From dc7b6388d3f3761652db5f1b5d039f184c7e1d9e Mon Sep 17 00:00:00 2001
From: Amit Schendel
Date: Thu, 21 Nov 2024 23:04:46 +0000
Subject: [PATCH] Fixing logic

Signed-off-by: Amit Schendel
---
 go.mod | 2 +-
 ...unexpected_service_account_token_access.go | 3 +-
 ...ected_service_account_token_access_test.go | 69 +++++++------------
 3 files changed, 28 insertions(+), 46 deletions(-)

diff --git a/go.mod b/go.mod
index 9d7b9510..95d2b741 100644
--- a/go.mod
+++ b/go.mod
@@ -44,6 +44,7 @@ require (
 k8s.io/apimachinery v0.31.1
 k8s.io/client-go v0.31.1
 k8s.io/kubectl v0.31.0
+ k8s.io/kubelet v0.31.1
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
 sigs.k8s.io/yaml v1.4.0
 )
@@ -252,7 +253,6 @@ require (
 k8s.io/cri-api v0.31.1 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
 k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f // indirect
- k8s.io/kubelet v0.31.1 // indirect
 oras.land/oras-go/v2 v2.4.0 // indirect
 sigs.k8s.io/controller-runtime v0.19.0 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
index 4d8fd511..f0531fba 100644
--- a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
+++ b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
@@ -168,10 +168,11 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti
 // Normalize the accessed path once
 normalizedAccessedPath := normalizeTokenPath(openEvent.FullPath)
+ dirPath := filepath.Dir(normalizedAccessedPath)
 // Check against whitelisted paths
 for _, open := range appProfileOpenList.Opens {
- if normalizedAccessedPath == normalizeTokenPath(open.Path) {
+ if dirPath == filepath.Dir(normalizeTokenPath(open.Path)) {
 return nil
 }
 }
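Review bot: The new comparison `if dirPath == filepath.Dir(normalizeTokenPath(open.Path))` whitelists every file in a directory as soon as any file in it appears in the profile, so a profile that only recorded `ca.crt` or `namespace` now also suppresses the alert for `token`, which is the file this rule exists to watch (the test hunk below encodes exactly that outcome). If the goal is only to tolerate the usual pattern of reading the non-secret siblings next to the token, keep the exact-path match and apply the directory-level match to non-token files only, as sketched below; if the broader whitelist is intended, a comment on `dirPath` stating that any recorded sibling also covers `token` would make the trade-off explicit for the next reader. Whether normalizeTokenPath folds the timestamped `..<ts>` directory into a stable prefix is not visible here, and the proposal relies on that for the EKS case. ProcessEvent begins and continues outside the hunk, so the surrounding handling of openEvent and appProfileOpenList is not visible.
```go
normalizedAccessedPath := normalizeTokenPath(openEvent.FullPath)
dirPath := filepath.Dir(normalizedAccessedPath)
// A directory-level match only covers the non-secret siblings (ca.crt, namespace);
// the token file itself must have been recorded in the profile.
isToken := filepath.Base(normalizedAccessedPath) == "token"

// Check against whitelisted paths
for _, open := range appProfileOpenList.Opens {
	whitelisted := normalizeTokenPath(open.Path)
	if normalizedAccessedPath == whitelisted {
		return nil
	}
	if !isToken && dirPath == filepath.Dir(whitelisted) {
		return nil
	}
}
```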
diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access_test.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access_test.go
index 5feb69ba..70d726e5 100644
--- a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access_test.go
+++ b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access_test.go
@@ -58,70 +58,62 @@ func TestR0006UnexpectedServiceAccountTokenMount(t *testing.T) {
 expectFailure: false,
 },
- // Basic token access tests - Kubernetes paths
+ // Directory level whitelist tests
 {
- name: "basic whitelisted kubernetes token access",
+ name: "access allowed when directory is whitelisted - token",
 event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
 profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
- Path: "/run/secrets/kubernetes.io/serviceaccount/token",
+ Path: "/run/secrets/kubernetes.io/serviceaccount/namespace",
 Flags: []string{"O_RDONLY"},
 }}),
- expectFailure: false,
+ expectFailure: false, // Should pass because directory is whitelisted
 },
 {
- name: "unauthorized kubernetes token access",
- event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
+ name: "access allowed when directory is whitelisted - ca.crt",
+ event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/ca.crt", []string{"O_RDONLY"}),
 profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
- Path: "/some/other/path",
+ Path: "/run/secrets/kubernetes.io/serviceaccount/token",
 Flags: []string{"O_RDONLY"},
 }}),
- expectFailure: true,
+ expectFailure: false, // Should pass because directory is whitelisted
 },
- // EKS token path tests with timestamps
+ // Tests with EKS paths and timestamps
 {
- name: "whitelisted eks token access - different timestamps",
+ name: "whitelisted eks token access with timestamps",
 event: createTestEvent0006("test", "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_1111_24_34_58.850095521/token", []string{"O_RDONLY"}),
 profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
- Path: "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_21_04_30_58.850095521/token",
+ Path: "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_21_04_30_58.850095521/namespace",
 Flags: []string{"O_RDONLY"},
 }}),
- expectFailure: false,
+ expectFailure: false, // Should pass because normalized directory matches
 },
+
+ // Different service account path variants
 {
- name: "whitelisted eks token access - base path whitelist",
- event: createTestEvent0006("test",
- "/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_1111_24_34_58.850095521/token",
- []string{"O_RDONLY"}),
- profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
- Path: "/run/secrets/eks.amazonaws.com/serviceaccount/token",
- Flags: []string{"O_RDONLY"},
- }}),
- expectFailure: false,
- },
- // Alternative token files tests
- {
- name: "whitelisted ca.crt access",
- event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/ca.crt", []string{"O_RDONLY"}),
+ name: "var/run path variant matches run path whitelist",
+ event: createTestEvent0006("test", "/var/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
 profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
- Path: "/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+ Path: "/run/secrets/kubernetes.io/serviceaccount/namespace",
 Flags: []string{"O_RDONLY"},
 }}),
- expectFailure: false,
+ expectFailure: true, // Should fail because different base path
 },
+
+ // No whitelisting tests
 {
- name: "whitelisted namespace access",
- event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/namespace", []string{"O_RDONLY"}),
+ name: "unauthorized token access",
+ event: createTestEvent0006("test", "/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
 profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
- Path: "/run/secrets/kubernetes.io/serviceaccount/namespace",
+ Path: "/some/other/path",
 Flags: []string{"O_RDONLY"},
 }}),
- expectFailure: false,
+ expectFailure: true,
 },
- // Container name mismatch tests
+ // Container mismatch tests
 {
 name: "different container name",
 event: createTestEvent0006("test2", "/run/secrets/kubernetes.io/serviceaccount/token",
 []string{"O_RDONLY"}),
@@ -132,17 +124,6 @@ func TestR0006UnexpectedServiceAccountTokenMount(t *testing.T) {
 expectFailure: false, // No profile for the container
 },
- // Alternative path formats
- {
- name: "var/run path variant",
- event: createTestEvent0006("test", "/var/run/secrets/kubernetes.io/serviceaccount/token", []string{"O_RDONLY"}),
- profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
- Path: "/var/run/secrets/kubernetes.io/serviceaccount/token",
- Flags: []string{"O_RDONLY"},
- }}),
- expectFailure: false,
- },
-
 // Edge cases
 {
 name: "no application profile",
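Review bot: After this hunk no case exercises the plain positive path where `token` itself is recorded in the profile and the event reads `token`; the old `basic whitelisted kubernetes token access` case was rewritten so its profile holds `namespace`, and the removed `whitelisted eks token access - base path whitelist` case (timestamped event path against an un-timestamped profile path) has no replacement. Keep an explicit exact-match case alongside the directory-level ones, e.g. event and `Path` both `/run/secrets/kubernetes.io/serviceaccount/token` with `expectFailure: false`, so a later tightening of the directory match cannot silently break the core behaviour, and either restore the base-path case with whatever expectation the new directory comparison gives it or say in the group comment why it was dropped. The `var/run path variant matches run path whitelist` name reads as if the match succeeds while the case expects failure; renaming it to something like `var/run path variant does not match run path whitelist` would match the `// Should fail because different base path` comment. TestR0006UnexpectedServiceAccountTokenMount starts and ends outside this hunk.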