From 0003c9b83e5aed353e66202bd44575aca1c36d25 Mon Sep 17 00:00:00 2001
From: yoavrotems
Date: Tue, 22 Oct 2019 19:15:55 +0300
Subject: [PATCH 1/4] Update check_test.go
Remove this test in order to rebuild it later, and better
---
 check/check_test.go | 19 -------------------
 1 file changed, 19 deletions(-)
diff --git a/check/check_test.go b/check/check_test.go
index bcd1301..50ddf67 100644
--- a/check/check_test.go
+++ b/check/check_test.go
@@ -83,25 +83,6 @@ func TestGetFirstValidSubCheck(t *testing.T) {
 auditer: Audit("ls /home | grep $USER"),
 },
 },
- {
- SubChecks: []*SubCheck{
- {
- BaseCheck{
- Constraints: map[string][]string{"platform": []string{"ubuntu", "p"}},
- Remediation: "Fake test, check that current user has home directory",
- auditer: Audit("ls /home | grep $USER"),
- },
- },
- {
- BaseCheck{
- Constraints: map[string][]string{"platform": []string{"Fail", "ubuntu", "grub"}},
- Remediation: "Fake test, check that current user has home directory",
- auditer: Audit("ls /home | grep $USER"),
- },
- },
- },
- Expected: nil,
- },
 }
 for _, testCase := range testCases {
From eab1d17ff25a3e1e4719505c21fcf74748637c6c Mon Sep 17 00:00:00 2001
From: yoavrotems
Date: Tue, 22 Oct 2019 19:19:15 +0300
Subject: [PATCH 2/4] Update check.go
---
 check/check.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/check/check.go b/check/check.go
index d066512..0f9ab97 100644
--- a/check/check.go
+++ b/check/check.go
@@ -304,12 +304,12 @@ func isSubCheckCompatible(testConstraintKey string, testConstraintVals []string,
 // For each constraint of the check under the specific key, check if its defined
 for _, val := range testConstraintVals {
- if !contains(definedConstraintsVals, val) {
- return false
+ if contains(definedConstraintsVals, val) {
+ return true
 }
 }
- return true
+ return false
 }
 func contains(arr []string, obj string) bool {
From b8bdf8d12289aea3dedb74e543f9882bb54e78c6 Mon Sep 17 00:00:00 2001
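Review bot: A subcheck that lists a constraint key with an empty value list can no longer match after the change to the loop in `isSubCheckCompatible`: the old loop fell through to `return true` when `testConstraintVals` was empty, the new one falls through to `return false`. Since this function decides which subcheck (and therefore which audit) is selected for a run, that boundary deserves an explicit decision and a test case; none of the later patches in this series adds one. The comment kept above the loop does not say whether one matching value or all of them is required, so I would replace it with `// A key is compatible if any one of the check's values for it is defined for this run.` The function begins above the hunk, so an earlier guard for empty lists may exist that is not visible here.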
From: Liz Rice
Date: Wed, 23 Oct 2019 16:13:47 +0100
Subject: [PATCH 3/4] Change unit tests to check for matching constraints
---
 check/check_test.go | 115 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 95 insertions(+), 20 deletions(-)
diff --git a/check/check_test.go b/check/check_test.go
index 50ddf67..d461361 100644
--- a/check/check_test.go
+++ b/check/check_test.go
@@ -1,13 +1,14 @@
 package check
 import (
+ "testing"
+
 "github.com/aquasecurity/bench-common/auditeval"
 yaml "gopkg.in/yaml.v2"
- "reflect"
- "testing"
 )
-var testDefinedConstraints = map[string][]string{"platform": {"ubuntu", "rhel"}, "boot": {"grub"}}
+// For the tests, say that we are running on an ubuntu system using the grub bootloader
+var testDefinedConstraints = map[string][]string{"platform": {"ubuntu"}, "boot": {"grub"}}
 const def1 = `
 ---
@@ -54,42 +55,116 @@ func TestCheck_Run(t *testing.T) {
 func TestGetFirstValidSubCheck(t *testing.T) {
 type TestCase struct {
 SubChecks []*SubCheck
- Chosen *BaseCheck
- Expected *BaseCheck
+ Expected bool
 }
+ // For each test case, we want to find the first subcheck that matches the constraints in testDefinedConstraints
 testCases := []TestCase{
 {
+ // Expect to find the first test because it matches ubuntu
+ Expected: true,
+ SubChecks: []*SubCheck{
+ {
+ BaseCheck{
+ Constraints: map[string][]string{"platform": []string{"ubuntu"}},
+ Remediation: "Expected",
+ },
+ },
+ {
+ BaseCheck{
+ Constraints: map[string][]string{"platform": []string{"rhel"}},
+ Remediation: "Not expected",
+ },
+ },
+ },
+ },
+ {
+ // Expect to find the second test because it matches ubuntu
+ Expected: true,
 SubChecks: []*SubCheck{
+ {
+ BaseCheck{
+ Constraints: map[string][]string{"platform": []string{"rhel"}},
+ Remediation: "Not expected",
+ },
+ },
 {
 BaseCheck{
 Constraints: map[string][]string{"platform": []string{"ubuntu"}},
- Remediation: "Fake test, check that current user has home directory",
- auditer: Audit("ls /home | grep $USER"),
+ Remediation: "Expected",
+ },
+ },
+ },
+ },
+ {
+ // Expect to find the second test because it matches ubuntu and grub
+ Expected: true,
+ SubChecks: []*SubCheck{
+ {
+ BaseCheck{
+ Constraints: map[string][]string{"platform": []string{"rhel"}},
+ Remediation: "Not expected",
+ },
+ },
+ {
+ BaseCheck{
+ Constraints: map[string][]string{"platform": []string{"ubuntu"}, "boot": []string{"grub"}},
+ Remediation: "Expected",
+ },
+ },
+ },
+ },
+ {
+ // Expect to find the second test because it matches ubuntu and grub
+ Expected: true,
+ SubChecks: []*SubCheck{
+ {
+ BaseCheck{
+ Constraints: map[string][]string{"platform": []string{"rhel"}},
+ Remediation: "Not expected",
 },
 },
 {
 BaseCheck{
- Audit: "ls /home | grep $USER",
- Constraints: map[string][]string{"platform": []string{"Fail", "ubuntu", "grub"}},
- Remediation: "Fake test, check that current user has home directory",
- auditer: Audit("ls /home | grep $USER"),
+ Constraints: map[string][]string{"platform": []string{"ubuntu"}, "boot": []string{"grub", "also valid for something else"}},
+ Remediation: "Expected",
 },
 },
 },
- Expected: &BaseCheck{
- Constraints: map[string][]string{"platform": []string{"ubuntu"}},
- Remediation: "Fake test, check that current user has home directory",
- auditer: Audit("ls /home | grep $USER"),
+ },
+ {
+ Expected: false,
+ SubChecks: []*SubCheck{
+ {
+ BaseCheck{
+ Constraints: map[string][]string{"platform": []string{"rhel", "another"}},
+ Remediation: "Not expected",
+ },
+ },
+ {
+ BaseCheck{
+ Constraints: map[string][]string{"platform": []string{"ubuntu"}, "boot": []string{"another"}},
+ Remediation: "Not expected",
+ },
+ },
 },
 },
 }
- for _, testCase := range testCases {
- testCase.Chosen = getFirstValidSubCheck(testCase.SubChecks, testDefinedConstraints)
-
- if !reflect.DeepEqual(testCase.Chosen, testCase.Expected) {
- t.Errorf("test fail: expected: %v actual: %v\n", testCase.Chosen, testCase.Expected)
+ for ii, testCase := range testCases {
+ chosen := getFirstValidSubCheck(testCase.SubChecks, testDefinedConstraints)
+ if !testCase.Expected {
+ if chosen != nil {
+ t.Errorf("case %d didn't expect to find a matching case: %v\n", ii, chosen)
+ }
+ } else {
+ if chosen == nil {
+ t.Errorf("case %d expected to find a match but didn't", ii)
+ } else {
+ if chosen.Remediation != "Expected" {
+ t.Errorf("case %d unexpected test selected: actual: %v\n", ii, chosen)
+ }
+ }
 }
 }
 }
From a4eda80d29dc4932edbef60a6086a3dd9922df20 Mon Sep 17 00:00:00 2001
From: Liz Rice
Date: Wed, 23 Oct 2019 16:21:40 +0100
Subject: [PATCH 4/4] Add more constraint-matching test cases
---
 check/check_test.go | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/check/check_test.go b/check/check_test.go
index d461361..73df517 100644
--- a/check/check_test.go
+++ b/check/check_test.go
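Review bot: The fourth case in `testCases` repeats the third case's comment, although it is the only case with a multi-value list (`"boot": []string{"grub", "also valid for something else"}`) and so the only one that exercises the any-value rule; the final `Expected: false` case has no comment at all. I would give them `// Expect the second subcheck: one of its boot values (grub) is defined for this run` and `// Expect no match: the first subcheck fails on platform, the second on boot`. The loop identifies a failing case only by its index `ii`; running each case under `t.Run` with a short name would make the failing constraint combination readable from the test output. The table and loop belong to `TestGetFirstValidSubCheck`, which is fully inside this hunk.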
@@ -149,6 +149,30 @@ func TestGetFirstValidSubCheck(t *testing.T) {
 },
 },
 },
+ {
+ // Should match if there are no constraints on the test at all
+ Expected: true,
+ SubChecks: []*SubCheck{
+ {
+ BaseCheck{
+ Constraints: map[string][]string{},
+ Remediation: "Expected",
+ },
+ },
+ },
+ },
+ {
+ // Should not match if there are constraints on the test that aren't defined for this run
+ Expected: false,
+ SubChecks: []*SubCheck{
+ {
+ BaseCheck{
+ Constraints: map[string][]string{"something": []string{"not", "defined"}},
+ Remediation: "Expected",
+ },
+ },
+ },
+ },
 }
 for ii, testCase := range testCases {
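Review bot: The second added case sets `Expected: false` yet labels its only subcheck `Remediation: "Expected"`, whereas every other subcheck in this table that must not be chosen is labelled `"Not expected"`. The label is what the failure message prints when a check is wrongly selected, so a regression here would report a check that reads as the intended one. I would change that line to `Remediation: "Not expected",`. The table and the loop that consumes it begin and end outside this hunk.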