ROX-30437: add integration tests

Added tests will validate events generated on an overlayfs file properly
shows the event on the upper layer and the access to the underlying FS.
They also validate a mounted path on a container resolves to the correct
host path.

While developing these tests, it became painfully obvious getting the
information of the process running inside the container is not
straightforward. Because containers tend to be fairly static, we should
be able to manually create the information statically in the test and
still have everything work correctly. In order to minimize the amount of
changes on existing tests, the default Process constructor now takes
fields directly and there is a from_proc class method that builds a new
Process object from /proc. Additionally, getting the pid of a process in
a container is virtually impossible, so we make the pid check optional.

Author: Molter73

tests/conftest.py

@@ -84,7 +84,7 @@ def dump_logs(container, file):
 def fact_config(request, monitored_dir, logs_dir):
     cwd = os.getcwd()
     config = {
-        'paths': [monitored_dir],
+        'paths': [monitored_dir, '/mounted', '/container-dir'],
         'grpc': {
             'url': 'http://127.0.0.1:9999',
         },
@@ -106,6 +106,31 @@ def fact_config(request, monitored_dir, logs_dir):
     config_file.close()
 
 
+@pytest.fixture
+def test_container(request, docker_client, ignored_dir):
+    """
+    Run a container for triggering events in.
+    """
+    container = docker_client.containers.run(
+        'quay.io/fedora/fedora:43',
+        detach=True,
+        tty=True,
+        volumes={
+            ignored_dir: {
+                'bind': '/mounted',
+                'mode': 'z',
+            },
+        },
+        name='fedora',
+    )
+    container.exec_run('mkdir /mounted /container-dir')
+
+    yield container
+
+    container.stop(timeout=1)
+    container.remove()
+
+
 @pytest.fixture
 def fact(request, docker_client, fact_config, server, logs_dir):
     """
@@ -124,20 +149,8 @@ def fact(request, docker_client, fact_config, server, logs_dir):
         network_mode='host',
         privileged=True,
         volumes={
-            '/sys/kernel/security': {
-                'bind': '/host/sys/kernel/security',
-                'mode': 'ro',
-            },
-            '/etc': {
-                'bind': '/host/etc',
-                'mode': 'ro',
-            },
-            '/proc/sys/kernel': {
-                'bind': '/host/proc/sys/kernel',
-                'mode': 'ro',
-            },
-            '/usr/lib/os-release': {
-                'bind': '/host/usr/lib/os-release',
+            '/': {
+                'bind': '/host',
                 'mode': 'ro',
             },
             config_file: {

tests/event.py

@@ -37,10 +37,31 @@ class Process:
     Represents a process with its attributes.
     """
 
-    def __init__(self, pid: int | None = None):
-        self._pid: int = pid if pid is not None else os.getpid()
-        proc_dir = os.path.join('/proc', str(self._pid))
-
+    def __init__(self,
+                 pid: int | None,
+                 uid: int,
+                 gid: int,
+                 exe_path: str,
+                 args: str,
+                 name: str,
+                 container_id: str,
+                 loginuid: int):
+        self._pid: int | None = pid
+        self._uid: int = uid
+        self._gid: int = gid
+        self._exe_path: str = exe_path
+        self._args: str = args
+        self._name: str = name
+        self._container_id: str = container_id
+        self._loginuid: int = loginuid
+
+    @classmethod
+    def from_proc(cls, pid: int | None = None):
+        pid: int = pid if pid is not None else os.getpid()
+        proc_dir = os.path.join('/proc', str(pid))
+
+        uid = 0
+        gid = 0
         with open(os.path.join(proc_dir, 'status'), 'r') as f:
             def get_id(line: str, wanted_id: str) -> int | None:
                 if line.startswith(f'{wanted_id}:'):
@@ -50,27 +71,36 @@ def get_id(line: str, wanted_id: str) -> int | None:
                 return None
 
             for line in f.readlines():
-                if (uid := get_id(line, 'Uid')) is not None:
-                    self._uid: int = uid
-                elif (gid := get_id(line, 'Gid')) is not None:
-                    self._gid: int = gid
+                if (id := get_id(line, 'Uid')) is not None:
+                    uid = id
+                elif (id := get_id(line, 'Gid')) is not None:
+                    gid = id
 
