From 492c6e388367322928ebca7990318b01a160dca0 Mon Sep 17 00:00:00 2001
From: Adam Outler <adamoutler@gmail.com>
Date: Sun, 21 Dec 2025 19:30:35 +0000
Subject: [PATCH] Remove test file, add coderabbit timeout suggestions

---
 .devcontainer/Dockerfile                      |  2 +-
 test/docker_tests/debug_storage_permission.sh | 66 -------------------
 .../test_container_environment.py             | 25 ++++++-
 3 files changed, 23 insertions(+), 70 deletions(-)
 delete mode 100755 test/docker_tests/debug_storage_permission.sh

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 739b0763..bf39de98 100755
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -9,7 +9,7 @@
 #
 # Stage 2. Runner builds the bare minimum requirements to create an operational NetAlertX. The primary
 # reason for breaking at this stage is it leaves the system in a proper state for devcontainer operation
-# This image also provides a break-out point for uses who wish to execute the anti-pattern of using a
+# This image also provides a break-out point for users who wish to execute the anti-pattern of using a
 # docker container as a VM for experimentation and various development patterns.
 #
 # Stage 3. Hardened removes root, sudoers, folders, permissions, and locks the system down into a read-only
diff --git a/test/docker_tests/debug_storage_permission.sh b/test/docker_tests/debug_storage_permission.sh
deleted file mode 100755
index f94b6a47..00000000
--- a/test/docker_tests/debug_storage_permission.sh
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/sh
-
-# 0-storage-permission.sh: Fix permissions if running as root.
-#
-# This script checks if running as root and fixes ownership and permissions
-# for read-write paths to ensure proper operation.
-
-# --- Color Codes ---
-MAGENTA=$(printf '\033[1;35m')
-RESET=$(printf '\033[0m')
-
-# --- Main Logic ---
-
-# Define paths that need read-write access
-READ_WRITE_PATHS="
-${NETALERTX_DATA}
-${NETALERTX_DB}
-${NETALERTX_API}
-${NETALERTX_LOG}
-${SYSTEM_SERVICES_RUN}
-${NETALERTX_CONFIG}
-${NETALERTX_CONFIG_FILE}
-${NETALERTX_DB_FILE}
-"
-
-TARGET_USER="${NETALERTX_USER:-netalertx}"
-
-# If running as root, fix permissions first
-if [ "$(id -u)" -eq 0 ]; then
-    >&2 printf "%s" "${MAGENTA}"
-    >&2 cat <<'EOF'
-══════════════════════════════════════════════════════════════════════════════
-🚨 CRITICAL SECURITY ALERT: NetAlertX is running as ROOT (UID 0)! 🚨
-
-    This configuration bypasses all built-in security hardening measures.
-    You've granted a network monitoring application unrestricted access to
-    your host system. A successful compromise here could jeopardize your
-    entire infrastructure.
-
-    IMMEDIATE ACTION REQUIRED: Switch to the dedicated 'netalertx' user:
-      * Remove any 'user:' directive specifying UID 0 from docker-compose.yml or
-      * switch to the default USER in the image (20211:20211)
-
-    IMPORTANT: This corrective mode automatically adjusts ownership of
-    /data/db and /data/config directories to the netalertx user, ensuring
-    proper operation in subsequent runs.
-
-    Remember: Never operate security-critical tools as root unless you're 
-    actively trying to get pwned.
-
-    https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/running-as-root.md
-══════════════════════════════════════════════════════════════════════════════
-EOF
-    >&2 printf "%s" "${RESET}"
-
-    # Set ownership and permissions for each read-write path individually
-    printf '%s\n' "${READ_WRITE_PATHS}" | while IFS= read -r path; do
-        [ -n "${path}" ] || continue
-        echo "DEBUG: Processing $path"
-        chown -v -R "${TARGET_USER}" "${path}" || echo "DEBUG: chown failed for $path"
-        find "${path}" -type d -exec chmod -v u+rwx {} \;
-        find "${path}" -type f -exec chmod -v u+rw {} \;
-    done
-    echo Permissions fixed for read-write paths. Please restart the container as user ${TARGET_USER}.
-    sleep infinity & wait $!
-fi
diff --git a/test/docker_tests/test_container_environment.py b/test/docker_tests/test_container_environment.py
index 4bd428b8..14155f4b 100644
--- a/test/docker_tests/test_container_environment.py
+++ b/test/docker_tests/test_container_environment.py
@@ -17,6 +17,7 @@ import pytest
 IMAGE = os.environ.get("NETALERTX_TEST_IMAGE", "netalertx-test")
 GRACE_SECONDS = float(os.environ.get("NETALERTX_TEST_GRACE", "2"))
 DEFAULT_CAPS = ["NET_RAW", "NET_ADMIN", "NET_BIND_SERVICE"]
+SUBPROCESS_TIMEOUT_SECONDS = float(os.environ.get("NETALERTX_TEST_SUBPROCESS_TIMEOUT", "60"))
 
