mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-22 14:48:07 +00:00
d12a45bba9
* common_test: Add a failing test to show the SISEGV Signed-off-by: Simarpreet Singh <simar@linux.com> * common: Go green by fixing isMaster() to instantiate viper Signed-off-by: Simarpreet Singh <simar@linux.com> * common: Inject a seam for getBinariesFunc to be patched-in. Also adds additional tests to showcase unhappy behaviors. Signed-off-by: Simarpreet Singh <simar@linux.com> * common_test: Rename TestIsMaster() Signed-off-by: Simarpreet Singh <simar@linux.com> * common: init viper with master config Signed-off-by: Simarpreet Singh <simar@linux.com> * common: Add a pre-check if valid yaml is passed but doesn't include master. Also adds additional tests to showcase unhappy behaviors. Signed-off-by: Simarpreet Singh <simar@linux.com> * mod: Upgrade viper to v1.4.0 Signed-off-by: Simarpreet Singh <simar@linux.com> * common: Refactor node only yaml to a file Signed-off-by: Simarpreet Singh <simar@linux.com> * common: Log when master components are not found Signed-off-by: Simarpreet Singh <simar@linux.com> * common_test: Refactor subtests into a table Signed-off-by: Simarpreet Singh <simar@linux.com>
168 lines
4.8 KiB
Go
168 lines
4.8 KiB
Go
// Copyright © 2017-2019 Aqua Security Software Ltd. <info@aquasec.com>
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"errors"
|
|
"github.com/aquasecurity/kube-bench/check"
|
|
"github.com/spf13/viper"
|
|
"github.com/stretchr/testify/assert"
|
|
"testing"
|
|
)
|
|
|
|
func TestNewRunFilter(t *testing.T) {
|
|
|
|
type TestCase struct {
|
|
Name string
|
|
FilterOpts FilterOpts
|
|
Group *check.Group
|
|
Check *check.Check
|
|
|
|
Expected bool
|
|
}
|
|
|
|
testCases := []TestCase{
|
|
{
|
|
Name: "Should return true when scored flag is enabled and check is scored",
|
|
FilterOpts: FilterOpts{Scored: true, Unscored: false},
|
|
Group: &check.Group{},
|
|
Check: &check.Check{Scored: true},
|
|
Expected: true,
|
|
},
|
|
{
|
|
Name: "Should return false when scored flag is enabled and check is not scored",
|
|
FilterOpts: FilterOpts{Scored: true, Unscored: false},
|
|
Group: &check.Group{},
|
|
Check: &check.Check{Scored: false},
|
|
Expected: false,
|
|
},
|
|
|
|
{
|
|
Name: "Should return true when unscored flag is enabled and check is not scored",
|
|
FilterOpts: FilterOpts{Scored: false, Unscored: true},
|
|
Group: &check.Group{},
|
|
Check: &check.Check{Scored: false},
|
|
Expected: true,
|
|
},
|
|
{
|
|
Name: "Should return false when unscored flag is enabled and check is scored",
|
|
FilterOpts: FilterOpts{Scored: false, Unscored: true},
|
|
Group: &check.Group{},
|
|
Check: &check.Check{Scored: true},
|
|
Expected: false,
|
|
},
|
|
|
|
{
|
|
Name: "Should return true when group flag contains group's ID",
|
|
FilterOpts: FilterOpts{Scored: true, Unscored: true, GroupList: "G1,G2,G3"},
|
|
Group: &check.Group{ID: "G2"},
|
|
Check: &check.Check{},
|
|
Expected: true,
|
|
},
|
|
{
|
|
Name: "Should return false when group flag doesn't contain group's ID",
|
|
FilterOpts: FilterOpts{GroupList: "G1,G3"},
|
|
Group: &check.Group{ID: "G2"},
|
|
Check: &check.Check{},
|
|
Expected: false,
|
|
},
|
|
|
|
{
|
|
Name: "Should return true when check flag contains check's ID",
|
|
FilterOpts: FilterOpts{Scored: true, Unscored: true, CheckList: "C1,C2,C3"},
|
|
Group: &check.Group{},
|
|
Check: &check.Check{ID: "C2"},
|
|
Expected: true,
|
|
},
|
|
{
|
|
Name: "Should return false when check flag doesn't contain check's ID",
|
|
FilterOpts: FilterOpts{CheckList: "C1,C3"},
|
|
Group: &check.Group{},
|
|
Check: &check.Check{ID: "C2"},
|
|
Expected: false,
|
|
},
|
|
}
|
|
|
|
for _, testCase := range testCases {
|
|
t.Run(testCase.Name, func(t *testing.T) {
|
|
filter, _ := NewRunFilter(testCase.FilterOpts)
|
|
assert.Equal(t, testCase.Expected, filter(testCase.Group, testCase.Check))
|
|
})
|
|
}
|
|
|
|
t.Run("Should return error when both group and check flags are used", func(t *testing.T) {
|
|
// given
|
|
opts := FilterOpts{GroupList: "G1", CheckList: "C1"}
|
|
// when
|
|
_, err := NewRunFilter(opts)
|
|
// then
|
|
assert.EqualError(t, err, "group option and check option can't be used together")
|
|
})
|
|
|
|
}
|
|
|
|
func TestIsMaster(t *testing.T) {
|
|
testCases := []struct{
|
|
name string
|
|
cfgFile string
|
|
getBinariesFunc func(*viper.Viper) (map[string]string, error)
|
|
isMaster bool
|
|
}{
|
|
{
|
|
name: "valid config, is master and all components are running",
|
|
cfgFile: "../cfg/config.yaml",
|
|
getBinariesFunc: func(viper *viper.Viper) (strings map[string]string, i error) {
|
|
return map[string]string{"apiserver": "kube-apiserver"}, nil
|
|
},
|
|
isMaster: true,
|
|
},
|
|
{
|
|
name: "valid config, is master and but not all components are running",
|
|
cfgFile: "../cfg/config.yaml",
|
|
getBinariesFunc: func(viper *viper.Viper) (strings map[string]string, i error) {
|
|
return map[string]string{}, nil
|
|
},
|
|
isMaster: false,
|
|
},
|
|
{
|
|
name: "valid config, is master, not all components are running and fails to find all binaries",
|
|
cfgFile: "../cfg/config.yaml",
|
|
getBinariesFunc: func(viper *viper.Viper) (strings map[string]string, i error) {
|
|
return map[string]string{}, errors.New("failed to find binaries")
|
|
},
|
|
isMaster: false,
|
|
},
|
|
{
|
|
name: "valid config, does not include master",
|
|
cfgFile: "../cfg/node_only.yaml",
|
|
isMaster: false,
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases{
|
|
cfgFile = tc.cfgFile
|
|
initConfig()
|
|
|
|
oldGetBinariesFunc := getBinariesFunc
|
|
getBinariesFunc = tc.getBinariesFunc
|
|
defer func() {
|
|
getBinariesFunc = oldGetBinariesFunc
|
|
cfgFile = ""
|
|
}()
|
|
|
|
assert.Equal(t, tc.isMaster, isMaster(), tc.name)
|
|
}
|
|
}
|