|
12850.4.1
by j.c.sackett
Added audit-security.py script. |
1 |
#! /usr/bin/python -S
|
2 |
||
3 |
# Copyright 2011 Canonical Ltd. This software is licensed under the
|
|
4 |
# GNU Affero General Public License version 3 (see the file LICENSE).
|
|
5 |
||
6 |
"""Check that everything is alright in security.cfg
|
|
7 |
||
8 |
Usage hint:
|
|
9 |
||
10 |
% utilities/audit-security.py
|
|
11 |
"""
|
|
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
12 |
__metatype__ = type |
|
12850.4.1
by j.c.sackett
Added audit-security.py script. |
13 |
|
14 |
import os |
|
|
12850.4.6
by j.c.sackett
Renamed audit-security to audit-security-settings, since that's more accurate. |
15 |
import sys |
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
16 |
import re |
17 |
||
18 |
from collections import defaultdict |
|
19 |
||
|
12850.4.6
by j.c.sackett
Renamed audit-security to audit-security-settings, since that's more accurate. |
20 |
TEST_DATA = """ |
21 |
[good]
|
|
22 |
public.foo = SELECT
|
|
23 |
public.bar = SELECT, INSERT
|
|
24 |
public.baz = SELECT
|
|
25 |
||
26 |
[bad]
|
|
27 |
public.foo = SELECT
|
|
28 |
public.bar = SELECT, INSERT
|
|
29 |
public.bar = SELECT
|
|
30 |
public.baz = SELECT
|
|
31 |
"""
|
|
32 |
||
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
33 |
BRANCH_ROOT = os.path.split( |
34 |
os.path.dirname(os.path.abspath(__file__)))[0] |
|
35 |
SECURITY_PATH = os.path.join( |
|
36 |
BRANCH_ROOT, 'database', 'schema', 'security.cfg') |
|
37 |
||
|
12850.4.3
by j.c.sackett
Lint fixes. |
38 |
|
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
39 |
def strip(data): |
|
12850.4.5
by j.c.sackett
Modifications per review. |
40 |
data = [d.strip() for d in data] |
41 |
return [d for d in data if not (d.startswith('#') or d == '')] |
|
42 |
||
43 |
||
44 |
class SettingsAuditor: |
|
45 |
"""Reads the security.cfg file and collects errors.
|
|
46 |
||
47 |
We can't just use ConfigParser for this case, as we're doing our own
|
|
48 |
specialized parsing--not interpreting the settings, but verifying."""
|
|
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
49 |
|
50 |
section_regex = re.compile(r'\[.*\]') |
|
|
12850.4.3
by j.c.sackett
Lint fixes. |
51 |
|
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
52 |
def __init__(self): |
53 |
self.errors = {} |
|
54 |
self.current_section = '' |
|
55 |
self.observed_settings = defaultdict(lambda: 0) |
|
56 |
||
57 |
def _get_section_name(self, line): |
|
58 |
if line.strip().startswith('['): |
|
59 |
return self.section_regex.match(line).group() |
|
60 |
else: |
|
61 |
return None |
|
62 |
||
63 |
def _get_setting(self, line): |
|
64 |
return line.split()[0] |
|
65 |
||
66 |
def start_new_section(self, new_section): |
|
|
12850.4.5
by j.c.sackett
Modifications per review. |
67 |
for k in self.observed_settings.keys(): |
68 |
if self.observed_settings[k] == 1: |
|
69 |
self.observed_settings.pop(k) |
|
70 |
duplicated_settings = self.observed_settings.keys() |
|
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
71 |
if len(duplicated_settings) > 0: |
|
12850.4.5
by j.c.sackett
Modifications per review. |
72 |
self.errors[self.current_section] = self.observed_settings.keys() |
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
73 |
self.observed_settings = defaultdict(lambda: 0) |
74 |
self.current_section = new_section |
|
75 |
||
76 |
def readline(self, line): |
|
77 |
new_section = self._get_section_name(line) |
|
78 |
if new_section is not None: |
|
79 |
self.start_new_section(new_section) |
|
80 |
else: |
|
81 |
setting = self._get_setting(line) |
|
82 |
self.observed_settings[setting] += 1 |
|
83 |
||
84 |
def print_error_data(self): |
|
85 |
print "The following errors were found in security.cfg" |
|
86 |
print "-----------------------------------------------" |
|
87 |
for section in self.errors.keys(): |
|
88 |
print "In section: %s" % section |
|
89 |
for setting in self.errors[section]: |
|
90 |
print '\tDuplicate setting found: %s' % setting |
|
|
12850.4.3
by j.c.sackett
Lint fixes. |
91 |
|
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
92 |
|
|
12850.4.6
by j.c.sackett
Renamed audit-security to audit-security-settings, since that's more accurate. |
93 |
def main(test=False): |
94 |
# This is a cheap hack to allow testing in the testrunner.
|
|
95 |
if test: |
|
96 |
data = TEST_DATA.split('\n') |
|
97 |
else: |
|
98 |
data = file(SECURITY_PATH).readlines() |
|
|
12850.4.3
by j.c.sackett
Lint fixes. |
99 |
data = strip(data) |
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
100 |
auditor = SettingsAuditor() |
101 |
for line in data: |
|
102 |
auditor.readline(line) |
|
|
12850.4.6
by j.c.sackett
Renamed audit-security to audit-security-settings, since that's more accurate. |
103 |
auditor.start_new_section('') |
|
12850.4.2
by j.c.sackett
Functional auditing script; finds duplicate settings. |
104 |
auditor.print_error_data() |
105 |
||
106 |
if __name__ == '__main__': |
|
|
12850.4.6
by j.c.sackett
Renamed audit-security to audit-security-settings, since that's more accurate. |
107 |
# smoketest check is a cheap hack to test the utility in the testrunner.
|
108 |
try: |
|
109 |
test = sys.argv[1] == 'smoketest' |
|
110 |
except IndexError: |
|
111 |
test = False |
|
112 |
main(test=test) |