Merge pull request #1084 from fredbi/test/download-release-policy

test(getter): more unit tests
2026-04-15 06:58:11 +00:00 · 2023-02-20 17:55:08 +02:00
parent 8fd9258efa d8f1a25ab7
commit e8a4c2033f
9 changed files with 27450 additions and 16 deletions
--- a/core/cautils/getter/downloadreleasedpolicy.go
+++ b/core/cautils/getter/downloadreleasedpolicy.go
@@ -106,19 +106,6 @@ func (drp *DownloadReleasedPolicy) SetRegoObjects() error {
 	return drp.gs.SetRegoObjects()
 }

-func isNativeFramework(framework string) bool {
-	return contains(NativeFrameworks, framework)
-}
-
-func contains(s []string, str string) bool {
-	for _, v := range s {
-		if strings.EqualFold(v, str) {
-			return true
-		}
-	}
-	return false
-}
-
 func (drp *DownloadReleasedPolicy) GetExceptions(clusterName string) ([]armotypes.PostureExceptionPolicy, error) {
 	exceptions, err := drp.gs.GetSystemPostureExceptionPolicies()
 	if err != nil {
--- a/core/cautils/getter/downloadreleasedpolicy_test.go
+++ b/core/cautils/getter/downloadreleasedpolicy_test.go
@@ -0,0 +1,170 @@
+package getter
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestReleasedPolicy(t *testing.T) {
+	t.Parallel()
+
+	p := NewDownloadReleasedPolicy()
+
+	t.Run("should initialize objects", func(t *testing.T) {
+		t.Parallel()
+
+		// acquire from github or from local fixture
+		hydrateReleasedPolicyFromMock(t, p)
+
+		require.NoError(t, p.SetRegoObjects())
+
+		t.Run("with ListControls", func(t *testing.T) {
+			t.Parallel()
+
+			controlIDs, err := p.ListControls()
+			require.NoError(t, err)
+			require.NotEmpty(t, controlIDs)
+
+			sampleSize := min(len(controlIDs), 10)
+
+			for _, toPin := range controlIDs[:sampleSize] {
+				// Example of a returned "ID": `C-0154|Ensure_that_the_--client-cert-auth_argument_is_set_to_true|`
+				controlString := toPin
+				parts := strings.Split(controlString, "|")
+				controlID := parts[0]
+
+				t.Run(fmt.Sprintf("with GetControl(%q)", controlID), func(t *testing.T) {
+					t.Parallel()
+
+					ctrl, err := p.GetControl(controlID)
+					require.NoError(t, err)
+					require.NotEmpty(t, ctrl)
+					require.Equal(t, controlID, ctrl.ControlID)
+				})
+			}
+
+			t.Run("with unknown GetControl()", func(t *testing.T) {
+				t.Parallel()
+
+				ctrl, err := p.GetControl("zork")
+				require.Error(t, err)
+				require.Nil(t, ctrl)
+			})
+		})
+
+		t.Run("with GetFrameworks", func(t *testing.T) {
+			t.Parallel()
+
+			frameworks, err := p.GetFrameworks()
+			require.NoError(t, err)
+			require.NotEmpty(t, frameworks)
+
+			for _, toPin := range frameworks {
+				framework := toPin
+				require.NotEmpty(t, framework)
+				require.NotEmpty(t, framework.Name)
+
+				t.Run(fmt.Sprintf("with GetFramework(%q)", framework.Name), func(t *testing.T) {
+					t.Parallel()
+
+					fw, err := p.GetFramework(framework.Name)
+					require.NoError(t, err)
+					require.NotNil(t, fw)
+
+					require.EqualValues(t, framework, *fw)
+				})
+			}
+
+			t.Run("with unknown GetFramework()", func(t *testing.T) {
+				t.Parallel()
+
+				ctrl, err := p.GetFramework("zork")
+				require.Error(t, err)
+				require.Nil(t, ctrl)
+			})
+
+			t.Run("with ListFrameworks", func(t *testing.T) {
+				t.Parallel()
+
+				frameworkIDs, err := p.ListFrameworks()
+				require.NoError(t, err)
+				require.NotEmpty(t, frameworkIDs)
+
+				require.Len(t, frameworkIDs, len(frameworks))
+			})
+
+		})
+
+		t.Run("with GetControlsInput", func(t *testing.T) {
+			t.Parallel()
+
+			controlInputs, err := p.GetControlsInputs("") // NOTE: cluster name currently unused
+			require.NoError(t, err)
+			require.NotEmpty(t, controlInputs)
+		})
+
+		t.Run("with GetAttackTracks", func(t *testing.T) {
+			t.Parallel()
+
+			attackTracks, err := p.GetAttackTracks()
+			require.NoError(t, err)
+			require.NotEmpty(t, attackTracks)
+		})
+
+		t.Run("with GetExceptions", func(t *testing.T) {
+			t.Parallel()
+
+			exceptions, err := p.GetExceptions("") // NOTE: cluster name currently unused
+			require.NoError(t, err)
+			require.NotEmpty(t, exceptions)
+		})
+	})
+}
+
+func min(a, b int) int {
+	if a > b {
+		return b
+	}
+
+	return a
+}
+
+func hydrateReleasedPolicyFromMock(t testing.TB, p *DownloadReleasedPolicy) {
+	regoFile := testRegoFile("policy")
+
+	if _, err := os.Stat(regoFile); errors.Is(err, fs.ErrNotExist) {
+		// retrieve fixture from latest released policy from github.
