fix: copilot issues

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

Author: gusfcarvalho

main.go

@@ -18,6 +18,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"slices"
 	"strconv"
 	"strings"
@@ -565,8 +566,14 @@ commandFinished:
 	if resources != nil {
 		result.Resources = resources
 	}
-	logPaths, logTail, logErr := readCustodianLogArtifacts(req.OutputDir, custodianOutputTailBytes)
-	result.LogPaths = logPaths
+	var logTail string
+	var logErr error
+	if req.LogTailDuringRun || err != nil || runCtx.Err() != nil || resourcesErr != nil {
+		logPaths, tail, readErr := readCustodianLogArtifacts(req.OutputDir, custodianOutputTailBytes)
+		result.LogPaths = logPaths
+		logTail = tail
+		logErr = readErr
+	}
 
 	if err != nil {
 		result.Err = fmt.Errorf("custodian execution failed: %w", err)
@@ -728,7 +735,7 @@ func (e *CommandCustodianExecutor) runAWSEndpointDiagnostics(ctx context.Context
 		e.Logger.Error("AWS endpoint diagnostics configuration is invalid", "check_name", req.Check.Name, "resource", req.Check.Resource, "error", endpointErr)
 		return endpointErr
 	}
-	if !knownResource {
+	if !knownResource && len(endpoints) == 0 {
 		err := fmt.Errorf("resource service is not mapped for AWS endpoint diagnostics: %s", req.Check.Resource)
 		e.Logger.Error("AWS endpoint diagnostics failed before custodian execution", "check_name", req.Check.Name, "resource", req.Check.Resource, "error", err)
 		return err
@@ -738,6 +745,9 @@ func (e *CommandCustodianExecutor) runAWSEndpointDiagnostics(ctx context.Context
 		e.Logger.Error("AWS endpoint diagnostics failed before custodian execution", "check_name", req.Check.Name, "resource", req.Check.Resource, "aws_regions", req.AWSRegions, "error", err)
 		return err
 	}
+	if !knownResource {
+		e.Logger.Warn("AWS endpoint diagnostics will use only configured endpoints because resource service is not mapped", "check_name", req.Check.Name, "resource", req.Check.Resource)
+	}
 
 	var diagnosticsErr error
 	for _, endpoint := range endpoints {
@@ -781,18 +791,17 @@ func awsEndpointHostsForCheck(resource string, regions []string) ([]string, bool
 
 func awsDiagnosticEndpointsForCheck(resource string, regions []string, configuredEndpoints []string) ([]networkDiagnosticEndpoint, bool, error) {
 	services, knownResource := awsServicesForResource(resource)
-	if !knownResource {
-		return nil, false, nil
-	}
-
 	endpoints := make([]networkDiagnosticEndpoint, 0)
 	for _, endpointValue := range configuredEndpoints {
 		endpoint, err := parseNetworkDiagnosticEndpoint(endpointValue)
 		if err != nil {
-			return nil, true, err
+			return nil, knownResource, err
 		}
 		endpoints = append(endpoints, endpoint)
 	}
+	if !knownResource {
+		return compactUniqueNetworkDiagnosticEndpoints(endpoints), false, nil
+	}
 
 	diagnosticRegions := make([]string, 0, len(regions))
 	for _, region := range regions {
@@ -854,7 +863,7 @@ func parseNetworkDiagnosticEndpoint(value string) (networkDiagnosticEndpoint, er
 
 func networkDiagnosticEndpointSource(host string) string {
 	host = strings.ToLower(strings.TrimSpace(host))
-	if strings.Contains(host, ".vpce.amazonaws.com") || strings.Contains(host, ".vpce.amazonaws.com.cn") {
+	if strings.HasSuffix(host, ".vpce.amazonaws.com") || strings.HasSuffix(host, ".vpce.amazonaws.com.cn") {
 		return "aws-vpc-endpoint"
 	}
 	return "configured"
@@ -976,6 +985,15 @@ func (e *CommandCustodianExecutor) logCustodianRunLogTail(outputDir, checkName,
 }
 
