertEqual(mock_qubesd_call.mock_calls,
  456. [unittest.mock.call('default-dvm', 'admin.vm.CreateDisposable'),
  457. unittest.mock.call('dispvm-name', 'admin.vm.Start'),
  458. unittest.mock.call('dispvm-name', 'admin.vm.Kill')])
  459. self.assertEqual(mock_subprocess.mock_calls,
  460. [unittest.mock.call([qubespolicy.QREXEC_CLIENT, '-d', 'dispvm-name',
  461. '-c', 'some-ident', '-W',
  462. 'DEFAULT:QUBESRPC test.service test-vm1'])])
  463. @unittest.mock.patch('qubespolicy.qubesd_call')
  464. @unittest.mock.patch('subprocess.call')
  465. def test_023_execute_already_running(self, mock_subprocess,
  466. mock_qubesd_call):
  467. rule = qubespolicy.PolicyRule('$anyvm $anyvm allow')
  468. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  469. 'test-vm2', rule, 'test-vm2')
  470. mock_qubesd_call.side_effect = \
  471. qubespolicy.QubesMgmtException('QubesVMNotHaltedError')
  472. action.execute('some-ident')
  473. self.assertEqual(mock_qubesd_call.mock_calls,
  474. [unittest.mock.call('test-vm2', 'admin.vm.Start')])
  475. self.assertEqual(mock_subprocess.mock_calls,
  476. [unittest.mock.call([qubespolicy.QREXEC_CLIENT, '-d', 'test-vm2',
  477. '-c', 'some-ident', 'DEFAULT:QUBESRPC test.service test-vm1'])])
  478. @unittest.mock.patch('qubespolicy.qubesd_call')
  479. @unittest.mock.patch('subprocess.call')
  480. def test_024_execute_startup_error(self, mock_subprocess,
  481. mock_qubesd_call):
  482. rule = qubespolicy.PolicyRule('$anyvm $anyvm allow')
  483. action = qubespolicy.PolicyAction('test.service', 'test-vm1',
  484. 'test-vm2', rule, 'test-vm2')
  485. mock_qubesd_call.side_effect = \
  486. qubespolicy.QubesMgmtException('QubesVMError')
  487. with self.assertRaises(qubespolicy.QubesMgmtException):
  488. action.execute('some-ident')
  489. self.assertEqual(mock_qubesd_call.mock_calls,
  490. [unittest.mock.call('test-vm2', 'admin.vm.Start')])
  491. self.assertEqual(mock_subprocess.mock_calls, [])
  492. class TC_20_Policy(qubes.tests.QubesTestCase):
  493. def setUp(self):
  494. super(TC_20_Policy, self).setUp()
  495. if not os.path.exists(tmp_policy_dir):
  496. os.mkdir(tmp_policy_dir)
  497. def tearDown(self):
  498. shutil.rmtree(tmp_policy_dir)
  499. super(TC_20_Policy, self).tearDown()
  500. def test_000_load(self):
  501. with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
  502. f.write('test-vm1 test-vm2 allow\n')
  503. f.write('\n')
  504. f.write('# comment\n')
  505. f.write('test-vm2 test-vm3 ask\n')
  506. f.write(' # comment \n')
  507. f.write('$anyvm $anyvm ask\n')
  508. policy = qubespolicy.Policy('test.service', tmp_policy_dir)
  509. self.assertEqual(policy.service, 'test.service')
  510. self.assertEqual(len(policy.policy_rules), 3)
  511. self.assertEqual(policy.policy_rules[0].source, 'test-vm1')
  512. self.assertEqual(policy.policy_rules[0].target, 'test-vm2')
  513. self.assertEqual(policy.policy_rules[0].action,
  514. qubespolicy.Action.allow)
  515. def test_001_not_existent(self):
  516. with self.assertRaises(qubespolicy.AccessDenied):
  517. qubespolicy.Policy('no-such.service', tmp_policy_dir)
  518. def test_002_include(self):
  519. with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
  520. f.write('test-vm1 test-vm2 allow\n')
  521. f.write('$include:test.service2\n')
  522. f.write('$anyvm $anyvm deny\n')
  523. with open(os.path.join(tmp_policy_dir, 'test.service2'), 'w') as f:
  524. f.write('test-vm3 $default allow,target=test-vm2\n')
  525. policy = qubespolicy.Policy('test.service', tmp_policy_dir)
  526. self.assertEqual(policy.service, 'test.service')
  527. self.assertEqual(len(policy.policy_rules), 3)
  528. self.assertEqual(policy.policy_rules[0].source, 'test-vm1')
  529. self.assertEqual(policy.policy_rules[0].target, 'test-vm2')
  530. self.assertEqual(policy.policy_rules[0].action,
  531. qubespolicy.Action.allow)
  532. self.assertEqual(policy.policy_rules[0].filename,
  533. tmp_policy_dir + '/test.service')
