mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-27 08:58:06 +00:00
11136317f2
Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
1263 lines
43 KiB
Go
1263 lines
43 KiB
Go
// Copyright © 2017-2020 Aqua Security Software Ltd. <info@aquasec.com>
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package check
|
|
|
|
import (
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
var (
|
|
in []byte
|
|
controls *Controls
|
|
)
|
|
|
|
func init() {
|
|
var err error
|
|
in, err = ioutil.ReadFile("data")
|
|
if err != nil {
|
|
panic("Failed reading test data: " + err.Error())
|
|
}
|
|
|
|
// substitute variables in data file
|
|
user := os.Getenv("USER")
|
|
s := strings.Replace(string(in), "$user", user, -1)
|
|
|
|
controls, err = NewControls(MASTER, []byte(s), "")
|
|
// controls, err = NewControls(MASTER, in)
|
|
if err != nil {
|
|
panic("Failed creating test controls: " + err.Error())
|
|
}
|
|
}
|
|
|
|
func TestTestExecute(t *testing.T) {
|
|
|
|
cases := []struct {
|
|
check *Check
|
|
str string
|
|
strConfig string
|
|
expectedTestResult string
|
|
strEnv string
|
|
}{
|
|
{
|
|
check: controls.Groups[0].Checks[0],
|
|
str: "2:45 ../kubernetes/kube-apiserver --allow-privileged=false --option1=20,30,40",
|
|
strConfig: "",
|
|
expectedTestResult: "'--allow-privileged' is present",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[1],
|
|
str: "2:45 ../kubernetes/kube-apiserver --allow-privileged=false",
|
|
strConfig: "",
|
|
expectedTestResult: "'--basic-auth' is not present",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[2],
|
|
str: "niinai 13617 2635 99 19:26 pts/20 00:03:08 ./kube-apiserver --insecure-port=0 --anonymous-auth",
|
|
strConfig: "",
|
|
expectedTestResult: "'--insecure-port' is equal to '0'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[3],
|
|
str: "2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage=40 --option",
|
|
strConfig: "",
|
|
expectedTestResult: "'--audit-log-maxage' is greater or equal to 30",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[4],
|
|
str: "2:45 ../kubernetes/kube-apiserver --max-backlog=20 --secure-port=0 --audit-log-maxage=40 --option",
|
|
strConfig: "",
|
|
expectedTestResult: "'--max-backlog' is lower than 30",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[5],
|
|
str: "2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
|
|
strConfig: "",
|
|
expectedTestResult: "'--admission-control' does not have 'AlwaysAdmit'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[6],
|
|
str: "2:45 .. --kubelet-clientkey=foo --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
|
|
strConfig: "",
|
|
expectedTestResult: "'--kubelet-client-certificate' is present AND '--kubelet-clientkey' is present",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[7],
|
|
str: "2:45 .. --secure-port=0 --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
|
|
strConfig: "",
|
|
expectedTestResult: "'--secure-port' is equal to '0' OR '--secure-port' is not present",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[8],
|
|
str: "permissions=SomeValue",
|
|
strConfig: "",
|
|
expectedTestResult: "'permissions' is equal to 'SomeValue'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[9],
|
|
str: "permissions=640",
|
|
strConfig: "",
|
|
expectedTestResult: "permissions has permissions 640, expected 644 or more restrictive",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[9],
|
|
str: "permissions=600",
|
|
strConfig: "",
|
|
expectedTestResult: "permissions has permissions 600, expected 644 or more restrictive",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[10],
|
|
str: "2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
|
|
strConfig: "",
|
|
expectedTestResult: "'--admission-control' has 'RBAC'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[11],
|
|
str: "2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
|
|
strConfig: "",
|
|
expectedTestResult: "'--admission-control' has 'WebHook'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[12],
|
|
str: "2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,Something,RBAC ---audit-log-maxage=40",
|
|
strConfig: "",
|
|
expectedTestResult: "'--admission-control' has 'Something'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[13],
|
|
str: "2:45 ../kubernetes/kube-apiserver --option --admission-control=Something ---audit-log-maxage=40",
|
|
strConfig: "",
|
|
expectedTestResult: "'--admission-control' has 'Something'",
|
|
},
|
|
{
|
|
// check for ':' as argument-value separator, with space between arg and val
|
|
