1
// SPDX-License-Identifier: Apache-2.0
2
// Copyright Authors of Tetragon
10
v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
11
"github.com/cilium/tetragon/api/v1/tetragon"
12
"github.com/stretchr/testify/assert"
15
func TestLabelSelectorFilterInvalidFilter(t *testing.T) {
16
filter := []*tetragon.Filter{{Labels: []string{"!@#$%"}}}
17
_, err := BuildFilterList(context.Background(), filter, []OnBuildFilter{&LabelsFilter{}})
21
func TestLabelSelectorFilterInvalidEvent(t *testing.T) {
22
filter := []*tetragon.Filter{{Labels: []string{"key1,key2"}}}
23
fl, err := BuildFilterList(context.Background(), filter, []OnBuildFilter{&LabelsFilter{}})
24
assert.NoError(t, err)
26
// nil pod should not match.
27
exec := tetragon.GetEventsResponse_ProcessExec{
28
ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{}},
30
ev := v1.Event{Event: &tetragon.GetEventsResponse{Event: &exec}}
31
assert.False(t, fl.MatchOne(&ev))
33
// nil process should not match.
34
exec.ProcessExec.Process = nil
35
assert.False(t, fl.MatchOne(&ev))
38
func TestLabelSelectorFilterNoValue(t *testing.T) {
39
filter := []*tetragon.Filter{{Labels: []string{"key1,key2"}}}
40
fl, err := BuildFilterList(context.Background(), filter, []OnBuildFilter{&LabelsFilter{}})
41
assert.NoError(t, err)
42
exec := tetragon.GetEventsResponse_ProcessExec{
43
ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{PodLabels: map[string]string{}}}},
45
ev := v1.Event{Event: &tetragon.GetEventsResponse{Event: &exec}}
46
assert.False(t, fl.MatchOne(&ev))
47
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key3": "val3"}
48
assert.False(t, fl.MatchOne(&ev))
49
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "val1"}
50
assert.False(t, fl.MatchOne(&ev))
51
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "val1", "key2": "val2"}
52
assert.True(t, fl.MatchOne(&ev))
53
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "val1", "key2": "val2", "key3": "val3"}
54
assert.True(t, fl.MatchOne(&ev))
57
func TestLabelSelectorFilterWithValue(t *testing.T) {
58
filter := []*tetragon.Filter{{Labels: []string{"key1=val1,key2=val2"}}}
59
fl, err := BuildFilterList(context.Background(), filter, []OnBuildFilter{&LabelsFilter{}})
60
assert.NoError(t, err)
61
exec := tetragon.GetEventsResponse_ProcessExec{
62
ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{PodLabels: map[string]string{}}}},
64
ev := v1.Event{Event: &tetragon.GetEventsResponse{Event: &exec}}
65
assert.False(t, fl.MatchOne(&ev))
66
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key3": "val3"}
67
assert.False(t, fl.MatchOne(&ev))
68
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "val1"}
69
assert.False(t, fl.MatchOne(&ev))
70
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "foo", "key2": "bar"}
71
assert.False(t, fl.MatchOne(&ev))
72
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "val1", "key2": "val2"}
73
assert.True(t, fl.MatchOne(&ev))
74
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "val1", "key2": "val2", "key3": "val3"}
75
assert.True(t, fl.MatchOne(&ev))
78
func TestLabelSelectorFilterEmptySelector(t *testing.T) {
79
filter := []*tetragon.Filter{{Labels: []string{""}}}
80
fl, err := BuildFilterList(context.Background(), filter, []OnBuildFilter{&LabelsFilter{}})
81
assert.NoError(t, err)
82
exec := tetragon.GetEventsResponse_ProcessExec{
83
ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{PodLabels: map[string]string{}}}},
86
// empty selector matches everything.
87
ev := v1.Event{Event: &tetragon.GetEventsResponse{Event: &exec}}
88
assert.True(t, fl.MatchOne(&ev))
89
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key3": "val3"}
90
assert.True(t, fl.MatchOne(&ev))
91
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "val1"}
92
assert.True(t, fl.MatchOne(&ev))
93
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "foo", "key2": "bar"}
94
assert.True(t, fl.MatchOne(&ev))
95
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "val1", "key2": "val2"}
96
assert.True(t, fl.MatchOne(&ev))
97
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "val1", "key2": "val2", "key3": "val3"}
98
assert.True(t, fl.MatchOne(&ev))
101
func TestLabelSelectorFilterSetSelector(t *testing.T) {
102
filter := []*tetragon.Filter{{Labels: []string{"key1 in (foo, bar), key2 notin (baz)"}}}
103
fl, err := BuildFilterList(context.Background(), filter, []OnBuildFilter{&LabelsFilter{}})
104
assert.NoError(t, err)
105
exec := tetragon.GetEventsResponse_ProcessExec{
106
ProcessExec: &tetragon.ProcessExec{Process: &tetragon.Process{Pod: &tetragon.Pod{PodLabels: map[string]string{}}}},
109
ev := v1.Event{Event: &tetragon.GetEventsResponse{Event: &exec}}
110
assert.False(t, fl.MatchOne(&ev))
111
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "foo"}
112
assert.True(t, fl.MatchOne(&ev))
113
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "bar", "key2": "baz"}
114
assert.False(t, fl.MatchOne(&ev))
115
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "foo", "key2": "foo"}
116
assert.True(t, fl.MatchOne(&ev))
117
exec.ProcessExec.Process.Pod.PodLabels = map[string]string{"key1": "foo", "key2": "foo", "key3": "foo"}
118
assert.True(t, fl.MatchOne(&ev))