From fe958e606bb4f879114a1b4fb95b1cd0f514332d Mon Sep 17 00:00:00 2001
From: Gustav Westling
Date: Mon, 5 Feb 2024 15:01:00 +0100
Subject: [PATCH] scorecard: fix enabling of optional tests with CLI flag
---
 score/optional_test.go | 57 +++++++++++++++++++
 ...r-memory-requests-annotation-optional.yaml | 49 ++++++++++++++++
 .../pod-container-memory-requests.yaml | 47 +++++++++++++++
 scorecard/enabled.go | 5 ++
 4 files changed, 158 insertions(+)
 create mode 100644 score/optional_test.go
 create mode 100644 score/testdata/pod-container-memory-requests-annotation-optional.yaml
 create mode 100644 score/testdata/pod-container-memory-requests.yaml
diff --git a/score/optional_test.go b/score/optional_test.go
new file mode 100644
index 0000000..52f329e
--- /dev/null
+++ b/score/optional_test.go
@@ -0,0 +1,57 @@
+package score
+
+import (
+ "testing"
+
+ "github.com/zegl/kube-score/config"
+ ks "github.com/zegl/kube-score/domain"
+ "github.com/zegl/kube-score/scorecard"
+)
+
+func TestOptionalSkippedByDefault(t *testing.T) {
+ t.Parallel()
+ enabledOptionalTests := make(map[string]struct{})
+ wasSkipped(t, config.Configuration{
+ AllFiles: []ks.NamedReader{testFile("pod-container-memory-requests.yaml")},
+ EnabledOptionalTests: enabledOptionalTests,
+ }, "Container Memory Requests Equal Limits")
+}
+
+func TestOptionalIgnoredAndEnabled(t *testing.T) {
+ t.Parallel()
+
+ enabledOptionalTests := make(map[string]struct{})
+ enabledOptionalTests["container-resource-requests-equal-limits"] = struct{}{}
+
+ ignoredTests := make(map[string]struct{})
+ ignoredTests["container-resource-requests-equal-limits"] = struct{}{}
+
+ wasSkipped(t, config.Configuration{
+ AllFiles: []ks.NamedReader{testFile("pod-container-memory-requests.yaml")},
+ EnabledOptionalTests: enabledOptionalTests,
+ IgnoredTests: ignoredTests,
+ }, "Container Memory Requests Equal Limits")
+}
+
+func TestOptionalRunCliFlagEnabledDefault(t *testing.T) {
+ t.Parallel()
+
+ enabledOptionalTests := make(map[string]struct{})
+ enabledOptionalTests["container-resource-requests-equal-limits"] = struct{}{}
+
+ testExpectedScoreWithConfig(t, config.Configuration{
+ AllFiles: []ks.NamedReader{testFile("pod-container-memory-requests.yaml")},
+ EnabledOptionalTests: enabledOptionalTests,
+ }, "Container Memory Requests Equal Limits", scorecard.GradeCritical)
+}
+
+func TestOptionalRunAnnotationEnabled(t *testing.T) {
+ t.Parallel()
+
+ enabledOptionalTests := make(map[string]struct{})
+
+ testExpectedScoreWithConfig(t, config.Configuration{
+ AllFiles: []ks.NamedReader{testFile("pod-container-memory-requests-annotation-optional.yaml")},
+ EnabledOptionalTests: enabledOptionalTests,
+ }, "Container Memory Requests Equal Limits", scorecard.GradeCritical)
+}
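Review bot: None of the four tests pins what happens when EnabledOptionalTests names a check that is not optional; the lookup added in scorecard/enabled.go returns true for any listed ID, so a case asserting that a non-optional check's grade is unchanged when its ID is in the map would close that gap. The matrix covered here (skipped by default, ignore beats enable, enabled by flag, enabled by annotation) is otherwise the right one. A short doc comment on each test naming the rule it pins, e.g. `// An ignored check stays skipped even when it is also enabled by flag.` on TestOptionalIgnoredAndEnabled, would make the intent readable without the fixture.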
diff --git a/score/testdata/pod-container-memory-requests-annotation-optional.yaml b/score/testdata/pod-container-memory-requests-annotation-optional.yaml
new file mode 100644
index 0000000..c06b238
--- /dev/null
+++ b/score/testdata/pod-container-memory-requests-annotation-optional.yaml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-test-1
+ namespace: testspace
+ labels:
+ app: foo-all-ok
+ annotations:
+ kube-score/enable: container-resource-requests-equal-limits
+spec:
+ containers:
+ - name: foobar
+ image: foo/bar:123
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: 1
+ memory: 1Gi
+ ephemeral-storage: 500Mi
+ limits:
+ cpu: 1
+ memory: 2Gi
+ ephemeral-storage: 500Mi
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ livenessProbe:
+ httpGet:
+ path: /live
+ port: 8080
+ securityContext:
+ privileged: False
+ runAsUser: 30000
+ runAsGroup: 30000
+ readOnlyRootFilesystem: True
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: foo-all-ok-netpol
+ namespace: testspace
+spec:
+ podSelector:
+ matchLabels:
+ app: foo-all-ok
+ policyTypes:
+ - Egress
+ - Ingress
\ No newline at end of file
diff --git a/score/testdata/pod-container-memory-requests.yaml b/score/testdata/pod-container-memory-requests.yaml
new file mode 100644
index 0000000..c71cce8
--- /dev/null
+++ b/score/testdata/pod-container-memory-requests.yaml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-test-1
+ namespace: testspace
+ labels:
+ app: foo-all-ok
+spec:
+ containers:
+ - name: foobar
+ image: foo/bar:123
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: 1
+ memory: 1Gi
+ ephemeral-storage: 500Mi
+ limits:
+ cpu: 1
+ memory: 2Gi
+ ephemeral-storage: 500Mi
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8080
+ livenessProbe:
+ httpGet:
+ path: /live
+ port: 8080
+ securityContext:
+ privileged: False
+ runAsUser: 30000
+ runAsGroup: 30000
+ readOnlyRootFilesystem: True
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: foo-all-ok-netpol
+ namespace: testspace
+spec:
+ podSelector:
+ matchLabels:
+ app: foo-all-ok
+ policyTypes:
+ - Egress
+ - Ingress
\ No newline at end of file
diff --git a/scorecard/enabled.go b/scorecard/enabled.go
index 1476698..90c53ba 100644
--- a/scorecard/enabled.go
+++ b/scorecard/enabled.go
@@ -37,6 +37,11 @@ func (so *ScoredObject) isEnabled(check ks.Check, annotations, childAnnotations
 return true
 }

+ // Enabled optional test from command line arguments
+ if _, ok := so.enabledOptionalTests[check.ID]; ok {
+ return true
+ }
+
 // Optional checks are disabled unless explicitly allowed above
 if check.Optional {
 return false
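Review bot: The new early return on `so.enabledOptionalTests[check.ID]` fires for any check whose ID is listed, not only optional ones, so a non-optional check named via the flag skips whatever logic follows the `if check.Optional` block. isEnabled starts outside the hunk, so I cannot see whether later branches matter for non-optional checks; if they do, restricting the lookup keeps the flag from widening its effect: `if _, ok := so.enabledOptionalTests[check.ID]; ok && check.Optional {`. Correctness of the ignore-beats-enable rule also depends on the ignored-tests check (outside the hunk) running before this one, which TestOptionalIgnoredAndEnabled in the first hunk pins; the added comment could say so, e.g. `// Enabled from the command line; must stay after the ignored-tests check so an ignored check is never re-enabled here.`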