update more operators for test

Author: obochan-rh

tests/dast/Dockerfile

@@ -17,6 +17,9 @@ RUN mkdir -p /tmp/go/bin $GOCACHE \
 
 # Install dependencies required by test cases and debugging
 RUN apt-get update && apt-get install -y jq vim libreadline-dev
+RUN apt-get -y install podman
+
+
 
 # Install Chainsaw e2e testing tool
 RUN go install github.com/kyverno/chainsaw@v0.2.0

tests/dast/rapid-lca/README.md

@@ -0,0 +1,22 @@
+This is an example to run the oobtkube script contained in  the RapiDAST container image, using podman. It is testing the RODOO operator, using the RODOO CR example shown in the `oobt_test_data/cr_example.yaml`. Replacing the content with another CR example allows to use this example to test another Operator.
+
+See [How it works](https://docs.google.com/document/d/1mcBiSnmackxl3DnoT2zo8XhwWl02lX6Qu1pcYNpO7l0/edit#heading=h.tdyh8uoylg1e) for more information on how oobtkube works.
+
+DISCLAIMER: This example is provided for reference only. The implementation of how to invoke the RapiDAST scan and oobtkube should be determined and carried out by the ENG team responsible for the integration to suit the test environment or pipeline.
+
+## Preparation 
+
+1. It requires an OpenShift cluster where the operator to be tested is running.
+2. Copy your kubeconfig file to `kubeconfig` file into the `oobt_test_data` directory.
+3. (optional, for testing another Operator) Replace the content of `oobt_test_data/cr_example.yaml` with another CR config example to test the Operator. 
+
+
+## Run
+```
+$ python3 test_oobt.py
+```
+The test duration is set to 120 seconds. See `-d 120` in `oobt_test_data/v5-none-oobt-template.yaml`. It can be changed.
+
+No logs during running is shown. If you want to see logs, find your pod that has been created and see the logs `podman logs -f <id>`.
+Once the test is complete, a SARIF result file will be stored in the 'results' directory. Where there is no vulnerability found, it will be just '{}'.
+

tests/dast/rapid-lca/oobt_test_data/cr_example.yaml

@@ -0,0 +1,8 @@
+apiVersion: operator.openshift.io/v1
+kind: RunOnceDurationOverride
+metadata:
+  name: cluster
+spec:
+  runOnceDurationOverride:
+    spec:
+      activeDeadlineSeconds: 3600

tests/dast/rapid-lca/oobt_test_data/v5-none-oobt-template.yaml

@@ -0,0 +1,20 @@
+config:
+  configVersion: 5
+
+# `application` contains data related to the application, not to the scans.
+application:
+  shortName: "oobttest"
+
+scanners:
+  generic_oobt:
+    # results:
+    #   An absolute path to file or directory where results are stored on the host.
+    #   if it is "*stdout" or unspecified, the command's standard output will be selected
+    #   When container.type is 'podman', this needs to be used along with the container.volumes configuration below
+    #   If the result needs to be sent to DefectDojo, this must be a SARIF format file
+    results: "/tmp/oobtkube.sarif.json"   # if None or "*stdout", the command's standard output is selected
+    # toolDir: scanners/generic/tools
+    #inline: "python3 oobtkube.py -d 120 -p <port> -i <ipaddr> -f /test/oobt_test_data/cr_example.yaml -o /tmp/oobtkube.sarif.json"
+
+  generic_trivy:
+    inline: "trivy k8s --kubeconfig=/home/rapidast/.kube/config -n iopenshift-operator-lifecycle-manager pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json"

