From d6c75bd80af4f5036f99bbeebc8841c78af42e3b Mon Sep 17 00:00:00 2001 From: Anna Cai Date: Fri, 13 Mar 2026 16:59:53 -0400 Subject: [PATCH 01/11] update tests in test_blocklist_auto_inject.py to rely on workload selection instead of deny lists --- .../auto_inject/test_blocklist_auto_inject.py | 87 +++++++++-------- tests/test_the_test/scenarios.json | 6 +- utils/onboarding/injection_log_parser.py | 96 ++++++++++--------- 3 files changed, 104 insertions(+), 85 deletions(-) diff --git a/tests/auto_inject/test_blocklist_auto_inject.py b/tests/auto_inject/test_blocklist_auto_inject.py index c1b631d2803..7595a1a2938 100644 --- a/tests/auto_inject/test_blocklist_auto_inject.py +++ b/tests/auto_inject/test_blocklist_auto_inject.py @@ -5,8 +5,8 @@ from utils.onboarding.injection_log_parser import command_injection_skipped -class _AutoInjectBlockListBaseTest: - """Base class to test the block list on auto instrumentation""" +class _AutoInjectWorkloadSelectionBaseTest: + """Base class to test workload selection policies on auto instrumentation.""" def _execute_remote_command(self, ssh_client, command): """Execute remote command and get remote log file from the vm. You can use this method using env variables or using injection config file""" 
@@ -32,10 +32,22 @@ def _execute_remote_command(self, ssh_client, command): @features.host_block_list @scenarios.installer_auto_injection @irrelevant(condition=context.weblog_variant == "test-app-dotnet-iis") -class TestAutoInjectBlockListInstallManualHost(_AutoInjectBlockListBaseTest): - builtin_args_commands_block = { +class TestAutoInjectWorkloadSelectionInstallManualHost(_AutoInjectWorkloadSelectionBaseTest): + """Test that auto instrumentation respects workload selection policies (excluded specific commands and args).""" + + # Commands excluded by workload selection policy (should not be instrumented) + no_language_found_commands = [ + "ps -fea", + "touch myfile.txt", + "hello=hola cat myfile.txt", + "ls -la", + "mkdir newdir", + ] + + # Commands with args excluded by workload selection policy per language (should not be instrumented) + commands_excluded_by_workload_policy = { "java": ["java -version", "MY_ENV_VAR=hello java -version"], - "donet": [ + "dotnet": [ "dotnet restore", "dotnet build -c Release", "sudo -E dotnet publish", @@ -43,14 +55,15 @@ class TestAutoInjectBlockListInstallManualHost(_AutoInjectBlockListBaseTest): ], } - builtin_args_commands_injected = { + # Commands with args included by workload selection policy per language (should be instrumented) + commands_not_excluded_by_workload_policy = { "java": [ "java -jar myjar.jar", "sudo -E java -jar myjar.jar", "version=-version java -jar myjar.jar", "java -Dversion=-version -jar myapp.jar", ], - "donet": [ + "dotnet": [ "dotnet run -- -p build", "dotnet build.dll -- -p build", "sudo -E dotnet run myapp.dll -- -p build", 
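Review bot: In the `@@ -32,10 +32,22 @@` hunk, the comment above `no_language_found_commands` says these commands are excluded by workload selection policy, but the attribute name and `test_no_language_found_commands` (added later in this patch) give a different reason: no runtime is detected. The parser added in this patch treats the two outcomes as separate log messages (`WLS_DENIED_INJECTION` and `NO_KNOWN_RUNTIME`), so the comment should name the right one, for example `# Commands with no detectable runtime (skipped by the injector, not by a workload selection rule)`. The class body continues outside this hunk.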
@@ -59,58 +72,56 @@ class TestAutoInjectBlockListInstallManualHost(_AutoInjectBlockListBaseTest): ], } - builtin_commands_not_injected = [ - "ps -fea", - "touch myfile.txt", - "hello=hola cat myfile.txt", - "ls -la", - "mkdir newdir", - ] - @irrelevant( condition="container" in context.weblog_variant or "alpine" in context.weblog_variant or "buildpack" in context.weblog_variant ) - def test_builtin_block_commands(self): - """Check that commands are skipped from the auto injection. This commands are defined on the buildIn processes to block""" + def test_no_language_found_commands(self): + """Check that commands with no language found are skipped from auto injection.""" virtual_machine = context.virtual_machine - logger.info(f"[{virtual_machine.get_ip()}] Executing commands that should be blocked") + logger.info(f"[{virtual_machine.get_ip()}] Executing commands with no language found") ssh_client = virtual_machine.get_ssh_connection() - for command in self.builtin_commands_not_injected: + for command in self.no_language_found_commands: local_log_file = self._execute_remote_command(ssh_client, command) - assert command_injection_skipped(command, local_log_file), f"The command {command} was instrumented!" + assert command_injection_skipped(command, local_log_file), ( + f"The command {command} was instrumented but should be skipped from auto injection!" + ) @irrelevant( condition="container" in context.weblog_variant or "alpine" in context.weblog_variant or "buildpack" in context.weblog_variant ) - def test_builtin_block_args(self): - """Check that we are blocking command with args. 
These args are defined in the buildIn args ignore list for each language.""" + def test_commands_denied_by_workload_selection(self): + """Check that commands are skipped from auto injection based on workload selection policies.""" virtual_machine = context.virtual_machine - logger.info(f"[{virtual_machine.get_ip()}] Executing test_builtIn_block_args") + logger.info(f"[{virtual_machine.get_ip()}] Executing commands that are denied by workload selection policies") language = context.library.name - if language in self.builtin_args_commands_block: - ssh_client = virtual_machine.get_ssh_connection() - for command in self.builtin_args_commands_block[language]: - local_log_file = self._execute_remote_command(ssh_client, command) - assert command_injection_skipped(command, local_log_file), f"The command {command} was instrumented!" + if language not in self.commands_excluded_by_workload_policy: + return + ssh_client = virtual_machine.get_ssh_connection() + for command in self.commands_excluded_by_workload_policy[language]: + local_log_file = self._execute_remote_command(ssh_client, command) + assert command_injection_skipped(command, local_log_file), ( + f"The command {command} was instrumented but should be denied by workload selection policies!" + ) @irrelevant( condition="container" in context.weblog_variant or "alpine" in context.weblog_variant or "buildpack" in context.weblog_variant ) - def test_builtin_instrument_args(self): - """Check that we are instrumenting the command with args that it should be instrumented. 
The args are not included on the buildIn args list""" + def test_commands_allowed_by_workload_selection(self): + """Check that commands are allowed to be instrumented based on workload selection policies.""" virtual_machine = context.virtual_machine - logger.info(f"[{virtual_machine.get_ip()}] Executing test_builtIn_instrument_args") + logger.info(f"[{virtual_machine.get_ip()}] Executing commands that are allowed by workload selection policies") language = context.library.name - if language in self.builtin_args_commands_injected: - ssh_client = virtual_machine.get_ssh_connection() - for command in self.builtin_args_commands_injected[language]: - local_log_file = self._execute_remote_command(ssh_client, command) - assert command_injection_skipped(command, local_log_file) is False, ( - f"The command {command} was not instrumented, but it should be instrumented!" - ) + if language not in self.commands_not_excluded_by_workload_policy: + return + ssh_client = virtual_machine.get_ssh_connection() + for command in self.commands_not_excluded_by_workload_policy[language]: + local_log_file = self._execute_remote_command(ssh_client, command) + assert command_injection_skipped(command, local_log_file) is False, ( + f"The command {command} was denied by workload selection policies but should be allowed!" + ) diff --git a/tests/test_the_test/scenarios.json b/tests/test_the_test/scenarios.json index 9d4fa1c9eeb..e51947ca5cf 100644 --- a/tests/test_the_test/scenarios.json +++ b/tests/test_the_test/scenarios.json 
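Review bot: In `test_commands_denied_by_workload_selection` and `test_commands_allowed_by_workload_selection`, the new `if language not in ...: return` lets the test pass without a single assertion for every library that has no key in the dictionaries, which as written is everything except `java` and `dotnet`. A policy-enforcement test that reports success without checking anything reads as coverage it does not provide. At minimum, record it before returning, e.g. `logger.info(f"No workload selection cases defined for {language}; nothing checked")`, or mark the test as skipped for that library so the report shows the gap.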
@@ -3150,13 +3150,13 @@ "tests/auto_inject/test_auto_inject_install.py::TestContainerAutoInjectInstallScriptAppsec::test_appsec": [ "CONTAINER_AUTO_INJECTION_INSTALL_SCRIPT_APPSEC" ], - "tests/auto_inject/test_blocklist_auto_inject.py::TestAutoInjectBlockListInstallManualHost::test_builtin_block_commands": [ + "tests/auto_inject/test_blocklist_auto_inject.py::TestAutoInjectWorkloadSelectionInstallManualHost::test_commands_excluded_by_workload_policy": [ "INSTALLER_AUTO_INJECTION" ], - "tests/auto_inject/test_blocklist_auto_inject.py::TestAutoInjectBlockListInstallManualHost::test_builtin_block_args": [ + "tests/auto_inject/test_blocklist_auto_inject.py::TestAutoInjectWorkloadSelectionInstallManualHost::test_args_excluded_by_workload_policy": [ "INSTALLER_AUTO_INJECTION" ], - "tests/auto_inject/test_blocklist_auto_inject.py::TestAutoInjectBlockListInstallManualHost::test_builtin_instrument_args": [ + "tests/auto_inject/test_blocklist_auto_inject.py::TestAutoInjectWorkloadSelectionInstallManualHost::test_args_included_by_workload_policy": [ "INSTALLER_AUTO_INJECTION" ], "tests/debugger/test_debugger_code_origins.py::Test_Debugger_Code_Origins::test_code_origin_entry_present": [ diff --git a/utils/onboarding/injection_log_parser.py b/utils/onboarding/injection_log_parser.py index a442e2b564c..0ba08057c30 100644 --- a/utils/onboarding/injection_log_parser.py +++ b/utils/onboarding/injection_log_parser.py 
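Review bot: The three new node IDs in this hunk do not match the test methods the patch defines. The keys end in `test_commands_excluded_by_workload_policy`, `test_args_excluded_by_workload_policy` and `test_args_included_by_workload_policy`, while the class in `test_blocklist_auto_inject.py` defines `test_no_language_found_commands`, `test_commands_denied_by_workload_selection` and `test_commands_allowed_by_workload_selection`. If this file is checked against the collected tests, the scenario mapping for these tests will be stale or missing. The `scenarios.json` hunk of PATCH 02/11 carries the same three method names over and changes only the file path.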
@@ -1,50 +1,52 @@ +import re from collections.abc import Callable -import json from pathlib import Path from utils._logger import logger +WLS_DENIED_INJECTION = "Workload selection denied injection" +NO_KNOWN_RUNTIME = "No known runtime was detected - not injecting!" + def exclude_telemetry_logs_filter(line: str): return '"command":"telemetry"' not in line and '"caller":"telemetry/' not in line def command_injection_skipped(command_line: str, log_local_path: str): - """From parsed log, search on the list of logged commands - if one command has been skipped from the instrumentation + """Determine if the given command was skipped from auto injection + (e.g. by workload selection policies or no language matched). """ - command, command_args = _parse_command(command_line) - logger.debug(f"- Checking command: {command_args}") - for command_desc in _get_commands_from_log_file(log_local_path, exclude_telemetry_logs_filter): - # First line contains the name of the intercepted command - first_line_json = json.loads(command_desc[0]) - if command in first_line_json["inFilename"]: - # last line contains the skip message. 
The command was skipped by build-in deny list or by user deny list - last_line_json = json.loads(command_desc[-1]) - # pylint: disable=R1705 - if last_line_json["msg"] == "not injecting; on deny list": - logger.debug(f" Command {command_args} was skipped by build-in deny list") - return True - elif last_line_json["msg"] == "not injecting; on user deny list": - logger.debug(f" Command {command_args} was skipped by user defined deny process list") - return True - elif last_line_json["msg"] in ["error injecting", "error when parsing", "skipping"] and ( - last_line_json["error"].startswith( - ( - "skipping due to ignore rules for language", - "error when parsing: skipping due to ignore rules for language", - ) - ) - ): - logger.info(f" Command {command_args} was skipped by ignore arguments") - return True - logger.info(f" Missing injection deny: {last_line_json}") - return False + command, _ = _parse_command(command_line) + logger.debug(f"- Checking command: {command_line}") + for process_logs in _get_process_logs_from_log_file(log_local_path, exclude_telemetry_logs_filter): + process_exe = _get_exe_from_log_line(process_logs[0]) + if process_exe is None or command != process_exe: + continue + if _process_chunk_means_skipped(process_logs): + logger.debug( + f" Command '{command}' was skipped (denied by WLS or no known runtime)" + ) + return True + logger.info(f" Command '{command}' was allowed and injected") + return False logger.info(f" Command {command} was NOT FOUND") raise ValueError(f"Command {command} was NOT FOUND") +def _process_chunk_means_skipped(chunk: list[str]) -> bool: + """True if injection was skipped: denied by workload selection or no known runtime detected.""" + text = "\n".join(chunk) + return WLS_DENIED_INJECTION in text or NO_KNOWN_RUNTIME in text + + +def _get_exe_from_log_line(line: str) -> str | None: + """Extract executable name from the log line "process_exe: 'X'".""" + match = re.search(r"process_exe:\s*['\"]([^'\"]+)['\"]", line) + if 
match: + return Path(match.group(1)).name + return None + def _parse_command(command: str): command_args = command.split() command = None @@ -64,33 +66,39 @@ def _parse_command(command: str): return None, None -def _get_commands_from_log_file(log_local_path: str, line_filter: Callable): - """From instrumentation log file, extract all commands parsed by dd-injection (the log level should be DEBUG)""" +def _get_process_logs_from_log_file(log_local_path: str, line_filter: Callable): + """From instrumentation log file, extract all log lines per process. - store_as_command = False - command_lines = [] + A process chunk starts at the line containing \"process_exe:\" and runs until + \"injector finished\" (or the next \"process_exe:\"). This includes WLS decision + lines and post-WLS lines like \"No known runtime was detected - not injecting!\". + """ + injector_finished = "injector finished" + current: list[str] = [] with open(log_local_path, encoding="utf-8") as f: for line in f: if not line_filter(line): continue - if "starting process" in line: - store_as_command = True + if "process_exe:" in line: + if current: + yield current.copy() + current = [line] continue - if "exiting process" in line: - store_as_command = False - yield command_lines.copy() - command_lines = [] + if injector_finished in line: + if current: + current.append(line) + yield current.copy() + current = [] continue - - if store_as_command: - command_lines.append(line) + if current: + current.append(line) def main(): log_file = "logs_onboarding_host_block_list/host_injection_21711f84-86b3-4125-9a5f-cd129195d99a.log" command = "java -Dversion=-version -jar myapp.jar" skipped = command_injection_skipped(command, log_file) - logger.info(f"The command was skiped? {skipped}") + logger.info(f"The command was skipped? {skipped}") if __name__ == "__main__": From 29af40908a3b003deddc06089f9957335e3e5a82 Mon Sep 17 00:00:00 2001 
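Review bot: In the `@@ -1,50 +1,52 @@` hunk, `command_injection_skipped` returns False ("allowed and injected") whenever neither deny string appears in the matching chunk, so `test_commands_allowed_by_workload_selection` passes on absence of evidence: a truncated chunk, a reworded log message or an injector error all look like an allow. Require a positive marker before returning False, for instance the allow message that PATCH 07/11 introduces as `WLS_ALLOWED_INJECTION`, and raise when neither an allow nor a deny line is present. The function also returns on the first chunk whose executable matches, so an earlier process with the same executable name in the log decides the result. Finally, `_parse_command` can return `(None, None)` (visible in the context of the next hunk); guard it with `if command is None: raise ValueError(f"Could not parse command: {command_line}")` instead of falling through to the misleading "Command None was NOT FOUND".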
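Review bot: In the `@@ -64,33 +66,39 @@` hunk, `_get_process_logs_from_log_file` never yields the chunk that is still open when the file ends: a `process_exe:` line that is not followed by `injector finished` or another `process_exe:` before EOF is silently dropped. If the log is fetched while the last process is still writing, the command under test is reported as NOT FOUND instead of being evaluated. Add `if current: yield current` after the `for` loop. The rewrites of this loop in PATCH 07/11 and PATCH 10/11 keep the same gap.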
From: Anna Cai Date: Fri, 13 Mar 2026 17:01:30 -0400 Subject: [PATCH 02/11] change file name --- ...uto_inject.py => test_auto_inject_workload_selection.py} | 0 tests/test_the_test/scenarios.json | 6 +++--- 2 files changed, 3 insertions(+), 3 deletions(-) rename tests/auto_inject/{test_blocklist_auto_inject.py => test_auto_inject_workload_selection.py} (100%) diff --git a/tests/auto_inject/test_blocklist_auto_inject.py b/tests/auto_inject/test_auto_inject_workload_selection.py similarity index 100% rename from tests/auto_inject/test_blocklist_auto_inject.py rename to tests/auto_inject/test_auto_inject_workload_selection.py diff --git a/tests/test_the_test/scenarios.json b/tests/test_the_test/scenarios.json index e51947ca5cf..8610f8805bc 100644 --- a/tests/test_the_test/scenarios.json +++ b/tests/test_the_test/scenarios.json 
@@ -3150,13 +3150,13 @@ "tests/auto_inject/test_auto_inject_install.py::TestContainerAutoInjectInstallScriptAppsec::test_appsec": [ "CONTAINER_AUTO_INJECTION_INSTALL_SCRIPT_APPSEC" ], - "tests/auto_inject/test_blocklist_auto_inject.py::TestAutoInjectWorkloadSelectionInstallManualHost::test_commands_excluded_by_workload_policy": [ + "tests/auto_inject/test_auto_inject_workload_selection.py::TestAutoInjectWorkloadSelectionInstallManualHost::test_commands_excluded_by_workload_policy": [ "INSTALLER_AUTO_INJECTION" ], - "tests/auto_inject/test_blocklist_auto_inject.py::TestAutoInjectWorkloadSelectionInstallManualHost::test_args_excluded_by_workload_policy": [ + "tests/auto_inject/test_auto_inject_workload_selection.py::TestAutoInjectWorkloadSelectionInstallManualHost::test_args_excluded_by_workload_policy": [ "INSTALLER_AUTO_INJECTION" ], - "tests/auto_inject/test_blocklist_auto_inject.py::TestAutoInjectWorkloadSelectionInstallManualHost::test_args_included_by_workload_policy": [ + "tests/auto_inject/test_auto_inject_workload_selection.py::TestAutoInjectWorkloadSelectionInstallManualHost::test_args_included_by_workload_policy": [ "INSTALLER_AUTO_INJECTION" ], "tests/debugger/test_debugger_code_origins.py::Test_Debugger_Code_Origins::test_code_origin_entry_present": [ From b2e5057b97e06fe951b72c504061893f69570d7f Mon Sep 17 00:00:00 2001 From: Anna Cai Date: Fri, 13 Mar 2026 17:05:33 -0400 Subject: [PATCH 03/11] fix formatting --- utils/onboarding/injection_log_parser.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/utils/onboarding/injection_log_parser.py b/utils/onboarding/injection_log_parser.py index 0ba08057c30..cee7a39462a 100644 --- a/utils/onboarding/injection_log_parser.py +++ b/utils/onboarding/injection_log_parser.py 
@@ -23,9 +23,7 @@ def command_injection_skipped(command_line: str, log_local_path: str): if process_exe is None or command != process_exe: continue if _process_chunk_means_skipped(process_logs): - logger.debug( - f" Command '{command}' was skipped (denied by WLS or no known runtime)" - ) + logger.debug(f" Command '{command}' was skipped (denied by WLS or no known runtime)") return True logger.info(f" Command '{command}' was allowed and injected") return False @@ -47,6 +45,7 @@ def _get_exe_from_log_line(line: str) -> str | None: return Path(match.group(1)).name return None + def _parse_command(command: str): command_args = command.split() command = None @@ -67,7 +66,7 @@ def _parse_command(command: str): def _get_process_logs_from_log_file(log_local_path: str, line_filter: Callable): - """From instrumentation log file, extract all log lines per process. + r"""From instrumentation log file, extract all log lines per process. A process chunk starts at the line containing \"process_exe:\" and runs until \"injector finished\" (or the next \"process_exe:\"). This includes WLS decision From 6f29385e556865869bce56ad73909e1d34093abc Mon Sep 17 00:00:00 2001 From: Anna Cai Date: Mon, 16 Mar 2026 17:17:37 -0400 Subject: [PATCH 04/11] change ps to busybox --- tests/auto_inject/test_auto_inject_workload_selection.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/tests/auto_inject/test_auto_inject_workload_selection.py b/tests/auto_inject/test_auto_inject_workload_selection.py index 7595a1a2938..094fe88c65f 100644 --- a/tests/auto_inject/test_auto_inject_workload_selection.py +++ b/tests/auto_inject/test_auto_inject_workload_selection.py 
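Review bot: In the `@@ -67,7 +66,7 @@` hunk, making the docstring of `_get_process_logs_from_log_file` a raw string (`r"""`) while keeping the `\"` escapes makes the backslashes part of the text, so `help()` and generated docs show `\"process_exe:\"`. Quotes need no escaping inside a triple-quoted docstring; drop the backslashes and the `r` prefix becomes unnecessary, e.g. `A process chunk starts at the line containing "process_exe:" and runs until`. The function body continues outside this hunk.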
@@ -37,11 +37,7 @@ class TestAutoInjectWorkloadSelectionInstallManualHost(_AutoInjectWorkloadSelect # Commands excluded by workload selection policy (should not be instrumented) no_language_found_commands = [ - "ps -fea", - "touch myfile.txt", - "hello=hola cat myfile.txt", - "ls -la", - "mkdir newdir", + "busybox" ] # Commands with args excluded by workload selection policy per language (should not be instrumented) From f83350ff2c3b3310a30d990fc18d959867988508 Mon Sep 17 00:00:00 2001 From: Anna Cai Date: Fri, 20 Mar 2026 16:16:36 -0400 Subject: [PATCH 05/11] formatting --- tests/auto_inject/test_auto_inject_workload_selection.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/auto_inject/test_auto_inject_workload_selection.py b/tests/auto_inject/test_auto_inject_workload_selection.py index 094fe88c65f..86ca75c25f4 100644 --- a/tests/auto_inject/test_auto_inject_workload_selection.py +++ b/tests/auto_inject/test_auto_inject_workload_selection.py @@ -36,9 +36,7 @@ class TestAutoInjectWorkloadSelectionInstallManualHost(_AutoInjectWorkloadSelect """Test that auto instrumentation respects workload selection policies (excluded specific commands and args).""" # Commands excluded by workload selection policy (should not be instrumented) - no_language_found_commands = [ - "busybox" - ] + no_language_found_commands = ["busybox"] # Commands with args excluded by workload selection policy per language (should not be instrumented) commands_excluded_by_workload_policy = { From 564a00bf34e4092cce8d211f4e937f6d6fd95b8b Mon Sep 17 00:00:00 2001 From: Anna Cai Date: Fri, 20 Mar 2026 17:26:30 -0400 Subject: [PATCH 06/11] fix no_language_found_commands --- tests/auto_inject/test_auto_inject_workload_selection.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/auto_inject/test_auto_inject_workload_selection.py b/tests/auto_inject/test_auto_inject_workload_selection.py index 86ca75c25f4..d3f72883cf8 100644 
--- a/tests/auto_inject/test_auto_inject_workload_selection.py +++ b/tests/auto_inject/test_auto_inject_workload_selection.py @@ -36,7 +36,12 @@ class TestAutoInjectWorkloadSelectionInstallManualHost(_AutoInjectWorkloadSelect """Test that auto instrumentation respects workload selection policies (excluded specific commands and args).""" # Commands excluded by workload selection policy (should not be instrumented) - no_language_found_commands = ["busybox"] + no_language_found_commands = [ + "touch myfile.txt", + "hello=hola cat myfile.txt", + "ls -la", + "mkdir newdir", + ] # Commands with args excluded by workload selection policy per language (should not be instrumented) commands_excluded_by_workload_policy = { From e95164d210a0a1ebba6d7f98612bbc65fdb38848 Mon Sep 17 00:00:00 2001 From: Anna Cai Date: Tue, 24 Mar 2026 17:00:43 -0400 Subject: [PATCH 07/11] update log parser --- utils/onboarding/injection_log_parser.py | 26 +++++++++++++----------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/utils/onboarding/injection_log_parser.py b/utils/onboarding/injection_log_parser.py index cee7a39462a..e99eeb7b477 100644 --- a/utils/onboarding/injection_log_parser.py +++ b/utils/onboarding/injection_log_parser.py @@ -5,6 +5,7 @@ from utils._logger import logger WLS_DENIED_INJECTION = "Workload selection denied injection" +WLS_ALLOWED_INJECTION = "Workload selection allowed injection: continuing" NO_KNOWN_RUNTIME = "No known runtime was detected - not injecting!" 
@@ -72,25 +73,26 @@ def _get_process_logs_from_log_file(log_local_path: str, line_filter: Callable): \"injector finished\" (or the next \"process_exe:\"). This includes WLS decision lines and post-WLS lines like \"No known runtime was detected - not injecting!\". """ - injector_finished = "injector finished" - current: list[str] = [] + process_logs = [] with open(log_local_path, encoding="utf-8") as f: for line in f: if not line_filter(line): continue if "process_exe:" in line: - if current: - yield current.copy() - current = [line] + if process_logs: + yield process_logs.copy() + process_logs = [line] continue - if injector_finished in line: - if current: - current.append(line) - yield current.copy() - current = [] + if process_logs and (WLS_ALLOWED_INJECTION in line or WLS_DENIED_INJECTION in line): + process_logs.append(line) + yield process_logs.copy() + process_logs = [] + continue + if "injector finished" in line: + process_logs.append(line) + yield process_logs.copy() + process_logs = [] continue - if current: - current.append(line) def main(): From 2893f659096b31cb05eae1b24cf16fa93e097b7b Mon Sep 17 00:00:00 2001 From: Anna Cai Date: Tue, 24 Mar 2026 18:24:06 -0400 Subject: [PATCH 08/11] fix --- utils/onboarding/injection_log_parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/onboarding/injection_log_parser.py b/utils/onboarding/injection_log_parser.py index e99eeb7b477..ed6eb942f20 100644 --- a/utils/onboarding/injection_log_parser.py +++ b/utils/onboarding/injection_log_parser.py @@ -83,7 +83,7 @@ def _get_process_logs_from_log_file(log_local_path: str, line_filter: Callable): yield process_logs.copy() process_logs = [line] continue - if process_logs and (WLS_ALLOWED_INJECTION in line or WLS_DENIED_INJECTION in line): + if process_logs and WLS_DENIED_INJECTION in line: process_logs.append(line) yield process_logs.copy() process_logs = [] From 36d75c32abd0195502e772b99f6f4191d1ae236c Mon Sep 17 00:00:00 2001 
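Review bot: In the `@@ -72,25 +73,26 @@` hunk, the rewritten loop stores only the `process_exe:` line and the line that closes a chunk, because the trailing append for ordinary lines is gone and a chunk now closes as soon as a workload selection decision line is seen. A "No known runtime was detected" line written after that decision never reaches `_process_chunk_means_skipped`, so its `NO_KNOWN_RUNTIME` check appears to be dead, while the unchanged docstring still promises that post-WLS lines are included. The new `"injector finished"` branch also drops the emptiness guard the old one had and can yield a one-line chunk with no `process_exe:` line. If the narrower chunk is intended, update the docstring and remove the dead check; otherwise restore `if process_logs: process_logs.append(line)` at the end of the loop body and close the chunk only on `injector finished`. PATCH 10/11 removes the `injector finished` branch but keeps the dropped lines.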
From: Anna Cai Date: Tue, 24 Mar 2026 18:31:42 -0400 Subject: [PATCH 09/11] update assert messages --- tests/auto_inject/test_auto_inject_workload_selection.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/auto_inject/test_auto_inject_workload_selection.py b/tests/auto_inject/test_auto_inject_workload_selection.py index d3f72883cf8..f76e99477cc 100644 --- a/tests/auto_inject/test_auto_inject_workload_selection.py +++ b/tests/auto_inject/test_auto_inject_workload_selection.py @@ -84,7 +84,7 @@ def test_no_language_found_commands(self): for command in self.no_language_found_commands: local_log_file = self._execute_remote_command(ssh_client, command) assert command_injection_skipped(command, local_log_file), ( - f"The command {command} was instrumented but should be skipped from auto injection!" + f"The command '{command}' was allowed by auto injection but should have been denied" ) @irrelevant( @@ -103,7 +103,7 @@ def test_commands_denied_by_workload_selection(self): for command in self.commands_excluded_by_workload_policy[language]: local_log_file = self._execute_remote_command(ssh_client, command) assert command_injection_skipped(command, local_log_file), ( - f"The command {command} was instrumented but should be denied by workload selection policies!" + f"The command '{command}' was allowed by auto injection but should have been denied" ) @irrelevant( @@ -122,5 +122,5 @@ def test_commands_allowed_by_workload_selection(self): for command in self.commands_not_excluded_by_workload_policy[language]: local_log_file = self._execute_remote_command(ssh_client, command) assert command_injection_skipped(command, local_log_file) is False, ( - f"The command {command} was denied by workload selection policies but should be allowed!" + f"The command '{command}' was denied by auto injection but should have been allowed" ) From 415e5cebc56cfd36d7a35aa1a572d15e321569b3 Mon Sep 17 00:00:00 2001 
From: Anna Cai Date: Tue, 24 Mar 2026 19:00:09 -0400 Subject: [PATCH 10/11] remove test_no_language_found_commands --- .../test_auto_inject_workload_selection.py | 42 +++++++++---------- utils/onboarding/injection_log_parser.py | 7 +--- 2 files changed, 22 insertions(+), 27 deletions(-) diff --git a/tests/auto_inject/test_auto_inject_workload_selection.py b/tests/auto_inject/test_auto_inject_workload_selection.py index f76e99477cc..754f4c8248a 100644 --- a/tests/auto_inject/test_auto_inject_workload_selection.py +++ b/tests/auto_inject/test_auto_inject_workload_selection.py @@ -36,12 +36,12 @@ class TestAutoInjectWorkloadSelectionInstallManualHost(_AutoInjectWorkloadSelect """Test that auto instrumentation respects workload selection policies (excluded specific commands and args).""" # Commands excluded by workload selection policy (should not be instrumented) - no_language_found_commands = [ - "touch myfile.txt", - "hello=hola cat myfile.txt", - "ls -la", - "mkdir newdir", - ] + # no_language_found_commands = [ + # "touch myfile.txt", + # "hello=hola cat myfile.txt", + # "ls -la", + # "mkdir newdir", + # ] # Commands with args excluded by workload selection policy per language (should not be instrumented) commands_excluded_by_workload_policy = { 
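Review bot: `no_language_found_commands` in the `@@ -36,12 +36,12 @@` hunk and `test_no_language_found_commands` in the following `@@ -71,21 +71,21 @@` hunk are disabled by commenting them out, which leaves dead code in the class and no record of why the no-runtime case is no longer checked. Delete the block, or keep the test and disable it with a marker that states the reason, so the coverage gap shows in the test report rather than only in the diff. The comment left above the block, `# Commands excluded by workload selection policy (should not be instrumented)`, now describes nothing and should go with it.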
@@ -71,21 +71,21 @@ class TestAutoInjectWorkloadSelectionInstallManualHost(_AutoInjectWorkloadSelect ], } - @irrelevant( - condition="container" in context.weblog_variant - or "alpine" in context.weblog_variant - or "buildpack" in context.weblog_variant - ) - def test_no_language_found_commands(self): - """Check that commands with no language found are skipped from auto injection.""" - virtual_machine = context.virtual_machine - logger.info(f"[{virtual_machine.get_ip()}] Executing commands with no language found") - ssh_client = virtual_machine.get_ssh_connection() - for command in self.no_language_found_commands: - local_log_file = self._execute_remote_command(ssh_client, command) - assert command_injection_skipped(command, local_log_file), ( - f"The command '{command}' was allowed by auto injection but should have been denied" - ) + # @irrelevant( + # condition="container" in context.weblog_variant + # or "alpine" in context.weblog_variant + # or "buildpack" in context.weblog_variant + # ) + # def test_no_language_found_commands(self): + # """Check that commands with no language found are skipped from auto injection.""" + # virtual_machine = context.virtual_machine + # logger.info(f"[{virtual_machine.get_ip()}] Executing commands with no language found") + # ssh_client = virtual_machine.get_ssh_connection() + # for command in self.no_language_found_commands: + # local_log_file = self._execute_remote_command(ssh_client, command) + # assert command_injection_skipped(command, local_log_file), ( + # f"The command '{command}' was allowed by auto injection but should have been denied" + # ) @irrelevant( condition="container" in context.weblog_variant diff --git a/utils/onboarding/injection_log_parser.py b/utils/onboarding/injection_log_parser.py index ed6eb942f20..5b496329f6a 100644 --- a/utils/onboarding/injection_log_parser.py +++ b/utils/onboarding/injection_log_parser.py 
@@ -83,12 +83,7 @@ def _get_process_logs_from_log_file(log_local_path: str, line_filter: Callable): yield process_logs.copy() process_logs = [line] continue - if process_logs and WLS_DENIED_INJECTION in line: - process_logs.append(line) - yield process_logs.copy() - process_logs = [] - continue - if "injector finished" in line: + if process_logs and (WLS_DENIED_INJECTION in line or WLS_ALLOWED_INJECTION in line): process_logs.append(line) yield process_logs.copy() process_logs = [] From d7bc01bcc9ba4e0040bfcd6b02f716c547a1f6d4 Mon Sep 17 00:00:00 2001 From: Anna Cai Date: Tue, 24 Mar 2026 19:04:43 -0400 Subject: [PATCH 11/11] remove sudo --- tests/auto_inject/test_auto_inject_workload_selection.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/auto_inject/test_auto_inject_workload_selection.py b/tests/auto_inject/test_auto_inject_workload_selection.py index 754f4c8248a..ca7a008263f 100644 --- a/tests/auto_inject/test_auto_inject_workload_selection.py +++ b/tests/auto_inject/test_auto_inject_workload_selection.py @@ -49,7 +49,7 @@ class TestAutoInjectWorkloadSelectionInstallManualHost(_AutoInjectWorkloadSelect "dotnet": [ "dotnet restore", "dotnet build -c Release", - "sudo -E dotnet publish", + "dotnet publish", "MY_ENV_VAR=hello dotnet build -c Release", ], } @@ -58,15 +58,15 @@ class TestAutoInjectWorkloadSelectionInstallManualHost(_AutoInjectWorkloadSelect commands_not_excluded_by_workload_policy = { "java": [ "java -jar myjar.jar", - "sudo -E java -jar myjar.jar", + "java -jar myjar.jar", "version=-version java -jar myjar.jar", "java -Dversion=-version -jar myapp.jar", ], "dotnet": [ "dotnet run -- -p build", "dotnet build.dll -- -p build", - "sudo -E dotnet run myapp.dll -- -p build", - "sudo dotnet publish", + "dotnet run myapp.dll -- -p build", + "dotnet publish", "MY_ENV_VAR=build dotnet myapp.dll", ], }
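Review bot: Dropping `sudo` makes `"dotnet publish"` appear in both `commands_excluded_by_workload_policy["dotnet"]` (the `@@ -49,7 +49,7 @@` hunk, from `sudo -E dotnet publish`) and `commands_not_excluded_by_workload_policy["dotnet"]` (the `@@ -58,15 +58,15 @@` hunk, from `sudo dotnet publish`). The same command is then asserted to be both denied and allowed, so one of the two tests must fail for dotnet. The second hunk also turns `sudo -E java -jar myjar.jar` into a second copy of `"java -jar myjar.jar"`, which only runs the same case twice. Decide which list `dotnet publish` belongs to and remove the other entry and the duplicate. If the `sudo` variants existed to cover environment handling across a privilege change, state in the commit message that this coverage is dropped on purpose.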