OCPBUGS-9382: Expose validation issue when creating TailoredProfiles
TailoredProfiles can extend existing profiles, which can be either Node
or Platform type.

However, it's possible to create a TailoredProfile that extends a
profile of a particular type, and then reference rules of the opposite
type. This causes issues during scans because you'd expect the rules to
be excluded, but they're not.

This commit adds an e2e test that exposes the issue. This can be
addressed with improved validation when creating a TailoredProfile.

Related to issue #65.
rhmdnd committed Apr 14, 2023
1 parent 13cb0b4 commit 1db3eb0
Showing 1 changed file with 47 additions and 0 deletions.
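--- a/tests/e2e/parallel/main_test.go
+++ b/tests/e2e/parallel/main_test.go
@@ -2795,3 +2795,50 @@ func TestScheduledSuiteTimeoutFail(t *testing.T) {
 t.Fatal("The scan should have the timeout annotation")
 }
 }
+
+func TestTailoredProfileRuleValidation(t *testing.T) {
+f := framework.Global
+t.Parallel()
+
+tpName := framework.GetObjNameFromTest(t)
+profileName := "ocp4-cis"
+nodeRuleName := "ocp4-kubelet-enable-protect-kernel-defaults"
+
+// Create a tailored profile that extends a Platform profile, but
+// excludes a Node rule
+tp := &compv1alpha1.TailoredProfile{
+ObjectMeta: metav1.ObjectMeta{
+Name: tpName,
+Namespace: f.OperatorNamespace,
+},
+Spec: compv1alpha1.TailoredProfileSpec{
+Title: tpName,
+Description: tpName,
+DisableRules: []compv1alpha1.RuleReferenceSpec{
+{
+Name: nodeRuleName,
+Rationale: "Rationale",
+},
+},
+Extends: profileName,
+},
+}
+
+err := f.Client.Create(context.TODO(), tp, nil)
+if err != nil {
+t.Fatal(err)
+}
+defer f.Client.Delete(context.TODO(), tp)
+
+tpGet := &compv1alpha1.TailoredProfile{}
+err = f.WaitForObjectToExist(tpName, f.OperatorNamespace, tpGet)
+if err != nil {
+t.Fatalf("failed waiting for TailoredProfile %s to be created: %s", tpName, err)
+}
+
+// FIXME(rhmdnd): Assert that it's possible to create the profile that
+// mixes rule types without error.
+if tpGet.Status.State != compv1alpha1.TailoredProfileStateError {
+t.Fatalf("TailoredProfile %s expected to be in error state, but it's actually in %s", tpName, tpGet.Status.State)
+}
+}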
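Review bot: The final check on `tpGet.Status.State` reads the status from the single object returned by `WaitForObjectToExist`, which by its name only waits for the TailoredProfile to exist, not for the controller to have reconciled it. If the status is still empty at that moment the test fails with a blank state in the message, which is indistinguishable from the validation gap it is meant to expose and would remain a source of flakiness once validation lands. Re-fetching the object in a bounded poll until `Status.State` is non-empty, and only then comparing it with `TailoredProfileStateError`, would make this a dependable guard against a tailored profile that silently keeps rules its author meant to disable. The FIXME above the check also reads as the opposite of the assertion; a wording such as `// FIXME(rhmdnd): today a profile mixing rule types is accepted; this check fails until validation flags it.` would match the code. The deferred `f.Client.Delete` discards its error, so a leftover profile in the operator namespace would go unnoticed.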
