def test_run_with_mocks(self): upload = self.get_upload('webextension.xpi') assert len(YaraResult.objects.all()) == 0 # This compiled rule will match for all files in the xpi. rules = yara.compile(source='rule always_true { condition: true }') with mock.patch('yara.compile') as yara_compile_mock: yara_compile_mock.return_value = rules run_yara(upload.pk) assert yara_compile_mock.called results = YaraResult.objects.all() assert len(results) == 1 result = results[0] assert result.upload == upload assert len(result.matches) == 2 assert result.matches[0] == { 'rule': 'always_true', 'tags': [], 'meta': { 'filename': 'index.js' }, } assert result.matches[1] == { 'rule': 'always_true', 'tags': [], 'meta': { 'filename': 'manifest.json' }, }
def test_calls_statsd_timer(self, timer_mock): upload = self.get_upload('webextension.xpi') run_yara(upload.pk) assert timer_mock.called timer_mock.assert_called_with('devhub.yara')
def test_run_does_not_raise(self, incr_mock): upload = self.get_upload('webextension.xpi') # This call should not raise even though there will be an error because # YARA_RULES_FILEPATH is configured with a wrong path. run_yara(upload.pk) assert incr_mock.called incr_mock.assert_called_with('devhub.yara.failure')
def test_run_no_matches_with_mocks(self): upload = self.get_upload('webextension.xpi') assert len(YaraResult.objects.all()) == 0 # This compiled rule will never match. rules = yara.compile(source='rule always_false { condition: false }') with mock.patch('yara.compile') as yara_compile_mock: yara_compile_mock.return_value = rules run_yara(upload.pk) result = YaraResult.objects.all()[0] assert result.matches == []
def test_run_ignores_directories(self): upload = self.get_upload('webextension_signed_already.xpi') # This compiled rule will match for all files in the xpi. rules = yara.compile(source='rule always_true { condition: true }') with mock.patch('yara.compile') as yara_compile_mock: yara_compile_mock.return_value = rules run_yara(upload.pk) result = YaraResult.objects.all()[0] assert result.upload == upload # The `webextension_signed_already.xpi` fixture file has 1 directory # and 3 files. assert len(result.matches) == 3
def test_run_with_mocks(self, incr_mock): assert len(YaraResult.objects.all()) == 0 # This compiled rule will match for all files in the xpi. rules = yara.compile(source='rule always_true { condition: true }') with mock.patch('yara.compile') as yara_compile_mock: yara_compile_mock.return_value = rules received_results = run_yara(self.results, self.upload.pk) assert yara_compile_mock.called yara_results = YaraResult.objects.all() assert len(yara_results) == 1 yara_result = yara_results[0] assert yara_result.upload == self.upload assert len(yara_result.matches) == 2 assert yara_result.matches[0] == { 'rule': 'always_true', 'tags': [], 'meta': { 'filename': 'index.js' }, } assert yara_result.matches[1] == { 'rule': 'always_true', 'tags': [], 'meta': { 'filename': 'manifest.json' }, } assert incr_mock.called incr_mock.assert_called_with('devhub.yara.success') # The task should always return the results. assert received_results == self.results
def test_does_not_run_when_results_contain_errors(self, yara_compile_mock): self.results.update({'errors': 1}) received_results = run_yara(self.results, self.upload.pk) assert not yara_compile_mock.called # The task should always return the results. assert received_results == self.results
def test_run_does_not_raise(self, incr_mock): # This call should not raise even though there will be an error because # YARA_RULES_FILEPATH is configured with a wrong path. received_results = run_yara(self.results, self.upload.pk) assert incr_mock.called incr_mock.assert_called_with('devhub.yara.failure') # The task should always return the results. assert received_results == self.results
def test_run_no_matches_with_mocks(self): assert len(YaraResult.objects.all()) == 0 # This compiled rule will never match. rules = yara.compile(source='rule always_false { condition: false }') with mock.patch('yara.compile') as yara_compile_mock: yara_compile_mock.return_value = rules received_results = run_yara(self.results, self.upload.pk) yara_result = YaraResult.objects.all()[0] assert yara_result.matches == [] # The task should always return the results. assert received_results == self.results
def test_skip_non_webextensions_with_mocks(self, yara_compile_mock): upload = self.get_upload('search.xml') results = { **amo.VALIDATOR_SKELETON_RESULTS, 'metadata': { 'is_webextension': False, } } received_results = run_yara(results, upload.pk) assert not yara_compile_mock.called # The task should always return the results. assert received_results == results
