File: loader_test.go

package info (click to toggle)
opensnitch 1.6.9-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 5,980 kB
  • sloc: python: 12,604; ansic: 1,965; sh: 435; makefile: 239; xml: 50; sql: 3
file content (327 lines) | stat: -rw-r--r-- 9,987 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
 
package rule

import (
	"fmt"
	"io"
	"math/rand"
	"os"
	"testing"
	"time"
)

var tmpDir string

func TestMain(m *testing.M) {
	tmpDir = "/tmp/ostest_" + randString()
	os.Mkdir(tmpDir, 0777)
	defer os.RemoveAll(tmpDir)
	os.Exit(m.Run())
}

func TestRuleLoader(t *testing.T) {
	t.Parallel()
	t.Log("Test rules loader")

	var list []Operator
	dur1s := Duration("1s")
	dummyOper, _ := NewOperator(Simple, false, OpTrue, "", list)
	dummyOper.Compile()
	inMem1sRule := Create("000-xxx-name", "rule description xxx", true, false, false, Allow, dur1s, dummyOper)
	inMemUntilRestartRule := Create("000-aaa-name", "rule description aaa", true, false, false, Allow, Restart, dummyOper)

	l, err := NewLoader(false)
	if err != nil {
		t.Fail()
	}
	if err = l.Load("/non/existent/path/"); err == nil {
		t.Error("non existent path test: err should not be nil")
	}

	if err = l.Load("testdata/"); err != nil {
		t.Error("Error loading test rules: ", err)
	}
	// we expect 6 valid rules (2 invalid), loaded from testdata/
	testNumRules(t, l, 6)

	if err = l.Add(inMem1sRule, false); err != nil {
		t.Error("Error adding temporary rule")
	}
	testNumRules(t, l, 7)

	// test auto deletion of temporary rule
	time.Sleep(time.Second * 2)
	testNumRules(t, l, 6)

	if err = l.Add(inMemUntilRestartRule, false); err != nil {
		t.Error("Error adding temporary rule (2)")
	}
	testNumRules(t, l, 7)
	testRulesOrder(t, l)
	testSortRules(t, l)
	testFindMatch(t, l)
	testFindEnabled(t, l)
	testDurationChange(t, l)
}

func TestRuleLoaderInvalidRegexp(t *testing.T) {
	t.Parallel()
	t.Log("Test rules loader: invalid regexp")

	l, err := NewLoader(true)
	if err != nil {
		t.Fail()
	}
	t.Run("loadRule() from disk test (simple)", func(t *testing.T) {
		if err := l.loadRule("testdata/invalid-regexp.json"); err == nil {
			t.Error("invalid regexp rule loaded: loadRule()")
		}
	})

	t.Run("loadRule() from disk test (list)", func(t *testing.T) {
		if err := l.loadRule("testdata/invalid-regexp-list.json"); err == nil {
			t.Error("invalid regexp rule loaded: loadRule()")
		}
	})

	var list []Operator
	dur30m := Duration("30m")
	opListData := `[{"type": "regexp", "operand": "process.path", "sensitive": false, "data": "^(/di(rmngr)$"}, {"type": "simple", "operand": "dest.port", "data": "53", "sensitive": false}]`
	invalidRegexpOp, _ := NewOperator(List, false, OpList, opListData, list)
	invalidRegexpRule := Create("invalid-regexp", "invalid rule description", true, false, false, Allow, dur30m, invalidRegexpOp)

	t.Run("replaceUserRule() test list", func(t *testing.T) {
		if err := l.replaceUserRule(invalidRegexpRule); err == nil {
			t.Error("invalid regexp rule loaded: replaceUserRule()")
		}
	})
}

