device interface denied list: special value "all" for removing all items

+ tests for empty payloads

qubes/api/admin.py

@@ -1659,6 +1659,9 @@ async def vm_device_denied_add(self, untrusted_payload):
         payload = untrusted_payload.decode("ascii", errors="strict")
         to_add = DeviceInterface.from_str_bulk(payload)
 
+        if not to_add:
+            return
+
         # may contain duplicates
         self.fire_event_for_permission(interfaces=to_add)
 
@@ -1675,16 +1678,19 @@ async def vm_device_denied_remove(self, untrusted_payload):
 
         Payload:
             Encoded device interface (can be repeated without any separator).
-            If payload is empty, all interfaces are removed.
+            If payload is "all", all interfaces are removed.
         """
         denied = DeviceInterface.from_str_bulk(self.dest.devices_denied)
 
         payload = untrusted_payload.decode("ascii", errors="strict")
-        if payload:
+        if payload != "all":
             to_remove = DeviceInterface.from_str_bulk(payload)
         else:
             to_remove = denied.copy()
 
+        if not to_remove:
+            return
+
         # may contain missing values
         self.fire_event_for_permission(interfaces=to_remove)
 

qubes/tests/api_admin.py

@@ -3955,35 +3955,49 @@ def test_665_vm_device_denied_add_present(self):
                                 b"", b"b******")
         self.assertFalse(self.app.save.called)
 
-    def test_666_vm_device_denied_remove(self):
+    def test_666_vm_device_denied_add_nothing(self):
+        self.vm.devices_denied = "b******p012345p53**2*"
+        with self.assertRaises(qubes.exc.QubesValueError):
+            self.call_mgmt_func(b"admin.vm.device.denied.Add", b"test-vm1",
+                                b"", b"b******")
+        self.assertFalse(self.app.save.called)
+
+    def test_670_vm_device_denied_remove(self):
         self.vm.devices_denied = "b******p012345p53**2*"
         self.call_mgmt_func(b"admin.vm.device.denied.Remove", b"test-vm1",
                             b"", b"b******")
         self.assertEqual(self.vm.devices_denied,
                          "p012345p53**2*")
         self.assertTrue(self.app.save.called)
 
-    def test_667_vm_device_denied_remove_repeated(self):
+    def test_671_vm_device_denied_remove_repeated(self):
         self.vm.devices_denied = "b******p012345p53**2*"
         with self.assertRaises(qubes.exc.QubesValueError):
             self.call_mgmt_func(b"admin.vm.device.denied.Remove", b"test-vm1",
                                 b"", b"b******b******")
         self.assertFalse(self.app.save.called)
 
-    def test_668_vm_device_denied_remove_all(self):
+    def test_672_vm_device_denied_remove_all(self):
         self.vm.devices_denied = "b******p012345p53**2*"
         self.call_mgmt_func(b"admin.vm.device.denied.Remove", b"test-vm1",
-                            b"", b"")
+                            b"", b"all")
         self.assertEqual(self.vm.devices_denied, "")
         self.assertTrue(self.app.save.called)
 
-    def test_669_vm_device_denied_remove_missing(self):
+    def test_673_vm_device_denied_remove_missing(self):
         self.vm.devices_denied = "b******p012345p53**2*"
         with self.assertRaises(qubes.exc.QubesValueError):
             self.call_mgmt_func(b"admin.vm.device.denied.Remove", b"test-vm1",
                                 b"", b"m******")
         self.assertFalse(self.app.save.called)
 
+    def test_674_vm_device_denied_remove_nothing(self):
+        self.vm.devices_denied = "b******p012345p53**2*"
+        with self.assertRaises(qubes.exc.QubesValueError):
+            self.call_mgmt_func(b"admin.vm.device.denied.Remove", b"test-vm1",
+                                b"", b"")
+        self.assertFalse(self.app.save.called)
+
     def test_700_pool_set_revisions_to_keep(self):
         self.app.pools["test-pool"] = unittest.mock.Mock()
         value = self.call_mgmt_func(