Skip to content

Commit

Permalink
chore(explain_manifest): bump lief and return matched groups
Browse files Browse the repository at this point in the history
  • Loading branch information
fffonion committed Sep 9, 2024
1 parent ad3e19a commit b32bcad
Show file tree
Hide file tree
Showing 3 changed files with 37 additions and 24 deletions.
21 changes: 15 additions & 6 deletions scripts/explain_manifest/expect.py
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,7 @@ def _print_all_fails(self):

def _compare(self, attr, fn):
self._checks_count += 1
results = []
for f in self._files:
if not hasattr(f, attr):
continue # accept missing attribute for now
Expand All @@ -153,8 +154,8 @@ def _compare(self, attr, fn):
if self._key_name not in v:
return True
v = v[self._key_name]
(ok, err_template) = fn(v)
if (not not ok) == self._logical_reverse:
(r, err_template) = fn(v)
if (not not r) == self._logical_reverse:
_not = "not"
if self._logical_reverse:
_not = "actually"
Expand All @@ -163,7 +164,8 @@ def _compare(self, attr, fn):
f.relpath, attr, err_template.format(v, NOT=_not)
))
return False
return True
results.append(r)
return results

def _exist(self):
self._checks_count += 1
Expand All @@ -179,7 +181,9 @@ def _equal(self, attr, expect):
return self._compare(attr, lambda a: (a == expect, "'{}' does {NOT} equal to '%s'" % expect))

def _match(self, attr, expect):
return self._compare(attr, lambda a: (re.search(expect, a), "'{}' does {NOT} match '%s'" % expect))
r = self._compare(attr, lambda a: (re.search(expect, a), "'{}' does {NOT} match '%s'" % expect))
self.last_macthes = r
return (not not r)

def _less_than(self, attr, expect):
def fn(a):
Expand Down Expand Up @@ -222,8 +226,9 @@ def fn(a):
if isinstance(a, list):
msg = "'%s' is {NOT} found in the list" % expect
for e in a:
if re.search(expect, e):
return True, msg
r = re.search(expect, e)
if r:
return r, msg
return False, msg
else:
return False, "'%s' is not a list" % attr
Expand Down Expand Up @@ -331,3 +336,7 @@ def run(self, suite: ExpectSuite):
s(self.expect, **suite.tests[s])

self._print_result() # cleanup the lazy buffer


def get_last_macthes(self):
return self.last_macthes
17 changes: 9 additions & 8 deletions scripts/explain_manifest/explain.py
Original file line number Diff line number Diff line change
Expand Up @@ -132,15 +132,16 @@ def __init__(self, path, relpath):
if not binary: # not an ELF file, malformed, etc
return

self.arch = binary.header.machine_type.name
# lief._lief.ELF.ARCH.X86_64
self.arch = str(binary.header.machine_type).split(".")[-1]

for d in binary.dynamic_entries:
if d.tag == lief.ELF.DYNAMIC_TAGS.NEEDED:
if d.tag == lief._lief.ELF.DynamicEntry.TAG.NEEDED:
self.needed_libraries.append(d.name)
elif d.tag == lief.ELF.DYNAMIC_TAGS.RPATH:
self.rpath = d.name
elif d.tag == lief.ELF.DYNAMIC_TAGS.RUNPATH:
self.runpath = d.name
elif d.tag == lief._lief.ELF.DynamicEntry.TAG.RPATH:
self.rpath = d.runpath
elif d.tag == lief._lief.ELF.DynamicEntry.TAG.RUNPATH:
self.runpath = d.runpath

# create closures and lazily evaluated
self.get_exported_symbols = lambda: sorted(
Expand Down Expand Up @@ -203,7 +204,7 @@ def __init__(self, path, relpath):
binary = lief.parse(path)

for s in binary.strings:
if re.match("\s*--prefix=/", s):
if re.match(r"\s*--prefix=/", s):
self.nginx_compile_flags = s
for m in re.findall("add(?:-dynamic)?-module=(.*?) ", s):
if m.startswith("../"): # skip bundled modules
Expand All @@ -215,7 +216,7 @@ def __init__(self, path, relpath):
else:
self.nginx_modules.append(os.path.join(pdir, mname))
self.nginx_modules = sorted(self.nginx_modules)
elif m := re.match("^built with (.+) \(running with", s):
elif m := re.match(r"^built with (.+) \(running with", s):
self.nginx_compiled_openssl = m.group(1).strip()

# Fetch DWARF infos
Expand Down
23 changes: 13 additions & 10 deletions scripts/explain_manifest/suites.py
Original file line number Diff line number Diff line change
Expand Up @@ -49,11 +49,11 @@ def common_suites(expect, libxcrypt_no_obsolete_api: bool = False, skip_libsimdj
.exported_symbols.contain("pcre2_general_context_free_8") \
.exported_symbols.do_not().contain("pcre_free") \
.needed_libraries.do_not().contain_match("libpcre.so.+") \
.needed_libraries.do_not().contain_match("libpcre.+.so.+") \
.needed_libraries.do_not().contain_match("libpcre2\-(8|16|32).so.+") \
.needed_libraries.do_not().contain_match(r"libpcre.+.so.+") \
.needed_libraries.do_not().contain_match(r"libpcre2\-(8|16|32).so.+") \

expect("/usr/local/openresty/nginx/sbin/nginx", "nginx should not be compiled with debug flag") \
.nginx_compile_flags.do_not().match("with\-debug")
.nginx_compile_flags.do_not().match(r"with\-debug")

expect("/usr/local/openresty/nginx/sbin/nginx", "nginx should include Kong's patches") \
.functions \
Expand Down Expand Up @@ -96,7 +96,7 @@ def common_suites(expect, libxcrypt_no_obsolete_api: bool = False, skip_libsimdj
.needed_libraries.contain("libcrypt.so.1")

expect("/usr/local/openresty/nginx/sbin/nginx", "nginx compiled with OpenSSL 3.2.x") \
.nginx_compiled_openssl.matches("OpenSSL 3.2.\d") \
.nginx_compiled_openssl.matches(r"OpenSSL 3.2.\d") \
.version_requirement.key("libssl.so.3").less_than("OPENSSL_3.3.0") \
.version_requirement.key("libcrypto.so.3").less_than("OPENSSL_3.3.0") \

Expand Down Expand Up @@ -138,14 +138,17 @@ def arm64_suites(expect):
.arch.equals("AARCH64")

def docker_suites(expect):
kong_uid = 1000
kong_gid = 1000

expect("/etc/passwd", "kong user exists") \
.text_content.matches("kong:x:%d" % kong_uid)
m = expect("/etc/passwd", "kong user exists") \
.text_content.matches(r"kong:x:(\d+)").get_last_macthes()

expect("/etc/group", "kong group exists") \
.text_content.matches("kong:x:%d" % kong_gid)
kong_uid = int(m[0].groups()[0])


m = expect("/etc/group", "kong group exists") \
.text_content.matches(r"kong:x:(\d+)").get_last_macthes()

kong_gid = int(m[0].groups()[0])

for path in ("/usr/local/kong/**", "/usr/local/bin/kong"):
expect(path, "%s owned by kong:root" % path) \
Expand Down

0 comments on commit b32bcad

Please sign in to comment.