aquasecurity · chen-keinan · Mar 14, 2022 · Mar 13, 2022
diff --git a/pkg/compliance/clustercompliancereport_test.go b/pkg/compliance/clustercompliancereport_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"io/ioutil"
 	"sort"
+	"time"
 
 	"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
 	"github.com/aquasecurity/starboard/pkg/ext"
@@ -36,31 +37,37 @@ var _ = ginkgo.Describe("cluster compliance report", func() {
 	config := etc.Config{
 		Namespace: "starboard-operator",
 	}
-
-	ginkgo.Context("reconcile compliance spec report", func() {
-		ginkgo.It("check compliance reconcile with cis-benchmark and config-audit reports", func() {
-			var cisBenchList v1alpha1.CISKubeBenchReportList
-			logger := log.Log.WithName("operator")
-			err := loadResource("./testdata/fixture/cisBenchmarkReportList.json", &cisBenchList)
-			Expect(err).ToNot(HaveOccurred())
-			var confAuditList v1alpha1.ConfigAuditReportList
-			err = loadResource("./testdata/fixture/configAuditReportList.json", &confAuditList)
-			Expect(err).ToNot(HaveOccurred())
-			var clusterComplianceSpec v1alpha1.ClusterComplianceReport
-			err = loadResource("./testdata/fixture/clusterComplianceSpec.json", &clusterComplianceSpec)
-			Expect(err).ToNot(HaveOccurred())
-			client := fake.NewClientBuilder().WithScheme(starboard.NewScheme()).WithLists(
-				&cisBenchList,
-				&confAuditList,
-			).WithObjects(
-				&clusterComplianceSpec,
-			).Build()
-			// generate report
-			instance := ClusterComplianceReportReconciler{Logger: logger, Config: config, Client: client, Mgr: NewMgr(client, logger), Clock: ext.NewSystemClock()}
-			_, err = instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
-			Expect(err).ToNot(HaveOccurred())
-
-			// validate cluster details report
+	logger := log.Log.WithName("operator")
+
+	ginkgo.Context("reconcile compliance spec report with cis-bench anc audit-config data and validate compliance reports data and requeue", func() {
+		var cisBenchList v1alpha1.CISKubeBenchReportList
+		err := loadResource("./testdata/fixture/cisBenchmarkReportList.json", &cisBenchList)
+		Expect(err).ToNot(HaveOccurred())
+
+		var confAuditList v1alpha1.ConfigAuditReportList
+		err = loadResource("./testdata/fixture/configAuditReportList.json", &confAuditList)
+		Expect(err).ToNot(HaveOccurred())
+
+		var clusterComplianceSpec v1alpha1.ClusterComplianceReport
+		err = loadResource("./testdata/fixture/clusterComplianceSpec.json", &clusterComplianceSpec)
+		Expect(err).ToNot(HaveOccurred())
+		// generate client with cis-bench,audit-config and compliance spec
+		client := fake.NewClientBuilder().WithScheme(starboard.NewScheme()).WithLists(
+			&cisBenchList,
+			&confAuditList,
+		).WithObjects(
+			&clusterComplianceSpec,
+		).Build()
+
+		// create compliance controller
+		instance := ClusterComplianceReportReconciler{Logger: logger, Config: config, Client: client, Mgr: NewMgr(client, logger), Clock: ext.NewSystemClock()}
+
+		// trigger compliance report generation
+		_, err = instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
+		Expect(err).ToNot(HaveOccurred())
+
+		ginkgo.It("check cluster compliance report detail data match expected result", func() {
+			// validate cluster compliance detail report data
 			var clusterComplianceDetialReport v1alpha1.ClusterComplianceDetailReport
 			err = loadResource("./testdata/fixture/clusterComplianceDetailReport.json", &clusterComplianceDetialReport)
 			complianceDetailReport, err := getDetailReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa-details"}, client)
@@ -72,49 +79,81 @@ var _ = ginkgo.Describe("cluster compliance report", func() {
 				sort.Sort(controlObjectTypeSort(clusterComplianceDetialReport.Report.ControlChecks[i].ScannerCheckResult))
 			}
 			Expect(cmp.Equal(complianceDetailReport.Report, clusterComplianceDetialReport.Report, ignoreTimeStamp())).To(BeTrue())
+		})
 
-			// validate cluster compliance report
+		ginkgo.It("check cluster compliance report status match expected result", func() {
+			// validate cluster compliance report status
 			var clusterComplianceReport v1alpha1.ClusterComplianceReport
 			err = loadResource("./testdata/fixture/clusterComplianceReport.json", &clusterComplianceReport)
 			complianceReport, err := getReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"}, client)
 			Expect(err).ToNot(HaveOccurred())
 			sort.Sort(controlSort(complianceReport.Status.ControlChecks))
 			sort.Sort(controlSort(clusterComplianceReport.Status.ControlChecks))
 			Expect(cmp.Equal(complianceReport.Status, clusterComplianceReport.Status, ignoreTimeStamp())).To(BeTrue())
+		})
 