// Test rules of type operator.list. There're these scenarios:
// - Enabled rules:
//    * operator Data field is ignored if it contains the list of operators as json string.
//    * the operarots list is expanded as json objecs under "list": []
// For new rules (> v1.6.3), Data field will be empty.
//
// - Disabled rules
//    * (old) the Data field contains the list of operators as json string, and the list of operarots is empty.
//    * Data field empty, and the list of operators expanded.
// In all cases the list of operators must be loaded.
func TestRuleLoaderList(t *testing.T) {
	l, err := NewLoader(true)
	if err != nil {
		t.Fail()
	}

	testRules := map[string]string{
		"rule-with-operator-list":                          "testdata/rule-operator-list.json",
		"rule-disabled-with-operators-list-as-json-string": "testdata/rule-disabled-operator-list.json",
		"rule-disabled-with-operators-list-expanded":       "testdata/rule-disabled-operator-list-expanded.json",
		"rule-with-operator-list-data-empty":               "testdata/rule-operator-list-data-empty.json",
	}

	for name, path := range testRules {
		t.Run(fmt.Sprint("loadRule() ", path), func(t *testing.T) {
			if err := l.loadRule(path); err != nil {
				t.Error(fmt.Sprint("loadRule() ", path, " error:"), err)
			}
			t.Log("Test: List rule:", name, path)
			r, found := l.rules[name]
			if !found {
				t.Error(fmt.Sprint("loadRule() ", path, " not in the list:"), l.rules)
			}
			// Starting from > v1.6.3, after loading a rule of type List, the field Operator.Data is emptied, if the Data contained the list of operators as json.
			if len(r.Operator.List) != 2 {
				t.Error(fmt.Sprint("loadRule() ", path, " operator List not loaded:"), r)
			}
			if r.Operator.List[0].Type != Simple ||
				r.Operator.List[0].Operand != OpProcessPath ||
				r.Operator.List[0].Data != "/usr/bin/telnet" {
				t.Error(fmt.Sprint("loadRule() ", path, " operator List 0 not loaded:"), r)
			}
			if r.Operator.List[1].Type != Simple ||
				r.Operator.List[1].Operand != OpDstPort ||
				r.Operator.List[1].Data != "53" {
				t.Error(fmt.Sprint("loadRule() ", path, " operator List 1 not loaded:"), r)
			}
		})
	}
}

func TestLiveReload(t *testing.T) {
	t.Parallel()
	t.Log("Test rules loader with live reload")
	l, err := NewLoader(true)
	if err != nil {
		t.Fail()
	}
	if err = Copy("testdata/000-allow-chrome.json", tmpDir+"/000-allow-chrome.json"); err != nil {
		t.Error("Error copying rule into a temp dir")
	}
	if err = Copy("testdata/001-deny-chrome.json", tmpDir+"/001-deny-chrome.json"); err != nil {
		t.Error("Error copying rule into a temp dir")
	}
	if err = l.Load(tmpDir); err != nil {
		t.Error("Error loading test rules: ", err)
	}
	//wait for watcher to activate
	time.Sleep(time.Second)
	if err = Copy("testdata/live_reload/test-live-reload-remove.json", tmpDir+"/test-live-reload-remove.json"); err != nil {
		t.Error("Error copying rules into temp dir")
	}
	if err = Copy("testdata/live_reload/test-live-reload-delete.json", tmpDir+"/test-live-reload-delete.json"); err != nil {
		t.Error("Error copying rules into temp dir")
	}
	//wait for watcher to pick up the changes
	time.Sleep(time.Second)
	testNumRules(t, l, 4)
	if err = os.Remove(tmpDir + "/test-live-reload-remove.json"); err != nil {
		t.Error("Error Remove()ing file from temp dir")
	}
	if err = l.Delete("test-live-reload-delete"); err != nil {
		t.Error("Error Delete()ing file from temp dir")
	}
	//wait for watcher to pick up the changes
	time.Sleep(time.Second)
	testNumRules(t, l, 2)
}

func randString() string {
	rand.Seed(time.Now().UnixNano())
	var letterRunes = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
	b := make([]rune, 10)
	for i := range b {
		b[i] = letterRunes[rand.Intn(len(letterRunes))]
	}
	return string(b)
}

func Copy(src, dst string) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()

	out, err := os.Create(dst)
	if err != nil {
		return err
	}
	defer out.Close()

