Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(tests): replace K8sExecInPod with AssertCommand for consistency in test assertions #1890

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 12 additions & 14 deletions tests/k8s_env/blockposture/block_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,11 +73,10 @@ var _ = Describe("Posture", func() {
wp, "wordpress-mysql", []string{"bash", "-c", "curl google.com"},
MatchRegexp("curl.*Could not resolve host: google.com"), true,
)

out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"})
Expect(err).To(BeNil())
fmt.Printf("---START---\n%s---END---\n", out)
Expect(out).To(MatchRegexp("<HTML>((?:.*\r?\n?)*)</HTML>"))
AssertCommand(
wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"},
MatchRegexp("<HTML>((?:.*\r?\n?)*)</HTML>"), false,
)
// check policy violation alert
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
Expand All @@ -101,16 +100,15 @@ var _ = Describe("Posture", func() {
Expect(err).To(BeNil())

//curl needs UDP for DNS resolution
sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"})
Expect(err).To(BeNil())
fmt.Printf("---START---\n%s---END---\n", sout)
Expect(sout).To(MatchRegexp("cat.*Permission denied"))

AssertCommand(
wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"},
MatchRegexp("cat.*Permission denied"), false,
)
//test that tcp is whitelisted
out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"})
Expect(err).To(BeNil())
fmt.Printf("---START---\n%s---END---\n", out)
Expect(out).To(MatchRegexp("<!DOCTYPE html>((?:.*\r?\n?)*)</html>"))
AssertCommand(
wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"},
MatchRegexp("<!DOCTYPE html>((?:.*\r?\n?)*)</html>"), false,
)
// check policy violation alert
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
Expand Down
111 changes: 54 additions & 57 deletions tests/k8s_env/ksp/ksp_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,9 +84,10 @@ var _ = Describe("Ksp", func() {
err = KarmorLogStart("all", "nginx", "", pods.Items[0].Name)
Expect(err).To(BeNil())

sout, _, err := K8sExecInPod(pods.Items[0].Name, "nginx", []string{"ls"})
Expect(err).To(BeNil())
fmt.Printf("---START---\n%s---END---\n", sout)
AssertCommand(
pods.Items[0].Name, "nginx", []string{"ls"},
MatchRegexp(".*"), false,
)

// check audit logs
logs, _, err := KarmorGetLogs(5*time.Second, 50)
Expand All @@ -110,12 +111,10 @@ var _ = Describe("Ksp", func() {
err = KarmorLogStart("policy", "multiubuntu", "Network", ub1)
Expect(err).To(BeNil())

sout, _, err := K8sExecInPod(ub1, "multiubuntu",
[]string{"bash", "-c", "ping -c 1 127.0.0.1"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
Expect(sout).To(MatchRegexp("PING.*127.0.0.1"))

AssertCommand(
ub1, "multiubuntu", []string{"bash", "-c", "ping -c 1 127.0.0.1"},
MatchRegexp("PING.*127.0.0.1"), false,
)
expect := protobuf.Alert{
PolicyName: "ksp-ubuntu-1-audit-net-icmp",
Severity: "8",
Expand Down Expand Up @@ -220,11 +219,10 @@ var _ = Describe("Ksp", func() {
err = KarmorLogStart("policy", "multiubuntu", "Network", ub1)
Expect(err).To(BeNil())

sout, _, err := K8sExecInPod(ub1, "multiubuntu",
[]string{"bash", "-c", "arping -c 1 127.0.0.1"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
Expect(sout).To(MatchRegexp("ARPING 127.0.0.1"))
AssertCommand(
ub1, "multiubuntu", []string{"bash", "-c", "arping -c 1 127.0.0.1"},
MatchRegexp("ARPING 127.0.0.1"), false,
)

expect := protobuf.Alert{
PolicyName: "ksp-ubuntu-1-audit-net-raw",
Expand Down Expand Up @@ -396,10 +394,10 @@ var _ = Describe("Ksp", func() {
err = KarmorLogStart("policy", "multiubuntu", "Process", ub4)
Expect(err).To(BeNil())

sout, _, err := K8sExecInPod(ub4, "multiubuntu",
[]string{"bash", "-c", "sleep 1"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
AssertCommand(
ub4, "multiubuntu", []string{"bash", "-c", "sleep 1"},
MatchRegexp(""), false,
)

expect := protobuf.Alert{
PolicyName: "ksp-group-2-audit-proc-path",
Expand Down Expand Up @@ -603,11 +601,10 @@ var _ = Describe("Ksp", func() {
AssertCommand(ub3, "multiubuntu", []string{"bash", "-c", "/home/user1/hello"},
MatchRegexp("hello.*Permission denied"), true,
)
sout, _, err := K8sExecInPod(ub3, "multiubuntu",
[]string{"bash", "-c", "/home/user1/hello"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
Expect(sout).To(MatchRegexp("hello.*Permission denied"))
AssertCommand(
ub3, "multiubuntu", []string{"bash", "-c", "/home/user1/hello"},
MatchRegexp("hello.*Permission denied"), false,
)

