Fix GUID for cross bundle scan

Added check to make sure the scan we are going to label for the profile GID come from the actully profile being used for the scan, because two profile can potentially have the same name, we want to take bundle name into consideration
ComplianceAsCode · May 6, 2024 · 255819f · 255819f
1 parent 67cac7e
commit 255819f
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 80 deletions.
diff --git a/pkg/controller/compliancesuite/compliancesuite_controller.go b/pkg/controller/compliancesuite/compliancesuite_controller.go
@@ -433,7 +433,7 @@ func launchScanForSuite(r *ReconcileComplianceSuite, suite *compv1alpha1.Complia
 			return err
 		}
 		for _, profile := range profiles.Items {
-			if profile.ID == scanProfile {
+			if profile.ID == scanProfile && profile.Name == scanWrap.Name {
 				profileUniqueID = profile.GetAnnotations()[compv1alpha1.ProfileGuidAnnotation]
 				break
 			}

diff --git a/tests/e2e/framework/common.go b/tests/e2e/framework/common.go
@@ -1049,16 +1049,30 @@ func (f *Framework) AssertScanIsCompliant(name, namespace string) error {
 	return nil
 }
 
-// AssertScanUUIDMatches checks if the scan has the expected UUID
-func (f *Framework) AssertScanUUIDMatches(name, namespace, expectedUUID string) error {
+// AssertScanGUIDMatches checks if the scan has the expected GUID
+func (f *Framework) AssertScanGUIDMatches(name, namespace, expectedGUID string) error {
 	cs := &compv1alpha1.ComplianceScan{}
 	defer f.logContainerOutput(namespace, name)
 	err := f.Client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: namespace}, cs)
 	if err != nil {
 		return err
 	}
-	if cs.Labels[compv1alpha1.ProfileGuidLabel] != expectedUUID {
-		return fmt.Errorf("Expected UUID %s for scan %s, got %s", expectedUUID, name, cs.Labels[compv1alpha1.ProfileGuidLabel])
+	if cs.Labels[compv1alpha1.ProfileGuidLabel] != expectedGUID {
+		return fmt.Errorf("Expected GUID %s for scan %s, got %s", expectedGUID, name, cs.Labels[compv1alpha1.ProfileGuidLabel])
+	}
+	return nil
+}
+
+// AssertProfileGUIDMatches checks if the profile has the expected GUID
+func (f *Framework) AssertProfileGUIDMatches(name, namespace, expectedGUID string) error {
+	profile := &compv1alpha1.Profile{}
+	defer f.logContainerOutput(namespace, name)
+	err := f.Client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: namespace}, profile)
+	if err != nil {
+		return err
+	}
+	if profile.Annotations[compv1alpha1.ProfileGuidAnnotation] != expectedGUID {
+		return fmt.Errorf("Expected GUID %s for profile %s, got %s", expectedGUID, name, profile.Annotations[compv1alpha1.ProfileGuidAnnotation])
 	}
 	return nil
 }

diff --git a/tests/e2e/parallel/main_test.go b/tests/e2e/parallel/main_test.go
@@ -3124,78 +3124,3 @@ func TestScanCleansUpComplianceCheckResults(t *testing.T) {
 		t.Fatal(err)
 	}
 }
-
-func TestScanHasProfileUUID(t *testing.T) {
-	t.Parallel()
-	f := framework.Global
-	bindingName := framework.GetObjNameFromTest(t)
-	tpName := "test-scan-have-profile-uuid-tp"
-	// This is the profileUUID for the redhat_openshift_container_platform_4.1 product and xccdf_org.ssgproject.content_profile_moderate profile
-	const profileUUID = "d625badc-92a1-5438-afd7-19526c26b03c"
-	const profileUUIDTP = "d1359d86-c04f-5aa7-bcbc-e75a40844734"
-	// check if the profileUUID is correct in ocp4-moderate profile
-	profile := &compv1alpha1.Profile{}
-	err := f.Client.Get(context.TODO(), types.NamespacedName{Name: "ocp4-moderate", Namespace: f.OperatorNamespace}, profile)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if profile.Annotations[compv1alpha1.ProfileGuidAnnotation] != profileUUID {
-		t.Fatalf("expected profileUUID %s, got %s", profileUUID, profile.Annotations[compv1alpha1.ProfileGuidAnnotation])
-	}
-
-	tp := &compv1alpha1.TailoredProfile{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      tpName,
-			Namespace: f.OperatorNamespace,
-		},
-		Spec: compv1alpha1.TailoredProfileSpec{
-			Title:       "TestScanHaveProfileUUID",
-			Description: "TestScanHaveProfileUUID",
-			Extends:     "ocp4-moderate",
-		},
-	}
-
-	createTPErr := f.Client.Create(context.TODO(), tp, nil)
-	if createTPErr != nil {
-		t.Fatal(createTPErr)
-	}
-	defer f.Client.Delete(context.TODO(), tp)
-	scanSettingBinding := compv1alpha1.ScanSettingBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      bindingName,
-			Namespace: f.OperatorNamespace,
-		},
-		Profiles: []compv1alpha1.NamedObjectReference{
-			{
-				Name:     tpName,
-				Kind:     "TailoredProfile",
-				APIGroup: "compliance.openshift.io/v1alpha1",
-			},
-			{
-				Name:     "ocp4-moderate",
-				Kind:     "Profile",
-				APIGroup: "compliance.openshift.io/v1alpha1",
-			},
-		},
-		SettingsRef: &compv1alpha1.NamedObjectReference{
-			Name:     "default",
-			Kind:     "ScanSetting",
-			APIGroup: "compliance.openshift.io/v1alpha1",
-		},
-	}
-	// use Context's create helper to create the object and add a cleanup function for the new object
-	err = f.Client.Create(context.TODO(), &scanSettingBinding, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer f.Client.Delete(context.TODO(), &scanSettingBinding)
-	if err := f.WaitForSuiteScansStatus(f.OperatorNamespace, bindingName, compv1alpha1.PhaseDone, compv1alpha1.ResultNonCompliant); err != nil {
-		t.Fatal(err)
-	}
-
-	// check if the profileUUID is correct in the scan's label
-	f.AssertScanUUIDMatches("ocp4-moderate", f.OperatorNamespace, profileUUID)
-	// check if the profileUUID is correct in the tailored profile's label
-	f.AssertScanUUIDMatches(tpName, f.OperatorNamespace, profileUUIDTP)
-
-}
diff --git a/tests/e2e/serial/main_test.go b/tests/e2e/serial/main_test.go
@@ -247,6 +247,89 @@ func TestSuiteScan(t *testing.T) {
 
