new(plugins/container): added fetcher tests.

Also, fixed a small bug in cri engine `get()` method.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Author: FedeDP

plugins/container/go-worker/pkg/container/containerd_test.go

@@ -2,10 +2,10 @@ package container
 
 import (
 	"context"
-	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/event"
 	containerd "github.com/containerd/containerd/v2/client"
 	"github.com/containerd/containerd/v2/pkg/namespaces"
 	"github.com/containerd/containerd/v2/pkg/oci"
+	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/event"
 	"github.com/google/uuid"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/assert"
@@ -14,7 +14,7 @@ import (
 	"testing"
 )
 
-func TestContainerd(t *testing.T) {
+func testContainerd(t *testing.T, withFetcher bool) {
 	usr, err := user.Current()
 	assert.NoError(t, err)
 	if usr.Uid != "0" {
@@ -70,9 +70,6 @@ func TestContainerd(t *testing.T) {
 			oci.WithPrivileged))
 	assert.NoError(t, err)
 
-	events, err := engine.List(context.Background())
-	assert.NoError(t, err)
-
 	expectedEvent := event.Event{
 		Info: event.Info{
 			Container: event.Container{
@@ -103,6 +100,15 @@ func TestContainerd(t *testing.T) {
 		IsCreate: true,
 	}
 
+	if withFetcher {
+		testFetcher(t, engine, expectedEvent.ID, expectedEvent)
+		err = ctr.Delete(namespacedCtx)
+		assert.NoError(t, err)
+		return
+	}
+
+	events, err := engine.List(context.Background())
+	assert.NoError(t, err)
 	found := false
 	for _, evt := range events {
 		if evt.FullID == ctr.ID() {
@@ -143,3 +149,7 @@ func TestContainerd(t *testing.T) {
 	evt := waitOnChannelOrTimeout(t, listCh)
 	assert.Equal(t, expectedEvent, evt)
 }
+
+func TestContainerd(t *testing.T) {
+	testContainerd(t, false)
+}

plugins/container/go-worker/pkg/container/cri.go

@@ -380,7 +380,7 @@ func (c *criEngine) ctrToInfo(ctx context.Context, ctr *v1.ContainerStatus, podS
 }
 
 func (c *criEngine) get(ctx context.Context, containerId string) (*event.Event, error) {
-	ctrs, err := c.client.ListContainers(ctx, &v1.ContainerFilter{State: &v1.ContainerStateValue{}, Id: containerId})
+	ctrs, err := c.client.ListContainers(ctx, &v1.ContainerFilter{Id: containerId})
 	if err != nil || len(ctrs) == 0 {
 		return nil, err
 	}

plugins/container/go-worker/pkg/container/cri_test.go

@@ -200,7 +200,7 @@ func TestCRIInfoMap(t *testing.T) {
 	assert.NoError(t, err)
 }
 
-func TestCRIFake(t *testing.T) {
+func testCRIFake(t *testing.T, withFetcher bool) {
 	endpoint, err := fake.GenerateEndpoint()
 	require.NoError(t, err)
 
@@ -254,9 +254,6 @@ func TestCRIFake(t *testing.T) {
 	})
 	assert.NoError(t, err)
 
-	events, err := engine.List(context.Background())
-	assert.NoError(t, err)
-
 	expectedEvent := event.Event{
 		Info: event.Info{
 			Container: event.Container{
@@ -285,6 +282,17 @@ func TestCRIFake(t *testing.T) {
 		IsCreate: true,
 	}
 
+	if withFetcher {
+		// FakeRuntimeService ListContainers wants the fullID:
+		// https://github.com/kubernetes/cri-api/blob/master/pkg/apis/testing/fake_runtime_service.go#L469
+		testFetcher(t, engine, expectedEvent.FullID, expectedEvent)
+		_, err = fakeRuntime.RemoveContainer(context.Background(), &v1.RemoveContainerRequest{ContainerId: ctr.ContainerId})
+		assert.NoError(t, err)
+		return
+	}
+
+	events, err := engine.List(context.Background())
+	assert.NoError(t, err)
 	// We don't have this before creation
 	found := false
 	for _, evt := range events {
@@ -300,7 +308,11 @@ func TestCRIFake(t *testing.T) {
 	// fakeruntime.GetContainerEvents() returns nil. Cannot be tested.
 }
 
