1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-27 08:58:06 +00:00
kube-bench/check/test_test.go
tonyqui 11136317f2
Fix experimental-encryption-provider-config test on OCP 3.11 - Issue #926 (#1024)
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
2021-10-27 12:56:00 +03:00

1263 lines
43 KiB
Go

// Copyright © 2017-2020 Aqua Security Software Ltd. <info@aquasec.com>
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package check
import (
"fmt"
"io/ioutil"
"os"
"strings"
"testing"
)
var (
in []byte
controls *Controls
)
func init() {
var err error
in, err = ioutil.ReadFile("data")
if err != nil {
panic("Failed reading test data: " + err.Error())
}
// substitute variables in data file
user := os.Getenv("USER")
s := strings.Replace(string(in), "$user", user, -1)
controls, err = NewControls(MASTER, []byte(s), "")
// controls, err = NewControls(MASTER, in)
if err != nil {
panic("Failed creating test controls: " + err.Error())
}
}
func TestTestExecute(t *testing.T) {
cases := []struct {
check *Check
str string
strConfig string
expectedTestResult string
strEnv string
}{
{
check: controls.Groups[0].Checks[0],
str: "2:45 ../kubernetes/kube-apiserver --allow-privileged=false --option1=20,30,40",
strConfig: "",
expectedTestResult: "'--allow-privileged' is present",
},
{
check: controls.Groups[0].Checks[1],
str: "2:45 ../kubernetes/kube-apiserver --allow-privileged=false",
strConfig: "",
expectedTestResult: "'--basic-auth' is not present",
},
{
check: controls.Groups[0].Checks[2],
str: "niinai 13617 2635 99 19:26 pts/20 00:03:08 ./kube-apiserver --insecure-port=0 --anonymous-auth",
strConfig: "",
expectedTestResult: "'--insecure-port' is equal to '0'",
},
{
check: controls.Groups[0].Checks[3],
str: "2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage=40 --option",
strConfig: "",
expectedTestResult: "'--audit-log-maxage' is greater or equal to 30",
},
{
check: controls.Groups[0].Checks[4],
str: "2:45 ../kubernetes/kube-apiserver --max-backlog=20 --secure-port=0 --audit-log-maxage=40 --option",
strConfig: "",
expectedTestResult: "'--max-backlog' is lower than 30",
},
{
check: controls.Groups[0].Checks[5],
str: "2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
strConfig: "",
expectedTestResult: "'--admission-control' does not have 'AlwaysAdmit'",
},
{
check: controls.Groups[0].Checks[6],
str: "2:45 .. --kubelet-clientkey=foo --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
strConfig: "",
expectedTestResult: "'--kubelet-client-certificate' is present AND '--kubelet-clientkey' is present",
},
{
check: controls.Groups[0].Checks[7],
str: "2:45 .. --secure-port=0 --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
strConfig: "",
expectedTestResult: "'--secure-port' is equal to '0' OR '--secure-port' is not present",
},
{
check: controls.Groups[0].Checks[8],
str: "permissions=SomeValue",
strConfig: "",
expectedTestResult: "'permissions' is equal to 'SomeValue'",
},
{
check: controls.Groups[0].Checks[9],
str: "permissions=640",
strConfig: "",
expectedTestResult: "permissions has permissions 640, expected 644 or more restrictive",
},
{
check: controls.Groups[0].Checks[9],
str: "permissions=600",
strConfig: "",
expectedTestResult: "permissions has permissions 600, expected 644 or more restrictive",
},
{
check: controls.Groups[0].Checks[10],
str: "2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
strConfig: "",
expectedTestResult: "'--admission-control' has 'RBAC'",
},
{
check: controls.Groups[0].Checks[11],
str: "2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
strConfig: "",
expectedTestResult: "'--admission-control' has 'WebHook'",
},
{
check: controls.Groups[0].Checks[12],
str: "2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,Something,RBAC ---audit-log-maxage=40",
strConfig: "",
expectedTestResult: "'--admission-control' has 'Something'",
},
{
check: controls.Groups[0].Checks[13],
