Refine posture model and update tests

Author: haasonsaas

agent/internal/posture/default.go

@@ -6,25 +6,29 @@ import "runtime"
 type DefaultCollector struct{}
 
 // CollectPosture returns minimal posture information for unsupported platforms
-func (_ *DefaultCollector) CollectPosture() (*DevicePosture, error) {
+func (c *DefaultCollector) CollectPosture() (*DevicePosture, error) {
+	_ = c
 	posture := &DevicePosture{
-		OS: OperatingSystem{
+		OS: &OperatingSystem{
 			Name:      UnknownValue,
 			Version:   UnknownValue,
 			Build:     UnknownValue,
 			Arch:      runtime.GOARCH,
 			Kernel:    UnknownValue,
 			Supported: false,
 		},
-		Firewall: FirewallStatus{
-			Enabled: false,
-			Rules:   DefaultRules,
+		Firewall: &FirewallStatus{
 			Service: UnknownService,
+			Ports:   nil,
+			Rules:   DefaultRules,
+			Enabled: false,
+		},
+		SecurityFeatureSet: SecurityFeatureSet{
+			AntiVirus:     false,
+			SystemUpdate:  false,
+			DiskEncrypted: false,
+			ScreenLock:    false,
 		},
-		AntiVirus:     false,
-		SystemUpdate:  false,
-		DiskEncrypted: false,
-		ScreenLock:    false,
 	}
 
 	// Calculate trust score (will be low due to unknown status)

agent/internal/posture/linux.go

@@ -8,56 +8,55 @@ import (
 const (
 	// OS constants
 	linuxOSName = "Linux"
-	
+
 	// Service names
 	ufwService      = "ufw"
 	iptablesService = "iptables"
-	
+
 	// Command keywords
 	ufwStatusActive = "status: active"
 	cryptoLUKS      = "crypto_luks"
 	cryptKeyword    = "crypt"
 	trueKeyword     = "true"
-	
+
 	// Firewall rule keywords
 	allowKeyword  = "ALLOW"
 	denyKeyword   = "DENY"
 	acceptKeyword = "ACCEPT"
 	dropKeyword   = "DROP"
 	rejectKeyword = "REJECT"
-	
+
 	// Table headers to ignore
 	chainPrefix  = "Chain"
 	targetPrefix = "target"
 	numPrefix    = "num"
 )
 
-var (
-	// Common Linux antivirus software
-	linuxAntivirusSoftware = []string{"clamav", "sophos", "avast", "bitdefender", "eset"}
-)
+// Common Linux antivirus software
+var linuxAntivirusSoftware = []string{"clamav", "sophos", "avast", "bitdefender", "eset"}
 
 // LinuxCollector collects device posture on Linux systems
 type LinuxCollector struct{}
 
 // CollectPosture collects device posture information on Linux
 func (c *LinuxCollector) CollectPosture() (*DevicePosture, error) {
 	posture := &DevicePosture{
-		OS: OperatingSystem{
+		OS: &OperatingSystem{
 			Name: linuxOSName,
 			Arch: runtime.GOARCH,
 		},
+		Firewall: &FirewallStatus{},
 	}
 
 	// Collect OS information
-	if err := c.collectOSInfo(&posture.OS); err != nil {
+	if err := c.collectOSInfo(posture.OS); err != nil {
 		return nil, err
 	}
 
 	// Collect firewall status
-	if err := c.collectFirewallStatus(&posture.Firewall); err != nil {
+	if err := c.collectFirewallStatus(posture.Firewall); err != nil {
 		// Non-fatal error, continue with default values
-		posture.Firewall = FirewallStatus{Enabled: false, Service: UnknownService}
+		*posture.Firewall = FirewallStatus{Service: UnknownService}
 	}
 
 	// Collect other security posture information
@@ -132,8 +131,8 @@ func checkUFW(fw *FirewallStatus) bool {
 	fw.Enabled = strings.Contains(strings.ToLower(output), ufwStatusActive)
 
 	// Count rules (simplified)
-	lines := strings.Split(output, "\n")
-	ruleCount := 0
+	lines := strings.Split(output, newline)
+	ruleCount := initialCapacity
 	for _, line := range lines {
 		line = strings.TrimSpace(line)
 		if line != "" && !strings.HasPrefix(line, "Status:") &&
@@ -150,6 +149,7 @@ func checkUFW(fw *FirewallStatus) bool {
 
 // checkIptables checks iptables firewall status
 func (c *LinuxCollector) checkIptables(fw *FirewallStatus) error {
+	_ = c
 	output, err := runCommand("iptables", "-L")
 	if err != nil {
 		fw.Enabled = false
@@ -160,7 +160,7 @@ func (c *LinuxCollector) checkIptables(fw *FirewallStatus) error {
 	fw.Service = iptablesService
 	// If iptables returns without error and has rules, consider it enabled
 	lines := strings.Split(output, "\n")
-	ruleCount := 0
+	ruleCount := initialCapacity
 	for _, line := range lines {
 		line = strings.TrimSpace(line)
 		if line != "" && !strings.HasPrefix(line, chainPrefix) &&
@@ -180,6 +180,7 @@ func (c *LinuxCollector) checkIptables(fw *FirewallStatus) error {
 
 // checkAntiVirus checks for antivirus software
 func (c *LinuxCollector) checkAntiVirus() bool {
+	_ = c
 	// Check for common Linux antivirus solutions
 	antivirusSoftware := linuxAntivirusSoftware
 
@@ -199,12 +200,14 @@ func (c *LinuxCollector) checkAntiVirus() bool {
 
 // checkSystemUpdated checks if system is up to date
 func (c *LinuxCollector) checkSystemUpdated() bool {
+	_ = c
 	// Check for pending updates (works on Debian/Ubuntu systems)
 	output, err := runCommand("apt", "list", "--upgradable")
 	if err == nil {
-		lines := strings.Split(output, "\n")
+		lines := strings.Split(output, newline)
 		// If only header line, no updates available
-		return len(lines) <= 2
+		const headerAndFooterLines = 2
+		return len(lines) <= headerAndFooterLines
 	}
 
 	// Try yum/dnf for Red Hat systems
@@ -214,11 +217,12 @@ func (c *LinuxCollector) checkSystemUpdated() bool {
 		return true
 	}
 
-	return strings.TrimSpace(output) == ""
+	return strings.TrimSpace(output) == emptyString
 }
 
 // checkDiskEncryption checks if disk encryption is enabled
 func (c *LinuxCollector) checkDiskEncryption() bool {
+	_ = c
 	// Check for LUKS encrypted devices
 	output, err := runCommand("lsblk", "-f")
 	if err != nil {
@@ -232,6 +236,7 @@ func (c *LinuxCollector) checkDiskEncryption() bool {
 
 // checkScreenLock checks if screen lock is configured
 func (c *LinuxCollector) checkScreenLock() bool {
+	_ = c
 	// Check GNOME settings
 	if output, err := runCommand("gsettings", "get", "org.gnome.desktop.screensaver", "lock-enabled"); err == nil {
 		return strings.Contains(strings.ToLower(output), trueKeyword)
@@ -248,6 +253,7 @@ func (c *LinuxCollector) checkScreenLock() bool {
 
 // isOSSupported checks if the OS version is supported
 func (c *LinuxCollector) isOSSupported(osName string) bool {
+	_ = c
 	supportedDistros := []string{
 		"ubuntu", "debian", "centos", "rhel", "fedora",
 		"suse", "opensuse", "arch", "mint", "elementary",

agent/internal/posture/macos.go

@@ -5,27 +5,30 @@ import (
 	"strings"
 )
 
+const macOSDefaultRuleCount = 1
+
 // MacOSCollector collects device posture on macOS systems
 type MacOSCollector struct{}
 
 // CollectPosture collects device posture information on macOS
 func (c *MacOSCollector) CollectPosture() (*DevicePosture, error) {
 	posture := &DevicePosture{
-		OS: OperatingSystem{
+		OS: &OperatingSystem{
 			Name: "macOS",
 			Arch: runtime.GOARCH,
 		},
+		Firewall: &FirewallStatus{},
 	}
 
 	// Collect OS information
-	if err := c.collectOSInfo(&posture.OS); err != nil {
+	if err := c.collectOSInfo(posture.OS); err != nil {
 		return nil, err
 	}
 
