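// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.

//go:build linux

// Package validators holds validators related files
package validators

import (
	"strings"
	"testing"

	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
)

// go test -v github.com/DataDog/datadog-agent/pkg/security/secl/validators --run=TestHasBareWildcardInField
// These test cases were originally written for an AlwaysTrue rule check. A more complex AlwaysTrue rule check is currently tabled in favor of a more naive bare wildcard check.
//
// TestHasBareWildcardInField checks that HasBareWildcardInField reports rule
// expressions in which a field is compared against a bare wildcard ("*",
// "/**", r".*") — a pattern that matches every value of that field and so
// contributes nothing to the rule's selectivity — while anchored patterns
// such as "*.sh" or "/etc/cron.*/**" are accepted.
//
// Each case's errMessage, when non-empty, is a substring the returned error
// must contain; when empty, the call is expected to succeed and `want` is
// compared against the returned flag.
func TestHasBareWildcardInField(t *testing.T) {
	type args struct {
		ruleExpression string
	}
	tests := []struct {
		name       string
		args       args
		want       bool
		errMessage string
	}{
		{
			name: "valid wildcard",
			args: args{
				ruleExpression: "open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"]",
			},
			want: false,
		},
		{
			// Distinct name: subtest (and rule) names must be unique within the table.
			name: "valid wildcard in path list",
			args: args{
				ruleExpression: "chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]",
			},
			want: false,
		},
		{
			name: "root path with wildcard",
			args: args{
				ruleExpression: "open.file.path =~ \"/**\"",
			},
			want: true,
		},
		{
			name: "root path wildcard pattern",
			args: args{
				ruleExpression: "open.file.path =~ ~\"/**\"",
			},
			want: true,
		},
		{
			name: "bare wildcard",
			args: args{
				ruleExpression: "exec.file.name == \"*\"",
			},
			want: true,
		},
		{
			name: "bare wildcard in array",
			args: args{
				ruleExpression: "exec.file.name in [\"pwd\", \"*\", \"ls\"]",
			},
			want: true,
		},
		{
			name: "root path wildcard in array",
			args: args{
				ruleExpression: "open.file.path in [\"/bin/pwd\", ~\"/**\", \"/etc/shadow\"]",
			},
			want: true,
		},
		{
			name: "bare wildcard regex",
			args: args{
				ruleExpression: "dns.question.name =~ r\".*\"", // matches any character (except for line terminators) >= 0 times
			},
			want: true,
		},
		{
			name: "always true or",
			args: args{
				ruleExpression: "exec.file.path =~ \"/**\" || exec.file.name == \"ls\"",
			},
			want: true,
		},
		{
			// The naive check flags any bare wildcard regardless of the
			// surrounding boolean structure, hence `want: true` here too.
			name: "not always true chained",
			args: args{
				ruleExpression: "exec.file.path =~ \"/**\" && exec.file.name != \"ls\" || open.file.name == \"myfile.txt\"",
			},
			want: true,
		},
		{
			name: "always true chained",
			args: args{
				ruleExpression: "exec.file.path =~ \"/**\" && open.file.name == \"*\" || exec.file.path != \"/bin/ls\"",
			},
			want: true,
		},
		{
			name: "parentheses",
			args: args{
				ruleExpression: "exec.file.path =~ \"/**\" && (exec.file.name != \"ls\" || exec.file.name == \"*\")",
			},
			want: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ruleToEval := eval.NewRule(tt.name, tt.args.ruleExpression, &eval.Opts{})

			got, err := HasBareWildcardInField(ruleToEval)

			if tt.errMessage != "" {
				// An error is expected for this case; it must mention errMessage.
				if err == nil {
					t.Fatalf("HasBareWildcardInField() returned no error, wanted one containing `%s`", tt.errMessage)
				}
				if !strings.Contains(err.Error(), tt.errMessage) {
					t.Fatalf("Error message is `%s`, wanted it to contain `%s`", err.Error(), tt.errMessage)
				}
				// `got` is meaningless alongside a non-nil error; do not compare it.
				return
			}

			if err != nil {
				t.Fatalf("HasBareWildcardInField() unexpected error: %v", err)
			}

			if got != tt.want {
				t.Errorf("HasBareWildcardInField() = %v, want %v", got, tt.want)
			}
		})
	}
}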