str: "2:45 ../kubernetes/kube-apiserver --option --admission-control=Something ---audit-log-maxage=40",
strConfig: "",
expectedTestResult: "'--admission-control' has 'Something'",
},
{
// check for ':' as argument-value separator, with space between arg and val
check: controls.Groups[0].Checks[14],
str: "2:45 kube-apiserver some-arg: some-val --admission-control=Something ---audit-log-maxage=40",
strConfig: "",
expectedTestResult: "'some-arg' is equal to 'some-val'",
},
{
// check for ':' as argument-value separator, with no space between arg and val
check: controls.Groups[0].Checks[14],
str: "2:45 kube-apiserver some-arg:some-val --admission-control=Something ---audit-log-maxage=40",
strConfig: "",
expectedTestResult: "'some-arg' is equal to 'some-val'",
},
{
check: controls.Groups[0].Checks[15],
str: "",
strConfig: "{\"readOnlyPort\": 15000}",
expectedTestResult: "'{.readOnlyPort}' is equal to '15000' OR '{.readOnlyPort}' is greater or equal to 15000 OR '{.readOnlyPort}' is lower or equal to 15000",
},
{
check: controls.Groups[0].Checks[16],
str: "",
strConfig: "{\"stringValue\": \"WebHook,Something,RBAC\"}",
expectedTestResult: "'{.stringValue}' is not equal to 'None' AND '{.stringValue}' is not equal to 'webhook,Something,RBAC' AND '{.stringValue}' is equal to 'WebHook,Something,RBAC'",
},
{
check: controls.Groups[0].Checks[17],
str: "",
strConfig: "{\"trueValue\": true}",
expectedTestResult: "'{.trueValue}' is not equal to 'somethingElse' AND '{.trueValue}' is not equal to 'false' AND '{.trueValue}' is equal to 'true'",
},
{
check: controls.Groups[0].Checks[18],
str: "",
strConfig: "{\"readOnlyPort\": 15000}",
expectedTestResult: "'{.notARealField}' is not present",
},
{
check: controls.Groups[0].Checks[19],
str: "",
strConfig: "{\"authentication\": { \"anonymous\": {\"enabled\": false}}}",
expectedTestResult: "'{.authentication.anonymous.enabled}' is equal to 'false'",
},
{
check: controls.Groups[0].Checks[20],
str: "",
strConfig: "readOnlyPort: 15000",
expectedTestResult: "'{.readOnlyPort}' is greater than 14999",
},
{
check: controls.Groups[0].Checks[21],
str: "",
strConfig: "readOnlyPort: 15000",
expectedTestResult: "'{.fieldThatIsUnset}' is not present",
},
{
check: controls.Groups[0].Checks[22],
str: "",
strConfig: "authentication:\n anonymous:\n enabled: false",
expectedTestResult: "'{.authentication.anonymous.enabled}' is equal to 'false'",
},
{
check: controls.Groups[0].Checks[26],
str: "",
strConfig: "currentMasterVersion: 1.12.7",
expectedTestResult: "'{.currentMasterVersion}' matched by regex expression '^1\\.12.*$'",
},
{
check: controls.Groups[0].Checks[27],
str: "--peer-client-cert-auth",
strConfig: "",
expectedTestResult: "'--peer-client-cert-auth' is equal to 'true'",
},
{
check: controls.Groups[0].Checks[27],
str: "--abc=true --peer-client-cert-auth --efg=false",
strConfig: "",
expectedTestResult: "'--peer-client-cert-auth' is equal to 'true'",
},
{
check: controls.Groups[0].Checks[27],
str: "--abc --peer-client-cert-auth --efg",
strConfig: "",
expectedTestResult: "'--peer-client-cert-auth' is equal to 'true'",
},
{
check: controls.Groups[0].Checks[27],
str: "--peer-client-cert-auth=true",
strConfig: "",
expectedTestResult: "'--peer-client-cert-auth' is equal to 'true'",
},
{
check: controls.Groups[0].Checks[27],
str: "--abc --peer-client-cert-auth=true --efg",
strConfig: "",
expectedTestResult: "'--peer-client-cert-auth' is equal to 'true'",
},
{
check: controls.Groups[0].Checks[28],
str: "--abc --peer-client-cert-auth=false --efg",
strConfig: "",
expectedTestResult: "'--peer-client-cert-auth' is equal to 'false'",
},
{
check: controls.Groups[0].Checks[29],
str: "2:45 ../kubernetes/kube-apiserver --option1=20,30,40",
strConfig: "",
expectedTestResult: "'ALLOW_PRIVILEGED' is present",
strEnv: "SOME_OTHER_ENV=true\nALLOW_PRIVILEGED=false",
},
{
check: controls.Groups[0].Checks[30],
