aquasecurity · yoavrotems · Jun 22, 2020 · Apr 19, 2020 · Apr 19, 2020 · May 14, 2020
diff --git a/check/check.go b/check/check.go
@@ -17,10 +17,7 @@ package check
 import (
 	"bytes"
 	"fmt"
-	"io"
-	"os"
 	"os/exec"
-	"regexp"
 	"strings"
 
 	"github.com/golang/glog"
@@ -65,22 +62,20 @@ const (
 // Check contains information about a recommendation in the
 // CIS Kubernetes document.
 type Check struct {
-	ID             string      `yaml:"id" json:"test_number"`
-	Text           string      `json:"test_desc"`
-	Audit          string      `json:"audit"`
-	AuditConfig    string      `yaml:"audit_config"`
-	Type           string      `json:"type"`
-	Commands       []*exec.Cmd `json:"omit"`
-	ConfigCommands []*exec.Cmd `json:"omit"`
-	Tests          *tests      `json:"omit"`
-	Set            bool        `json:"omit"`
-	Remediation    string      `json:"remediation"`
-	TestInfo       []string    `json:"test_info"`
+	ID             string   `yaml:"id" json:"test_number"`
+	Text           string   `json:"test_desc"`
+	Audit          string   `json:"audit"`
+	AuditConfig    string   `yaml:"audit_config"`
+	Type           string   `json:"type"`
+	Tests          *tests   `json:"omit"`
+	Set            bool     `json:"omit"`
+	Remediation    string   `json:"remediation"`
+	TestInfo       []string `json:"test_info"`
 	State          `json:"status"`
 	ActualValue    string `json:"actual_value"`
 	Scored         bool   `json:"scored"`
 	ExpectedResult string `json:"expected_result"`
-	Reason     string `json:"reason,omitempty"`
+	Reason         string `json:"reason,omitempty"`
 }
 
 // Runner wraps the basic Run method.
@@ -128,9 +123,9 @@ func (c *Check) run() State {
 	}
 
 	lastCommand := c.Audit
-	hasAuditConfig := c.ConfigCommands != nil
+	hasAuditConfig := c.AuditConfig != ""
 
-	state, finalOutput, retErrmsgs := performTest(c.Audit, c.Commands, c.Tests)
+	state, finalOutput, retErrmsgs := performTest(c.Audit, c.Tests)
 	if len(state) > 0 {
 		c.Reason = retErrmsgs
 		c.State = state
@@ -166,7 +161,7 @@ func (c *Check) run() State {
 			currentTests.TestItems[i] = nti
 		}
 
-		state, finalOutput, retErrmsgs = performTest(c.AuditConfig, c.ConfigCommands, currentTests)
+		state, finalOutput, retErrmsgs = performTest(c.AuditConfig, currentTests)
 		if len(state) > 0 {
 			c.Reason = retErrmsgs
 			c.State = state
@@ -200,78 +195,13 @@ func (c *Check) run() State {
 	return c.State
 }
 
