Merge pull request #221 from pjbgf/fuzz

Refactor Fuzz implementation

.github/workflows/cifuzz.yaml

@@ -0,0 +1,20 @@
+name: CIFuzz
+on:
+  pull_request:
+    branches:
+      - main
+jobs:
+  Fuzzing:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Restore Go cache
+      uses: actions/cache@v1
+      with:
+        path: /home/runner/work/_temp/_github_home/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+    - name: Smoke test Fuzzers
+      run: make fuzz-smoketest

.gitignore

@@ -7,7 +7,6 @@ notes
 *.so
 *.dylib
 bin
-testbin
 
 # Test binary, build with `go test -c`
 *.test
@@ -24,3 +23,5 @@ testbin
 *.swp
 *.swo
 *~
+
+build/

Makefile

@@ -114,7 +114,7 @@ ENVTEST = $(shell pwd)/bin/setup-envtest
 setup-envtest: ## Download envtest-setup locally if necessary.
 	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
 
-ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
+ENVTEST_ASSETS_DIR=$(shell pwd)/build/testbin
 ENVTEST_KUBERNETES_VERSION?=latest
 install-envtest: setup-envtest
 	mkdir -p ${ENVTEST_ASSETS_DIR}
@@ -133,3 +133,24 @@ GOBIN=$(PROJECT_DIR)/bin go install $(2) ;\
 rm -rf $$TMP_DIR ;\
 }
 endef
+
+# Build fuzzers
+fuzz-build:
+	rm -rf $(shell pwd)/build/fuzz/
+	mkdir -p $(shell pwd)/build/fuzz/out/
+
+	docker build . --tag local-fuzzing:latest -f tests/fuzz/Dockerfile.builder
+	docker run --rm \
+		-e FUZZING_LANGUAGE=go -e SANITIZER=address \
+		-e CIFUZZ_DEBUG='True' -e OSS_FUZZ_PROJECT_NAME=fluxcd \
+		-v "$(shell pwd)/build/fuzz/out":/out \
+		local-fuzzing:latest
+
+# Run each fuzzer once to ensure they are working
+fuzz-smoketest: fuzz-build
+	docker run --rm \
+		-v "$(shell pwd)/build/fuzz/out":/out \
+		-v "$(shell pwd)/tests/fuzz/oss_fuzz_run.sh":/runner.sh \
+		-e ENVTEST_KUBERNETES_VERSION="$(ENVTEST_KUBERNETES_VERSION)" \
+		local-fuzzing:latest \
+		bash -c "/runner.sh"

tests/fuzz/Dockerfile.builder

@@ -0,0 +1,6 @@
+FROM gcr.io/oss-fuzz-base/base-builder-go
+
+COPY ./ $GOPATH/src/github.com/fluxcd/image-reflector-controller/
+COPY ./tests/fuzz/oss_fuzz_build.sh $SRC/build.sh
+
+WORKDIR $SRC

tests/fuzz/README.md

@@ -0,0 +1,45 @@
+# fuzz testing
+
+Flux is part of Google's [oss fuzz] program which provides continuous fuzzing for 
+open source projects. 
+
+The long running fuzzing execution is configured in the [oss-fuzz repository].
+Shorter executions are done on a per-PR basis, configured as a [github workflow].
+
+For fuzzers to be called, they must be compiled within [oss_fuzz_build.sh](./oss_fuzz_build.sh).
+
+### Testing locally
+
+Build fuzzers:
+
+```bash
+make fuzz-build
+```
+All fuzzers will be built into `./build/fuzz/out`. 
+
+Smoke test fuzzers:
+
+```bash
+make fuzz-smoketest
+```
+
+The smoke test runs each fuzzer once to ensure they are fully functional.
+
+Run fuzzer locally:
+```bash
+./build/fuzz/out/fuzz_conditions_match
+```
+
+Run fuzzer inside a container:
+
+```bash
+	docker run --rm -ti \
+		-v "$(pwd)/build/fuzz/out":/out \
+		gcr.io/oss-fuzz/fluxcd \
+		/out/fuzz_conditions_match
+```
+
+
+[oss fuzz]: https://github.com/google/oss-fuzz
+[oss-fuzz repository]: https://github.com/google/oss-fuzz/tree/master/projects/fluxcd
+[github workflow]: .github/workflows/cifuzz.yaml