diff --git a/.github/workflows/package-build.yml b/.github/workflows/package-build.yml
index 8b3e9b5a9..c9055c803 100644
--- a/.github/workflows/package-build.yml
+++ b/.github/workflows/package-build.yml
@@ -133,29 +133,21 @@ jobs: arch: ${{ matrix.variant.arch }} package-type: ${{ inputs.package-type }} + - name: Copy test collateral + run: | + mkdir -p build/modules/test/recipes + cp -r src/tests/e2e-test-recipes/*.json build/modules/test/recipes/ + + cp src/adapters/pnp/daemon/osconfig.json build/modules/test/osconfig.json + - uses: actions/upload-artifact@v4 - if: ${{ inputs.test && !inputs.build-fuzzers }} with: name: ${{ inputs.artifact }} path: | ./build/osconfig* ./build/*.zip ./build/modules/test/moduletest + ./build/modules/test/osconfig.json + ./build/modules/test/recipes/*.json ./build/modules/bin/*.so - - - uses: actions/upload-artifact@v4 - if: ${{ !inputs.test && inputs.build-fuzzers }} - with: - name: ${{ inputs.artifact }} - path: | - ./build/osconfig* - ./build/*.zip ./build/tests/fuzzer/osconfig-fuzzer - - - uses: actions/upload-artifact@v4 - if: ${{ !inputs.test && !inputs.build-fuzzers }} - with: - name: ${{ inputs.artifact }} - path: | - ./build/osconfig* - ./build/*.zip
diff --git a/.github/workflows/universalnrp-test.yml b/.github/workflows/universalnrp-test.yml
index c3362f0a9..71f885165 100644
--- a/.github/workflows/universalnrp-test.yml
+++ b/.github/workflows/universalnrp-test.yml
@@ -3,7 +3,7 @@ name: Universal NRP Test on: workflow_dispatch: inputs: - policyPackageList: + policy_packages: description: 'List of policy packages to test' required: true default: '[]' 
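Review bot: The merged upload-artifact step has lost its `if:` guard and the new "Copy test collateral" step runs unconditionally, so a caller passing `test: false` still copies recipes into `build/modules/test` and uploads whatever the globs match — including `./build/tests/fuzzer/osconfig-fuzzer`, which is now listed for every build regardless of `inputs.build-fuzzers`. This only passes because actions/upload-artifact@v4 defaults `if-no-files-found` to `warn`, so a missing `moduletest` or fuzzer binary becomes a warning rather than a failure, even though universalnrp-test's module-test job depends on `modules/test/moduletest` being present in this artifact; consider `if-no-files-found: error` for the variants that require it. The copy step also fails outright when `src/tests/e2e-test-recipes/*.json` matches nothing, since `cp -r` then receives the literal pattern; restoring `if: ${{ inputs.test }}` on that step keeps the previous behaviour for non-test builds.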
@@ -11,119 +11,116 @@ on: schedule: - cron: '0 20 * * *' # Every day at 12pm PST (UTC-8) + # TODO: remove + push: + env: - # Default build matrix - this is where additional distros are added, policy-package are defined either through the workflow_dispatch input or the DEFAULT_PACKAGE_LIST - BUILD_MATRIX: | - { - "target": [ - { "os": "centos", "version": 8, "package-type": "RPM", "tag": "" }, - { "os": "debian", "version": 10, "package-type": "DEB", "tag": "" }, - { "os": "debian", "version": 11, "package-type": "DEB", "tag": "" }, - { "os": "mariner", "version": 2, "package-type": "RPM", "tag": "" }, - { "os": "oraclelinux", "version": 8, "package-type": "RPM", "tag": "" }, - { "os": "rhel", "version": 8, "package-type": "RPM", "tag": "" }, - { "os": "rhel", "version": 9, "package-type": "RPM", "tag": "" }, - { "os": "rockylinux", "version": 9, "package-type": "RPM", "tag": "" }, - { "os": "sles", "version": 15, "package-type": "RPM", "tag": "" }, - { "os": "ubuntu", "version": "20.04", "package-type": "DEB", "tag": "" }, - { "os": "ubuntu", "version": "22.04", "package-type": "DEB", "tag": "" } - ], - "policy-package": [], - "arch": ["amd64"], - "mode": ["Audit", "Remediate"] - } - - # Default package list to use if no explicit packages are defined in the workflow_dispatch.policyPackageList input DEFAULT_PACKAGE_LIST: | [ { "name": "LinuxSshServerSecurityBaseline", "short-name": "SSH", "resource-count": 20 }, { "name": "AzureLinuxBaseline", "short-name": "ASB", "resource-count": 168 } ] -jobs: - package: - name: Package - if: ${{ inputs.policyPackageList == '[]' || inputs.policyPackageList == '' }} - uses: ./.github/workflows/package-build.yml - strategy: - matrix: - target: - [ - { os: ubuntu, version: 14.04, arch: amd64, dist: trusty, package-type: DEB }, - ] - with: - target: ${{ matrix.target.os }}-${{ matrix.target.version }} - arch: ${{ matrix.target.arch }} - artifact: nrp-test-package - package-type: ${{ matrix.target.package-type }} - machine-config: 
true - release: ${{ github.event_name == 'pull_request' && false || true }} - generate-matrix: - name: Generate Matrix - needs: package +jobs: + setup-matrix: + name: Setup Matrix runs-on: ubuntu-latest outputs: - matrix: ${{ steps.matrix.outputs.matrix }} + custom_download: ${{ steps.matrix.outputs.custom_download }} + policy_packages: ${{ steps.matrix.outputs.policy_packages }} if: ${{ always() }} steps: - name: Generate Matrix id: matrix run: | - # OSConfig Test Matrix - matrix="$(cat <<'EOL' - ${{ env.BUILD_MATRIX }} - EOL - )" - # If no explicit packages defined, use the default packages - if [[ '${{ inputs.policyPackageList }}' == '[]' || '${{ inputs.policyPackageList }}' == '' ]]; then - policyPackages="$(cat <<'EOL' - ${{ env.DEFAULT_PACKAGE_LIST }} - EOL - )" - else - policyPackages="$(cat <<'EOL' - ${{ inputs.policyPackageList }} - EOL - )" + if [[ '${{ inputs.policy_packages }}' == '[]' || '${{ inputs.policy_packages }}' == '' ]]; then + custom_download="true" + policy_packages="${{ env.DEFAULT_PACKAGE_LIST }}" + else + custom_download="true" + policy_packages="${{ inputs.policy_packages }}" fi - matrix="$(echo $matrix | jq --argjson policyPackages "$policyPackages" '.["policy-package"] += $policyPackages')" - echo matrix=$matrix >> $GITHUB_OUTPUT + echo custom_download=$custom_download >> $GITHUB_OUTPUT + echo policy_packages=$policy_packages >> $GITHUB_OUTPUT - test: - name: Test - needs: [package, generate-matrix] - if: ${{ always() }} + package: + name: Package + if: ${{ inputs.policy_packages == '[]' || inputs.policy_packages == '' }} + needs: setup-matrix + uses: ./.github/workflows/package-build.yml + with: + target: ubuntu-14.04 + arch: amd64 + artifact: nrp-test + package-type: DEB + test: true + machine-config: true + release: ${{ github.event_name == 'pull_request' && false || true }} + + mc-test: + name: MC Test + needs: [setup-matrix, package] runs-on: [self-hosted, 1ES.Pool=ci-pool, '1ES.ImageOverride=${{ matrix.target.os }}-${{ 
matrix.target.version }}'] strategy: fail-fast: false - matrix: ${{ fromJSON(needs.generate-matrix.outputs.matrix) }} + matrix: + target: [ + { os: almalinux, version: 9 }, + # { os: amazonlinux, version: 2 }, + { os: centos, version: 7 }, + { os: centos, version: 8 }, + { os: debian, version: 10 }, + { os: debian, version: 11 }, + { os: debian, version: 12 }, + { os: mariner, version: 2 }, + { os: oraclelinux, version: 7 }, + { os: oraclelinux, version: 8 }, + { os: rhel, version: 7 }, + { os: rhel, version: 8 }, + { os: rhel, version: 9 }, + { os: rockylinux, version: 9 }, + { os: sles, version: 12 }, + { os: sles, version: 15 }, + # { os: ubuntu, version: '16.04' }, + { os: ubuntu, version: '18.04' }, + { os: ubuntu, version: '20.04' }, + { os: ubuntu, version: '22.04' } + ] + arch: [amd64] + mode: [Audit, Remediate] + policy-package: ${{ fromJSON(needs.setup-matrix.outputs.policy_packages) }} + steps: - - uses: actions/checkout@v4 + # - uses: actions/checkout@v4 - uses: actions/download-artifact@v4 - if: ${{ inputs.policyPackageList == '[]' || inputs.policyPackageList == '' }} + if: ${{ needs.setup-matrix.outputs.custom_download == 'false' }} id: download with: - name: nrp-test-package + name: nrp-test + + - name: Custom Download + if: ${{ needs.setup-matrix.outputs.custom_download == 'true' }} + id: custom-download + run: | + wget -O PolicyPackage.zip ${{ matrix.policy-package.policy-package-url }} + echo path=$(pwd)/PolicyPackage.zip >> $GITHUB_OUTPUT - name: Normalize variables id: normalize run: | - # Normalize the distro names + architectures to match the published packages - output=${{ matrix.target.os }}-${{ matrix.target.version }}_${{ matrix.policy-package.short-name }}-${{ matrix.mode }} - echo name=${output} >> $GITHUB_OUTPUT + echo name="${{ matrix.target.os }}-${{ matrix.target.version }}_${{ matrix.policy-package.short-name }}-${{ matrix.mode }}" >> $GITHUB_OUTPUT - # Get the Policy Package URL - if [[ '${{ inputs.policyPackageList }}' == '[]' || 
'${{ inputs.policyPackageList }}' == '' ]]; then - echo PolicyPackagePath=${{ steps.download.outputs.download-path }}/${{ matrix.policy-package.name }}.zip >> $GITHUB_OUTPUT + if [[ ${{ needs.setup-matrix.outputs.custom_download }} == 'true' ]]; then + echo dir=$(pwd) >> $GITHUB_OUTPUT + echo path=$(pwd)/PolicyPackage.zip >> $GITHUB_OUTPUT else - wget -O PolicyPackage.zip ${{ matrix.policy-package.policy-package-url }} - echo PolicyPackagePath=$(pwd)/PolicyPackage.zip >> $GITHUB_OUTPUT + echo dir="${{ steps.download.outputs.download-path }}" >> $GITHUB_OUTPUT + echo path="${{ steps.download.outputs.download-path }}/${{ matrix.policy-package.name }}.zip" >> $GITHUB_OUTPUT fi - echo PolicyPackageDir=$(dirname "$PolicyPackagePath") >> $GITHUB_OUTPUT - name: Run Guest Configuration Test working-directory: ${{ steps.normalize.outputs.PolicyPackageDir }}
@@ -135,7 +132,7 @@ jobs: Import-Module Pester -Passthru \$params = @{ - PolicyPackage = '${{ steps.normalize.outputs.PolicyPackagePath }}' + PolicyPackage = '${{ steps.normalize.outputs.path }}' SkipRemediation = if ('${{ matrix.mode }}' -eq 'Audit') { \$true } else { \$false } ResourceCount = ${{ matrix.policy-package.resource-count }} }
@@ -156,9 +153,6 @@ jobs: Should = @{ ErrorAction = 'Continue' } - Filter = @{ - Tag = '${{ matrix.tag }}' - } }; Invoke-Pester -Configuration \$pesterConfig EOL
@@ -183,7 +177,7 @@ jobs: if: success() || failure() with: name: ${{ steps.normalize.outputs.name }}_report - path: '${{ steps.normalize.outputs.PolicyPackageDir }}/*testResults.xml' + path: '${{ steps.normalize.outputs.dir }}/*testResults.xml' - uses: actions/upload-artifact@v4 if: success() || failure() 
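Review bot: Both branches of the `if` in the "Generate Matrix" step set `custom_download="true"`, so the default-package path never takes the `actions/download-artifact` step (guarded by `custom_download == 'false'`) and instead runs the "Custom Download" step, whose `wget -O PolicyPackage.zip ${{ matrix.policy-package.policy-package-url }}` has no URL for the `DEFAULT_PACKAGE_LIST` entries, which define only `name`, `short-name` and `resource-count`; the first branch should be `custom_download="false"`. The opposite case is also broken: `mc-test` now lists `package` in `needs:` while `package` is skipped whenever a custom `policy_packages` list is supplied, and the old `if: ${{ always() }}` on the test job was dropped, so the custom-download run is skipped entirely unless the job gets `if: ${{ !cancelled() && needs.setup-matrix.result == 'success' }}` or similar. The context line `working-directory: ${{ steps.normalize.outputs.PolicyPackageDir }}` at the end of this hunk references an output the normalize step no longer writes (it now emits `dir` and `path`); the `@@ -183,7 +177,7 @@` hunk updated the report path but missed this line, which should become `working-directory: ${{ steps.normalize.outputs.dir }}`. `DEFAULT_PACKAGE_LIST` is a multi-line block scalar, and `echo policy_packages=$policy_packages >> $GITHUB_OUTPUT` relies on unquoted word-splitting to collapse it onto one line; writing it with the `policy_packages<<EOF` delimiter form is the documented way to pass multi-line output, and the same applies to the `inputs.policy_packages` value, which is better passed through `env:` than interpolated into the script. The `push:` trigger under `# TODO: remove` runs the whole self-hosted matrix on every push to any branch and presumably should be dropped before merge.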
@@ -191,10 +185,84 @@ jobs: name: ${{ steps.normalize.outputs.name }}_logs path: osconfig-logs/osconfig* + module-test: + name: Module Test + needs: package + runs-on: [self-hosted, 1ES.Pool=ci-pool, '1ES.ImageOverride=${{ matrix.target.os }}-${{ matrix.target.version }}'] + strategy: + fail-fast: false + matrix: + target: [ + { os: almalinux, version: 9 }, + # { os: amazonlinux, version: 2 }, + { os: centos, version: 7 }, + { os: centos, version: 8 }, + { os: debian, version: 10 }, + { os: debian, version: 11 }, + { os: debian, version: 12 }, + { os: mariner, version: 2 }, + { os: oraclelinux, version: 7 }, + { os: oraclelinux, version: 8 }, + { os: rhel, version: 7 }, + { os: rhel, version: 8 }, + { os: rhel, version: 9 }, + { os: rockylinux, version: 9 }, + { os: sles, version: 12 }, + { os: sles, version: 15 }, + # { os: ubuntu, version: '16.04' }, + { os: ubuntu, version: '18.04' }, + { os: ubuntu, version: '20.04' }, + { os: ubuntu, version: '22.04' } + ] + arch: [amd64] + steps: + # - uses: actions/checkout@v4 + + - uses: actions/download-artifact@v4 + id: download + with: + name: nrp-test + + - name: Create osconfig.json + run: | + sudo mkdir -p /etc/osconfig + sudo cp -r ${{ steps.download.outputs.download-path }}/modules/test/osconfig.json /etc/osconfig/osconfig.json + + - name: Run moduletest + working-directory: ${{ steps.download.outputs.download-path }}/modules/test + run: | + sudo chmod +x ./moduletest + + result=0 + recipe="./recipes/SecurityBaselineTests.json" + + name=$(basename $recipe | tr '[:upper:]' '[:lower:]' | sed 's/\.[^.]*$//' | sed 's/\(test\|tests\)$//') + + echo -n "testing $name ... 
" + + if output=$(sudo ./moduletest $recipe --bin ../bin); then + echo passed + else + echo failed + result=1 + echo "::warning file=$name.log::Error(s) in module-test for '$name'" + fi + + echo "$output" + echo "$output" > ../../$name.log + + exit $result + + - uses: actions/upload-artifact@v4 + if: success() || failure() + with: + name: ${{ matrix.target.os }}-${{ matrix.target.version }}_logs + path: '*.log' + # See for more details: https://github.com/marketplace/actions/publish-test-results report: name: Report - needs: test + needs: mc-test runs-on: ubuntu-latest permissions: checks: write
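Review bot: The "Create osconfig.json" step overwrites `/etc/osconfig/osconfig.json` on the self-hosted 1ES runner with the artifact's copy and nothing restores it afterwards, so if the pool VMs are not ephemeral the daemon config left behind will differ from the image's and can leak into the `mc-test` job scheduled on the same image; a restore step with `if: always()`, or a note in the step that the runner is single-use, would make the intent explicit (the `-r` on a single-file `cp` can also go). The log is written to `../../$name.log` relative to `download-path/modules/test`, while the upload step's `path: '*.log'` is resolved against the workspace, so the two only meet because actions/download-artifact@v4 defaults `download-path` to the workspace when no `path` is given; writing `"$GITHUB_WORKSPACE/$name.log"` instead removes that coupling. `recipe` is hard-coded to `./recipes/SecurityBaselineTests.json` although the artifact now ships every `recipes/*.json` from the package-build change; either loop over `./recipes/*.json` or add a comment saying why only the security baseline recipe is run here. `output=$(sudo ./moduletest $recipe --bin ../bin)` captures stdout only, so any diagnostics moduletest prints to stderr are lost from the uploaded log — if that is the case, `2>&1` inside the substitution keeps them. The `arch: [amd64]` matrix dimension is not referenced anywhere in this job.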