Passing the service fqdn from outside

Signed-off-by: Amit Schendel <amitschendel@gmail.com>

core/pkg/opaprocessor/networkscanner.go

@@ -9,27 +9,15 @@ import (
 )
 
 const (
-	ServiceSuffix = ".svc.cluster.local"
-	Timeout       = time.Second * 3
+	Timeout = time.Second * 3
 )
 
 // Check if the service is unauthenticated using kubescape-network-scanner.
-func isUnauthenticatedService(host string, port int, namespace string) bool {
-	// Skip kube-system namespace.
-	if namespace == "kube-system" {
-		return false
-	}
-
-	if namespace == "" {
-		namespace = "default"
-	}
-
-	k8sService := fmt.Sprintf("%s.%s%s", host, namespace, ServiceSuffix)
-
+func isUnauthenticatedService(host string, port int) bool {
 	// Run the network scanner in a goroutine and wait for the result.
 	results := make(chan bool, 1)
 	go func() {
-		discoveryResults, err := servicediscovery.ScanTargets(k8sService, port)
+		discoveryResults, err := servicediscovery.ScanTargets(host, port)
 		if err != nil {
 			results <- false
 		} else if !discoveryResults.IsAuthenticated && discoveryResults.ApplicationLayer != "" {
@@ -43,7 +31,7 @@ func isUnauthenticatedService(host string, port int, namespace string) bool {
 	case result := <-results:
 		return result
 	case <-time.After(Timeout):
-		logger.L().Error(fmt.Sprintf("Timeout while scanning service: %s", k8sService))
+		logger.L().Error(fmt.Sprintf("Timeout while scanning service: %s", host))
 		return false
 	}
 }

core/pkg/opaprocessor/networkscanner_test.go

@@ -8,9 +8,6 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-// In this test, we are testing the function isUnauthenticatedService() in the file core/pkg/opaprocessor/networkscanner.go.
-// The test can't work out of the box because it requires a running Kubernetes cluster in order to communicate with a service.
-// If you want to run the test, you need to modify the function isUnauthenticatedService() to trim the namespace from the service name.
 func TestIsUnauthenticatedService(t *testing.T) {
 	s, err := miniredis.Run()
 	if err != nil {
@@ -34,9 +31,8 @@ func TestIsUnauthenticatedService(t *testing.T) {
 
 	// rego input
 	type args struct {
-		host      string
-		port      int
-		namespace string
+		host string
+		port int
 	}
 
 	tests := []struct {
@@ -51,8 +47,8 @@ func TestIsUnauthenticatedService(t *testing.T) {
 				host: s.Host(),
 				port: port,
 			},
-			false,
-			assert.False,
+			true,
+			assert.True,
 		},
 		{
 			"Authenticated service",
@@ -60,8 +56,6 @@ func TestIsUnauthenticatedService(t *testing.T) {
 				host: s.Host(),
 				port: port,
 			},
-			// false,
-			// assert.False,
 			false,
 			assert.False,
 		},
@@ -69,7 +63,7 @@ func TestIsUnauthenticatedService(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := isUnauthenticatedService(tt.args.host, tt.args.port, tt.args.namespace)
+			got := isUnauthenticatedService(tt.args.host, tt.args.port)
 			assert.Equalf(t, tt.want, got, "isUnauthenticatedService(%v, %v)", tt.args.host, tt.args.port)
 		})
 

core/pkg/opaprocessor/utils.go

@@ -140,5 +140,15 @@ var unauthenticatedServiceDefinition = func(bctx rego.BuiltinContext, a, b, c *a
 		return nil, fmt.Errorf("invalid parameter type: %v", err)
 	}
 
-	return ast.BooleanTerm(isUnauthenticatedService(string(service), portNumber, string(namespace))), nil
+	if namespace == "" {
+		namespace = "default"
+	}
+
+	if namespace == "kube-system" {
+		return ast.BooleanTerm(false), nil
+	}
+
+	k8sService := fmt.Sprintf("%s.%s%s", string(service), string(namespace), ".svc.cluster.local")
+
+	return ast.BooleanTerm(isUnauthenticatedService(k8sService, portNumber)), nil
 }