-// textToCommand transforms an input text representation of commands to be
-// run into a slice of commands.
-// TODO: Make this more robust.
-func textToCommand(s string) []*exec.Cmd {
-	glog.V(3).Infof("textToCommand: %q\n", s)
-	cmds := []*exec.Cmd{}
-
-	cp := strings.Split(s, "|")
-
-	for _, v := range cp {
-		v = strings.Trim(v, " ")
-
-		// TODO:
-		// GOAL: To split input text into arguments for exec.Cmd.
-		//
-		// CHALLENGE: The input text may contain quoted strings that
-		// must be passed as a unit to exec.Cmd.
-		// eg. bash -c 'foo bar'
-		// 'foo bar' must be passed as unit to exec.Cmd if not the command
-		// will fail when it is executed.
-		// eg. exec.Cmd("bash", "-c", "foo bar")
-		//
-		// PROBLEM: Current solution assumes the grouped string will always
-		// be at the end of the input text.
-		re := regexp.MustCompile(`^(.*)(['"].*['"])$`)
-		grps := re.FindStringSubmatch(v)
-
-		var cs []string
-		if len(grps) > 0 {
-			s := strings.Trim(grps[1], " ")
-			cs = strings.Split(s, " ")
-
-			s1 := grps[len(grps)-1]
-			s1 = strings.Trim(s1, "'\"")
-
-			cs = append(cs, s1)
-		} else {
-			cs = strings.Split(v, " ")
-		}
-
-		cmd := exec.Command(cs[0], cs[1:]...)
-		cmds = append(cmds, cmd)
-	}
-
-	return cmds
-}
-
-func isShellCommand(s string) bool {
-	cmd := exec.Command("/bin/sh", "-c", "command -v "+s)
-
-	out, err := cmd.Output()
-	if err != nil {
-		exitWithError(fmt.Errorf("failed to check if command: %q is valid %v", s, err))
-	}
-
-	if strings.Contains(string(out), s) {
-		return true
-	}
-	return false
-}
-
-func performTest(audit string, commands []*exec.Cmd, tests *tests) (State, *testOutput, string) {
+func performTest(audit string, tests *tests) (State, *testOutput, string) {
 	if len(strings.TrimSpace(audit)) == 0 {
 		return "", failTestItem("missing command"), "missing audit command"
 	}
 
 	var out bytes.Buffer
-	state, retErrmsgs := runExecCommands(audit, commands, &out)
-	if len(state) > 0 {
-		return state, nil, retErrmsgs
-	}
-	errmsgs := retErrmsgs
+	errmsgs := runAudit(audit, &out)
 
 	finalOutput := tests.execute(out.String())
 	if finalOutput == nil {
@@ -281,73 +211,17 @@ func performTest(audit string, commands []*exec.Cmd, tests *tests) (State, *test
 	return "", finalOutput, errmsgs
 }
 
-func runExecCommands(audit string, commands []*exec.Cmd, out *bytes.Buffer) (State, string) {
-	var err error
+func runAudit(audit string, out *bytes.Buffer) string {
 	errmsgs := ""
 
-	// Check if command exists or exit with WARN.
-	for _, cmd := range commands {
-		if !isShellCommand(cmd.Path) {
-			errmsgs += fmt.Sprintf("Command '%s' not found\n", cmd.Path)
-			return WARN, errmsgs
-		}
-	}
-
-	// Run commands.
-	n := len(commands)
-	if n == 0 {
-		// Likely a warning message.
-		return WARN, errmsgs
-	}
-
-	// Each command runs,
-	//   cmd0 out -> cmd1 in, cmd1 out -> cmd2 in ... cmdn out -> os.stdout
-	//   cmd0 err should terminate chain
-	cs := commands
-
-	// Initialize command pipeline
-	cs[n-1].Stdout = out
-	i := 1
-
-	for i < n {
-		cs[i-1].Stdout, err = cs[i].StdinPipe()
-		if err != nil {
-			errmsgs += fmt.Sprintf("failed to run: %s, command: %s, error: %s\n", audit, cs[i].Args, err)
-		}
-		i++
-	}
-
-	// Start command pipeline
-	i = 0
-	for i < n {
-		err := cs[i].Start()
-		if err != nil {
-			errmsgs += fmt.Sprintf("failed to run: %s, command: %s, error: %s\n", audit, cs[i].Args, err)
-		}
-		i++
-	}
-
-	// Complete command pipeline
-	i = 0
-	for i < n {
-		err := cs[i].Wait()
-		if err != nil {
-			errmsgs += fmt.Sprintf("failed to run: %s, command: %s, error: %s\n", audit, cs[i].Args, err)
-		}
-
-		if i < n-1 {
-			cs[i].Stdout.(io.Closer).Close()
-		}
-		i++
+	cmd := exec.Command("/bin/sh")
+	cmd.Stdin = strings.NewReader(audit)
+	cmd.Stdout = out
+	cmd.Stderr = out
+	if err := cmd.Run(); err != nil {
+		errmsgs += fmt.Sprintf("failed to run: %q, output: %q, error: %s\n", audit, out.String(), err)
 	}
 
