def testSysCVEAllowlist(self): # 1. User(RA) reads the system level CVE allowlist and it's empty. wl = self.system.get_cve_allowlist(**self.USER_RA_CLIENT) self.assertEqual( 0, len(wl.items), "The initial system level CVE allowlist is not empty: %s" % wl.items) # 2. User(RA) updates the system level CVE allowlist, verify it's failed. cves = ['CVE-2019-12310'] self.system.set_cve_allowlist(None, 403, *cves, **self.USER_RA_CLIENT) # 3. Update user(RA) to system admin self.user.update_user_role_as_sysadmin(self.user_ra_id, True, **ADMIN_CLIENT) # 4. User(RA) updates the system level CVE allowlist, verify it's successful. self.system.set_cve_allowlist(None, 200, *cves, **self.USER_RA_CLIENT) # 5. User(RA) reads the system level CVE allowlist, verify the CVE list is updated. expect_wl = [swagger_client.CVEAllowlistItem(cve_id='CVE-2019-12310')] wl = self.system.get_cve_allowlist(**self.USER_RA_CLIENT) self.assertIsNone(wl.expires_at) self.assertEqual(expect_wl, wl.items) # 6. User(RA) updates the expiration date of system level CVE allowlist. exp = int(time.time()) + 3600 self.system.set_cve_allowlist(exp, 200, *cves, **self.USER_RA_CLIENT) # 7. User(RA) reads the system level CVE allowlist, verify the expiration date is updated. wl = self.system.get_cve_allowlist(**self.USER_RA_CLIENT) self.assertEqual(exp, wl.expires_at)
def set_cve_allowlist(self, expires_at=None, expected_status_code=200, *cve_ids, **kwargs): client = self._get_client(**kwargs) cve_list = [swagger_client.CVEAllowlistItem(cve_id=c) for c in cve_ids] allowlist = swagger_client.CVEAllowlist(expires_at=expires_at, items=cve_list) try: r = client.system_cve_allowlist_put_with_http_info(allowlist=allowlist, _preload_content=False) except Exception as e: base._assert_status_code(expected_status_code, e.status) else: base._assert_status_code(expected_status_code, r.status)
def testProjectLevelCVEAllowlist(self): # User(RA) reads the project(PA), verify the "reuse_sys_cve_allowlist" is empty in the metadata, # and the CVE allowlist is empty p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT) self.assertIsNone(p.metadata.reuse_sys_cve_allowlist) self.assertEqual(0, len(p.cve_allowlist.items)) # User(RA) updates the project CVE allowlist, verify it fails with Forbidden error. item_list = [swagger_client.CVEAllowlistItem(cve_id="CVE-2019-12310")] exp = int(time.time()) + 1000 wl = swagger_client.CVEAllowlist(expires_at=exp, items=item_list) self.project.update_project(self.project_pa_id, cve_allowlist=wl, expect_status_code=403, **self.USER_RA_CLIENT) # Admin user updates User(RA) as project admin. self.project.update_project_member_role(self.project_pa_id, self.member_id, 1, **ADMIN_CLIENT) # User(RA) updates the project CVE allowlist with expiration date and one item in the items list. self.project.update_project(self.project_pa_id, cve_allowlist=wl, **self.USER_RA_CLIENT) p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT) self.assertEqual("CVE-2019-12310", p.cve_allowlist.items[0].cve_id) self.assertEqual(exp, p.cve_allowlist.expires_at) # User(RA) updates the project CVE allowlist with empty items list wl2 = swagger_client.CVEAllowlist(items=[]) self.project.update_project(self.project_pa_id, cve_allowlist=wl2, **self.USER_RA_CLIENT) p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT) self.assertEqual(0, len(p.cve_allowlist.items)) self.assertIsNone(p.cve_allowlist.expires_at) # User(RA) updates the project metadata to set "reuse_sys_cve_allowlist" to true. meta = swagger_client.ProjectMetadata(reuse_sys_cve_allowlist="true") self.project.update_project(self.project_pa_id, metadata=meta, **self.USER_RA_CLIENT) p = self.project.get_project(self.project_pa_id, **self.USER_RA_CLIENT) self.assertEqual("true", p.metadata.reuse_sys_cve_allowlist)