Initial commit

2026-04-25 23:09:31 +01:00
commit 3325436017
92 changed files with 18397 additions and 0 deletions
--- a/tests/test_compliance_bundled.py
+++ b/tests/test_compliance_bundled.py
@@ -0,0 +1,148 @@
+"""Bundled mSCP / Lynis resolution (no upstream clones)."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+from applepy.bootstrap_compliance import lynis_bundled_executable
+from applepy.checks import compliance
+from applepy.context import RunContext
+from applepy.mscp import resolve_mscp_root
+
+
+def _fake_pkg_root(tmp_path: Path) -> Path:
+    pkg = tmp_path / "pkg"
+    pkg.mkdir()
+    (pkg / "__init__.py").write_text("", encoding="utf-8")
+    return pkg
+
+
+def test_resolve_mscp_root_uses_bundled_layout(tmp_path: Path, monkeypatch) -> None:
+    import applepy
+
+    pkg = _fake_pkg_root(tmp_path)
+    mroot = pkg / "data" / "macos_security"
+    (mroot / "baselines").mkdir(parents=True)
+    (mroot / "scripts").mkdir()
+    (mroot / "scripts" / "generate_guidance.py").write_text("#\n", encoding="utf-8")
+    monkeypatch.setattr(applepy, "__file__", str(pkg / "__init__.py"))
+    monkeypatch.delenv("APPLEPY_MACOS_SECURITY_ROOT", raising=False)
+    got = resolve_mscp_root(tmp_path / "home", tmp_path / "cwd")
+    assert got is not None
+    assert got.resolve() == mroot.resolve()
+
+
+def test_resolve_mscp_root_env_beats_bundled(tmp_path: Path, monkeypatch) -> None:
+    import applepy
+
+    pkg = _fake_pkg_root(tmp_path)
+    bundled = pkg / "data" / "macos_security"
+    (bundled / "baselines").mkdir(parents=True)
+    (bundled / "scripts").mkdir()
+    (bundled / "scripts" / "generate_guidance.py").write_text("#\n", encoding="utf-8")
+
+    env_root = tmp_path / "from_env"
+    (env_root / "baselines").mkdir(parents=True)
+    (env_root / "scripts").mkdir()
+    (env_root / "scripts" / "generate_guidance.py").write_text("#\n", encoding="utf-8")
+
+    monkeypatch.setattr(applepy, "__file__", str(pkg / "__init__.py"))
+    monkeypatch.setenv("APPLEPY_MACOS_SECURITY_ROOT", str(env_root))
+    got = resolve_mscp_root(tmp_path / "home", tmp_path / "cwd")
+    assert got is not None
+    assert got.resolve() == env_root.resolve()
+
+
+def test_lynis_bundled_executable(tmp_path: Path, monkeypatch) -> None:
+    import applepy
+
+    pkg = _fake_pkg_root(tmp_path)
+    ldir = pkg / "data" / "lynis"
+    ldir.mkdir(parents=True)
+    script = ldir / "lynis"
+    script.write_text("#!/bin/sh\necho\n", encoding="utf-8")
+    monkeypatch.setattr(applepy, "__file__", str(pkg / "__init__.py"))
+    got = lynis_bundled_executable()
+    assert got is not None
+    assert got.resolve() == script.resolve()
+
+
+def test_resolve_lynis_prefers_path_after_which(tmp_path: Path, monkeypatch) -> None:
+    import applepy
+
+    pkg = _fake_pkg_root(tmp_path)
+    ldir = pkg / "data" / "lynis"
+    ldir.mkdir(parents=True)
+    bundled_script = ldir / "lynis"
+    bundled_script.write_text("#\n", encoding="utf-8")
+
+    monkeypatch.setattr(applepy, "__file__", str(pkg / "__init__.py"))
+
+    def fake_run_text(cmd: list[str], timeout: int = 30, cwd=None):
+        if cmd[:2] == ["/usr/bin/which", "lynis"]:
+            return 0, "/usr/local/bin/lynis\n", ""
+        raise AssertionError(f"unexpected cmd: {cmd}")
+
+    monkeypatch.setattr(compliance, "run_text", fake_run_text)
+    assert compliance._resolve_lynis_executable() == "/usr/local/bin/lynis"
+
+
+def test_resolve_lynis_falls_back_to_bundled(tmp_path: Path, monkeypatch) -> None:
+    import applepy
+
+    pkg = _fake_pkg_root(tmp_path)
+    ldir = pkg / "data" / "lynis"
+    ldir.mkdir(parents=True)
+    bundled_script = ldir / "lynis"
+    bundled_script.write_text("#\n", encoding="utf-8")
+    monkeypatch.setattr(applepy, "__file__", str(pkg / "__init__.py"))
+
+    def fake_run_text(cmd: list[str], timeout: int = 30, cwd=None):
+        if cmd[:2] == ["/usr/bin/which", "lynis"]:
+            return 1, "", ""
+        raise AssertionError(f"unexpected cmd: {cmd}")
+
+    monkeypatch.setattr(compliance, "run_text", fake_run_text)
+    assert compliance._resolve_lynis_executable() == str(bundled_script.resolve())
+
+
+def test_truncate_lynis_evidence_short_unchanged() -> None:
+    s = "a" * 100
+    assert compliance._truncate_lynis_evidence(s) == s
+
+
+def test_check_lynis_run_uses_lynis_install_root_as_cwd(tmp_path: Path, monkeypatch) -> None:
+    """Lynis discovers ./include from pwd; cwd must be the directory that contains the script."""
+    nest = tmp_path / "opt" / "lynis"
+    nest.mkdir(parents=True)
+    script = nest / "lynis"
+    script.write_text("#!/bin/sh\necho ok\n", encoding="utf-8")
+    script.chmod(0o755)
+    monkeypatch.setattr(compliance, "_resolve_lynis_executable", lambda: str(script))
+    captured: dict[str, object] = {}
+
+    def capture_run(cmd: list[str], timeout: float = 400, cwd=None):
+        captured["cwd"] = cwd
+        captured["cmd"] = cmd
+        return 0, "ok", ""
+
+    monkeypatch.setattr(compliance, "run_text", capture_run)
+    ctx = RunContext(home=tmp_path, output_dir=tmp_path, phase="unprivileged", dry_run=False)
+    compliance.check_lynis_run(ctx)
+    assert captured["cwd"] == str(nest.resolve())
+    assert captured["cmd"][0] == str(script)
+
+
+def test_truncate_lynis_evidence_long_inserts_ellipsis() -> None:
+    s = "x" * 50_000
+    out = compliance._truncate_lynis_evidence(s, max_chars=1000)
+    assert "omitted" in out
+    assert len(out) < len(s)
+
+
+def test_cap_mscp_transcript_truncates(monkeypatch) -> None:
+    monkeypatch.setenv("APPLEPY_MSCP_COMPLIANCE_LOG_MAX", "8192")
+    long = "Z" * 20_000
+    out = compliance._cap_mscp_transcript("stdout", long)
+    assert "truncated" in out
+    assert len(out) < len(long)