-        self._exe_path: str = os.path.realpath(os.path.join(proc_dir, 'exe'))
+        exe_path = os.path.realpath(os.path.join(proc_dir, 'exe'))
 
         with open(os.path.join(proc_dir, 'cmdline'), 'rb') as f:
             content = f.read(4096)
             args = [arg.decode('utf-8')
                     for arg in content.split(b'\x00') if arg]
-            self._args: str = ' '.join(args)
+        args = ' '.join(args)
 
         with open(os.path.join(proc_dir, 'comm'), 'r') as f:
-            self._name: str = f.read().strip()
+            name = f.read().strip()
 
         with open(os.path.join(proc_dir, 'cgroup'), 'r') as f:
-            self._container_id: str = extract_container_id(f.read())
+            container_id = extract_container_id(f.read())
 
         with open(os.path.join(proc_dir, 'loginuid'), 'r') as f:
-            self._loginuid: int = int(f.read())
+            loginuid = int(f.read())
+
+        return Process(pid=pid,
+                       uid=uid,
+                       gid=gid,
+                       exe_path=exe_path,
+                       args=args,
+                       name=name,
+                       container_id=container_id,
+                       loginuid=loginuid)
 
     @property
     def uid(self) -> int:
@@ -81,7 +111,7 @@ def gid(self) -> int:
         return self._gid
 
     @property
-    def pid(self) -> int:
+    def pid(self) -> int | None:
         return self._pid
 
     @property
@@ -107,10 +137,12 @@ def loginuid(self) -> int:
     @override
     def __eq__(self, other: Any) -> bool:
         if isinstance(other, ProcessSignal):
+            if self.pid is not None and self.pid != other.pid:
+                return False
+
             return (
                 self.uid == other.uid and
                 self.gid == other.gid and
-                self.pid == other.pid and
                 self.exe_path == other.exec_file_path and
                 self.args == other.args and
                 self.name == other.name and
@@ -124,7 +156,7 @@ def __str__(self) -> str:
         return (f'Process(uid={self.uid}, gid={self.gid}, pid={self.pid}, '
                 f'exe_path={self.exe_path}, args={self.args}, '
                 f'name={self.name}, container_id={self.container_id}, '
-                f'loginuid={self.loginuid}')
+                f'loginuid={self.loginuid})')
 
 
 class Event:
@@ -136,10 +168,12 @@ class Event:
     def __init__(self,
                  process: Process,
                  event_type: EventType,
-                 file: str):
+                 file: str,
+                 host_path: str = ''):
         self._type: EventType = event_type
         self._process: Process = process
         self._file: str = file
+        self._host_path: str = host_path
 
     @property
     def event_type(self) -> EventType:
@@ -153,22 +187,30 @@ def process(self) -> Process:
     def file(self) -> str:
         return self._file
 
+    @property
+    def host_path(self) -> str:
+        return self._host_path
+
     @override
     def __eq__(self, other: Any) -> bool:
         if isinstance(other, FileActivity):
             if self.process != other.process or self.event_type.name.lower() != other.WhichOneof('file'):
                 return False
 
             if self.event_type == EventType.CREATION:
-                return self.file == other.creation.activity.path
+                return self.file == other.creation.activity.path and \
+                    self.host_path == other.creation.activity.host_path
             elif self.event_type == EventType.OPEN:
-                return self.file == other.open.activity.path
+                return self.file == other.open.activity.path and \
+                    self.host_path == other.open.activity.host_path
             elif self.event_type == EventType.UNLINK:
-                return self.file == other.unlink.activity.path
+                return self.file == other.unlink.activity.path and \
+                    self.host_path == other.unlink.activity.host_path
             return False
         raise NotImplementedError
 
     @override
     def __str__(self) -> str:
         return (f'Event(event_type={self.event_type.name}, '
-                f'process={self.process}, file="{self.file}")')
+                f'process={self.process}, file="{self.file}", '
+                f'host_path="{self.host_path}")')

tests/test_config_hotreload.py

@@ -97,8 +97,9 @@ def test_output_grpc_address_change(fact, fact_config, monitored_dir, server, al
     with open(fut, 'w') as f:
         f.write('This is a test')
 