str: "2:45 ../kubernetes/kube-apiserver --option1=20,30,40",
strConfig: "",
expectedTestResult: "'BASIC_AUTH' is not present",
strEnv: "",
},
{
check: controls.Groups[0].Checks[31],
str: "2:45 ../kubernetes/kube-apiserver --option1=20,30,40",
strConfig: "",
expectedTestResult: "'INSECURE_PORT' is equal to '0'",
strEnv: "INSECURE_PORT=0",
},
{
check: controls.Groups[0].Checks[32],
str: "2:45 ../kubernetes/kube-apiserver --option1=20,30,40",
strConfig: "",
expectedTestResult: "'AUDIT_LOG_MAXAGE' is greater or equal to 30",
strEnv: "AUDIT_LOG_MAXAGE=40",
},
{
check: controls.Groups[0].Checks[33],
str: "2:45 ../kubernetes/kube-apiserver --option1=20,30,40",
strConfig: "",
expectedTestResult: "'MAX_BACKLOG' is lower than 30",
strEnv: "MAX_BACKLOG=20",
},
}
for _, c := range cases {
t.Run(c.check.Text, func(t *testing.T) {
c.check.AuditOutput = c.str
c.check.AuditConfigOutput = c.strConfig
c.check.AuditEnvOutput = c.strEnv
res, err := c.check.execute()
if err != nil {
t.Errorf(err.Error())
}
if !res.testResult {
t.Errorf("Test ID %v - expected:%v, got:%v", c.check.ID, true, res)
}
if res.ExpectedResult != c.expectedTestResult {
t.Errorf("Test ID %v - \nexpected:%v, \ngot: %v", c.check.ID, c.expectedTestResult, res.ExpectedResult)
}
})
}
}
func TestTestExecuteExceptions(t *testing.T) {
cases := []struct {
*Check
str string
}{
{
controls.Groups[0].Checks[23],
"this is not valid json {} at all",
},
{
controls.Groups[0].Checks[24],
"{\"key\": \"value\"}",
},
{
controls.Groups[0].Checks[25],
"broken } yaml\nenabled: true",
},
{
controls.Groups[0].Checks[26],
"currentMasterVersion: 1.11",
},
{
controls.Groups[0].Checks[26],
"currentMasterVersion: ",
},
}
for _, c := range cases {
t.Run(c.Text, func(t *testing.T) {
c.Check.AuditConfigOutput = c.str
res, err := c.Check.execute()
if err != nil {
t.Errorf(err.Error())
}
if res.testResult {
t.Errorf("expected:%v, got:%v", false, res)
}
})
}
}
func TestTestUnmarshal(t *testing.T) {
type kubeletConfig struct {
Kind string
ApiVersion string
Address string
}
cases := []struct {
content string
jsonInterface interface{}
expectedToFail bool
}{
{
`{
"kind": "KubeletConfiguration",
"apiVersion": "kubelet.config.k8s.io/v1beta1",
"address": "0.0.0.0"
}
`,
kubeletConfig{},
false,
}, {
`
kind: KubeletConfiguration
address: 0.0.0.0
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
tlsCipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
`,
kubeletConfig{},
false,
},
{
`
kind: ddress: 0.0.0.0
apiVersion: kubelet.config.k8s.io/v1beta
`,
kubeletConfig{},
true,
},
}
for id, c := range cases {
t.Run(fmt.Sprintf("%d", id), func(t *testing.T) {
err := unmarshal(c.content, &c.jsonInterface)
if err != nil {
if !c.expectedToFail {
t.Errorf("should pass, got error:%v", err)
}
} else {
if c.expectedToFail {
t.Errorf("should fail, but passed")
}
}
})
}
}
func TestExecuteJSONPath(t *testing.T) {
type kubeletConfig struct {
Kind string
ApiVersion string
Address string
}
cases := []struct {
name string
jsonPath string
jsonInterface kubeletConfig
expectedResult string
expectedToFail bool
}{
{
"JSONPath parse works, results don't match",
"{.resourcesproviders.aescbc}",
kubeletConfig{
Kind: "KubeletConfiguration",
ApiVersion: "kubelet.config.k8s.io/v1beta1",
Address: "127.0.0.0",
},
"blah",
true,
},
{
"JSONPath parse works, results match",
"{.Kind}",
kubeletConfig{
Kind: "KubeletConfiguration",
ApiVersion: "kubelet.config.k8s.io/v1beta1",
Address: "127.0.0.0",
},
"KubeletConfiguration",
false,
},
{
"JSONPath parse fails",
"{.ApiVersion",
kubeletConfig{
Kind: "KubeletConfiguration",
ApiVersion: "kubelet.config.k8s.io/v1beta1",
Address: "127.0.0.0",
},
"",
true,
},
}
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
if err != nil && !c.expectedToFail {
t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
}
if c.expectedResult != result && !c.expectedToFail {
t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
}
