vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-05-06 16:16:26 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
Pulse/internal/agentexec/policy_test.go
rcourtman 778a2577b6 feat: Pulse v6 release
2026-03-18 16:06:30 +00:00

66 lines
2.2 KiB
Go
Raw Blame History

package agentexec
import "testing"
func TestCompilePatternsIgnoresInvalidRegex(t *testing.T) {
res := compilePatterns([]string{"^df(\\s|$)", "["})
if len(res) != 1 {
t.Fatalf("expected 1 compiled regex, got %d", len(res))
}
}
func TestDefaultPolicyEvaluate(t *testing.T) {
p := DefaultPolicy()
cases := []struct {
name string
command string
want PolicyDecision
}{
{"blocked", "rm -rf /", PolicyBlock},
{"blocked sudo", "sudo rm -rf /", PolicyBlock},
{"blocked sudo with flags", "sudo -u root rm -rf /", PolicyBlock},
{"auto approve", "df -h", PolicyAllow},
{"require approval", "systemctl restart nginx", PolicyRequireApproval},
{"unknown defaults to approval", "echo hello", PolicyRequireApproval},
{"sudo with flags remains conservative", "sudo -u root df -h", PolicyRequireApproval},
{"compound command requires approval", "df -h && echo ok", PolicyRequireApproval},
{"find delete requires approval", "find /var -type f -delete", PolicyRequireApproval},
// Proxmox VM control - should require approval, not be blocked
{"qm reboot requires approval", "qm reboot 201", PolicyRequireApproval},
{"qm shutdown requires approval", "qm shutdown 201", PolicyRequireApproval},
{"pct reboot requires approval", "pct reboot 100", PolicyRequireApproval},
{"pct shutdown requires approval", "pct shutdown 100", PolicyRequireApproval},
// Host-level system commands should be blocked
{"bare reboot blocked", "reboot", PolicyBlock},
{"bare shutdown blocked", "shutdown", PolicyBlock},
{"shutdown now blocked", "shutdown now", PolicyBlock},
{"reboot now blocked", "reboot -f", PolicyBlock},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
if got := p.Evaluate(tc.command); got != tc.want {
t.Fatalf("Evaluate(%q) = %q, want %q", tc.command, got, tc.want)
}
})
}
}
func TestPolicyHelpers(t *testing.T) {
p := DefaultPolicy()
if !p.IsBlocked("rm -rf /") {
t.Fatalf("expected rm -rf / to be blocked")
}
if !p.IsBlocked("sudo -u root rm -rf /") {
t.Fatalf("expected sudo -u root rm -rf / to be blocked")
}
if !p.NeedsApproval("echo hello") {
t.Fatalf("expected echo hello to require approval by default")
}
if !p.IsAutoApproved("df -h") {
t.Fatalf("expected df -h to be auto approved")
}
}
Reference in a new issue View git blame Copy permalink