fix: resolve critical build bugs and add missing PRD requirements

Critical fixes: - Fix security-hardening.sh live hook: removed broken source from /build/src/ which doesn't exist during live-build; made hook self-contained by inlining all config generation - Fix firewall-setup.sh live hook: removed broken source from /build/src/; hook already had inline nftables config - Fix install-scripts.sh: replaced /workspace/src/ references with embedded inline scripts (installed system has no /workspace) - Fix UKI cmdline in standalone uki_build(): added lockdown=confidentiality and module.sig_enforce=1 to match the inline Secure Boot hook - Fix WiFi blacklist: expanded from 6 entries to 19, now covers all PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*) Missing PRD requirements added: - kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID dumpable disabled, hardlink/symlink protection, network hardening - service-hardening.sh (FR-007): disables and masks avahi-daemon, cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport - sudo-hardening.sh (FR-007): requiretty, logging (input/output), timestamp timeout, env_reset, restricted football user commands - mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp, nodev/nosuid on /home, /dev/shm hardening Test improvements: - Rewrote security-hardening_comprehensive_test.bats: tests now source scripts, call functions, and verify generated output files - Rewrote firewall-setup_comprehensive_test.bats: tests now create WireGuard configs, call parse_wg_endpoint, verify nftables output - Added new-hooks_test.bats: 42 tests for kernel hardening, service hardening, sudo hardening, mount hardening, self-containment verification, and WiFi blacklist completeness - Total: 788 tests passing, 0 failures, 0 shellcheck warnings Reference: docs/PRD.md FR-005, FR-007, security-model.md 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-01 09:50:15 -05:00
parent c03d3a793e
commit 62d20604a6
14 changed files with 1022 additions and 467 deletions
--- a/tests/unit/firewall-setup_comprehensive_test.bats
+++ b/tests/unit/firewall-setup_comprehensive_test.bats
@@ -1,176 +1,126 @@
 #!/usr/bin/env bats
-# Comprehensive unit tests for firewall-setup.sh (100% coverage)
+# Behavioral tests for firewall-setup.sh
+# Reference: PRD FR-004

-# Test parse_wg_endpoint function exists
-@test "parse_wg_endpoint function is defined" {
-  source /workspace/src/firewall-setup.sh
-  declare -f parse_wg_endpoint
+setup() {
+    export TEST_TMPDIR=$(mktemp -d)
 }

-@test "parse_wg_endpoint accepts optional config parameter" {
-  grep -q 'wg_config=.*${1:-' /workspace/src/firewall-setup.sh
+teardown() {
+    rm -rf "$TEST_TMPDIR"
 }

-@test "parse_wg_endpoint checks for WireGuard config file" {
-  grep -q '\[\[ ! -f.*wg_config \]\]' /workspace/src/firewall-setup.sh
+# =============================================================================
+# parse_wg_endpoint - PRD FR-004
+# =============================================================================
+
+@test "parse_wg_endpoint extracts endpoint from valid config" {
+    source /workspace/src/firewall-setup.sh
+    cat >"$TEST_TMPDIR/wg0.conf" <<'EOF'
+[Interface]
+PrivateKey = test123
+Address = 10.0.0.2/24
+
+[Peer]
+PublicKey = peer123
+Endpoint = 203.0.113.1:51820
+AllowedIPs = 0.0.0.0/0
+EOF
+    run parse_wg_endpoint "$TEST_TMPDIR/wg0.conf"
+    [ "$status" -eq 0 ]
+    [ "$output" = "203.0.113.1:51820" ]
 }

-@test "parse_wg_endpoint returns error when config not found" {
-  grep -q 'return 1' /workspace/src/firewall-setup.sh
+@test "parse_wg_endpoint fails when config missing" {
+    source /workspace/src/firewall-setup.sh
+    run parse_wg_endpoint "$TEST_TMPDIR/nonexistent.conf"
+    [ "$status" -ne 0 ]
 }

-@test "parse_wg_endpoint parses endpoint from config" {
-  grep -q 'grep -oP.*Endpoint.*' /workspace/src/firewall-setup.sh
+@test "parse_wg_endpoint fails when no Endpoint line" {
+    source /workspace/src/firewall-setup.sh
+    cat >"$TEST_TMPDIR/wg0.conf" <<'EOF'
+[Interface]
+PrivateKey = test123
+EOF
+    run parse_wg_endpoint "$TEST_TMPDIR/wg0.conf"
+    [ "$status" -ne 0 ]
 }

