CI: ensure tests don't alter the repository (#3616)

Author: mmetc

.github/workflows/go-tests.yml

@@ -181,7 +181,18 @@ jobs:
     - name: Unit tests
       run: |
         go install gotest.tools/[email protected]
+        # make the repo read-only, with the exception of coverage output
+        touch coverage.out
+        chmod -R a-w .
+        chmod u+w coverage.out
         make testcover
+        # ignore changes to codecov.yml
+        if [[ $(git status --porcelain -- . ":(exclude).github/codecov.yml") ]]; then
+          echo "Error: Unit tests should not create or alter files inside the repository. Please use the appropriate testing helpers or otherwise temporary locations."
+          git diff --name-only
+          exit 1
+        fi
+        chmod -R u+w .
 
     # check if some component stubs are missing
     - name: "Build profile: minimal"

pkg/acquisition/acquisition_test.go

@@ -68,7 +68,7 @@ func (f *MockSource) StreamingAcquisition(context.Context, chan types.Event, *to
 func (f *MockSource) CanRun() error                            { return nil }
 func (f *MockSource) GetMetrics() []prometheus.Collector       { return nil }
 func (f *MockSource) GetAggregMetrics() []prometheus.Collector { return nil }
-func (f *MockSource) Dump() interface{}                        { return f }
+func (f *MockSource) Dump() any                                { return f }
 func (f *MockSource) GetName() string                          { return "mock" }
 func (f *MockSource) ConfigureByDSN(string, map[string]string, *log.Entry, string) error {
 	return errors.New("not supported")
@@ -236,57 +236,57 @@ func TestLoadAcquisitionFromFile(t *testing.T) {
 		{
 			TestName: "invalid_yaml_file",
 			Config: csconfig.CrowdsecServiceCfg{
-				AcquisitionFiles: []string{"test_files/badyaml.yaml"},
+				AcquisitionFiles: []string{"testdata/badyaml.yaml"},
 			},
-			ExpectedError: "failed to parse test_files/badyaml.yaml: yaml: unmarshal errors",
+			ExpectedError: "failed to parse testdata/badyaml.yaml: yaml: unmarshal errors",
 			ExpectedLen:   0,
 		},
 		{
 			TestName: "invalid_empty_yaml",
 			Config: csconfig.CrowdsecServiceCfg{
-				AcquisitionFiles: []string{"test_files/emptyitem.yaml"},
+				AcquisitionFiles: []string{"testdata/emptyitem.yaml"},
 			},
 			ExpectedLen: 0,
 		},
 		{
 			TestName: "basic_valid",
 			Config: csconfig.CrowdsecServiceCfg{
-				AcquisitionFiles: []string{"test_files/basic_filemode.yaml"},
+				AcquisitionFiles: []string{"testdata/basic_filemode.yaml"},
 			},
 			ExpectedLen: 2,
 		},
 		{
 			TestName: "missing_labels",
 			Config: csconfig.CrowdsecServiceCfg{
-				AcquisitionFiles: []string{"test_files/missing_labels.yaml"},
+				AcquisitionFiles: []string{"testdata/missing_labels.yaml"},
 			},
-			ExpectedError: "missing labels in test_files/missing_labels.yaml",
+			ExpectedError: "missing labels in testdata/missing_labels.yaml",
 		},
 		{
 			TestName: "backward_compat",
 			Config: csconfig.CrowdsecServiceCfg{
-				AcquisitionFiles: []string{"test_files/backward_compat.yaml"},
+				AcquisitionFiles: []string{"testdata/backward_compat.yaml"},
 			},
 			ExpectedLen: 2,
 		},
 		{
 			TestName: "bad_type",
 			Config: csconfig.CrowdsecServiceCfg{
-				AcquisitionFiles: []string{"test_files/bad_source.yaml"},
+				AcquisitionFiles: []string{"testdata/bad_source.yaml"},
 			},
-			ExpectedError: "in file test_files/bad_source.yaml (position 0) - unknown data source does_not_exist",
+			ExpectedError: "in file testdata/bad_source.yaml (position 0) - unknown data source does_not_exist",
 		},
 		{
 			TestName: "invalid_filetype_config",
 			Config: csconfig.CrowdsecServiceCfg{
-				AcquisitionFiles: []string{"test_files/bad_filetype.yaml"},
+				AcquisitionFiles: []string{"testdata/bad_filetype.yaml"},
 			},
-			ExpectedError: "while configuring datasource of type file from test_files/bad_filetype.yaml",
+			ExpectedError: "while configuring datasource of type file from testdata/bad_filetype.yaml",
 		},
 		{
 			TestName: "from_env",
 			Config: csconfig.CrowdsecServiceCfg{
-				AcquisitionFiles: []string{"test_files/env.yaml"},
+				AcquisitionFiles: []string{"testdata/env.yaml"},
 			},
 			ExpectedLen: 1,
 		},
@@ -356,7 +356,7 @@ func (f *MockCat) StreamingAcquisition(context.Context, chan types.Event, *tomb.
 func (f *MockCat) CanRun() error                            { return nil }
 func (f *MockCat) GetMetrics() []prometheus.Collector       { return nil }
 func (f *MockCat) GetAggregMetrics() []prometheus.Collector { return nil }
-func (f *MockCat) Dump() interface{}                        { return f }
+func (f *MockCat) Dump() any                                { return f }
 func (f *MockCat) ConfigureByDSN(string, map[string]string, *log.Entry, string) error {
 	return errors.New("not supported")
 }
@@ -403,7 +403,7 @@ func (f *MockTail) StreamingAcquisition(ctx context.Context, out chan types.Even
 func (f *MockTail) CanRun() error                            { return nil }
 func (f *MockTail) GetMetrics() []prometheus.Collector       { return nil }
 func (f *MockTail) GetAggregMetrics() []prometheus.Collector { return nil }
-func (f *MockTail) Dump() interface{}                        { return f }
+func (f *MockTail) Dump() any                                { return f }
 func (f *MockTail) ConfigureByDSN(string, map[string]string, *log.Entry, string) error {
 	return errors.New("not supported")
 }
@@ -538,7 +538,7 @@ func (f *MockSourceByDSN) StreamingAcquisition(context.Context, chan types.Event
 func (f *MockSourceByDSN) CanRun() error                            { return nil }
 func (f *MockSourceByDSN) GetMetrics() []prometheus.Collector       { return nil }
 func (f *MockSourceByDSN) GetAggregMetrics() []prometheus.Collector { return nil }
-func (f *MockSourceByDSN) Dump() interface{}                        { return f }
+func (f *MockSourceByDSN) Dump() any                                { return f }
 func (f *MockSourceByDSN) GetName() string                          { return "mockdsn" }
 func (f *MockSourceByDSN) ConfigureByDSN(dsn string, labels map[string]string, logger *log.Entry, uuid string) error {
 	dsn = strings.TrimPrefix(dsn, "mockdsn://")

