fix(host112): verify exact nopasswd sudo entries

This commit is contained in:
ogt
2026-07-14 16:05:24 +08:00
parent 12fc4b8914
commit 9ca6dff2ea
2 changed files with 80 additions and 7 deletions

View File

@@ -49,6 +49,54 @@ def test_sudo_policy_has_exact_correlated_apply_and_dry_run_only() -> None:
assert 'SUDO_LEGACY_UNCORRELATED_APPLY_NOPASSWD' in text
assert 'SUDO_UNSAFE_IDENTITY_NOPASSWD' in text
assert 'SUDO_POLICY_READY' in text
assert 'sudo_policy_is_nopasswd' in text
assert 'Options:' in text
assert '!authenticate' in text
def test_sudo_policy_parser_requires_nopasswd_and_match_in_same_entry() -> None:
text = source()
parser = text[
text.index("sudo_policy_output_has_nopasswd_match() {") : text.index(
"agent99_direct_authorization_ready() {"
)
]
broad_password_rule = """Sudoers entry: /etc/sudoers
RunAsUsers: ALL
Commands:
ALL
Matched: /usr/local/sbin/readiness --apply
"""
exact_nopasswd_rule = broad_password_rule + """Sudoers entry: /etc/sudoers.d/agent99
RunAsUsers: root
Options: !authenticate
Commands:
/usr/local/sbin/readiness ^--apply .*$
Matched: /usr/local/sbin/readiness --apply --trace-id safe
"""
split_entry_false_positive = """Sudoers entry: /etc/sudoers.d/one
Options: !authenticate
Commands:
/usr/bin/true
Sudoers entry: /etc/sudoers
Commands:
ALL
Matched: /usr/local/sbin/readiness --apply
"""
def parse(sample: str) -> subprocess.CompletedProcess[str]:
return subprocess.run(
["bash", "-c", parser + "\nsudo_policy_output_has_nopasswd_match"],
input=sample,
text=True,
capture_output=True,
check=False,
timeout=10,
)
assert parse(broad_password_rule).returncode != 0
assert parse(exact_nopasswd_rule).returncode == 0
assert parse(split_entry_false_positive).returncode != 0
def test_windows99_direct_route_is_fingerprint_bound_and_not_forced() -> None: