Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GT-157] Drop messages from banned dns, and add tests for messages saving to the correct queue #238

Open
wants to merge 13 commits into
base: dev
Choose a base branch
from
Open

[GT-157] Drop messages from banned dns, and add tests for messages saving to the correct queue #238

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
5452084
Drop messages from banned dns
rowan04 Jun 15, 2023
728b8d7
Change method of dealing with messsages from banned dns
rowan04 Jun 21, 2023
87a9067
Initial workings on unit test
rowan04 Jul 20, 2023
ded3121
Add mocking of _handle_msg() function to prevent errors
rowan04 Sep 18, 2023
b3ea5fe
Simplify command line output and remove unused queues
rowan04 Sep 19, 2023
4024cf9
Removing unnecessary code
rowan04 Sep 19, 2023
60c8f37
Add assertion tests using LogCapture
rowan04 Sep 20, 2023
e47b15e
Add testing for messages being sent to the reject queue
rowan04 Sep 20, 2023
7ef624b
Address comments from code review
rowan04 Sep 27, 2023
f632de4
Merge branch 'dev' into 184-drop-messages-from-banned-dns
rowan04 Sep 27, 2023
6b5ef75
Add testfixtures to requirements-test.txt
rowan04 Sep 28, 2023
7243862
Add tear-down and remove final print output
rowan04 Sep 28, 2023
0cabbe5
Removes unnecessary try...finally wrapper
rowan04 Sep 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions ssm/agents.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -298,6 +298,10 @@ def run_receiver(protocol, brokers, project, token, cp, log, dn_file):
dns = get_dns(dn_file, log)
ssm.set_dns(dns)

log.info('Fetching banned DNs.')
banned_dns = get_banned_dns(log)
ssm.set_banned_dns(banned_dns)

except Exception as e:
log.fatal('Failed to initialise SSM: %s', e)
log.info(LOG_BREAK)
Expand Down Expand Up @@ -379,3 +383,30 @@ def get_dns(dn_file, log):

log.debug('%s DNs found.', len(dns))
return dns


def get_banned_dns(log):
"""Retrieve the list of banned dns"""
banned_dns_list = []
tofu-rocketry marked this conversation as resolved.
Show resolved Hide resolved
try:
banned_dns_path = cp.get('auth', 'banned-dns')
tofu-rocketry marked this conversation as resolved.
Show resolved Hide resolved
banned_dns_file = os.path.normpath(os.path.expandvars(banned_dns_path))
except ConfigParser.NoOptionError:
banned_dns_file = None
f = None
try:
f = open(banned_dns_file, 'r')
tofu-rocketry marked this conversation as resolved.
Show resolved Hide resolved
lines = f.readlines()
for line in lines:
if line.isspace() or line.strip().startswith('#'):
continue
elif line.strip().startswith('/'):
banned_dns_list.append(line.strip())
else:
log.warning('DN in banned dns list is not in correct format: %s', line)
finally:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now we have a context manager for the file, we can get rid of the try...finally wrapper (and the `f=None') as the file will close as soon as the handler is exited (whether normally or by exception).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

if f is not None:
f.close()

return banned_dns_list

14 changes: 14 additions & 0 deletions ssm/ssm2.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,7 @@ def __init__(self, hosts_and_ports, qpath, cert, key, dest=None, listen=None,
self._dest = dest

self._valid_dns = []
self._banned_dns = []
self._pidfile = pidfile

# Used to differentiate between STOMP and AMS methods
Expand Down Expand Up @@ -189,6 +190,10 @@ def set_dns(self, dn_list):
"""Set the list of DNs which are allowed to sign incoming messages."""
self._valid_dns = dn_list

def set_banned_dns(self, banned_dn_list):
"""Set the list of banned dns, so their messages can be dropped."""
self._banned_dns = banned_dn_list

##########################################################################
# Methods called by stomppy
##########################################################################
Expand Down Expand Up @@ -283,8 +288,10 @@ def _handle_msg(self, text):
Namely:
- decrypt if necessary
- verify signature
- drop the message if the sender is a banned dn
- Return plain-text message, signer's DN and an error/None.
"""

if text is None or text == '':
warning = 'Empty text passed to _handle_msg.'
log.warning(warning)
Expand All @@ -307,6 +314,13 @@ def _handle_msg(self, text):
log.error(error)
return None, None, error

# If the message has been sent from a banned dn,
# don't send the message to the reject queue.
# Instead, just drop the message.
if signer in self._banned_dns:
log.info("Message deleted as was sent from banned dn: %s", signer)
github-advanced-security[bot] marked this conversation as resolved.
Fixed Show resolved Hide resolved
return

if signer not in self._valid_dns:
warning = 'Signer not in valid DNs list: %s' % signer
log.warning(warning)
Expand Down