fw name case-insensitivity

exceptions/exceptionprocessor.go

@@ -3,6 +3,7 @@ package exceptions
 import (
 	"fmt"
 	"regexp"
+	"strings"
 
 	"github.com/armosec/k8s-interface/k8sinterface"
 	"github.com/armosec/k8s-interface/workloadinterface"
@@ -22,15 +23,15 @@ func SetFrameworkExceptions(frameworkReport *reporthandling.FrameworkReport, exc
 // SetControlExceptions add exceptions to control report
 func SetControlExceptions(controlReport *reporthandling.ControlReport, exceptionsPolicies []armotypes.PostureExceptionPolicy, clusterName, frameworkName string) {
 	for r := range controlReport.RuleReports {
-		SetRuleExceptions(&controlReport.RuleReports[r], exceptionsPolicies, clusterName, frameworkName, controlReport.Name)
+		SetRuleExceptions(&controlReport.RuleReports[r], exceptionsPolicies, clusterName, frameworkName, controlReport.Name, controlReport.ControlID)
 	}
 }
 
 // SetRuleExceptions add exceptions to rule report
-func SetRuleExceptions(ruleReport *reporthandling.RuleReport, exceptionsPolicies []armotypes.PostureExceptionPolicy, clusterName, frameworkName, controlName string) {
+func SetRuleExceptions(ruleReport *reporthandling.RuleReport, exceptionsPolicies []armotypes.PostureExceptionPolicy, clusterName, frameworkName, controlName, controlID string) {
 
 	// adding exceptions to the rules
-	ruleExceptions := ListRuleExceptions(exceptionsPolicies, frameworkName, controlName, ruleReport.Name)
+	ruleExceptions := ListRuleExceptions(exceptionsPolicies, frameworkName, controlName, controlID, ruleReport.Name)
 	SetRuleResponsExceptions(ruleReport.RuleResponses, ruleExceptions, clusterName)
 }
 
@@ -52,10 +53,10 @@ func SetRuleResponsExceptions(results []reporthandling.RuleResponse, ruleExcepti
 		results[i].RuleStatus = results[i].GetStatus()
 	}
 }
-func ListRuleExceptions(exceptionPolicies []armotypes.PostureExceptionPolicy, frameworkName, controlName, ruleName string) []armotypes.PostureExceptionPolicy {
+func ListRuleExceptions(exceptionPolicies []armotypes.PostureExceptionPolicy, frameworkName, controlName, controlID, ruleName string) []armotypes.PostureExceptionPolicy {
 	ruleExceptions := []armotypes.PostureExceptionPolicy{}
 	for i := range exceptionPolicies {
-		if ruleHasExceptions(&exceptionPolicies[i], frameworkName, controlName, ruleName) {
+		if ruleHasExceptions(&exceptionPolicies[i], frameworkName, controlName, controlID, ruleName) {
 			ruleExceptions = append(ruleExceptions, exceptionPolicies[i])
 		}
 	}
@@ -64,18 +65,21 @@ func ListRuleExceptions(exceptionPolicies []armotypes.PostureExceptionPolicy, fr
 
 }
 
-func ruleHasExceptions(exceptionPolicy *armotypes.PostureExceptionPolicy, frameworkName, controlName, ruleName string) bool {
+func ruleHasExceptions(exceptionPolicy *armotypes.PostureExceptionPolicy, frameworkName, controlName, controlID, ruleName string) bool {
 	for _, posturePolicy := range exceptionPolicy.PosturePolicies {
 		if posturePolicy.FrameworkName == "" && posturePolicy.ControlName == "" && posturePolicy.RuleName == "" {
 			continue // empty policy -> ignore
 		}
-		if posturePolicy.FrameworkName != "" && posturePolicy.FrameworkName != frameworkName {
+		if posturePolicy.FrameworkName != "" && strings.EqualFold(posturePolicy.FrameworkName, frameworkName) {
 			continue // policy does not match
 		}
-		if posturePolicy.ControlName != "" && posturePolicy.ControlName != controlName {
+		if posturePolicy.ControlName != "" && strings.EqualFold(posturePolicy.ControlName, controlName) {
 			continue // policy does not match
 		}
-		if posturePolicy.RuleName != "" && posturePolicy.RuleName != ruleName {
+		if posturePolicy.ControlID != "" && strings.EqualFold(posturePolicy.ControlID, controlID) {
+			continue // policy does not match
+		}
+		if posturePolicy.RuleName != "" && strings.EqualFold(posturePolicy.RuleName, ruleName) {
 			continue // policy does not match
 		}
 		return true // policies match

exceptions/exceptionprocessor_test.go

@@ -38,11 +38,11 @@ func PostureExceptionPolicyAlertOnlyMock() *armotypes.PostureExceptionPolicy {
 
 func TestListRuleExceptions(t *testing.T) {
 	exceptionPolicies := []armotypes.PostureExceptionPolicy{*PostureExceptionPolicyAlertOnlyMock()}
-	res1 := ListRuleExceptions(exceptionPolicies, "MITRE", "", "")
+	res1 := ListRuleExceptions(exceptionPolicies, "MITRE", "", "", "")
 	if len(res1) != 1 {
 		t.Errorf("expecting 1 exception")
 	}
-	res2 := ListRuleExceptions(exceptionPolicies, "", "hostPath mount", "")
+	res2 := ListRuleExceptions(exceptionPolicies, "", "hostPath mount", "", "")
 	if len(res2) != 0 {
 		t.Errorf("expecting 0 exception")
 	}

go.mod

@@ -3,7 +3,7 @@ module github.com/armosec/opa-utils
 go 1.17
 
 require (
-	github.com/armosec/armoapi-go v0.0.7
+	github.com/armosec/armoapi-go v0.0.23
 	github.com/armosec/k8s-interface v0.0.8
 	github.com/francoispqt/gojay v1.2.13
 	github.com/open-policy-agent/opa v0.33.1

go.sum

@@ -84,8 +84,8 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armosec/armoapi-go v0.0.2/go.mod h1:vIK17yoKbJRQyZXWWLe3AqfqCRITxW8qmSkApyq5xFs=
-github.com/armosec/armoapi-go v0.0.7 h1:SN13+iYrIkxgatU+MwuWnSlhxP1G7rZP7dC8us2I7v0=
-github.com/armosec/armoapi-go v0.0.7/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
+github.com/armosec/armoapi-go v0.0.23 h1:jqoLIWM5CR7DCD9fpFgN0ePqtHvOCoZv/XzCwsUluJU=
+github.com/armosec/armoapi-go v0.0.23/go.mod h1:iaVVGyc23QGGzAdv4n+szGQg3Rbpixn9yQTU3qWRpaw=
 github.com/armosec/k8s-interface v0.0.8 h1:Eo3Qen4yFXxzVem49FNeij2ckyzHSAJ0w6PZMaSEIm8=
 github.com/armosec/k8s-interface v0.0.8/go.mod h1:xxS+V5QT3gVQTwZyAMMDrYLWGrfKOpiJ7Jfhfa0w9sM=
 github.com/armosec/rbac-utils v0.0.1 h1:N2MI98F/0zbDjmRZ29CNElU1AXkFLk5csd/qAHOBdXY=