})
}
}
func TestAllElementsValid(t *testing.T) {
cases := []struct {
source []string
target []string
valid bool
}{
{
source: []string{},
target: []string{},
valid: true,
},
{
source: []string{"blah"},
target: []string{},
valid: false,
},
{
source: []string{},
target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
valid: false,
},
{
source: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
valid: true,
},
{
source: []string{"blah"},
target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
valid: false,
},
{
source: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "blah"},
target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
valid: false,
},
}
for id, c := range cases {
t.Run(fmt.Sprintf("%d", id), func(t *testing.T) {
if !allElementsValid(c.source, c.target) && c.valid {
t.Errorf("Not All Elements in %q are found in %q", c.source, c.target)
}
})
}
}
func TestSplitAndRemoveLastSeparator(t *testing.T) {
cases := []struct {
source string
valid bool
elementCnt int
}{
{
source: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256",
valid: true,
elementCnt: 8,
},
{
source: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,",
valid: true,
elementCnt: 2,
},
{
source: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,",
valid: true,
elementCnt: 2,
},
{
source: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ",
valid: true,
elementCnt: 2,
},
{
source: " TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,",
valid: true,
elementCnt: 2,
},
}
for id, c := range cases {
t.Run(fmt.Sprintf("%d", id), func(t *testing.T) {
as := splitAndRemoveLastSeparator(c.source, defaultArraySeparator)
if len(as) == 0 && c.valid {
t.Errorf("Split did not work with %q", c.source)
}
if c.elementCnt != len(as) {
t.Errorf("Split did not work with %q expected: %d got: %d", c.source, c.elementCnt, len(as))
}
})
}
}
func TestCompareOp(t *testing.T) {
cases := []struct {
label string
op string
flagVal string // Test output.
compareValue string // Flag value to compare with.
expectedResultPattern string
flagName string // Compared flag name.
testResult bool
}{
// Test Op not matching
{label: "empty - op", op: "", flagVal: "", compareValue: "", expectedResultPattern: "", testResult: false, flagName: ""},
{label: "op=blah", op: "blah", flagVal: "foo", compareValue: "bar", expectedResultPattern: "", testResult: false, flagName: ""},
// Test Op "eq"
{label: "op=eq, both empty", op: "eq", flagVal: "", compareValue: "", expectedResultPattern: "'' is equal to ''", testResult: true, flagName: ""},
{label: "op=eq, true==true", op: "eq", flagVal: "true",
compareValue: "true",
expectedResultPattern: "'parameterTrue' is equal to 'true'",
testResult: true,
flagName: "parameterTrue"},
{label: "op=eq, false==false", op: "eq", flagVal: "false",
compareValue: "false",
expectedResultPattern: "'parameterFalse' is equal to 'false'",
testResult: true,
flagName: "parameterFalse"},
{label: "op=eq, false==true", op: "eq", flagVal: "false",
compareValue: "true",
expectedResultPattern: "'parameterFalse' is equal to 'true'",
testResult: false,
flagName: "parameterFalse"},
{label: "op=eq, strings match", op: "eq", flagVal: "KubeletConfiguration",
compareValue: "KubeletConfiguration",
expectedResultPattern: "'--FlagNameKubeletConf' is equal to 'KubeletConfiguration'",
testResult: true,
flagName: "--FlagNameKubeletConf"},
{label: "op=eq, flagVal=empty", op: "eq", flagVal: "",
compareValue: "KubeletConfiguration",
expectedResultPattern: "'--FlagNameKubeletConf' is equal to 'KubeletConfiguration'",
testResult: false,
flagName: "--FlagNameKubeletConf"},
{label: "op=eq, compareValue=empty",
op: "eq",
flagVal: "KubeletConfiguration",
compareValue: "",
expectedResultPattern: "'--FlagNameKubeletConf' is equal to ''",
testResult: false,
flagName: "--FlagNameKubeletConf"},
// Test Op "noteq"
{label: "op=noteq, both empty",
op: "noteq",
flagVal: "",
compareValue: "",