 	glog.V(3).Infof("Command %q - Output:\n\n %q\n - Error Messages:%q \n", audit, out.String(), errmsgs)
-	return "", errmsgs
-}
-
-func exitWithError(err error) {
-	fmt.Fprintf(os.Stderr, "\n%v\n", err)
-	// flush before exit non-zero
-	glog.Flush()
-	os.Exit(1)
+	return errmsgs
 }
diff --git a/check/check_test.go b/check/check_test.go
@@ -15,7 +15,8 @@
 package check
 
 import (
-	"os/exec"
+	"bytes"
+	"strings"
 	"testing"
 )
 
@@ -33,8 +34,8 @@ func TestCheck_Run(t *testing.T) {
 		{
 			check: Check{ // Not scored checks with passing tests are marked pass
 				Scored: false,
-				Audit:  ":", Commands: []*exec.Cmd{exec.Command("")},
-				Tests: &tests{TestItems: []*testItem{&testItem{}}},
+				Audit:  ":",
+				Tests:  &tests{TestItems: []*testItem{&testItem{}}},
 			},
 			Expected: PASS,
 		},
@@ -44,8 +45,8 @@ func TestCheck_Run(t *testing.T) {
 		{
 			check: Check{ // Scored checks with passing tests are marked pass
 				Scored: true,
-				Audit:  ":", Commands: []*exec.Cmd{exec.Command("")},
-				Tests: &tests{TestItems: []*testItem{&testItem{}}},
+				Audit:  ":",
+				Tests:  &tests{TestItems: []*testItem{&testItem{}}},
 			},
 			Expected: PASS,
 		},
@@ -111,3 +112,66 @@ func TestCheckAuditConfig(t *testing.T) {
 		}
 	}
 }
+
+func Test_runAudit(t *testing.T) {
+	type args struct {
+		audit  string
+		out    *bytes.Buffer
+		output string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		errMsg string
+		output string
+	}{
+		{
+			name: "run success",
+			args: args{
+				audit: "echo 'hello world'",
+				out:   &bytes.Buffer{},
+			},
+			errMsg: "",
+			output: "hello world\n",
+		},
+		{
+			name: "run multiple lines script",
+			args: args{
+				audit: `
+hello() {
+  echo "hello world"
+}
+
+hello
+`,
+				out: &bytes.Buffer{},
+			},
+			errMsg: "",
+			output: "hello world\n",
+		},
+		{
+			name: "run failed",
+			args: args{
+				audit: "unknown_command",
+				out:   &bytes.Buffer{},
+			},
+			errMsg: "failed to run: \"unknown_command\", output: \"/bin/sh: ",
+			output: "not found\n",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			errMsg := runAudit(tt.args.audit, tt.args.out)
+			if errMsg != "" && !strings.Contains(errMsg, tt.errMsg) {
+				t.Errorf("runAudit() errMsg = %q, want %q", errMsg, tt.errMsg)
+			}
+			output := tt.args.out.String()
+			if errMsg == "" && output != tt.output {
+				t.Errorf("runAudit() output = %q, want %q", output, tt.output)
+			}
+			if errMsg != "" && !strings.Contains(output, tt.output) {
+				t.Errorf("runAudit() output = %q, want %q", output, tt.output)
+			}
+		})
+	}
+}
diff --git a/check/controls.go b/check/controls.go
@@ -70,18 +70,6 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
 		return nil, fmt.Errorf("non-%s controls file specified", t)
 	}
 
-	// Prepare audit commands
-	for _, group := range c.Groups {
-		for _, check := range group.Checks {
-			glog.V(3).Infof("Check.ID %s", check.ID)
-			check.Commands = textToCommand(check.Audit)
-			if len(check.AuditConfig) > 0 {
-				glog.V(3).Infof("Check.ID has audit_config %s", check.ID)
-				check.ConfigCommands = textToCommand(check.AuditConfig)
-			}
-		}
-	}
-
 	return c, nil
 }