Merge branch 'dev' of https://github.com/anubhav06/kubescape into azu…

…re-scanning
kubescape · Jan 10, 2023 · 284c8c7 · 284c8c7
2 parents 3441a65 + ddc0b2d
commit 284c8c7
Show file tree

Hide file tree

Showing 32 changed files with 5,365 additions and 100 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -14,30 +14,29 @@ linters:
     - gosec
     - staticcheck
     - nolintlint
+    - gofmt
+    - unused
+    - govet
+    - bodyclose
+    - typecheck
+    - goimports
+    - ineffassign
+    - gosimple
   disable:
     # temporarily disabled
     - varcheck
-    - ineffassign
-    - unused
-    - typecheck
     - errcheck
-    - govet
-    - gosimple
-    - deadcode
-    - gofmt
-    - goimports
-    - bodyclose
     - dupl
-    - gocognit
     - gocritic
-    - goimports
+    - gocognit
     - nakedret
     - revive
     - stylecheck
     - unconvert
     - unparam
     #- forbidigo # <- see later
     # should remain disabled
+    - deadcode   # deprecated linter
     - maligned
     - lll
     - gochecknoinits

diff --git a/cmd/scan/validators_test.go b/cmd/scan/validators_test.go
@@ -1,8 +1,9 @@
 package scan
 
 import (
-	"github.com/kubescape/kubescape/v2/core/cautils"
 	"testing"
+
+	"github.com/kubescape/kubescape/v2/core/cautils"
 )
 
 // Test_validateControlScanInfo tests how scan info is validated for the `scan control` command

diff --git a/core/cautils/getter/getpoliciesutils.go b/core/cautils/getter/getpoliciesutils.go
@@ -26,8 +26,8 @@ func SaveInFile(policy interface{}, pathStr string) error {
 		if os.IsNotExist(err) {
 			pathDir := path.Dir(pathStr)
 			// pathDir could contain subdirectories
-			if err := os.MkdirAll(pathDir, 0755); err != nil {
-				return err
+			if erm := os.MkdirAll(pathDir, 0755); erm != nil {
+				return erm
 			}
 		} else {
 			return err

diff --git a/core/cautils/getter/loadpolicy.go b/core/cautils/getter/loadpolicy.go
@@ -71,27 +71,29 @@ func (lp *LoadPolicy) GetControl(controlID string) (*reporthandling.Control, err
 	return control, nil
 }
 
+// GetFramework retrieves a framework configuration from the policy.
 func (lp *LoadPolicy) GetFramework(frameworkName string) (*reporthandling.Framework, error) {
-	var framework reporthandling.Framework
-	var err error
+	if frameworkName == "" {
+		return &reporthandling.Framework{}, nil
+	}
+
 	for _, filePath := range lp.filePaths {
-		framework = reporthandling.Framework{}
 		f, err := os.ReadFile(filePath)
 		if err != nil {
 			return nil, err
 		}
-		if err = json.Unmarshal(f, &framework); err != nil {
+
+		var fw reporthandling.Framework
+		if err = json.Unmarshal(f, &fw); err != nil {
 			return nil, err
 		}
-		if strings.EqualFold(frameworkName, framework.Name) {
-			break
+
+		if strings.EqualFold(frameworkName, fw.Name) {
+			return &fw, nil
 		}
 	}
-	if frameworkName != "" && !strings.EqualFold(frameworkName, framework.Name) {
 
-		return nil, fmt.Errorf("framework from file not matching")
-	}
-	return &framework, err
+	return nil, fmt.Errorf("framework from file not matching")
 }
 
 func (lp *LoadPolicy) GetFrameworks() ([]reporthandling.Framework, error) {
@@ -103,6 +105,7 @@ func (lp *LoadPolicy) GetFrameworks() ([]reporthandling.Framework, error) {
 func (lp *LoadPolicy) ListFrameworks() ([]string, error) {
 	fwNames := []string{}
 	framework := &reporthandling.Framework{}
+
 	for _, f := range lp.filePaths {
 		file, err := os.ReadFile(f)
 		if err == nil {
@@ -113,6 +116,7 @@ func (lp *LoadPolicy) ListFrameworks() ([]string, error) {
 			}
 		}
 	}
+
 	return fwNames, nil
 }
 

diff --git a/core/cautils/getter/loadpolicy_test.go b/core/cautils/getter/loadpolicy_test.go
@@ -1,13 +1,176 @@
 package getter
 
 import (
+	"fmt"
 	"path/filepath"
-)
+	"testing"
 