check: controls.Groups[0].Checks[14],
|
|
str: "2:45 kube-apiserver some-arg: some-val --admission-control=Something ---audit-log-maxage=40",
|
|
strConfig: "",
|
|
expectedTestResult: "'some-arg' is equal to 'some-val'",
|
|
},
|
|
{
|
|
// check for ':' as argument-value separator, with no space between arg and val
|
|
check: controls.Groups[0].Checks[14],
|
|
str: "2:45 kube-apiserver some-arg:some-val --admission-control=Something ---audit-log-maxage=40",
|
|
strConfig: "",
|
|
expectedTestResult: "'some-arg' is equal to 'some-val'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[15],
|
|
str: "",
|
|
strConfig: "{\"readOnlyPort\": 15000}",
|
|
expectedTestResult: "'{.readOnlyPort}' is equal to '15000' OR '{.readOnlyPort}' is greater or equal to 15000 OR '{.readOnlyPort}' is lower or equal to 15000",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[16],
|
|
str: "",
|
|
strConfig: "{\"stringValue\": \"WebHook,Something,RBAC\"}",
|
|
expectedTestResult: "'{.stringValue}' is not equal to 'None' AND '{.stringValue}' is not equal to 'webhook,Something,RBAC' AND '{.stringValue}' is equal to 'WebHook,Something,RBAC'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[17],
|
|
str: "",
|
|
strConfig: "{\"trueValue\": true}",
|
|
expectedTestResult: "'{.trueValue}' is not equal to 'somethingElse' AND '{.trueValue}' is not equal to 'false' AND '{.trueValue}' is equal to 'true'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[18],
|
|
str: "",
|
|
strConfig: "{\"readOnlyPort\": 15000}",
|
|
expectedTestResult: "'{.notARealField}' is not present",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[19],
|
|
str: "",
|
|
strConfig: "{\"authentication\": { \"anonymous\": {\"enabled\": false}}}",
|
|
expectedTestResult: "'{.authentication.anonymous.enabled}' is equal to 'false'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[20],
|
|
str: "",
|
|
strConfig: "readOnlyPort: 15000",
|
|
expectedTestResult: "'{.readOnlyPort}' is greater than 14999",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[21],
|
|
str: "",
|
|
strConfig: "readOnlyPort: 15000",
|
|
expectedTestResult: "'{.fieldThatIsUnset}' is not present",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[22],
|
|
str: "",
|
|
strConfig: "authentication:\n anonymous:\n enabled: false",
|
|
expectedTestResult: "'{.authentication.anonymous.enabled}' is equal to 'false'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[26],
|
|
str: "",
|
|
strConfig: "currentMasterVersion: 1.12.7",
|
|
expectedTestResult: "'{.currentMasterVersion}' matched by regex expression '^1\\.12.*$'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[27],
|
|
str: "--peer-client-cert-auth",
|
|
strConfig: "",
|
|
expectedTestResult: "'--peer-client-cert-auth' is equal to 'true'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[27],
|
|
str: "--abc=true --peer-client-cert-auth --efg=false",
|
|
strConfig: "",
|
|
expectedTestResult: "'--peer-client-cert-auth' is equal to 'true'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[27],
|
|
str: "--abc --peer-client-cert-auth --efg",
|
|
strConfig: "",
|
|
expectedTestResult: "'--peer-client-cert-auth' is equal to 'true'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[27],
|
|
str: "--peer-client-cert-auth=true",
|
|
strConfig: "",
|
|
expectedTestResult: "'--peer-client-cert-auth' is equal to 'true'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[27],
|
|
str: "--abc --peer-client-cert-auth=true --efg",
|
|
strConfig: "",
|
|
expectedTestResult: "'--peer-client-cert-auth' is equal to 'true'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[28],
|
|
str: "--abc --peer-client-cert-auth=false --efg",
|
|
strConfig: "",
|
|
expectedTestResult: "'--peer-client-cert-auth' is equal to 'false'",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[29],
|
|
str: "2:45 ../kubernetes/kube-apiserver --option1=20,30,40",
|
|
strConfig: "",
|
|
expectedTestResult: "'ALLOW_PRIVILEGED' is present",
|
|
strEnv: "SOME_OTHER_ENV=true\nALLOW_PRIVILEGED=false",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[30],
|
|
str: "2:45 ../kubernetes/kube-apiserver --option1=20,30,40",
|
|
strConfig: "",
|
|
expectedTestResult: "'BASIC_AUTH' is not present",
|
|
strEnv: "",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[31],
|
|
str: "2:45 ../kubernetes/kube-apiserver --option1=20,30,40",
|
|
strConfig: "",
|
|
expectedTestResult: "'INSECURE_PORT' is equal to '0'",
|
|
strEnv: "INSECURE_PORT=0",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[32],
|
|
str: "2:45 ../kubernetes/kube-apiserver --option1=20,30,40",