expectedResultPattern: "'parameter' is not equal to ''",
testResult: false,
flagName: "parameter"},
{label: "op=noteq, true!=true",
op: "noteq",
flagVal: "true",
compareValue: "true",
expectedResultPattern: "'parameterTrue' is not equal to 'true'",
testResult: false,
flagName: "parameterTrue"},
{label: "op=noteq, false!=false",
op: "noteq",
flagVal: "false",
compareValue: "false",
expectedResultPattern: "'parameterFalse' is not equal to 'false'",
testResult: false,
flagName: "parameterFalse"},
{label: "op=noteq, false!=true",
op: "noteq",
flagVal: "false",
compareValue: "true",
expectedResultPattern: "'parameterFalse' is not equal to 'true'",
testResult: true,
flagName: "parameterFalse"},
{label: "op=noteq, strings match",
op: "noteq",
flagVal: "KubeletConfiguration",
compareValue: "KubeletConfiguration",
expectedResultPattern: "'--FlagNameKubeletConf' is not equal to 'KubeletConfiguration'",
testResult: false,
flagName: "--FlagNameKubeletConf"},
{label: "op=noteq, flagVal=empty",
op: "noteq",
flagVal: "",
compareValue: "KubeletConfiguration",
expectedResultPattern: "'--FlagNameKubeletConf' is not equal to 'KubeletConfiguration'",
testResult: true,
flagName: "--FlagNameKubeletConf"},
{label: "op=noteq, compareValue=empty",
op: "noteq",
flagVal: "KubeletConfiguration",
compareValue: "",
expectedResultPattern: "'--FlagNameKubeletConf' is not equal to ''",
testResult: true,
flagName: "--FlagNameKubeletConf"},
// Test Op "gt"
{label: "op=gt, both empty",
op: "gt",
flagVal: "",
compareValue: "",
expectedResultPattern: "Invalid Number(s) used for comparison: '' ''",
testResult: false,
flagName: "flagName"},
{label: "op=gt, 0 > 0",
op: "gt",
flagVal: "0",
compareValue: "0", expectedResultPattern: "'flagName' is greater than 0",
testResult: false,
flagName: "flagName"},
{label: "op=gt, 4 > 5",
op: "gt",
flagVal: "4",
compareValue: "5",
expectedResultPattern: "'flagName' is greater than 5",
testResult: false,
flagName: "flagName"},
{label: "op=gt, 5 > 4",
op: "gt",
flagVal: "5",
compareValue: "4",
expectedResultPattern: "'flagName' is greater than 4",
testResult: true,
flagName: "flagName"},
{label: "op=gt, 5 > 5",
op: "gt",
flagVal: "5",
compareValue: "5",
expectedResultPattern: "'flagName' is greater than 5",
testResult: false,
flagName: "flagName"},
{label: "op=gt, Pikachu > 5",
op: "gt",
flagVal: "Pikachu",
compareValue: "5",
expectedResultPattern: "Invalid Number(s) used for comparison: 'Pikachu' '5'",
testResult: false,
flagName: "flagName"},
{label: "op=gt, 5 > Bulbasaur",
op: "gt",
flagVal: "5",
compareValue: "Bulbasaur",
expectedResultPattern: "Invalid Number(s) used for comparison: '5' 'Bulbasaur'",
testResult: false,
flagName: "flagName"},
// Test Op "lt"
{label: "op=lt, both empty",
op: "lt",
flagVal: "",
compareValue: "",
expectedResultPattern: "Invalid Number(s) used for comparison: '' ''",
testResult: false,
flagName: "flagName"},
{label: "op=lt, 0 < 0",
op: "lt",
flagVal: "0",
compareValue: "0",
expectedResultPattern: "'flagName' is lower than 0",
testResult: false,
flagName: "flagName"},
{label: "op=lt, 4 < 5",
op: "lt",
flagVal: "4",
compareValue: "5",
expectedResultPattern: "'flagName' is lower than 5",
testResult: true,
flagName: "flagName"},
{label: "op=lt, 5 < 4",
op: "lt",
flagVal: "5",
compareValue: "4",
expectedResultPattern: "'flagName' is lower than 4",
testResult: false,
flagName: "flagName"},
{label: "op=lt, 5 < 5",
op: "lt",
flagVal: "5",
compareValue: "5",
expectedResultPattern: "'flagName' is lower than 5",
testResult: false,
flagName: "flagName"},
{label: "op=lt, Charmander < 5",
op: "lt",
flagVal: "Charmander",
compareValue: "5",
expectedResultPattern: "Invalid Number(s) used for comparison: 'Charmander' '5'",
testResult: false,
flagName: "flagName"},
{label: "op=lt, 5 < Charmeleon",
op: "lt",
flagVal: "5",
compareValue: "Charmeleon",
expectedResultPattern: "Invalid Number(s) used for comparison: '5' 'Charmeleon'",