-func TestCRI(t *testing.T) {
+func TestCRIFake(t *testing.T) {
+	testCRIFake(t, false)
+}
+
+func testCRI(t *testing.T, withFetcher bool) {
 	const criSocket = "/run/containerd/containerd.sock"
 	client, err := remote.NewRemoteRuntimeService(criSocket, 5*time.Second, nil, nil)
 	if err != nil {
@@ -358,9 +370,6 @@ func TestCRI(t *testing.T) {
 	}, podSandboxConfig)
 	assert.NoError(t, err)
 
-	events, err := engine.List(context.Background())
-	assert.NoError(t, err)
-
 	expectedEvent := event.Event{
 		Info: event.Info{
 			Container: event.Container{
@@ -390,6 +399,21 @@ func TestCRI(t *testing.T) {
 		IsCreate: true,
 	}
 
+	if withFetcher {
+		// RuntimeService wants the short ID:
+		// https://github.com/cri-o/cri-o/blob/592e805f2423ba55054a16d3a7cc66499e2c0dac/server/container_list.go#L41
+		testFetcher(t, engine, expectedEvent.ID, expectedEvent)
+
+		err = client.RemoveContainer(context.Background(), "test_sandbox_test_container_0")
+		assert.NoError(t, err)
+
+		err = client.RemovePodSandbox(context.Background(), sandboxName)
+		assert.NoError(t, err)
+		return
+	}
+
+	events, err := engine.List(context.Background())
+	assert.NoError(t, err)
 	found := false
 	for _, evt := range events {
 		if evt.FullID == ctr {
@@ -437,3 +461,7 @@ func TestCRI(t *testing.T) {
 		}
 	}
 }
+
+func TestCRI(t *testing.T) {
+	testCRI(t, false)
+}

plugins/container/go-worker/pkg/container/docker_test.go

@@ -2,18 +2,18 @@ package container
 
 import (
 	"context"
-	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/event"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
+	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/event"
 	"github.com/stretchr/testify/assert"
 	"io"
 	"runtime"
 	"sync"
 	"testing"
 )
 
-func TestDocker(t *testing.T) {
+func testDocker(t *testing.T, withFetcher bool) {
 	dockerClient, err := client.NewClientWithOpts(client.FromEnv,
 		client.WithAPIVersionNegotiation())
 	if err != nil {
@@ -49,9 +49,6 @@ func TestDocker(t *testing.T) {
 	}, nil, nil, "test_container")
 	assert.NoError(t, err)
 
-	events, err := engine.List(context.Background())
-	assert.NoError(t, err)
-
 	imageId := "63b790fccc9078ab8bb913d94a5d869e19fca9b77712b315da3fa45bb8f14636"
 	if runtime.GOARCH == "arm64" {
 		imageId = "511a44083d3a23416fadc62847c45d14c25cbace86e7a72b2b350436978a0450"
@@ -88,6 +85,15 @@ func TestDocker(t *testing.T) {
 		IsCreate: true,
 	}
 
+	if withFetcher {
+		testFetcher(t, engine, expectedEvent.ID, expectedEvent)
+		err = dockerClient.ContainerRemove(context.Background(), ctr.ID, container.RemoveOptions{})
+		assert.NoError(t, err)
+		return
+	}
+
+	events, err := engine.List(context.Background())
+	assert.NoError(t, err)
 	found := false
 	for _, evt := range events {
 		if evt.FullID == ctr.ID {
@@ -126,3 +132,7 @@ func TestDocker(t *testing.T) {
 	evt := waitOnChannelOrTimeout(t, listCh)
 	assert.Equal(t, expectedEvent, evt)
 }
+
+func TestDocker(t *testing.T) {
+	testDocker(t, false)
+}

