| 38 | |
| 39 | # Validates policy files and performs policy testing |
| 40 | class Policy: |
| 41 | |
| 42 | WARNING_DEPRECATED_DIRECTIVES = "\nWARNING: this policy is using deprecated features. Future versions of ssh-audit may remove support for them. Re-generating the policy file is perhaps the most straight-forward way of resolving this issue. Manually converting the 'hostkey_size_*', 'cakey_size_*', and 'dh_modulus_size_*' directives into the new format is another option.\n" |
| 43 | |
| 44 | def __init__(self, policy_file: Optional[str] = None, policy_data: Optional[str] = None, manual_load: bool = False, json_output: bool = False) -> None: |
| 45 | self._name: Optional[str] = None |
| 46 | self._version: Optional[str] = None |
| 47 | self._banner: Optional[str] = None |
| 48 | self._compressions: Optional[List[str]] = None |
| 49 | self._host_keys: Optional[List[str]] = None |
| 50 | self._optional_host_keys: Optional[List[str]] = None |
| 51 | self._kex: Optional[List[str]] = None |
| 52 | self._ciphers: Optional[List[str]] = None |
| 53 | self._macs: Optional[List[str]] = None |
| 54 | self._hostkey_sizes: Optional[Dict[str, Dict[str, Union[int, str, bytes]]]] = None |
| 55 | self._dh_modulus_sizes: Optional[Dict[str, int]] = None |
| 56 | self._server_policy = True |
| 57 | self._allow_algorithm_subset_and_reordering = False |
| 58 | self._allow_larger_keys = False |
| 59 | self._errors: List[Any] = [] |
| 60 | self._updated_builtin_policy_available = False # If True, an outdated built-in policy was loaded. |
| 61 | |
| 62 | self._name_and_version: str = '' |
| 63 | |
| 64 | # If invoked while JSON output is expected, send warnings to stderr instead of stdout (which would corrupt the JSON output). |
| 65 | if json_output: |
| 66 | self._warning_target = sys.stderr |
| 67 | else: |
| 68 | self._warning_target = sys.stdout |
| 69 | |
| 70 | # Ensure that only one mode was specified. |
| 71 | num_modes = 0 |
| 72 | if policy_file is not None: |
| 73 | num_modes += 1 |
| 74 | if policy_data is not None: |
| 75 | num_modes += 1 |
| 76 | if manual_load is True: |
| 77 | num_modes += 1 |
| 78 | |
| 79 | if num_modes != 1: |
| 80 | raise RuntimeError('Exactly one of the following can be specified only: policy_file, policy_data, or manual_load') |
| 81 | |
| 82 | if manual_load: |
| 83 | return |
| 84 | |
| 85 | if policy_file is not None: |
| 86 | try: |
| 87 | with open(policy_file, "r", encoding='utf-8') as f: |
| 88 | policy_data = f.read() |
| 89 | except FileNotFoundError: |
| 90 | print("Error: policy file not found: %s" % policy_file) |
| 91 | sys.exit(exitcodes.UNKNOWN_ERROR) |
| 92 | except PermissionError as e: |
| 93 | # If installed as a Snap package, print a more useful message with potential work-arounds. |
| 94 | if SNAP_PACKAGE: |
| 95 | print(SNAP_PERMISSIONS_ERROR) |
| 96 | else: |
| 97 | print("Error: insufficient permissions: %s" % str(e)) |
no outgoing calls
no test coverage detected