Add ceilometer to rootwrap check

Ceilometer also makes use of rootwrap (only for ipmitool), so let's make sure its also flagged. Change-Id: Ibbac902f653b3918e78fe27ec89783feff6b5f7d
2015-02-24 07:55:40 -08:00 · 2015-02-24 07:55:40 -08:00 · 0ea9c791b9
commit 0ea9c791b9
parent 6d6f2ce68b
4 changed files with 19 additions and 14 deletions
--- a/bandit.yaml
+++ b/bandit.yaml
@ -38,10 +38,6 @@ profiles:
        include:
            - hardcoded_sql_expressions

-    RunAsRoot:
-        include:
-            - execute_with_run_as_root_equals_true
-
 blacklist_functions:
    bad_name_sets:
        - pickle:
@ -113,3 +109,11 @@ password_config_option_not_marked_secret:
    function_names:
        - oslo.config.cfg.StrOpt
        - oslo_config.cfg.StrOpt
+
+execute_with_run_as_root_equals_true:
+    function_names:
+        - ceilometer.utils.execute
+        - cinder.utils.execute
+        - neutron.agent.linux.utils.execute
+        - nova.utils.execute
+        - nova.utils.trycmd
--- a/bandit/plugins/exec_as_root.py
+++ b/bandit/plugins/exec_as_root.py
@ -16,17 +16,11 @@ import bandit
 from bandit.core.test_properties import *


+@takes_config
@checks('Call')
-def execute_with_run_as_root_equals_true(context):
+def execute_with_run_as_root_equals_true(context, config):

-    function_names = [
-        'cinder.utils.execute',
-        'neutron.agent.linux.utils.execute',
-        'nova.utils.execute',
-        'nova.utils.trycmd',
-    ]
-
-    if (context.call_function_name_qual in function_names):
+    if (context.call_function_name_qual in config['function_names']):
        if context.check_call_arg_value('run_as_root') == 'True':

            return(bandit.INFO, 'execute with run_as_root=True '
--- a/examples/exec-as-root.py
+++ b/examples/exec-as-root.py
@ -1,7 +1,13 @@
+from ceilometer import utils as ceilometer_utils
 from cinder import utils as cinder_utils
 from neutron.agent.linux import utils as neutron_utils
 from nova import utils as nova_utils

+# Ceilometer
+ceilometer_utils.execute('gcc --version')
+ceilometer_utils.execute('gcc --version', run_as_root=False)
+ceilometer_utils.execute('gcc --version', run_as_root=True)
+
 # Cinder
 cinder_utils.execute('gcc --version')
 cinder_utils.execute('gcc --version', run_as_root=False)
--- a/tests/test_functional.py
+++ b/tests/test_functional.py
@ -84,7 +84,8 @@ class FunctionalTests(unittest.TestCase):
        path = os.path.join(os.getcwd(), 'examples', 'exec-as-root.py')
        self.b_mgr.discover_files([path], True)
        self.b_mgr.run_tests()
-        self.assertEqual(4, self.b_mgr.scores[0])
+        expected = 5 * C.SEVERITY_VALUES['INFO']
+        self.assertEqual(expected, self.b_mgr.scores[0])

    def test_hardcoded_passwords(self):
        path = os.path.join(os.getcwd(), 'examples', 'hardcoded-passwords.py')