From 6ee0b353ac43c78d97a6b3858f82e6432d4ddefd Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Wed, 10 Nov 2021 10:02:24 +0000
Subject: [PATCH] test: adding a test for correct json pointer parsing
Signed-off-by: Jason Dellaluce
---
 test/falco_k8s_audit_tests.yaml | 9 ++++++++
 .../single_rule_with_json_pointer.yaml | 23 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 test/rules/k8s_audit/single_rule_with_json_pointer.yaml
diff --git a/test/falco_k8s_audit_tests.yaml b/test/falco_k8s_audit_tests.yaml
index a206ec73..ad8ccd3f 100644
--- a/test/falco_k8s_audit_tests.yaml
+++ b/test/falco_k8s_audit_tests.yaml
@@ -632,3 +632,12 @@ trace_files: !mux
 - ../rules/k8s_audit_rules.yaml
 trace_file: trace_files/k8s_audit/fal_01_003.json
 stderr_contains: 'Could not read k8s audit event line #1, "{"kind": 0}": Data not recognized as a k8s audit event, stopping'
+
+ json_pointer_correct_parse:
+ detect: True
+ detect_level: WARNING
+ rules_file:
+ - ./rules/k8s_audit/single_rule_with_json_pointer.yaml
+ detect_counts:
+ - json_pointer_example: 1
+ trace_file: trace_files/k8s_audit/create_nginx_pod_unprivileged.json
\ No newline at end of file
diff --git a/test/rules/k8s_audit/single_rule_with_json_pointer.yaml b/test/rules/k8s_audit/single_rule_with_json_pointer.yaml
new file mode 100644
index 00000000..37da1982
--- /dev/null
+++ b/test/rules/k8s_audit/single_rule_with_json_pointer.yaml
@@ -0,0 +1,23 @@
+#
+# Copyright (C) 2021 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- rule: json_pointer_example
+ desc: A rule example using JSON Pointer (RFC 6901)
+ condition: jevt.value[/annotations/authorization.k8s.io~1decision] exists and not (jevt.value[/a~1~0b] exists)
+ output: "JSON Pointer Test Alert"
+ priority: WARNING
+ source: k8s_audit
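Review bot: The second clause of `condition`, `not (jevt.value[/a~1~0b] exists)`, holds for any event that lacks the key `a/~b`, so it passes whether or not `~0` is actually decoded. Only the `~1` escape in `/annotations/authorization.k8s.io~1decision` is checked positively. The trace `create_nginx_pod_unprivileged.json` is not visible in this patch, so this assumes it carries no such key. That gap matters for detection coverage, because a pointer that is decoded wrongly produces no error, only a rule that silently never matches (or, as here, a negated clause that is always true). I would add a comment above the rule such as `# RFC 6901: ~1 -> "/", ~0 -> "~"; the second clause only shows the ~0 escape is accepted, not that it resolves to a key`, and, if a trace with a `~` in a key name is available, a second rule that requires such a key to exist.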