anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dev
DECNET/tests/canary/test_systemd_unit.py
anti f2b3393669 chore: relicense to AGPL-3.0-or-later and add SPDX headers 
Replaces LICENSE (GPLv3 -> AGPLv3) and prepends
`SPDX-License-Identifier: AGPL-3.0-or-later` to every source file
across decnet/, decnet_web/, tests/, scripts/, and tools/.

Rationale: closes the GPLv3 ASP loophole so any party operating a
modified DECNET as a network service must offer their modified
source. Personal copyright (Samuel Paschuan) + inbound=outbound
contributions make a future unilateral relicense infeasible.

- LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt)
- COPYRIGHT: project copyright notice
- tools/add_spdx_headers.py: idempotent header injector
  (shebang- and PEP 263-aware)

Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh).
No behavior change; comments only.
2026-05-22 21:04:16 -04:00

46 lines
1.5 KiB
Python
Raw Permalink Blame History

# SPDX-License-Identifier: AGPL-3.0-or-later
"""Sanity check on the decnet-canary.service unit + decnet.target.
Tests are deliberately static (no rendering, no systemd) — they just
confirm the unit file exists, references the canary CLI command, is
included in the master target, and follows the same security
hardening posture as decnet-webhook.service.
"""
from __future__ import annotations
from pathlib import Path
DEPLOY = Path(__file__).resolve().parents[2] / "deploy"
def test_canary_unit_exists() -> None:
assert (DEPLOY / "decnet-canary.service.j2").exists()
def test_canary_unit_runs_decnet_canary() -> None:
body = (DEPLOY / "decnet-canary.service.j2").read_text()
assert "{{ venv_dir }}/bin/decnet canary" in body
assert "After=" in body and "decnet-bus.service" in body
def test_canary_unit_has_security_hardening() -> None:
"""Canary handles attacker traffic — must mirror webhook's hardening."""
body = (DEPLOY / "decnet-canary.service.j2").read_text()
for required in (
"NoNewPrivileges=yes",
"ProtectSystem=full",
"ProtectHome=read-only",
"PrivateTmp=yes",
"ProtectKernelTunables=yes",
"ProtectKernelModules=yes",
"ProtectControlGroups=yes",
"RestrictSUIDSGID=yes",
"LockPersonality=yes",
):
assert required in body, f"missing hardening directive: {required}"
def test_canary_listed_in_master_target() -> None:
body = (DEPLOY / "decnet.target").read_text()
assert "decnet-canary.service" in body
Reference in New Issue View Git Blame Copy Permalink