chore(tests): rename args to data field and add tests
Created some tests for the args option. These tests need to be deprecated
once the args option is removed.
rscampos committed May 27, 2024
1 parent 098dbb4 commit 2e98d6b
Showing 8 changed files with 310 additions and 158 deletions.
148 changes: 98 additions & 50 deletions pkg/cmd/flags/event_test.go
Expand Up @@ -171,36 +171,36 @@ func TestParseEventFlag(t *testing.T) {
},
{
name: "ValidEventFlag",
eventFlag: "openat.args.pathname=/etc/*",
eventFlag: "openat.data.pathname=/etc/*",
expected: []eventFlag{
{
full: "openat.args.pathname=/etc/*",
eventFilter: "openat.args.pathname",
full: "openat.data.pathname=/etc/*",
eventFilter: "openat.data.pathname",
eventName: "openat",
eventOptionType: "args",
eventOptionType: "data",
eventOptionName: "pathname",
operator: "=",
values: "/etc/*",
operatorAndValues: "=/etc/*",
filter: "args.pathname=/etc/*",
filter: "data.pathname=/etc/*",
},
},
expectedError: nil,
},
{
name: "ValidEventFlag",
eventFlag: "openat.args.pathname!=/fo!der/*", // special char (! operator) in value parsed correctly
eventFlag: "openat.data.pathname!=/fo!der/*", // special char (! operator) in value parsed correctly
expected: []eventFlag{
{
full: "openat.args.pathname!=/fo!der/*",
eventFilter: "openat.args.pathname",
full: "openat.data.pathname!=/fo!der/*",
eventFilter: "openat.data.pathname",
eventName: "openat",
eventOptionType: "args",
eventOptionType: "data",
eventOptionName: "pathname",
operator: "!=",
values: "/fo!der/*",
operatorAndValues: "!=/fo!der/*",
filter: "args.pathname!=/fo!der/*",
filter: "data.pathname!=/fo!der/*",
},
},
expectedError: nil,
Expand Down Expand Up @@ -283,9 +283,9 @@ func TestParseEventFlag(t *testing.T) {
},
{
name: "InvalidEventFlagFormat",
eventFlag: "openat.args.pathname=",
eventFlag: "openat.data.pathname=",
expected: []eventFlag{},
expectedError: InvalidFilterFlagFormat("openat.args.pathname="),
expectedError: InvalidFilterFlagFormat("openat.data.pathname="),
},
{
name: "InvalidEventFlagFormat",
Expand All @@ -301,107 +301,107 @@ func TestParseEventFlag(t *testing.T) {
},
{
name: "InvalidEventFlagFormat",
eventFlag: "openat.args.=/etc/*",
eventFlag: "openat.data.=/etc/*",
expected: []eventFlag{},
expectedError: InvalidFilterFlagFormat("openat.args.=/etc/*"),
expectedError: InvalidFilterFlagFormat("openat.data.=/etc/*"),
},
{
name: "InvalidEventFlagFormat",
eventFlag: "openat.args.args.=/etc/*",
eventFlag: "openat.data.data.=/etc/*",
expected: []eventFlag{},
expectedError: InvalidFilterFlagFormat("openat.args.args.=/etc/*"),
expectedError: InvalidFilterFlagFormat("openat.data.data.=/etc/*"),
},
{
name: "InvalidEventFlagFormat",
eventFlag: "openat.args.args.args=/etc/*",
eventFlag: "openat.data.data.data=/etc/*",
expected: []eventFlag{},
expectedError: InvalidFilterFlagFormat("openat.args.args.args=/etc/*"),
expectedError: InvalidFilterFlagFormat("openat.data.data.data=/etc/*"),
},
{
name: "InvalidEventFlagFormat",
eventFlag: "openat. args.args=/etc/*",
eventFlag: "openat. data.data=/etc/*",
expected: []eventFlag{},
expectedError: InvalidFilterFlagFormat("openat. args.args=/etc/*"),
expectedError: InvalidFilterFlagFormat("openat. data.data=/etc/*"),
},
{
name: "InvalidEventFlagFormat",
eventFlag: "openat.args .args=/etc/*",
eventFlag: "openat.data .data=/etc/*",
expected: []eventFlag{},
expectedError: InvalidFilterFlagFormat("openat.args .args=/etc/*"),
expectedError: InvalidFilterFlagFormat("openat.data .data=/etc/*"),
},
{
name: "InvalidEventFlagFormat",
eventFlag: "openat.args. args=/etc/*",
eventFlag: "openat.data. data=/etc/*",
expected: []eventFlag{},
expectedError: InvalidFilterFlagFormat("openat.args. args=/etc/*"),
expectedError: InvalidFilterFlagFormat("openat.data. data=/etc/*"),
},
{
name: "InvalidEventFlagFormat",
eventFlag: "openat.args.args =/etc/*",
eventFlag: "openat.data.data =/etc/*",
expected: []eventFlag{},
expectedError: InvalidFilterFlagFormat("openat.args.args =/etc/*"),
expectedError: InvalidFilterFlagFormat("openat.data.data =/etc/*"),
},
// InvalidFlagOperator
{
name: "InvalidFlagOperator",
eventFlag: "openat.args.pathname==/etc/*",
eventFlag: "openat.data.pathname==/etc/*",
expected: []eventFlag{},
expectedError: InvalidFlagOperator("openat.args.pathname==/etc/*"),
expectedError: InvalidFlagOperator("openat.data.pathname==/etc/*"),
},
{
name: "InvalidFlagOperator",
eventFlag: "openat.args.pathname=!/etc/*",
eventFlag: "openat.data.pathname=!/etc/*",
expected: []eventFlag{},
expectedError: InvalidFlagOperator("openat.args.pathname=!/etc/*"),
expectedError: InvalidFlagOperator("openat.data.pathname=!/etc/*"),
},
{
name: "InvalidFlagOperator",
eventFlag: "openat.args.pathname!/etc/*",
eventFlag: "openat.data.pathname!/etc/*",
expected: []eventFlag{},
expectedError: InvalidFlagOperator("openat.args.pathname!/etc/*"),
expectedError: InvalidFlagOperator("openat.data.pathname!/etc/*"),
},
{
name: "InvalidFlagOperator",
eventFlag: "openat.args.pathname!!/etc/*",
eventFlag: "openat.data.pathname!!/etc/*",
expected: []eventFlag{},
expectedError: InvalidFlagOperator("openat.args.pathname!!/etc/*"),
expectedError: InvalidFlagOperator("openat.data.pathname!!/etc/*"),
},
{
name: "InvalidFlagOperator",
eventFlag: "openat.args.pid<<1",
eventFlag: "openat.data.pid<<1",
expected: []eventFlag{},
expectedError: InvalidFlagOperator("openat.args.pid<<1"),
expectedError: InvalidFlagOperator("openat.data.pid<<1"),
},
{
name: "InvalidFlagOperator",
eventFlag: "openat.args.pid>>1",
eventFlag: "openat.data.pid>>1",
expected: []eventFlag{},
expectedError: InvalidFlagOperator("openat.args.pid>>1"),
expectedError: InvalidFlagOperator("openat.data.pid>>1"),
},
// InvalidFlagValue
{
name: "InvalidFlagValue",
eventFlag: "openat.args.pathname=v\t",
eventFlag: "openat.data.pathname=v\t",
expected: []eventFlag{},
expectedError: InvalidFlagValue("openat.args.pathname=v\t"),
expectedError: InvalidFlagValue("openat.data.pathname=v\t"),
},
{
name: "InvalidFlagValue",
eventFlag: "openat.args.pathname=\tv",
eventFlag: "openat.data.pathname=\tv",
expected: []eventFlag{},
expectedError: InvalidFlagValue("openat.args.pathname=\tv"),
expectedError: InvalidFlagValue("openat.data.pathname=\tv"),
},
{
name: "InvalidFlagValue",
eventFlag: "openat.args.pathname=v ",
eventFlag: "openat.data.pathname=v ",
expected: []eventFlag{},
expectedError: InvalidFlagValue("openat.args.pathname=v "),
expectedError: InvalidFlagValue("openat.data.pathname=v "),
},
{
name: "InvalidFlagValue",
eventFlag: "openat.args.pathname= v",
eventFlag: "openat.data.pathname= v",
expected: []eventFlag{},
expectedError: InvalidFlagValue("openat.args.pathname= v"),
expectedError: InvalidFlagValue("openat.data.pathname= v"),
},
}

Expand Down Expand Up @@ -430,12 +430,12 @@ func TestPrepareEventMapFromFlags(t *testing.T) {
expected PolicyEventMap
}{
{
name: "ValidFlags",
name: "ValidFlags1",
eventsArr: []string{
"close,-open",
"openat.args.pathname=/etc/*",
"chmod.args.mode=777",
"execve.args.pathname!=/bin/bash,/bin/sh",
"openat.data.pathname=/etc/*",
"chmod.data.mode=777",
"execve.data.pathname!=/bin/bash,/bin/sh",
},
expected: PolicyEventMap{
0: policyEvents{
Expand All @@ -462,6 +462,54 @@ func TestPrepareEventMapFromFlags(t *testing.T) {
operatorAndValues: "",
filter: "",
},
{
full: "openat.data.pathname=/etc/*",
eventFilter: "openat.data.pathname",
eventName: "openat",
eventOptionType: "data",
eventOptionName: "pathname",
operator: "=",
values: "/etc/*",
operatorAndValues: "=/etc/*",
filter: "data.pathname=/etc/*",
},
{
full: "chmod.data.mode=777",
eventFilter: "chmod.data.mode",
eventName: "chmod",
eventOptionType: "data",
eventOptionName: "mode",
operator: "=",
values: "777",
operatorAndValues: "=777",
filter: "data.mode=777",
},
{
full: "execve.data.pathname!=/bin/bash,/bin/sh",
eventFilter: "execve.data.pathname",
eventName: "execve",
eventOptionType: "data",
eventOptionName: "pathname",
operator: "!=",
values: "/bin/bash,/bin/sh",
operatorAndValues: "!=/bin/bash,/bin/sh",
filter: "data.pathname!=/bin/bash,/bin/sh",
},
},
},
},
},
// keep a single args (deprecated) filter test that shall break on future removal
{
name: "ValidFlags2",
eventsArr: []string{
"openat.args.pathname=/etc/*",
"chmod.args.mode=777",
"execve.args.pathname!=/bin/bash,/bin/sh",
},
expected: PolicyEventMap{
0: policyEvents{
eventFlags: []eventFlag{
{
full: "openat.args.pathname=/etc/*",
eventFilter: "openat.args.pathname",
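Review bot: After this change the visible TestParseEventFlag cases use only the `data.` spelling, so the deprecated `args.` spelling is checked only on the valid path, in `ValidFlags2` of TestPrepareEventMapFromFlags; none of the InvalidFilterFlagFormat, InvalidFlagOperator or InvalidFlagValue cases shown still feeds an `args.` filter. While the alias is accepted, a malformed `args.` filter should be rejected the same way as a `data.` one, because a filter that parses differently from what the operator wrote changes which events get traced. Keeping one negative case, for example `eventFlag: "openat.args.pathname==/etc/*"` with `expectedError: InvalidFlagOperator("openat.args.pathname==/etc/*")`, would pin that. Other cases may exist in the collapsed parts of the file, and the `ValidFlags2` case itself continues past the last visible line.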
62 changes: 53 additions & 9 deletions pkg/cmd/flags/policy_test.go
Expand Up @@ -719,7 +719,45 @@ func TestPrepareFilterMapsFromPolicies(t *testing.T) {
// events
//

// args filter
// data filter
{
testName: "data filter",
policy: v1beta1.PolicyFile{
Metadata: v1beta1.Metadata{
Name: "data-filter",
},
Spec: k8s.PolicySpec{
Scope: []string{"global"},
DefaultActions: []string{"log"},
Rules: []k8s.Rule{
{
Event: "security_file_open",
Filters: []string{"data.pathname=/etc/passwd"},
},
},
},
},
expPolicyScopeMap: PolicyScopeMap{},
expPolicyEventMap: PolicyEventMap{
0: {
policyName: "data-filter",
eventFlags: []eventFlag{
{
full: "security_file_open",
eventName: "security_file_open",
operatorAndValues: "",
},
{
full: "security_file_open.data.pathname=/etc/passwd",
eventName: "security_file_open",
eventFilter: "security_file_open.data.pathname",
operatorAndValues: "=/etc/passwd",
},
},
},
},
},
// keep a single args (deprecated) filter test that shall break on future removal
{
testName: "args filter",
policy: v1beta1.PolicyFile{
Expand Down Expand Up @@ -1836,20 +1874,26 @@ func TestCreatePolicies(t *testing.T) {
expectPolicyErr error
}{
{
testName: "invalid argfilter 1",
evtFlags: []string{"open.args"},
testName: "invalid datafilter 1",
evtFlags: []string{"open.data"},
expectPolicyErr: filters.InvalidExpression("open."),
},
{
testName: "invalid argfilter 2",
evtFlags: []string{"open.args.bla=5"},
expectPolicyErr: filters.InvalidEventArgument("bla"),
testName: "invalid datafilter 2",
evtFlags: []string{"open.data.bla=5"},
expectPolicyErr: filters.InvalidEventData("bla"),
},
{
testName: "invalid argfilter 3",
testName: "invalid datafilter 3",
evtFlags: []string{"open.bla=5"},
expectPolicyErr: InvalidFilterFlagFormat("open.bla=5"),
},
// keep a single args (deprecated) filter test that shall break on future removal
{
testName: "invalid argsfilter 1",
evtFlags: []string{"open.args.bla=5"},
expectPolicyErr: filters.InvalidEventData("bla"),
},
{
testName: "invalid scope filter 1",
evtFlags: []string{"open.scope"},
Expand Down Expand Up @@ -1986,7 +2030,7 @@ func TestCreatePolicies(t *testing.T) {
},
{
testName: "argfilter",
evtFlags: []string{"openat.args.pathname=/bin/ls,/tmp/tracee", "openat.args.pathname!=/etc/passwd"},
evtFlags: []string{"openat.data.pathname=/bin/ls,/tmp/tracee", "openat.data.pathname!=/etc/passwd"},
},
{
testName: "retfilter",
Expand Down Expand Up @@ -2022,7 +2066,7 @@ func TestCreatePolicies(t *testing.T) {
},
{
testName: "adding retval filter then argfilter",
evtFlags: []string{"open.retval=5", "security_file_open.args.pathname=/etc/shadow"},
evtFlags: []string{"open.retval=5", "security_file_open.data.pathname=/etc/shadow"},
},

{
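Review bot: The TestCreatePolicies cases named `argfilter` and `adding retval filter then argfilter` keep their old names although their `evtFlags` now use the `data.` spelling, so a failure report would name the deprecated option while the case exercises the new one. Renaming them to `testName: "datafilter"` and `testName: "adding retval filter then datafilter"` keeps the names in line with the `invalid datafilter N` cases renamed in the same file. In `invalid argsfilter 1` the input `open.args.bla=5` is expected to fail with `filters.InvalidEventData("bla")`; a short comment such as `// the deprecated args alias is reported through the data error type` would show that the mismatch between flag and error name is deliberate. The enclosing test tables start and end outside the visible hunks.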
6 changes: 3 additions & 3 deletions pkg/events/derive/symbols_collision_test.go
Expand Up @@ -475,20 +475,20 @@ func TestSymbolsCollision(t *testing.T) {

// Prepare mocked filters for the existing test cases

filterName := "symbols_collision.args.symbols"
filterName := "symbols_collision.data.symbols"
eventsNameToID := map[string]events.ID{"symbols_collision": events.SymbolsCollision}

p := policy.NewPolicy()
p.EventsToTrace = map[events.ID]string{events.SymbolsCollision: "symbols_collision"}

if len(testCase.blackList) > 0 {
operAndValsBlack := fmt.Sprintf("!=%s", strings.Join(testCase.blackList, ","))
err := p.ArgFilter.Parse(filterName, operAndValsBlack, eventsNameToID)
err := p.DataFilter.Parse(filterName, operAndValsBlack, eventsNameToID)
require.NoError(t, err)
}
if len(testCase.whiteList) > 0 {
operAndValsWhite := fmt.Sprintf("=%s", strings.Join(testCase.whiteList, ","))
err := p.ArgFilter.Parse(filterName, operAndValsWhite, eventsNameToID)
err := p.DataFilter.Parse(filterName, operAndValsWhite, eventsNameToID)
require.NoError(t, err)
}
