fleet/server/service/vulnerabilities_test.go

package service

import (
	"context"
	"testing"
	"time"

	"github.com/fleetdm/fleet/v4/server/contexts/viewer"
	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/fleetdm/fleet/v4/server/mock"
	"github.com/fleetdm/fleet/v4/server/ptr"
	"github.com/stretchr/testify/require"
)

func TestListVulnerabilities(t *testing.T) {
	ds := new(mock.Store)
	svc, ctx := newTestService(t, ds, nil, nil)
	ctx = viewer.NewContext(ctx, viewer.Viewer{User: &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}})

	ds.ListVulnerabilitiesFunc = func(cxt context.Context, opt fleet.VulnListOptions) ([]fleet.VulnerabilityWithMetadata, *fleet.PaginationMetadata, error) {
		return []fleet.VulnerabilityWithMetadata{
			{
				CVE: fleet.CVE{
					CVE:         "CVE-2019-1234",
					Description: ptr.StringPtr("A vulnerability"),
				},
				CreatedAt:  time.Now(),
				HostsCount: 10,
			},
		}, nil, nil
	}

	t.Run("no list options", func(t *testing.T) {
		_, _, err := svc.ListVulnerabilities(ctx, fleet.VulnListOptions{})
		require.NoError(t, err)
	})

	t.Run("can only sort by supported columns", func(t *testing.T) {
		// invalid order key
		opts := fleet.VulnListOptions{ListOptions: fleet.ListOptions{
			OrderKey: "invalid",
		}, ValidSortColumns: freeValidVulnSortColumns}

		_, _, err := svc.ListVulnerabilities(ctx, opts)
		require.Error(t, err)
		require.Contains(t, err.Error(), "invalid order key")

		// valid order key
		opts.OrderKey = "cve"
		_, _, err = svc.ListVulnerabilities(ctx, opts)
		require.NoError(t, err)
	})
}

func TestVulnerabilitesAuth(t *testing.T) {
	ds := new(mock.Store)

	svc, ctx := newTestService(t, ds, nil, nil)

	ds.ListVulnerabilitiesFunc = func(cxt context.Context, opt fleet.VulnListOptions) ([]fleet.VulnerabilityWithMetadata, *fleet.PaginationMetadata, error) {
		return []fleet.VulnerabilityWithMetadata{}, &fleet.PaginationMetadata{}, nil
	}

	ds.VulnerabilityFunc = func(cxt context.Context, cve string, teamID *uint, includeCVEScores bool) (*fleet.VulnerabilityWithMetadata, error) {
		return &fleet.VulnerabilityWithMetadata{}, nil
	}

	ds.CountVulnerabilitiesFunc = func(cxt context.Context, opt fleet.VulnListOptions) (uint, error) {
		return 0, nil
	}

	ds.TeamExistsFunc = func(cxt context.Context, teamID uint) (bool, error) {
		return true, nil
	}

	for _, tc := range []struct {
		name                 string
		user                 *fleet.User
		shouldFailGlobalRead bool
		shouldFailTeamRead   bool
	}{
		{
			name: "global-admin",
			user: &fleet.User{
				ID:         1,
				GlobalRole: ptr.String(fleet.RoleAdmin),
			},
			shouldFailGlobalRead: false,
			shouldFailTeamRead:   false,
		},
		{
			name: "global-maintainer",
			user: &fleet.User{
				ID:         1,
				GlobalRole: ptr.String(fleet.RoleMaintainer),
			},
			shouldFailGlobalRead: false,
			shouldFailTeamRead:   false,
		},
		{
			name: "global-observer",
			user: &fleet.User{
				ID:         1,
				GlobalRole: ptr.String(fleet.RoleObserver),
			},
			shouldFailGlobalRead: false,
			shouldFailTeamRead:   false,
		},
		{
			name: "team-admin-belongs-to-team",
			user: &fleet.User{
				ID: 1,
				Teams: []fleet.UserTeam{{
					Team: fleet.Team{ID: 1},
					Role: fleet.RoleAdmin,
				}},
			},
			shouldFailGlobalRead: true,
			shouldFailTeamRead:   false,
		},
		{
			name: "team-maintainer-belongs-to-team",
			user: &fleet.User{
				ID: 1,
				Teams: []fleet.UserTeam{{
					Team: fleet.Team{ID: 1},
					Role: fleet.RoleMaintainer,
				}},
			},
			shouldFailGlobalRead: true,
			shouldFailTeamRead:   false,
		},
		{
			name: "team-observer-belongs-to-team",
			user: &fleet.User{
				ID: 1,
				Teams: []fleet.UserTeam{{
					Team: fleet.Team{ID: 1},
					Role: fleet.RoleObserver,
				}},
			},
			shouldFailGlobalRead: true,
			shouldFailTeamRead:   false,
		},
		{
			name: "team-admin-does-not-belong-to-team",
			user: &fleet.User{
				ID: 1,
				Teams: []fleet.UserTeam{{
					Team: fleet.Team{ID: 2},
					Role: fleet.RoleAdmin,
				}},
			},
			shouldFailGlobalRead: true,
			shouldFailTeamRead:   true,
		},
	} {
		t.Run(tc.name, func(t *testing.T) {
			ctx = viewer.NewContext(ctx, viewer.Viewer{User: tc.user})
			_, _, err := svc.ListVulnerabilities(ctx, fleet.VulnListOptions{})
			checkAuthErr(t, tc.shouldFailGlobalRead, err)