def test_run_ignores_directories(self): upload = self.get_upload('webextension_signed_already.xpi') results = { **amo.VALIDATOR_SKELETON_RESULTS, 'metadata': { 'is_webextension': True, } } # This compiled rule will match for all files in the xpi. rules = yara.compile(source='rule always_true { condition: true }') with mock.patch('yara.compile') as yara_compile_mock: yara_compile_mock.return_value = rules received_results = run_yara(results, upload.pk) yara_result = YaraResult.objects.all()[0] assert yara_result.upload == upload # The `webextension_signed_already.xpi` fixture file has 1 directory # and 3 files. assert len(yara_result.matches) == 3 # The task should always return the results. assert received_results == results
def test_run_does_not_raise(self): upload = self.get_upload('webextension.xpi') # This call should not raise even though there will be an error because # YARA_RULES_FILEPATH is configured with a wrong path. run_yara(upload.pk)
def test_skip_non_xpi_files_with_mocks(self, yara_compile_mock): upload = self.get_upload('search.xml') run_yara(upload.pk) assert not yara_compile_mock.called
def test_calls_statsd_timer(self, timer_mock): run_yara(self.results, self.upload.pk) assert timer_mock.called timer_mock.assert_called_with('devhub.yara')
def handle_upload_validation_result( results, upload_pk, channel, is_mozilla_signed): """Annotate a set of validation results and save them to the given FileUpload instance.""" upload = FileUpload.objects.get(pk=upload_pk) if waffle.switch_is_active('enable-yara') and results['errors'] == 0: # Run Yara. This cannot be asynchronous because we have no way to know # whether the task will complete before we attach a `Version` to it # later in the submission process... Because we cannot use `chord` # reliably right now (requires Celery 4.2+), this task is actually not # run as a task, it's a simple function call. # # TODO: use `run_yara` as a task in the submission chord once it is # possible. See: https://github.com/mozilla/addons-server/issues/12216 run_yara(upload.pk) if waffle.switch_is_active('enable-customs') and results['errors'] == 0: # Run customs. This cannot be asynchronous because we have no way to # know whether the task will complete before we attach a `Version` to # it later in the submission process... Because we cannot use `chord` # reliably right now (requires Celery 4.2+), this task is actually not # run as a task, it's a simple function call. # # TODO: use `run_customs` as a task in the submission chord once it is # possible. See: https://github.com/mozilla/addons-server/issues/12217 run_customs(upload.pk) if waffle.switch_is_active('enable-wat') and results['errors'] == 0: # Run wat. This cannot be asynchronous because we have no way to know # whether the task will complete before we attach a `Version` to it # later in the submission process... Because we cannot use `chord` # reliably right now (requires Celery 4.2+), this task is actually not # run as a task, it's a simple function call. # # TODO: use `run_wat` as a task in the submission chord once it is # possible. See: https://github.com/mozilla/addons-server/issues/12224 run_wat(upload.pk) # Check for API keys in submissions. # Make sure it is extension-like, e.g. no search plugin try: results = check_for_api_keys_in_file(results=results, upload=upload) except (ValidationError, BadZipfile, IOError): pass # Annotate results with potential webext warnings on new versions. if upload.addon_id and upload.version: annotations.annotate_webext_incompatibilities( results=results, file_=None, addon=upload.addon, version_string=upload.version, channel=channel) upload.validation = json.dumps(results) upload.save() # We want to hit the custom save(). # Track the time it took from first upload through validation # until the results were processed and saved. upload_start = utc_millesecs_from_epoch(upload.created) now = datetime.datetime.now() now_ts = utc_millesecs_from_epoch(now) delta = now_ts - upload_start statsd.timing('devhub.validation_results_processed', delta) if not storage.exists(upload.path): # TODO: actually fix this so we can get stats. It seems that # the file maybe gets moved but it needs more investigation. log.warning('Scaled upload stats were not tracked. File is ' 'missing: {}'.format(upload.path)) return size = Decimal(storage.size(upload.path)) megabyte = Decimal(1024 * 1024) # Stash separate metrics for small / large files. quantifier = 'over' if size > megabyte else 'under' statsd.timing( 'devhub.validation_results_processed_{}_1mb'.format(quantifier), delta) # Scale the upload / processing time by package size (in MB) # so we can normalize large XPIs which naturally take longer to validate. scaled_delta = None size_in_mb = size / megabyte if size > 0: # If the package is smaller than 1MB, don't scale it. This should # help account for validator setup time. unit = size_in_mb if size > megabyte else Decimal(1) scaled_delta = Decimal(delta) / unit statsd.timing('devhub.validation_results_processed_per_mb', scaled_delta) log.info('Time to process and save upload validation; ' 'upload.pk={upload}; processing_time={delta}; ' 'scaled_per_mb={scaled}; upload_size_in_mb={size_in_mb}; ' 'created={created}; now={now}' .format(delta=delta, upload=upload.pk, created=upload.created, now=now, scaled=scaled_delta, size_in_mb=size_in_mb))