Skip to content

Harden some problematic release tests. #20155

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
adityapatwardhan merged 7 commits into from
Aug 28, 2023
Merged

Harden some problematic release tests. #20155

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
30ad87a
Harden some problematic release tests.
JamesWTruher Aug 23, 2023
493e64c
fix typo in path.
JamesWTruher Aug 23, 2023
c801557
Remove the verbose output as it is handled by `set-itresult`
JamesWTruher Aug 23, 2023
0ac629e
Add appropriate file attributes for Junction-Directory based on arm64
JamesWTruher Aug 23, 2023
c355faf
Add files from branch releasetestfix08
JamesWTruher Aug 24, 2023
5b59287
Change sleep to skip test on Arm64 - Issue 20169 opened
JamesWTruher Aug 25, 2023
b474be7
Missed removing a sleep
JamesWTruher Aug 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 25 additions & 7 deletions test/powershell/Modules/Microsoft.PowerShell.Management/Get-ChildItem.Tests.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,14 +226,29 @@ Describe "Get-ChildItem" -Tags "CI" {
}

It 'Works with Windows volume paths' -Skip:(!$IsWindows) {
$volume = (Get-Volume -DriveLetter $env:SystemDrive[0]).Path
$items = Get-ChildItem -LiteralPath "${volume}Windows"
Write-Verbose -Verbose "Trying files in '${volume}Windows'"
if (-not $items) {
$winPath = $env:windir
if (! $winPath) {
Set-ItResult -Skipped -Because "windir is null"
return
}

$driveLetter = $winPath[0]
$winPartialPath = $winPath.SubString(3) # skip the drive letter, colon, and backslash
Write-Verbose -Verbose "Partial path is '$winPartialPath'"
$volume = (Get-Volume -DriveLetter $driveLetter).Path
if (! $volume) {
Set-ItResult -Skipped -Because "Get-Volume returned no volume for system drive '$driveLetter'"
return
}

$items = Get-ChildItem -LiteralPath "${volume}${winPartialPath}"
Write-Verbose -Verbose "Trying files in '${volume}${winPartialPath}'"
if ($items.Count -eq 0) {
Write-Verbose -Verbose "`$items is null!!"
}
$items[0].Parent | Should -BeExactly "${volume}Windows"
$items | Should -HaveCount (Get-ChildItem $env:SystemRoot).Count

$items[0].Parent.FullName | Should -BeExactly "${volume}${winPartialPath}"
$items | Should -HaveCount (Get-ChildItem $winPath).Count
}

It 'Works with Windows pipes' -Skip:(!$IsWindows) {
Expand Down Expand Up @@ -294,7 +309,10 @@ Describe 'FileSystem Provider Formatting' -Tag "CI","RequireAdminOnWindows" {

if ($IsWindows)
{
$testcases += @{ expectedMode = "l----"; expectedModeWithoutHardlink = "l----"; itemType = "Junction"; itemName = "Junction-Directory"; fileAttributes = [System.IO.FileAttributes]::Directory -bor [System.IO.FileAttributes]::ReparsePoint; target = $targetDir1.FullName }
# arm64 adds the archive attribute
$junctionMode = (Test-IsWindowsArm64) ? "la---" : "l----"
$armFileAttributes = (Test-IsWindowsArm64) ? [System.IO.FileAttributes]"Directory,Archive,ReparsePoint" : [System.IO.FileAttributes]"Directory,ReparsePoint"
$testcases += @{ expectedMode = $junctionMode; expectedModeWithoutHardlink = $junctionMode; itemType = "Junction"; itemName = "Junction-Directory"; fileAttributes = $armFileAttributes; target = $targetDir1.FullName }
$testcases += @{ expectedMode = "-a---"; expectedModeWithoutHardlink = "-a---"; itemType = "File"; itemName = "ArchiveFile"; fileAttributes = [System.IO.FileAttributes] "Archive"; target = $null }
$testcases += @{ expectedMode = "la---"; expectedModeWithoutHardlink = "la---"; itemType = "SymbolicLink"; itemName = "SymbolicLink-File"; fileAttributes = [System.IO.FileAttributes]::Archive -bor [System.IO.FileAttributes]::ReparsePoint; target = $targetFile1.FullName }
$testcases += @{ expectedMode = "la---"; expectedModeWithoutHardlink = "-a---"; itemType = "HardLink"; itemName = "HardLink"; fileAttributes = [System.IO.FileAttributes] "Archive"; target = $targetFile2.FullName }
Expand Down
32 changes: 28 additions & 4 deletions test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageModules.Tests.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -622,6 +622,10 @@ try
Describe "Import mix of trusted and untrusted manifest and module files" -Tags 'Feature','RequireAdminOnWindows' {

It "Verifies that an untrusted manifest with a trusted module will not load under system lockdown" {
if (Test-IsWindowsArm64) {
Set-ItResult -Pending -Because "https://github.com/PowerShell/PowerShell/issues/20169"
return
}

$manifestFileName = Join-Path $TestDrive "ImportUnTrustedManifestWithFnExport.psd1"
$moduleFileName = Join-Path $TestDrive "ImportUnTrustedManifestWithFnExport_System32.psm1"
Expand All @@ -642,8 +646,8 @@ try

try
{
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

Import-Module -Name $manifestFileName -Force -ErrorAction Stop
throw "No Exception!"
Expand Down Expand Up @@ -704,6 +708,10 @@ try
}

It "Verifies that an untrusted module with nested trusted modules cannot load in a locked down system" {
if (Test-IsWindowsArm64) {
Set-ItResult -Pending -Because "https://github.com/PowerShell/PowerShell/issues/20169"
return
}

$manifestFileName = Join-Path $TestDrive "ImportUnTrustedManifestWithTrustedModule.psd1"
$moduleFileName = Join-Path $TestDrive "ImportUnTrustedManifestWithTrustedModule_System32.psm1"
Expand All @@ -723,8 +731,8 @@ try

try
{
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

Import-Module -Name $manifestFileName -Force -ErrorAction Stop
throw "No Exception!"
Expand All @@ -742,6 +750,10 @@ try
}

It "Verifies that an untrusted manifest containing all trusted modules does not load under system lock down" {
if (Test-IsWindowsArm64) {
Set-ItResult -Pending -Because "https://github.com/PowerShell/PowerShell/issues/20169"
return
}

$moduleFileName1 = Join-Path $TestDrive "ImportUnTrustedManifestWithTrustedModules1_System32.psm1"
$moduleFileName2 = Join-Path $TestDrive "ImportUnTrustedManifestWithTrustedModules2_System32.psm1"
Expand All @@ -768,8 +780,8 @@ try

try
{
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

Import-Module -Name $manifestFileName -Force -ErrorAction Stop
throw "No Exception!"
Expand Down Expand Up @@ -1313,6 +1325,10 @@ try
}

It "Verifies that importing untrusted manifest in lock down mode exports all functions by default" {
if (Test-IsWindowsArm64) {
Set-ItResult -Pending -Because "https://github.com/PowerShell/PowerShell/issues/20169"
return
}

CreateManifestNames "ImportUntrustedManifestWithNoFnExport"
@'
Expand All @@ -1330,8 +1346,8 @@ try

try
{
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
$module = Import-Module -Name $manifestFileName -Force -PassThru
}
finally
Expand Down Expand Up @@ -1376,6 +1392,10 @@ try
}

It "Verifies that importing untrusted module file in lock down mode exports all functions by default" {
if (Test-IsWindowsArm64) {
Set-ItResult -Pending -Because "https://github.com/PowerShell/PowerShell/issues/20169"
return
}

CreateManifestNames "ImportUnTrustedModuleWithNoFnExport"
@'
Expand Down Expand Up @@ -1534,6 +1554,10 @@ try
}

It "New-Module succeeds in creating module with untrusted scriptblock in ConstrainedLanguage" {
if (Test-IsWindowsArm64) {
Set-ItResult -Pending -Because "https://github.com/PowerShell/PowerShell/issues/20169"
return
}

$result = $null

Expand Down
60 changes: 26 additions & 34 deletions ...powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageRestriction.Tests.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -966,12 +966,17 @@ try
}

It "Verifies a scriptblock from a trusted script file does not run as trusted" {
if (Test-IsWindowsArm64) {
Set-ItResult -Pending -Because "https://github.com/PowerShell/PowerShell/issues/20169"
return
}

$result = $null

try
{
Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
# Wait for the lockdown mode to take effect
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

# Import untrusted module
Expand Down Expand Up @@ -1027,6 +1032,7 @@ try

Import-Module -Name $scriptModulePath -Force


$result1 = ModuleFn
$result2 = ImportModuleFn
}
Expand All @@ -1046,9 +1052,7 @@ try