|
|
strConfig: "",
|
|
expectedTestResult: "'AUDIT_LOG_MAXAGE' is greater or equal to 30",
|
|
strEnv: "AUDIT_LOG_MAXAGE=40",
|
|
},
|
|
{
|
|
check: controls.Groups[0].Checks[33],
|
|
str: "2:45 ../kubernetes/kube-apiserver --option1=20,30,40",
|
|
strConfig: "",
|
|
expectedTestResult: "'MAX_BACKLOG' is lower than 30",
|
|
strEnv: "MAX_BACKLOG=20",
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.check.Text, func(t *testing.T) {
|
|
c.check.AuditOutput = c.str
|
|
c.check.AuditConfigOutput = c.strConfig
|
|
c.check.AuditEnvOutput = c.strEnv
|
|
res, err := c.check.execute()
|
|
if err != nil {
|
|
t.Errorf(err.Error())
|
|
}
|
|
if !res.testResult {
|
|
t.Errorf("Test ID %v - expected:%v, got:%v", c.check.ID, true, res)
|
|
}
|
|
if res.ExpectedResult != c.expectedTestResult {
|
|
t.Errorf("Test ID %v - \nexpected:%v, \ngot: %v", c.check.ID, c.expectedTestResult, res.ExpectedResult)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestTestExecuteExceptions(t *testing.T) {
|
|
|
|
cases := []struct {
|
|
*Check
|
|
str string
|
|
}{
|
|
{
|
|
controls.Groups[0].Checks[23],
|
|
"this is not valid json {} at all",
|
|
},
|
|
{
|
|
controls.Groups[0].Checks[24],
|
|
"{\"key\": \"value\"}",
|
|
},
|
|
{
|
|
controls.Groups[0].Checks[25],
|
|
"broken } yaml\nenabled: true",
|
|
},
|
|
{
|
|
controls.Groups[0].Checks[26],
|
|
"currentMasterVersion: 1.11",
|
|
},
|
|
{
|
|
controls.Groups[0].Checks[26],
|
|
"currentMasterVersion: ",
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.Text, func(t *testing.T) {
|
|
c.Check.AuditConfigOutput = c.str
|
|
res, err := c.Check.execute()
|
|
if err != nil {
|
|
t.Errorf(err.Error())
|
|
}
|
|
if res.testResult {
|
|
t.Errorf("expected:%v, got:%v", false, res)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestTestUnmarshal(t *testing.T) {
|
|
type kubeletConfig struct {
|
|
Kind string
|
|
ApiVersion string
|
|
Address string
|
|
}
|
|
cases := []struct {
|
|
content string
|
|
jsonInterface interface{}
|
|
expectedToFail bool
|
|
}{
|
|
{
|
|
`{
|
|
"kind": "KubeletConfiguration",
|
|
"apiVersion": "kubelet.config.k8s.io/v1beta1",
|
|
"address": "0.0.0.0"
|
|
}
|
|
`,
|
|
kubeletConfig{},
|
|
false,
|
|
}, {
|
|
`
|
|
kind: KubeletConfiguration
|
|
address: 0.0.0.0
|
|
apiVersion: kubelet.config.k8s.io/v1beta1
|
|
authentication:
|
|
anonymous:
|
|
enabled: false
|
|
webhook:
|
|
cacheTTL: 2m0s
|
|
enabled: true
|
|
x509:
|
|
clientCAFile: /etc/kubernetes/pki/ca.crt
|
|
tlsCipherSuites:
|
|
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
`,
|
|
kubeletConfig{},
|
|
false,
|
|
},
|
|
{
|
|
`
|
|
kind: ddress: 0.0.0.0
|
|
apiVersion: kubelet.config.k8s.io/v1beta
|
|
`,
|
|
kubeletConfig{},
|
|
true,
|
|
},
|
|
}
|
|
|
|
for id, c := range cases {
|
|
t.Run(fmt.Sprintf("%d", id), func(t *testing.T) {
|
|
err := unmarshal(c.content, &c.jsonInterface)
|
|
if err != nil {
|
|
if !c.expectedToFail {
|
|
t.Errorf("should pass, got error:%v", err)
|
|
}
|
|
} else {
|
|
if c.expectedToFail {
|
|
t.Errorf("should fail, but passed")
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestExecuteJSONPath(t *testing.T) {
|
|
type kubeletConfig struct {
|
|
Kind string
|
|
ApiVersion string
|
|
Address string
|
|
}
|
|
cases := []struct {
|
|
name string
|
|
jsonPath string
|
|
jsonInterface kubeletConfig
|
|
expectedResult string
|
|
expectedToFail bool
|
|
}{
|
|
{
|
|
"JSONPath parse works, results don't match",
|
|
"{.resourcesproviders.aescbc}",
|
|
kubeletConfig{
|
|
Kind: "KubeletConfiguration",
|
|
ApiVersion: "kubelet.config.k8s.io/v1beta1",
|
|
Address: "127.0.0.0",
|
|
},
|
|
"blah",
|
|
true,
|
|
},
|
|
{
|
|
"JSONPath parse works, results match",
|
|
"{.Kind}",
|
|
kubeletConfig{
|
|
Kind: "KubeletConfiguration",
|
|
ApiVersion: "kubelet.config.k8s.io/v1beta1",
|
|
Address: "127.0.0.0",
|
|
},
|
|
"KubeletConfiguration",
|
|
false,
|
|
},
|
|
{
|
|
"JSONPath parse fails",
|
|
"{.ApiVersion",
|
|
kubeletConfig{
|
|
Kind: "KubeletConfiguration",
|
|
ApiVersion: "kubelet.config.k8s.io/v1beta1",
|
|
Address: "127.0.0.0",
|
|
},
|
|
"",
|
|
true,
|
|
},
|
|
}
|
|
for _, c := range cases {
|
|
t.Run(c.name, func(t *testing.T) {
|
|
result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
|
|
if err != nil && !c.expectedToFail {
|
|
t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
|
|
}
|
|
if c.expectedResult != result && !c.expectedToFail {
|
|
t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestAllElementsValid(t *testing.T) {
|
|
cases := []struct {
|
|
source []string
|
|
target []string
|
|
valid bool
