Launchpad itself

Merge lp://staging/~jcsackett/launchpad/add-security-audit-utility into lp://staging/launchpad

add-security-audit-utility
Merge into devel

Proposed by j.c.sackett on 2011-04-18

Status:

Merged

Approved by:

j.c.sackett on 2011-04-19

Approved revision:

no longer in the source branch.

Merged at revision:

12896

Proposed branch:

lp://staging/~jcsackett/launchpad/add-security-audit-utility

Merge into:

lp://staging/launchpad

Diff against target:

147 lines (+138/-0)

2 files modified

lib/lp/scripts/utilities/tests/test_audit_security_settings.py (+26/-0)
utilities/audit-security-settings.py (+112/-0)

To merge this branch:

bzr merge lp://staging/~jcsackett/launchpad/add-security-audit-utility

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Benji York (community)	code	2011-04-18	Approve on 2011-04-19
Review via email: mp+58199@code.staging.launchpad.net

Commit message

[r=benji][bug=765207][no-qa][incr] Adds utility to check for dupes in security.cfg

Description of the change

Summary
=======
database/schema/security.cfg has duplicate entries for permissions under the same section. This caused an error in bug expiration, and has the potential to be a timebomb. There isn't currently anyway of easily checking for these dupes. This utility is an easy way to check.

This branch does not attempt to remove duplicates--some of the duplicate settings are contradictory (one specifies only SELECT, another says SELECT and UPDATE). Another branch can be landed down the line to correct the file, once all duplicates are checked via this utility.

Preimp
======
Spoke with Curtis Hovey

Implementation
==============
Adds a utility which scans security.cfg and reports and duplicates.

QA
==
Run the script in a branch, it will report any dupes.

Lint
====
make lint:

= Launchpad lint =

Checking for conflicts and issues in changed files.

Linting changed files:
utilities/audit-security.py

Revision history for this message

Benji York (benji) wrote on 2011-04-19:

This branch looks fine. There's nothing keeping this from being merged,
but here are a few things to consider:

If comment lines can also start with whitespace, you might want to strip
before looking for the comment character, like so:

    def strip(data):
        data = [d for d in data if not d.strip().startswith('#')]
        return [d for d in data if d.strip() != '']

It would be nice if this were tested to be sure that it reports the
errors you expect it to report (and more importantly, that it doesn't
stop reporting errors in the future when someone breaks it).

Would it be possible to run this at "make" time or as part of the test
suite? It'd be great if buildbot/jenkins would tell us if we introduced
errors that this code can find.

I see that the standard library's ConfigParser wouldn't work for this
use case; you might add a note explaining why you parse the file
yourself.

Since you use the "__metatype__ = type" trick you don't need to subclass
from object when defining SettingsAuditor.

In start_new_section, I don't see why you have to make a copy of
self.observed_settings because you're going to discard it at the end of
the method anyway.

You use "sys.exit(main())" but main doesn't ever return a non-None
value.

review: Approve (code)

Revision history for this message

j.c.sackett (jcsackett) wrote on 2011-04-19:

Benji--

Thanks for the notes; a fair amount of what you saw were artifacts of the scripts creation--I've cleaned them up, and good spotting on your part.

I think there's a case to hook this up, but like "make lint" I'm not sure it's actually something we always want run--it's not terribly expensive now, and it's only really useful for specific work. We can investigate hooking it in in a future branch; once this lands I'll send out an email to dev about it to start that discussion.

Revision history for this message

j.c.sackett (jcsackett) wrote on 2011-04-19:

And I have added a quick smoketest that will be run as part of testrunner for it. It's a bit ugly, but the utility stuff is difficult to test.