pkg/acquisition/modules/file/file_test.go

@@ -103,6 +103,8 @@ func TestConfigureDSN(t *testing.T) {
 
 func TestOneShot(t *testing.T) {
 	ctx := t.Context()
+	tmpDir := t.TempDir()
+	deletedFile := filepath.Join(tmpDir, "test_delete.log")
 
 	permDeniedFile := "/etc/shadow"
 	permDeniedError := "failed opening /etc/shadow: open /etc/shadow: permission denied"
@@ -166,40 +168,40 @@ filename: /do/not/exist`,
 			name: "test.log",
 			config: `
 mode: cat
-filename: test_files/test.log`,
+filename: testdata/test.log`,
 			expectedLines: 5,
 			logLevel:      log.WarnLevel,
 		},
 		{
 			name: "test.log.gz",
 			config: `
 mode: cat
-filename: test_files/test.log.gz`,
+filename: testdata/test.log.gz`,
 			expectedLines: 5,
 			logLevel:      log.WarnLevel,
 		},
 		{
 			name: "unexpected end of gzip stream",
 			config: `
 mode: cat
-filename: test_files/bad.gz`,
-			expectedErr:   "failed to read gz test_files/bad.gz: unexpected EOF",
+filename: testdata/bad.gz`,
+			expectedErr:   "failed to read gz testdata/bad.gz: unexpected EOF",
 			expectedLines: 0,
 			logLevel:      log.WarnLevel,
 		},
 		{
 			name: "deleted file",
-			config: `
+			config: fmt.Sprintf(`
 mode: cat
-filename: test_files/test_delete.log`,
+filename: %s`, deletedFile),
 			setup: func() {
-				f, _ := os.Create("test_files/test_delete.log")
+				f, _ := os.Create(deletedFile)
 				f.Close()
 			},
 			afterConfigure: func() {
-				os.Remove("test_files/test_delete.log")
+				os.Remove(deletedFile)
 			},
-			expectedErr: "could not stat file test_files/test_delete.log",
+			expectedErr: "could not stat file " + deletedFile,
 		},
 	}
 
@@ -252,14 +254,14 @@ func TestLiveAcquisition(t *testing.T) {
 	ctx := t.Context()
 	permDeniedFile := "/etc/shadow"
 	permDeniedError := "unable to read /etc/shadow : open /etc/shadow: permission denied"
-	testPattern := "test_files/*.log"
+	tmpDir := t.TempDir()
+	testPattern := filepath.Join(tmpDir, "*.log")
 
 	if runtime.GOOS == "windows" {
 		// Technically, this is not a permission denied error, but we just want to test what happens
 		// if we do not have access to the file
 		permDeniedFile = `C:\Windows\System32\config\SAM`
 		permDeniedError = `unable to read C:\Windows\System32\config\SAM : open C:\Windows\System32\config\SAM: The process cannot access the file because it is being used by another process`
-		testPattern = `test_files\*.log`
 	}
 
 	tests := []struct {
@@ -320,10 +322,10 @@ force_inotify: true`, testPattern),
 			logLevel:      log.DebugLevel,
 			name:          "GlobInotify",
 			afterConfigure: func() {
-				f, _ := os.Create("test_files/a.log")
+				f, _ := os.Create(filepath.Join(tmpDir, "a.log"))
 				f.Close()
 				time.Sleep(1 * time.Second)
-				os.Remove("test_files/a.log")
+				os.Remove(f.Name())
 			},
 		},
 		{
@@ -336,18 +338,18 @@ force_inotify: true`, testPattern),
 			logLevel:      log.DebugLevel,
 			name:          "GlobInotifyChmod",
 			afterConfigure: func() {
-				f, err := os.Create("test_files/a.log")
+				f, err := os.Create(filepath.Join(tmpDir, "a.log"))
 				require.NoError(t, err)
 				err = f.Close()
 				require.NoError(t, err)
 				time.Sleep(1 * time.Second)
-				err = os.Chmod("test_files/a.log", 0o000)
+				err = os.Chmod(f.Name(), 0o000)
 				require.NoError(t, err)
 			},
 			teardown: func() {
-				err := os.Chmod("test_files/a.log", 0o644)
+				err := os.Chmod(filepath.Join(tmpDir, "a.log"), 0o644)
 				require.NoError(t, err)
-				err = os.Remove("test_files/a.log")
+				err = os.Remove(filepath.Join(tmpDir, "a.log"))
 				require.NoError(t, err)
 			},
 		},
@@ -361,11 +363,11 @@ force_inotify: true`, testPattern),
 			logLevel:      log.DebugLevel,
 			name:          "InotifyMkDir",
 			afterConfigure: func() {
-				err := os.Mkdir("test_files/pouet/", 0o700)
+				err := os.Mkdir(filepath.Join(tmpDir, "pouet"), 0o700)
 				require.NoError(t, err)
 			},
 			teardown: func() {
-				os.Remove("test_files/pouet/")
+				os.Remove(filepath.Join(tmpDir, "pouet"))
 			},
 		},
 	}
@@ -398,6 +400,7 @@ force_inotify: true`, testPattern),
 			if tc.expectedLines != 0 {
 				var stopReading bool
 				defer func() { stopReading = true }()
+
 				go func() {
 					for {
 						select {
@@ -419,7 +422,7 @@ force_inotify: true`, testPattern),
 
 			if tc.expectedLines != 0 {
 				// f.IsTailing is path delimiter sensitive
-				streamLogFile := filepath.Join("test_files", "stream.log")
+				streamLogFile := filepath.Join(tmpDir, "stream.log")
 
 				fd, err := os.Create(streamLogFile)
 				require.NoError(t, err, "could not create test file")
@@ -435,6 +438,7 @@ force_inotify: true`, testPattern),
 							time.Sleep(50 * time.Millisecond)
 							continue
 						}
+
 						waitingForTail = false
 					}
 				}
@@ -475,7 +479,7 @@ force_inotify: true`, testPattern),
 }
 
 func TestExclusion(t *testing.T) {
-	config := `filenames: ["test_files/*.log*"]
+	config := `filenames: ["testdata/*.log*"]
 exclude_regexps: ["\\.gz$"]`
 	logger, hook := test.NewNullLogger()
 	// logger.SetLevel(ts.logLevel)
@@ -487,7 +491,7 @@ exclude_regexps: ["\\.gz$"]`
 