	_, err = io.Copy(out, in)
	if err != nil {
		return err
	}
	return out.Close()
}

func testNumRules(t *testing.T, l *Loader, num int) {
	if l.NumRules() != num {
		t.Error("rules number should be (2): ", num)
	}
}

func testRulesOrder(t *testing.T, l *Loader) {
	if l.rulesKeys[0] != "000-aaa-name" {
		t.Error("Rules not in order (0): ", l.rulesKeys)
	}
	if l.rulesKeys[1] != "000-allow-chrome" {
		t.Error("Rules not in order (1): ", l.rulesKeys)
	}
	if l.rulesKeys[2] != "001-deny-chrome" {
		t.Error("Rules not in order (2): ", l.rulesKeys)
	}
}

func testSortRules(t *testing.T, l *Loader) {
	l.rulesKeys[1] = "001-deny-chrome"
	l.rulesKeys[2] = "000-allow-chrome"
	l.sortRules()
	if l.rulesKeys[1] != "000-allow-chrome" {
		t.Error("Rules not in order (1): ", l.rulesKeys)
	}
	if l.rulesKeys[2] != "001-deny-chrome" {
		t.Error("Rules not in order (2): ", l.rulesKeys)
	}
}

func testFindMatch(t *testing.T, l *Loader) {
	conn.Process.Path = "/opt/google/chrome/chrome"

	testFindPriorityMatch(t, l)
	testFindDenyMatch(t, l)
	testFindAllowMatch(t, l)

	restoreConnection()
}

func testFindPriorityMatch(t *testing.T, l *Loader) {
	match := l.FindFirstMatch(conn)
	if match == nil {
		t.Error("FindPriorityMatch didn't match")
	}
	// test 000-allow-chrome, priority == true
	if match.Name != "000-allow-chrome" {
		t.Error("findPriorityMatch: priority rule failed: ", match)
	}

}

func testFindDenyMatch(t *testing.T, l *Loader) {
	l.rules["000-allow-chrome"].Precedence = false
	// test 000-allow-chrome, priority == false
	// 001-deny-chrome must match
	match := l.FindFirstMatch(conn)
	if match == nil {
		t.Error("FindDenyMatch deny didn't match")
	}
	if match.Name != "001-deny-chrome" {
		t.Error("findDenyMatch: deny rule failed: ", match)
	}
}

func testFindAllowMatch(t *testing.T, l *Loader) {
	l.rules["000-allow-chrome"].Precedence = false
	l.rules["001-deny-chrome"].Action = Allow
	// test 000-allow-chrome, priority == false
	// 001-deny-chrome must match
	match := l.FindFirstMatch(conn)
	if match == nil {
		t.Error("FindAllowMatch allow didn't match")
	}
	if match.Name != "001-deny-chrome" {
		t.Error("findAllowMatch: allow rule failed: ", match)
	}
}

func testFindEnabled(t *testing.T, l *Loader) {
	l.rules["000-allow-chrome"].Precedence = false
	l.rules["001-deny-chrome"].Action = Allow
	l.rules["001-deny-chrome"].Enabled = false
	// test 000-allow-chrome, priority == false
	// 001-deny-chrome must match
	match := l.FindFirstMatch(conn)
	if match == nil {
		t.Error("FindEnabledMatch, match nil")
	}
	if match.Name == "001-deny-chrome" {
		t.Error("findEnabledMatch: deny rule shouldn't have matched: ", match)
	}
}

// test that changing the Duration of a temporary rule doesn't delete
// the new one, ignoring the old timer.
func testDurationChange(t *testing.T, l *Loader) {
	l.rules["000-aaa-name"].Duration = "2s"
	if err := l.replaceUserRule(l.rules["000-aaa-name"]); err != nil {
		t.Error("testDurationChange, error replacing rule: ", err)
	}
	l.rules["000-aaa-name"].Duration = "1h"
	if err := l.replaceUserRule(l.rules["000-aaa-name"]); err != nil {
		t.Error("testDurationChange, error replacing rule: ", err)
	}
	time.Sleep(time.Second * 4)
	if _, found := l.rules["000-aaa-name"]; !found {
		t.Error("testDurationChange, error: rule has been deleted")
	}
}