+		//
+		// NOTE: to update the mock, just delete the testdata/policy.json file and run the tests again.
+		t.Logf("updating fixture file %q from github", regoFile)
+
+		require.NoError(t, p.SetRegoObjects())
+		require.NotNil(t, p.gs)
+
+		require.NoError(t,
+			SaveInFile(p.gs, regoFile),
+		)
+
+		return
+	}
+
+	// we have a mock fixture: load this rather than calling github
+	t.Logf("populating rego policy from fixture file %q", regoFile)
+	buf, err := os.ReadFile(regoFile)
+	require.NoError(t, err)
+
+	require.NoError(t,
+		json.Unmarshal(buf, p.gs),
+	)
+}
+
+func testRegoFile(framework string) string {
+	return filepath.Join(currentDir(), "testdata", fmt.Sprintf("%s.json", framework))
+}
--- a/core/cautils/getter/getpoliciesutils.go
+++ b/core/cautils/getter/getpoliciesutils.go
@@ -6,7 +6,6 @@ import (
 	"io"
 	"net/http"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 )
@@ -23,7 +22,7 @@ func SaveInFile(policy interface{}, pathStr string) error {
 	err = os.WriteFile(pathStr, encodedData, 0644) //nolint:gosec
 	if err != nil {
 		if os.IsNotExist(err) {
-			pathDir := path.Dir(pathStr)
+			pathDir := filepath.Dir(pathStr)
 			// pathDir could contain subdirectories
 			if erm := os.MkdirAll(pathDir, 0755); erm != nil {
 				return erm
--- a/core/cautils/getter/getpoliciesutils_test.go
+++ b/core/cautils/getter/getpoliciesutils_test.go
@@ -0,0 +1,68 @@
+package getter
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetDefaultPath(t *testing.T) {
+	t.Parallel()
+
+	const name = "mine"
+
+	pth := GetDefaultPath(name)
+	require.Equal(t, name, filepath.Base(pth))
+	require.Equal(t, ".kubescape", filepath.Base(filepath.Dir(pth)))
+}
+
+func TestSaveInFile(t *testing.T) {
+	t.Parallel()
+
+	dir, err := os.MkdirTemp(".", "test")
+	require.NoError(t, err)
+	defer func() {
+		_ = os.RemoveAll(dir)
+	}()
+
+	policy := map[string]interface{}{
+		"key":    "value",
+		"number": 1.00,
+	}
+
+	t.Run("should save data as JSON (target folder exists)", func(t *testing.T) {
+		target := filepath.Join(dir, "target.json")
+		require.NoError(t, SaveInFile(policy, target))
+
+		buf, err := os.ReadFile(target)
+		require.NoError(t, err)
+		var retrieved interface{}
+		require.NoError(t, json.Unmarshal(buf, &retrieved))
+
+		require.EqualValues(t, policy, retrieved)
+	})
+
+	t.Run("should save data as JSON (new target folder)", func(t *testing.T) {
+		target := filepath.Join(dir, "subdir", "target.json")
+		require.NoError(t, SaveInFile(policy, target))
+
+		buf, err := os.ReadFile(target)
+		require.NoError(t, err)
+		var retrieved interface{}
+		require.NoError(t, json.Unmarshal(buf, &retrieved))
+
+		require.EqualValues(t, policy, retrieved)
+	})
+
+	t.Run("should error", func(t *testing.T) {
+		badPolicy := map[string]interface{}{
+			"key":    "value",
+			"number": 1.00,
+			"err":    func() {},
+		}
+		target := filepath.Join(dir, "error.json")
+		require.Error(t, SaveInFile(badPolicy, target))
+	})
+}
--- a/core/cautils/getter/kscloudapi_mocks_test.go
+++ b/core/cautils/getter/kscloudapi_mocks_test.go
@@ -0,0 +1,273 @@
+package getter
+
+import (
+	"github.com/armosec/armoapi-go/armotypes"
+	"github.com/kubescape/opa-utils/reporthandling"
+	"github.com/kubescape/opa-utils/reporthandling/attacktrack/v1alpha1"
+)
+
+func mockAttackTracks() []v1alpha1.AttackTrack {
+	return []v1alpha1.AttackTrack{
+		{
+			ApiVersion: "v1",
+			Kind:       "track",
+			Metadata:   map[string]interface{}{"label": "name"},
+			Spec: v1alpha1.AttackTrackSpecification{
+				Version:     "v2",
+				Description: "a mock",
+				Data: v1alpha1.AttackTrackStep{
+					Name:        "track1",
+					Description: "mock-step",
+					SubSteps: []v1alpha1.AttackTrackStep{
+						{
+							Name:        "track1",
