[CSPM] Compliance module: improve err report and fix tests (#21150)

DataDog · Dec 8, 2023 · 04a5acb · 04a5acb
1 parent e22027f
commit 04a5acb
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 25 deletions.
diff --git a/cmd/system-probe/modules/compliance.go b/cmd/system-probe/modules/compliance.go
@@ -67,7 +67,9 @@ func (m *complianceModule) Register(router *module.Router) error {
 
 func (m *complianceModule) handleError(writer http.ResponseWriter, request *http.Request, status int, err error) {
 	_ = log.Errorf("module compliance: failed to properly handle %s request: %s", request.URL.Path, err)
+	writer.Header().Set("Content-Type", "text/plain")
 	writer.WriteHeader(status)
+	writer.Write([]byte(err.Error()))
 }
 
 func (m *complianceModule) handleScanDBConfig(writer http.ResponseWriter, request *http.Request) {
@@ -78,7 +80,7 @@ func (m *complianceModule) handleScanDBConfig(writer http.ResponseWriter, reques
 	qs := request.URL.Query()
 	pid, err := strconv.ParseInt(qs.Get("pid"), 10, 32)
 	if err != nil {
-		m.handleError(writer, request, http.StatusBadRequest, fmt.Errorf("pid query paramater is not an integer: %w", err))
+		m.handleError(writer, request, http.StatusBadRequest, fmt.Errorf("pid query parameter is not an integer: %w", err))
 		return
 	}
 

diff --git a/cmd/system-probe/modules/compliance_test.go b/cmd/system-probe/modules/compliance_test.go
@@ -28,15 +28,15 @@ func TestComplianceModuleNoProcess(t *testing.T) {
 	{
 		url := "/dbconfig"
 		statusCode, _, respBody := doDBConfigRequest(t, url)
+		require.Contains(t, string(respBody), "pid query parameter is not an integer")
 		require.Equal(t, http.StatusBadRequest, statusCode)
-		require.Len(t, respBody, 0)
 	}
 
 	{
 		url := "/dbconfig?pid=0"
 		statusCode, _, respBody := doDBConfigRequest(t, url)
+		require.Contains(t, "resource not found for pid=0", string(respBody))
 		require.Equal(t, http.StatusNotFound, statusCode)
-		require.Len(t, respBody, 0)
 	}
 }
 
@@ -55,25 +55,29 @@ func TestComplianceCheckModuleWithProcess(t *testing.T) {
 	if err := json.Unmarshal(respBody, &resource); err != nil {
 		t.Fatal(err)
 	}
-	require.Nil(t, resource)
+	require.Equal(t, "db_postgresql", resource.Type)
+	require.Equal(t, "postgres", resource.Config.ProcessName)
+	require.NotEmpty(t, resource.Config.ProcessUser)
+	require.Equal(t, filepath.Join(tmp, "postgresql.conf"), resource.Config.ConfigFilePath)
+	require.NotEmpty(t, resource.Config.ConfigFileUser)
+	require.NotEmpty(t, resource.Config.ConfigFileGroup)
+	require.Equal(t, uint32(0600), resource.Config.ConfigFileMode)
+	require.Equal(t, map[string]interface{}{"foo": "bar"}, resource.Config.ConfigData)
 }
 
 func launchFakeProcess(ctx context.Context, t *testing.T, tmp, procname string) int {
-	// creates a symlink to /usr/bin/sleep to be able to create a fake
-	// postgres process.
-	sleepPath, err := exec.LookPath("sleep")
-	if err != nil {
-		t.Skipf("could not find sleep util")
-	}
-	fakePgPath := filepath.Join(tmp, procname)
-	if err := os.Symlink(sleepPath, fakePgPath); err != nil {
-		t.Fatalf("could not create fake process symlink: %v", err)
+	fakePgBinPath := filepath.Join(tmp, "postgres")
+	fakePgConfPath := filepath.Join(tmp, "postgresql.conf")
+
+	if err := os.WriteFile(fakePgBinPath, []byte("#!/bin/bash\nsleep 10"), 0700); err != nil {
+		t.Fatal(err)
 	}
-	if err := os.Chmod(fakePgPath, 0700); err != nil {
-		t.Fatalf("could not chmod fake process symlink: %v", err)
+
+	if err := os.WriteFile(fakePgConfPath, []byte(`foo = 'bar'`), 0600); err != nil {
+		t.Fatal(err)
 	}
 
-	cmd := exec.CommandContext(ctx, fakePgPath, "5")
+	cmd := exec.CommandContext(ctx, fakePgBinPath, fmt.Sprintf("--config-file=%s", fakePgConfPath))
 	if err := cmd.Start(); err != nil {
 		t.Fatalf("could not start fake process %q: %v", procname, err)
 	}

diff --git a/pkg/compliance/dbconfig/loader.go b/pkg/compliance/dbconfig/loader.go
@@ -89,11 +89,7 @@ func ListProcesses(ctx context.Context) map[utils.ContainerID]int32 {
 		if !ok {
 			continue
 		}
-
-		containerID, ok := utils.GetProcessContainerID(proc.Pid)
-		if !ok {
-			continue
-		}
+		containerID, _ := utils.GetProcessContainerID(proc.Pid)
 		// We dedupe our scans based on the resource type and the container
 		// ID, assuming that we will scan the same configuration for each
 		// containers running the process.
@@ -119,10 +115,7 @@ func LoadDBResourceFromPID(ctx context.Context, pid int32) (resource *DBResource
 	if !ok {
 		return
 	}
-	containerID, ok := utils.GetProcessContainerID(pid)
-	if !ok {
-		return
-	}
+	containerID, _ := utils.GetProcessContainerID(pid)
 	hostroot, ok := utils.GetProcessRootPath(pid)
 	if !ok {
 		return