			_, _, err = svc.ListVulnerabilities(ctx, fleet.VulnListOptions{
				TeamID: 1,
			})
			checkAuthErr(t, tc.shouldFailTeamRead, err)

			_, err = svc.CountVulnerabilities(ctx, fleet.VulnListOptions{})
			checkAuthErr(t, tc.shouldFailGlobalRead, err)

			_, err = svc.CountVulnerabilities(ctx, fleet.VulnListOptions{
				TeamID: 1,
			})
			checkAuthErr(t, tc.shouldFailTeamRead, err)

			_, err = svc.Vulnerability(ctx, "CVE-2019-1234", nil, false)
			checkAuthErr(t, tc.shouldFailGlobalRead, err)

			_, err = svc.Vulnerability(ctx, "CVE-2019-1234", ptr.Uint(1), false)
			checkAuthErr(t, tc.shouldFailTeamRead, err)
		})
	}
}
2 of 2: List Vulnerabilities API (#16695) 2024-02-10 03:54:44 +00:00			`package service`

			`import (`
			`"context"`
			`"testing"`
			`"time"`

			`"github.com/fleetdm/fleet/v4/server/contexts/viewer"`
			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`"github.com/fleetdm/fleet/v4/server/mock"`
			`"github.com/fleetdm/fleet/v4/server/ptr"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestListVulnerabilities(t *testing.T) {`
			`ds := new(mock.Store)`
			`svc, ctx := newTestService(t, ds, nil, nil)`
			`ctx = viewer.NewContext(ctx, viewer.Viewer{User: &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}})`

			`ds.ListVulnerabilitiesFunc = func(cxt context.Context, opt fleet.VulnListOptions) ([]fleet.VulnerabilityWithMetadata, *fleet.PaginationMetadata, error) {`
			`return []fleet.VulnerabilityWithMetadata{`
			`{`
Bugfix: Use CVE struct in Vuln Responses (#17140) 2024-02-26 18:29:59 +00:00			`CVE: fleet.CVE{`
2 of 2: List Vulnerabilities API (#16695) 2024-02-10 03:54:44 +00:00			`CVE: "CVE-2019-1234",`
Bugfix: Use CVE struct in Vuln Responses (#17140) 2024-02-26 18:29:59 +00:00			`Description: ptr.StringPtr("A vulnerability"),`
2 of 2: List Vulnerabilities API (#16695) 2024-02-10 03:54:44 +00:00			`},`
Pluralize hosts_count (#16907) #16906 IN DRAFT, WAITING ON https://github.com/fleetdm/fleet/pull/16897 - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests - [X] Manual QA for all new/changed functionality --------- Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com> Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com> 2024-02-20 16:17:07 +00:00			`CreatedAt: time.Now(),`
			`HostsCount: 10,`
2 of 2: List Vulnerabilities API (#16695) 2024-02-10 03:54:44 +00:00			`},`
			`}, nil, nil`
			`}`

			`t.Run("no list options", func(t *testing.T) {`
			`_, _, err := svc.ListVulnerabilities(ctx, fleet.VulnListOptions{})`
			`require.NoError(t, err)`
			`})`

			`t.Run("can only sort by supported columns", func(t *testing.T) {`
			`// invalid order key`
			`opts := fleet.VulnListOptions{ListOptions: fleet.ListOptions{`
			`OrderKey: "invalid",`
			`}, ValidSortColumns: freeValidVulnSortColumns}`

			`_, _, err := svc.ListVulnerabilities(ctx, opts)`
			`require.Error(t, err)`
			`require.Contains(t, err.Error(), "invalid order key")`

			`// valid order key`
			`opts.OrderKey = "cve"`
			`_, _, err = svc.ListVulnerabilities(ctx, opts)`
			`require.NoError(t, err)`
			`})`
			`}`
16475 vuln detail api (#16828) 2024-02-14 21:42:16 +00:00
			`func TestVulnerabilitesAuth(t *testing.T) {`
			`ds := new(mock.Store)`

			`svc, ctx := newTestService(t, ds, nil, nil)`

			`ds.ListVulnerabilitiesFunc = func(cxt context.Context, opt fleet.VulnListOptions) ([]fleet.VulnerabilityWithMetadata, *fleet.PaginationMetadata, error) {`
			`return []fleet.VulnerabilityWithMetadata{}, &fleet.PaginationMetadata{}, nil`
			`}`

