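// Copyright (c) Mondoo, Inc.
// SPDX-License-Identifier: BUSL-1.1

package inventory

import (
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"go.mondoo.com/cnquery/providers-sdk/v1/vault"
)

// TestInventoryParser checks that a YAML inventory file is parsed into an
// Inventory with its metadata, labels and credential query intact.
func TestInventoryParser(t *testing.T) {
	inventory, err := InventoryFromFile("./testdata/inventory.yaml")
	require.NoError(t, err)
	require.NotNil(t, inventory)

	assert.Equal(t, "mondoo-inventory", inventory.Metadata.Name)
	assert.Equal(t, "production", inventory.Metadata.Labels["environment"])
	assert.Equal(t, "{ id: 'secret-1' }", inventory.Spec.CredentialQuery)
}

// singleCredentialInventory builds a minimal in-memory inventory with one
// asset, one connection of the given type and exactly one credential, so the
// PreProcess subtests do not each repeat the deeply nested literal.
func singleCredentialInventory(connType string, cred *vault.Credential) *Inventory {
	return &Inventory{
		Spec: &InventorySpec{
			Assets: []*Asset{
				{
					Name: "test",
					Connections: []*Config{
						{
							Type:        connType,
							Credentials: []*vault.Credential{cred},
						},
					},
				},
			},
		},
	}
}

// TestPreprocess covers Inventory.PreProcess: the empty inventory, a full
// inventory file, running it twice, and how single credentials of different
// shapes end up typed in the credentials section.
func TestPreprocess(t *testing.T) {
	t.Run("preprocess empty inventory", func(t *testing.T) {
		v1inventory := &Inventory{}
		err := v1inventory.PreProcess()
		require.NoError(t, err)
	})

	t.Run("normal inventory", func(t *testing.T) {
		inventory, err := InventoryFromFile("./testdata/inventory.yaml")
		require.NoError(t, err)

		// extract credentials into credential section
		err = inventory.PreProcess()
		require.NoError(t, err)

		// ensure that all assets have a valid secret reference
		err = inventory.Validate()
		require.NoError(t, err)

		// activate to debug the pre-process output; the written file holds the
		// extracted credentials in plaintext, so keep this disabled and never
		// commit its output
		//// write output for debugging, so that we can easily compare the result
		//data, err := inventory.ToYAML()
		//require.NoError(t, err)
		//
		//err = os.WriteFile("./testdata/inventory.parsed.yml", data, 0o700)
		//require.NoError(t, err)
	})

	t.Run("idempotent preprocess", func(t *testing.T) {
		v1inventory, err := InventoryFromFile("./testdata/k8s_mount.yaml")
		require.NoError(t, err)

		// a second PreProcess over already-extracted credentials must still succeed
		err = v1inventory.PreProcess()
		require.NoError(t, err)

		err = v1inventory.PreProcess()
		require.NoError(t, err)
	})

	t.Run("preprocess private key", func(t *testing.T) {
		// no explicit Type is set; the assertion expects PreProcess to classify
		// the credential as a private key
		v1inventory := singleCredentialInventory("ssh", &vault.Credential{
			PrivateKey: "./testdata/private_key_01",
		})
		err := v1inventory.PreProcess()
		require.NoError(t, err)
		secretid := v1inventory.Spec.Assets[0].Connections[0].Credentials[0].SecretId
		assert.Equal(t, vault.CredentialType_private_key, v1inventory.Spec.Credentials[secretid].Type)
	})

	t.Run("preprocess pkcs12 credential with loading from file", func(t *testing.T) {
		v1inventory := singleCredentialInventory("ms365", &vault.Credential{
			Type:           vault.CredentialType_pkcs12,
			PrivateKeyPath: "./testdata/private_key_01",
		})
		err := v1inventory.PreProcess()
		require.NoError(t, err)
		secretid := v1inventory.Spec.Assets[0].Connections[0].Credentials[0].SecretId
		assert.Equal(t, vault.CredentialType_pkcs12, v1inventory.Spec.Credentials[secretid].Type)
	})

	// named distinctly from the file-based subtest above so that -run filters
	// and failure output can tell the two apart
	t.Run("preprocess pkcs12 credential with inline private key", func(t *testing.T) {
		v1inventory := singleCredentialInventory("ms365", &vault.Credential{
			Type:       vault.CredentialType_pkcs12,
			PrivateKey: "secretdata",
		})
		err := v1inventory.PreProcess()
		require.NoError(t, err)
		secretid := v1inventory.Spec.Assets[0].Connections[0].Credentials[0].SecretId
		assert.Equal(t, vault.CredentialType_pkcs12, v1inventory.Spec.Credentials[secretid].Type)
	})
}

// TestParseGCPInventory parses a GCP inventory, extracts its credentials and
// checks that the resulting inventory validates.
func TestParseGCPInventory(t *testing.T) {
	inventory, err := InventoryFromFile("./testdata/gcp_inventory.yaml")
	require.NoError(t, err)

	// extract credentials into credential section
	err = inventory.PreProcess()
	require.NoError(t, err)

	assert.Equal(t, "gcp", inventory.Spec.Assets[0].Connections[0].Type)
	// ensure that all assets have a valid secret reference
	err = inventory.Validate()
	require.NoError(t, err)
}

// TestParseVsphereInventory checks that PreProcess moves an inline
// user/password out of the connection: the connection keeps only a SecretId,
// and the values live in Spec.Credentials under that id.
func TestParseVsphereInventory(t *testing.T) {
	inventory, err := InventoryFromFile("./testdata/vsphere_inventory.yaml")
	require.NoError(t, err)

	// extract credentials into credential section
	err = inventory.PreProcess()
	require.NoError(t, err)

	// ensure that all assets have a valid secret reference
	err = inventory.Validate()
	require.NoError(t, err)

	// check that the password was pre-processed: nothing secret may remain
	// inline on the connection itself
	cred := inventory.Spec.Assets[0].Connections[0].Credentials[0]
	assert.Equal(t, "", cred.User)
	assert.Equal(t, "", cred.Password)
	assert.Equal(t, []byte{}, cred.Secret)

	// the extracted entry carries the user and the password as Secret bytes,
	// not in the Password field
	secret := inventory.Spec.Credentials[cred.SecretId]
	assert.Equal(t, "root", secret.User)
	assert.Equal(t, "", secret.Password)
	assert.Equal(t, []byte("password1!"), secret.Secret)
}

// TestParseSshInventory checks that the three SSH credential shapes in the
// test inventory (password, ssh agent, identity key) are typed accordingly
// after PreProcess.
func TestParseSshInventory(t *testing.T) {
	inventory, err := InventoryFromFile("./testdata/ssh_inventory.yaml")
	require.NoError(t, err)

	// extract credentials into credential section
	err = inventory.PreProcess()
	require.NoError(t, err)

	// ensure that all assets have a valid secret reference
	err = inventory.Validate()
	require.NoError(t, err)

	a := findAsset(inventory.Spec.Assets, "linux-with-password")
	require.NotNil(t, a)
	assert.Equal(t, vault.CredentialType_password, inventory.Spec.Credentials[a.Connections[0].Credentials[0].SecretId].Type)

	a = findAsset(inventory.Spec.Assets, "linux-ssh-agent")
	require.NotNil(t, a)
	assert.Equal(t, vault.CredentialType_ssh_agent, inventory.Spec.Credentials[a.Connections[0].Credentials[0].SecretId].Type)

	a = findAsset(inventory.Spec.Assets, "linux-identity-key")
	require.NotNil(t, a)
	assert.Equal(t, vault.CredentialType_private_key, inventory.Spec.Credentials[a.Connections[0].Credentials[0].SecretId].Type)
}

// TestParseVaultInventory parses an inventory that references a vault and
// checks that PreProcess and Validate both succeed on it.
func TestParseVaultInventory(t *testing.T) {
	inventory, err := InventoryFromFile("./testdata/vault_inventory.yaml")
	require.NoError(t, err)

	// extract credentials into credential section
	err = inventory.PreProcess()
	require.NoError(t, err)

	// ensure that all assets have a valid secret reference
	err = inventory.Validate()
	require.NoError(t, err)
}

// TestNilPointer checks that an inventory file without a metadata section
// still yields non-nil Metadata and Labels, so callers can index them safely.
func TestNilPointer(t *testing.T) {
	inventory, err := InventoryFromFile("./testdata/no_metadata_inventory.yaml")
	require.NoError(t, err)

	assert.NotNil(t, inventory.Metadata)
	assert.NotNil(t, inventory.Metadata.Labels)
}

// TestMarkInsecure checks that no connection in the SSH test inventory starts
// out with Insecure set, and that MarkConnectionsInsecure sets it on all of
// them.
func TestMarkInsecure(t *testing.T) {
	inventory, err := InventoryFromFile("./testdata/ssh_inventory.yaml")
	require.NoError(t, err)

	// extract credentials into credential section
	err = inventory.PreProcess()
	require.NoError(t, err)

	// check that all assets have no insecure flag set
	for i := range inventory.Spec.Assets {
		a := inventory.Spec.Assets[i]
		for j := range a.Connections {
			assert.False(t, a.Connections[j].Insecure, a.Name)
		}
	}

	inventory.MarkConnectionsInsecure()

	// check that all connections are marked as insecure
	for i := range inventory.Spec.Assets {
		a := inventory.Spec.Assets[i]
		for j := range a.Connections {
			assert.True(t, a.Connections[j].Insecure, a.Name)
		}
	}
}

// findAsset returns the first asset whose Id equals id, or nil when there is
// no such asset.
func findAsset(assets []*Asset, id string) *Asset {
	for i := range assets {
		a := assets[i]
		if a.Id == id {
			return a
		}
	}
	return nil
}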