Adding testcases for contaner certification test

Add first container cnf test case

Author: aneeshkp

Makefile

@@ -34,12 +34,17 @@ cnf-tests: build build-cnf-tests run-cnf-tests
 
 operator-cnf-tests: build build-cnf-operator-tests run-operator-tests
 
+container-cnf-tests: build build-cnf-container-tests run-container-tests
+
 build-cnf-tests:
 	PATH=${PATH}:${GOBIN} ginkgo build ./test-network-function
 
 build-cnf-operator-tests:
 	PATH=${PATH}:${GOBIN} ginkgo build ./test-network-function/operator-test --tags operator_suite
 
+build-cnf-container-tests:
+	PATH=${PATH}:${GOBIN} ginkgo build ./test-network-function/container-test --tags container_suite
+
 run-generic-cnf-tests:
 	cd ./test-network-function && ./test-network-function.test -ginkgo.focus="generic" ${COMMON_GINKGO_ARGS}
 
@@ -49,6 +54,9 @@ run-cnf-tests:
 run-operator-tests:
 	cd ./test-network-function/operator-test && ./operator-test.test  $COMMON_GINKGO_ARGS
 
+run-container-tests:
+	cd ./test-network-function/container-test && ./container-test.test  $COMMON_GINKGO_ARGS
+
 deps-update:
 	go mod tidy && \
 	go mod vendor
@@ -71,6 +79,8 @@ clean:
 	rm -f ./test-network-function/cnf-certification-tests_junit.xml
 	rm -f ./test-network-function/operator-test/operator-test.test
 	rm -f ./test-network-function/operator-test/cnf-operator-certification-tests_junit.xml
+	rm -f ./test-network-function/container-test/container-test.test
+	rm -f ./test-network-function/container-test/cnf-container-certification-tests_junit.xml
 
 dependencies:
 	go get github.com/onsi/ginkgo/ginkgo

README.md

@@ -281,7 +281,7 @@ In order to run an operator test suite, `operator-test` for example, issue the f
 
 ```shell script
 make build build-cnf-operator-tests
-cd ./test-network-function/operator-test && ./operator-test.test -ginkgo.v -ginkgo.focus="operatr_test" -junit . -report .
+cd ./test-network-function/operator-test && ./operator-test.test -ginkgo.v -ginkgo.focus="operator_test" -junit . -report .
 ```
 
 Test Configuration
@@ -298,9 +298,67 @@ Sample config.yml
       status: "Succeeded"
       
 ```
-cd ./test-network-function/operator-test && ./operator-test.test -config=config.yml  -ginkgo.v -ginkgo.focus="operatr_test" -junit . -report .
+cd ./test-network-function/operator-test && ./operator-test.test -config=config.yml  -ginkgo.v -ginkgo.focus="operator_test" -junit . -report .
 ```
 
 
 A JUnit report containing results is created at `test-network-function/operator-test/cnf-operator-certification-tests_junit.xml`.
 
