Merge remote-tracking branch 'origin/pr/174'

* origin/pr/174: tests: fix POLICY_PROGRAM and update documentation
QubesOS · Sep 13, 2024 · 7d66382 · 7d66382
2 parents 98e0acd + 34211a2
commit 7d66382
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 14 deletions.
diff --git a/doc/qrexec-policy-daemon.rst b/doc/qrexec-policy-daemon.rst
@@ -20,26 +20,23 @@ Optional arguments:
 - assume_yes_for_ask=yes
 - just_evaluate=yes
 
+End of request is always an empty line.
 
 Response
 --------
 
-`result=allow/deny`
+result=allow/deny
 
+All responses that do not start with result=allow or result=deny are incorrect and will be rejected.
 Any possible extensions may be placed on next lines.
-All responses that do not start with `result=allow` or `result=deny` are
-incorrect and will be rejected.
-
-End of request is always an empty line.
 Response is always terminated by EOF.
 
+- result=allow requires autostart= and either target= or target_uuid= extensions.
+- result=deny forbids autostart=, target= and target_uuid= extensions.
+
 Extensions include:
 
-- `target=`: Name of the target, optionally preceded by `@dispvm:`
-  `@dispvm:` prefix means that this is a disposable VM template and a new disposable VM will be created automatically.
-  In allow responses, ignored if `target_uuid=` is present, required otherwise.
-  Forbidden in deny responses.
-- `autostart=`: `True` to automatically start the VM, `False` to not start it.
-  Anything else is invalid.
-  Required in allow responses, forbidden in deny responses.
-- `requested_target=`: Normalized version of the target domain.
+- target=: The name of the target domain. If prefixed with @dispvm:, it indicates a disposable VM template, and a new disposable VM will be created automatically.
+- target_uuid=: The UUID of the target domain.
+- autostart=: True to automatically start the VM, False to not start it. Anything else is invalid.
+- requested_target=: Normalized version of the target domain.
diff --git a/qrexec/tests/socket/daemon.py b/qrexec/tests/socket/daemon.py
@@ -30,6 +30,7 @@
 import socket
 
 import psutil
+import pytest
 
 from . import qrexec
 from . import util
@@ -49,9 +50,27 @@ class TestDaemon(unittest.TestCase):
     POLICY_PROGRAM = """\
 #!/bin/sh
 
+# -- remote_domain_name target_name service_name
 echo "$@" > {tempdir}/qrexec-policy-params
+
 sleep $(cat {tempdir}/qrexec-policy-sleep || echo 0)
-exit $(cat {tempdir}/qrexec-policy-exitcode || echo 1)
+exit_code=$(cat {tempdir}/qrexec-policy-exitcode || echo 1)
+
+# Prepare the response based on the exit code
+if [ "$exit_code" -eq 0 ]; then
+    # Allow response
+    printf 'result=allow\n'
+    printf 'autostart=True\n'
+    printf 'user=toto\n'
+    printf 'target=%s\n' "$3"
+    printf 'requested_target=%s\n' "$3"
+else
+    # Deny response
+    echo "result=deny"
+fi
+# End of response
+
+exit $exit_code
 """
 
     def setUp(self):
@@ -268,6 +287,58 @@ def recv_refused(agent):
             )
             recv_refused(agent)
 
+    def test_new_style_request(self):
+        """
+        Test that qrexec-daemon accepts request.
+        """
+        agent = self.start_daemon_with_agent()
+        agent.handshake()
+
+        target_domain_name = "target_domain"
+        ident = "ab"
+
+        # check policy program output
+        policy_program_path = os.path.join(self.tempdir, "qrexec-policy-exec")
+
+        # set deny
+        self.set_policy_params(1, 1)
+
+        result = subprocess.run(
+            [policy_program_path, "--", "somedomain", "anotherdomain", "someservice"],
+            capture_output=True,
+            text=True
+        )
+        assert result.stdout == "result=deny\n"
+
+        # set allow
+        self.set_policy_params(1, 0)
+
+        result = subprocess.run(
+            [policy_program_path, "--", "somedomain", "anotherdomain", "someservice"],
+            capture_output=True,
+            text=True
+        )
+        assert result.stdout == """result=allow
+autostart=True
+user=toto
+target=anotherdomain
+requested_target=anotherdomain
+"""
+
+        # check allowed request
+        agent.send_message(
+            qrexec.MSG_TRIGGER_SERVICE3,
+            struct.pack("<64s32s", self.domain_name.encode(), ident.encode())
+            + b"a\0",
+        )
+        message_type, data = agent.recv_message()
+        self.assertEqual(message_type, qrexec.MSG_EXEC_CMDLINE)
+        self.assertTrue(
+            os.path.exists(
+                os.path.join(self.tempdir, "qrexec-policy-params")
+            )
+        )
+
     def test_qsb_089(self):
         """
         Test that qrexec-daemon doesn't corrupt memory on empty request