 func custodianProcessSockets(pid int) ([]string, error) {
+	if runtime.GOOS != "linux" {
+		return []string{}, nil
+	}
+	if _, err := os.Stat("/proc"); err != nil {
+		if errors.Is(err, fs.ErrNotExist) {
+			return []string{}, nil
+		}
+		return nil, err
+	}
 	inodes, err := processSocketInodes(pid)
 	if err != nil {
 		return nil, err
@@ -1059,6 +1077,16 @@ func decodeProcNetAddress(value string, ipv6 bool) string {
 			return fmt.Sprintf("%d.%d.%d.%d:%d", ipBytes[3], ipBytes[2], ipBytes[1], ipBytes[0], port)
 		}
 	}
+	if ipv6 && len(parts[0]) == 32 {
+		ipBytes, err := hex.DecodeString(parts[0])
+		if err == nil && len(ipBytes) == net.IPv6len {
+			for index := 0; index < len(ipBytes); index += 4 {
+				ipBytes[index], ipBytes[index+3] = ipBytes[index+3], ipBytes[index]
+				ipBytes[index+1], ipBytes[index+2] = ipBytes[index+2], ipBytes[index+1]
+			}
+			return net.JoinHostPort(net.IP(ipBytes).String(), strconv.FormatUint(port, 10))
+		}
+	}
 	return fmt.Sprintf("%s:%d", parts[0], port)
 }
 

main_test.go

@@ -566,6 +566,56 @@ touch "$EXECUTED_FILE"
 		}
 	})
 
+	t.Run("network diagnostics allow configured endpoints for unmapped resources", func(t *testing.T) {
+		stubNetworkDiagnostics(
+			t,
+			func(ctx context.Context, host string) ([]string, error) {
+				return []string{"10.0.0.10"}, nil
+			},
+			func(ctx context.Context, endpoint networkDiagnosticEndpoint) (tlsProbeResult, error) {
+				if endpoint.Host != "vpce-123.example.eu-west-1.vpce.amazonaws.com" {
+					t.Fatalf("unexpected endpoint host: %s", endpoint.Host)
+				}
+				return tlsProbeResult{RemoteAddr: "10.0.0.10:443", TLSVersion: "TLS1.3"}, nil
+			},
+		)
+
+		script := `#!/bin/sh
+set -eu
+out=""
+while [ "$#" -gt 0 ]; do
+  if [ "$1" = "-s" ]; then
+    out="$2"
+    shift 2
+    continue
+  fi
+  shift
+done
+mkdir -p "$out/test-policy"
+printf '[]' > "$out/test-policy/resources.json"
+`
+		binary := writeExecutableScript(t, script)
+		executor := &CommandCustodianExecutor{Logger: hclog.NewNullLogger()}
+
+		result := executor.Execute(context.Background(), CustodianExecutionRequest{
+			BinaryPath: binary,
+			Check: CustodianCheck{
+				Name:      "test-policy",
+				Resource:  "aws.future-resource",
+				Provider:  "aws",
+				RawPolicy: map[string]interface{}{"name": "test-policy", "resource": "aws.future-resource"},
+			},
+			Timeout:                    5 * time.Second,
+			OutputDir:                  filepath.Join(t.TempDir(), "out"),
+			NetworkDiagnostics:         true,
+			NetworkDiagnosticEndpoints: []string{"vpce-123.example.eu-west-1.vpce.amazonaws.com"},
+		})
+
+		if result.Err != nil {
+			t.Fatalf("expected successful execution, got error: %v", result.Err)
+		}
+	})
+
 	t.Run("passes debug and verbose args", func(t *testing.T) {
 		argsFile := filepath.Join(t.TempDir(), "args.txt")
 		t.Setenv("ARGS_FILE", argsFile)
@@ -755,6 +805,45 @@ exit 3
 		}
 	})
 
