Remedy problems in automated tests. (#220)

* Remedy problems in automated tests.

* CIS 1.2.7, CIS 1.2.20 tests: update expected evaluation

* Fix post-merge problems.

* Bring back OPA decision logs.

Automated tests currently depend on these logs.

* Address comments.

Author: yashtewari

JUSTFILE

@@ -1,6 +1,6 @@
 # Refactor via kustomize https://kustomize.io/
 
-image-tag := `git branch --show-current`
+image_tag := `git branch --show-current`
 
 create-kind-cluster:
   kind create cluster --config deploy/k8s/kind/kind-config.yml
@@ -20,6 +20,7 @@ load-cloudbeat-image:
   kind load docker-image cloudbeat:latest --name kind-mono
 
 build-cloudbeat:
+  GOOS=linux go mod vendor
   GOOS=linux go build -v && docker build -t cloudbeat .
 
 deploy-cloudbeat:
@@ -43,7 +44,7 @@ delete-cloudbeat-debug:
 build-deploy-eks-cloudbeat: build-cloudbeat publish-image-to-ecr deploy-eks-cloudbeat
 
 publish-image-to-ecr:
-  aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin 704479110758.dkr.ecr.us-east-2.amazonaws.com && docker tag cloudbeat 704479110758.dkr.ecr.us-east-2.amazonaws.com/cloudbeat:{{image-tag}} && docker push 704479110758.dkr.ecr.us-east-2.amazonaws.com/cloudbeat:{{image-tag}}
+  aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin 704479110758.dkr.ecr.us-east-2.amazonaws.com && docker tag cloudbeat 704479110758.dkr.ecr.us-east-2.amazonaws.com/cloudbeat:{{image_tag}} && docker push 704479110758.dkr.ecr.us-east-2.amazonaws.com/cloudbeat:{{image_tag}}
 
 deploy-eks-cloudbeat:
   kubectl delete -f deploy/eks/cloudbeat-ds.yml -n kube-system & kubectl apply -f deploy/eks/cloudbeat-ds.yml -n kube-system
@@ -80,23 +81,28 @@ expose-ports:
 
 #### TESTS ####
 
-TESTS_RELEASE := "cloudbeat-tests"
-TIMEOUT := "1200s"
+TEST_POD := 'test-pod-v1'
+TESTS_RELEASE := 'cloudbeat-test'
+TEST_LOGS_DIRECTORY := 'test-logs'
+POD_STATUS_UNKNOWN := 'Unknown'
+POD_STATUS_PENDING := 'Pending'
+POD_STATUS_RUNNING := 'Running'
+TIMEOUT := '1200s'
 
 patch-cb-yml-tests:
   kubectl kustomize deploy/k8s/kustomize/test > tests/deploy/cloudbeat-pytest.yml
 
 build-pytest-docker:
-  cd tests; docker build -t cloudbeat-test .
+  cd tests; docker build -t {{TESTS_RELEASE}} .
 
 load-pytest-kind:
-  kind load docker-image cloudbeat-test:latest --name kind-mono
+  kind load docker-image {{TESTS_RELEASE}}:latest --name kind-mono
 
 deploy-tests-helm:
   helm upgrade --wait --timeout={{TIMEOUT}} --install --values tests/deploy/values/ci.yml --namespace kube-system {{TESTS_RELEASE}}  tests/deploy/k8s-cloudbeat-tests/
 
-deploy-local-tests-helm:
-  helm upgrade --wait --timeout={{TIMEOUT}} --install --values tests/deploy/values/local-host.yml --namespace kube-system {{TESTS_RELEASE}}  tests/deploy/k8s-cloudbeat-tests/
+deploy-local-tests-helm target:
+  helm upgrade --wait --timeout={{TIMEOUT}} --install --values tests/deploy/values/local-host.yml --set testData.marker={{target}} --namespace kube-system {{TESTS_RELEASE}}  tests/deploy/k8s-cloudbeat-tests/
 
 purge-tests:
 	helm del {{TESTS_RELEASE}} -n kube-system
@@ -105,8 +111,72 @@ gen-report:
   allure generate tests/allure/results --clean -o tests/allure/reports && cp tests/allure/reports/history/* tests/allure/results/history/. && allure open tests/allure/reports
 
 run-tests:
-  helm test cloudbeat-tests --namespace kube-system --logs
+  helm test {{TESTS_RELEASE}} --namespace kube-system
 
 build-load-run-tests: build-pytest-docker load-pytest-kind run-tests
 
-prepare-local-helm-cluster: create-kind-cluster build-cloudbeat load-cloudbeat-image deploy-local-tests-helm
+delete-local-helm-cluster:
+  kind delete cluster --name kind-mono
+
+cleanup-create-local-helm-cluster target: delete-local-helm-cluster create-kind-cluster build-cloudbeat load-cloudbeat-image
+  just deploy-local-tests-helm {{target}}
+
+# TODO(DaveSys911): Move scripts out of JUSTFILE: https://github.com/elastic/security-team/issues/4291
+test-pod-status:
+  #!/usr/bin/env sh
+
+  if [ ${STATUS=`kubectl get pod -n kube-system test-pod-v1 --template {{{{.status.phase}}`} ]; then
+    echo $STATUS
+  else
+    echo {{POD_STATUS_UNKNOWN}}
+  fi
+
+collect-logs target:
+  #!/usr/bin/env sh
+
+  echo 'Collecting logs for target {{target}}...'
+
+  LOG_FILE={{TEST_LOGS_DIRECTORY}}/{{target}}.log
+  LOG_FILE_TMP={{TEST_LOGS_DIRECTORY}}/{{target}}.log.tmp
+
+  mkdir -p {{TEST_LOGS_DIRECTORY}}
+  echo '' > $LOG_FILE
+  
+  STATUS={{POD_STATUS_UNKNOWN}}
+  while [ $STATUS = {{POD_STATUS_UNKNOWN}} ] || [ $STATUS = {{POD_STATUS_PENDING}} ] || [ $STATUS = {{POD_STATUS_RUNNING}} ]; do
+    sleep 5
+
+    STATUS=`just test-pod-status`
+    if [ $STATUS = {{POD_STATUS_UNKNOWN}} ]; then
+      continue
+    fi
+
+    kubectl logs test-pod-v1 -n kube-system 2>&1 > $LOG_FILE_TMP
+
+    if [ `stat -c%s "${LOG_FILE_TMP}"` -gt `stat -c%s "${LOG_FILE}"` ]; then
+      cp $LOG_FILE_TMP $LOG_FILE
+      echo "Wrote logs to ${LOG_FILE}"
+    fi
+  done
+
+  rm $LOG_FILE_TMP
+  echo 'Done collecting logs for target {{target}}.'
+
+run-test-target target:
+  echo 'Cleaning up cluster for running test target: {{target}}'
+  just cleanup-create-local-helm-cluster {{target}}
+
+  echo 'Running test target: {{target}}'
+  just build-load-run-tests &
+
+
+run-test-targets +targets='file_system_rules k8s_object_rules process_api_server_rules process_controller_manager_rules process_etcd_rules process_kubelet_rules process_scheduler_rules':
+  #!/usr/bin/env sh
+
+  echo 'Running tests: {{targets}}'
+
+  for TARGET in {{targets}}; do
+    just run-test-target $TARGET
+    just collect-logs $TARGET
+  done
+

evaluator/opa.go

@@ -51,6 +51,9 @@ var opaConfig = `{
 			"resource": "/bundles/bundle.tar.gz"
 		}
 	},
+	"decision_logs": {
+		"console": true
+	}
 }`
 
 func NewOpaEvaluator(ctx context.Context, log *logp.Logger, cfg config.Config) (Evaluator, error) {

tests/README.md

@@ -172,6 +172,16 @@ Tests execution depends on the developers needs and currently this framework sup
 
