Remove test file, add coderabbit timeout suggestions

2026-02-25 11:46:04 -05:00 · 2025-12-21 19:30:35 +00:00
parent df40116ed0
commit 492c6e3883
3 changed files with 23 additions and 70 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -9,7 +9,7 @@
 #
 # Stage 2. Runner builds the bare minimum requirements to create an operational NetAlertX. The primary
 # reason for breaking at this stage is it leaves the system in a proper state for devcontainer operation
-# This image also provides a break-out point for uses who wish to execute the anti-pattern of using a
+# This image also provides a break-out point for users who wish to execute the anti-pattern of using a
 # docker container as a VM for experimentation and various development patterns.
 #
 # Stage 3. Hardened removes root, sudoers, folders, permissions, and locks the system down into a read-only
--- a/test/docker_tests/debug_storage_permission.sh
+++ b/test/docker_tests/debug_storage_permission.sh
@@ -1,66 +0,0 @@
-#!/bin/sh
-
-# 0-storage-permission.sh: Fix permissions if running as root.
-#
-# This script checks if running as root and fixes ownership and permissions
-# for read-write paths to ensure proper operation.
-
-# --- Color Codes ---
-MAGENTA=$(printf '\033[1;35m')
-RESET=$(printf '\033[0m')
-
-# --- Main Logic ---
-
-# Define paths that need read-write access
-READ_WRITE_PATHS="
-${NETALERTX_DATA}
-${NETALERTX_DB}
-${NETALERTX_API}
-${NETALERTX_LOG}
-${SYSTEM_SERVICES_RUN}
-${NETALERTX_CONFIG}
-${NETALERTX_CONFIG_FILE}
-${NETALERTX_DB_FILE}
-"
-
-TARGET_USER="${NETALERTX_USER:-netalertx}"
-
-# If running as root, fix permissions first
-if [ "$(id -u)" -eq 0 ]; then
-    >&2 printf "%s" "${MAGENTA}"
-    >&2 cat <<'EOF'
-══════════════════════════════════════════════════════════════════════════════
-🚨 CRITICAL SECURITY ALERT: NetAlertX is running as ROOT (UID 0)! 🚨
-
-    This configuration bypasses all built-in security hardening measures.
-    You've granted a network monitoring application unrestricted access to
-    your host system. A successful compromise here could jeopardize your
-    entire infrastructure.
-
-    IMMEDIATE ACTION REQUIRED: Switch to the dedicated 'netalertx' user:
-      * Remove any 'user:' directive specifying UID 0 from docker-compose.yml or
-      * switch to the default USER in the image (20211:20211)
-
-    IMPORTANT: This corrective mode automatically adjusts ownership of
-    /data/db and /data/config directories to the netalertx user, ensuring
-    proper operation in subsequent runs.
-
-    Remember: Never operate security-critical tools as root unless you're 
-    actively trying to get pwned.
-
-    https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/running-as-root.md
-══════════════════════════════════════════════════════════════════════════════
-EOF
-    >&2 printf "%s" "${RESET}"
-
-    # Set ownership and permissions for each read-write path individually
-    printf '%s\n' "${READ_WRITE_PATHS}" | while IFS= read -r path; do
-        [ -n "${path}" ] || continue
-        echo "DEBUG: Processing $path"
-        chown -v -R "${TARGET_USER}" "${path}" || echo "DEBUG: chown failed for $path"
-        find "${path}" -type d -exec chmod -v u+rwx {} \;
-        find "${path}" -type f -exec chmod -v u+rw {} \;
-    done
-    echo Permissions fixed for read-write paths. Please restart the container as user ${TARGET_USER}.
-    sleep infinity & wait $!
-fi
--- a/test/docker_tests/test_container_environment.py
+++ b/test/docker_tests/test_container_environment.py
@@ -17,6 +17,7 @@ import pytest
 IMAGE = os.environ.get("NETALERTX_TEST_IMAGE", "netalertx-test")
 GRACE_SECONDS = float(os.environ.get("NETALERTX_TEST_GRACE", "2"))
 DEFAULT_CAPS = ["NET_RAW", "NET_ADMIN", "NET_BIND_SERVICE"]
+SUBPROCESS_TIMEOUT_SECONDS = float(os.environ.get("NETALERTX_TEST_SUBPROCESS_TIMEOUT", "60"))

 CONTAINER_TARGETS: dict[str, str] = {
    "data": "/data",
@@ -263,6 +264,7 @@ def _chown_path(host_path: pathlib.Path, uid: int, gid: int) -> None:
            check=True,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
+            timeout=SUBPROCESS_TIMEOUT_SECONDS,
        )
    except subprocess.CalledProcessError as exc:
        raise RuntimeError(f"Failed to chown {host_path} to {uid}:{gid}") from exc
@@ -282,6 +284,7 @@ def _docker_volume_rm(volume_name: str) -> None:
        check=False,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
    )


@@ -291,6 +294,7 @@ def _docker_volume_create(volume_name: str) -> None:
        check=True,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
    )


@@ -327,6 +331,7 @@ def _ensure_volume_copy_up(volume_name: str) -> None:
        check=True,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
    )


@@ -371,6 +376,7 @@ def _seed_volume_text_file(
        check=True,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
    )


@@ -393,6 +399,7 @@ def _volume_has_file(volume_name: str, container_path: str) -> bool:
            check=False,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
+            timeout=SUBPROCESS_TIMEOUT_SECONDS,
        ).returncode
        == 0
    )
@@ -467,6 +474,7 @@ def _run_container(
        check=False,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
    )

    cmd: list[str] = ["docker", "run", "--rm", "--name", name]
@@ -549,7 +557,7 @@ def _run_container(
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        text=True,
-        timeout=sleep_seconds + 30,
+        timeout=max(SUBPROCESS_TIMEOUT_SECONDS, sleep_seconds + 30),
        check=False,
    )
    # Combine and clean stdout and stderr
@@ -1134,7 +1142,13 @@ def test_restrictive_permissions_handling(tmp_path: pathlib.Path) -> None:
            IMAGE,
            "-R", "0:0", "/mnt",
        ]
-        subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+        subprocess.run(
+            cmd,
+            check=True,
+            stdout=subprocess.DEVNULL,
+            stderr=subprocess.DEVNULL,
+            timeout=SUBPROCESS_TIMEOUT_SECONDS,
+        )

    # Set up a restrictive directory (root owned, 755)
    target_dir = paths["app_db"]
@@ -1184,7 +1198,12 @@ def test_restrictive_permissions_handling(tmp_path: pathlib.Path) -> None:
    for host_path, target, readonly in volumes:
        check_cmd.extend(["-v", f"{host_path}:{target}"])
    
-    check_result = subprocess.run(check_cmd, capture_output=True, text=True)
+    check_result = subprocess.run(
+        check_cmd,
+        capture_output=True,
+        text=True,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
+    )
    
    if check_result.returncode != 0:
        print(f"Check command failed. Cmd: {check_cmd}")