plugins/container/go-worker/pkg/container/fetcher_test.go

@@ -0,0 +1,66 @@
+package container
+
+import (
+	"context"
+	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/event"
+	"github.com/stretchr/testify/assert"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestDockerFetcher(t *testing.T) {
+	testDocker(t, true)
+}
+
+func TestContainerdFetcher(t *testing.T) {
+	testContainerd(t, true)
+}
+
+func TestPodmanFetcher(t *testing.T) {
+	testPodman(t, true)
+}
+
+func TestCRIFakeFetcher(t *testing.T) {
+	testCRIFake(t, true)
+}
+
+func TestCRIFetcher(t *testing.T) {
+	testCRI(t, true)
+}
+
+func testFetcher(t *testing.T, containerEngine Engine, containerId string, expectedEvent event.Event) {
+	// Create the fetcher engine with the docker engine as the only container engine
+	containerEngines := []Engine{containerEngine}
+	f := NewFetcherEngine(context.Background(), containerEngines)
+	assert.NotNil(t, f)
+
+	// Check that fetcher is able to fetch the container
+	wg := sync.WaitGroup{}
+	cancelCtx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(func() {
+		cancel()
+		wg.Wait()
+	})
+
+	listCh, err := f.Listen(cancelCtx, &wg)
+	assert.NoError(t, err)
+
+	// Send the container ID to the fetcher channel to request its info to be loaded
+	ch := GetFetcherChan()
+	assert.NotNil(t, ch)
+	go func() {
+		time.Sleep(1 * time.Second)
+		ch <- containerId
+	}()
+
+	evt := waitOnChannelOrTimeout(t, listCh)
+	// This needs to be updated on the fly
+	expectedEvent.CreatedTime = evt.CreatedTime
+	// In some cases, the env ordering might differ thus we manually check it and then copy it
+	for _, env := range expectedEvent.Env {
+		assert.Contains(t, evt.Env, env)
+	}
+	expectedEvent.Env = evt.Env
+	assert.Equal(t, expectedEvent, evt)
+}

plugins/container/go-worker/pkg/container/podman_test.go

@@ -5,12 +5,12 @@ package container
 import (
 	"context"
 	"fmt"
-	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/event"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/podman/v5/pkg/bindings"
 	"github.com/containers/podman/v5/pkg/bindings/containers"
 	"github.com/containers/podman/v5/pkg/bindings/images"
 	"github.com/containers/podman/v5/pkg/specgen"
+	"github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/event"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/stretchr/testify/assert"
 	"os/user"
@@ -30,7 +30,7 @@ func waitOnChannelOrTimeout(t *testing.T, ch <-chan event.Event) event.Event {
 	return event.Event{}
 }
 
-func TestPodman(t *testing.T) {
+func testPodman(t *testing.T, withFetcher bool) {
 	usr, err := user.Current()
 	assert.NoError(t, err)
 
@@ -85,9 +85,6 @@ func TestPodman(t *testing.T) {
 	}, nil)
 	assert.NoError(t, err)
 
-	events, err := engine.List(context.Background())
-	assert.NoError(t, err)
-
 	imageId := "63b790fccc9078ab8bb913d94a5d869e19fca9b77712b315da3fa45bb8f14636"
 	if runtime.GOARCH == "arm64" {
 		imageId = "511a44083d3a23416fadc62847c45d14c25cbace86e7a72b2b350436978a0450"
@@ -123,6 +120,15 @@ func TestPodman(t *testing.T) {
 		IsCreate: true,
 	}
 
+	if withFetcher {
+		testFetcher(t, engine, expectedEvent.ID, expectedEvent)
+		_, err = containers.Remove(podmanCtx, ctr.ID, nil)
+		assert.NoError(t, err)
+		return
+	}
+
+	events, err := engine.List(context.Background())
+	assert.NoError(t, err)
 	found := false
 	for _, evt := range events {
 		if evt.FullID == ctr.ID {
@@ -165,3 +171,7 @@ func TestPodman(t *testing.T) {
 	evt := waitOnChannelOrTimeout(t, listCh)
 	assert.Equal(t, expectedEvent, evt)
 }
+
+func TestPodman(t *testing.T) {
+	testPodman(t, false)
+}