feat(test): e2e integration test for new helpers

aquasecurity · Dec 4, 2024 · 23044a1 · 23044a1
1 parent 8f63209
commit 23044a1
Show file tree

Hide file tree

Showing 8 changed files with 201 additions and 3 deletions.
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -61,6 +61,8 @@ env:
     ICMPv6
     DNS
     HTTP
+    HTTPRequest
+    HTTPResponse
   INSTTESTS: >
     PROCESS_EXECUTE_FAILED
     VFS_WRITE

diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca
 	github.com/aquasecurity/tracee/api v0.0.0-20241203172838-1f796cb64289
-	github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241009193135-0b23713fa9f9
+	github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241127122336-d1a65073b12d
 	github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863
 	github.com/containerd/containerd v1.7.21
 	github.com/docker/docker v26.1.5+incompatible

diff --git a/go.sum b/go.sum
@@ -408,8 +408,8 @@ github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca
 github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca/go.mod h1:UpO6kTehEgAGGKR2twztBxvzjTiLiV/cb2xmlYb+TfE=
 github.com/aquasecurity/tracee/api v0.0.0-20241203172838-1f796cb64289 h1:mr7+agMcMRwn9vRwc44MaEFTUZnw0pvIbhteyANG38I=
 github.com/aquasecurity/tracee/api v0.0.0-20241203172838-1f796cb64289/go.mod h1:Gn6xVkaBkVe1pOQ0++uuHl+lMMClv0TPY8mCQ6j88aA=
-github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241009193135-0b23713fa9f9 h1:sB84YYSDgUAYNSonXeMPweaN6dviCld8UNqcKDn1jBM=
-github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241009193135-0b23713fa9f9/go.mod h1:/eGxScU8+vnxYhchZ72Y0lv1HqTSooLvtGCt9x7450I=
+github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241127122336-d1a65073b12d h1:DRHCyvgCuLNg8cSKKEhPFMCTFqlqOa9bffOPL6Wx0TI=
+github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241127122336-d1a65073b12d/go.mod h1:/eGxScU8+vnxYhchZ72Y0lv1HqTSooLvtGCt9x7450I=
 github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863 h1:domVTTQICTuCvX+ZW5EjvdUBz8EH7FedBj5lRqwpgf4=
 github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863/go.mod h1:Jwh9OOuiMHXDoGQY12N9ls5YB+j1FlRcXvFMvh1CmIU=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=

