test: use testing/fstest instead of memoryfs (#264)

Signed-off-by: Nikita Pivkin <[email protected]>
aquasecurity · Nov 28, 2024 · 96ce13a · 96ce13a
1 parent 2b90111
commit 96ce13a
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 153 deletions.
diff --git a/go.mod b/go.mod
@@ -50,7 +50,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.1
 	github.com/aws/aws-sdk-go-v2/service/workspaces v1.50.1
 	github.com/liamg/iamgo v0.0.9
-	github.com/liamg/memoryfs v1.6.0
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0
 	github.com/stretchr/testify v1.10.0
@@ -235,6 +234,7 @@ require (
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
 	github.com/liamg/jfather v0.0.7 // indirect
+	github.com/liamg/memoryfs v1.6.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect

diff --git a/internal/testutil/util.go b/internal/testutil/util.go
diff --git a/pkg/scanner/scanner_test.go b/pkg/scanner/scanner_test.go
@@ -4,22 +4,22 @@ import (
 	"context"
 	"io/fs"
 	"testing"
+	"testing/fstest"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/trivy-aws/internal/testutil"
 	"github.com/aquasecurity/trivy/pkg/iac/framework"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/iam"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/rds"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/azure"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/authorization"
 	"github.com/aquasecurity/trivy/pkg/iac/rego"
+	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/options"
 	"github.com/aquasecurity/trivy/pkg/iac/state"
-	trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
-	defsecRules "github.com/aquasecurity/trivy/pkg/iac/types/rules"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
 type testStruct struct {
@@ -62,17 +62,17 @@ func TestScanner_GetRegisteredRules(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			for _, r := range tc.scanner.getRules() {
-				assertRules(t, r, tc)
+				assertRules(t, r.Rule, tc)
 			}
 		})
 	}
 }
 
-func assertRules(t *testing.T, r defsecRules.RegisteredRule, tc testStruct) {
+func assertRules(t *testing.T, r scan.Rule, tc testStruct) {
 	t.Helper()
 
-	if _, ok := r.Rule.Frameworks[tc.fwApplied]; !ok {
-		assert.FailNowf(t, "unexpected rule found", "rule: %s in test case: %s", r.Rule.AVDID, tc.name)
+	if _, ok := r.Frameworks[tc.fwApplied]; !ok {
+		assert.FailNowf(t, "unexpected rule found", "rule: %s in test case: %s", r.AVDID, tc.name)
 	}
 }
 