  534. self.assertEqual(policy.policy_rules[0].lineno, 1)
  535. self.assertEqual(policy.policy_rules[1].source, 'test-vm3')
  536. self.assertEqual(policy.policy_rules[1].target, '$default')
  537. self.assertEqual(policy.policy_rules[1].action,
  538. qubespolicy.Action.allow)
  539. self.assertEqual(policy.policy_rules[1].filename,
  540. tmp_policy_dir + '/test.service2')
  541. self.assertEqual(policy.policy_rules[1].lineno, 1)
  542. self.assertEqual(policy.policy_rules[2].source, '$anyvm')
  543. self.assertEqual(policy.policy_rules[2].target, '$anyvm')
  544. self.assertEqual(policy.policy_rules[2].action,
  545. qubespolicy.Action.deny)
  546. self.assertEqual(policy.policy_rules[2].filename,
  547. tmp_policy_dir + '/test.service')
  548. self.assertEqual(policy.policy_rules[2].lineno, 3)
  549. def test_010_find_rule(self):
  550. with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
  551. f.write('test-vm1 test-vm2 allow\n')
  552. f.write('test-vm1 $anyvm ask\n')
  553. f.write('test-vm2 $tag:tag1 deny\n')
  554. f.write('test-vm2 $tag:tag2 allow\n')
  555. f.write('$type:AppVM $default allow,target=test-vm3\n')
  556. f.write('$tag:tag1 $type:AppVM allow\n')
  557. policy = qubespolicy.Policy('test.service', tmp_policy_dir)
  558. self.assertEqual(policy.find_matching_rule(
  559. system_info, 'test-vm1', 'test-vm2'), policy.policy_rules[0])
  560. self.assertEqual(policy.find_matching_rule(
  561. system_info, 'test-vm1', 'test-vm3'), policy.policy_rules[1])
  562. self.assertEqual(policy.find_matching_rule(
  563. system_info, 'test-vm2', 'test-vm2'), policy.policy_rules[3])
  564. self.assertEqual(policy.find_matching_rule(
  565. system_info, 'test-vm2', 'test-no-dvm'), policy.policy_rules[2])
  566. # $anyvm matches $default too
  567. self.assertEqual(policy.find_matching_rule(
  568. system_info, 'test-vm1', ''), policy.policy_rules[1])
  569. self.assertEqual(policy.find_matching_rule(
  570. system_info, 'test-vm2', ''), policy.policy_rules[4])
  571. self.assertEqual(policy.find_matching_rule(
  572. system_info, 'test-vm2', '$default'), policy.policy_rules[4])
  573. self.assertEqual(policy.find_matching_rule(
  574. system_info, 'test-no-dvm', 'test-vm3'), policy.policy_rules[5])
  575. with self.assertRaises(qubespolicy.AccessDenied):
  576. policy.find_matching_rule(
  577. system_info, 'test-no-dvm', 'test-standalone')
  578. with self.assertRaises(qubespolicy.AccessDenied):
  579. policy.find_matching_rule(
  580. system_info, 'test-standalone', '$default')
  581. def test_020_collect_targets_for_ask(self):
  582. with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
  583. f.write('test-vm1 test-vm2 allow\n')
  584. f.write('test-vm1 $anyvm ask\n')
  585. f.write('test-vm2 $tag:tag1 deny\n')
  586. f.write('test-vm2 $tag:tag2 allow\n')
  587. f.write('test-no-dvm $type:AppVM deny\n')
  588. f.write('$type:AppVM $default allow,target=test-vm3\n')
  589. f.write('$tag:tag1 $type:AppVM allow\n')
  590. f.write('test-no-dvm $dispvm allow\n')
  591. f.write('test-standalone $dispvm allow\n')
  592. policy = qubespolicy.Policy('test.service', tmp_policy_dir)
  593. self.assertCountEqual(policy.collect_targets_for_ask(system_info,
  594. 'test-vm1'), ['test-vm1', 'test-vm2', 'test-vm3',
  595. '$dispvm:test-vm3',
  596. 'default-dvm', '$dispvm:default-dvm', 'test-invalid-dvm',
  597. 'test-no-dvm', 'test-template', 'test-standalone'])
  598. self.assertCountEqual(policy.collect_targets_for_ask(system_info,
  599. 'test-vm2'), ['test-vm2', 'test-vm3'])
  600. self.assertCountEqual(policy.collect_targets_for_ask(system_info,
  601. 'test-vm3'), ['test-vm3'])
  602. self.assertCountEqual(policy.collect_targets_for_ask(system_info,
  603. 'test-standalone'), ['test-vm1', 'test-vm2', 'test-vm3',
  604. 'default-dvm', 'test-no-dvm', 'test-invalid-dvm',
  605. '$dispvm:default-dvm'])
  606. self.assertCountEqual(policy.collect_targets_for_ask(system_info,
  607. 'test-no-dvm'), [])