testResult: false,
flagName: "flagName"},
// Test Op "gte"
{label: "op=gte, both empty",
op: "gte",
flagVal: "",
compareValue: "",
expectedResultPattern: "Invalid Number(s) used for comparison: '' ''",
testResult: false,
flagName: "flagName"},
{label: "op=gte, 0 >= 0",
op: "gte",
flagVal: "0",
compareValue: "0",
expectedResultPattern: "'flagName' is greater or equal to 0",
testResult: true,
flagName: "flagName"},
{label: "op=gte, 4 >= 5",
op: "gte",
flagVal: "4",
compareValue: "5",
expectedResultPattern: "'flagName' is greater or equal to 5",
testResult: false,
flagName: "flagName"},
{label: "op=gte, 5 >= 4",
op: "gte",
flagVal: "5",
compareValue: "4",
expectedResultPattern: "'flagName' is greater or equal to 4",
testResult: true,
flagName: "flagName"},
{label: "op=gte, 5 >= 5",
op: "gte",
flagVal: "5",
compareValue: "5",
expectedResultPattern: "'flagName' is greater or equal to 5",
testResult: true,
flagName: "flagName"},
{label: "op=gte, Ekans >= 5",
op: "gte",
flagVal: "Ekans",
compareValue: "5",
expectedResultPattern: "Invalid Number(s) used for comparison: 'Ekans' '5'",
testResult: false,
flagName: "flagName"},
{label: "op=gte, 4 >= Zubat",
op: "gte",
flagVal: "4",
compareValue: "Zubat",
expectedResultPattern: "Invalid Number(s) used for comparison: '4' 'Zubat'",
testResult: false,
flagName: "flagName"},
// Test Op "lte"
{label: "op=lte, both empty",
op: "lte",
flagVal: "",
compareValue: "",
expectedResultPattern: "Invalid Number(s) used for comparison: '' ''",
testResult: false,
flagName: "flagName"},
{label: "op=lte, 0 <= 0",
op: "lte",
flagVal: "0",
compareValue: "0",
expectedResultPattern: "'flagName' is lower or equal to 0",
testResult: true,
flagName: "flagName"},
{label: "op=lte, 4 <= 5",
op: "lte",
flagVal: "4",
compareValue: "5",
expectedResultPattern: "'flagName' is lower or equal to 5",
testResult: true,
flagName: "flagName"},
{label: "op=lte, 5 <= 4",
op: "lte",
flagVal: "5",
compareValue: "4",
expectedResultPattern: "'flagName' is lower or equal to 4",
testResult: false,
flagName: "flagName"},
{label: "op=lte, 5 <= 5",
op: "lte",
flagVal: "5",
compareValue: "5",
expectedResultPattern: "'flagName' is lower or equal to 5",
testResult: true,
flagName: "flagName"},
{label: "op=lte, Venomoth <= 4",
op: "lte",
flagVal: "Venomoth",
compareValue: "4",
expectedResultPattern: "Invalid Number(s) used for comparison: 'Venomoth' '4'",
testResult: false,
flagName: "flagName"},
{label: "op=lte, 5 <= Meowth",
op: "lte",
flagVal: "5",
compareValue: "Meowth",
expectedResultPattern: "Invalid Number(s) used for comparison: '5' 'Meowth'",
testResult: false,
flagName: "flagName"},
// Test Op "has"
{label: "op=has, both empty",
op: "has",
flagVal: "",
compareValue: "",
expectedResultPattern: "'flagName' has ''",
testResult: true,
flagName: "flagName"},
{label: "op=has, flagVal=empty",
op: "has",
flagVal: "",
compareValue: "blah",
expectedResultPattern: "'flagName' has 'blah'",
testResult: false,
flagName: "flagName"},
{label: "op=has, compareValue=empty",
op: "has",
flagVal: "blah",
compareValue: "",
expectedResultPattern: "'flagName-blah' has ''",
testResult: true,
flagName: "flagName-blah"},
{label: "op=has, 'blah' has 'la'",
op: "has",
flagVal: "blah",
compareValue: "la",
expectedResultPattern: "'flagName-blah' has 'la'",
testResult: true,
flagName: "flagName-blah"},
{label: "op=has, 'blah' has 'LA'",
op: "has",
flagVal: "blah",
compareValue: "LA",
expectedResultPattern: "'flagName-blah' has 'LA'",
testResult: false,
flagName: "flagName-blah"},
{label: "op=has, 'blah' has 'lo'",
op: "has",
flagVal: "blah",
compareValue: "lo",
expectedResultPattern: "'flagName-blah' has 'lo'",
testResult: false,
flagName: "flagName-blah"},
// Test Op "nothave"
{label: "op=nothave, both empty",
op: "nothave",
flagVal: "",
compareValue: "",
expectedResultPattern: "'flagName' does not have ''",
testResult: false,
