# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import logging
import os
import shutil
from autotest_lib.client.bin import test
from autotest_lib.client.common_lib import error
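class security_AccountsBaseline(test.test):
    """Compare /etc/passwd and /etc/group with the baselines in bindir.

    The test fails when an account or group is missing, when one exists that
    the baseline does not list, or when a listed one has a different id (or,
    for groups, a different member set).

    Scope of the check, as implemented here:
      * passwd entries are compared on name, uid and gid only. The other
        passwd(5) fields (password placeholder, GECOS, home directory,
        login shell) are not compared, so a changed shell or home directory
        for a baselined account does not fail this test.
      * When a name occurs more than once in a file, only its first entry
        is compared field by field; the extra entry shows up through the
        entry-count mismatch.
    """
    version = 1

    def load_path(self, fpath):
        """Load the given passwd/group file.

        Returns a list with one item per line of the file; each item is the
        list of colon-separated fields of that line, with surrounding
        whitespace stripped from the line first.
        """
        # Use a context manager so the handle is closed right away instead
        # of whenever the file object happens to be collected.
        with open(fpath) as f:
            return [line.strip().split(':') for line in f]

    def capture_files(self):
        """Copy /etc/passwd and /etc/group into the results directory.

        The copies let a failure be diagnosed from the test results alone.
        """
        for f in ['passwd', 'group']:
            shutil.copyfile(os.path.join('/etc', f),
                            os.path.join(self.resultsdir, f))

    def _first_by_name(self, entries):
        """Map each name (first field) to the first entry that carries it."""
        index = {}
        for entry in entries:
            index.setdefault(entry[0], entry)
        return index

    def _check_passwd(self):
        """Compare /etc/passwd with baseline.passwd; return True on mismatch."""
        failed = False
        baseline = self.load_path(os.path.join(self.bindir,
                                               'baseline.passwd'))
        actual = self.load_path('/etc/passwd')
        if len(actual) != len(baseline):
            failed = True
            logging.error('User baseline mismatch. '
                          'Expected: %d users. Got: %d.',
                          len(baseline), len(actual))

        actual_by_name = self._first_by_name(actual)
        for expected in baseline:
            got = actual_by_name.get(expected[0])
            if got is None:
                failed = True
                logging.error('No passwd entry for %s', expected[0])
                continue
            # A truncated line must be reported as a mismatch, not abort the
            # test with an IndexError before the remaining entries are
            # checked.
            if len(expected) < 4 or len(got) < 4:
                failed = True
                logging.error('Malformed passwd entry for %s', expected[0])
                continue
            # Match uid (3rd field) and gid (4th field).
            if (expected[2], expected[3]) != (got[2], got[3]):
                failed = True
                logging.error(
                    'Expected uid/gid (%s, %s) for user %s. Got (%s, %s)',
                    expected[2], expected[3], got[0], got[2], got[3])

        # Anything present on the system but absent from the baseline is an
        # account nobody reviewed.
        baseline_names = set(entry[0] for entry in baseline)
        for entry in actual:
            if entry[0] not in baseline_names:
                failed = True
                logging.error('Unexpected passwd entry for %s', entry[0])
        return failed

    def _check_group(self):
        """Compare /etc/group with baseline.group; return True on mismatch."""
        failed = False
        baseline = self.load_path(os.path.join(self.bindir,
                                               'baseline.group'))
        actual = self.load_path('/etc/group')
        if len(actual) != len(baseline):
            failed = True
            logging.error('Group baseline mismatch. '
                          'Expected: %d groups. Got: %d.',
                          len(baseline), len(actual))

        actual_by_name = self._first_by_name(actual)
        for expected in baseline:
            got = actual_by_name.get(expected[0])
            if got is None:
                failed = True
                logging.error('No group entry for %s', expected[0])
                continue
            # Same reasoning as for passwd: report short lines, do not crash.
            if len(expected) < 4 or len(got) < 4:
                failed = True
                logging.error('Malformed group entry for %s', expected[0])
                continue
            # Match gid (3rd field) and members (4th field. comma separated).
            if expected[2] != got[2]:
                failed = True
                logging.error('Expected id %s for group %s. Got %s',
                              expected[2], expected[0], got[2])
            # Membership is compared as a set, so member order is ignored.
            if set(expected[3].split(',')) != set(got[3].split(',')):
                failed = True
                logging.error(
                    'Expected members %s for group %s. Got %s',
                    expected[3], expected[0], got[3])

        baseline_names = set(entry[0] for entry in baseline)
        for entry in actual:
            if entry[0] not in baseline_names:
                failed = True
                logging.error('Unexpected group entry for %s', entry[0])
        return failed

    def run_once(self):
        """Run both comparisons and fail if either found a mismatch.

        Raises:
            error.TestFail: if passwd or group differs from its baseline.
        """
        self.capture_files()
        # Run both checks before deciding, so that every mismatch in both
        # files is logged in a single run.
        passwd_failed = self._check_passwd()
        group_failed = self._check_group()
        # Fail the test after all mismatches have been reported.
        if passwd_failed or group_failed:
            raise error.TestFail('Baseline mismatch.')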