+### Run an Container Test Suite
+
+In order to run an container test suite, `container-test` for example, issue the following command:
+
+```shell script
+make build build-cnf-container-tests
+cd ./test-network-function/container-test && ./container-test.test -ginkgo.v -ginkgo.focus="container_test" -junit . -report .
+```
+
+Test Configuration
+ 
+You can either edit the provided config at `test-network-function/container-test/config.yml`
+or you can pass config with `-config` flag to the test suite
+
+Sample config.yml
+    ---
+    pod:
+      - name: "nginx"
+        namespace: "default"
+        status: "Running"
+        tests:
+          - "PRIVILEGED_POD"
+      
+```shell script
+make build build-cnf-container-tests
+cd ./test-network-function/container-test && ./container-test.test -config=config.yml  -ginkgo.v -ginkgo.focus="container_test" -junit . -report .
+```
+
+Configuring test cases
+
+By default the test suite will run all the default test cases defined by the suite,
+but you can override those test cases by creating a folder named`testcases` and adding test steps under that folder.
+The filenames and contents should match as shown below.    
+
+Example:
+```
+ ./testcases/
+      privileged.yml
+   ```
+
+You can delete or comment the test step for bypassing the tests.
+For an example, if you remove `"HOST_PATH_CHECK"` from the privileged.yml then that test will be skipped.
+1. privileged.yml
+```
+---
+ testconfigured:
+   - "HOST_NETWORK_CHECK"
+   - "HOST_PORT_CHECK"
+   - "HOST_PATH_CHECK"
+   - "HOST_IPC_CHECK"
+   - "HOST_PID_CHECK"
+   - "CAPABILITY_CHECK"
+   - "ROOT_CHECK"
+   - "PRIVILEGE_ESCALATION"`
+```      
+
+A JUnit report containing results is created at `test-network-function/container-test/cnf-operator-certification-tests_junit.xml`.
+

pkg/tnf/handlers/container/doc.go

@@ -0,0 +1,2 @@
+//Package container provides functionality to test pod and container level checks
+package container

pkg/tnf/handlers/container/pod.go

@@ -0,0 +1,117 @@
+package container
+
+import (
+	"fmt"
+	"github.com/redhat-nfvpe/test-network-function/internal/reel"
+	"github.com/redhat-nfvpe/test-network-function/pkg/tnf"
+	"github.com/redhat-nfvpe/test-network-function/pkg/tnf/handlers/container/testcases"
+	"regexp"
+	"strings"
+	"time"
+)
+
+//Pod that is under test.
+type Pod struct {
+	result       int
+	timeout      time.Duration
+	args         []string
+	status       string
+	Command      string
+	Name         string
+	Namespace    string
+	ExpectStatus []string
+	Action       string
+	ResultType   string
+	FailOn       string
+}
+
+// Args returns the command line args for the test.
+func (p *Pod) Args() []string {
+	return p.args
+}
+
+// Timeout return the timeout for the test.
+func (p *Pod) Timeout() time.Duration {
+	return p.timeout
+}
+
+// Result returns the test result.
+func (p *Pod) Result() int {
+	return p.result
+}
+
+// ReelFirst returns a step which expects an pod status for the given pod.
+func (p *Pod) ReelFirst() *reel.Step {
+	return &reel.Step{
+		Expect:  []string{testcases.GetOutRegExp("ALLOW_ALL")},
+		Timeout: p.timeout,
+	}
+}
+
+func contains(arr []string, str string) (found bool) {
+	found = false
+	for _, a := range arr {
+		if a == str {
+			found = true
+			break
+		}
+	}
+	return
+}
+
+// ReelMatch parses the pod status output and set the test result on match.
+// Returns no step; the test is complete.
+func (p *Pod) ReelMatch(_ string, _ string, match string) *reel.Step {
+	//for type: array ,should match for any expected status or fail on any expected status
+	//based on the action type allow (default)|deny
+	if p.ResultType == "array" {
+
+		replacer := strings.NewReplacer(`[`, ``, "\"", ``, `]`, ``, `, `, `,`)
+		match = replacer.Replace(match)
+		matchSlice := strings.Split(match, ",")
+		for _, status := range matchSlice {
+			if contains(p.ExpectStatus, status) {
+				if p.Action == "deny" { //Single deny match is failure.
+					return nil
+				}
+			} else if p.Action == "allow" {
+				return nil //should be in allowed list
+			}
+		}
+	} else {
+		for _, status := range p.ExpectStatus {
+			re := regexp.MustCompile(testcases.GetOutRegExp(status))
+			matched := re.MatchString(match)
+			if !matched {
+				return nil
+			}
+		}
+	}
+
+	p.result = tnf.SUCCESS
+	return nil
+}
+
+// ReelTimeout does nothing;
+func (p *Pod) ReelTimeout() *reel.Step {
+	return nil
+}
+