|
|
}{
|
|
{
|
|
source: []string{},
|
|
target: []string{},
|
|
valid: true,
|
|
},
|
|
{
|
|
source: []string{"blah"},
|
|
target: []string{},
|
|
valid: false,
|
|
},
|
|
{
|
|
source: []string{},
|
|
target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
|
|
valid: false,
|
|
},
|
|
{
|
|
source: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
|
|
target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
|
|
valid: true,
|
|
},
|
|
{
|
|
source: []string{"blah"},
|
|
target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
|
|
valid: false,
|
|
},
|
|
{
|
|
source: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "blah"},
|
|
target: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
|
|
valid: false,
|
|
},
|
|
}
|
|
for id, c := range cases {
|
|
t.Run(fmt.Sprintf("%d", id), func(t *testing.T) {
|
|
if !allElementsValid(c.source, c.target) && c.valid {
|
|
t.Errorf("Not All Elements in %q are found in %q", c.source, c.target)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSplitAndRemoveLastSeparator(t *testing.T) {
|
|
cases := []struct {
|
|
source string
|
|
valid bool
|
|
elementCnt int
|
|
}{
|
|
{
|
|
source: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256",
|
|
valid: true,
|
|
elementCnt: 8,
|
|
},
|
|
{
|
|
source: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,",
|
|
valid: true,
|
|
elementCnt: 2,
|
|
},
|
|
{
|
|
source: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,",
|
|
valid: true,
|
|
elementCnt: 2,
|
|
},
|
|
{
|
|
source: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ",
|
|
valid: true,
|
|
elementCnt: 2,
|
|
},
|
|
{
|
|
source: " TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,",
|
|
valid: true,
|
|
elementCnt: 2,
|
|
},
|
|
}
|
|
|
|
for id, c := range cases {
|
|
t.Run(fmt.Sprintf("%d", id), func(t *testing.T) {
|
|
as := splitAndRemoveLastSeparator(c.source, defaultArraySeparator)
|
|
if len(as) == 0 && c.valid {
|
|
t.Errorf("Split did not work with %q", c.source)
|
|
}
|
|
|
|
if c.elementCnt != len(as) {
|
|
t.Errorf("Split did not work with %q expected: %d got: %d", c.source, c.elementCnt, len(as))
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestCompareOp(t *testing.T) {
|
|
cases := []struct {
|
|
label string
|
|
op string
|
|
flagVal string // Test output.
|
|
compareValue string // Flag value to compare with.
|
|
expectedResultPattern string
|
|
flagName string // Compared flag name.
|
|
testResult bool
|
|
}{
|
|
// Test Op not matching
|
|
{label: "empty - op", op: "", flagVal: "", compareValue: "", expectedResultPattern: "", testResult: false, flagName: ""},
|
|
{label: "op=blah", op: "blah", flagVal: "foo", compareValue: "bar", expectedResultPattern: "", testResult: false, flagName: ""},
|
|
|
|
// Test Op "eq"
|
|
{label: "op=eq, both empty", op: "eq", flagVal: "", compareValue: "", expectedResultPattern: "'' is equal to ''", testResult: true, flagName: ""},
|
|
|
|
{label: "op=eq, true==true", op: "eq", flagVal: "true",
|
|
compareValue: "true",
|
|
expectedResultPattern: "'parameterTrue' is equal to 'true'",
|
|
testResult: true,
|
|
flagName: "parameterTrue"},
|
|
|
|
{label: "op=eq, false==false", op: "eq", flagVal: "false",
|
|
compareValue: "false",
|
|
expectedResultPattern: "'parameterFalse' is equal to 'false'",
|
|
testResult: true,
|
|
flagName: "parameterFalse"},
|
|
|
|
{label: "op=eq, false==true", op: "eq", flagVal: "false",
|
|
compareValue: "true",
|
|
expectedResultPattern: "'parameterFalse' is equal to 'true'",
|
|
testResult: false,
|
|
flagName: "parameterFalse"},
|
|
|
|
{label: "op=eq, strings match", op: "eq", flagVal: "KubeletConfiguration",
|
|
compareValue: "KubeletConfiguration",
|
|
expectedResultPattern: "'--FlagNameKubeletConf' is equal to 'KubeletConfiguration'",
|
|
testResult: true,
|
|
flagName: "--FlagNameKubeletConf"},
|
|
|
|
{label: "op=eq, flagVal=empty", op: "eq", flagVal: "",
|
|
compareValue: "KubeletConfiguration",
|
|
expectedResultPattern: "'--FlagNameKubeletConf' is equal to 'KubeletConfiguration'",
|
|
testResult: false,
|
|
flagName: "--FlagNameKubeletConf"},
|
|
|
|
{label: "op=eq, compareValue=empty",
|
|
op: "eq",
|
|
flagVal: "KubeletConfiguration",
|
|
compareValue: "",
|
|
expectedResultPattern: "'--FlagNameKubeletConf' is equal to ''",
|
|
testResult: false,
|
|
flagName: "--FlagNameKubeletConf"},
|
|
|
|
// Test Op "noteq"
|
|
{label: "op=noteq, both empty",
|
|
op: "noteq",
|
|
flagVal: "",
|
|
compareValue: "",
|
|
expectedResultPattern: "'parameter' is not equal to ''",
|
|
testResult: false,
|
|
flagName: "parameter"},