  608. def test_030_eval_simple(self):
  609. with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
  610. f.write('test-vm1 test-vm2 allow\n')
  611. policy = qubespolicy.Policy('test.service', tmp_policy_dir)
  612. action = policy.evaluate(system_info, 'test-vm1', 'test-vm2')
  613. self.assertEqual(action.rule, policy.policy_rules[0])
  614. self.assertEqual(action.action, qubespolicy.Action.allow)
  615. self.assertEqual(action.target, 'test-vm2')
  616. self.assertEqual(action.original_target, 'test-vm2')
  617. self.assertEqual(action.service, 'test.service')
  618. self.assertIsNone(action.targets_for_ask)
  619. with self.assertRaises(qubespolicy.AccessDenied):
  620. policy.evaluate(system_info, 'test-vm2', '$default')
  621. def test_031_eval_default(self):
  622. with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
  623. f.write('test-vm1 test-vm2 allow\n')
  624. f.write('test-vm1 $default allow,target=test-vm2\n')
  625. f.write('$tag:tag1 test-vm2 ask\n')
  626. f.write('$tag:tag2 $anyvm allow\n')
  627. f.write('test-vm3 $anyvm deny\n')
  628. policy = qubespolicy.Policy('test.service', tmp_policy_dir)
  629. action = policy.evaluate(system_info, 'test-vm1', '$default')
  630. self.assertEqual(action.rule, policy.policy_rules[1])
  631. self.assertEqual(action.action, qubespolicy.Action.allow)
  632. self.assertEqual(action.target, 'test-vm2')
  633. self.assertEqual(action.original_target, '$default')
  634. self.assertEqual(action.service, 'test.service')
  635. self.assertIsNone(action.targets_for_ask)
  636. with self.assertRaises(qubespolicy.AccessDenied):
  637. # action allow should hit, but no target specified (either by
  638. # caller or policy)
  639. policy.evaluate(system_info, 'test-standalone', '$default')
  640. def test_032_eval_ask(self):
  641. with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
  642. f.write('test-vm1 test-vm2 allow\n')
  643. f.write('test-vm1 $default allow,target=test-vm2\n')
  644. f.write('$tag:tag1 test-vm2 ask\n')
  645. f.write('$tag:tag1 test-vm3 ask,default_target=test-vm3\n')
  646. f.write('$tag:tag2 $anyvm allow\n')
  647. f.write('test-vm3 $anyvm deny\n')
  648. policy = qubespolicy.Policy('test.service', tmp_policy_dir)
  649. action = policy.evaluate(system_info, 'test-standalone', 'test-vm2')
  650. self.assertEqual(action.rule, policy.policy_rules[2])
  651. self.assertEqual(action.action, qubespolicy.Action.ask)
  652. self.assertIsNone(action.target)
  653. self.assertEqual(action.original_target, 'test-vm2')
  654. self.assertEqual(action.service, 'test.service')
  655. self.assertCountEqual(action.targets_for_ask,
  656. ['test-vm1', 'test-vm2', 'test-vm3', '$dispvm:test-vm3',
  657. 'default-dvm', '$dispvm:default-dvm', 'test-invalid-dvm',
  658. 'test-no-dvm', 'test-template', 'test-standalone'])
  659. def test_033_eval_ask(self):
  660. with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
  661. f.write('test-vm1 test-vm2 allow\n')
  662. f.write('test-vm1 $default allow,target=test-vm2\n')
  663. f.write('$tag:tag1 test-vm2 ask\n')
  664. f.write('$tag:tag1 test-vm3 ask,default_target=test-vm3\n')
  665. f.write('$tag:tag2 $anyvm allow\n')
  666. f.write('test-vm3 $anyvm deny\n')
  667. policy = qubespolicy.Policy('test.service', tmp_policy_dir)
  668. action = policy.evaluate(system_info, 'test-standalone', 'test-vm3')
  669. self.assertEqual(action.rule, policy.policy_rules[3])
  670. self.assertEqual(action.action, qubespolicy.Action.ask)
  671. self.assertEqual(action.target, 'test-vm3')
  672. self.assertEqual(action.original_target, 'test-vm3')
  673. self.assertEqual(action.service, 'test.service')
  674. self.assertCountEqual(action.targets_for_ask,
  675. ['test-vm1', 'test-vm2', 'test-vm3', '$dispvm:test-vm3',
  676. 'default-dvm', '$dispvm:default-dvm', 'test-invalid-dvm',
  677. 'test-no-dvm', 'test-template', 'test-standalone'])
  678. def test_034_eval_resolve_dispvm(self):