-			// validate reconcile requeue
+		ginkgo.It("check requeue interval bigger then 0", func() {
+			// validate resource requeue with interval
 			res, err := instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
 			Expect(err).ToNot(HaveOccurred())
 			Expect(res.RequeueAfter > 0).To(BeTrue())
 		})
 
-		ginkgo.It("check compliance reconcile where cis-benchmark and config-audit reports are not present", func() {
-			logger := log.Log.WithName("operator")
-			var clusterComplianceSpec v1alpha1.ClusterComplianceReport
-			err := loadResource("./testdata/fixture/clusterComplianceSpec.json", &clusterComplianceSpec)
+		ginkgo.It("check compliance compliance report status is updated following to changes occur with cis-bench and config-audit report", func() {
+			// update cis-benchmark report with failed tests and compare update compliance report
+			var updatedCisBench v1alpha1.CISKubeBenchReport
+			err = loadResource("./testdata/fixture/cisBenchmarkReportUpdate.json", &updatedCisBench)
+			Expect(err).ToNot(HaveOccurred())
+			var caUpdated v1alpha1.ConfigAuditReport
+			err = loadResource("./testdata/fixture/configAuditReportUpdate.json", &caUpdated)
+			Expect(err).ToNot(HaveOccurred())
+			err = client.Update(context.Background(), &updatedCisBench)
+			Expect(err).ToNot(HaveOccurred())
+			err = client.Update(context.Background(), &caUpdated)
 			Expect(err).ToNot(HaveOccurred())
-			client := fake.NewClientBuilder().WithScheme(starboard.NewScheme()).WithObjects(
-				&clusterComplianceSpec,
-			).Build()
-			// generate report
-			instance := ClusterComplianceReportReconciler{Logger: logger, Config: config, Client: client, Mgr: NewMgr(client, logger), Clock: ext.NewSystemClock()}
+			// wait for next cron interval
+			time.Sleep(4 * time.Second)
+			// generate reconcile report
 			_, err = instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
 			Expect(err).ToNot(HaveOccurred())
 
-			// validate cluster details report
-			complianceDetailReport, err := getDetailReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa-details"}, client)
+			// get compliance report
+			complianceReportUpdate, err := getReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"}, client)
+			Expect(err).ToNot(HaveOccurred())
+
+			var clusterComplianceReportUpdate v1alpha1.ClusterComplianceReport
+			err = loadResource("./testdata/fixture/clusterComplianceReportUpdate.json", &clusterComplianceReportUpdate)
+			Expect(err).ToNot(HaveOccurred())
+			sort.Sort(controlSort(complianceReportUpdate.Status.ControlChecks))
+			sort.Sort(controlSort(clusterComplianceReportUpdate.Status.ControlChecks))
+
+			// validate updated cluster compliance report status
+			Expect(cmp.Equal(complianceReportUpdate.Status, clusterComplianceReportUpdate.Status, ignoreTimeStamp())).To(BeTrue())
+		})
+	})
+
+	ginkgo.Context("reconcile compliance spec report without cis-bench and audit-config data and validate compliance reports data", func() {
+		var clusterComplianceSpec v1alpha1.ClusterComplianceReport
+		err := loadResource("./testdata/fixture/clusterComplianceSpec.json", &clusterComplianceSpec)
+		// create new client
+		clientWithComplianceSpecOnly := fake.NewClientBuilder().WithScheme(starboard.NewScheme()).WithObjects(&clusterComplianceSpec).Build()
+		// create compliance controller
+		complianceControllerInstance := ClusterComplianceReportReconciler{Logger: logger, Config: config, Client: clientWithComplianceSpecOnly, Mgr: NewMgr(clientWithComplianceSpecOnly, logger), Clock: ext.NewSystemClock()}
+		reconcileReport, err := complianceControllerInstance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
+		Expect(err).ToNot(HaveOccurred())
+
+		ginkgo.It("check compliance reconcile where cis-benchmark and config-audit reports are not present", func() {
+			// validate compliance reports has no status / data
+			complianceDetailReport, err := getDetailReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa-details"}, clientWithComplianceSpecOnly)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(len(complianceDetailReport.Report.ControlChecks) == 0).To(BeTrue())
 
 			// validate cluster compliance report
-			complianceReport, err := getReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"}, client)
+			complianceReport, err := getReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"}, clientWithComplianceSpecOnly)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(len(complianceReport.Status.ControlChecks) == 0).To(BeTrue())
-
 			// validate reconcile requeue
-			res, err := instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
-			Expect(err).ToNot(HaveOccurred())
-			Expect(res.RequeueAfter > 0).To(BeTrue())
+			Expect(reconcileReport.RequeueAfter == 0).To(BeTrue())
 		})
 	})
 })