@rancher/shell 3.0.12-rc.1 → 3.0.12-rc.3

package/utils/__tests__/versions.test.ts

@@ -0,0 +1,128 @@
+function makeStoreWithCalls(rancherPromise: Promise<any>, kubePromise: Promise<any>) {
+  let callCount = 0;
+
+  return {
+    dispatch: jest.fn(() => {
+      callCount++;
+
+      return callCount === 1 ? rancherPromise : kubePromise;
+    }),
+  };
+}
+
+describe('versions', () => {
+  let versions: any;
+  let mockSetVersionData: jest.Mock;
+  let mockSetKubeVersionData: jest.Mock;
+
+  beforeEach(() => {
+    jest.resetModules();
+    mockSetVersionData = jest.fn();
+    mockSetKubeVersionData = jest.fn();
+    jest.mock('@shell/config/version', () => ({
+      setVersionData:     mockSetVersionData,
+      setKubeVersionData: mockSetKubeVersionData,
+    }));
+    versions = require('@shell/utils/versions').default;
+  });
+
+  describe('fetch', () => {
+    it('dispatches rancher/request for /rancherversion', async() => {
+      const store = { dispatch: jest.fn(() => Promise.resolve({})) };
+
+      await versions.fetch({ store });
+
+      expect(store.dispatch).toHaveBeenCalledWith('rancher/request', {
+        url:                  '/rancherversion',
+        method:               'get',
+        redirectUnauthorized: false,
+      });
+    });
+
+    it('dispatches rancher/request for /version', async() => {
+      const store = { dispatch: jest.fn(() => Promise.resolve({})) };
+
+      await versions.fetch({ store });
+
+      expect(store.dispatch).toHaveBeenCalledWith('rancher/request', {
+        url:                  '/version',
+        method:               'get',
+        redirectUnauthorized: false,
+      });
+    });
+
+    it('calls setVersionData with the rancher version response', async() => {
+      const rancherResponse = { Version: '2.9.0', GitCommit: 'abc123' };
+      const store = makeStoreWithCalls(Promise.resolve(rancherResponse), Promise.resolve({}));
+
+      await versions.fetch({ store });
+
+      expect(mockSetVersionData).toHaveBeenCalledWith(rancherResponse);
+    });
+
+    it('calls setKubeVersionData with the kube version response', async() => {
+      const kubeResponse = { gitVersion: 'v1.29.0' };
+      const store = makeStoreWithCalls(Promise.resolve({}), Promise.resolve(kubeResponse));
+
+      await versions.fetch({ store });
+
+      expect(mockSetKubeVersionData).toHaveBeenCalledWith(kubeResponse);
+    });
+
+    it('caches the promise — second call does not dispatch again', async() => {
+      const store = { dispatch: jest.fn(() => Promise.resolve({})) };
+
+      await versions.fetch({ store });
+      await versions.fetch({ store });
+
+      expect(store.dispatch).toHaveBeenCalledTimes(2);
+    });
+
+    it('returns the same promise object on repeated calls', () => {
+      const store = { dispatch: jest.fn(() => Promise.resolve({})) };
+
+      versions.fetch({ store });
+      versions.fetch({ store });
+
+      // Both initial calls should dispatch only twice total (2 endpoints, cached after that)
+      expect(store.dispatch).toHaveBeenCalledTimes(2);
+      // Third fetch should not dispatch additional times
+      versions.fetch({ store });
+      expect(store.dispatch).toHaveBeenCalledTimes(2);
+    });
+
+    it('does not throw when rancher request fails', async() => {
+      const store = makeStoreWithCalls(Promise.reject(new Error('network error')), Promise.resolve({}));
+
+      await expect(versions.fetch({ store })).resolves.not.toThrow();
+    });
+
+    it('does not throw when kube request fails', async() => {
+      const store = makeStoreWithCalls(Promise.resolve({}), Promise.reject(new Error('network error')));
+
+      await expect(versions.fetch({ store })).resolves.not.toThrow();
+    });
+
+    it('logs a warning when rancher request fails', async() => {
+      const warnSpy = jest.spyOn(console, 'warn').mockImplementation(() => {});
+      const error = new Error('rancher down');
+      const store = makeStoreWithCalls(Promise.reject(error), Promise.resolve({}));
+
+      await versions.fetch({ store });
+
+      expect(warnSpy).toHaveBeenCalledWith('Failed to fetch Rancher version metadata', error);
+      warnSpy.mockRestore();
+    });
+
+    it('logs a warning when kube request fails', async() => {
+      const warnSpy = jest.spyOn(console, 'warn').mockImplementation(() => {});
+      const error = new Error('kube down');
+      const store = makeStoreWithCalls(Promise.resolve({}), Promise.reject(error));
+
+      await versions.fetch({ store });
+
+      expect(warnSpy).toHaveBeenCalledWith('Failed to fetch Kube version metadata', error);
+      warnSpy.mockRestore();
+    });
+  });
+});