|
|
|
|
{label: "op=noteq, true!=true",
|
|
op: "noteq",
|
|
flagVal: "true",
|
|
compareValue: "true",
|
|
expectedResultPattern: "'parameterTrue' is not equal to 'true'",
|
|
testResult: false,
|
|
flagName: "parameterTrue"},
|
|
|
|
{label: "op=noteq, false!=false",
|
|
op: "noteq",
|
|
flagVal: "false",
|
|
compareValue: "false",
|
|
expectedResultPattern: "'parameterFalse' is not equal to 'false'",
|
|
testResult: false,
|
|
flagName: "parameterFalse"},
|
|
|
|
{label: "op=noteq, false!=true",
|
|
op: "noteq",
|
|
flagVal: "false",
|
|
compareValue: "true",
|
|
expectedResultPattern: "'parameterFalse' is not equal to 'true'",
|
|
testResult: true,
|
|
flagName: "parameterFalse"},
|
|
|
|
{label: "op=noteq, strings match",
|
|
op: "noteq",
|
|
flagVal: "KubeletConfiguration",
|
|
compareValue: "KubeletConfiguration",
|
|
expectedResultPattern: "'--FlagNameKubeletConf' is not equal to 'KubeletConfiguration'",
|
|
testResult: false,
|
|
flagName: "--FlagNameKubeletConf"},
|
|
|
|
{label: "op=noteq, flagVal=empty",
|
|
op: "noteq",
|
|
flagVal: "",
|
|
compareValue: "KubeletConfiguration",
|
|
expectedResultPattern: "'--FlagNameKubeletConf' is not equal to 'KubeletConfiguration'",
|
|
testResult: true,
|
|
flagName: "--FlagNameKubeletConf"},
|
|
|
|
{label: "op=noteq, compareValue=empty",
|
|
op: "noteq",
|
|
flagVal: "KubeletConfiguration",
|
|
compareValue: "",
|
|
expectedResultPattern: "'--FlagNameKubeletConf' is not equal to ''",
|
|
testResult: true,
|
|
flagName: "--FlagNameKubeletConf"},
|
|
|
|
// Test Op "gt"
|
|
{label: "op=gt, both empty",
|
|
op: "gt",
|
|
flagVal: "",
|
|
compareValue: "",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: '' ''",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=gt, 0 > 0",
|
|
op: "gt",
|
|
flagVal: "0",
|
|
compareValue: "0", expectedResultPattern: "'flagName' is greater than 0",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=gt, 4 > 5",
|
|
op: "gt",
|
|
flagVal: "4",
|
|
compareValue: "5",
|
|
expectedResultPattern: "'flagName' is greater than 5",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=gt, 5 > 4",
|
|
op: "gt",
|
|
flagVal: "5",
|
|
compareValue: "4",
|
|
expectedResultPattern: "'flagName' is greater than 4",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=gt, 5 > 5",
|
|
op: "gt",
|
|
flagVal: "5",
|
|
compareValue: "5",
|
|
expectedResultPattern: "'flagName' is greater than 5",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=gt, Pikachu > 5",
|
|
op: "gt",
|
|
flagVal: "Pikachu",
|
|
compareValue: "5",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: 'Pikachu' '5'",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=gt, 5 > Bulbasaur",
|
|
op: "gt",
|
|
flagVal: "5",
|
|
compareValue: "Bulbasaur",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: '5' 'Bulbasaur'",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
// Test Op "lt"
|
|
{label: "op=lt, both empty",
|
|
op: "lt",
|
|
flagVal: "",
|
|
compareValue: "",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: '' ''",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=lt, 0 < 0",
|
|
op: "lt",
|
|
flagVal: "0",
|
|
compareValue: "0",
|
|
expectedResultPattern: "'flagName' is lower than 0",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=lt, 4 < 5",
|
|
op: "lt",
|
|
flagVal: "4",
|
|
compareValue: "5",
|
|
expectedResultPattern: "'flagName' is lower than 5",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=lt, 5 < 4",
|
|
op: "lt",
|
|
flagVal: "5",
|
|
compareValue: "4",
|
|
expectedResultPattern: "'flagName' is lower than 4",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=lt, 5 < 5",
|
|
op: "lt",
|
|
flagVal: "5",
|
|
compareValue: "5",
|
|
expectedResultPattern: "'flagName' is lower than 5",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=lt, Charmander < 5",
|
|
op: "lt",
|
|
flagVal: "Charmander",
|
|
compareValue: "5",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: 'Charmander' '5'",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=lt, 5 < Charmeleon",
|
|
op: "lt",
|
|
flagVal: "5",
|
|
compareValue: "Charmeleon",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: '5' 'Charmeleon'",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
// Test Op "gte"
|
|
{label: "op=gte, both empty",
|
|
op: "gte",
|
|
flagVal: "",
|
|
compareValue: "",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: '' ''",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=gte, 0 >= 0",
|
|
op: "gte",
|
|
flagVal: "0",
|
|
compareValue: "0",
|
|
