From a8c18f9b9418ac42922eee1e31b1e3c9f791c1dc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 27 Sep 2024 12:20:48 +0100
Subject: [PATCH] test(aa-log): update tests to the last changes.
---
 pkg/aa/file.go | 8 +++++-
 pkg/aa/parse.go | 10 ++++----
 pkg/aa/parse_test.go | 12 ++++-----
 pkg/aa/rule_test.go | 61 +++++++++++++++++++++++---------------------
 4 files changed, 50 insertions(+), 41 deletions(-)
diff --git a/pkg/aa/file.go b/pkg/aa/file.go
index 549ff66de..14ade6997 100644
--- a/pkg/aa/file.go
+++ b/pkg/aa/file.go
@@ -118,14 +118,20 @@ func (r *File) String() string {
 }
 
 func (r *File) Validate() error {
+ if r.Path == "" && r.Target == "" && len(r.Access) == 0 {
+ return nil // rule: `file` or `owner file`
+ }
 if !isAARE(r.Path) {
 return fmt.Errorf("'%s' is not a valid AARE", r.Path)
 }
+ if len(r.Access) == 0 {
+ return fmt.Errorf("missing file access")
+ }
 for _, v := range r.Access {
 if v == "" {
 continue
 }
- if !slices.Contains(requirements[r.Kind()]["access"], v) ||
+ if !slices.Contains(requirements[r.Kind()]["access"], v) &&
 !slices.Contains(requirements[r.Kind()]["transition"], v) {
 return fmt.Errorf("invalid mode '%s'", v)
 }
diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go
index b7fb52835..ef8a7acd9 100644
--- a/pkg/aa/parse.go
+++ b/pkg/aa/parse.go
@@ -187,11 +187,11 @@ func parseParagraph(input string) (Rules, error) {
 }
 res = append(res, rrr...)
- for _, r := range res {
- if r.Constraint() == PreambleRule {
- return nil, fmt.Errorf("Rule not allowed in block: %s", r)
- }
- }
+ // for _, r := range res {
+ // if r.Constraint() == PreambleRule {
+ // return nil, fmt.Errorf("Rule not allowed in block: %s", r)
+ // }
+ // }
 return res, nil
 }
diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go
index 9cc011f38..8b54487ff 100644
--- a/pkg/aa/parse_test.go
+++ b/pkg/aa/parse_test.go
@@ -843,7 +843,7 @@ var (
 raw string
 apparmor *AppArmorProfileFile
 wParseErr bool
- wRules []Rules
+ wRules ParaRules
 wParseRulesErr bool
 }{
 {
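Review bot: The new `len(r.Access) == 0` guard in Validate does not reject an access list made only of empty strings, because the loop right below it skips `""` with `continue`, so `&File{Path: "/x", Access: []string{""}}` still validates even though it carries no mode and presumably renders just like the path-only cases that rule_test.go now marks `wValidErr: true`. If empty entries can reach Validate (the `continue` suggests they can), replace the guard with `if !slices.ContainsFunc(r.Access, func(m string) bool { return m != "" }) {` — `slices` is already in scope here. The early return for a bare rule also deserves a doc comment, since it is the one case where a rule with neither path nor modes passes and, as I read apparmor.d(5), a bare `file` rule is the broadest file permission a profile can express: `// Validate checks a file rule. A bare file / owner file rule (no path, no target, no modes) is accepted as-is; every other rule needs a valid AARE path and at least one access or transition mode.`. Validate's loop and final return continue past the end of the hunk.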
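Review bot: The PreambleRule rejection in parseParagraph is commented out rather than removed or relocated, and nothing in the hunk or the commit message says why; the visible effect is that a profile block now silently accepts rules that were previously constrained to the preamble. If the reason is that this function now parses the preamble as well (the `ParaRules` rename in parse_test.go hints at that), the check belongs with the caller that knows it is parsing a block rather than being dropped; otherwise delete the dead lines and record the rationale in a comment such as `// Preamble-only rules are rejected by the caller, which knows whether it is parsing a block.`. A constraint check left as commented-out code is the easiest kind to never come back. parseParagraph starts before the hunk.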
@@ -851,7 +851,7 @@ var (
 raw: "",
 apparmor: &AppArmorProfileFile{},
 wParseErr: false,
- wRules: []Rules{},
+ wRules: ParaRules{},
 wParseRulesErr: false,
 },
 {
@@ -875,7 +875,7 @@ var (
 },
 },
 wParseErr: false,
- wRules: []Rules{},
+ wRules: ParaRules{},
 wParseRulesErr: false,
 },
 {
@@ -914,7 +914,7 @@ var (
 },
 },
 wParseErr: false,
- wRules: []Rules{},
+ wRules: ParaRules{},
 wParseRulesErr: false,
 },
 {
@@ -943,7 +943,7 @@ var (
 },
 },
 wParseErr: false,
- wRules: []Rules{
+ wRules: ParaRules{
 {
 &Include{IsMagic: true, Path: "abstractions/base"},
 &Include{IsMagic: true, Path: "abstractions/nameservice-strict"},
@@ -1050,7 +1050,7 @@ var (
 },
 },
 wParseErr: false,
- wRules: []Rules{
+ wRules: ParaRules{
 {
 &Include{IsMagic: true, Path: "abstractions/base"},
 &Include{IsMagic: true, Path: "abstractions/nameservice-strict"},
diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go
index 77e05e320..ee50532a9 100644
--- a/pkg/aa/rule_test.go
+++ b/pkg/aa/rule_test.go
@@ -124,7 +124,7 @@ var (
 wString: "include if exists ",
 },
 {
- name: "include/abs",
+ name: "include-abs",
 rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false},
 other: &Include{Path: "/usr/share/apparmor.d/", IsMagic: true},
 wCompare: -1,
@@ -190,7 +190,7 @@ var (
 wString: "capability net_admin,",
 },
 {
- name: "capability/multi",
+ name: "capability-multi",
 rule: &Capability{Names: []string{"dac_override", "dac_read_search"}},
 other: capability2,
 wCompare: -15,
@@ -198,7 +198,7 @@ var (
 wString: "capability dac_override dac_read_search,",
 },
 {
- name: "capability/all",
+ name: "capability-all",
 rule: &Capability{},
 other: capability2,
 wCompare: -1,
@@ -222,7 +222,7 @@ var (
 log: mount1Log,
 rule: mount1,
 other: mount2,
- wCompare: 38,
+ wCompare: 37,
 wMerge: false,
 wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check",
 },
@@ -250,7 +250,7 @@ var (
 log: pivotroot1Log,
 rule: pivotroot1,
 other: pivotroot2,
- wCompare: 7,
+ wCompare: -5,
 wMerge: false,
 wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,",
 },
@@ -307,7 +307,7 @@ var (
 wString: "signal receive set=kill peer=firefox//&firejail-default,",
 },
 {
- name: "ptrace/xdg-document-portal",
+ name: "ptrace-xdg-document-portal",
 fromLog: newPtraceFromLog,
 log: ptrace1Log,
 rule: ptrace1,
@@ -317,7 +317,7 @@ var (
 wString: "ptrace read peer=nautilus,",
 },
 {
- name: "ptrace/snap-update-ns.firefox",
+ name: "ptrace-snap-update-ns.firefox",
 fromLog: newPtraceFromLog,
 log: ptrace2Log,
 rule: ptrace2,
@@ -355,7 +355,7 @@ var (
 wString: "dbus bind bus=session name=org.gnome.evolution.dataserver.Sources5,",
 },
 {
- name: "dbus/bind",
+ name: "dbus-bind",
 rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"},
 other: dbus2,
 wCompare: -39,
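Review bot: `wCompare` for the pivot_root case flips from 7 to -5, which reverses the relative order of pivotroot1 and pivotroot2, yet neither Compare nor the pivotroot fixtures are part of this diff, so a reader cannot tell which field now drives the ordering or whether the reversal is intended. The magnitudes look like raw byte differences of the first differing field, which makes these expectations brittle against any further reordering inside Compare; a short comment on the changed line naming that field, e.g. `wCompare: -5, // ordered on <field> first since the Compare rework`, would turn the next update from a guess into a check. The mount case in the preceding hunk (38 to 37) would benefit from the same note.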
@@ -381,31 +381,33 @@ var (
 wString: "/usr/share/poppler/cMap/Identity-H r,",
 },
 {
- name: "file/empty",
+ name: "file-all",
 rule: &File{},
 other: &File{},
 wCompare: 0,
 wMerge: true,
- wString: " ,",
+ wString: " ,", // FIXME:
 },
 {
- name: "file/equal",
- rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
- other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
- wCompare: 0,
- wMerge: true,
- wString: "/usr/share/poppler/cMap/Identity-H ,",
+ name: "file-equal",
+ rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
+ other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
+ wValidErr: true,
+ wCompare: 0,
+ wMerge: true,
+ wString: "/usr/share/poppler/cMap/Identity-H ,",
 },
 {
- name: "file/owner",
- rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true},
- other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
- wCompare: 1,
- wMerge: false,
- wString: "owner /usr/share/poppler/cMap/Identity-H ,",
+ name: "file-owner",
+ rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true},
+ other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
+ wCompare: 1,
+ wValidErr: true,
+ wMerge: false,
+ wString: "owner /usr/share/poppler/cMap/Identity-H ,",
 },
 {
- name: "file/access",
+ name: "file-access",
 rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}},
 other: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}},
 wCompare: -5,
@@ -413,12 +415,13 @@ var (
 wString: "/usr/share/poppler/cMap/Identity-H r,",
 },
 {
- name: "file/close",
- rule: &File{Path: "/usr/share/poppler/cMap/"},
- other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
- wCompare: -10,
- wMerge: false,
- wString: "/usr/share/poppler/cMap/ ,",
+ name: "file-close",
+ rule: &File{Path: "/usr/share/poppler/cMap/"},
+ other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
+ wCompare: -10,
+ wValidErr: true,
+ wMerge: false,
+ wString: "/usr/share/poppler/cMap/ ,",
 },
 {
 name: "link1",
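Review bot: The `// FIXME:` on the file-all case is empty, so the test pins `" ,"` as the expected rendering of an empty `File{}` without saying what is wrong with it; the renamed case is evidently meant to model the bare `file` rule, which in AppArmor syntax is written `file,`, and `" ,"` is not a parsable rule at all. Give the FIXME its content so the expectation reads as a recorded defect rather than a contract, e.g. `wString: " ,", // FIXME: String() should emit "file," for a bare file rule`. The case is also the only File case in this hunk without `wValidErr`, which matches the bare-rule exemption added to Validate in file.go, and a word in the FIXME noting that the String() and Validate() views of a bare rule currently disagree would keep the two from drifting further apart.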