package/utils/__tests__/xccdf.test.ts

@@ -0,0 +1,391 @@
+import { generateXCCDF, generateXCCDFPerNode } from '@shell/utils/xccdf';
+
+describe('xccdf util: generateXCCDF', () => {
+  const baseReport = {
+    version: '1.0',
+    total:   2,
+    pass:    1,
+    nodes:   { master: ['node-a'], node: ['node-b'] },
+    results: [{
+      id:          '5.1',
+      description: 'RBAC and Service Accounts',
+      checks:      [{
+        id:          '5.1.1',
+        description: 'Ensure that the cluster-admin role is only used where required',
+        audit:       'kubectl get clusterrolebindings',
+        remediation: 'Identify all clusterrolebindings to the cluster-admin role',
+        scored:      true,
+        state:       'pass',
+      }, {
+        id:          '5.1.2',
+        description: 'Minimize access to secrets',
+        audit:       'kubectl get roles',
+        remediation: 'Where possible, remove get, list and watch access to Secret objects',
+        scored:      false,
+        state:       'fail',
+      }],
+    }],
+  };
+
+  it('produces an XML document with an XML header and a Benchmark root', () => {
+    const xml = generateXCCDF({ report: baseReport, benchmarkVersion: 'cis-1.7' });
+
+    expect(xml).toMatch(/^<\?xml version="1\.0" encoding="UTF-8"\?>/);
+    expect(xml).toContain('<Benchmark');
+    expect(xml).toContain('xmlns="http://checklists.nist.gov/xccdf/1.2"');
+    expect(xml).toContain('id="xccdf_compliance-operator_benchmark_kubernetes"');
+  });
+
+  it('uses the metadata title when provided, otherwise falls back to a CIS title from benchmarkVersion', () => {
+    const fallback = generateXCCDF({ report: baseReport, benchmarkVersion: 'cis-1.7' });
+
+    expect(fallback).toContain('<title>Kubernetes CIS Benchmark cis-1.7</title>');
+
+    const withTitle = generateXCCDF({
+      report:           baseReport,
+      benchmarkVersion: 'cis-1.7',
+      metadata:         { title: 'Custom Benchmark Title' },
+    });
+
+    expect(withTitle).toContain('<title>Custom Benchmark Title</title>');
+  });
+
+  it('emits one Group per result and one Rule per check', () => {
+    const xml = generateXCCDF({ report: baseReport, benchmarkVersion: 'cis-1.7' });
+
+    expect(xml).toContain('<Group id="5.1">');
+    expect(xml).toContain('id="xccdf_compliance-operator_rule_5.1.1"');
+    expect(xml).toContain('id="xccdf_compliance-operator_rule_5.1.2"');
+  });
+
+  it('maps state values to XCCDF result strings', () => {
+    const report = {
+      ...baseReport,
+      results: [{
+        id:          '1',
+        description: 'g',
+        checks:      [
+          {
+            id: 'a', description: 'a', state: 'pass' as const
+          },
+          {
+            id: 'b', description: 'b', state: 'fail' as const
+          },
+          {
+            id: 'c', description: 'c', state: 'skip' as const
+          },
+          {
+            id: 'd', description: 'd', state: 'warn' as const
+          },
+          {
+            id: 'e', description: 'e', state: 'notApplicable' as const
+          },
+        ],
+      }],
+    };
+
+    const xml = generateXCCDF({ report, benchmarkVersion: 'cis-1.7' });
+
+    expect(xml).toContain('<result>pass</result>');
+    expect(xml).toContain('<result>fail</result>');
+    expect(xml).toContain('<result>notselected</result>');
+    expect(xml).toContain('<result>informational</result>');
+    expect(xml).toContain('<result>notapplicable</result>');
+  });
+
+  it('marks scored checks with severity=medium and weight=10; unscored as low and 0', () => {
+    const xml = generateXCCDF({ report: baseReport, benchmarkVersion: 'cis-1.7' });
+
+    expect(xml).toMatch(/id="xccdf_compliance-operator_rule_5\.1\.1"[^>]*severity="medium"/);
+    expect(xml).toMatch(/id="xccdf_compliance-operator_rule_5\.1\.1"[^>]*weight="10"/);
+    expect(xml).toMatch(/id="xccdf_compliance-operator_rule_5\.1\.2"[^>]*severity="low"/);
+    expect(xml).toMatch(/id="xccdf_compliance-operator_rule_5\.1\.2"[^>]*weight="0"/);
+  });
+
+  it('computes score as pass/total*100, formatted to one decimal', () => {
+    const xml = generateXCCDF({ report: baseReport, benchmarkVersion: 'cis-1.7' });
+
+    expect(xml).toMatch(/<score[^>]*maximum="100\.0"[^>]*>50\.0<\/score>/);
+  });
+
+  it('returns score 0.0 when total is 0', () => {
+    const xml = generateXCCDF({
+      report: {
+        ...baseReport, total: 0, pass: 0, results: [],
+      },
+      benchmarkVersion: 'cis-1.7',
+    });
+
+    expect(xml).toMatch(/<score[^>]*>0\.0<\/score>/);
+  });
+
+  it('uses report.nodes for <target> elements when no clusterName is set', () => {