+	t.Run("does not read custodian log artifacts on success by default", func(t *testing.T) {
+		script := `#!/bin/sh
+set -eu
+out=""
+while [ "$#" -gt 0 ]; do
+  if [ "$1" = "-s" ]; then
+    out="$2"
+    shift 2
+    continue
+  fi
+  shift
+done
+mkdir -p "$out/test-policy/us-east-1/test-policy"
+printf 'success log detail\n' > "$out/test-policy/us-east-1/test-policy/custodian-run.log"
+printf '[]' > "$out/test-policy/resources.json"
+`
+		binary := writeExecutableScript(t, script)
+		executor := &CommandCustodianExecutor{Logger: hclog.NewNullLogger()}
+
+		result := executor.Execute(context.Background(), CustodianExecutionRequest{
+			BinaryPath: binary,
+			Check: CustodianCheck{
+				Name:      "test-policy",
+				Resource:  "aws.backup-vault",
+				Provider:  "aws",
+				RawPolicy: map[string]interface{}{"name": "test-policy", "resource": "aws.backup-vault"},
+			},
+			Timeout:   5 * time.Second,
+			OutputDir: filepath.Join(t.TempDir(), "out"),
+		})
+
+		if result.Err != nil {
+			t.Fatalf("expected successful execution, got error: %v", result.Err)
+		}
+		if len(result.LogPaths) != 0 {
+			t.Fatalf("expected successful execution not to walk log artifacts by default, got %#v", result.LogPaths)
+		}
+	})
+
 	t.Run("strips plugin-only policy fields before custodian execution", func(t *testing.T) {
 		script := `#!/bin/sh
 set -eu
@@ -891,6 +980,15 @@ func TestDiagnosticHelpers(t *testing.T) {
 		}
 	})
 
+	t.Run("uses strict vpc endpoint suffix classification", func(t *testing.T) {
+		if got := networkDiagnosticEndpointSource("evil.vpce.amazonaws.com.attacker.com"); got != "configured" {
+			t.Fatalf("expected attacker suffix not to be classified as vpc endpoint, got %s", got)
+		}
+		if got := networkDiagnosticEndpointSource("vpce-123.backup.eu-west-1.vpce.amazonaws.com"); got != "aws-vpc-endpoint" {
+			t.Fatalf("expected vpc endpoint classification, got %s", got)
+		}
+	})
+
 	t.Run("rejects invalid configured endpoint ports", func(t *testing.T) {
 		_, _, err := awsDiagnosticEndpointsForCheck("aws.backup-vault", nil, []string{"vpce-123.backup.eu-west-1.vpce.amazonaws.com:not-a-port"})
 		if err == nil {
@@ -908,6 +1006,19 @@ func TestDiagnosticHelpers(t *testing.T) {
 		}
 	})
 
+	t.Run("allows configured endpoints for unknown resource types", func(t *testing.T) {
+		endpoints, known, err := awsDiagnosticEndpointsForCheck("aws.not-yet-mapped", []string{"eu-west-1"}, []string{"vpce-123.example.eu-west-1.vpce.amazonaws.com"})
+		if err != nil {
+			t.Fatalf("unexpected endpoint parse error: %v", err)
+		}
+		if known {
+			t.Fatalf("expected resource to remain unknown")
+		}
+		if len(endpoints) != 1 || endpoints[0].Host != "vpce-123.example.eu-west-1.vpce.amazonaws.com" {
+			t.Fatalf("expected configured endpoint for unknown resource, got %#v", endpoints)
+		}
+	})
+
 	t.Run("maps known policy resource services", func(t *testing.T) {
 		resources := []string{
 			"aws.app-elb",
@@ -955,6 +1066,10 @@ func TestDiagnosticHelpers(t *testing.T) {
 		if got != "127.0.0.1:443" {
 			t.Fatalf("unexpected decoded address: %s", got)
 		}
+		got = decodeProcNetAddress("00000000000000000000000001000000:01BB", true)
+		if got != "[::1]:443" {
+			t.Fatalf("unexpected decoded IPv6 address: %s", got)
+		}
 	})
 
 	t.Run("upserts environment values", func(t *testing.T) {