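package test

import (
	"context"
	"os"
	"path"
	"strings"
	"testing"

	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/scanners/kubernetes"
	"github.com/khulnasoft-lab/defsec/pkg/scanners/options"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

const (
	// kubernetesTestdataDir is the policy example corpus as a slash-separated
	// path relative to the repository root, which is the root the scanner's
	// fs.FS is opened on. Result filenames are reported relative to that root,
	// so the expected file paths below are built with this prefix.
	kubernetesTestdataDir = "test/testdata/kubernetes"

	// kubernetesTestdataLocal is the same directory relative to this package;
	// it is used only to enumerate the per-rule sub-directories.
	kubernetesTestdataLocal = "./testdata/kubernetes"
)

// checkRulePolicyResults verifies, for every rule directory in entries, that
// the scan results carry the expected verdict for that rule's example files:
// a denied.yaml must produce StatusFailed with a non-zero start and end line,
// and an allowed.yaml must produce StatusPassed. A rule directory for which
// neither file produced a result fails its subtest, which guards against a
// policy that never fires (or never gets exercised) going unnoticed.
//
// Each sub-directory name is taken to be the rule ID it exercises. The
// "optional" directory is skipped; what it holds is not covered here.
//
// When strict is true, a result for the rule whose filename mentions the rule
// ID but is neither denied.yaml nor allowed.yaml aborts the subtest, since it
// is most likely a misnamed example that would otherwise be silently ignored.
//
// When the assertions for a result fail, that result's rego trace (present
// only if the scanner was built with per-result tracing) is logged to help
// diagnose the policy.
func checkRulePolicyResults(t *testing.T, entries []os.DirEntry, results scan.Results, strict bool) {
	t.Helper()

	for _, entry := range entries {
		if !entry.IsDir() || entry.Name() == "optional" {
			continue
		}
		ruleID := entry.Name()

		t.Run(ruleID, func(t *testing.T) {
			failCase := path.Join(kubernetesTestdataDir, ruleID, "denied.yaml")
			passCase := path.Join(kubernetesTestdataDir, ruleID, "allowed.yaml")

			var matched bool
			for _, result := range results {
				if !result.Rule().HasID(ruleID) {
					continue
				}

				filename := result.Range().GetFilename()
				// Remember the failure state before asserting so that only the
				// trace of the result that actually failed is logged.
				failedBefore := t.Failed()

				switch filename {
				case failCase:
					assert.Equal(t, scan.StatusFailed, result.Status(), "Rule should have failed, but didn't.")
					assert.Greater(t, result.Range().GetStartLine(), 0, "We should have line numbers for a failure")
					assert.Greater(t, result.Range().GetEndLine(), 0, "We should have line numbers for a failure")
					matched = true
				case passCase:
					assert.Equal(t, scan.StatusPassed, result.Status(), "Rule should have passed, but didn't.")
					matched = true
				default:
					if strict && strings.Contains(filename, ruleID) {
						t.Fatalf("unexpected result file %q for rule %s", filename, ruleID)
					}
					continue
				}

				if !failedBefore && t.Failed() {
					t.Log("Test failed - rego trace follows:")
					for _, trace := range result.Traces() {
						t.Log(trace)
					}
				}
			}

			assert.True(t, matched, "Neither a pass or fail result was found for %s - did you add example code for it?", ruleID)
		})
	}
}

// Test_Kubernetes_RegoPoliciesFromDisk scans the Kubernetes example corpus with
// per-result tracing enabled and checks every rule directory in strict mode
// (see checkRulePolicyResults).
//
// NOTE(review): despite the name, this test enables embedded policies and
// libraries just like Test_Kubernetes_RegoPoliciesEmbedded; the only visible
// differences are the tracing option and the strict filename check.
func Test_Kubernetes_RegoPoliciesFromDisk(t *testing.T) {
	t.Parallel()

	entries, err := os.ReadDir(kubernetesTestdataLocal)
	require.NoError(t, err)

	scanner := kubernetes.NewScanner(
		options.ScannerWithPerResultTracing(true),
		options.ScannerWithEmbeddedPolicies(true),
		options.ScannerWithEmbeddedLibraries(true),
	)

	// Root the scan one level up so result filenames carry the
	// kubernetesTestdataDir prefix the expectations are built with.
	results, err := scanner.ScanFS(context.TODO(), os.DirFS("../"), kubernetesTestdataDir)
	require.NoError(t, err)

	checkRulePolicyResults(t, entries, results, true)
}

// Test_Kubernetes_RegoPoliciesEmbedded runs the same corpus check with
// embedded policies and libraries, without tracing and without the strict
// unexpected-file check.
func Test_Kubernetes_RegoPoliciesEmbedded(t *testing.T) {
	t.Parallel()

	entries, err := os.ReadDir(kubernetesTestdataLocal)
	require.NoError(t, err)

	// Each option is passed exactly once; repeating one is redundant.
	scanner := kubernetes.NewScanner(
		options.ScannerWithEmbeddedPolicies(true),
		options.ScannerWithEmbeddedLibraries(true),
	)

	// Root the scan one level up so result filenames carry the
	// kubernetesTestdataDir prefix the expectations are built with.
	results, err := scanner.ScanFS(context.TODO(), os.DirFS("../"), kubernetesTestdataDir)
	require.NoError(t, err)

	checkRulePolicyResults(t, entries, results, false)
}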