+    const xml = generateXCCDF({ report: baseReport, benchmarkVersion: 'cis-1.7' });
+
+    expect(xml).toContain('<target>node-a</target>');
+    expect(xml).toContain('<target>node-b</target>');
+  });
+
+  it('clusterName argument overrides metadata.clusterName and node-derived targets', () => {
+    const xml = generateXCCDF({
+      report:           baseReport,
+      benchmarkVersion: 'cis-1.7',
+      metadata:         { clusterName: 'from-metadata' },
+      clusterName:      'from-arg',
+    });
+
+    expect(xml).toContain('<target>from-arg</target>');
+    expect(xml).not.toContain('<target>from-metadata</target>');
+    expect(xml).not.toContain('<target>node-a</target>');
+  });
+
+  it('falls back to "not-applicable" for missing target addresses and target facts', () => {
+    const xml = generateXCCDF({ report: baseReport, benchmarkVersion: 'cis-1.7' });
+
+    expect(xml).toContain('<target-address>not-applicable</target-address>');
+    expect(xml).toContain('<fact name="not-applicable" type="string">not-applicable</fact>');
+  });
+
+  it('emits a single placeholder Group when results is empty', () => {
+    const xml = generateXCCDF({
+      report: {
+        version: '1.0', total: 0, pass: 0, results: [],
+      },
+      benchmarkVersion: 'cis-1.7',
+    });
+
+    expect(xml).toContain('<Group id="not-applicable">');
+  });
+
+  it('uses STIG metadata to override rule id, version, severity, fix, check system, and CCI idents', () => {
+    const xml = generateXCCDF({
+      report: {
+        ...baseReport,
+        results: [{
+          id:          'g1',
+          description: 'g',
+          checks:      [{
+            id: 'V-254553-TLS-apiserver', description: 'STIG check', scored: true, state: 'pass',
+          }],
+        }],
+      },
+      benchmarkVersion: 'rke2-stig-1.31',
+      stigChecks:       {
+        'V-254553': {
+          ruleId: 'SV-254553r1016525_rule', version: 'SV-254553r1016525_rule', severity: 'high', fixId: 'F-254553', checkId: 'C-254553', cci: ['CCI-000366'],
+        },
+      },
+    });
+
+    expect(xml).toContain('idref="SV-254553r1016525_rule_TLS-apiserver"');
+    expect(xml).toContain('severity="high"');
+    expect(xml).toContain('<ident system="http://cyber.mil/cci">CCI-000366</ident>');
+    expect(xml).toContain('fixref="F-254553"');
+    expect(xml).toContain('<check system="C-254553">');
+  });
+
+  it('preserves the operator-style rule id when there is no STIG metadata', () => {
+    const xml = generateXCCDF({
+      report:           baseReport,
+      benchmarkVersion: 'cis-1.7',
+    });
+
+    expect(xml).toContain('id="xccdf_compliance-operator_rule_5.1.1"');
+  });
+});
+
+describe('xccdf util: generateXCCDFPerNode', () => {
+  const multiNodeReport = {
+    version: '1.0',
+    total:   3,
+    pass:    1,
+    nodes:   { master: ['m-1'], node: ['w-1', 'w-2'] },
+    results: [{
+      id:          '1.1',
+      description: 'Master Node Configuration',
+      checks:      [{
+        id:          '1.1.1',
+        description: 'master check',
+        scored:      true,
+        state:       'pass' as const,
+      }],
+    }, {
+      id:          '4.1',
+      description: 'Worker Node Configuration',
+      checks:      [{
+        id:          '4.1.1',
+        description: 'mixed check',
+        scored:      true,
+        state:       'mixed' as const,
+        nodes:       ['w-2'],
+      }, {
+        id:          '4.1.2',
+        description: 'failing check',
+        scored:      false,
+        state:       'fail' as const,
+      }],
+    }],
+  };
+
+  it('emits a single <target> equal to the hostname', () => {
+    const xml = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+
+    expect(xml).toContain('<target>w-1</target>');
+    expect(xml).not.toContain('<target>w-2</target>');
+    expect(xml).not.toContain('<target>m-1</target>');
+  });
+
+  it('assigns each per-node document a TestResult id suffixed with the hostname so co-loaded files do not collide', () => {
+    const a = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+    const b = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-2', role: 'node',
+    });
+
+    expect(a).toContain('<TestResult id="xccdf_compliance-operator_testresult_1_w-1"');
+    expect(b).toContain('<TestResult id="xccdf_compliance-operator_testresult_1_w-2"');
+    expect(a).not.toContain('id="xccdf_compliance-operator_testresult_1_w-2"');
+  });
+
+  it('emits every rule from the cluster report regardless of role', () => {