 	// Collect firewall status
-	if err := c.collectFirewallStatus(&posture.Firewall); err != nil {
+	if err := c.collectFirewallStatus(posture.Firewall); err != nil {
 		// Non-fatal error, continue with default values
-		posture.Firewall = FirewallStatus{Enabled: false, Service: UnknownService}
+		*posture.Firewall = FirewallStatus{Service: UnknownService}
 	}
 
 	// Collect other security posture information
@@ -69,9 +72,9 @@ func (c *MacOSCollector) collectOSInfo(os *OperatingSystem) error {
 				// Extract version number
 				parts = strings.Fields(versionInfo)
 				if len(parts) >= minPartsTriple {
-					os.Name = strings.Join(parts[:2], spaceSeparator)
-					os.Version = parts[2]
-				} else if len(parts) >= 2 {
+					os.Name = strings.Join(parts[:keyValueParts], spaceSeparator)
+					os.Version = parts[versionPartIndex]
+				} else if len(parts) >= keyValueParts {
 					os.Version = parts[len(parts)-indexIncrement]
 				}
 			}
@@ -91,6 +94,7 @@ func (c *MacOSCollector) collectOSInfo(os *OperatingSystem) error {
 
 // collectFirewallStatus checks macOS firewall status
 func (c *MacOSCollector) collectFirewallStatus(fw *FirewallStatus) error {
+	_ = c
 	fw.Service = macOSFirewallService
 
 	// Check if firewall is enabled
@@ -104,14 +108,15 @@ func (c *MacOSCollector) collectFirewallStatus(fw *FirewallStatus) error {
 
 	// Get firewall rules (simplified - macOS firewall is less rule-based)
 	if fw.Enabled {
-		fw.Rules = 1
+		fw.Rules = macOSDefaultRuleCount
 	}
 
 	return nil
 }
 
 // checkAntiVirus checks for antivirus software on macOS
 func (c *MacOSCollector) checkAntiVirus() bool {
+	_ = c
 	// Check for common macOS antivirus applications
 	antivirusApps := []string{
 		"/Applications/Bitdefender Virus Scanner.app",
@@ -147,6 +152,7 @@ func (c *MacOSCollector) checkAntiVirus() bool {
 
 // checkSystemUpdated checks if system updates are available
 func (c *MacOSCollector) checkSystemUpdated() bool {
+	_ = c
 	// Check for available updates
 	output, err := runCommand("softwareupdate", "-l")
 	if err != nil {
@@ -161,6 +167,7 @@ func (c *MacOSCollector) checkSystemUpdated() bool {
 
 // checkDiskEncryption checks if FileVault is enabled
 func (c *MacOSCollector) checkDiskEncryption() bool {
+	_ = c
 	output, err := runCommand("fdesetup", "status")
 	if err != nil {
 		return false
@@ -171,6 +178,7 @@ func (c *MacOSCollector) checkDiskEncryption() bool {
 
 // checkScreenLock checks if screen lock/password is required
 func (c *MacOSCollector) checkScreenLock() bool {
+	_ = c
 	// Check if password is required after screensaver
 	output, err := runCommand(defaultsCommand, readCommand, "com.apple.screensaver", macOSScreenPassword)
 	if err == nil && strings.Contains(output, macOSPasswordEnabled) {
@@ -185,8 +193,7 @@ func (c *MacOSCollector) checkScreenLock() bool {
 	}
 
 	// Check System Preferences security settings
-	output, err = runCommand(defaultsCommand, readCommand, "com.apple.screensaver", macOSScreenDelay)
-	if err == nil {
+	if _, err = runCommand(defaultsCommand, readCommand, "com.apple.screensaver", macOSScreenDelay); err == nil {
 		return true
 	}
 
@@ -195,13 +202,14 @@ func (c *MacOSCollector) checkScreenLock() bool {
 
 // isOSSupported checks if the macOS version is supported
 func (c *MacOSCollector) isOSSupported(version string) bool {
+	_ = c
 	if version == "" {
 		return false
 	}
 
 	// Parse major version (e.g., "12.6.1" -> 12)
 	parts := strings.Split(version, ".")
-	if len(parts) == 0 {
+	if len(parts) == initialCapacity {
 		return false
 	}