 ### Dev Mode
 
+To run all test targets with just cloudbeat, without testing against Kibana or Elasticsearch, run
+
+```
+just run-test-targets
+```
+
+Note that this will create and destroy the test cluster several times. Logs can be found in the `test-logs` directory and test results can be found in `tests/allure/results`.
+
+----
+
 Before running tests verify that **System Under Test (SUT) Setup** is done and running.
 Since elasticsearch is deployed inside cluster, for reaching it from outside execute the following command:
 ```shell

tests/commonlib/kubernetes.py

@@ -2,10 +2,18 @@
 This module provides kubernetes functionality based on original kubernetes python library.
 """
 
+from typing import Union
+from pathlib import Path
+
 from kubernetes import client, config, utils
 from kubernetes.client import ApiException
 from kubernetes.watch import watch
 
+from commonlib.io_utils import get_k8s_yaml_objects
+
+
+RESOURCE_POD = 'Pod'
+RESOURCE_SERVICE_ACCOUNT = 'ServiceAccount'
 
 class KubernetesHelper:
 
@@ -23,9 +31,9 @@ def __init__(self, is_in_cluster_config: bool = False):
         self.api_client = client.api_client.ApiClient(configuration=self.config)
 
         self.dispatch_list = {
-            'Pod': self.core_v1_client.list_namespaced_pod,
+            RESOURCE_POD: self.core_v1_client.list_namespaced_pod,
             'ConfigMap': self.core_v1_client.list_namespaced_config_map,
-            'ServiceAccount': self.core_v1_client.list_namespaced_service_account,
+            RESOURCE_SERVICE_ACCOUNT: self.core_v1_client.list_namespaced_service_account,
             'DaemonSet': self.app_api.list_namespaced_daemon_set,
             'Role': self.rbac_api.list_namespaced_role,
             'RoleBinding': self.rbac_api.list_namespaced_role_binding,
@@ -36,9 +44,9 @@ def __init__(self, is_in_cluster_config: bool = False):
         }
 
         self.dispatch_delete = {
-            'Pod': self.core_v1_client.delete_namespaced_pod,
+            RESOURCE_POD: self.core_v1_client.delete_namespaced_pod,
             'ConfigMap': self.core_v1_client.delete_namespaced_config_map,
-            'ServiceAccount': self.core_v1_client.delete_namespaced_service_account,
+            RESOURCE_SERVICE_ACCOUNT: self.core_v1_client.delete_namespaced_service_account,
             'DaemonSet': self.app_api.delete_namespaced_daemon_set,
             'Role': self.rbac_api.delete_namespaced_role,
             'RoleBinding': self.rbac_api.delete_namespaced_role_binding,
@@ -179,7 +187,82 @@ def delete_resources(self, resource_type: str, **kwargs):
     def patch_resources(self, resource_type: str, **kwargs):
         """
         """
-        return self.dispatch_patch[resource_type](**kwargs)
+        if resource_type != RESOURCE_POD:
+            return self.dispatch_patch[resource_type](**kwargs)
+
+        patch_body = kwargs.pop('body')
+
+        pod = self.get_resource(resource_type, **kwargs)
+        self.delete_resources(resource_type=resource_type, **kwargs)
+        deleted = self.wait_for_resource(resource_type=resource_type, status_list=['DELETED'], **kwargs)
+
+        if not deleted:
+            raise ValueError(f'could not delete Pod: {kwargs}')
+
+        return self.create_patched_resource(resource_type, patch_body)
+    
+    def create_patched_resource(self, patch_resource_type, patch_body):
+        """
+        """
+        file_path = Path(__file__).parent / '../deploy/mock-pod.yml'
+        k8s_resources = get_k8s_yaml_objects(file_path=file_path)
+
+        patch_metadata = patch_body['metadata']
+        patch_relevant_metadata = {k: patch_metadata[k] for k in ('name', 'namespace') if k in patch_metadata}
+
+        patched_resource = None
+
+        for yml_resource in k8s_resources:
+            resource_type, metadata = yml_resource['kind'], yml_resource['metadata']
+            relevant_metadata = {k: metadata[k] for k in ('name', 'namespace') if k in metadata}
+
+            if resource_type != patch_resource_type or relevant_metadata != patch_relevant_metadata:
+                continue
+
+            patched_body = self.patch_resource_body(yml_resource, patch_body)
+            created_resource = self.create_from_dict(patched_body, **relevant_metadata)
+
+            done = self.wait_for_resource(resource_type=resource_type, status_list=["RUNNING", "ADDED"], **relevant_metadata)
+            if done:
+                patched_resource = created_resource
+            
+            break
+        
+        return patched_resource
+    
+    def patch_resource_body(self, body: Union[list,dict], patch: Union[list,dict]) -> Union[list,dict]:
+        """
+        """
+        if type(body) != type(patch):
+            raise ValueError(f'Cannot compare {type(body)}: {body} with {type(patch)}: {patch}')
+        
+        if isinstance(body, dict):
+            for key, val in patch.items():
+                if key not in body:
+                    body[key] = val
+                else:
+                    if isinstance(val, list) or isinstance(val, dict):
+                        body[key] = self.patch_resource_body(body[key], val)
+                    else:
+                        body[key] = val