-@test "parse_wg_endpoint returns error on parse failure" {
-  grep -q 'Could not parse endpoint' /workspace/src/firewall-setup.sh
+# =============================================================================
+# generate_nftables_rules - PRD FR-004
+# =============================================================================
+
+@test "generate_nftables_rules produces valid nftables config" {
+    source /workspace/src/firewall-setup.sh
+    run generate_nftables_rules "203.0.113.1:51820"
+    [ "$status" -eq 0 ]
+    echo "$output" | grep -q "flush ruleset"
+    echo "$output" | grep -q "table inet filter"
 }

-# Test generate_nftables_rules function exists
-@test "generate_nftables_rules function is defined" {
-  source /workspace/src/firewall-setup.sh
-  declare -f generate_nftables_rules
+@test "Firewall input chain has DROP policy" {
+    source /workspace/src/firewall-setup.sh
+    result=$(generate_nftables_rules "203.0.113.1:51820")
+    echo "$result" | grep -q "type filter hook input priority 0; policy drop"
 }

-@test "generate_nftables_rules accepts endpoint parameter" {
-  grep -q 'endpoint="$1"' /workspace/src/firewall-setup.sh
+@test "Firewall forward chain has DROP policy" {
+    source /workspace/src/firewall-setup.sh
+    result=$(generate_nftables_rules "203.0.113.1:51820")
+    echo "$result" | grep -q "type filter hook forward priority 0; policy drop"
 }

-@test "generate_nftables_rules parses IP from endpoint" {
-  grep -q 'local ip=' /workspace/src/firewall-setup.sh
+@test "Firewall output chain has DROP policy" {
+    source /workspace/src/firewall-setup.sh
+    result=$(generate_nftables_rules "203.0.113.1:51820")
+    echo "$result" | grep -q "type filter hook output priority 0; policy drop"
 }

-@test "generate_nftables_rules parses port from endpoint" {
-  grep -q 'local port=' /workspace/src/firewall-setup.sh
+@test "Firewall allows loopback traffic" {
+    source /workspace/src/firewall-setup.sh
+    result=$(generate_nftables_rules "203.0.113.1:51820")
+    echo "$result" | grep -q "iif lo accept"
+    echo "$result" | grep -q "oif lo accept"
 }

-@test "generate_nftables_rules generates nftables config" {
-  grep -q 'cat <<EOF' /workspace/src/firewall-setup.sh
+@test "Firewall allows WireGuard traffic to specific endpoint" {
+    source /workspace/src/firewall-setup.sh
+    result=$(generate_nftables_rules "203.0.113.1:51820")
+    echo "$result" | grep -q "203.0.113.1"
+    echo "$result" | grep -q "51820"
 }

-@test "generate_nftables_rules flushes ruleset" {
-  grep -q 'flush ruleset' /workspace/src/firewall-setup.sh
+@test "Firewall allows ICMP ping" {
+    source /workspace/src/firewall-setup.sh
+    result=$(generate_nftables_rules "203.0.113.1:51820")
+    echo "$result" | grep -q "echo-request"
 }

-@test "generate_nftables_rules defines input chain" {
-  grep -q 'chain input' /workspace/src/firewall-setup.sh
+@test "generate_nftables_rules extracts IP and port correctly" {
+    source /workspace/src/firewall-setup.sh
+    result=$(generate_nftables_rules "10.20.30.40:12345")
+    echo "$result" | grep -q "10.20.30.40"
+    echo "$result" | grep -q "12345"
 }

-@test "generate_nftables_rules sets input policy to drop" {
-  grep -q 'policy drop' /workspace/src/firewall-setup.sh
+# =============================================================================
+# Script Structure
+# =============================================================================
+
+@test "firewall-setup.sh uses strict mode" {
+    head -5 /workspace/src/firewall-setup.sh | grep -q "set -euo pipefail"
 }

-@test "generate_nftables_rules accepts loopback traffic" {
-  grep -q 'iif lo accept' /workspace/src/firewall-setup.sh
+@test "firewall-setup.sh is executable" {
+    [ -x "/workspace/src/firewall-setup.sh" ]
 }

