Include files from /usr/local/bin and /usr/local/etc in harvest (assuming they aren't binaries or symlinks) and store in usr_local_custom role, similar to etc_custom.

2025-12-18 17:11:04 +11:00 · 2025-12-18 17:11:04 +11:00 · 4660a0703e
commit 4660a0703e
parent b5d2b99174
11 changed files with 551 additions and 3 deletions
--- a/tests/test_misc_coverage.py
+++ b/tests/test_misc_coverage.py
@ -0,0 +1,96 @@
+import stat
+from pathlib import Path
+
+import pytest
+
+from enroll.cache import _safe_component, new_harvest_cache_dir
+from enroll.ignore import IgnorePolicy
+from enroll.sopsutil import (
+    SopsError,
+    _pgp_arg,
+    decrypt_file_binary_to,
+    encrypt_file_binary,
+)
+
+
+def test_safe_component_sanitizes_and_bounds_length():
+    assert _safe_component("  ") == "unknown"
+    assert _safe_component("a/b c") == "a_b_c"
+    assert _safe_component("x" * 200) == "x" * 64
+
+
+def test_new_harvest_cache_dir_uses_xdg_cache_home(tmp_path: Path, monkeypatch):
+    monkeypatch.setenv("XDG_CACHE_HOME", str(tmp_path / "xdg"))
+    hc = new_harvest_cache_dir(hint="my host/01")
+    assert hc.dir.exists()
+    assert "my_host_01" in hc.dir.name
+    assert str(hc.dir).startswith(str(tmp_path / "xdg"))
+    # best-effort: ensure directory is not world-readable on typical FS
+    try:
+        mode = stat.S_IMODE(hc.dir.stat().st_mode)
+        assert mode & 0o077 == 0
+    except OSError:
+        pass
+
+
+def test_ignore_policy_denies_binary_and_sensitive_content(tmp_path: Path):
+    p_bin = tmp_path / "binfile"
+    p_bin.write_bytes(b"abc\x00def")
+    assert IgnorePolicy().deny_reason(str(p_bin)) == "binary_like"
+
+    p_secret = tmp_path / "secret.conf"
+    p_secret.write_text("password=foo\n", encoding="utf-8")
+    assert IgnorePolicy().deny_reason(str(p_secret)) == "sensitive_content"
+
+    # dangerous mode disables heuristic scanning (but still checks file-ness/size)
+    assert IgnorePolicy(dangerous=True).deny_reason(str(p_secret)) is None
+
+
+def test_ignore_policy_denies_usr_local_shadow_by_glob():
+    # This should short-circuit before stat() (path doesn't need to exist).
+    assert IgnorePolicy().deny_reason("/usr/local/etc/shadow") == "denied_path"
+
+
+def test_sops_pgp_arg_and_encrypt_decrypt_roundtrip(tmp_path: Path, monkeypatch):
+    assert _pgp_arg(["  ABC ", "DEF"]) == "ABC,DEF"
+    with pytest.raises(SopsError):
+        _pgp_arg([])
+
+    # Stub out sops and subprocess.
+    import enroll.sopsutil as s
+
+    monkeypatch.setattr(s, "require_sops_cmd", lambda: "sops")
+
+    class R:
+        def __init__(self, rc: int, out: bytes, err: bytes = b""):
+            self.returncode = rc
+            self.stdout = out
+            self.stderr = err
+
+    calls = []
+
+    def fake_run(cmd, capture_output, check):
+        calls.append(cmd)
+        # Return a deterministic payload so we can assert file writes.
+        if "--encrypt" in cmd:
+            return R(0, b"ENCRYPTED")
+        if "--decrypt" in cmd:
+            return R(0, b"PLAINTEXT")
+        return R(1, b"", b"bad")
+
+    monkeypatch.setattr(s.subprocess, "run", fake_run)
+
+    src = tmp_path / "src.bin"
+    src.write_bytes(b"x")
+    enc = tmp_path / "out.sops"
+    dec = tmp_path / "out.bin"
+
+    encrypt_file_binary(src, enc, pgp_fingerprints=["ABC"], mode=0o600)
+    assert enc.read_bytes() == b"ENCRYPTED"
+
+    decrypt_file_binary_to(enc, dec, mode=0o644)
+    assert dec.read_bytes() == b"PLAINTEXT"
+
+    # Sanity: we invoked encrypt and decrypt.
+    assert any("--encrypt" in c for c in calls)
+    assert any("--decrypt" in c for c in calls)