+    const workerXml = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+    const masterXml = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'm-1', role: 'master',
+    });
+
+    [workerXml, masterXml].forEach((xml) => {
+      expect(xml).toContain('xccdf_compliance-operator_rule_1.1.1');
+      expect(xml).toContain('xccdf_compliance-operator_rule_4.1.1');
+      expect(xml).toContain('xccdf_compliance-operator_rule_4.1.2');
+    });
+  });
+
+  it('maps mixed-state checks to fail for dissenting hosts and pass for the rest', () => {
+    const dissenter = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-2', role: 'node',
+    });
+    const compliant = generateXCCDFPerNode({
+      report: multiNodeReport, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+
+    expect(dissenter).toMatch(/idref="xccdf_compliance-operator_rule_4\.1\.1"[\s\S]*?<result>fail<\/result>/);
+    expect(compliant).toMatch(/idref="xccdf_compliance-operator_rule_4\.1\.1"[\s\S]*?<result>pass<\/result>/);
+  });
+
+  it('treats mixed-state checks with no dissent list as pass for all nodes', () => {
+    const report = {
+      ...multiNodeReport,
+      results: [{
+        id:          '4.1',
+        description: 'g',
+        checks:      [{
+          id: '4.1.9', description: 'm', state: 'mixed' as const,
+        }],
+      }],
+    };
+    const xml = generateXCCDFPerNode({
+      report, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+
+    expect(xml).toMatch(/idref="xccdf_compliance-operator_rule_4\.1\.9"[\s\S]*?<result>pass<\/result>/);
+  });
+
+  it('recomputes pass count per node while preserving cluster total as the scoring denominator', () => {
+    const report = {
+      version: '1.0',
+      total:   2,
+      pass:    1,
+      nodes:   { node: ['w-1', 'w-2'] },
+      results: [{
+        id:          '1',
+        description: 'g',
+        checks:      [
+          {
+            id: 'a', description: 'a', state: 'pass' as const
+          },
+          {
+            id: 'b', description: 'b', state: 'mixed' as const, nodes: ['w-2'],
+          },
+        ],
+      }],
+    };
+    const compliant = generateXCCDFPerNode({
+      report, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+    const dissenter = generateXCCDFPerNode({
+      report, benchmarkVersion: 'cis-1.7', hostname: 'w-2', role: 'node',
+    });
+
+    expect(compliant).toMatch(/<score[^>]*>100\.0<\/score>/);
+    expect(dissenter).toMatch(/<score[^>]*>50\.0<\/score>/);
+  });
+
+  it('preserves full rule metadata (title, fixtext, idents, check) from the cluster report', () => {
+    const report = {
+      version: '1.0',
+      total:   1,
+      pass:    1,
+      nodes:   { node: ['w-1'] },
+      results: [{
+        id:          'V-254554',
+        description: 'controller manager group',
+        checks:      [{
+          id:          'V-254554',
+          description: 'use-service-account-credentials',
+          audit:       '/bin/ps -fC kube-controller-manager',
+          remediation: 'set use-service-account-credentials=true',
+          scored:      true,
+          state:       'pass' as const,
+        }],
+      }],
+    };
+    const xml = generateXCCDFPerNode({
+      report, benchmarkVersion: 'rke2-stig-1.31-rgs', hostname: 'w-1', role: 'node',
+    });
+
+    expect(xml).toContain('<Group id="V-254554">');
+    expect(xml).toContain('<check-content>/bin/ps -fC kube-controller-manager</check-content>');
+    expect(xml).toContain('set use-service-account-credentials=true');
+  });
+
+  it('passes through non-mixed states unchanged', () => {
+    const report = {
+      ...multiNodeReport,
+      results: [{
+        id:          '4.1',
+        description: 'g',
+        checks:      [
+          {
+            id: 'a', description: 'a', state: 'pass' as const
+          },
+          {
+            id: 'b', description: 'b', state: 'fail' as const
+          },
+          {
+            id: 'c', description: 'c', state: 'skip' as const
+          },
+          {
+            id: 'd', description: 'd', state: 'warn' as const
+          },
+          {
+            id: 'e', description: 'e', state: 'notApplicable' as const
+          },
+        ],
+      }],
+    };
+    const xml = generateXCCDFPerNode({
+      report, benchmarkVersion: 'cis-1.7', hostname: 'w-1', role: 'node',
+    });
+
+    expect(xml).toContain('<result>pass</result>');
+    expect(xml).toContain('<result>fail</result>');
+    expect(xml).toContain('<result>notselected</result>');
+    expect(xml).toContain('<result>informational</result>');
+    expect(xml).toContain('<result>notapplicable</result>');
+  });
+});