-var mockFrameworkBasePath = filepath.Join("examples", "mocks", "frameworks")
+	"github.com/stretchr/testify/require"
+)
 
 func MockNewLoadPolicy() *LoadPolicy {
 	return &LoadPolicy{
 		filePaths: []string{""},
 	}
 }
+
+func testFrameworkFile(framework string) string {
+	return filepath.Join(".", "testdata", fmt.Sprintf("%s.json", framework))
+}
+
+func TestLoadPolicy(t *testing.T) {
+	t.Parallel()
+
+	const testFramework = "MITRE"
+
+	t.Run("with GetFramework", func(t *testing.T) {
+		t.Run("should retrieve named framework", func(t *testing.T) {
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			fw, err := p.GetFramework(testFramework)
+			require.NoError(t, err)
+			require.NotNil(t, fw)
+
+			require.Equal(t, testFramework, fw.Name)
+		})
+
+		t.Run("should fail to retrieve framework", func(t *testing.T) {
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			fw, err := p.GetFramework("wrong")
+			require.Error(t, err)
+			require.Nil(t, fw)
+		})
+
+		t.Run("edge case: should return empty framework", func(t *testing.T) {
+			// NOTE(fredbi): this edge case corresponds to the original working of GetFramework.
+			// IMHO, this is a bad request call and it should return an error.
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			fw, err := p.GetFramework("")
+			require.NoError(t, err)
+			require.NotNil(t, fw)
+			require.Empty(t, *fw)
+		})
+
+		t.Run("edge case: corrupted json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidFramework = "invalid-fw"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidFramework)})
+			fw, err := p.GetFramework(invalidFramework)
+			require.Error(t, err)
+			require.Nil(t, fw)
+		})
+
+		t.Run("edge case: missing json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidFramework = "nowheretobefound"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidFramework)})
+			_, err := p.GetFramework(invalidFramework)
+			require.Error(t, err)
+		})
+	})
+
+	t.Run("with GetControl", func(t *testing.T) {
+		t.Run("should retrieve named control", func(t *testing.T) {
+			t.Parallel()
+
+			const (
+				testControl         = "C-0053"
+				expectedControlName = "Access container service account"
+			)
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			ctrl, err := p.GetControl(testControl)
+			require.NoError(t, err)
+			require.NotNil(t, ctrl)
+
+			require.Equal(t, testControl, ctrl.ControlID)
+			require.Equal(t, expectedControlName, ctrl.Name)
+		})
+
+		t.Run("should fail to retrieve named control", func(t *testing.T) {
+			// NOTE(fredbi): IMHO, this case should bubble up an error
+			t.Parallel()
+
+			const testControl = "wrong"
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			ctrl, err := p.GetControl(testControl)
+			require.NoError(t, err)
+			require.NotNil(t, ctrl) // no error, but still don't get the requested control...
+		})
+
+		t.Run("edge case: corrupted json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidControl = "invalid-fw"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidControl)})
+			_, err := p.GetControl(invalidControl)
+			require.Error(t, err)
+		})
+
+		t.Run("edge case: missing json", func(t *testing.T) {
+			t.Parallel()
+
+			const invalidControl = "nowheretobefound"
+			p := NewLoadPolicy([]string{testFrameworkFile(invalidControl)})
+			_, err := p.GetControl(invalidControl)
+			require.Error(t, err)
+		})
+
+		t.Run("edge case: should return empty control", func(t *testing.T) {
+			// NOTE(fredbi): this edge case corresponds to the original working of GetFramework.
+			// IMHO, this is a bad request call and it should return an error.
+			t.Parallel()
+
+			p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+			ctrl, err := p.GetControl("")
+			require.NoError(t, err)
+			require.NotNil(t, ctrl)
+		})
+	})
+
+	t.Run("ListFrameworks should return all frameworks in the policy path", func(t *testing.T) {
+		t.Parallel()
+
+		const extraFramework = "NSA"
+		p := NewLoadPolicy([]string{
+			testFrameworkFile(testFramework),
+			testFrameworkFile(extraFramework),
+		})
+		fws, err := p.ListFrameworks()
+		require.NoError(t, err)
+		require.Len(t, fws, 2)
+
+		require.Equal(t, testFramework, fws[0])
+		require.Equal(t, extraFramework, fws[1])
+	})
+
+	t.Run("edge case: policy without path", func(t *testing.T) {
+		t.Parallel()
+
+		p := NewLoadPolicy([]string{})
+		require.Empty(t, p.filePath())
+	})
+
+	t.Run("GetFrameworks is currently stubbed", func(t *testing.T) {
+		t.Parallel()
+
+		p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+		fws, err := p.GetFrameworks()
+		require.NoError(t, err)
+		require.Empty(t, fws)
+	})
+
+	t.Run("ListControls is currently unsupported", func(t *testing.T) {
+		t.Parallel()
+
+		p := NewLoadPolicy([]string{testFrameworkFile(testFramework)})
+		_, err := p.ListControls()
+		require.Error(t, err)
+	})
+}