			`ds.VulnerabilityFunc = func(cxt context.Context, cve string, teamID uint, includeCVEScores bool) (fleet.VulnerabilityWithMetadata, error) {`
			`return &fleet.VulnerabilityWithMetadata{}, nil`
			`}`

			`ds.CountVulnerabilitiesFunc = func(cxt context.Context, opt fleet.VulnListOptions) (uint, error) {`
			`return 0, nil`
			`}`

Return 0 count for team vulnerability (#16897) #16891 - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests - [X] Manual QA for all new/changed functionality --------- Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com> Co-authored-by: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com> 2024-02-20 15:49:11 +00:00			`ds.TeamExistsFunc = func(cxt context.Context, teamID uint) (bool, error) {`
			`return true, nil`
			`}`

16475 vuln detail api (#16828) 2024-02-14 21:42:16 +00:00			`for _, tc := range []struct {`
			`name string`
			`user *fleet.User`
			`shouldFailGlobalRead bool`
			`shouldFailTeamRead bool`
			`}{`
			`{`
			`name: "global-admin",`
			`user: &fleet.User{`
			`ID: 1,`
			`GlobalRole: ptr.String(fleet.RoleAdmin),`
			`},`
			`shouldFailGlobalRead: false,`
			`shouldFailTeamRead: false,`
			`},`
			`{`
			`name: "global-maintainer",`
			`user: &fleet.User{`
			`ID: 1,`
			`GlobalRole: ptr.String(fleet.RoleMaintainer),`
			`},`
			`shouldFailGlobalRead: false,`
			`shouldFailTeamRead: false,`
			`},`
			`{`
			`name: "global-observer",`
			`user: &fleet.User{`
			`ID: 1,`
			`GlobalRole: ptr.String(fleet.RoleObserver),`
			`},`
			`shouldFailGlobalRead: false,`
			`shouldFailTeamRead: false,`
			`},`
			`{`
			`name: "team-admin-belongs-to-team",`
			`user: &fleet.User{`
			`ID: 1,`
			`Teams: []fleet.UserTeam{{`
			`Team: fleet.Team{ID: 1},`
			`Role: fleet.RoleAdmin,`
			`}},`
			`},`
			`shouldFailGlobalRead: true,`
			`shouldFailTeamRead: false,`
			`},`
			`{`
			`name: "team-maintainer-belongs-to-team",`
			`user: &fleet.User{`
			`ID: 1,`
			`Teams: []fleet.UserTeam{{`
			`Team: fleet.Team{ID: 1},`
			`Role: fleet.RoleMaintainer,`
			`}},`
			`},`
			`shouldFailGlobalRead: true,`
			`shouldFailTeamRead: false,`
			`},`
			`{`
			`name: "team-observer-belongs-to-team",`
			`user: &fleet.User{`
			`ID: 1,`
			`Teams: []fleet.UserTeam{{`
			`Team: fleet.Team{ID: 1},`
			`Role: fleet.RoleObserver,`
			`}},`
			`},`
			`shouldFailGlobalRead: true,`
			`shouldFailTeamRead: false,`
			`},`
			`{`
			`name: "team-admin-does-not-belong-to-team",`
			`user: &fleet.User{`
			`ID: 1,`
			`Teams: []fleet.UserTeam{{`
			`Team: fleet.Team{ID: 2},`
			`Role: fleet.RoleAdmin,`
			`}},`
			`},`
			`shouldFailGlobalRead: true,`
			`shouldFailTeamRead: true,`
			`},`
			`} {`
			`t.Run(tc.name, func(t *testing.T) {`
			`ctx = viewer.NewContext(ctx, viewer.Viewer{User: tc.user})`
			`_, _, err := svc.ListVulnerabilities(ctx, fleet.VulnListOptions{})`
			`checkAuthErr(t, tc.shouldFailGlobalRead, err)`

			`_, _, err = svc.ListVulnerabilities(ctx, fleet.VulnListOptions{`
			`TeamID: 1,`
			`})`
			`checkAuthErr(t, tc.shouldFailTeamRead, err)`

			`_, err = svc.CountVulnerabilities(ctx, fleet.VulnListOptions{})`
			`checkAuthErr(t, tc.shouldFailGlobalRead, err)`

			`_, err = svc.CountVulnerabilities(ctx, fleet.VulnListOptions{`
			`TeamID: 1,`
			`})`
			`checkAuthErr(t, tc.shouldFailTeamRead, err)`

			`_, err = svc.Vulnerability(ctx, "CVE-2019-1234", nil, false)`
			`checkAuthErr(t, tc.shouldFailGlobalRead, err)`

			`_, err = svc.Vulnerability(ctx, "CVE-2019-1234", ptr.Uint(1), false)`
			`checkAuthErr(t, tc.shouldFailTeamRead, err)`
			`})`
			`}`
			`}`