more test coverage

2026-05-31 16:50:57 +10:00 · 2026-05-31 16:50:57 +10:00 · 1544dc0295
commit 1544dc0295
parent b25dd1e314
15 changed files with 3150 additions and 424 deletions
--- a/tests/test_ignore.py
+++ b/tests/test_ignore.py
@ -1,3 +1,8 @@
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
 from enroll.ignore import IgnorePolicy


@ -8,3 +13,238 @@ def test_ignore_policy_denies_common_backup_files():
    assert pol.deny_reason("/etc/group-") == "backup_file"
    assert pol.deny_reason("/etc/something~") == "backup_file"
    assert pol.deny_reason("/foobar") == "unreadable"
+
+
+def test_deny_reason_dir_with_denied_path():
+    pol = IgnorePolicy()
+    assert pol.deny_reason_dir("/etc/ssl/private/key") == "denied_path"
+    assert pol.deny_reason_dir("/etc/ssh/ssh_host_key") == "denied_path"
+    assert pol.deny_reason_dir("/etc/ssh") is None
+
+
+def test_deny_reason_dir_unreadable(tmp_path: Path):
+    pol = IgnorePolicy()
+    nonexistent = tmp_path / "nonexistent"
+    assert pol.deny_reason_dir(str(nonexistent)) == "unreadable"
+
+
+def test_deny_reason_dir_symlink(tmp_path: Path):
+    pol = IgnorePolicy()
+    real_dir = tmp_path / "real"
+    real_dir.mkdir()
+    link = tmp_path / "link"
+    os.symlink(str(real_dir), str(link))
+    assert pol.deny_reason_dir(str(link)) == "symlink"
+
+
+def test_deny_reason_dir_not_directory(tmp_path: Path):
+    pol = IgnorePolicy()
+    regular_file = tmp_path / "file.txt"
+    regular_file.write_text("content", encoding="utf-8")
+    assert pol.deny_reason_dir(str(regular_file)) == "not_directory"
+
+
+def test_deny_reason_dir_dangerous_mode(tmp_path: Path):
+    pol = IgnorePolicy(dangerous=True)
+    real_dir = tmp_path / "private"
+    real_dir.mkdir()
+    assert pol.deny_reason_dir(str(real_dir)) is None
+
+
+def test_deny_reason_link_basic(tmp_path: Path):
+    pol = IgnorePolicy()
+    real_file = tmp_path / "real"
+    real_file.write_text("content", encoding="utf-8")
+    link = tmp_path / "link"
+    os.symlink(str(real_file), str(link))
+    assert pol.deny_reason_link(str(link)) is None
+
+
+def test_deny_reason_link_denied_path():
+    pol = IgnorePolicy()
+    assert pol.deny_reason_link("/etc/ssh/ssh_host_rsa_key") == "denied_path"
+
+
+def test_deny_reason_link_unreadable(tmp_path: Path):
+    pol = IgnorePolicy()
+    # Create a symlink in a directory that doesn't exist
+    # This simulates an unreadable path
+    broken_link = tmp_path / "broken_link"
+    os.symlink("/nonexistent/target", str(broken_link))
+    # Broken symlinks are still readable (we can readlink them)
+    # So they return None (allowed) unless they match deny globs
+    result = pol.deny_reason_link(str(broken_link))
+    # Broken symlinks are allowed - we can still read the link target
+    assert result is None
+
+
+def test_deny_reason_link_not_symlink(tmp_path: Path):
+    pol = IgnorePolicy()
+    regular_file = tmp_path / "file.txt"
+    regular_file.write_text("content", encoding="utf-8")
+    assert pol.deny_reason_link(str(regular_file)) == "not_symlink"
+
+
+def test_deny_reason_link_log_file():
+    pol = IgnorePolicy()
+    assert pol.deny_reason_link("/var/log/something.log") == "log_file"
+
+
+def test_deny_reason_link_backup_file():
+    pol = IgnorePolicy()
+    assert pol.deny_reason_link("/etc/passwd-") == "backup_file"
+    assert pol.deny_reason_link("/etc/something~") == "backup_file"
+
+
+def test_deny_reason_link_dangerous_mode(tmp_path: Path):
+    pol = IgnorePolicy(dangerous=True)
+    real_file = tmp_path / "real"
+    real_file.write_text("content", encoding="utf-8")
+    link = tmp_path / "link"
+    os.symlink(str(real_file), str(link))
+    assert pol.deny_reason_link(str(link)) is None
+
+
+def test_iter_effective_lines_with_comments():
+    pol = IgnorePolicy()
+    content = b"""
+# This is a comment
+; This is also a comment
+* continuation
+def main():
+    pass
+"""
+    lines = list(pol.iter_effective_lines(content))
+    assert b"def main():" in lines