-@test "generate_nftables_rules accepts ping" {
-  grep -q 'icmp type echo-request accept' /workspace/src/firewall-setup.sh
+@test "firewall-setup.sh has valid bash syntax" {
+    run bash -n /workspace/src/firewall-setup.sh
+    [ "$status" -eq 0 ]
 }

-@test "generate_nftables_rules defines forward chain" {
-  grep -q 'chain forward' /workspace/src/firewall-setup.sh
-}
-
-@test "generate_nftables_rules defines output chain" {
-  grep -q 'chain output' /workspace/src/firewall-setup.sh
-}
-
-@test "generate_nftables_rules accepts WireGuard traffic" {
-  grep -q 'udp dport.*ip daddr.*accept' /workspace/src/firewall-setup.sh
-}
-
-@test "generate_nftables_rules uses inet filter table" {
-  grep -q 'table inet filter' /workspace/src/firewall-setup.sh
-}
-
-# Test apply_firewall function exists
-@test "apply_firewall function is defined" {
-  source /workspace/src/firewall-setup.sh
-  declare -f apply_firewall
-}
-
-@test "apply_firewall accepts optional config parameter" {
-  grep -q 'wg_config=.*${1:-' /workspace/src/firewall-setup.sh
-}
-
-@test "apply_firewall checks for WireGuard config" {
-  grep -q '\[\[ -f.*wg_config \]\]' /workspace/src/firewall-setup.sh
-}
-
-@test "apply_firewall calls parse_wg_endpoint" {
-  grep -q 'parse_wg_endpoint' /workspace/src/firewall-setup.sh
-}
-
-@test "apply_firewall generates rules when endpoint found" {
-  grep -q 'generate_nftables_rules' /workspace/src/firewall-setup.sh
-}
-
-@test "apply_firewall writes nftables config" {
-  grep -q '>/etc/nftables.conf' /workspace/src/firewall-setup.sh
-}
-
-@test "apply_firewall enables nftables service" {
-  grep -q 'systemctl enable nftables' /workspace/src/firewall-setup.sh
-}
-
-@test "apply_firewall restarts nftables service" {
-  grep -q 'systemctl restart nftables' /workspace/src/firewall-setup.sh
-}
-
-@test "apply_firewall handles missing config" {
-  grep -q 'Warning: WireGuard config not found' /workspace/src/firewall-setup.sh
-}
-
-@test "apply_firewall handles parse failure" {
-  grep -q 'Warning: Could not parse WireGuard endpoint' /workspace/src/firewall-setup.sh
-}
-
-# Test main function exists
-@test "main function is defined" {
-  source /workspace/src/firewall-setup.sh
-  declare -f main
-}
-
-@test "main calls apply_firewall" {
-  grep -q 'apply_firewall' /workspace/src/firewall-setup.sh
-}
-
-@test "main outputs setup messages" {
-  grep -q 'Setting up' /workspace/src/firewall-setup.sh
-  grep -q 'completed' /workspace/src/firewall-setup.sh
-}
-
-# Test script behavior
-@test "script uses set -euo pipefail" {
-  grep -q "set -euo pipefail" /workspace/src/firewall-setup.sh
-}
-
-@test "script is executable" {
-  [ -x "/workspace/src/firewall-setup.sh" ]
-}
-
-@test "script has proper shebang" {
-  head -n1 /workspace/src/firewall-setup.sh | grep -q "#!/bin/bash"
-}
-
-@test "script has comments explaining functions" {
-  grep -q "# Function to" /workspace/src/firewall-setup.sh
-}
-
-@test "script checks if executed directly" {
-  grep -q 'BASH_SOURCE' /workspace/src/firewall-setup.sh
-}
-
-@test "script calls main only when executed directly" {
-  grep -q '== "${0}"' /workspace/src/firewall-setup.sh
-}
-
-@test "script has proper error messages" {
-  grep -q "Error:" /workspace/src/firewall-setup.sh
-}
-
-@test "script has proper warning messages" {
-  grep -q "Warning:" /workspace/src/firewall-setup.sh
+@test "firewall-setup.sh runs main when executed directly" {
+    grep -q 'BASH_SOURCE\[0\]' /workspace/src/firewall-setup.sh
 }