From 616d9f017fb5c87f466b6766e15a497308770b02 Mon Sep 17 00:00:00 2001
From: jvoisin <julien.voisin@dustri.org>
Date: Mon, 15 Apr 2024 14:49:22 +0200
Subject: [PATCH] Add some lightweight typing

---
 kernel_hardening_checker/__init__.py | 11 ++++++-----
 kernel_hardening_checker/checks.py   |  8 ++++----
 kernel_hardening_checker/engine.py   | 19 ++++++++++---------
 3 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/kernel_hardening_checker/__init__.py b/kernel_hardening_checker/__init__.py
index 89c24f7..55b7be4 100644
--- a/kernel_hardening_checker/__init__.py
+++ b/kernel_hardening_checker/__init__.py
@@ -14,6 +14,7 @@ import gzip
 import sys
 from argparse import ArgumentParser
 from collections import OrderedDict
+from typing import List, Tuple
 import re
 import json
 from .__about__ import __version__
@@ -29,7 +30,7 @@ def _open(file: str, *args, **kwargs):
     return open_method(file, *args, **kwargs)
 
 
-def detect_arch(fname, archs):
+def detect_arch(fname: str, archs: List[str]) -> Tuple:
     with _open(fname, 'rt', encoding='utf-8') as f:
         arch_pattern = re.compile(r"CONFIG_[a-zA-Z0-9_]+=y$")
         arch = None
@@ -46,7 +47,7 @@ def detect_arch(fname, archs):
         return arch, 'OK'
 
 
-def detect_kernel_version(fname):
+def detect_kernel_version(fname: str) -> Tuple:
     with _open(fname, 'rt', encoding='utf-8') as f:
         ver_pattern = re.compile(r"^# Linux/.+ Kernel Configuration$|^Linux version .+")
         for line in f.readlines():
@@ -63,7 +64,7 @@ def detect_kernel_version(fname):
         return None, 'no kernel version detected'
 
 
-def detect_compiler(fname):
+def detect_compiler(fname: str):
     gcc_version = None
     clang_version = None
     with _open(fname, 'rt', encoding='utf-8') as f:
@@ -104,7 +105,7 @@ def print_unknown_options(checklist, parsed_options, opt_type):
             print(f'[?] No check for {opt_type} option {option} ({value})')
 
 
-def print_checklist(mode, checklist, with_results):
+def print_checklist(mode: str, checklist, with_results: bool):
     if mode == 'json':
         output = []
         for opt in checklist:
@@ -151,7 +152,7 @@ def print_checklist(mode, checklist, with_results):
         print(f'[+] Config check is finished: \'OK\' - {ok_count}{ok_suppressed} / \'FAIL\' - {fail_count}{fail_suppressed}')
 
 
-def parse_kconfig_file(_mode, parsed_options, fname):
+def parse_kconfig_file(_mode, parsed_options, fname: str):
     with _open(fname, 'rt', encoding='utf-8') as f:
         opt_is_on = re.compile(r"CONFIG_[a-zA-Z0-9_]+=.+$")
         opt_is_off = re.compile(r"# CONFIG_[a-zA-Z0-9_]+ is not set$")
diff --git a/kernel_hardening_checker/checks.py b/kernel_hardening_checker/checks.py
index 94cf950..a263745 100644
--- a/kernel_hardening_checker/checks.py
+++ b/kernel_hardening_checker/checks.py
@@ -14,7 +14,7 @@ This module contains knowledge for checks.
 from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND
 
 
-def add_kconfig_checks(l, arch):
+def add_kconfig_checks(l, arch: str):
     assert(arch), 'empty arch'
 
     # Calling the KconfigCheck class constructor:
@@ -413,7 +413,7 @@ def add_kconfig_checks(l, arch):
         l += [KconfigCheck('harden_userspace', 'a13xp0p0v', 'X86_USER_SHADOW_STACK', 'y')]
 
 
-def add_cmdline_checks(l, arch):
+def add_cmdline_checks(l, arch: str):
     assert(arch), 'empty arch'
 
     # Calling the CmdlineCheck class constructor:
@@ -618,7 +618,7 @@ no_kstrtobool_options = [
 ]
 
 
-def normalize_cmdline_options(option, value):
+def normalize_cmdline_options(option: str, value: str) -> str:
     # Don't normalize the cmdline option values if
     # the Linux kernel doesn't use kstrtobool() for them
     if option in no_kstrtobool_options:
@@ -645,7 +645,7 @@ def normalize_cmdline_options(option, value):
 #    kernel.warn_limit (think about a proper value)
 #    net.ipv4.tcp_syncookies=1 (?)
 