diff --git a/tests/e2e-net-signatures/e2e-httprequest.go b/tests/e2e-net-signatures/e2e-httprequest.go
@@ -0,0 +1,86 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+//
+// HOWTO: The way to trigger this test signature is to execute:
+//
+//        curl google.com
+//
+//        This will cause it trigger once and reset it status.
+
+type e2eHTTPRequest struct {
+	cb detect.SignatureHandler
+}
+
+func (sig *e2eHTTPRequest) Init(ctx detect.SignatureContext) error {
+	sig.cb = ctx.Callback
+	return nil
+}
+
+func (sig *e2eHTTPRequest) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "HTTPRequest",
+		EventName:   "HTTPRequest",
+		Version:     "0.1.0",
+		Name:        "Network HTTP Request Test",
+		Description: "Network E2E Tests: HTTP Request",
+		Tags:        []string{"e2e", "network"},
+	}, nil
+}
+
+func (sig *e2eHTTPRequest) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "net_packet_http_request"},
+	}, nil
+}
+
+func (sig *e2eHTTPRequest) OnEvent(event protocol.Event) error {
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("failed to cast event's payload")
+	}
+
+	if eventObj.ProcessName != "curl" {
+		return nil
+	}
+
+	if eventObj.EventName == "net_packet_http_request" {
+		// validate tast context
+		if eventObj.HostName == "" {
+			return nil
+		}
+
+		httpRequest, err := helpers.GetProtoHTTPRequestByName(eventObj, "http_request")
+		if err != nil {
+			return err
+		}
+
+		if !strings.HasPrefix(httpRequest.Protocol, "HTTP/") {
+			return nil
+		}
+
+		m, _ := sig.GetMetadata()
+		sig.cb(&detect.Finding{
+			SigMetadata: m,
+			Event:       event,
+			Data:        map[string]interface{}{},
+		})
+	}
+
+	return nil
+}
+
+func (sig *e2eHTTPRequest) OnSignal(s detect.Signal) error {
+	return nil
+}
+
+func (sig *e2eHTTPRequest) Close() {}
diff --git a/tests/e2e-net-signatures/e2e-httpresponse.go b/tests/e2e-net-signatures/e2e-httpresponse.go
@@ -0,0 +1,82 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/aquasecurity/tracee/signatures/helpers"
+	"github.com/aquasecurity/tracee/types/detect"
+	"github.com/aquasecurity/tracee/types/protocol"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+//
+// HOWTO: The way to trigger this test signature is to execute:
+//
+//        curl google.com
+//
+//        This will cause it trigger once and reset it status.
+
+type e2eHTTPResponse struct {
+	cb detect.SignatureHandler
+}
+
+func (sig *e2eHTTPResponse) Init(ctx detect.SignatureContext) error {
+	sig.cb = ctx.Callback
+	return nil
+}
+
+func (sig *e2eHTTPResponse) GetMetadata() (detect.SignatureMetadata, error) {
+	return detect.SignatureMetadata{
+		ID:          "HTTPResponse",
+		EventName:   "HTTPResponse",
+		Version:     "0.1.0",
+		Name:        "Network HTTP Response Test",
+		Description: "Network E2E Tests: HTTP Response",
+		Tags:        []string{"e2e", "network"},
+	}, nil
+}
+
+func (sig *e2eHTTPResponse) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
+	return []detect.SignatureEventSelector{
+		{Source: "tracee", Name: "net_packet_http_response"},
+	}, nil
+}
+
+func (sig *e2eHTTPResponse) OnEvent(event protocol.Event) error {
+	eventObj, ok := event.Payload.(trace.Event)
+	if !ok {
+		return fmt.Errorf("failed to cast event's payload")
+	}
+
+	if eventObj.EventName == "net_packet_http_response" {
+		// validate tast context
+		if eventObj.HostName == "" {
+			return nil
+		}
+
+		httpResponse, err := helpers.GetProtoHTTPResponseByName(eventObj, "http_response")
+		if err != nil {
+			return err
+		}
+
+		if !strings.HasPrefix(httpResponse.Protocol, "HTTP/") {
+			return nil
+		}
+
+		m, _ := sig.GetMetadata()
+		sig.cb(&detect.Finding{
+			SigMetadata: m,
+			Event:       event,
+			Data:        map[string]interface{}{},
+		})
+	}
+
+	return nil
+}
+
+func (sig *e2eHTTPResponse) OnSignal(s detect.Signal) error {
+	return nil
+}
+
+func (sig *e2eHTTPResponse) Close() {}
diff --git a/tests/e2e-net-signatures/export.go b/tests/e2e-net-signatures/export.go
@@ -12,6 +12,8 @@ var ExportedSignatures = []detect.Signature{
 	&e2eICMPv6{},
 	&e2eDNS{},
 	&e2eHTTP{},
+	&e2eHTTPRequest{},
+	&e2eHTTPResponse{},
 }
 
 var ExportedDataSources = []detect.DataSource{

diff --git a/tests/e2e-net-signatures/scripts/httprequest.sh b/tests/e2e-net-signatures/scripts/httprequest.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+HOST="google.com"
+
+exit_err() {
+    echo -n "ERROR: "
+    echo $@
+    exit 1
+}
+
+command -v curl > /dev/null || exit_err "missing curl tool"
+
+curl $HOST
diff --git a/tests/e2e-net-signatures/scripts/httpresponse.sh b/tests/e2e-net-signatures/scripts/httpresponse.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+HOST="google.com"
+
+exit_err() {
+    echo -n "ERROR: "
+    echo $@
+    exit 1
+}
+
+command -v curl > /dev/null || exit_err "missing curl tool"
+
+curl $HOST