lp:~timrchavez/lp-scanner/lp-scanner-handle-unauthorized-access-to-project-owner-info into lp:lp-scanner
Timothy R. Chavez has proposed merging lp:~timrchavez/lp-scanner/lp-scanner-handle-unauthorized-access-to-project-owner-info into lp:lp-scanner.
Requested reviews:
The Launchpad Security Scanner Dev Team (lp-scanner-team)
For more details, see:
https://code.launchpad.net/~timrchavez/lp-scanner/lp-scanner-handle-unauthorized-access-to-project-owner-info/+merge/165727
The scanning user must have access to project owner info. If it does not, the project and/or the owner is "private", and the scanning user must be a member of that maintainer team to scan the project properly. Warnings are logged to the scan report so that appropriate action can be taken.
=== modified file 'security-scanner.py'
--- security-scanner.py 2013-05-24 17:45:49 +0000
+++ security-scanner.py 2013-05-25 02:59:27 +0000
@@ -263,9 +263,14 @@
# Team owner that's not allowed to own this
wrong_drivers_owners[project] = None
- if project.owner.name not in allowed_owners:
- # Project owner that's not allowed to own the project
- wrong_owners[project] = None
+ try:
+ if project.owner.name not in allowed_owners:
+ # Project owner that's not allowed to own the project
+ wrong_owners[project] = None
+ except ValueError:
+ printf("W: Cannot determine project owner name for project "
+ "'%s' because '%s' is not a member of the maintainer "
+ "team for this project" % (project.name, lp.me.name))
for branch in project.getBranches():
if (not branch.private and
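Review bot: The new `except ValueError:` around the owner-name check is narrower than the ppa handler in the next hunk, which also catches `lazr.restfulclient.errors.Unauthorized`; if the owner lookup on a private project raises Unauthorized here, the scan aborts instead of logging the warning. The branch also fails open for a security scanner: a project whose owner cannot be read is never added to `wrong_owners`, so a disallowed owner on a private project surfaces only as a "W:" line rather than as a finding. Suggest `except (ValueError, lazr.restfulclient.errors.Unauthorized):` and, in the handler, recording the project in a dedicated collection (e.g. `unverified_owners[project] = None`) that the report code outside this hunk lists for manual review. The enclosing function begins before and continues after this hunk, and whether `lp` and `printf` are in scope cannot be confirmed from the diff.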
@@ -282,11 +287,16 @@
if str(bug_task.bug.id) not in bug_exceptions:
public_bugs[bug_task.bug] = project
- for ppa in project.owner.ppas:
- # any ppas that are public and not listed as an exception
- if (not ppa.private and
- ppa.name not in ppa_exceptions):
- public_ppas[ppa] = project
+ try:
+ for ppa in project.owner.ppas:
+ # any ppas that are public and not listed as an exception
+ if (not ppa.private and
+ ppa.name not in ppa_exceptions):
+ public_ppas[ppa] = project
+ except (ValueError, lazr.restfulclient.errors.Unauthorized):
+ printf("W: Cannot get list of ppas for project '%s' because "
+ "'%s' is not a member of the maintainer team for this "
+ "project" % (project.name, lp.me.name))
project_team_grantee = False
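Review bot: The try block in this hunk wraps the whole loop rather than just the `project.owner.ppas` access that the new test exercises, so an exception raised part-way through (for instance while reading `ppa.private` or `ppa.name` on a later entry, if the client loads those lazily) discards the rest of the list while keeping the PPAs already recorded, and the warning then attributes to team membership what may be a different failure. Narrowing the try to the attribute fetch and iterating the result afterwards removes the partial-result case and keeps the warning text accurate; logging the caught exception alongside the message would also let the report distinguish Unauthorized from a ValueError. The enclosing function starts before and continues after this hunk.
```python
try:
    owner_ppas = project.owner.ppas
except (ValueError, lazr.restfulclient.errors.Unauthorized):
    printf("W: Cannot get list of ppas for project '%s' because "
           "'%s' is not a member of the maintainer team for this "
           "project" % (project.name, lp.me.name))
    owner_ppas = []
for ppa in owner_ppas:
    # any ppas that are public and not listed as an exception
    if (not ppa.private and
            ppa.name not in ppa_exceptions):
        public_ppas[ppa] = project
```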
@@ -682,29 +692,6 @@
"with the project team"
in security_report)
- def test_unauthorized_access_to_grantee_data_is_handled(self):
- """
- Test that unauthorized access of getPillarGranteeData is handled.
- """
- mock_project = self._setup_project(name="project")
- self._setup_project_group("test-project", [mock_project, ])
- self._setup_project_grantee(
- mock_project, name="project-team", permissions=[],
- result_bad=True)
- self.lp.me.name
- self.mocker.result("lexbuilder")
- self.mocker.count(0, None)
- self.mocker.replay()
- outfile = cStringIO.StringIO()
- security_scanner(self.lp, self.sharing, self.config, outfile)
- outfile.seek(0)
- security_report = outfile.read()
- self.assertTrue(
- "W: Cannot determine bug sharing policies for project "
- "'%s' because '%s' is not a member of the driver team "
- "for this project " % (mock_project.name, self.lp.me.name)
- in security_report)
-
def test_project_with_rogue_mailing_lists_on_driver(self):
driver = self._setup_driver(
name="not-in-allowed-mailing-lists",
@@ -757,6 +744,79 @@
"with the project team"
in security_report)
+ def test_unauthorized_access_to_project_owner_name_is_handled(self):
+ """
+ Test that unauthorized access to project owner name is handled.
+ """
+ owner = self._setup_owner(name="joey", ppas=[self._setup_ppa(private=True), ])
+ owner.name
+ self.mocker.throw(ValueError)
+ mock_project = self._setup_project(name="a-project", owner=owner)
+ self._setup_project_group("test-project", [mock_project, ])
+ self._setup_project_grantee(
+ mock_project, name="project-team", permissions=[])
+ self.lp.me.name
+ self.mocker.result("lexbuilder")
+ self.mocker.count(0, None)
+ self.mocker.replay()
+ outfile = cStringIO.StringIO()
+ security_scanner(self.lp, self.sharing, self.config, outfile)
+ outfile.seek(0)
+ security_report = outfile.read()
+ self.assertTrue(
+ "W: Cannot determine project owner name for project "
+ "'%s' because '%s' is not a member of the maintainer "
+ "team for this project" % (mock_project.name, self.lp.me.name)
+ in security_report)
+
+ def test_unauthorized_access_to_project_ppas_is_handled(self):
+ """
+ Test that unauthorized access to project ppas is handled.
+ """
+ owner = self._setup_owner(name="joey", ppas=[self._setup_ppa(private=True), ])
+ owner.ppas
+ self.mocker.throw(ValueError)
+ mock_project = self._setup_project(name="a-project", owner=owner)
+ self._setup_project_group("test-project", [mock_project, ])
+ self._setup_project_grantee(
+ mock_project, name="project-team", permissions=[])
+ self.lp.me.name
+ self.mocker.result("lexbuilder")
+ self.mocker.count(0, None)
+ self.mocker.replay()
+ outfile = cStringIO.StringIO()
+ security_scanner(self.lp, self.sharing, self.config, outfile)
+ outfile.seek(0)
+ security_report = outfile.read()
+ self.assertTrue(
+ "W: Cannot get list of ppas for project '%s' because "
+ "'%s' is not a member of the maintainer team for this "
+ "project" % (mock_project.name, self.lp.me.name)
+ in security_report)
+
+ def test_unauthorized_access_to_grantee_data_is_handled(self):
+ """
+ Test that unauthorized access of getPillarGranteeData is handled.
+ """
+ mock_project = self._setup_project(name="project")
+ self._setup_project_group("test-project", [mock_project, ])
+ self._setup_project_grantee(
+ mock_project, name="project-team", permissions=[],
+ result_bad=True)
+ self.lp.me.name
+ self.mocker.result("lexbuilder")
+ self.mocker.count(0, None)
+ self.mocker.replay()
+ outfile = cStringIO.StringIO()
+ security_scanner(self.lp, self.sharing, self.config, outfile)
+ outfile.seek(0)
+ security_report = outfile.read()
+ self.assertTrue(
+ "W: Cannot determine bug sharing policies for project "
+ "'%s' because '%s' is not a member of the driver team "
+ "for this project " % (mock_project.name, self.lp.me.name)
+ in security_report)
+
except ImportError:
if __name__ == "security-scanner":
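Review bot: `test_unauthorized_access_to_project_ppas_is_handled` throws only `ValueError` from `owner.ppas`, so the `lazr.restfulclient.errors.Unauthorized` branch that the production handler in security-scanner.py also catches is never exercised; add a sibling test (or a second `self.mocker.throw(...)` case) that raises Unauthorized and expects the same warning. Both new tests also assert only that the warning text appears, not what happens to the project in the owner/ppa findings, so the fail-open behaviour of the handlers is left unpinned; an assertion on the rest of the report body for `a-project` would document the intended outcome. The lines `owner = self._setup_owner(name="joey", ppas=[self._setup_ppa(private=True), ])` in both tests exceed the file's apparent line length and could be wrapped. `test_unauthorized_access_to_grantee_data_is_handled` is moved unchanged from earlier in the file.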