-def add_sysctl_checks(l, _arch):
+def add_sysctl_checks(l, _arch: str):
 # This function may be called with arch=None
 
 # Calling the SysctlCheck class constructor:
diff --git a/kernel_hardening_checker/engine.py b/kernel_hardening_checker/engine.py
index 56aa80f..0bf0ad5 100644
--- a/kernel_hardening_checker/engine.py
+++ b/kernel_hardening_checker/engine.py
@@ -11,6 +11,7 @@ This module is the engine of checks.
 # pylint: disable=missing-class-docstring,missing-function-docstring
 # pylint: disable=line-too-long,invalid-name,too-many-branches
 
+from typing import Dict, Tuple
 import sys
 
 GREEN_COLOR = '\x1b[32m'
@@ -29,7 +30,7 @@ def colorize_result(input_text):
 
 
 class OptCheck:
-    def __init__(self, reason, decision, name, expected):
+    def __init__(self, reason: str, decision: str, name: str, expected: str):
         assert(name and name == name.strip() and len(name.split()) == 1), \
                f'invalid name "{name}" for {self.__class__.__name__}'
         self.name = name
@@ -100,12 +101,12 @@ class OptCheck:
         else:
             self.result = f'FAIL: "{self.state}"'
 
-    def table_print(self, _mode, with_results):
+    def table_print(self, _mode, with_results: bool):
         print(f'{self.name:<40}|{self.opt_type:^7}|{self.expected:^12}|{self.decision:^10}|{self.reason:^18}', end='')
         if with_results:
             print(f'| {colorize_result(self.result)}', end='')
 
-    def json_dump(self, with_results):
+    def json_dump(self, with_results: bool) -> Dict:
         dump = {
             "option_name": self.name,
             "type": self.opt_type,
@@ -142,7 +143,7 @@ class SysctlCheck(OptCheck):
 
 
 class VersionCheck:
-    def __init__(self, ver_expected):
+    def __init__(self, ver_expected: Tuple):
         assert(ver_expected and isinstance(ver_expected, tuple) and len(ver_expected) == 3), \
                f'invalid expected version "{ver_expected}" for VersionCheck (1)'
         assert(all(map(lambda x: isinstance(x, int), ver_expected))), \
@@ -155,7 +156,7 @@ class VersionCheck:
     def opt_type(self):
         return 'version'
 
-    def set_state(self, data):
+    def set_state(self, data: Tuple):
         assert(data and isinstance(data, tuple) and len(data) >= 3), \
                f'invalid version "{data}" for VersionCheck'
         self.ver = data[:3]
@@ -180,7 +181,7 @@ class VersionCheck:
             return
         self.result = f'FAIL: version < {self.ver_expected}'
 
-    def table_print(self, _mode, with_results):
+    def table_print(self, _mode, with_results: bool):
         ver_req = f'kernel version >= {self.ver_expected}'
         print(f'{ver_req:<91}', end='')
         if with_results:
@@ -210,7 +211,7 @@ class ComplexOptCheck:
     def expected(self):
         return self.opts[0].expected
 
-    def table_print(self, mode, with_results):
+    def table_print(self, mode: str, with_results: bool):
         if mode == 'verbose':
             class_name = f'<<< {self.__class__.__name__} >>>'
             print(f'    {class_name:87}', end='')
@@ -225,7 +226,7 @@ class ComplexOptCheck:
             if with_results:
                 print(f'| {colorize_result(self.result)}', end='')
 
-    def json_dump(self, with_results):
+    def json_dump(self, with_results: bool) -> Dict:
         dump = self.opts[0].json_dump(False)
         if with_results:
             # Add the 'check_result' and 'check_result_bool' keys to the dictionary
@@ -297,7 +298,7 @@ class AND(ComplexOptCheck):
 SIMPLE_OPTION_TYPES = ('kconfig', 'cmdline', 'sysctl', 'version')
 
 
-def populate_simple_opt_with_data(opt, data, data_type):
+def populate_simple_opt_with_data(opt, data, data_type: str):
     assert(opt.opt_type != 'complex'), \
            f'unexpected ComplexOptCheck "{opt.name}"'
     assert(opt.opt_type in SIMPLE_OPTION_TYPES), \
-- 
2.31.1