@@ -89,7 +89,7 @@ func Test_AWSInputSelectors(t *testing.T) {
 	}{
 		{
 			name: "selector is not defined",
-			srcFS: testutil.CreateFS(t, map[string]string{
+			srcFS: createFS(map[string]string{
 				"policies/rds_policy.rego": `# METADATA
 # title: "RDS Publicly Accessible"
 # custom:
@@ -114,8 +114,8 @@ deny[res] {
 			state: state.State{AWS: aws.AWS{
 				RDS: rds.RDS{
 					Instances: []rds.Instance{
-						{Metadata: trivyTypes.Metadata{},
-							PublicAccess: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+						{Metadata: iacTypes.Metadata{},
+							PublicAccess: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 						},
 					},
 				},
@@ -128,7 +128,7 @@ deny[res] {
 		},
 		{
 			name: "selector is empty",
-			srcFS: testutil.CreateFS(t, map[string]string{
+			srcFS: createFS(map[string]string{
 				"policies/rds_policy.rego": `# METADATA
 # title: "RDS Publicly Accessible"
 # custom:
@@ -156,8 +156,8 @@ deny[res] {
 			state: state.State{AWS: aws.AWS{
 				RDS: rds.RDS{
 					Instances: []rds.Instance{
-						{Metadata: trivyTypes.Metadata{},
-							PublicAccess: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+						{Metadata: iacTypes.Metadata{},
+							PublicAccess: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 						},
 					},
 				},
@@ -169,7 +169,7 @@ deny[res] {
 		},
 		{
 			name: "selector without subtype",
-			srcFS: testutil.CreateFS(t, map[string]string{
+			srcFS: createFS(map[string]string{
 				"policies/rds_policy.rego": `# METADATA
 # title: "RDS Publicly Accessible"
 # custom:
@@ -198,8 +198,8 @@ deny[res] {
 			state: state.State{AWS: aws.AWS{
 				RDS: rds.RDS{
 					Instances: []rds.Instance{
-						{Metadata: trivyTypes.Metadata{},
-							PublicAccess: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+						{Metadata: iacTypes.Metadata{},
+							PublicAccess: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 						},
 					},
 				},
@@ -212,7 +212,7 @@ deny[res] {
 		},
 		{
 			name: "conflicting selectors",
-			srcFS: testutil.CreateFS(t, map[string]string{
+			srcFS: createFS(map[string]string{
 				"policies/rds_policy.rego": `# METADATA
 # title: "RDS Publicly Accessible"
 # custom:
@@ -235,8 +235,8 @@ deny[res] {
 			state: state.State{AWS: aws.AWS{
 				RDS: rds.RDS{
 					Instances: []rds.Instance{
-						{Metadata: trivyTypes.Metadata{},
-							PublicAccess: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+						{Metadata: iacTypes.Metadata{},
+							PublicAccess: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 						},
 					},
 				},
@@ -248,7 +248,7 @@ deny[res] {
 		},
 		{
 			name: "selector is defined with empty subtype",
-			srcFS: testutil.CreateFS(t, map[string]string{
+			srcFS: createFS(map[string]string{
 				"policies/rds_policy.rego": `# METADATA
 # title: "RDS Publicly Accessible"
 # custom:
@@ -280,8 +280,8 @@ deny[res] {
 			state: state.State{AWS: aws.AWS{
 				RDS: rds.RDS{
 					Instances: []rds.Instance{
-						{Metadata: trivyTypes.Metadata{},
-							PublicAccess: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+						{Metadata: iacTypes.Metadata{},
+							PublicAccess: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 						},
 					},
 				},
@@ -294,7 +294,7 @@ deny[res] {
 		},
 		{
 			name: "single cloud, single selector",
-			srcFS: testutil.CreateFS(t, map[string]string{
+			srcFS: createFS(map[string]string{
 				"policies/rds_policy.rego": `# METADATA
 # title: "RDS Publicly Accessible"
 # description: "Ensures RDS instances are not launched into the public cloud."
@@ -360,8 +360,8 @@ deny[res] {
 			state: state.State{AWS: aws.AWS{
 				RDS: rds.RDS{
 					Instances: []rds.Instance{
-						{Metadata: trivyTypes.Metadata{},
-							PublicAccess: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+						{Metadata: iacTypes.Metadata{},
+							PublicAccess: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 						},
 					},
 				},
@@ -374,7 +374,7 @@ deny[res] {
 		},
 		{
 			name: "multi cloud, single selector, same named service",
-			srcFS: testutil.CreateFS(t, map[string]string{
+			srcFS: createFS(map[string]string{
 				"policies/azure_iam_policy.rego": `# METADATA
 # title: "Azure IAM Policy"
 # custom:
@@ -410,23 +410,23 @@ deny[res] {
 				AWS: aws.AWS{
 					IAM: iam.IAM{
 						PasswordPolicy: iam.PasswordPolicy{
-							MinimumLength: trivyTypes.Int(1, trivyTypes.NewTestMetadata()),
+							MinimumLength: iacTypes.Int(1, iacTypes.NewTestMetadata()),
 						}},
 				},
 				Azure: azure.Azure{
 					Authorization: authorization.Authorization{
 						RoleDefinitions: []authorization.RoleDefinition{{
-							Metadata: trivyTypes.NewTestMetadata(),
+							Metadata: iacTypes.NewTestMetadata(),
 							Permissions: []authorization.Permission{
 								{
-									Metadata: trivyTypes.NewTestMetadata(),
-									Actions: []trivyTypes.StringValue{
-										trivyTypes.String("*", trivyTypes.NewTestMetadata()),
+									Metadata: iacTypes.NewTestMetadata(),
+									Actions: []iacTypes.StringValue{
+										iacTypes.String("*", iacTypes.NewTestMetadata()),
 									},
 								},
 							},
-							AssignableScopes: []trivyTypes.StringValue{
-								trivyTypes.StringUnresolvable(trivyTypes.NewTestMetadata()),
+							AssignableScopes: []iacTypes.StringValue{
+								iacTypes.StringUnresolvable(iacTypes.NewTestMetadata()),
 							}},
 						}},
 				},
@@ -439,7 +439,7 @@ deny[res] {
 		},
 		{
 			name: "single cloud, single selector with config data",
-			srcFS: testutil.CreateFS(t, map[string]string{
+			srcFS: createFS(map[string]string{
 				"policies/rds_policy.rego": `# METADATA
 # title: "RDS Publicly Accessible"
 # description: "Ensures RDS instances are not launched into the public cloud."
@@ -500,7 +500,7 @@ deny[res] {
 }
 `,
 			}),
-			dataFS: testutil.CreateFS(t, map[string]string{
+			dataFS: createFS(map[string]string{
 				"config-data/data.json": `{
     "settings": {
 		"DS0999": {
@@ -516,8 +516,8 @@ deny[res] {
 			state: state.State{AWS: aws.AWS{
 				RDS: rds.RDS{
 					Instances: []rds.Instance{
-						{Metadata: trivyTypes.Metadata{},
-							PublicAccess: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+						{Metadata: iacTypes.Metadata{},
+							PublicAccess: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
 						},
 					},
 				},
@@ -539,7 +539,7 @@ deny[res] {
 			scannerOpts = append(scannerOpts, rego.WithEmbeddedPolicies(false))
 			scannerOpts = append(scannerOpts, rego.WithPolicyFilesystem(tc.srcFS))
 			scannerOpts = append(scannerOpts, options.ScannerWithRegoOnly(true))
-			scannerOpts = append(scannerOpts, rego.WithPolicyDirs("policies/"))
+			scannerOpts = append(scannerOpts, rego.WithPolicyDirs("policies"))
 			scanner := New(scannerOpts...)
 
 			results, err := scanner.Scan(context.TODO(), &tc.state)
@@ -551,3 +551,11 @@ deny[res] {
 		})
 	}
 }
+
+func createFS(files map[string]string) fs.FS {
+	fsys := make(fstest.MapFS)
+	for path, content := range files {
+		fsys[path] = &fstest.MapFile{Data: []byte(content)}
+	}
+	return fsys
+}