From 6178ddc98a941394b49a5c27e91140d699bbfda3 Mon Sep 17 00:00:00 2001 From: Sylvain Baubeau Date: Wed, 18 Dec 2024 01:42:17 +0100 Subject: [PATCH] Add test on container scope variables --- pkg/security/tests/container_test.go | 70 ++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/pkg/security/tests/container_test.go b/pkg/security/tests/container_test.go index 7a659481da74b..15d896f1718ef 100644 --- a/pkg/security/tests/container_test.go +++ b/pkg/security/tests/container_test.go @@ -182,3 +182,73 @@ func TestContainerFlagsPodman(t *testing.T) { }) }) } + +func TestContainerVariables(t *testing.T) { + SkipIfNotAvailable(t) + + ruleDefs := []*rules.RuleDefinition{ + { + ID: "test_container_set_variable", + Expression: `container.id != "" && open.file.path == "{{.Root}}/test-open"`, + Actions: []*rules.ActionDefinition{ + { + Set: &rules.SetDefinition{ + Scope: "container", + Value: 1, + Name: "foo", + }, + }, + }, + }, + { + ID: "test_container_check_variable", + Expression: `container.id != "" && open.file.path == "{{.Root}}/test-open2" && ${container.foo} == 1`, + }, + } + test, err := newTestModule(t, nil, ruleDefs) + if err != nil { + t.Fatal(err) + } + defer test.Close() + + testFile, _, err := test.Path("test-open") + if err != nil { + t.Fatal(err) + } + + testFile2, _, err := test.Path("test-open2") + if err != nil { + t.Fatal(err) + } + + dockerWrapper, err := newDockerCmdWrapper(test.Root(), test.Root(), "ubuntu", "") + if err != nil { + t.Skip("Skipping created time in containers tests: Docker not available") + return + } + defer dockerWrapper.stop() + + dockerWrapper.Run(t, "container-variables", func(t *testing.T, _ wrapperType, cmdFunc func(cmd string, args []string, envs []string) *exec.Cmd) { + test.WaitSignal(t, func() error { + cmd := cmdFunc("touch", []string{testFile}, nil) + return cmd.Run() + }, func(event *model.Event, rule *rules.Rule) { + assertTriggeredRule(t, rule, "test_container_set_variable") + assertFieldEqual(t, event, "open.file.path", testFile) + assertFieldNotEmpty(t, event, "container.id", "container id shouldn't be empty") + + test.validateOpenSchema(t, event) + }) + + test.WaitSignal(t, func() error { + cmd := cmdFunc("touch", []string{testFile2}, nil) + return cmd.Run() + }, func(event *model.Event, rule *rules.Rule) { + assertTriggeredRule(t, rule, "test_container_check_variable") + assertFieldEqual(t, event, "open.file.path", testFile2) + assertFieldNotEmpty(t, event, "container.id", "container id shouldn't be empty") + + test.validateOpenSchema(t, event) + }) + }) +}