  679. with open(os.path.join(tmp_policy_dir, 'test.service'), 'w') as f:
  680. f.write('test-vm3 $dispvm allow\n')
  681. policy = qubespolicy.Policy('test.service', tmp_policy_dir)
  682. action = policy.evaluate(system_info, 'test-vm3', '$dispvm')
  683. self.assertEqual(action.rule, policy.policy_rules[0])
  684. self.assertEqual(action.action, qubespolicy.Action.allow)
  685. self.assertEqual(action.target, '$dispvm:default-dvm')
  686. self.assertEqual(action.original_target, '$dispvm')
  687. self.assertEqual(action.service, 'test.service')
  688. self.assertIsNone(action.targets_for_ask)
  689. class TC_30_Misc(qubes.tests.QubesTestCase):
  690. @unittest.mock.patch('socket.socket')
  691. def test_000_qubesd_call(self, mock_socket):
  692. mock_config = {
  693. 'return_value.makefile.return_value.read.return_value': b'0\x00data'
  694. }
  695. mock_socket.configure_mock(**mock_config)
  696. result = qubespolicy.qubesd_call('test', 'internal.method')
  697. self.assertEqual(result, b'data')
  698. self.assertEqual(mock_socket.mock_calls, [
  699. unittest.mock.call(socket.AF_UNIX, socket.SOCK_STREAM),
  700. unittest.mock.call().connect(qubespolicy.QUBESD_INTERNAL_SOCK),
  701. unittest.mock.call().sendall(b'dom0'),
  702. unittest.mock.call().sendall(b'\x00'),
  703. unittest.mock.call().sendall(b'internal.method'),
  704. unittest.mock.call().sendall(b'\x00'),
  705. unittest.mock.call().sendall(b'test'),
  706. unittest.mock.call().sendall(b'\x00'),
  707. unittest.mock.call().sendall(b'\x00'),
  708. unittest.mock.call().shutdown(socket.SHUT_WR),
  709. unittest.mock.call().makefile('rb'),
  710. unittest.mock.call().makefile().read(),
  711. ])
  712. @unittest.mock.patch('socket.socket')
  713. def test_001_qubesd_call_arg_payload(self, mock_socket):
  714. mock_config = {
  715. 'return_value.makefile.return_value.read.return_value': b'0\x00data'
  716. }
  717. mock_socket.configure_mock(**mock_config)
  718. result = qubespolicy.qubesd_call('test', 'internal.method', 'arg',
  719. b'payload')
  720. self.assertEqual(result, b'data')
  721. self.assertEqual(mock_socket.mock_calls, [
  722. unittest.mock.call(socket.AF_UNIX, socket.SOCK_STREAM),
  723. unittest.mock.call().connect(qubespolicy.QUBESD_INTERNAL_SOCK),
  724. unittest.mock.call().sendall(b'dom0'),
  725. unittest.mock.call().sendall(b'\x00'),
  726. unittest.mock.call().sendall(b'internal.method'),
  727. unittest.mock.call().sendall(b'\x00'),
  728. unittest.mock.call().sendall(b'test'),
  729. unittest.mock.call().sendall(b'\x00'),
  730. unittest.mock.call().sendall(b'arg'),
  731. unittest.mock.call().sendall(b'\x00'),
  732. unittest.mock.call().sendall(b'payload'),
  733. unittest.mock.call().shutdown(socket.SHUT_WR),
  734. unittest.mock.call().makefile('rb'),
  735. unittest.mock.call().makefile().read(),
  736. ])
  737. @unittest.mock.patch('socket.socket')
  738. def test_002_qubesd_call_exception(self, mock_socket):
  739. mock_config = {
  740. 'return_value.makefile.return_value.read.return_value':
  741. b'2\x00SomeError\x00traceback\x00message\x00'
  742. }
  743. mock_socket.configure_mock(**mock_config)
  744. with self.assertRaises(qubespolicy.QubesMgmtException) as e:
  745. qubespolicy.qubesd_call('test', 'internal.method')
  746. self.assertEqual(e.exception.exc_type, 'SomeError')
  747. self.assertEqual(mock_socket.mock_calls, [
  748. unittest.mock.call(socket.AF_UNIX, socket.SOCK_STREAM),
  749. unittest.mock.call().connect(qubespolicy.QUBESD_INTERNAL_SOCK),
  750. unittest.mock.call().sendall(b'dom0'),
  751. unittest.mock.call().sendall(b'\x00'),
  752. unittest.mock.call().sendall(b'internal.method'),
  753. unittest.mock.call().sendall(b'\x00'),
  754. unittest.mock.call().sendall(b'test'),
  755. unittest.mock.call().sendall(b'\x00'),
  756. unittest.mock.call().sendall(b'\x00'),
  757. unittest.mock.call().shutdown(socket.SHUT_WR),
  758. unittest.mock.call().makefile('rb'),
  759. unittest.mock.call().makefile().read(),
  760. ])