 }
 
+func TestScanHasProfileGUID(t *testing.T) {
+	f := framework.Global
+	bindingName := framework.GetObjNameFromTest(t)
+	tpName := "test-scan-have-profile-guid-tp"
+	// This is the profileGUID for the redhat_openshift_container_platform_4.1 product and xccdf_org.ssgproject.content_profile_moderate profile
+	const profileGUIDOCPModerate = "d625badc-92a1-5438-afd7-19526c26b03c"
+	const profileGUIDTP = "d1359d86-c04f-5aa7-bcbc-e75a40844734"
+	const profileGUIDRHCOSModerate = "eceb9af0-17d4-5c59-9b17-07cfd22a3ba1"
+	const profileGUIDOCPCIS = "a230315d-3e4a-5b58-b00f-f96f1553e036"
+
+	f.AssertProfileGUIDMatches("ocp4-moderate", f.OperatorNamespace, profileGUIDOCPModerate)
+	f.AssertProfileGUIDMatches("rhcos4-moderate", f.OperatorNamespace, profileGUIDRHCOSModerate)
+	f.AssertProfileGUIDMatches("ocp4-cis", f.OperatorNamespace, profileGUIDOCPCIS)
+	tp := &compv1alpha1.TailoredProfile{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      tpName,
+			Namespace: f.OperatorNamespace,
+		},
+		Spec: compv1alpha1.TailoredProfileSpec{
+			Title:       "TestScanHaveProfileGUID",
+			Description: "TestScanHaveProfileGUID",
+			Extends:     "ocp4-moderate",
+		},
+	}
+
+	createTPErr := f.Client.Create(context.TODO(), tp, nil)
+	if createTPErr != nil {
+		t.Fatal(createTPErr)
+	}
+	defer f.Client.Delete(context.TODO(), tp)
+	scanSettingBinding := compv1alpha1.ScanSettingBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      bindingName,
+			Namespace: f.OperatorNamespace,
+		},
+		Profiles: []compv1alpha1.NamedObjectReference{
+			{
+				Name:     "ocp4-cis",
+				Kind:     "Profile",
+				APIGroup: "compliance.openshift.io/v1alpha1",
+			},
+			{
+				Name:     tpName,
+				Kind:     "TailoredProfile",
+				APIGroup: "compliance.openshift.io/v1alpha1",
+			},
+			{
+				Name:     "ocp4-moderate",
+				Kind:     "Profile",
+				APIGroup: "compliance.openshift.io/v1alpha1",
+			},
+			{
+				Name:     "rhcos4-moderate",
+				Kind:     "Profile",
+				APIGroup: "compliance.openshift.io/v1alpha1",
+			},
+		},
+		SettingsRef: &compv1alpha1.NamedObjectReference{
+			Name:     "default",
+			Kind:     "ScanSetting",
+			APIGroup: "compliance.openshift.io/v1alpha1",
+		},
+	}
+	// use Context's create helper to create the object and add a cleanup function for the new object
+	err := f.Client.Create(context.TODO(), &scanSettingBinding, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Client.Delete(context.TODO(), &scanSettingBinding)
+	if err := f.WaitForSuiteScansStatus(f.OperatorNamespace, bindingName, compv1alpha1.PhaseDone, compv1alpha1.ResultNonCompliant); err != nil {
+		t.Fatal(err)
+	}
+
+	// check if the profileGUID is correct in the scan's label
+	f.AssertScanGUIDMatches("ocp4-moderate", f.OperatorNamespace, profileGUIDOCPModerate)
+	f.AssertScanGUIDMatches("rhcos4-moderate", f.OperatorNamespace, profileGUIDRHCOSModerate)
+	f.AssertScanGUIDMatches("ocp4-cis-node-master", f.OperatorNamespace, profileGUIDOCPCIS)
+	f.AssertScanGUIDMatches("ocp4-cis-node-worker", f.OperatorNamespace, profileGUIDOCPCIS)
+	// check if the profileGUID is correct in the tailored profile's label
+	f.AssertScanGUIDMatches(tpName, f.OperatorNamespace, profileGUIDTP)
+
+}
+
 func TestMixProductScan(t *testing.T) {
 	f := framework.Global