-    process = Process()
-    e = Event(process=process, event_type=EventType.CREATION, file=fut)
+    process = Process.from_proc()
+    e = Event(process=process, event_type=EventType.CREATION,
+              file=fut, host_path=fut)
     print(f'Waiting for event: {e}')
 
     server.wait_events([e])
@@ -111,30 +112,32 @@ def test_output_grpc_address_change(fact, fact_config, monitored_dir, server, al
     with open(fut, 'w') as f:
         f.write('This is another test')
 
-    e = Event(process=process, event_type=EventType.OPEN, file=fut)
+    e = Event(process=process, event_type=EventType.OPEN,
+              file=fut, host_path=fut)
     print(f'Waiting for event on alternate server: {e}')
 
     alternate_server.wait_events([e])
 
 
 def test_paths(fact, fact_config, monitored_dir, ignored_dir, server):
-    p = Process()
+    p = Process.from_proc()
 
     # Ignored file, must not show up in the server
     ignored_file = os.path.join(ignored_dir, 'test.txt')
     with open(ignored_file, 'w') as f:
         f.write('This is to be ignored')
 
-    ignored_event = Event(
-        process=p, event_type=EventType.CREATION, file=ignored_file)
+    ignored_event = Event(process=p, event_type=EventType.CREATION,
+                          file=ignored_file, host_path=ignored_file)
     print(f'Ignoring: {ignored_event}')
 
     # File Under Test
     fut = os.path.join(monitored_dir, 'test.txt')
     with open(fut, 'w') as f:
         f.write('This is a test')
 
-    e = Event(process=p, event_type=EventType.CREATION, file=fut)
+    e = Event(process=p, event_type=EventType.CREATION,
+              file=fut, host_path=fut)
     print(f'Waiting for event: {e}')
 
     server.wait_events([e], ignored=[ignored_event])
@@ -148,38 +151,40 @@ def test_paths(fact, fact_config, monitored_dir, ignored_dir, server):
     with open(ignored_file, 'w') as f:
         f.write('This is another test')
 
-    e = Event(
-        process=p, event_type=EventType.OPEN, file=ignored_file)
+    e = Event(process=p, event_type=EventType.OPEN,
+              file=ignored_file, host_path=ignored_file)
     print(f'Waiting for event: {e}')
 
     # File Under Test
     with open(fut, 'w') as f:
         f.write('This is another ignored event')
 
-    ignored_event = Event(process=p, event_type=EventType.OPEN, file=fut)
+    ignored_event = Event(
+        process=p, event_type=EventType.OPEN, file=fut, host_path=fut)
     print(f'Ignoring: {ignored_event}')
 
     server.wait_events([e], ignored=[ignored_event])
 
 
 def test_paths_addition(fact, fact_config, monitored_dir, ignored_dir, server):
-    p = Process()
+    p = Process.from_proc()
 
     # Ignored file, must not show up in the server
     ignored_file = os.path.join(ignored_dir, 'test.txt')
     with open(ignored_file, 'w') as f:
         f.write('This is to be ignored')
 
-    ignored_event = Event(
-        process=p, event_type=EventType.CREATION, file=ignored_file)
+    ignored_event = Event(process=p, event_type=EventType.CREATION,
+                          file=ignored_file, host_path=ignored_file)
     print(f'Ignoring: {ignored_event}')
 
     # File Under Test
     fut = os.path.join(monitored_dir, 'test.txt')
     with open(fut, 'w') as f:
         f.write('This is a test')
 
-    e = Event(process=p, event_type=EventType.CREATION, file=fut)
+    e = Event(process=p, event_type=EventType.CREATION,
+              file=fut, host_path=fut)
     print(f'Waiting for event: {e}')
 
     server.wait_events([e], ignored=[ignored_event])
@@ -196,8 +201,9 @@ def test_paths_addition(fact, fact_config, monitored_dir, ignored_dir, server):
         f.write('This is one final event')
 
     events = [
-        Event(process=p, event_type=EventType.OPEN, file=ignored_file),
-        Event(process=p, event_type=EventType.OPEN, file=fut)
+        Event(process=p, event_type=EventType.OPEN,
+              file=ignored_file, host_path=ignored_file),
+        Event(process=p, event_type=EventType.OPEN, file=fut, host_path=fut)
     ]
     print(f'Waiting for events: {events}')