+        
+        elif isinstance(body, list):
+            for i, val in enumerate(body):
+                if i >= len(patch):
+                    break
+
+                if isinstance(val, list) or isinstance(val, dict):
+                    body[i] = self.patch_resource_body(body[i], val)
+                else:
+                    body[i] = val
+            
+            if len(patch) > len(body):
+                body += val[len(patch):]
+                
+        else:
+            raise ValueError(f'Invalid body {body} of type {type(body)}')
+        
+        return body
 
     def list_resources(self, resource_type: str, **kwargs):
         """
@@ -206,16 +289,21 @@ def wait_for_resource(self, resource_type: str, name: str, status_list: list,
         watches a resources for a status change
         @param resource_type: the resource type
         @param name: resource name
-        @param status_list: excepted statuses e.g., RUNNING, DELETED, MODIFIED, ADDED
+        @param status_list: accepted statuses e.g., RUNNING, DELETED, MODIFIED, ADDED
         @param timeout: until wait
         @return: True if status reached
         """
+        # When pods are being created, MODIFIED events are also of interest to check if
+        # they successfully transition from ContainerCreating to Running state.
+        if (resource_type == RESOURCE_POD) and ('ADDED' in status_list) and ('MODIFIED' not in status_list):
+            status_list.append('MODIFIED')
+
         w = watch.Watch()
         for event in w.stream(func=self.dispatch_list[resource_type],
                               timeout_seconds=timeout,
                               **kwargs):
             if name in event["object"].metadata.name and event["type"] in status_list:
-                if event['object'].status.phase == 'Pending':
+                if (resource_type == RESOURCE_POD) and ('ADDED' in status_list) and (event['object'].status.phase == 'Pending'):
                     continue
                 w.stop()
                 return True

tests/commonlib/utils.py

@@ -1,13 +1,16 @@
 import datetime
+import time
+
+from typing import Union
 
 from commonlib.io_utils import get_logs_from_stream
-import time
 
 
 def get_evaluation(k8s, timeout, pod_name, namespace, rule_tag, exec_timestamp,
-                   resource_identifier=lambda r: True) -> str:
+                   resource_identifier=lambda r: True) -> Union[str,None]:
     """
     This function retrieves pod logs and verifies if evaluation result is equal to expected result.
+    It returns None if no pod logs for evaluation for the given rule_tag can be found.
     @param resource_identifier: function to filter a specific resource
     @param k8s: Kubernetes wrapper instance
     @param timeout: Exit timeout
@@ -28,12 +31,18 @@ def get_evaluation(k8s, timeout, pod_name, namespace, rule_tag, exec_timestamp,
             findings_timestamp = datetime.datetime.strptime(log.time, '%Y-%m-%dT%H:%M:%Sz')
             if (findings_timestamp - exec_timestamp).total_seconds() < 0:
                 continue
-            for finding in log.result.findings:
+            
+            try:
+                findings = log.result.findings
+                resource = log.result.resource
+            except AttributeError:
+                continue
+
+            for finding in findings:
                 if rule_tag in finding.rule.tags:
-                    resource = log.result.resource
                     if resource_identifier(resource):
                         return finding.result.evaluation
-    return "unknown"
+    return None
 
 
 def dict_contains(small, big):

tests/product/tests/conftest.py

@@ -1,15 +1,28 @@
 from pathlib import Path
+import time
 import pytest
 from kubernetes.client import ApiException
 from kubernetes.utils import FailToCreateError
 import json
 from commonlib.io_utils import get_k8s_yaml_objects
 
 
+DEPLOY_YML = "../../deploy/cloudbeat-pytest.yml"
 KUBE_RULES_ENV_YML = "../../deploy/mock-pod.yml"
 POD_RESOURCE_TYPE = "Pod"
 
 
+@pytest.fixture(scope='module')
+def data(k8s, api_client, cloudbeat_agent):
+    file_path = Path(__file__).parent / DEPLOY_YML
+    if k8s.get_agent_pod_instances(agent_name=cloudbeat_agent.name, namespace=cloudbeat_agent.namespace):
+        k8s.delete_from_yaml(get_k8s_yaml_objects(file_path=file_path))
+    k8s.start_agent(yaml_file=file_path, namespace=cloudbeat_agent.namespace)
+    time.sleep(5)
+    yield k8s, api_client, cloudbeat_agent
+    k8s_yaml_list = get_k8s_yaml_objects(file_path=file_path)
+    k8s.delete_from_yaml(yaml_objects_list=k8s_yaml_list)  # stop agent
+
 @pytest.fixture(scope='module')
 def config_node_pre_test(data):
     k8s_client, api_client, cloudbeat_agent = data
@@ -50,7 +63,8 @@ def clean_test_env(data):
         except ApiException as notFound:
             print(f"no {relevant_metadata['name']} online - setting up a new one: {notFound}")
             # create resource
-            k8s_client.create_from_dict(data=yml_resource, **relevant_metadata)
+        
+        k8s_client.create_from_dict(data=yml_resource, **relevant_metadata)
 
     yield k8s_client, api_client, cloudbeat_agent
     # teardown