tests: Refactor duplicate code for checking secure Windows permissions

monkey/tests/monkey_island/utils.py

@@ -0,0 +1,34 @@
+from monkey_island.cc.server_utils.file_utils import is_windows_os
+
+if is_windows_os():
+    import win32api
+    import win32security
+
+    FULL_CONTROL = 2032127
+    ACE_ACCESS_MODE_GRANT_ACCESS = win32security.GRANT_ACCESS
+    ACE_INHERIT_OBJECT_AND_CONTAINER = 3
+
+
+def _get_acl_and_sid_from_path(path: str):
+    sid, _, _ = win32security.LookupAccountName("", win32api.GetUserName())
+    security_descriptor = win32security.GetNamedSecurityInfo(
+        path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION
+    )
+    acl = security_descriptor.GetSecurityDescriptorDacl()
+    return acl, sid
+
+def assert_windows_permissions(path: str):
+    acl, user_sid = _get_acl_and_sid_from_path(path)
+
+    assert acl.GetAceCount() == 1
+
+    ace = acl.GetExplicitEntriesFromAcl()[0]
+
+    ace_access_mode = ace["AccessMode"]
+    ace_permissions = ace["AccessPermissions"]
+    ace_inheritance = ace["Inheritance"]
+    ace_sid = ace["Trustee"]["Identifier"]
+
+    assert ace_sid == user_sid
+    assert ace_permissions == FULL_CONTROL and ace_access_mode == ACE_ACCESS_MODE_GRANT_ACCESS
+    assert ace_inheritance == ACE_INHERIT_OBJECT_AND_CONTAINER

monkey/tests/unit_tests/monkey_island/cc/server_utils/test_file_utils.py

@@ -2,6 +2,7 @@ import os
 import stat
 
 import pytest
+from tests.monkey_island.utils import assert_windows_permissions
 
 from monkey_island.cc.server_utils.file_utils import (
     create_secure_directory,
@@ -10,14 +11,6 @@ from monkey_island.cc.server_utils.file_utils import (
     open_new_securely_permissioned_file,
 )
 
-if is_windows_os():
-    import win32api
-    import win32security
-
-    FULL_CONTROL = 2032127
-    ACE_ACCESS_MODE_GRANT_ACCESS = win32security.GRANT_ACCESS
-    ACE_INHERIT_OBJECT_AND_CONTAINER = 3
-
 
 def test_expand_user(patched_home_env):
     input_path = os.path.join("~", "test")
@@ -47,15 +40,6 @@ def test_path(tmpdir):
     return path
 
 
-def _get_acl_and_sid_from_path(path: str):
-    sid, _, _ = win32security.LookupAccountName("", win32api.GetUserName())
-    security_descriptor = win32security.GetNamedSecurityInfo(
-        path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION
-    )
-    acl = security_descriptor.GetSecurityDescriptorDacl()
-    return acl, sid
-
-
 def test_create_secure_directory__already_exists(test_path):
     os.mkdir(test_path)
     assert os.path.isdir(test_path)
@@ -82,20 +66,7 @@ def test_create_secure_directory__perm_linux(test_path):
 def test_create_secure_directory__perm_windows(test_path):
     create_secure_directory(test_path)
 
-    acl, user_sid = _get_acl_and_sid_from_path(test_path)
+    assert_windows_permissions(test_path)
-
-    assert acl.GetAceCount() == 1
-
-    ace = acl.GetExplicitEntriesFromAcl()[0]
-
-    ace_access_mode = ace["AccessMode"]
-    ace_permissions = ace["AccessPermissions"]
-    ace_inheritance = ace["Inheritance"]
-    ace_sid = ace["Trustee"]["Identifier"]
-
-    assert ace_sid == user_sid
-    assert ace_permissions == FULL_CONTROL and ace_access_mode == ACE_ACCESS_MODE_GRANT_ACCESS
-    assert ace_inheritance == ACE_INHERIT_OBJECT_AND_CONTAINER
 
 
 def test_open_new_securely_permissioned_file__already_exists(test_path):
@@ -131,20 +102,7 @@ def test_open_new_securely_permissioned_file__perm_windows(test_path):
     with open_new_securely_permissioned_file(test_path):
         pass
 
-    acl, user_sid = _get_acl_and_sid_from_path(test_path)
+    assert_windows_permissions(test_path)
-
-    assert acl.GetAceCount() == 1
-
-    ace = acl.GetExplicitEntriesFromAcl()[0]
-
-    ace_access_mode = ace["AccessMode"]
-    ace_permissions = ace["AccessPermissions"]
-    ace_inheritance = ace["Inheritance"]
-    ace_sid = ace["Trustee"]["Identifier"]
-
-    assert ace_sid == user_sid
-    assert ace_permissions == FULL_CONTROL and ace_access_mode == ACE_ACCESS_MODE_GRANT_ACCESS
-    assert ace_inheritance == ACE_INHERIT_OBJECT_AND_CONTAINER
 
 
 def test_open_new_securely_permissioned_file__write(test_path):

monkey/tests/unit_tests/monkey_island/cc/services/test_post_breach_files.py

@@ -1,18 +1,11 @@
 import os
 
 import pytest
+from tests.monkey_island.utils import assert_windows_permissions
 
 from monkey_island.cc.server_utils.file_utils import is_windows_os
 from monkey_island.cc.services.post_breach_files import PostBreachFilesService
 
-if is_windows_os():
-    import win32api
-    import win32security
-
-    FULL_CONTROL = 2032127
-    ACE_ACCESS_MODE_GRANT_ACCESS = win32security.GRANT_ACCESS
-    ACE_INHERIT_OBJECT_AND_CONTAINER = 3
-
 
 def raise_(ex):
     raise ex
@@ -48,33 +41,11 @@ def test_custom_pba_dir_permissions_linux():
     assert st.st_mode == 0o40700
 
 
-def _get_acl_and_sid_from_path(path: str):
-    sid, _, _ = win32security.LookupAccountName("", win32api.GetUserName())
-    security_descriptor = win32security.GetNamedSecurityInfo(
-        path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION
-    )
-    acl = security_descriptor.GetSecurityDescriptorDacl()
-    return acl, sid
-
-
 @pytest.mark.skipif(not is_windows_os(), reason="Tests Windows (not Posix) permissions.")
 def test_custom_pba_dir_permissions_windows():
     pba_dir = PostBreachFilesService.get_custom_pba_directory()
 
-    acl, user_sid = _get_acl_and_sid_from_path(pba_dir)
+    assert_windows_permissions(pba_dir)
-
-    assert acl.GetAceCount() == 1
-
-    ace = acl.GetExplicitEntriesFromAcl()[0]
-
-    ace_access_mode = ace["AccessMode"]
-    ace_permissions = ace["AccessPermissions"]
-    ace_inheritance = ace["Inheritance"]
-    ace_sid = ace["Trustee"]["Identifier"]
-
-    assert ace_sid == user_sid
-    assert ace_permissions == FULL_CONTROL and ace_access_mode == ACE_ACCESS_MODE_GRANT_ACCESS
-    assert ace_inheritance == ACE_INHERIT_OBJECT_AND_CONTAINER
 
 
 def test_remove_failure(monkeypatch):