+// ReelEOF does nothing.
+func (p *Pod) ReelEOF() {
+}
+
+// NewPod creates a `Container` test  on the configured test cases.
+func NewPod(command, name, namespace string, expectedStatus []string, resultType string, action string, timeout time.Duration) *Pod {
+	args := strings.Split(fmt.Sprintf(command, name, namespace), " ")
+	return &Pod{
+		Name:         name,
+		Namespace:    namespace,
+		ExpectStatus: expectedStatus,
+		Action:       action,
+		ResultType:   resultType,
+		result:       tnf.ERROR,
+		timeout:      timeout,
+		args:         args,
+	}
+}

pkg/tnf/handlers/container/pod_test.go

@@ -0,0 +1,96 @@
+package container_test
+
+import (
+	"fmt"
+	"github.com/redhat-nfvpe/test-network-function/pkg/tnf"
+	"github.com/redhat-nfvpe/test-network-function/pkg/tnf/handlers/container"
+	"github.com/redhat-nfvpe/test-network-function/pkg/tnf/handlers/container/testcases"
+	"github.com/stretchr/testify/assert"
+	"strings"
+	"testing"
+	"time"
+)
+
+const (
+	testTimeoutDuration = time.Second * 2
+	name                = "HOST_NETWORK_CHECK"
+	namespace           = "test"
+	command             = "oc get pod  %s  -n %s -o json  | jq -r '.spec.hostNetwork'"
+	actionAllow         = "allow"
+	actionDeny          = "deny"
+)
+
+var (
+	stringExpectedStatus = []string{"NULL_FALSE"}
+	sliceExpectedStatus  = []string{"NET_ADMIN", "SYS_TIME"}
+)
+
+func TestPod_Args(t *testing.T) {
+	c := container.NewPod(command, name, namespace, stringExpectedStatus, actionAllow, "string", testTimeoutDuration)
+	args := strings.Split(fmt.Sprintf(command, c.Name, c.Namespace), " ")
+	assert.Equal(t, args, c.Args())
+}
+
+func TestPod_ReelFirst(t *testing.T) {
+	c := container.NewPod(command, name, namespace, stringExpectedStatus, actionAllow, "string", testTimeoutDuration)
+	step := c.ReelFirst()
+	assert.Equal(t, "", step.Execute)
+	assert.Equal(t, []string{testcases.GetOutRegExp("ALLOW_ALL")}, step.Expect)
+	assert.Equal(t, testTimeoutDuration, step.Timeout)
+}
+
+func TestPod_ReelEof(t *testing.T) {
+	c := container.NewPod(command, name, namespace, stringExpectedStatus, "string", actionAllow, testTimeoutDuration)
+	// just ensures lack of panic
+	c.ReelEOF()
+}
+
+func TestPod_ReelTimeout(t *testing.T) {
+	c := container.NewPod(command, name, namespace, stringExpectedStatus, "string", actionAllow, testTimeoutDuration)
+	step := c.ReelTimeout()
+	assert.Nil(t, step)
+}
+func TestPodTest_ReelMatchString(t *testing.T) {
+	c := container.NewPod(command, name, namespace, stringExpectedStatus, "string", actionAllow, testTimeoutDuration)
+	step := c.ReelMatch("", "", "null")
+	assert.Nil(t, step)
+	assert.Equal(t, tnf.SUCCESS, c.Result())
+}
+
+func TestPodTest_ReelMatchStringNoFound(t *testing.T) {
+	c := container.NewPod(command, name, namespace, stringExpectedStatus, "string", actionAllow, testTimeoutDuration)
+	step := c.ReelMatch("", "", "not_null")
+	assert.Nil(t, step)
+	assert.Equal(t, tnf.ERROR, c.Result())
+}
+
+func TestPodTest_ReelMatchArray_Allow_Match(t *testing.T) {
+	c := container.NewPod(command, name, namespace, sliceExpectedStatus, "array", actionAllow, testTimeoutDuration)
+	step := c.ReelMatch("", "", `["NET_ADMIN", "SYS_TIME"]`)
+	assert.Nil(t, step)
+	assert.Equal(t, tnf.SUCCESS, c.Result())
+}
+
+func TestPodTest_ReelMatchArray_Allow_NoMatch(t *testing.T) {
+	c := container.NewPod(command, name, namespace, sliceExpectedStatus, "array", actionAllow, testTimeoutDuration)
+	step := c.ReelMatch("", "", `["NET_ADMIN", "NO_SYS_TIME"]`)
+	assert.Nil(t, step)
+	assert.Equal(t, tnf.ERROR, c.Result())
+}
+func TestPodTest_ReelMatchArray_Deny_Match(t *testing.T) {
+	c := container.NewPod(command, name, namespace, sliceExpectedStatus, "array", actionDeny, testTimeoutDuration)
+	step := c.ReelMatch("", "", `["NET_ADMIN", "SYS_TIME"]`)
+	assert.Nil(t, step)
+	assert.Equal(t, tnf.ERROR, c.Result())
+}
+func TestPodTest_ReelMatchArray_Deny_NotMatch(t *testing.T) {
+	c := container.NewPod(command, name, namespace, sliceExpectedStatus, "array", actionDeny, testTimeoutDuration)
+	step := c.ReelMatch("", "", `["NOT_NET_ADMIN", "NOT_SYS_TIME"]`)
+	assert.Nil(t, step)
+	assert.Equal(t, tnf.SUCCESS, c.Result())
+}
+func TestNewPod(t *testing.T) {
+	c := container.NewPod(command, name, namespace, stringExpectedStatus, "string", actionAllow, testTimeoutDuration)
+	assert.Equal(t, tnf.ERROR, c.Result())
+	assert.Equal(t, testTimeoutDuration, c.Timeout())
+}