expect := protobuf.Alert{
PolicyName: "ksp-ubuntu-3-block-proc-path-owner",
Expand Down Expand Up @@ -908,10 +905,10 @@ var _ = Describe("Ksp", func() {
err = KarmorLogStart("policy", "multiubuntu", "File", ub1)
Expect(err).To(BeNil())

sout, _, err := K8sExecInPod(ub1, "multiubuntu",
[]string{"bash", "-c", "touch /home/user1/new1"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
AssertCommand(
ub1, "multiubuntu", []string{"bash", "-c", "touch /home/user1/new1"},
MatchRegexp(".*"), false,
)

expect := protobuf.Alert{
PolicyName: "ksp-ubuntu-1-audit-file-access-owner-readonly",
Expand Down Expand Up @@ -1488,10 +1485,11 @@ var _ = Describe("Ksp", func() {
err = KarmorLogStart("system", "multiubuntu", "File", ub4)
Expect(err).To(BeNil())

sout, _, err := K8sExecInPod(ub4, "multiubuntu",
[]string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
AssertCommand(
ub4, "multiubuntu", []string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"},
MatchRegexp(".*"), false,
)

// Expect(sout).To(ContainSubstring("secret file user1"))

expectLog := protobuf.Log{
Expand Down Expand Up @@ -1605,10 +1603,10 @@ var _ = Describe("Ksp", func() {

// Test 3: write operation on the file by the owner should also be allowed
// No need for AssertCommand here since there is nothing to match
sout, _, err := K8sExecInPod(ub3, "multiubuntu",
[]string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
AssertCommand(
ub3, "multiubuntu", []string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"},
MatchRegexp(".*"), false,
)

})

Expand Down Expand Up @@ -1667,11 +1665,10 @@ var _ = Describe("Ksp", func() {
err = KarmorLogStart("system", "multiubuntu", "File", ub4)
Expect(err).To(BeNil())

sout, _, err := K8sExecInPod(ub4, "multiubuntu",
[]string{"bash", "-c", "./readwrite -r /secret.txt"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
Expect(sout).To(ContainSubstring("s"))
AssertCommand(
ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -r /secret.txt"},
MatchRegexp("s"), false,
)

expectLog = protobuf.Log{
Resource: "secret.txt",
Expand Down Expand Up @@ -1705,10 +1702,10 @@ var _ = Describe("Ksp", func() {
err = KarmorLogStart("policy", "multiubuntu", "File", ub4)
Expect(err).To(BeNil())

sout, _, err := K8sExecInPod(ub4, "multiubuntu",
[]string{"bash", "-c", "./readwrite -w /credentials/password"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
AssertCommand(
ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -w /credentials/password"},
MatchRegexp(".*"), false,
)

expect := protobuf.Alert{
PolicyName: "DefaultPosture",
Expand All @@ -1724,10 +1721,10 @@ var _ = Describe("Ksp", func() {

// Test 3: reading some other file should be denied as not allowed by the policy

sout, _, err = K8sExecInPod(ub4, "multiubuntu",
[]string{"bash", "-c", "./readwrite -r /secret.txt"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
AssertCommand(
ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -r /secret.txt"},
MatchRegexp(".*"), false,
)

expect = protobuf.Alert{
PolicyName: "DefaultPosture",
Expand Down Expand Up @@ -1806,10 +1803,10 @@ var _ = Describe("Ksp", func() {
err = KarmorLogStart("policy", "multiubuntu", "File", ub4)
Expect(err).To(BeNil())

sout, _, err := K8sExecInPod(ub4, "multiubuntu",
[]string{"bash", "-c", "touch /dev/shm/new"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
AssertCommand(
ub4, "multiubuntu", []string{"bash", "-c", "touch /dev/shm/new"},
MatchRegexp(".*"), false,
)

expect := protobuf.Alert{
PolicyName: "ksp-ubuntu-4-audit-file-path-readonly",
Expand Down Expand Up @@ -1982,11 +1979,11 @@ var _ = Describe("Ksp", func() {
err = KarmorLogStart("system", "multiubuntu", "File", ub4)
Expect(err).To(BeNil())

sout, _, err := K8sExecInPod(ub4, "multiubuntu",
[]string{"bash", "-c", "cat /credentials/password"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
Expect(sout).To(ContainSubstring("password file"))
AssertCommand(
ub4, "multiubuntu", []string{"bash", "-c", "cat /credentials/password"},
ContainSubstring("password file"), false,
)

})

})
Expand Down
Loading
Loading