From 82a78c8f9d414a4364660406e30dc208bd02d50f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Lajk=C3=B3?=
Date: Thu, 7 May 2026 22:58:45 +0200
Subject: [PATCH] Add support for space separator when auditing CLI options

---
 check/test.go      | 23 +++++++++++++++++++----
 check/test_test.go | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/check/test.go b/check/test.go
index e27b34902..904232f68 100644
--- a/check/test.go
+++ b/check/test.go
@@ -126,20 +126,35 @@ func (t flagTestItem) findValue(s string) (match bool, value string, err error)
 		// Expects flags in the form;
 		// --flag=somevalue
 		// flag: somevalue
+		// flag somevalue
 		// --flag
 		// somevalue
 		// DOESN'T COVER - use pathTestItem implementation of findValue() for this
 		// flag:
 		// - wehbook
-		pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
+
+		// Match the flag of interest:
+		pttn1 := `(` + t.Flag + `)`
+		// Consume any number of `=` or `:` separators:
+		pttn2 := `[=:]*`
+		// Consume any whitespace after separator:
+		pttn3 := `\s*`
+		// Match any number of non-whitespace characters as the flag value:
+		pttn4 := `(\S*)`
+		pttn := pttn1 + pttn2 + pttn3 + pttn4
+
 		flagRe := regexp.MustCompile(pttn)
 		vals := flagRe.FindStringSubmatch(s)
 
 		if len(vals) > 0 {
-			if vals[3] != "" {
-				value = vals[3]
+			// If there is a match
+			if vals[2] != "" && !strings.HasPrefix(vals[2], "--") {
+				// If the "flag value" capture group matched text and the match
+				// does not look like another flag
+				value = vals[2]
 			} else {
-				// --bool-flag
+				// If there is no "flag value" or it is another flag,
+				// then this is a bool flag
 				if strings.HasPrefix(t.Flag, "--") {
 					value = "true"
 				} else {
diff --git a/check/test_test.go b/check/test_test.go
index d786f0842..db29c3275 100644
--- a/check/test_test.go
+++ b/check/test_test.go
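Review bot: The `\s*` assigned to `pttn3` lets the value capture run across a line break, so a boolean flag that is the last token on one line of a multi-line audit result (for example `ps -ef | grep kube-apiserver` output that matches two processes) will now take the first token of the next line as its value instead of reaching the bool branch, whereas the removed pattern's trailing ` *` never crossed a newline. The same applies to the `flag: value` form when the value sits on the following line, which the comment above lists as uncovered. Restricting the separator whitespace to the current line, `pttn3 := "[ \t]*"` written as a raw string, keeps the new space-separator support without that regression. Separately, the `!strings.HasPrefix(vals[2], "--")` guard only recognises double-dash flags, so a following single-dash token would still be read as the value; whether that matters depends on which binaries the checks audit. findValue begins before and continues after this hunk.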
@@ -70,6 +70,20 @@ func TestTestExecute(t *testing.T) {
 			strConfig:          "",
 			expectedTestResult: "'--insecure-port' is equal to '0'",
 		},
+		{
+			// space separator with -- prefix
+			check:              controls.Groups[0].Checks[2],
+			str:                "2:45 ../kubernetes/kube-apiserver --insecure-port 0 --anonymous-auth",
+			strConfig:          "",
+			expectedTestResult: "'--insecure-port' is equal to '0'",
+		},
+		{
+			// space separator with -- prefix, value at end of string
+			check:              controls.Groups[0].Checks[3],
+			str:                "2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage 40",
+			strConfig:          "",
+			expectedTestResult: "'--audit-log-maxage' is greater or equal to 30",
+		},
 		{
 			check:              controls.Groups[0].Checks[3],
 			str:                "2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage=40 --option",
@@ -88,6 +102,13 @@ func TestTestExecute(t *testing.T) {
 			strConfig:          "",
 			expectedTestResult: "'--admission-control' does not have 'AlwaysAdmit'",
 		},
+		{
+			// space separator preserves comma-separated value
+			check:              controls.Groups[0].Checks[5],
+			str:                "2:45 ../kubernetes/kube-apiserver --option --admission-control WebHook,RBAC ---audit-log-maxage=40",
+			strConfig:          "",
+			expectedTestResult: "'--admission-control' does not have 'AlwaysAdmit'",
+		},
 		{
 			check:              controls.Groups[0].Checks[6],
 			str:                "2:45 .. --kubelet-clientkey=foo --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
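Review bot: None of the added cases covers the input shape where the new separator handling differs most from the old one: a boolean `--` flag as the last token of a line in a multi-line string, which the `\s*` now used in findValue joins to the first token of the following line. A two-line `str` such as `"kube-apiserver --anonymous-auth\nroot kube-apiserver --secure-port=0"`, expecting the boolean result for the first flag, would pin the intended behaviour either way; the check index to use depends on the fixture loaded earlier in the test, which is outside this hunk. A similar case for a `flag:` key whose value is on the next line would cover the YAML-style form listed in the findValue comment. TestTestExecute starts before and ends after both hunks.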
@@ -106,6 +127,20 @@ func TestTestExecute(t *testing.T) {
 			strConfig:          "",
 			expectedTestResult: "'permissions' is equal to 'SomeValue'",
 		},
+		{
+			// space separator with bare flag (no -- prefix)
+			check:              controls.Groups[0].Checks[8],
+			str:                "permissions SomeValue",
+			strConfig:          "",
+			expectedTestResult: "'permissions' is equal to 'SomeValue'",
+		},
+		{
+			// space separator with bare flag, value at end of string
+			check:              controls.Groups[0].Checks[8],
+			str:                "permissions SomeValue someFlag someOtherValue",
+			strConfig:          "",
+			expectedTestResult: "'permissions' is equal to 'SomeValue'",
+		},
 		{
 			check:              controls.Groups[0].Checks[9],
 			str:                "permissions=640",