flagName: "flagName"},
{label: "op=nothave, flagVal=empty",
op: "nothave",
flagVal: "",
compareValue: "blah",
expectedResultPattern: "'flagName' does not have 'blah'",
testResult: true,
flagName: "flagName"},
{label: "op=nothave, compareValue=empty",
op: "nothave",
flagVal: "blah",
compareValue: "",
expectedResultPattern: "'flagName-blah' does not have ''",
testResult: false,
flagName: "flagName-blah"},
{label: "op=nothave, 'blah' not have 'la'",
op: "nothave",
flagVal: "blah",
compareValue: "la",
expectedResultPattern: "'flagName-blah' does not have 'la'",
testResult: false,
flagName: "flagName-blah"},
{label: "op=nothave, 'blah' not have 'LA'",
op: "nothave",
flagVal: "blah",
compareValue: "LA",
expectedResultPattern: "'flagName-blah' does not have 'LA'",
testResult: true,
flagName: "flagName-blah"},
{label: "op=nothave, 'blah' not have 'lo'",
op: "nothave",
flagVal: "blah",
compareValue: "lo",
expectedResultPattern: "'flagName-blah' does not have 'lo'",
testResult: true,
flagName: "flagName-blah"},
// Test Op "regex"
{label: "op=regex, both empty",
op: "regex",
flagVal: "",
compareValue: "",
expectedResultPattern: "'flagName' matched by regex expression ''",
testResult: true,
flagName: "flagName"},
{label: "op=regex, flagVal=empty",
op: "regex",
flagVal: "",
compareValue: "blah",
expectedResultPattern: "'flagName' matched by regex expression 'blah'",
testResult: false,
flagName: "flagName"},
// Test Op "valid_elements"
{label: "op=valid_elements, valid_elements both empty",
op: "valid_elements",
flagVal: "",
compareValue: "",
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from ''",
testResult: true,
flagName: "flagWithMultipleElements"},
{label: "op=valid_elements, valid_elements flagVal empty",
op: "valid_elements",
flagVal: "",
compareValue: "a,b",
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from 'a,b'",
testResult: false,
flagName: "flagWithMultipleElements"},
{label: "op=valid_elements, valid_elements compareValue empty",
op: "valid_elements",
flagVal: "a,b",
compareValue: "",
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from ''",
testResult: false,
flagName: "flagWithMultipleElements"},
{label: "op=valid_elements, valid_elements two list equals",
op: "valid_elements",
flagVal: "a,b,c",
compareValue: "a,b,c",
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from 'a,b,c'",
testResult: true,
flagName: "flagWithMultipleElements"},
{label: "op=valid_elements, valid_elements partial flagVal valid",
op: "valid_elements",
flagVal: "a,c",
compareValue: "a,b,c",
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from 'a,b,c'",
testResult: true,
flagName: "flagWithMultipleElements"},
{label: "op=valid_elements, valid_elements partial compareValue valid",
op: "valid_elements",
flagVal: "a,b,c",
compareValue: "a,c",
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from 'a,c'",
testResult: false,
flagName: "flagWithMultipleElements"},
// Test Op "bitmask"
{label: "op=bitmask, 644 AND 640",
op: "bitmask",
flagVal: "640",
compareValue: "644",
expectedResultPattern: "etc/fileExamplePermission640 has permissions 640, expected 644 or more restrictive",
testResult: true,
flagName: "etc/fileExamplePermission640"},
{label: "op=bitmask, 644 AND 777",
op: "bitmask",
flagVal: "777",
compareValue: "644",
expectedResultPattern: "etc/fileExamplePermission777 has permissions 777, expected 644 or more restrictive",
testResult: false,
flagName: "etc/fileExamplePermission777"},
{label: "op=bitmask, 644 AND 444",
op: "bitmask",
flagVal: "444",
compareValue: "644",
expectedResultPattern: "etc/fileExamplePermission444 has permissions 444, expected 644 or more restrictive",
testResult: true,
flagName: "etc/fileExamplePermission444"},
{label: "op=bitmask, 644 AND 211",
op: "bitmask",
flagVal: "211",
compareValue: "644",
expectedResultPattern: "etc/fileExamplePermission211 has permissions 211, expected 644 or more restrictive",
