From b667c47587f63f579fd972a1acd6aa5e3bc12cfc Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Fri, 6 Sep 2019 18:54:19 -0700
Subject: [PATCH] update testrunner for examples/best_practices/policy_validate_container_security_context.yaml

---
 ..._validate_container_security_context.yaml} | 25 ++++++-------------
 ...e_validate_container_security_context.yaml | 13 ++++++++++
 pkg/testrunner/testrunner_test.go | 4 +++
 ...o_validate_container_security_context.yaml | 22 ++++++++++++++++
 4 files changed, 46 insertions(+), 18 deletions(-)
 rename examples/best_practices/{validate_container_security_context.yaml => policy_validate_container_security_context.yaml} (61%)
 create mode 100644 examples/best_practices/resources/resource_validate_container_security_context.yaml
 create mode 100644 test/scenarios/test/scenario_validate_container_security_context.yaml

diff --git a/examples/best_practices/validate_container_security_context.yaml b/examples/best_practices/policy_validate_container_security_context.yaml
similarity index 61%
rename from examples/best_practices/validate_container_security_context.yaml
rename to examples/best_practices/policy_validate_container_security_context.yaml
index 0faabd160b..816f63f7cc 100644
--- a/examples/best_practices/validate_container_security_context.yaml
+++ b/examples/best_practices/policy_validate_container_security_context.yaml
@@ -20,12 +20,6 @@ spec:
 - spec:
 securityContext:
 runAsNonRoot: true
- # pattern:
- # spec:
- # containers:
- # - name: "*"
- # securityContext:
- # runAsNonRoot: true
 - name: check-privilege
 exclude:
 resources:
@@ -37,15 +31,10 @@ spec:
 - Pod
 validate:
 message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
- anyPattern:
- - spec:
- securityContext:
- allowPrivilegeEscalation: false
- privileged: false
- # pattern:
- # spec:
- # containers:
- # - name: "*"
- # securityContext:
- # allowPrivilegeEscalation: false
- # privileged: false
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
diff --git a/examples/best_practices/resources/resource_validate_container_security_context.yaml b/examples/best_practices/resources/resource_validate_container_security_context.yaml
new file mode 100644
index 0000000000..48dba8fe6c
--- /dev/null
+++ b/examples/best_practices/resources/resource_validate_container_security_context.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: check-container-security-context
+spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - name: check-container-security-context
+ image: nginxinc/nginx-unprivileged
+ securityContext:
+ allowPrivilegeEscalation: true
+ privileged: false
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 05e4fafa8f..5aa74f992c 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -18,6 +18,10 @@ func Test_validate_containerSecurityContext(t *testing.T) {
 testScenario(t, "/test/scenarios/test/scenario_validate_containerSecurityContext.yaml")
 }
 
+func Test_validate_checkContainerSecurityContext(t *testing.T) {
+ testScenario(t, "/test/scenarios/test/scenario_validate_container_security_context.yaml")
+}
+
 func Test_validate_healthChecks(t *testing.T) {
 testScenario(t, "/test/scenarios/test/scenario_validate_healthChecks.yaml")
 }
diff --git a/test/scenarios/test/scenario_validate_container_security_context.yaml b/test/scenarios/test/scenario_validate_container_security_context.yaml
new file mode 100644
index 0000000000..6e2c1f1522
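Review bot: The new `pattern` for check-privilege only walks `spec.containers`, so a pod whose `initContainers` (or ephemeral containers) set `privileged: true` or `allowPrivilegeEscalation: true` is not rejected by this rule, even though those containers run with the same node access. The same `- name: "*"` block should be applied to `spec.initContainers` as well, either in this pattern using the engine's optional-field anchor if this version has one, or as a parallel rule. As I read the pattern semantics, a container that omits `securityContext` entirely now fails the rule because the path does not exist, which is the right fail-closed behaviour for a best practice but worth stating in the rule's `message:` so operators understand why an otherwise plain pod is denied. The `message:` context line also misspells `allowPrivilegeEscalatin`; since the new scenario fixture copies that string verbatim, fixing it later means touching both files.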
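Review bot: The fixture gives no hint which way each rule is meant to come out, and the deliberately non-compliant `allowPrivilegeEscalation: true` reads like a mistake next to `privileged: false` and the pod-level `runAsNonRoot: true`. A header comment would make the intent reviewable without opening the scenario file, e.g. `# Fixture: check-root-user should pass (pod-level runAsNonRoot), check-privilege should fail (allowPrivilegeEscalation: true on the container)`. Naming the pod the same as the policy (`check-container-security-context`) also makes the expected `policyresponse` harder to read; a distinct resource name would help.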
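Review bot: `Test_validate_checkContainerSecurityContext` differs from the existing `Test_validate_containerSecurityContext` above it only by the word "check", and the two scenario paths differ only in naming style (`containerSecurityContext` vs `container_security_context`), so it is not clear from either name which policy is under test. Consider a name that mirrors the scenario file, `func Test_validate_container_security_context(t *testing.T) {`, or at least a comment on the new function, `// exercises examples/best_practices/policy_validate_container_security_context.yaml`. The first two context lines belong to `Test_validate_containerSecurityContext`, whose signature sits on the hunk header line outside the hunk body.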
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_container_security_context.yaml
@@ -0,0 +1,22 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_container_security_context.yaml
+ resource: examples/best_practices/resources/resource_validate_container_security_context.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: check-container-security-context
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: check-container-security-context
+ rules:
+ - name: check-root-user
+ type: Validation
+ message: "Validation rule 'check-root-user' anyPattern[0] succesfully validated"
+ success: true
+ - name: check-privilege
+ type: Validation
+ message: "Validation rule 'check-privilege' failed at '/spec/containers/0/securityContext/allowPrivilegeEscalation/' for resource Pod//check-container-security-context. Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
+ success: false
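Review bot: The expected `message:` for check-privilege embeds the misspelling `allowPrivilegeEscalatin` copied from the policy's `message:` field, so correcting the policy wording later will break this scenario unless both files are changed together; fixing the spelling in the policy and here in the same commit avoids that trap. The `succesfully` in the check-root-user message presumably mirrors the engine's own output string, in which case it cannot be corrected in this fixture alone. The scenario pins only one direction per rule (check-root-user passing, check-privilege failing); a second fixture with a fully compliant pod expecting both rules `success: true`, and one with a root-running container expecting check-root-user to fail, would give the policy symmetric regression coverage.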