
test: update compliance reconcile tests (aquasecurity#1021)
chen-keinan authored Mar 14, 2022
1 parent 74bd63d commit 99de8cf
Showing 5 changed files with 1,400 additions and 44 deletions.
125 changes: 82 additions & 43 deletions pkg/compliance/clustercompliancereport_test.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"io/ioutil"
"sort"
"time"

"github.com/aquasecurity/starboard/pkg/apis/aquasecurity/v1alpha1"
"github.com/aquasecurity/starboard/pkg/ext"
Expand Down Expand Up @@ -36,31 +37,37 @@ var _ = ginkgo.Describe("cluster compliance report", func() {
config := etc.Config{
Namespace: "starboard-operator",
}

ginkgo.Context("reconcile compliance spec report", func() {
ginkgo.It("check compliance reconcile with cis-benchmark and config-audit reports", func() {
var cisBenchList v1alpha1.CISKubeBenchReportList
logger := log.Log.WithName("operator")
err := loadResource("./testdata/fixture/cisBenchmarkReportList.json", &cisBenchList)
Expect(err).ToNot(HaveOccurred())
var confAuditList v1alpha1.ConfigAuditReportList
err = loadResource("./testdata/fixture/configAuditReportList.json", &confAuditList)
Expect(err).ToNot(HaveOccurred())
var clusterComplianceSpec v1alpha1.ClusterComplianceReport
err = loadResource("./testdata/fixture/clusterComplianceSpec.json", &clusterComplianceSpec)
Expect(err).ToNot(HaveOccurred())
client := fake.NewClientBuilder().WithScheme(starboard.NewScheme()).WithLists(
&cisBenchList,
&confAuditList,
).WithObjects(
&clusterComplianceSpec,
).Build()
// generate report
instance := ClusterComplianceReportReconciler{Logger: logger, Config: config, Client: client, Mgr: NewMgr(client, logger), Clock: ext.NewSystemClock()}
_, err = instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
Expect(err).ToNot(HaveOccurred())

// validate cluster details report
logger := log.Log.WithName("operator")

ginkgo.Context("reconcile compliance spec report with cis-bench anc audit-config data and validate compliance reports data and requeue", func() {
var cisBenchList v1alpha1.CISKubeBenchReportList
err := loadResource("./testdata/fixture/cisBenchmarkReportList.json", &cisBenchList)
Expect(err).ToNot(HaveOccurred())

var confAuditList v1alpha1.ConfigAuditReportList
err = loadResource("./testdata/fixture/configAuditReportList.json", &confAuditList)
Expect(err).ToNot(HaveOccurred())

var clusterComplianceSpec v1alpha1.ClusterComplianceReport
err = loadResource("./testdata/fixture/clusterComplianceSpec.json", &clusterComplianceSpec)
Expect(err).ToNot(HaveOccurred())
// generate client with cis-bench,audit-config and compliance spec
client := fake.NewClientBuilder().WithScheme(starboard.NewScheme()).WithLists(
&cisBenchList,
&confAuditList,
).WithObjects(
&clusterComplianceSpec,
).Build()

// create compliance controller
instance := ClusterComplianceReportReconciler{Logger: logger, Config: config, Client: client, Mgr: NewMgr(client, logger), Clock: ext.NewSystemClock()}

// trigger compliance report generation
_, err = instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
Expect(err).ToNot(HaveOccurred())

ginkgo.It("check cluster compliance report detail data match expected result", func() {
// validate cluster compliance detail report data
var clusterComplianceDetialReport v1alpha1.ClusterComplianceDetailReport
err = loadResource("./testdata/fixture/clusterComplianceDetailReport.json", &clusterComplianceDetialReport)
complianceDetailReport, err := getDetailReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa-details"}, client)
Expand All @@ -72,49 +79,81 @@ var _ = ginkgo.Describe("cluster compliance report", func() {
sort.Sort(controlObjectTypeSort(clusterComplianceDetialReport.Report.ControlChecks[i].ScannerCheckResult))
}
Expect(cmp.Equal(complianceDetailReport.Report, clusterComplianceDetialReport.Report, ignoreTimeStamp())).To(BeTrue())
})

// validate cluster compliance report
ginkgo.It("check cluster compliance report status match expected result", func() {
// validate cluster compliance report status
var clusterComplianceReport v1alpha1.ClusterComplianceReport
err = loadResource("./testdata/fixture/clusterComplianceReport.json", &clusterComplianceReport)
complianceReport, err := getReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"}, client)
Expect(err).ToNot(HaveOccurred())
sort.Sort(controlSort(complianceReport.Status.ControlChecks))
sort.Sort(controlSort(clusterComplianceReport.Status.ControlChecks))
Expect(cmp.Equal(complianceReport.Status, clusterComplianceReport.Status, ignoreTimeStamp())).To(BeTrue())
})

// validate reconcile requeue
ginkgo.It("check requeue interval bigger then 0", func() {
// validate resource requeue with interval
res, err := instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
Expect(err).ToNot(HaveOccurred())
Expect(res.RequeueAfter > 0).To(BeTrue())
})

ginkgo.It("check compliance reconcile where cis-benchmark and config-audit reports are not present", func() {
logger := log.Log.WithName("operator")
var clusterComplianceSpec v1alpha1.ClusterComplianceReport
err := loadResource("./testdata/fixture/clusterComplianceSpec.json", &clusterComplianceSpec)
ginkgo.It("check compliance compliance report status is updated following to changes occur with cis-bench and config-audit report", func() {
// update cis-benchmark report with failed tests and compare update compliance report
var updatedCisBench v1alpha1.CISKubeBenchReport
err = loadResource("./testdata/fixture/cisBenchmarkReportUpdate.json", &updatedCisBench)
Expect(err).ToNot(HaveOccurred())
var caUpdated v1alpha1.ConfigAuditReport
err = loadResource("./testdata/fixture/configAuditReportUpdate.json", &caUpdated)
Expect(err).ToNot(HaveOccurred())
err = client.Update(context.Background(), &updatedCisBench)
Expect(err).ToNot(HaveOccurred())
err = client.Update(context.Background(), &caUpdated)
Expect(err).ToNot(HaveOccurred())
client := fake.NewClientBuilder().WithScheme(starboard.NewScheme()).WithObjects(
&clusterComplianceSpec,
).Build()
// generate report
instance := ClusterComplianceReportReconciler{Logger: logger, Config: config, Client: client, Mgr: NewMgr(client, logger), Clock: ext.NewSystemClock()}
// wait for next cron interval
time.Sleep(4 * time.Second)
// generate reconcile report
_, err = instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
Expect(err).ToNot(HaveOccurred())

// validate cluster details report
complianceDetailReport, err := getDetailReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa-details"}, client)
// get compliance report
complianceReportUpdate, err := getReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"}, client)
Expect(err).ToNot(HaveOccurred())

var clusterComplianceReportUpdate v1alpha1.ClusterComplianceReport
err = loadResource("./testdata/fixture/clusterComplianceReportUpdate.json", &clusterComplianceReportUpdate)
Expect(err).ToNot(HaveOccurred())
sort.Sort(controlSort(complianceReportUpdate.Status.ControlChecks))
sort.Sort(controlSort(clusterComplianceReportUpdate.Status.ControlChecks))

// validate updated cluster compliance report status
Expect(cmp.Equal(complianceReportUpdate.Status, clusterComplianceReportUpdate.Status, ignoreTimeStamp())).To(BeTrue())
})
})

ginkgo.Context("reconcile compliance spec report without cis-bench and audit-config data and validate compliance reports data", func() {
var clusterComplianceSpec v1alpha1.ClusterComplianceReport
err := loadResource("./testdata/fixture/clusterComplianceSpec.json", &clusterComplianceSpec)
// create new client
clientWithComplianceSpecOnly := fake.NewClientBuilder().WithScheme(starboard.NewScheme()).WithObjects(&clusterComplianceSpec).Build()
// create compliance controller
complianceControllerInstance := ClusterComplianceReportReconciler{Logger: logger, Config: config, Client: clientWithComplianceSpecOnly, Mgr: NewMgr(clientWithComplianceSpecOnly, logger), Clock: ext.NewSystemClock()}
reconcileReport, err := complianceControllerInstance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
Expect(err).ToNot(HaveOccurred())

ginkgo.It("check compliance reconcile where cis-benchmark and config-audit reports are not present", func() {
// validate compliance reports has no status / data
complianceDetailReport, err := getDetailReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa-details"}, clientWithComplianceSpecOnly)
Expect(err).ToNot(HaveOccurred())
Expect(len(complianceDetailReport.Report.ControlChecks) == 0).To(BeTrue())

// validate cluster compliance report
complianceReport, err := getReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"}, client)
complianceReport, err := getReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"}, clientWithComplianceSpecOnly)
Expect(err).ToNot(HaveOccurred())
Expect(len(complianceReport.Status.ControlChecks) == 0).To(BeTrue())

// validate reconcile requeue
res, err := instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
Expect(err).ToNot(HaveOccurred())
Expect(res.RequeueAfter > 0).To(BeTrue())
Expect(reconcileReport.RequeueAfter == 0).To(BeTrue())
})
})
})
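Review bot: The fixture loading and the first `generateComplianceReport` call now sit directly in the `ginkgo.Context` bodies rather than in a `BeforeEach`, so they run once at tree-construction time, their `Expect` failures are not attributed to any spec, and the three `It` blocks of the first context share one mutable `client` — the "status is updated" spec mutates it via `client.Update`, so the detail/status specs only pass if they run first, which Ginkgo's randomized ordering does not guarantee. Moving the setup into `ginkgo.BeforeEach` and building a fresh fake client per spec (reading it back through `instance.Client`) makes each `It` independent; a sketch is below. The `time.Sleep(4 * time.Second)` in the update spec is a wall-clock wait on the reconciler's cron interval and is both slow and timing-dependent; the reconciler already accepts an injectable `Clock` (`Clock: ext.NewSystemClock()`), so a fake clock advanced past the interval would remove the sleep, assuming `ext` provides one. Separately, the `err` returned by `loadResource` is overwritten unchecked at the `clusterComplianceDetialReport` and `clusterComplianceReport` loads and at the `clusterComplianceSpec` load of the second context; add `Expect(err).ToNot(HaveOccurred())` after each.
```go
ginkgo.Context("reconcile compliance spec report with cis-bench anc audit-config data and validate compliance reports data and requeue", func() {
	var instance ClusterComplianceReportReconciler

	ginkgo.BeforeEach(func() {
		// … unchanged: loadResource calls for cisBenchList, confAuditList, clusterComplianceSpec (declares err) …
		fakeClient := fake.NewClientBuilder().WithScheme(starboard.NewScheme()).WithLists(
			&cisBenchList,
			&confAuditList,
		).WithObjects(
			&clusterComplianceSpec,
		).Build()
		instance = ClusterComplianceReportReconciler{Logger: logger, Config: config, Client: fakeClient, Mgr: NewMgr(fakeClient, logger), Clock: ext.NewSystemClock()}
		_, err = instance.generateComplianceReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa"})
		Expect(err).ToNot(HaveOccurred())
	})

	ginkgo.It("check cluster compliance report detail data match expected result", func() {
		complianceDetailReport, err := getDetailReport(context.TODO(), types.NamespacedName{Namespace: "", Name: "nsa-details"}, instance.Client)
		// … unchanged: comparison against the fixture …
	})

	// … unchanged: remaining It blocks, likewise reading instance.Client …
})
```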