+							Description: "mock-step",
+							Controls: []v1alpha1.IAttackTrackControl{
+								mockControlPtr("control-1"),
+							},
+						},
+					},
+					Controls: []v1alpha1.IAttackTrackControl{
+						mockControlPtr("control-2"),
+						mockControlPtr("control-3"),
+					},
+				},
+			},
+		},
+		{
+			ApiVersion: "v1",
+			Kind:       "track",
+			Metadata:   map[string]interface{}{"label": "stuff"},
+			Spec: v1alpha1.AttackTrackSpecification{
+				Version:     "v1",
+				Description: "another mock",
+				Data: v1alpha1.AttackTrackStep{
+					Name:        "track2",
+					Description: "mock-step2",
+					SubSteps: []v1alpha1.AttackTrackStep{
+						{
+							Name:        "track3",
+							Description: "mock-step",
+							Controls: []v1alpha1.IAttackTrackControl{
+								mockControlPtr("control-4"),
+							},
+						},
+					},
+					Controls: []v1alpha1.IAttackTrackControl{
+						mockControlPtr("control-5"),
+						mockControlPtr("control-6"),
+					},
+				},
+			},
+		},
+	}
+}
+
+func mockFrameworks() []reporthandling.Framework {
+	id1s := []string{"control-1", "control-2"}
+	id2s := []string{"control-3", "control-4"}
+	id3s := []string{"control-5", "control-6"}
+
+	return []reporthandling.Framework{
+		{
+			PortalBase: armotypes.PortalBase{
+				Name: "mock-1",
+			},
+			CreationTime: "now",
+			Description:  "mock-1",
+			Controls: []reporthandling.Control{
+				mockControl("control-1"),
+				mockControl("control-2"),
+			},
+			ControlsIDs: &id1s,
+			SubSections: map[string]*reporthandling.FrameworkSubSection{
+				"section1": {
+					ID:         "section-id",
+					ControlIDs: id1s,
+				},
+			},
+		},
+		{
+			PortalBase: armotypes.PortalBase{
+				Name: "mock-2",
+			},
+			CreationTime: "then",
+			Description:  "mock-2",
+			Controls: []reporthandling.Control{
+				mockControl("control-3"),
+				mockControl("control-4"),
+			},
+			ControlsIDs: &id2s,
+			SubSections: map[string]*reporthandling.FrameworkSubSection{
+				"section2": {
+					ID:         "section-id",
+					ControlIDs: id2s,
+				},
+			},
+		},
+		{
+			PortalBase: armotypes.PortalBase{
+				Name: "nsa",
+			},
+			CreationTime: "tomorrow",
+			Description:  "nsa mock",
+			Controls: []reporthandling.Control{
+				mockControl("control-5"),
+				mockControl("control-6"),
+			},
+			ControlsIDs: &id3s,
+			SubSections: map[string]*reporthandling.FrameworkSubSection{
+				"section2": {
+					ID:         "section-id",
+					ControlIDs: id3s,
+				},
+			},
+		},
+	}
+}
+
+func mockControl(controlID string) reporthandling.Control {
+	return reporthandling.Control{
+		ControlID: controlID,
+	}
+}
+func mockControlPtr(controlID string) *reporthandling.Control {
+	val := mockControl(controlID)
+
+	return &val
+}
+
+func mockExceptions() []armotypes.PostureExceptionPolicy {
+	return []armotypes.PostureExceptionPolicy{
+		{
+			PolicyType:   "postureExceptionPolicy",
+			CreationTime: "now",
+			Actions: []armotypes.PostureExceptionPolicyActions{
+				"alertOnly",
+			},
+			Resources: []armotypes.PortalDesignator{
+				{
+					DesignatorType: "Attributes",
+					Attributes: map[string]string{
+						"kind":      "Pod",
+						"name":      "coredns-[A-Za-z0-9]+-[A-Za-z0-9]+",
+						"namespace": "kube-system",
+					},
+				},
+				{
+					DesignatorType: "Attributes",
+					Attributes: map[string]string{
+						"kind":      "Pod",
+						"name":      "etcd-.*",
+						"namespace": "kube-system",
+					},
+				},
+			},
+			PosturePolicies: []armotypes.PosturePolicy{
+				{
+					FrameworkName: "MITRE",
+					ControlID:     "C-.*",
+				},
+				{
+					FrameworkName: "another-framework",
+					ControlID:     "a regexp",
+				},
+			},
+		},
+		{
+			PolicyType:   "postureExceptionPolicy",
+			CreationTime: "then",
