Skip to content

test(presets): add unit tests for base and anonmapexec utility functions#2752

Open
cynox-66 wants to merge 1 commit into
kubearmor:mainfrom
cynox-66:test-presets-base-coverage
Open

test(presets): add unit tests for base and anonmapexec utility functions#2752
cynox-66 wants to merge 1 commit into
kubearmor:mainfrom
cynox-66:test-presets-base-coverage

Conversation

@cynox-66

@cynox-66 cynox-66 commented Jul 8, 2026

Copy link
Copy Markdown

Summary

This PR adds unit test coverage for the pure-Go utility functions in the presets subsystem as part of the test coverage initiative tracked in #2130.

What is covered

presets/base/common_test.go

Adds comprehensive table-driven tests for core helper functions and types:

  • TestAddPolicyLogInfo (6 test cases)

    • Empty policy
    • Policy name only
    • Single tag
    • Multiple tags
    • Severity and message
    • Fully populated policy

    Verifies correct population of:

    • PolicyName
    • Tags
    • ATags
    • Severity
    • Message
    • Type
    • KubeArmorVersion
  • TestUpdateMatchPolicy (5 test cases)

    • Zero-value policy
    • Fully populated policy
    • Missing policyName
    • High severity
    • Single tag

    Verifies correct mapping from SecurityPolicy into MatchPolicy, including metadata, severity conversion, message, and tags.

  • TestPresetConstants

    • Verifies the values of PRESET_ENFORCER, Audit, and Block.
  • TestNsKeyConstruction

    • Verifies construction of NsKey using zero, typical, and maximum namespace values.

presets/anonmapexec/utils_test.go

Adds table-driven tests for utility parsing helpers:

  • TestParseProtectionFlags (9 test cases)

    • Zero flags
    • Individual protection flags
    • Combined protection flags
    • High-bit inputs
  • TestParseMemoryFlags (11 test cases)

    • Individual memory mapping flags
    • Common flag combinations
    • Full flag combination

Out of Scope

The following components are intentionally excluded because they depend on eBPF code generation, kernel runtime support, or live subsystem integration and cannot be reliably exercised through standard Go unit tests:

  • presets/exec/
  • presets/filelessexec/
  • presets/protectenv/
  • presets/protectproc/
  • presets/anonmapexec/preset.go
  • presets.go

This PR is intentionally limited to deterministic, pure-Go utility code to keep the review focused and self-contained.

Validation

The following validations were completed locally:

# Formatting
gofmt -l presets/base/common_test.go presets/anonmapexec/utils_test.go

# Static analysis
GOOS=linux GOARCH=amd64 go vet ./presets/base/... ./presets/anonmapexec/...

# Package compilation
GOOS=linux GOARCH=amd64 go test -c -o /dev/null ./presets/base/...
GOOS=linux GOARCH=amd64 go test -c -o /dev/null ./presets/anonmapexec/...
  • gofmt completed with no formatting issues.
  • go vet completed without warnings.
  • Both packages compiled successfully for the Linux target.

Manual verification

The following scenarios were verified:

  • ParseProtectionFlags() correctly handles zero, individual, combined, and high-bit protection flags.
  • ParseMemoryFlags() correctly parses supported memory mapping flags and common flag combinations.
  • AddPolicyLogInfo() correctly populates log metadata from empty, partial, and fully populated MatchPolicy inputs.
  • UpdateMatchPolicy() correctly maps SecurityPolicy metadata, severity, message, and tags into MatchPolicy.
  • Preset constants retain their expected values.
  • NsKey construction behaves correctly across representative namespace values.

Additional information

This PR is part of the ongoing unit test coverage effort tracked in #2130.

It continues the existing coverage series following:

The goal is to incrementally improve coverage across independent packages using small, reviewable PRs without modifying production code.

Add unit test coverage for the pure-Go utility functions in the presets
subsystem as part of the test coverage audit tracked in kubearmor#2130.

Two packages are covered:

presets/base/common_test.go:
- TestAddPolicyLogInfo: 6 table-driven cases covering empty policy,
  name-only, single tag, multiple tags, severity+message, and all-fields-set
  inputs. Verifies PolicyName, Tags (joined string), ATags (slice),
  Severity, Message, Type, and KubeArmorVersion fields.
- TestUpdateMatchPolicy: 5 table-driven cases covering zero-value policy,
  full policy, missing policyName key, high severity, and single-tag inputs.
  Verifies PolicyName, Severity (strconv.Itoa conversion), Message, and
  Tags fields are correctly mapped from SecurityPolicy.
- TestPresetConstants: verifies PRESET_ENFORCER, Audit, and Block constant
  values match their documented semantics.
- TestNsKeyConstruction: verifies NsKey struct construction with zero,
  typical, and max uint32 values.

presets/anonmapexec/utils_test.go:
- TestParseProtectionFlags: 9 table-driven cases covering all bitmask
  combinations of PROT_READ (0x1), PROT_WRITE (0x2), PROT_EXEC (0x4),
  zero flags, and high-bit passthrough values.
- TestParseMemoryFlags: 11 table-driven cases covering all 6 flag bits
  (MAP_SHARED, MAP_PRIVATE, MAP_FIXED, MAP_ANONYMOUS, MAP_GROWSDOWN,
  MAP_DENYWRITE) individually and in combination.

BPF-dependent sub-packages (exec/, filelessexec/) are intentionally
excluded — they require bpf2go codegen and cannot compile in standard
go test without a kernel BPF runtime.

Validation: GOOS=linux GOARCH=amd64 go vet and go test -c pass cleanly.
Execution is verified on Linux CI (macOS dev env has case-insensitive FS
and Linux-specific syscall constraints in transitive deps).

Part of kubearmor#2130

Signed-off-by: cynox-66 <devj2311@gmail.com>
@cynox-66
cynox-66 force-pushed the test-presets-base-coverage branch from f6751fa to 1190f02 Compare July 8, 2026 12:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant