Add missing ES Auth response to AUTH_RENAME (#576)

* Add missing ES Auth response to AUTH_RENAME * Added unit test cases for benign paths
google · Aug 17, 2021 · c7a58c7 · c7a58c7
1 parent 9a4fe78
commit c7a58c7
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 11 deletions.
diff --git a/Source/santad/EventProviders/SNTEndpointSecurityManager.mm b/Source/santad/EventProviders/SNTEndpointSecurityManager.mm
@@ -335,9 +335,8 @@ - (void)messageHandler:(es_message_t *)m API_AVAILABLE(macos(10.15)) {
           es_respond_auth_result(self.client, m, ES_AUTH_RESULT_DENY, true);
           return;
         }
-        es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
-        return;
       }
+      es_respond_auth_result(self.client, m, ES_AUTH_RESULT_ALLOW, true);
       return;
     }
     case ES_EVENT_TYPE_AUTH_KEXTLOAD: {

diff --git a/Source/santad/EventProviders/SNTEndpointSecurityManagerTest.mm b/Source/santad/EventProviders/SNTEndpointSecurityManagerTest.mm
@@ -22,6 +22,7 @@
 
 const NSString *const kEventsDBPath = @"/private/var/db/santa/events.db";
 const NSString *const kRulesDBPath = @"/private/var/db/santa/rules.db";
+const NSString *const kBenignPath = @"/some/other/path";
 
 @interface SNTEndpointSecurityManagerTest : XCTestCase
 @end
@@ -102,7 +103,12 @@ - (void)testDenyOnTimeout {
 }
 
 - (void)testDeleteRulesDB {
-  for (const NSString *testPath in @[ kEventsDBPath, kRulesDBPath ]) {
+  NSDictionary<const NSString *, NSNumber *> *testCases = @{
+    kEventsDBPath : [NSNumber numberWithInt:ES_AUTH_RESULT_DENY],
+    kRulesDBPath : [NSNumber numberWithInt:ES_AUTH_RESULT_DENY],
+    kBenignPath : [NSNumber numberWithInt:ES_AUTH_RESULT_ALLOW],
+  };
+  for (const NSString *testPath in testCases) {
     MockEndpointSecurity *mockES = [MockEndpointSecurity mockEndpointSecurity];
     [mockES reset];
     SNTEndpointSecurityManager *snt = [[SNTEndpointSecurityManager alloc] init];
@@ -148,7 +154,8 @@ - (void)testDeleteRulesDB {
                                    }
                                  }];
 
-    XCTAssertEqual(got.result, ES_AUTH_RESULT_DENY, @"Failed to deny deletion of %@", testPath);
+    XCTAssertEqual(got.result, [testCases objectForKey:testPath].intValue,
+                   @"Incorrect handling of delete of %@", testPath);
     XCTAssertTrue(got.shouldCache, @"Failed to cache deletion decision of %@", testPath);
   }
 }
@@ -203,7 +210,12 @@ - (void)testSkipOtherESEvents {
 }
 
 - (void)testRenameOverwriteRulesDB {
-  for (const NSString *testPath in @[ kEventsDBPath, kRulesDBPath ]) {
+  NSDictionary<const NSString *, NSNumber *> *testCases = @{
+    kEventsDBPath : [NSNumber numberWithInt:ES_AUTH_RESULT_DENY],
+    kRulesDBPath : [NSNumber numberWithInt:ES_AUTH_RESULT_DENY],
+    kBenignPath : [NSNumber numberWithInt:ES_AUTH_RESULT_ALLOW],
+  };
+  for (const NSString *testPath in testCases) {
     MockEndpointSecurity *mockES = [MockEndpointSecurity mockEndpointSecurity];
     [mockES reset];
     SNTEndpointSecurityManager *snt = [[SNTEndpointSecurityManager alloc] init];
@@ -256,14 +268,20 @@ - (void)testRenameOverwriteRulesDB {
                                    }
                                  }];
 
-    XCTAssertEqual(got.result, ES_AUTH_RESULT_DENY, @"Failed to deny rename overwrite of %@",
-                   testPath);
-    XCTAssertTrue(got.shouldCache, @"Failed to cache rename deny decision of %@", testPath);
+    XCTAssertEqual(got.result, [testCases objectForKey:testPath].intValue,
+                   @"Incorrect handling of rename of %@", testPath);
+    XCTAssertTrue(got.shouldCache, @"Failed to cache rename auth decision of %@", testPath);
   }
 }
 
 - (void)testRenameRulesDB {
-  for (const NSString *testPath in @[ kEventsDBPath, kRulesDBPath ]) {
+  NSDictionary<const NSString *, NSNumber *> *testCases = @{
+    kEventsDBPath : [NSNumber numberWithInt:ES_AUTH_RESULT_DENY],
+    kRulesDBPath : [NSNumber numberWithInt:ES_AUTH_RESULT_DENY],
+    kBenignPath : [NSNumber numberWithInt:ES_AUTH_RESULT_ALLOW],
+  };
+
+  for (const NSString *testPath in testCases) {
     MockEndpointSecurity *mockES = [MockEndpointSecurity mockEndpointSecurity];
     [mockES reset];
     SNTEndpointSecurityManager *snt = [[SNTEndpointSecurityManager alloc] init];
@@ -322,9 +340,10 @@ - (void)testRenameRulesDB {
                                      XCTFail(@"Santa auth test timed out with error: %@", error);
                                    }
                                  }];
+    XCTAssertEqual(got.result, [testCases objectForKey:testPath].intValue,
+                   @"Incorrect handling of rename of %@", testPath);
 
-    XCTAssertEqual(got.result, ES_AUTH_RESULT_DENY, @"Failed to deny rename of %@", testPath);
-    XCTAssertTrue(got.shouldCache, @"Failed to cache rename deny decision of %@", testPath);
+    XCTAssertTrue(got.shouldCache, @"Failed to cache rename auth decision of %@", testPath);
   }
 }