testResult: false,
flagName: "etc/fileExamplePermission211"},
{label: "op=bitmask, Harry AND 211",
op: "bitmask",
flagVal: "Harry",
compareValue: "644",
expectedResultPattern: "Not numeric value - flag: Harry",
testResult: false,
flagName: "etc/fileExample"},
{label: "op=bitmask, 644 AND Potter",
op: "bitmask",
flagVal: "211",
compareValue: "Potter",
expectedResultPattern: "Not numeric value - flag: Potter",
testResult: false,
flagName: "etc/fileExample"},
}
for _, c := range cases {
t.Run(c.label, func(t *testing.T) {
expectedResultPattern, testResult := compareOp(c.op, c.flagVal, c.compareValue, c.flagName)
if expectedResultPattern != c.expectedResultPattern {
t.Errorf("'expectedResultPattern' did not match - op: %q expected:%q got:%q", c.op, c.expectedResultPattern, expectedResultPattern)
}
if testResult != c.testResult {
t.Errorf("'testResult' did not match - lop: %q expected:%t got:%t", c.op, c.testResult, testResult)
}
})
}
}
func TestToNumeric(t *testing.T) {
cases := []struct {
firstValue string
secondValue string
expectedToFail bool
}{
{
firstValue: "a",
secondValue: "b",
expectedToFail: true,
},
{
firstValue: "5",
secondValue: "b",
expectedToFail: true,
},
{
firstValue: "5",
secondValue: "6",
expectedToFail: false,
},
}
for id, c := range cases {
t.Run(fmt.Sprintf("%d", id), func(t *testing.T) {
f, s, err := toNumeric(c.firstValue, c.secondValue)
if c.expectedToFail && err == nil {
t.Errorf("Expected error while converting %s and %s", c.firstValue, c.secondValue)
}
if !c.expectedToFail && (f != 5 || s != 6) {
t.Errorf("Expected to return %d,%d - got %d,%d", 5, 6, f, s)
}
})
}
}
func TestExecuteJSONPathOnEncryptionConfig(t *testing.T) {
type Resources struct {
Resources []string `json:"resources"`
Providers []map[string]interface{} `json:"providers"`
}
type EncryptionConfig struct {
Kind string `json:"kind"`
ApiVersion string `json:"apiVersion"`
Resources []Resources `json:"resources"`
}
type Key struct {
Secret string `json:"secret"`
Name string `json:"name"`
}
type Aescbc struct {
Keys []Key `json:"keys"`
}
type SecretBox struct {
Keys []Key `json:"keys"`
}
type Aesgcm struct {
Keys []Key `json:"keys"`
}
// identity disable encryption when set as the first parameter
type Identity struct {}
cases := []struct {
name string
jsonPath string
jsonInterface EncryptionConfig
expectedResult string
expectedToFail bool
}{
{
"JSONPath parse works, results match",
"{.resources[*].providers[*].aescbc.keys[*].secret}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
}}}},
"secret1",
false,
},
{
"JSONPath parse works, results match",
"{.resources[*].providers[*].aescbc.keys[*].name}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
}}}},
"name1",
false,
},
{
"JSONPath parse works, results don't match",
"{.resources[*].providers[*].aescbc.keys[*].secret}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
}}}},
"secret1",
true,
},
{
"JSONPath parse works, results match",
"{.resources[*].providers[*].aesgcm.keys[*].secret}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
}}}},
"secret1",
false,
},
{
"JSONPath parse works, results match",
"{.resources[*].providers[*].secretbox.keys[*].secret}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"secretbox": SecretBox{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
}}}},
"secret1",
false,
},
{
"JSONPath parse works, results match",
"{.resources[*].providers[*].aescbc.keys[*].secret}",
EncryptionConfig{
Kind: "EncryptionConfig",
ApiVersion: "v1",
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}, Key{Secret: "secret2", Name: "name2"}}}},
}}}},
"secret1 secret2",
false,
},
}
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
if err != nil && !c.expectedToFail {
t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
}
if c.expectedResult != result && !c.expectedToFail {
t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
}
})
}
}