expectedResultPattern: "'flagName' is greater or equal to 0",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=gte, 4 >= 5",
|
|
op: "gte",
|
|
flagVal: "4",
|
|
compareValue: "5",
|
|
expectedResultPattern: "'flagName' is greater or equal to 5",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=gte, 5 >= 4",
|
|
op: "gte",
|
|
flagVal: "5",
|
|
compareValue: "4",
|
|
expectedResultPattern: "'flagName' is greater or equal to 4",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=gte, 5 >= 5",
|
|
op: "gte",
|
|
flagVal: "5",
|
|
compareValue: "5",
|
|
expectedResultPattern: "'flagName' is greater or equal to 5",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=gte, Ekans >= 5",
|
|
op: "gte",
|
|
flagVal: "Ekans",
|
|
compareValue: "5",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: 'Ekans' '5'",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=gte, 4 >= Zubat",
|
|
op: "gte",
|
|
flagVal: "4",
|
|
compareValue: "Zubat",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: '4' 'Zubat'",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
// Test Op "lte"
|
|
{label: "op=lte, both empty",
|
|
op: "lte",
|
|
flagVal: "",
|
|
compareValue: "",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: '' ''",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=lte, 0 <= 0",
|
|
op: "lte",
|
|
flagVal: "0",
|
|
compareValue: "0",
|
|
expectedResultPattern: "'flagName' is lower or equal to 0",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=lte, 4 <= 5",
|
|
op: "lte",
|
|
flagVal: "4",
|
|
compareValue: "5",
|
|
expectedResultPattern: "'flagName' is lower or equal to 5",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=lte, 5 <= 4",
|
|
op: "lte",
|
|
flagVal: "5",
|
|
compareValue: "4",
|
|
expectedResultPattern: "'flagName' is lower or equal to 4",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=lte, 5 <= 5",
|
|
op: "lte",
|
|
flagVal: "5",
|
|
compareValue: "5",
|
|
expectedResultPattern: "'flagName' is lower or equal to 5",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=lte, Venomoth <= 4",
|
|
op: "lte",
|
|
flagVal: "Venomoth",
|
|
compareValue: "4",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: 'Venomoth' '4'",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=lte, 5 <= Meowth",
|
|
op: "lte",
|
|
flagVal: "5",
|
|
compareValue: "Meowth",
|
|
expectedResultPattern: "Invalid Number(s) used for comparison: '5' 'Meowth'",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
|
|
// Test Op "has"
|
|
{label: "op=has, both empty",
|
|
op: "has",
|
|
flagVal: "",
|
|
compareValue: "",
|
|
expectedResultPattern: "'flagName' has ''",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=has, flagVal=empty",
|
|
op: "has",
|
|
flagVal: "",
|
|
compareValue: "blah",
|
|
expectedResultPattern: "'flagName' has 'blah'",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=has, compareValue=empty",
|
|
op: "has",
|
|
flagVal: "blah",
|
|
compareValue: "",
|
|
expectedResultPattern: "'flagName-blah' has ''",
|
|
testResult: true,
|
|
flagName: "flagName-blah"},
|
|
{label: "op=has, 'blah' has 'la'",
|
|
op: "has",
|
|
flagVal: "blah",
|
|
compareValue: "la",
|
|
expectedResultPattern: "'flagName-blah' has 'la'",
|
|
testResult: true,
|
|
flagName: "flagName-blah"},
|
|
{label: "op=has, 'blah' has 'LA'",
|
|
op: "has",
|
|
flagVal: "blah",
|
|
compareValue: "LA",
|
|
expectedResultPattern: "'flagName-blah' has 'LA'",
|
|
testResult: false,
|
|
flagName: "flagName-blah"},
|
|
{label: "op=has, 'blah' has 'lo'",
|
|
op: "has",
|
|
flagVal: "blah",
|
|
compareValue: "lo",
|
|
expectedResultPattern: "'flagName-blah' has 'lo'",
|
|
testResult: false,
|
|
flagName: "flagName-blah"},
|
|
|
|
// Test Op "nothave"
|
|
{label: "op=nothave, both empty",
|
|
op: "nothave",
|
|
flagVal: "",
|
|
compareValue: "",
|
|
expectedResultPattern: "'flagName' does not have ''",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
{label: "op=nothave, flagVal=empty",
|
|
op: "nothave",
|
|
flagVal: "",
|
|
compareValue: "blah",
|
|
expectedResultPattern: "'flagName' does not have 'blah'",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=nothave, compareValue=empty",
|
|
op: "nothave",
|
|
flagVal: "blah",
|
|
compareValue: "",
|
|
expectedResultPattern: "'flagName-blah' does not have ''",
|
|
testResult: false,
|
|
flagName: "flagName-blah"},
|
|
{label: "op=nothave, 'blah' not have 'la'",
|
|
op: "nothave",
|
|
flagVal: "blah",
|
|
compareValue: "la",
|
|
expectedResultPattern: "'flagName-blah' does not have 'la'",
|
|
testResult: false,
|
|
flagName: "flagName-blah"},
|
|
{label: "op=nothave, 'blah' not have 'LA'",
|
