Timothy
103 lines
3.2 KiB
Python
103 lines
3.2 KiB
Python
"""Security/policy tests: zsh refusal, env stripping, destructive catalog."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import pytest
|
|
|
|
|
|
def test_resolve_shell_rejects_zsh():
|
|
from terminal_tools.common.limits import ZshRefused, _resolve_shell
|
|
|
|
for path in ("/bin/zsh", "/usr/bin/zsh", "/usr/local/bin/zsh", "ZSH"):
|
|
with pytest.raises(ZshRefused):
|
|
_resolve_shell(path)
|
|
|
|
|
|
def test_resolve_shell_accepts_bash():
|
|
from terminal_tools.common.limits import _resolve_shell
|
|
|
|
assert _resolve_shell(True) == "/bin/bash"
|
|
assert _resolve_shell("/bin/bash") == "/bin/bash"
|
|
assert _resolve_shell(False) is None
|
|
|
|
|
|
def test_sanitized_env_strips_zsh_vars(monkeypatch):
|
|
from terminal_tools.common.limits import sanitized_env
|
|
|
|
monkeypatch.setenv("ZDOTDIR", "/some/path")
|
|
monkeypatch.setenv("ZSH_VERSION", "5.9")
|
|
monkeypatch.setenv("ZSH_NAME", "zsh")
|
|
monkeypatch.setenv("PATH", "/usr/bin:/bin")
|
|
|
|
env = sanitized_env()
|
|
assert "ZDOTDIR" not in env
|
|
assert "ZSH_VERSION" not in env
|
|
assert "ZSH_NAME" not in env
|
|
# Non-zsh vars survive
|
|
assert env["PATH"] == "/usr/bin:/bin"
|
|
|
|
|
|
def test_destructive_warning_catalog():
|
|
from terminal_tools.common.destructive_warning import get_warning
|
|
|
|
cases = [
|
|
("rm -rf /tmp/foo", "force-remove"),
|
|
("rm -r /tmp/foo", "recursively remove"),
|
|
("git reset --hard HEAD~1", "discard"),
|
|
("git push --force origin main", "remote history"),
|
|
("git push -f origin main", "remote history"),
|
|
("git commit --amend -m 'x'", "rewrite"),
|
|
("DROP TABLE users;", "drop or truncate"),
|
|
("DELETE FROM users;", "delete rows"),
|
|
("kubectl delete pod foo", "Kubernetes"),
|
|
("terraform destroy", "Terraform"),
|
|
]
|
|
for cmd, expected in cases:
|
|
warning = get_warning(cmd)
|
|
assert warning is not None, f"expected warning for {cmd!r}"
|
|
assert expected in warning, f"warning {warning!r} should mention {expected!r}"
|
|
|
|
|
|
def test_destructive_warning_clean_commands():
|
|
from terminal_tools.common.destructive_warning import get_warning
|
|
|
|
for cmd in ["ls -la", "echo hi", "git status", "git commit -m 'x'"]:
|
|
assert get_warning(cmd) is None, f"unexpected warning for {cmd!r}"
|
|
|
|
|
|
def test_semantic_exit_grep():
|
|
from terminal_tools.common.semantic_exit import classify
|
|
|
|
status, msg = classify("grep foo /tmp/x", 0)
|
|
assert status == "ok"
|
|
status, msg = classify("grep foo /tmp/x", 1)
|
|
assert status == "ok"
|
|
assert "No matches" in msg
|
|
status, msg = classify("grep foo /tmp/x", 2)
|
|
assert status == "error"
|
|
|
|
|
|
def test_semantic_exit_default():
|
|
from terminal_tools.common.semantic_exit import classify
|
|
|
|
status, msg = classify("ls", 0)
|
|
assert status == "ok"
|
|
assert msg is None
|
|
status, msg = classify("ls", 1)
|
|
assert status == "error"
|
|
|
|
|
|
def test_semantic_exit_signaled():
|
|
from terminal_tools.common.semantic_exit import classify
|
|
|
|
status, msg = classify("sleep 999", -15, signaled=True)
|
|
assert status == "signal"
|
|
|
|
|
|
def test_semantic_exit_timed_out():
|
|
from terminal_tools.common.semantic_exit import classify
|
|
|
|
status, msg = classify("sleep 999", None, timed_out=True)
|
|
assert status == "error"
|
|
assert "timed out" in msg.lower()
|