From 5a36396e4a760e0c4e39b8203d19ed5efa2f45f3 Mon Sep 17 00:00:00 2001 From: Jay Mundrawala Date: Sat, 14 Dec 2024 10:53:51 -0600 Subject: [PATCH] fix tests --- policy/bundle.go | 2 +- policy/scan/local_scanner_test.go | 103 ++++++++---------- .../scan/testdata/exception-groups.mql.yaml | 9 +- 3 files changed, 51 insertions(+), 63 deletions(-) diff --git a/policy/bundle.go b/policy/bundle.go index 5fcd6cf5..7b8cb559 100644 --- a/policy/bundle.go +++ b/policy/bundle.go @@ -620,7 +620,7 @@ func (c *bundleCache) removeFailing(res *Bundle) { group := policy.Groups[j] group.Queries = explorer.FilterQueryMRNs(c.removeQueries, group.Queries) group.Checks = explorer.FilterQueryMRNs(c.removeQueries, group.Checks) - if len(group.Queries)+len(group.Checks) > 0 { + if len(group.Policies)+len(group.Queries)+len(group.Checks) > 0 { groups = append(groups, group) } } diff --git a/policy/scan/local_scanner_test.go b/policy/scan/local_scanner_test.go index f8d03447..363e939f 100644 --- a/policy/scan/local_scanner_test.go +++ b/policy/scan/local_scanner_test.go @@ -176,7 +176,6 @@ func (s *LocalScannerSuite) TestRunIncognito_ExceptionGroups() { s.job.Bundle = bundle s.job.PolicyFilters = []string{"asset-policy"} - bundleMap := bundle.ToMap() ctx := context.Background() scanner := NewLocalScanner(DisableProgressBar()) 
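Review bot: The widened condition `len(group.Policies)+len(group.Queries)+len(group.Checks) > 0` in removeFailing carries no comment explaining why policy-only groups must survive, and the visible test changes exercise it only indirectly, if at all. Before this change a group that only referenced other policies was dropped whenever the cache filtered failing queries, which would presumably take the referenced policy out of the scan without any error, so a regression here silently reduces coverage. I would add `// keep groups that only reference other policies; dropping them removes those policies from the bundle` above the `if`, and a small unit test that runs removeFailing on a bundle containing a policies-only group. The function body starts and ends outside the hunk.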
@@ -195,18 +194,6 @@ func (s *LocalScannerSuite) TestRunIncognito_ExceptionGroups() { p := full.ResolvedPolicies[k] - // Get the code id for all the executed queries - executedQueries := []string{} - for qCodeId := range p.ExecutionJob.Queries { - executedQueries = append(executedQueries, qCodeId) - } - - expectedQueries := []string{ - bundleMap.Queries["//local.cnspec.io/run/local-execution/queries/ignored-query"].CodeId, - bundleMap.Queries["//local.cnspec.io/run/local-execution/queries/sshd-score-01"].CodeId, - } - s.ElementsMatch(expectedQueries, executedQueries) - queryIdToReportingJob := map[string]*policy.ReportingJob{} for _, rj := range p.CollectorJob.ReportingJobs { _, ok := queryIdToReportingJob[rj.QrId] @@ -215,13 +202,26 @@ func (s *LocalScannerSuite) TestRunIncognito_ExceptionGroups() { } // Make sure the ignored query is ignored - queryRj := queryIdToReportingJob[bundleMap.Queries["//local.cnspec.io/run/local-execution/queries/ignored-query"].CodeId] - s.Require().NotNil(queryRj) - - parent := queryRj.Notify[0] - parentJob := p.CollectorJob.ReportingJobs[parent] - s.Require().NotNil(parentJob) - s.Equal(explorer.ScoringSystem_IGNORE_SCORE, parentJob.ChildJobs[queryRj.Uuid].Scoring) + { + queryRj := queryIdToReportingJob["//local.cnspec.io/run/local-execution/queries/ignored-query"] + s.Require().NotNil(queryRj) + + parent := queryRj.Notify[0] + parentJob := p.CollectorJob.ReportingJobs[parent] + s.Require().NotNil(parentJob) + s.Equal(explorer.ScoringSystem_IGNORE_SCORE, parentJob.ChildJobs[queryRj.Uuid].Scoring) + } + // Make sure the ignored query is reported as disabled + { + queryRj := queryIdToReportingJob["//local.cnspec.io/run/local-execution/queries/deactivate-query"] + s.Require().NotNil(queryRj) + var child string + for c := range queryRj.ChildJobs { + child = c + break + } + s.Equal(explorer.ScoringSystem_DISABLED, queryRj.ChildJobs[child].Scoring) + } } } 
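Review bot: The new deactivate-query block in TestRunIncognito_ExceptionGroups picks `child` by ranging over `queryRj.ChildJobs` and breaking, so an empty map leaves `child` as the empty string and `queryRj.ChildJobs[child].Scoring` then reads a missing entry (a nil-pointer panic if the map values are pointers, as the `Nil(impact)` assertion elsewhere in this patch suggests), while a map with more than one entry makes the result depend on iteration order. Adding `s.Require().Len(queryRj.ChildJobs, 1)` before the loop turns both cases into a clear test failure. The comment above the block says "ignored query" although the block checks deactivate-query; `// Make sure the deactivated query is reported as disabled` matches the code. The same block is added in the last hunk of TestRunIncognito_QueryExceptions_MultipleGroups and needs the same two changes.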
@@ -230,8 +230,8 @@ func (s *LocalScannerSuite) TestRunIncognito_ExceptionGroups_RejectedReview() { bundle, err := loader.BundleFromPaths("./testdata/exception-groups.mql.yaml") s.Require().NoError(err) - bundle.Policies[1].Groups[0].ReviewStatus = policy.ReviewStatus_REJECTED bundle.Policies[1].Groups[1].ReviewStatus = policy.ReviewStatus_REJECTED + bundle.Policies[1].Groups[2].ReviewStatus = policy.ReviewStatus_REJECTED _, err = bundle.CompileExt(context.Background(), policy.BundleCompileConf{ CompilerConfig: s.conf, @@ -255,8 +255,8 @@ func (s *LocalScannerSuite) TestRunIncognito_ExceptionGroups_RejectedReview() { s.Equal(1, len(full.Reports)) for k, r := range full.Reports { - // Verify the score is 16 - s.Equal(uint32(16), r.GetScore().Value) + // Verify the score is 33 + s.Equal(uint32(33), r.GetScore().Value) p := full.ResolvedPolicies[k] @@ -281,13 +281,15 @@ func (s *LocalScannerSuite) TestRunIncognito_ExceptionGroups_RejectedReview() { } // Make sure the ignored query is ignored - queryRj := queryIdToReportingJob[bundleMap.Queries["//local.cnspec.io/run/local-execution/queries/ignored-query"].CodeId] + queryRj := queryIdToReportingJob["//local.cnspec.io/run/local-execution/queries/ignored-query"] s.Require().NotNil(queryRj) parent := queryRj.Notify[0] parentJob := p.CollectorJob.ReportingJobs[parent] s.Require().NotNil(parentJob) - s.Equal(explorer.ScoringSystem_SCORING_UNSPECIFIED, parentJob.ChildJobs[queryRj.Uuid].Scoring) + impact, ok := parentJob.ChildJobs[queryRj.Uuid] + s.Require().True(ok) + s.Require().Nil(impact) } } @@ -304,7 +306,6 @@ func (s *LocalScannerSuite) TestRunIncognito_QueryExceptions() { s.job.Bundle = bundle s.job.PolicyFilters = []string{"asset-policy"} - bundleMap := bundle.ToMap() ctx := context.Background() scanner := NewLocalScanner(DisableProgressBar()) 
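Review bot: `bundle.Policies[1].Groups[1]` and `Groups[2]` select the exception groups by position, and this hunk is needed only because the fixture reordered its groups, so a later fixture edit can make the test reject the wrong group and still compile. A comment such as `// Groups[1] and Groups[2] are the type 4 and type 5 exception groups in exception-groups.mql.yaml` would record the coupling; selecting groups by a property (for example every group with a non-empty `Checks`) would remove it. If the wrong group is rejected, the test no longer shows that a rejected exception leaves the check scored.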
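Review bot: The new assertions `s.Require().True(ok)` and `s.Require().Nil(impact)` in TestRunIncognito_ExceptionGroups_RejectedReview appear to encode that a rejected exception leaves the child entry present with no impact override, but nothing says so, and the unchanged comment above still reads "Make sure the ignored query is ignored", which is the opposite of what this test checks. I would reword that comment to `// A rejected exception must not change scoring: the child job exists but carries no impact`. This is the assertion that guards against an unapproved exception suppressing a finding, so its intent should be readable without knowing the resolver internals. `parent := queryRj.Notify[0]` just above is unchanged here but would panic on an empty Notify; `s.Require().NotEmpty(queryRj.Notify)` would be the matching guard.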
@@ -323,18 +324,6 @@ func (s *LocalScannerSuite) TestRunIncognito_QueryExceptions() { p := full.ResolvedPolicies[k] - // Get the code id for all the executed queries - executedQueries := []string{} - for qCodeId := range p.ExecutionJob.Queries { - executedQueries = append(executedQueries, qCodeId) - } - - expectedQueries := []string{ - bundleMap.Queries["//local.cnspec.io/run/local-execution/queries/ignored-query"].CodeId, - bundleMap.Queries["//local.cnspec.io/run/local-execution/queries/sshd-score-01"].CodeId, - } - s.ElementsMatch(expectedQueries, executedQueries) - queryIdToReportingJob := map[string]*policy.ReportingJob{} for _, rj := range p.CollectorJob.ReportingJobs { _, ok := queryIdToReportingJob[rj.QrId] @@ -343,7 +332,7 @@ func (s *LocalScannerSuite) TestRunIncognito_QueryExceptions() { } // Make sure the ignored query is ignored - queryRj := queryIdToReportingJob[bundleMap.Queries["//local.cnspec.io/run/local-execution/queries/ignored-query"].CodeId] + queryRj := queryIdToReportingJob["//local.cnspec.io/run/local-execution/queries/ignored-query"] s.Require().NotNil(queryRj) parent := queryRj.Notify[0] @@ -366,7 +355,6 @@ func (s *LocalScannerSuite) TestRunIncognito_QueryExceptions_MultipleGroups() { s.job.Bundle = bundle s.job.PolicyFilters = []string{"asset-policy"} - bundleMap := bundle.ToMap() ctx := context.Background() scanner := NewLocalScanner(DisableProgressBar()) 
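Review bot: After this patch TestRunIncognito_QueryExceptions asserts only on ignored-query: the hunk before this one deletes `s.ElementsMatch(expectedQueries, executedQueries)`, and unlike TestRunIncognito_ExceptionGroups and TestRunIncognito_QueryExceptions_MultipleGroups no deactivate-query check is added in its place. The deleted assertion was the only visible check on the set of executed queries, so the property that a deactivated query is not executed, as opposed to being reported with `ScoringSystem_DISABLED`, is no longer tested in any of the three functions. If the fixture this test loads contains a deactivated query (not visible in the hunk), I would add the same DISABLED assertion here and keep one assertion on `p.ExecutionJob.Queries`, keyed however the execution job now identifies queries. The function body continues outside the hunk.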
@@ -385,18 +373,6 @@ func (s *LocalScannerSuite) TestRunIncognito_QueryExceptions_MultipleGroups() { p := full.ResolvedPolicies[k] - // Get the code id for all the executed queries - executedQueries := []string{} - for qCodeId := range p.ExecutionJob.Queries { - executedQueries = append(executedQueries, qCodeId) - } - - expectedQueries := []string{ - bundleMap.Queries["//local.cnspec.io/run/local-execution/queries/ignored-query"].CodeId, - bundleMap.Queries["//local.cnspec.io/run/local-execution/queries/sshd-score-01"].CodeId, - } - s.ElementsMatch(expectedQueries, executedQueries) - queryIdToReportingJob := map[string]*policy.ReportingJob{} for _, rj := range p.CollectorJob.ReportingJobs { _, ok := queryIdToReportingJob[rj.QrId] @@ -405,13 +381,26 @@ func (s *LocalScannerSuite) TestRunIncognito_QueryExceptions_MultipleGroups() { } // Make sure the ignored query is ignored - queryRj := queryIdToReportingJob[bundleMap.Queries["//local.cnspec.io/run/local-execution/queries/ignored-query"].CodeId] + queryRj := queryIdToReportingJob["//local.cnspec.io/run/local-execution/queries/ignored-query"] s.Require().NotNil(queryRj) - parent := queryRj.Notify[0] - parentJob := p.CollectorJob.ReportingJobs[parent] - s.Require().NotNil(parentJob) - s.Equal(explorer.ScoringSystem_IGNORE_SCORE, parentJob.ChildJobs[queryRj.Uuid].Scoring) + { + parent := queryRj.Notify[0] + parentJob := p.CollectorJob.ReportingJobs[parent] + s.Require().NotNil(parentJob) + s.Equal(explorer.ScoringSystem_IGNORE_SCORE, parentJob.ChildJobs[queryRj.Uuid].Scoring) + } + // Make sure the ignored query is reported as disabled + { + queryRj := queryIdToReportingJob["//local.cnspec.io/run/local-execution/queries/deactivate-query"] + s.Require().NotNil(queryRj) + var child string + for c := range queryRj.ChildJobs { + child = c + break + } + s.Equal(explorer.ScoringSystem_DISABLED, queryRj.ChildJobs[child].Scoring) + } } } 
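Review bot: In the last hunk of TestRunIncognito_QueryExceptions_MultipleGroups the second block declares a new `queryRj` for deactivate-query while the outer `queryRj` for ignored-query is still in scope, so the inner name shadows the outer one. It compiles and behaves as intended, but the two blocks read different reporting jobs under the same name; renaming the inner variable to `deactivatedRj`, or moving the ignored-query lookup inside the first block as TestRunIncognito_ExceptionGroups does, keeps the two cases apart. The comment above the second block also says "ignored query" where `// Make sure the deactivated query is reported as disabled` would match the lookup.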
diff --git a/policy/scan/testdata/exception-groups.mql.yaml b/policy/scan/testdata/exception-groups.mql.yaml index a4acd98a..42de561a 100644 --- a/policy/scan/testdata/exception-groups.mql.yaml +++ b/policy/scan/testdata/exception-groups.mql.yaml @@ -13,17 +13,16 @@ policies: - uid: ignored-query - uid: deactivate-query - uid : asset-policy - groups: + groups: + - policies: + - uid: sshd-server-policy - checks: - uid: ignored-query type: 4 - policies: - - uid: sshd-server-policy - checks: - uid: deactivate-query type: 5 - policies: - - uid: sshd-server-policy + queries: - uid: sshd-score-01 title: Ensure SSH MaxAuthTries is set to 4 or less