 	require.NotNil(t, hook.LastEntry())
 	assert.Contains(t, hook.LastEntry().Message, `Skipping file: matches exclude regex "\\.gz`)
-	assert.Equal(t, filepath.Join("test_files", "test.log.gz"), hook.LastEntry().Data["file"])
+	assert.Equal(t, filepath.Join("testdata", "test.log.gz"), hook.LastEntry().Data["file"])
 	hook.Reset()
 }
 

pkg/acquisition/modules/file/test_files/bad.gz renamed to pkg/acquisition/modules/file/testdata/bad.gz

@@ -280,8 +280,7 @@ journalctl_filter:
 
 func TestMain(m *testing.M) {
 	if os.Getenv("USE_SYSTEM_JOURNALCTL") == "" {
-		currentDir, _ := os.Getwd()
-		fullPath := filepath.Join(currentDir, "test_files")
+		fullPath, _ := filepath.Abs("./testdata")
 		os.Setenv("PATH", fullPath+":"+os.Getenv("PATH"))
 	}
 

pkg/acquisition/modules/file/test_files/test.log renamed to pkg/acquisition/modules/file/testdata/test.log

@@ -4,17 +4,17 @@ import argparse
 import time
 import sys
 
+
 class CustomParser(argparse.ArgumentParser):
-    #small hack to make argparse errors the same as journalctl
+    # small hack to make argparse errors the same as journalctl
     def error(self, message):
         if 'unrecognized arguments:' in message:
-            sys.stderr.write("journalctl: invalid option -- '_'\n")
-            sys.stderr.flush()
-            exit(1)
+            _ = sys.stderr.write("journalctl: invalid option -- '_'\n")
         else:
-            sys.stderr.write(message)
-            sys.stderr.flush()
-            exit(1)
+            _ = sys.stderr.write(message)
+        _ = sys.stderr.flush()
+        exit(1)
+
 
 LOGS = """-- Logs begin at Fri 2019-07-26 17:13:13 CEST, end at Mon 2020-11-23 09:17:34 CET. --
 Nov 22 11:22:19 zeroed sshd[1480]: Invalid user wqeqwe from 127.0.0.1 port 55818
@@ -32,14 +32,14 @@ Nov 22 11:23:27 zeroed sshd[1791]: Invalid user wqeqwe5 from 127.0.0.1 port 5583
 Nov 22 11:23:27 zeroed sshd[1791]: Failed password for invalid user wqeqwe5 from 127.0.0.1 port 55834 ssh2"""
 
 parser = CustomParser()
-parser.add_argument('filter', metavar='FILTER', type=str, nargs='?')
-parser.add_argument('-n', dest='n', type=int)
-parser.add_argument('--follow', dest='follow', action='store_true', default=False)
+_ = parser.add_argument('filter', metavar='FILTER', type=str, nargs='?')
+_ = parser.add_argument('-n', dest='n', type=int)
+_ = parser.add_argument('--follow', dest='follow', action='store_true', default=False)
 
 args = parser.parse_args()
 
 for line in LOGS.split('\n'):
     print(line)
 
 if args.follow:
-    time.sleep(9999)
+    time.sleep(9999)

pkg/acquisition/modules/file/test_files/test.log.gz renamed to pkg/acquisition/modules/file/testdata/test.log.gz

@@ -258,18 +258,18 @@ func TestOneShotAcquisition(t *testing.T) {
 		},
 		{
 			name:          "existing file",
-			dsn:           `wineventlog://test_files/Setup.evtx`,
+			dsn:           `wineventlog://testdata/Setup.evtx`,
 			expectedCount: 24,
 			expectedErr:   "",
 		},
 		{
 			name:          "filter on event_id",
-			dsn:           `wineventlog://test_files/Setup.evtx?event_id=2`,
+			dsn:           `wineventlog://testdata/Setup.evtx?event_id=2`,
 			expectedCount: 1,
 		},
 		{
 			name:          "filter on event_id",
-			dsn:           `wineventlog://test_files/Setup.evtx?event_id=2&event_id=3`,
+			dsn:           `wineventlog://testdata/Setup.evtx?event_id=2&event_id=3`,
 			expectedCount: 24,
 		},
 	}