wip-test

pkg/filters/args_test.go

@@ -7,6 +7,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/aquasecurity/tracee/pkg/events"
+	"github.com/aquasecurity/tracee/types/trace"
 )
 
 func TestArgsFilterClone(t *testing.T) {
@@ -29,3 +30,47 @@ func TestArgsFilterClone(t *testing.T) {
 		t.Errorf("Changes to copied filter affected the original")
 	}
 }
+func TestArgsFilter_Filter(t *testing.T) {
+	filter := NewArgFilter()
+	err := filter.Parse("read.args.fd", "=argval", events.Core.NamesToIDs())
+	require.NoError(t, err)
+
+	tests := []struct {
+		name     string
+		eventID  events.ID
+		args     []trace.Argument
+		expected bool
+	}{
+		{
+			name:     "Matching argument value",
+			eventID:  events.Read,
+			args:     []trace.Argument{{Name: "fd", Value: "argval"}},
+			expected: true,
+		},
+		{
+			name:     "Non-matching argument value",
+			eventID:  events.Read,
+			args:     []trace.Argument{{Name: "fd", Value: "other"}},
+			expected: false,
+		},
+		{
+			name:     "Missing argument",
+			eventID:  events.Read,
+			args:     []trace.Argument{{Name: "other", Value: "argval"}},
+			expected: false,
+		},
+		{
+			name:     "Bypass PrintMemDump event",
+			eventID:  events.PrintMemDump,
+			args:     []trace.Argument{{Name: "fd", Value: "argval"}},
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := filter.Filter(tt.eventID, tt.args)
+			require.Equal(t, tt.expected, result)
+		})
+	}
+}