 CONTAINER_TARGETS: dict[str, str] = {
     "data": "/data",
@@ -263,6 +264,7 @@ def _chown_path(host_path: pathlib.Path, uid: int, gid: int) -> None:
             check=True,
             stdout=subprocess.DEVNULL,
             stderr=subprocess.DEVNULL,
+            timeout=SUBPROCESS_TIMEOUT_SECONDS,
         )
     except subprocess.CalledProcessError as exc:
         raise RuntimeError(f"Failed to chown {host_path} to {uid}:{gid}") from exc
@@ -282,6 +284,7 @@ def _docker_volume_rm(volume_name: str) -> None:
         check=False,
         stdout=subprocess.DEVNULL,
         stderr=subprocess.DEVNULL,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
     )
 
 
@@ -291,6 +294,7 @@ def _docker_volume_create(volume_name: str) -> None:
         check=True,
         stdout=subprocess.DEVNULL,
         stderr=subprocess.DEVNULL,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
     )
 
 
@@ -327,6 +331,7 @@ def _ensure_volume_copy_up(volume_name: str) -> None:
         check=True,
         stdout=subprocess.DEVNULL,
         stderr=subprocess.DEVNULL,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
     )
 
 
@@ -371,6 +376,7 @@ def _seed_volume_text_file(
         check=True,
         stdout=subprocess.DEVNULL,
         stderr=subprocess.DEVNULL,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
     )
 
 
@@ -393,6 +399,7 @@ def _volume_has_file(volume_name: str, container_path: str) -> bool:
             check=False,
             stdout=subprocess.DEVNULL,
             stderr=subprocess.DEVNULL,
+            timeout=SUBPROCESS_TIMEOUT_SECONDS,
         ).returncode
         == 0
     )
@@ -467,6 +474,7 @@ def _run_container(
         check=False,
         stdout=subprocess.DEVNULL,
         stderr=subprocess.DEVNULL,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
     )
 
     cmd: list[str] = ["docker", "run", "--rm", "--name", name]
@@ -549,7 +557,7 @@ def _run_container(
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         text=True,
-        timeout=sleep_seconds + 30,
+        timeout=max(SUBPROCESS_TIMEOUT_SECONDS, sleep_seconds + 30),
         check=False,
     )
     # Combine and clean stdout and stderr
@@ -1134,7 +1142,13 @@ def test_restrictive_permissions_handling(tmp_path: pathlib.Path) -> None:
             IMAGE,
             "-R", "0:0", "/mnt",
         ]
-        subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+        subprocess.run(
+            cmd,
+            check=True,
+            stdout=subprocess.DEVNULL,
+            stderr=subprocess.DEVNULL,
+            timeout=SUBPROCESS_TIMEOUT_SECONDS,
+        )
 
     # Set up a restrictive directory (root owned, 755)
     target_dir = paths["app_db"]
@@ -1184,7 +1198,12 @@ def test_restrictive_permissions_handling(tmp_path: pathlib.Path) -> None:
     for host_path, target, readonly in volumes:
         check_cmd.extend(["-v", f"{host_path}:{target}"])
     
-    check_result = subprocess.run(check_cmd, capture_output=True, text=True)
+    check_result = subprocess.run(
+        check_cmd,
+        capture_output=True,
+        text=True,
+        timeout=SUBPROCESS_TIMEOUT_SECONDS,
+    )
     
     if check_result.returncode != 0:
         print(f"Check command failed. Cmd: {check_cmd}")