package/utils/chart.js

@@ -1,6 +1,9 @@
 import semver from 'semver';
 import { compare } from '@shell/utils/version';
 import { compatibleVersionsFor } from '@shell/store/catalog';
+import {
+  CHART, REPO, REPO_TYPE, VERSION, DEPRECATED
+} from '@shell/config/query-params';
 
 /**
  * Compares two chart versions using SemVer logic, with special handling for Rancher's "up" build metadata.
@@ -80,3 +83,36 @@ export function getLatestCompatibleVersion(chart, workerOSs, showPrerelease) {
 
   return (compatible.length ? compatible[0] : chart.versions[0]) || {};
 }
+
+/**
+ * Builds the route URL for the standalone chart readme page.
+ *
+ * The helper maps chart context into query params so the readme page can fetch
+ * version info directly (instead of relying on local/session storage transfer).
+ */
+export function getStandaloneReadmeUrl(router, {
+  cluster,
+  repoType,
+  repoName,
+  chartName,
+  versionName,
+  deprecated,
+  showAppReadme = true,
+  hideReadmeFirstTitle = true,
+} = {}) {
+  const { href } = router.resolve({
+    name:   'readme',
+    params: { cluster },
+    query:  {
+      [REPO_TYPE]:          repoType,
+      [REPO]:               repoName,
+      [CHART]:              chartName,
+      [VERSION]:            versionName,
+      [DEPRECATED]:         deprecated,
+      showAppReadme:        String(showAppReadme),
+      hideReadmeFirstTitle: String(hideReadmeFirstTitle),
+    }
+  });
+
+  return href;
+}

package/utils/fleet.ts

@@ -33,6 +33,13 @@ function conditionIsTrue(conditions: Condition[] | undefined, type: string): boo
 }
 
 class Application {
+  /**
+   * gitrepos/helmops are already restricted to clusters in their own namespace
+   *
+   * this empty selector means all applicable clusters will be selected
+   */
+  includeAllWorkgroupRule = { clusterSelector: { matchExpressions: [] } }
+
   excludeHarvesterRule = {
     clusterSelector: {
       matchExpressions: [{
@@ -45,7 +52,7 @@ class Application {
     },
   };
 
-  getTargetMode(targets: Target[], namespace: string): TargetMode {
+  getTargetMode(targets: Target[], namespace: string, areHarvesterHostsVisible: boolean): TargetMode {
     if (namespace === 'fleet-local') {
       return 'local';
     }
@@ -83,8 +90,11 @@ class Application {
       return target;
     });
 
-    // Check if targets contains only harvester rule after name normalizing
-    if (isEqual(normalized, [this.excludeHarvesterRule])) {
+    // Check if targets contains only harvester rule or no rule at all after name normalizing
+    // That means the ALL option has been selected previously
+    // one case for feature harvester-baremetal-container-workload ON
+    // and another for feature harvester-baremetal-container-workload OFF
+    if (isEqual(normalized, [this.includeAllWorkgroupRule]) || isEqual(normalized, [this.excludeHarvesterRule])) {
       mode = 'all';
     }