|
op: "nothave",
|
|
flagVal: "blah",
|
|
compareValue: "LA",
|
|
expectedResultPattern: "'flagName-blah' does not have 'LA'",
|
|
testResult: true,
|
|
flagName: "flagName-blah"},
|
|
{label: "op=nothave, 'blah' not have 'lo'",
|
|
op: "nothave",
|
|
flagVal: "blah",
|
|
compareValue: "lo",
|
|
expectedResultPattern: "'flagName-blah' does not have 'lo'",
|
|
testResult: true,
|
|
flagName: "flagName-blah"},
|
|
|
|
// Test Op "regex"
|
|
{label: "op=regex, both empty",
|
|
op: "regex",
|
|
flagVal: "",
|
|
compareValue: "",
|
|
expectedResultPattern: "'flagName' matched by regex expression ''",
|
|
testResult: true,
|
|
flagName: "flagName"},
|
|
{label: "op=regex, flagVal=empty",
|
|
op: "regex",
|
|
flagVal: "",
|
|
compareValue: "blah",
|
|
expectedResultPattern: "'flagName' matched by regex expression 'blah'",
|
|
testResult: false,
|
|
flagName: "flagName"},
|
|
|
|
// Test Op "valid_elements"
|
|
{label: "op=valid_elements, valid_elements both empty",
|
|
op: "valid_elements",
|
|
flagVal: "",
|
|
compareValue: "",
|
|
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from ''",
|
|
testResult: true,
|
|
flagName: "flagWithMultipleElements"},
|
|
|
|
{label: "op=valid_elements, valid_elements flagVal empty",
|
|
op: "valid_elements",
|
|
flagVal: "",
|
|
compareValue: "a,b",
|
|
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from 'a,b'",
|
|
testResult: false,
|
|
flagName: "flagWithMultipleElements"},
|
|
|
|
{label: "op=valid_elements, valid_elements compareValue empty",
|
|
op: "valid_elements",
|
|
flagVal: "a,b",
|
|
compareValue: "",
|
|
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from ''",
|
|
testResult: false,
|
|
flagName: "flagWithMultipleElements"},
|
|
{label: "op=valid_elements, valid_elements two list equals",
|
|
op: "valid_elements",
|
|
flagVal: "a,b,c",
|
|
compareValue: "a,b,c",
|
|
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from 'a,b,c'",
|
|
testResult: true,
|
|
flagName: "flagWithMultipleElements"},
|
|
{label: "op=valid_elements, valid_elements partial flagVal valid",
|
|
op: "valid_elements",
|
|
flagVal: "a,c",
|
|
compareValue: "a,b,c",
|
|
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from 'a,b,c'",
|
|
testResult: true,
|
|
flagName: "flagWithMultipleElements"},
|
|
{label: "op=valid_elements, valid_elements partial compareValue valid",
|
|
op: "valid_elements",
|
|
flagVal: "a,b,c",
|
|
compareValue: "a,c",
|
|
expectedResultPattern: "'flagWithMultipleElements' contains valid elements from 'a,c'",
|
|
testResult: false,
|
|
flagName: "flagWithMultipleElements"},
|
|
|
|
// Test Op "bitmask"
|
|
{label: "op=bitmask, 644 AND 640",
|
|
op: "bitmask",
|
|
flagVal: "640",
|
|
compareValue: "644",
|
|
expectedResultPattern: "etc/fileExamplePermission640 has permissions 640, expected 644 or more restrictive",
|
|
testResult: true,
|
|
flagName: "etc/fileExamplePermission640"},
|
|
{label: "op=bitmask, 644 AND 777",
|
|
op: "bitmask",
|
|
flagVal: "777",
|
|
compareValue: "644",
|
|
expectedResultPattern: "etc/fileExamplePermission777 has permissions 777, expected 644 or more restrictive",
|
|
testResult: false,
|
|
flagName: "etc/fileExamplePermission777"},
|
|
{label: "op=bitmask, 644 AND 444",
|
|
op: "bitmask",
|
|
flagVal: "444",
|
|
compareValue: "644",
|
|
expectedResultPattern: "etc/fileExamplePermission444 has permissions 444, expected 644 or more restrictive",
|
|
testResult: true,
|
|
flagName: "etc/fileExamplePermission444"},
|
|
{label: "op=bitmask, 644 AND 211",
|
|
op: "bitmask",
|
|
flagVal: "211",
|
|
compareValue: "644",
|
|
expectedResultPattern: "etc/fileExamplePermission211 has permissions 211, expected 644 or more restrictive",
|
|
testResult: false,
|
|
flagName: "etc/fileExamplePermission211"},
|
|
{label: "op=bitmask, Harry AND 211",
|
|
op: "bitmask",
|
|
flagVal: "Harry",
|
|
compareValue: "644",
|
|
expectedResultPattern: "Not numeric value - flag: Harry",
|
|
testResult: false,
|
|
flagName: "etc/fileExample"},
|
|
{label: "op=bitmask, 644 AND Potter",
|
|
op: "bitmask",
|
|
flagVal: "211",
|
|
compareValue: "Potter",
|
|
expectedResultPattern: "Not numeric value - flag: Potter",
|
|
testResult: false,
|
|
flagName: "etc/fileExample"},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.label, func(t *testing.T) {
|
|
expectedResultPattern, testResult := compareOp(c.op, c.flagVal, c.compareValue, c.flagName)
|
|
if expectedResultPattern != c.expectedResultPattern {
|
|
t.Errorf("'expectedResultPattern' did not match - op: %q expected:%q got:%q", c.op, c.expectedResultPattern, expectedResultPattern)
