[CWS] Add test on container scope variables (#32319)

DataDog · Dec 18, 2024 · a53dc62 · a53dc62
1 parent 469bd66
commit a53dc62
Showing 1 changed file with 70 additions and 0 deletions.
diff --git a/pkg/security/tests/container_test.go b/pkg/security/tests/container_test.go
@@ -182,3 +182,73 @@ func TestContainerFlagsPodman(t *testing.T) {
 		})
 	})
 }
+
+func TestContainerVariables(t *testing.T) {
+	SkipIfNotAvailable(t)
+
+	ruleDefs := []*rules.RuleDefinition{
+		{
+			ID:         "test_container_set_variable",
+			Expression: `container.id != "" && open.file.path == "{{.Root}}/test-open"`,
+			Actions: []*rules.ActionDefinition{
+				{
+					Set: &rules.SetDefinition{
+						Scope: "container",
+						Value: 1,
+						Name:  "foo",
+					},
+				},
+			},
+		},
+		{
+			ID:         "test_container_check_variable",
+			Expression: `container.id != "" && open.file.path == "{{.Root}}/test-open2" && ${container.foo} == 1`,
+		},
+	}
+	test, err := newTestModule(t, nil, ruleDefs)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer test.Close()
+
+	testFile, _, err := test.Path("test-open")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	testFile2, _, err := test.Path("test-open2")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	dockerWrapper, err := newDockerCmdWrapper(test.Root(), test.Root(), "ubuntu", "")
+	if err != nil {
+		t.Skip("Skipping created time in containers tests: Docker not available")
+		return
+	}
+	defer dockerWrapper.stop()
+
+	dockerWrapper.Run(t, "container-variables", func(t *testing.T, _ wrapperType, cmdFunc func(cmd string, args []string, envs []string) *exec.Cmd) {
+		test.WaitSignal(t, func() error {
+			cmd := cmdFunc("touch", []string{testFile}, nil)
+			return cmd.Run()
+		}, func(event *model.Event, rule *rules.Rule) {
+			assertTriggeredRule(t, rule, "test_container_set_variable")
+			assertFieldEqual(t, event, "open.file.path", testFile)
+			assertFieldNotEmpty(t, event, "container.id", "container id shouldn't be empty")
+
+			test.validateOpenSchema(t, event)
+		})
+
+		test.WaitSignal(t, func() error {
+			cmd := cmdFunc("touch", []string{testFile2}, nil)
+			return cmd.Run()
+		}, func(event *model.Event, rule *rules.Rule) {
+			assertTriggeredRule(t, rule, "test_container_check_variable")
+			assertFieldEqual(t, event, "open.file.path", testFile2)
+			assertFieldNotEmpty(t, event, "container.id", "container id shouldn't be empty")
+
+			test.validateOpenSchema(t, event)
+		})
+	})
+}