$randomClassName = "class_$(Get-Random -Max 9999)"

$script = @'
class {0} {{ static Hello([string] $msg) {{ [System.Console]::WriteLine("Hello from: $msg") }} }}
'@ -f $randomClassName
$script = "class ${randomClassName} { static [string] GetLanguageMode() { return (Get-Variable -ValueOnly -Name ExecutionContext).SessionState.LanguageMode } }"

$modulePathName = "modulePath_$(Get-Random -Max 9999)"
$modulePath = Join-Path $testdrive $modulePathName
Expand Down Expand Up @@ -1097,46 +1101,34 @@ try

It "Verifies that classes cannot be created in script files running under constrained language" {

try
{
Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

& ($untrustedScriptFile)
throw "No Error!"
try {
$ps = [powershell]::Create("NewRunspace")
$ps.Runspace.LanguageMode = "ConstrainedLanguage"
$result = $ps.AddScript($untrustedScriptFile).Invoke()
$ps.Streams.Error[0].FullyQualifiedErrorId | Should -BeExactly "ClassesNotAllowedInConstrainedLanguage" -Because "Invoke-Command should fail in constrained language"
}
catch
{
$expectedError = $_
catch {
$_ | Should -BeNullOrEmpty -Because "exception '$_' unexpected."
}
finally
{
Invoke-LanguageModeTestingSupportCmdlet -EnableFullLanguageMode -RevertLockdownMode
finally {
$ps.Dispose()
}

$expectedError.FullyQualifiedErrorId | Should -BeExactly "ClassesNotAllowedInConstrainedLanguage"
}

It "Verifies that classes cannot be created in untrusted script modules running under constrained language" {

try
{
Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

Import-Module -Name $untrustedScriptModule -ErrorAction Stop
throw "No Error!"
try {
$ps = [powershell]::Create("NewRunspace")
$ps.Runspace.LanguageMode = "ConstrainedLanguage"
# importing the module whilst in constrained language makes it untrusted, even without lockdown mode
$ps.AddCommand("Import-Module").AddParameter("Name", $untrustedScriptModule).Invoke()
$ps.Streams.Error[0].FullyQualifiedErrorId | Should -BeExactly "ClassesNotAllowedInConstrainedLanguage" -Because "Import-Module should fail in constrained language"
}
catch
{
$expectedError = $_
catch {
$_ | Should -BeNullOrEmpty -Because "exception '$_' unexpected."
}
finally
{
Invoke-LanguageModeTestingSupportCmdlet -EnableFullLanguageMode -RevertLockdownMode
finally {
$ps.Dispose()
}

$expectedError.FullyQualifiedErrorId | Should -BeExactly "ClassesNotAllowedInConstrainedLanguage"
}

It "Verifies that classes can be created in trusted script files running under constrained language" {
Expand Down
12 changes: 9 additions & 3 deletions test/powershell/Modules/PackageManagement/PackageManagement.Tests.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,9 +67,15 @@ Describe "PackageManagement Acceptance Test" -Tags "Feature" {

AfterAll {
$ProgressPreference = $SavedProgressPreference
Unregister-PackageSource -Source $localSourceName -ErrorAction Ignore
Unregister-PackageSource -Name $gallerySourceName -ErrorAction Ignore
Uninstall-Module NanoServerPackage -ErrorAction Ignore -WarningAction SilentlyContinue
try {
# non-fatal errors
Unregister-PackageSource -Source $localSourceName -ErrorAction Ignore
Unregister-PackageSource -Name $gallerySourceName -ErrorAction Ignore
Uninstall-Module NanoServerPackage -ErrorAction Ignore -WarningAction SilentlyContinue
}
catch {
Write-Warning "Failure in AfterAll: $_"
}
}

It "get-packageprovider" {
Expand Down
2 changes: 1 addition & 1 deletion test/powershell/engine/Module/ModulePath.Tests.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -180,7 +180,7 @@ Describe "SxS Module Path Basic Tests" -tags "CI" {
try {
$userConfig = '{ "PSModulePath": "myUserPath" }'
Set-Content -Path $userConfigPath -Value $userConfig -Force
$out = & $powershell -noprofile -command 'powershell.exe -noprofile -command $env:PSModulePath'
$out = & $powershell -noprofile -command 'powershell.exe -noprofile -command `$env:PSModulePath'
$out | Should -Not -BeLike 'myUserPath;*'
}
finally {
Expand Down