1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-21 06:08:06 +00:00
kube-bench/check/test.go

201 lines
4.3 KiB
Go
Raw Normal View History

2017-05-26 09:25:29 +00:00
// Copyright © 2017 Aqua Security Software Ltd. <info@aquasec.com>
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package check
import (
"fmt"
"os"
"regexp"
"strconv"
"strings"
)
// test:
// flag: OPTION
// set: (true|false)
// compare:
// op: (eq|gt|gte|lt|lte|has)
// value: val
type binOp string
const (
and binOp = "and"
or = "or"
)
type testItem struct {
Flag string
Output string
2017-05-26 09:25:29 +00:00
Value string
Set bool
Compare compare
}
type compare struct {
Op string
Value string
}
type testOutput struct {
testResult bool
actualResult string
}
func (t *testItem) execute(s string) *testOutput {
result := &testOutput{}
2017-05-26 09:25:29 +00:00
match := strings.Contains(s, t.Flag)
if t.Set {
var flagVal string
isset := match
if isset && t.Compare.Op != "" {
// Expects flags in the form;
// --flag=somevalue
// --flag
// somevalue
//pttn := `(` + t.Flag + `)(=)*([^\s,]*) *`
pttn := `(` + t.Flag + `)(=)*([^\s]*) *`
2017-05-26 09:25:29 +00:00
flagRe := regexp.MustCompile(pttn)
vals := flagRe.FindStringSubmatch(s)
if len(vals) > 0 {
if vals[3] != "" {
flagVal = vals[3]
} else {
flagVal = vals[1]
}
2017-05-26 09:25:29 +00:00
} else {
fmt.Fprintf(os.Stderr, "invalid flag in testitem definition")
2017-05-26 09:25:29 +00:00
os.Exit(1)
}
result.actualResult = strings.ToLower(flagVal)
2017-05-26 09:25:29 +00:00
switch t.Compare.Op {
case "eq":
2018-05-15 09:52:49 +00:00
value := strings.ToLower(flagVal)
// Do case insensitive comparaison for booleans ...
if value == "false" || value == "true" {
result.testResult = value == t.Compare.Value
} else {
result.testResult = flagVal == t.Compare.Value
}
2017-05-26 09:25:29 +00:00
case "noteq":
2018-05-15 09:52:49 +00:00
value := strings.ToLower(flagVal)
// Do case insensitive comparaison for booleans ...
if value == "false" || value == "true" {
result.testResult = !(value == t.Compare.Value)
} else {
result.testResult = !(flagVal == t.Compare.Value)
}
2017-05-26 09:25:29 +00:00
case "gt":
a, b := toNumeric(flagVal, t.Compare.Value)
result.testResult = a > b
2017-05-26 09:25:29 +00:00
case "gte":
a, b := toNumeric(flagVal, t.Compare.Value)
result.testResult = a >= b
2017-05-26 09:25:29 +00:00
case "lt":
a, b := toNumeric(flagVal, t.Compare.Value)
result.testResult = a < b
2017-05-26 09:25:29 +00:00
case "lte":
a, b := toNumeric(flagVal, t.Compare.Value)
result.testResult = a <= b
2017-05-26 09:25:29 +00:00
case "has":
result.testResult = strings.Contains(flagVal, t.Compare.Value)
2017-05-26 09:25:29 +00:00
case "nothave":
result.testResult = !strings.Contains(flagVal, t.Compare.Value)
2017-05-26 09:25:29 +00:00
}
} else {
result.testResult = isset
2017-05-26 09:25:29 +00:00
}
} else {
notset := !match
result.testResult = notset
2017-05-26 09:25:29 +00:00
}
return result
2017-05-26 09:25:29 +00:00
}
type tests struct {
TestItems []*testItem `yaml:"test_items"`
BinOp binOp `yaml:"bin_op"`
}
func (ts *tests) execute(s string) *testOutput {
finalOutput := &testOutput{}
2019-01-24 15:40:43 +00:00
// If no tests are defined return with empty finalOutput.
// This may be the case for checks of type: "skip".
2019-01-24 15:40:43 +00:00
if ts == nil {
return finalOutput
}
res := make([]testOutput, len(ts.TestItems))
if len(res) == 0 {
return finalOutput
}
2017-05-26 09:25:29 +00:00
for i, t := range ts.TestItems {
res[i] = *(t.execute(s))
2017-05-26 09:25:29 +00:00
}
var result bool
2017-05-26 09:25:29 +00:00
// If no binary operation is specified, default to AND
switch ts.BinOp {
default:
fmt.Fprintf(os.Stderr, "unknown binary operator for tests %s\n", ts.BinOp)
os.Exit(1)
case and, "":
result = true
for i := range res {
result = result && res[i].testResult
2017-05-26 09:25:29 +00:00
}
case or:
result = false
for i := range res {
result = result || res[i].testResult
2017-05-26 09:25:29 +00:00
}
}
finalOutput.testResult = result
finalOutput.actualResult = res[0].actualResult
return finalOutput
2017-05-26 09:25:29 +00:00
}
func toNumeric(a, b string) (c, d int) {
var err error
c, err = strconv.Atoi(a)
if err != nil {
fmt.Fprintf(os.Stderr, "error converting %s: %s\n", a, err)
os.Exit(1)
}
d, err = strconv.Atoi(b)
if err != nil {
fmt.Fprintf(os.Stderr, "error converting %s: %s\n", b, err)
os.Exit(1)
}
return c, d
}