+			Actions: []armotypes.PostureExceptionPolicyActions{
+				"alertOnly",
+			},
+			Resources: []armotypes.PortalDesignator{
+				{
+					DesignatorType: "Attributes",
+					Attributes: map[string]string{
+						"kind": "Deployment",
+						"name": "my-regexp",
+					},
+				},
+				{
+					DesignatorType: "Attributes",
+					Attributes: map[string]string{
+						"kind": "Secret",
+						"name": "another-regexp",
+					},
+				},
+			},
+			PosturePolicies: []armotypes.PosturePolicy{
+				{
+					FrameworkName: "yet-another-framework",
+					ControlID:     "a regexp",
+				},
+			},
+		},
+	}
+}
+
+func mockTenantResponse() *TenantResponse {
+	return &TenantResponse{
+		TenantID:  "id",
+		Token:     "token",
+		Expires:   "expiry-time",
+		AdminMail: "admin@example.com",
+	}
+}
+
+func mockCustomerConfig(cluster, scope string) func() *armotypes.CustomerConfig {
+	if cluster == "" {
+		cluster = "my-cluster"
+	}
+
+	if scope == "" {
+		scope = "default"
+	}
+
+	return func() *armotypes.CustomerConfig {
+		return &armotypes.CustomerConfig{
+			Name: "user",
+			Attributes: map[string]interface{}{
+				"label": "value",
+			},
+			Scope: armotypes.PortalDesignator{
+				DesignatorType: "Attributes",
+				Attributes: map[string]string{
+					"kind":  "Cluster",
+					"name":  cluster,
+					"scope": scope,
+				},
+			},
+			Settings: armotypes.Settings{
+				PostureControlInputs: map[string][]string{
+					"inputs-1": {"x1", "y2"},
+					"inputs-2": {"x2", "y2"},
+				},
+				PostureScanConfig: armotypes.PostureScanConfig{
+					ScanFrequency: armotypes.ScanFrequency("weekly"),
+				},
+				VulnerabilityScanConfig: armotypes.VulnerabilityScanConfig{
+					ScanFrequency:             armotypes.ScanFrequency("daily"),
+					CriticalPriorityThreshold: 1,
+					HighPriorityThreshold:     2,
+					MediumPriorityThreshold:   3,
+					ScanNewDeployment:         true,
+					AllowlistRegistries:       []string{"a", "b"},
+					BlocklistRegistries:       []string{"c", "d"},
+				},
+				SlackConfigurations: armotypes.SlackSettings{
+					Token: "slack-token",
+				},
+			},
+		}
+	}
+}
+
+func mockLoginResponse() *FeLoginResponse {
+	return &FeLoginResponse{
+		Token:        "access-token",
+		RefreshToken: "refresh-token",
+		Expires:      "expiry-time",
+		ExpiresIn:    123,
+	}
+}
--- a/core/cautils/getter/kscloudapi_test.go
+++ b/core/cautils/getter/kscloudapi_test.go
--- a/core/cautils/getter/kscloudapiutils.go
+++ b/core/cautils/getter/kscloudapiutils.go
@@ -184,3 +184,16 @@ func parseHost(host string) (string, string) {
 	// default scheme
 	return "https", strings.Replace(host, "https://", "", 1)
 }
+
+func isNativeFramework(framework string) bool {
+	return contains(NativeFrameworks, framework)
+}
+
+func contains(s []string, str string) bool {
+	for _, v := range s {
+		if strings.EqualFold(v, str) {
+			return true
+		}
+	}
+	return false
+}
--- a/core/cautils/getter/loadpolicy_test.go
+++ b/core/cautils/getter/loadpolicy_test.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"

 	"github.com/stretchr/testify/require"
@@ -386,7 +387,7 @@ func TestLoadPolicy(t *testing.T) {
 }

 func testFrameworkFile(framework string) string {
-	return filepath.Join(".", "testdata", fmt.Sprintf("%s.json", framework))
+	return filepath.Join(currentDir(), "testdata", fmt.Sprintf("%s.json", framework))
 }

 func writeTempJSONControlInputs(t testing.TB) (string, map[string][]string) {
@@ -407,3 +408,9 @@ func writeTempJSONControlInputs(t testing.TB) (string, map[string][]string) {

 	return fileName, mock
 }
+
+func currentDir() string {
+	_, filename, _, _ := runtime.Caller(1)
+
+	return filepath.Dir(filename)
+}
--- a/core/cautils/getter/testdata/policy.json
+++ b/core/cautils/getter/testdata/policy.json