|
|
}
|
|
|
|
if testResult != c.testResult {
|
|
t.Errorf("'testResult' did not match - lop: %q expected:%t got:%t", c.op, c.testResult, testResult)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestToNumeric(t *testing.T) {
|
|
cases := []struct {
|
|
firstValue string
|
|
secondValue string
|
|
expectedToFail bool
|
|
}{
|
|
{
|
|
firstValue: "a",
|
|
secondValue: "b",
|
|
expectedToFail: true,
|
|
},
|
|
{
|
|
firstValue: "5",
|
|
secondValue: "b",
|
|
expectedToFail: true,
|
|
},
|
|
{
|
|
firstValue: "5",
|
|
secondValue: "6",
|
|
expectedToFail: false,
|
|
},
|
|
}
|
|
|
|
for id, c := range cases {
|
|
t.Run(fmt.Sprintf("%d", id), func(t *testing.T) {
|
|
f, s, err := toNumeric(c.firstValue, c.secondValue)
|
|
if c.expectedToFail && err == nil {
|
|
t.Errorf("Expected error while converting %s and %s", c.firstValue, c.secondValue)
|
|
}
|
|
|
|
if !c.expectedToFail && (f != 5 || s != 6) {
|
|
t.Errorf("Expected to return %d,%d - got %d,%d", 5, 6, f, s)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestExecuteJSONPathOnEncryptionConfig(t *testing.T) {
|
|
|
|
type Resources struct {
|
|
Resources []string `json:"resources"`
|
|
Providers []map[string]interface{} `json:"providers"`
|
|
}
|
|
|
|
type EncryptionConfig struct {
|
|
Kind string `json:"kind"`
|
|
ApiVersion string `json:"apiVersion"`
|
|
Resources []Resources `json:"resources"`
|
|
}
|
|
|
|
type Key struct {
|
|
Secret string `json:"secret"`
|
|
Name string `json:"name"`
|
|
}
|
|
|
|
type Aescbc struct {
|
|
Keys []Key `json:"keys"`
|
|
}
|
|
|
|
type SecretBox struct {
|
|
Keys []Key `json:"keys"`
|
|
}
|
|
|
|
type Aesgcm struct {
|
|
Keys []Key `json:"keys"`
|
|
}
|
|
|
|
// identity disable encryption when set as the first parameter
|
|
type Identity struct {}
|
|
|
|
cases := []struct {
|
|
name string
|
|
jsonPath string
|
|
jsonInterface EncryptionConfig
|
|
expectedResult string
|
|
expectedToFail bool
|
|
}{
|
|
{
|
|
"JSONPath parse works, results match",
|
|
"{.resources[*].providers[*].aescbc.keys[*].secret}",
|
|
EncryptionConfig{
|
|
Kind: "EncryptionConfig",
|
|
ApiVersion: "v1",
|
|
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
|
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
|
|
}}}},
|
|
"secret1",
|
|
false,
|
|
},
|
|
{
|
|
"JSONPath parse works, results match",
|
|
"{.resources[*].providers[*].aescbc.keys[*].name}",
|
|
EncryptionConfig{
|
|
Kind: "EncryptionConfig",
|
|
ApiVersion: "v1",
|
|
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
|
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
|
|
}}}},
|
|
"name1",
|
|
false,
|
|
},
|
|
{
|
|
"JSONPath parse works, results don't match",
|
|
"{.resources[*].providers[*].aescbc.keys[*].secret}",
|
|
EncryptionConfig{
|
|
Kind: "EncryptionConfig",
|
|
ApiVersion: "v1",
|
|
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
|
{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
|
|
}}}},
|
|
"secret1",
|
|
true,
|
|
},
|
|
{
|
|
"JSONPath parse works, results match",
|
|
"{.resources[*].providers[*].aesgcm.keys[*].secret}",
|
|
EncryptionConfig{
|
|
Kind: "EncryptionConfig",
|
|
ApiVersion: "v1",
|
|
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
|
{"aesgcm": Aesgcm{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
|
|
}}}},
|
|
"secret1",
|
|
false,
|
|
},
|
|
{
|
|
"JSONPath parse works, results match",
|
|
"{.resources[*].providers[*].secretbox.keys[*].secret}",
|
|
EncryptionConfig{
|
|
Kind: "EncryptionConfig",
|
|
ApiVersion: "v1",
|
|
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
|
{"secretbox": SecretBox{Keys: []Key{Key{Secret: "secret1", Name: "name1"}}}},
|
|
}}}},
|
|
"secret1",
|
|
false,
|
|
},
|
|
{
|
|
"JSONPath parse works, results match",
|
|
"{.resources[*].providers[*].aescbc.keys[*].secret}",
|
|
EncryptionConfig{
|
|
Kind: "EncryptionConfig",
|
|
ApiVersion: "v1",
|
|
Resources: []Resources{{Resources: []string{"secrets"}, Providers: []map[string]interface{}{
|
|
{"aescbc": Aescbc{Keys: []Key{Key{Secret: "secret1", Name: "name1"}, Key{Secret: "secret2", Name: "name2"}}}},
|
|
}}}},
|
|
"secret1 secret2",
|
|
false,
|
|
},
|
|
}
|
|
for _, c := range cases {
|
|
t.Run(c.name, func(t *testing.T) {
|
|
result, err := executeJSONPath(c.jsonPath, c.jsonInterface)
|
|
if err != nil && !c.expectedToFail {
|
|
t.Fatalf("jsonPath:%q, expectedResult:%q got:%v", c.jsonPath, c.expectedResult, err)
|
|
}
|
|
if c.expectedResult != result && !c.expectedToFail {
|
|
t.Errorf("jsonPath:%q, expectedResult:%q got:%q", c.jsonPath, c.expectedResult, result)
|
|
}
|
|
})
|
|
}
|
|
}
|