+    assert b"# This is a comment" not in lines
+
+
+def test_iter_effective_lines_with_block_comments():
+    pol = IgnorePolicy()
+    content = b"""
+/* This is a block comment
+   spanning multiple lines */
+int x = 5;
+"""
+    lines = list(pol.iter_effective_lines(content))
+    assert b"int x = 5;" in lines
+    assert b"/*" not in lines
+
+
+def test_iter_effective_lines_empty():
+    pol = IgnorePolicy()
+    content = b""
+    lines = list(pol.iter_effective_lines(content))
+    assert lines == []
+
+
+def test_deny_reason_binary_not_allowed(tmp_path: Path):
+    pol = IgnorePolicy()
+    binary = tmp_path / "random.bin"
+    binary.write_bytes(b"\x00\x01\x02\x03")
+    reason = pol.deny_reason(str(binary))
+    assert reason == "binary_like"
+
+
+def test_deny_reason_sensitive_content(tmp_path: Path):
+    pol = IgnorePolicy()
+    config = tmp_path / "config.txt"
+    config.write_text("password=secret123", encoding="utf-8")
+    reason = pol.deny_reason(str(config))
+    assert reason == "sensitive_content"
+
+
+def test_deny_reason_sensitive_api_key(tmp_path: Path):
+    pol = IgnorePolicy()
+    config = tmp_path / "config.txt"
+    config.write_text("api_key=abc123", encoding="utf-8")
+    reason = pol.deny_reason(str(config))
+    assert reason == "sensitive_content"
+
+
+def test_deny_reason_private_key(tmp_path: Path):
+    pol = IgnorePolicy()
+    key = tmp_path / "key.pem"
+    key.write_text(
+        "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...", encoding="utf-8"
+    )
+    reason = pol.deny_reason(str(key))
+    assert reason == "sensitive_content"
+
+
+def test_deny_reason_too_large(tmp_path: Path):
+    pol = IgnorePolicy(max_file_bytes=100)
+    large = tmp_path / "large.txt"
+    large.write_bytes(b"x" * 200)
+    reason = pol.deny_reason(str(large))
+    assert reason == "too_large"
+
+
+def test_deny_reason_unreadable(tmp_path: Path):
+    pol = IgnorePolicy()
+    nonexistent = tmp_path / "nonexistent"
+    reason = pol.deny_reason(str(nonexistent))
+    assert reason == "unreadable"
+
+
+def test_deny_reason_not_regular_file(tmp_path: Path):
+    pol = IgnorePolicy()
+    directory = tmp_path / "dir"
+    directory.mkdir()
+    reason = pol.deny_reason(str(directory))
+    assert reason == "not_regular_file"
+
+
+def test_deny_reason_symlink_file(tmp_path: Path):
+    pol = IgnorePolicy()
+    real_file = tmp_path / "real"
+    real_file.write_text("content", encoding="utf-8")
+    link = tmp_path / "link"
+    os.symlink(str(real_file), str(link))
+    reason = pol.deny_reason(str(link))
+    assert reason == "not_regular_file"
+
+
+def test_deny_reason_logs(tmp_path: Path):
+    pol = IgnorePolicy()
+    log = tmp_path / "test.log"
+    log.write_text("log content", encoding="utf-8")
+    assert pol.deny_reason(str(log)) == "log_file"
+
+
+def test_deny_reason_backup_file(tmp_path: Path):
+    pol = IgnorePolicy()
+    backup = tmp_path / "file~"
+    backup.write_text("backup", encoding="utf-8")
+    assert pol.deny_reason(str(backup)) == "backup_file"
+
+
+def test_deny_reason_shadow_file():
+    pol = IgnorePolicy()
+    assert pol.deny_reason("/etc/shadow") == "denied_path"
+    assert pol.deny_reason("/etc/gshadow") == "denied_path"
+
+
+def test_deny_reason_ssl_private():
+    pol = IgnorePolicy()
+    assert pol.deny_reason("/etc/ssl/private/key.pem") == "denied_path"
+
+
+def test_deny_reason_ssh_host_keys():
+    pol = IgnorePolicy()
+    assert pol.deny_reason("/etc/ssh/ssh_host_rsa_key") == "denied_path"
+    assert pol.deny_reason("/etc/ssh/ssh_host_ed25519_key") == "denied_path"
+
+
+def test_deny_reason_letsencrypt():
+    pol = IgnorePolicy()
+    assert (
+        pol.deny_reason("/etc/letsencrypt/live/example.com/fullchain.pem")
+        == "denied_path"
+    )
+
+
+def test_deny_reason_shadow_backup():
+    pol = IgnorePolicy()
+    assert pol.deny_reason("/etc/shadow-") == "backup_file"
+    assert pol.deny_reason("/etc/passwd-") == "backup_file"