From 300ed509f79a533c371c8c69cbb0597a3f6f4c4b Mon Sep 17 00:00:00 2001 From: Jan Jansky Date: Thu, 3 Oct 2024 13:33:50 +0200 Subject: [PATCH] [tests] Scrub tests Adding stageone and stagetwo tests for [system] plugin. Also adding tag scrub for only testing scrub of sensitive data. And updating README with how to call scrub and stagetwo tests. Related: #3788 Related: #3789 Resolves: #3798 Signed-off-by: Jan Jansky --- README.md | 13 ++- tests/report_tests/plugin_tests/apt/apt.py | 2 +- .../plugin_tests/curtin/curtin.py | 2 +- tests/report_tests/plugin_tests/juju/juju.py | 2 +- .../plugin_tests/networking/networking.py | 2 +- tests/report_tests/plugin_tests/sudo/sudo.py | 4 +- tests/report_tests/plugin_tests/system.py | 78 ++++++++++++++++ tests/report_tests/plugin_tests/systemd.py | 91 +++++++++++++++++++ tests/sos_tests.py | 2 +- tests/test_data/system_test_data | 4 + 10 files changed, 191 insertions(+), 9 deletions(-) create mode 100644 tests/report_tests/plugin_tests/system.py create mode 100644 tests/report_tests/plugin_tests/systemd.py create mode 100644 tests/test_data/system_test_data diff --git a/README.md b/README.md index 00ed176f98..b315bbab57 100644 --- a/README.md +++ b/README.md 
@@ -60,8 +60,17 @@ against the `flake8` linter, the unit tests, and the stage one avocado test suit $ flake8 sos $ nosetests -v tests/unittests/ -# as root -# PYTHONPATH=tests/ avocado run --test-runner=runner -t stageone tests/{cleaner,collect,report,vendor}_tests +# sudo PYTHONPATH=tests/ avocado run --test-runner=runner -t stageone tests/{cleaner,collect,report,vendor}_tests +``` + +For further test run stagetwo tests +``` +# sudo PYTHONPATH=tests/ avocado run --test-runner=runner -t stagetwo tests/{cleaner,collect,report,vendor}_tests +``` + +If you want to check basic scrub tests +``` +# sudo PYTHONPATH=tests/ avocado run --test-runner=runner -t scrub tests/{cleaner,collect,report,vendor}_tests ``` Note that the avocado test suite will generate and remove several reports over its diff --git a/tests/report_tests/plugin_tests/apt/apt.py b/tests/report_tests/plugin_tests/apt/apt.py index d8076fc236..a55b8475d8 100644 --- a/tests/report_tests/plugin_tests/apt/apt.py +++ b/tests/report_tests/plugin_tests/apt/apt.py @@ -15,7 +15,7 @@ class AptConfScrubTest(StageTwoReportTest): """Ensure that sources.list and apt conf are picked up and properly scrubbed - :avocado: tags=stagetwo + :avocado: tags=stagetwo,scrub """ sos_cmd = '-o apt' diff --git a/tests/report_tests/plugin_tests/curtin/curtin.py b/tests/report_tests/plugin_tests/curtin/curtin.py index f9ebe70189..5bd9052775 100644 --- a/tests/report_tests/plugin_tests/curtin/curtin.py +++ b/tests/report_tests/plugin_tests/curtin/curtin.py @@ -12,7 +12,7 @@ class CurtinScrubbedTest(StageTwoReportTest): """Ensure that curtin conf is picked up and properly scrubbed - :avocado: tags=stagetwo + :avocado: tags=stagetwo,scrub """ sos_cmd = '-o curtin' diff --git a/tests/report_tests/plugin_tests/juju/juju.py b/tests/report_tests/plugin_tests/juju/juju.py index 717e69c652..01651c35d6 100644 --- a/tests/report_tests/plugin_tests/juju/juju.py +++ b/tests/report_tests/plugin_tests/juju/juju.py 
@@ -12,7 +12,7 @@ class JujuAgentConfScrubbedTest(StageTwoReportTest): """Ensure that agent conf is picked up and properly scrubbed - :avocado: tags=stagetwo + :avocado: tags=stagetwo,scrub """ sos_cmd = '-o juju' diff --git a/tests/report_tests/plugin_tests/networking/networking.py b/tests/report_tests/plugin_tests/networking/networking.py index 3b15bc880c..fc4e536a00 100644 --- a/tests/report_tests/plugin_tests/networking/networking.py +++ b/tests/report_tests/plugin_tests/networking/networking.py @@ -46,7 +46,7 @@ class NetplanScrubTest(StageTwoReportTest): ensure that netplan configuration is collected and then the wifi password is scrubbed correctly - :avocado: tags=stagetwo + :avocado: tags=stagetwo,scrub """ sos_cmd = '-o networking' diff --git a/tests/report_tests/plugin_tests/sudo/sudo.py b/tests/report_tests/plugin_tests/sudo/sudo.py index 1539294c43..89df566cad 100644 --- a/tests/report_tests/plugin_tests/sudo/sudo.py +++ b/tests/report_tests/plugin_tests/sudo/sudo.py @@ -10,7 +10,7 @@ class SudoPluginTest(StageOneReportTest): - """Basic sanity check to make sure ocmmon config files are collected + """Basic sanity check to make sure common config files are collected :avocado: tags=stageone """ @@ -25,7 +25,7 @@ def test_sudo_conf_collected(self): class SudoLdapScrubbedTest(StageTwoReportTest): """Ensure that sudo conf is picked up and properly scrubbed - :avocado: tags=stagetwo + :avocado: tags=stagetwo,scrub """ sos_cmd = '-o sudo' diff --git a/tests/report_tests/plugin_tests/system.py b/tests/report_tests/plugin_tests/system.py new file mode 100644 index 0000000000..9eae1cd088 --- /dev/null +++ b/tests/report_tests/plugin_tests/system.py 
@@ -0,0 +1,78 @@ +# This file is part of the sos project: https://github.com/sosreport/sos +# +# This copyrighted material is made available to anyone wishing to use, +# modify, copy, or redistribute it subject to the terms and conditions of +# version 2 of the GNU General Public License. +# +# See the LICENSE file in the source distribution for further information. + +from sos_tests import StageOneReportTest, StageTwoReportTest +import os + + +class SystemPluginTest(StageOneReportTest): + """Basic sanity check to make sure common config files are collected + + :avocado: tags=stageone + """ + + sos_cmd = '-o system' + + def test_system_files_collected(self): + self.assertFileGlobInArchive("/proc/sys") + if os.path.isdir("/etc/sysconfig"): + self.assertFileGlobInArchive("/etc/sysconfig") + self.assertFileGlobInArchive("/etc/default") + self.assertFileGlobInArchive("/etc/environment") + + def test_system_files_forbidden(self): + self.assertFileGlobNotInArchive("/proc/sys/net/ipv4/route/flush") + self.assertFileGlobNotInArchive("/proc/sys/net/ipv6/route/flush") + self.assertFileGlobNotInArchive("/proc/sys/net/ipv6/neigh/" + + "*/retrans_time") + self.assertFileGlobNotInArchive("/proc/sys/net/ipv6/neigh/" + + "*/base_reachable_time") + self.assertFileGlobNotInArchive("/etc/default/grub.d/" + + "50-curtin-settings.cfg") + + def test_system_cmd_collected(self): + self.assertFileGlobInArchive("ld.so_--help") + self.assertFileGlobInArchive("ld.so_--list-diagnostics") + self.assertFileGlobInArchive("ld.so_--list-tunables") + + +class SystemScrubTest(StageTwoReportTest): + """Ensure that environment, default and sysconfig are picked up + and properly scrubbed + + :avocado: tags=stagetwo,scrub + """ + sos_cmd = '-o system' + files = [ + ('../../../tests/test_data/system_test_data', '/etc/environment'), + ('../../../tests/test_data/system_test_data', '/etc/default/proxy'), + ('../../../tests/test_data/system_test_data', '/etc/default/proxy1'), + 
('../../../tests/test_data/system_test_data', '/etc/sysconfig/proxy'), + ('../../../tests/test_data/system_test_data', '/etc/sysconfig/proxy1'), + ] + secrets_list = [ + 'foouser', + 'somesecretpassword' + ] + + def test_system_files_collected(self): + for file in self.files: + if "sysconfig" in file[1] and \ + not os.path.isdir("/etc/sysconfig"): + continue + self.assertFileGlobInArchive(file[1]) + + def test_system_scrub(self): + for file in self.files: + for secret in self.secrets_list: + if "sysconfig" in file[1] and \ + not os.path.isdir("/etc/sysconfig"): + continue + self.assertFileNotHasContent(file[1], secret) + +# vim: set et ts=4 sw=4 : diff --git a/tests/report_tests/plugin_tests/systemd.py b/tests/report_tests/plugin_tests/systemd.py new file mode 100644 index 0000000000..2a7344c43f --- /dev/null +++ b/tests/report_tests/plugin_tests/systemd.py 
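Review bot: `test_system_scrub` in `SystemScrubTest` only asserts that `foouser` and `somesecretpassword` are absent, so it would also pass if the mocked file were archived empty or with the whole line dropped. I would pair each negative check with a positive one on the non-secret remainder, for example `self.assertFileHasContent(file[1], 'proxyurl:8080')`, assuming the scrubber is meant to keep the host and port. The `"sysconfig" in file[1]` guard is re-evaluated for every secret; moving it above `for secret in self.secrets_list:` reads more clearly and matches `test_system_files_collected`. The mocked destinations also include `/etc/environment`, a live host file, so it is worth confirming that the stage two mocking in `tests/sos_tests.py` (not shown in this hunk) restores the original on teardown.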
@@ -0,0 +1,91 @@ +# This file is part of the sos project: https://github.com/sosreport/sos +# +# This copyrighted material is made available to anyone wishing to use, +# modify, copy, or redistribute it subject to the terms and conditions of +# version 2 of the GNU General Public License. +# +# See the LICENSE file in the source distribution for further information. + +from sos_tests import StageOneReportTest, StageTwoReportTest + + +class SystemdPluginTest(StageOneReportTest): + """Basic sanity check to make sure common config files are collected + + :avocado: tags=stageone + """ + + sos_cmd = '-o systemd' + + def test_systemd_files_collected(self): + self.assertFileGlobInArchive("/etc/systemd") + self.assertFileGlobInArchive("/lib/systemd/system") + self.assertFileGlobInArchive("/lib/systemd/user") + self.assertFileGlobInArchive("/etc/vconsole.conf") + self.assertFileGlobInArchive("/run/systemd/generator*") + self.assertFileGlobInArchive("/run/systemd/seats") + self.assertFileGlobInArchive("/run/systemd/sessions") + self.assertFileGlobInArchive("/run/systemd/system") + self.assertFileGlobInArchive("/run/systemd/users") + self.assertFileGlobInArchive("/etc/modules-load.d/*.conf") + self.assertFileGlobInArchive("/etc/yum/protected.d/systemd.conf") + self.assertFileGlobInArchive("/etc/tmpfiles.d/*.conf") + self.assertFileGlobInArchive("/run/tmpfiles.d/*.conf") + self.assertFileGlobInArchive("/usr/lib/tmpfiles.d/*.conf") + + def test_systemd_files_forbidden(self): + self.assertFileGlobNotInArchive("/dev/null") + + def test_systemd_cmd_collected(self): + self.assertFileGlobInArchive("journalctl_--list-boots") + self.assertFileGlobInArchive("ls_-alZR_.lib.systemd") + self.assertFileGlobInArchive("resolvectl_statistics") + self.assertFileGlobInArchive("resolvectl_status") + self.assertFileGlobInArchive("systemctl_list-dependencies") + self.assertFileGlobInArchive("systemctl_list-jobs") + self.assertFileGlobInArchive("systemctl_list-machines") + 
self.assertFileGlobInArchive("systemctl_list-timers_--all") + self.assertFileGlobInArchive("systemctl_list-unit-files") + self.assertFileGlobInArchive("systemctl_list-units") + self.assertFileGlobInArchive("systemctl_list-units_--all") + self.assertFileGlobInArchive("systemctl_list-units_--failed") + self.assertFileGlobInArchive("systemctl_show_--all") + self.assertFileGlobInArchive("systemctl_show-environment") + self.assertFileGlobInArchive("systemctl_show_service_--all") + self.assertFileGlobInArchive("systemctl_status_--all") + self.assertFileGlobInArchive("systemd-analyze") + self.assertFileGlobInArchive("systemd-analyze_blame") + self.assertFileGlobInArchive("systemd-analyze_dump") + self.assertFileGlobInArchive("systemd-analyze_plot.svg") + self.assertFileGlobInArchive("systemd-delta") + self.assertFileGlobInArchive("systemd-inhibit_--list") + self.assertFileGlobInArchive("timedatectl") + + +class SystemdScrubTest(StageTwoReportTest): + """Ensure that system files are picked up + and properly scrubbed + + :avocado: tags=stagetwo,scrub + """ + sos_cmd = '-o systemd' + files = [ + ('../../../tests/test_data/system_test_data', '/etc/systemd/system'), + ('../../../tests/test_data/system_test_data', '/lib/systemd/system'), + ('../../../tests/test_data/system_test_data', '/run/systemd/system'), + ] + secrets_list = [ + 'foouser', + 'somesecretpassword' + ] + + def test_systemd_files_collected(self): + for file in self.files: + self.assertFileGlobInArchive(file[1]) + + def test_systemd_scrub(self): + for file in self.files: + for secret in self.secrets_list: + self.assertFileNotHasContent(file[1], secret) + +# vim: set et ts=4 sw=4 : diff --git a/tests/sos_tests.py b/tests/sos_tests.py index 6ef91517e2..b4ab855a43 100644 --- a/tests/sos_tests.py +++ b/tests/sos_tests.py 
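Review bot: The three destinations in `SystemdScrubTest.files` (`/etc/systemd/system`, `/lib/systemd/system`, `/run/systemd/system`) are normally directories on a systemd host, so `assertFileNotHasContent(file[1], secret)` in `test_systemd_scrub` is pointed at a directory, not at the mocked file. Depending on how the mocking and assertion helpers in `tests/sos_tests.py` handle that (not visible here), the check may never read the planted credentials, and teardown could touch a live unit directory. Pointing each tuple at a file inside the directory would make the test exercise the scrubber, e.g. `('../../../tests/test_data/system_test_data', '/etc/systemd/system/<scrub-test-file>')`, where the file name is a placeholder to be chosen for the test. The class docstring says "system files"; wording such as "systemd unit paths" would match what is tested.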
@@ -809,7 +809,7 @@ class StageTwoReportTest(BaseSoSReportTest): tests/test_data/fake_plugins :avocado: disable - :avocado: tags=stagetwo,foreman2 + :avocado: tags=stagetwo,scrub,foreman2 """ sos_cmd = '' diff --git a/tests/test_data/system_test_data b/tests/test_data/system_test_data new file mode 100644 index 0000000000..a48eb2f22e --- /dev/null +++ b/tests/test_data/system_test_data @@ -0,0 +1,4 @@ +HTTP_PROXY=http://foouser:somesecretpassword@proxyurl:8080 +HTTPS_PROXY=https://foouser:somesecretpassword@proxyurl:8080 +http_proxy=http://foouser:somesecretpassword@proxyurl:8080 +https_proxy=https://foouser:somesecretpassword@proxyurl:8080
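Review bot: In the `StageTwoReportTest` docstring hunk of `tests/sos_tests.py`, adding `scrub` to the base class tags seems to work against the stated goal of a tag that selects only the scrub tests. The class is marked `:avocado: disable` and every scrub test in this patch carries its own `tags=stagetwo,scrub` line. The base-class tag is therefore either unused or, if tags are ever picked up from the parent, would make `-t scrub` match every stage two test. I would leave this line as `:avocado: tags=stagetwo,foreman2` unless the runner is known to need it. The class body starts and ends outside the hunk.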