tests/dast/rapid-lca/test_oobt.py

@@ -0,0 +1,52 @@
+import os
+import subprocess
+import random
+
+import subprocess
+import re
+
+
+RAPIDAST_IMAGE = "quay.io/redhatproductsecurity/rapidast:2.5.0"
+def get_vpn_ip_address():
+    try:
+        ip_output = subprocess.check_output(['ip', 'addr']).decode('utf-8')
+        # Use regular expression to extract IP addresses
+        ip_addresses = re.findall(r'10.64.\d+\.\d+', ip_output)
+
+		# Currently return the first IP address
+		# TODO: fix if there are multiple IP addresses and it causes an issue
+
+        return ip_addresses[0]
+    except subprocess.CalledProcessError as e:
+        return f"Error: {e}"
+
+def test_oobt_basic():
+    # 1. place kubeconfig in the TEST_DATA_DIR directory
+
+    TEST_DATA_DIR = "oobt_test_data"
+    RAPIDAST_CFG_FILE = "v5-none-oobt-template.yaml"
+
+    port = random.randint(10000, 30000)
+    ipaddr = get_vpn_ip_address()
+
+    # create a rapidast config
+    sed_cmd = f"sed 's/-p <port> -i <ipaddr>/-p {port} -i {ipaddr}/' {TEST_DATA_DIR}/{RAPIDAST_CFG_FILE} > rapidast_runtime_cfg.yaml"
+    os.system(sed_cmd)
+    
+    # prep for testing
+    os.system(f"chmod 666 {TEST_DATA_DIR}/kubeconfig")
+    if not os.path.exists("results"):
+        os.makedirs("results")
+        os.system("podman unshare chown 1000 results")
+
+    # Run the command and capture stdout
+    command = f"podman run -it --rm -v ./{TEST_DATA_DIR}/kubeconfig:/home/rapidast/.kube/config:Z -v ./results:/opt/rapidast/results:Z -v $PWD:/test:Z -p {port}:{port} {RAPIDAST_IMAGE} rapidast.py --config /test/rapidast_runtime_cfg.yaml"
+    print(command)
+
+    process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+    stdout, stderr = process.communicate()
+#    print(stdout)
+    print("test completed. See the results directory")
+
+if __name__ == "__main__":
+    test_oobt_basic()

tests/dast/rapid-nrop/00-assert.yaml

@@ -0,0 +1,15 @@
+apiVersion: project.openshift.io/v1
+kind: Project
+metadata:
+  labels:
+    kubernetes.io/metadata.name: rapidast-nrop
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+  name: rapidast-nrop
+spec:
+  finalizers:
+    - kubernetes
+status:
+  phase: Active

tests/dast/rapid-nrop/00-create-project.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rapidast-nrop
+  labels:
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+    pod-security.kubernetes.io/enforce: "privileged"
+    pod-security.kubernetes.io/audit: "privileged"
+    pod-security.kubernetes.io/warn: "privileged"

tests/dast/rapid-nrop/01-assert.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: privileged-sa
+  namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-nrop-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-nrop-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-nrop

tests/dast/rapid-nrop/01-create-sa.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: privileged-sa
+  namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-nrop-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-nrop-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-nrop

tests/dast/rapid-nrop/02-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rapidast-configmap
+  namespace: rapidast-nrop

tests/dast/rapid-nrop/02-create-rapidast-config.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: ./create_rapidast_configmap.sh

tests/dast/rapid-nrop/03-assert.yaml

@@ -0,0 +1,7 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rapidast-job
+  namespace: rapidast-nrop
+status:
+  succeeded: 1

tests/dast/rapid-nrop/03-rapidast-job.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: rapidast-pvc
+  namespace: rapidast-nrop
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeMode: Filesystem
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rapidast-job
+  namespace: rapidast-nrop
+spec:
+  backoffLimit: 3
+  completionMode: NonIndexed
+  completions: 1
+  parallelism: 1
+  suspend: false
+  template:
+    metadata:
+      labels:
+        job-name: rapidast-job
+      name: rapidast-job
+    spec:
+      serviceAccount: privileged-sa
+      serviceAccountName: privileged-sa
+      containers:
+        - command:
+            - sh
+            - -c
+            - rapidast.py --log-level debug --config
+              /helm/config/rapidastconfig.yaml && find /opt/rapidast/results/nrop
+              -name zap-report.json -exec cat {} \;
+          image: quay.io/redhatproductsecurity/rapidast:latest
+          imagePullPolicy: Always
+          name: rapidast-chart
+          resources: {}
+          securityContext:
+            privileged: true
+            terminationMessagePath: /dev/termination-log
+            terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /helm/config
+              name: config-volume
+            - mountPath: /opt/rapidast/results/
+              name: results-volume
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - configMap:
+            defaultMode: 420
+            name: rapidast-configmap
+          name: config-volume
+        - name: results-volume
+          persistentVolumeClaim: null
+          claimName: rapidast-pvc

tests/dast/rapid-nrop/04-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 180
+commands:
+ - script: ./tests/e2e-rh-sdl/rapidast-nrop/results.sh

tests/dast/rapid-nrop/chainsaw-test.yaml

@@ -0,0 +1,56 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: rapidast-nrop
+spec:
+  steps:
+    - name: step-00
+      try:
+    - apply:
+        file: 00-create-project.yaml
+    - assert:
+        file: 00-assert.yaml
+    - name: step-01
+      try:
+    - apply:
+        file: 01-create-sa.yaml
+    - assert:
+        file: 01-assert.yaml
+    - name: step-02
+      try:
+    - script:
+        timeout: 30s
+        content: ./create_rapidast_configmap.sh
+    - assert:
+        file: 02-assert.yaml
+    - name: step-03
+      try:
+    - apply:
+        file: 03-rapidast-job.yaml
+    - assert:
+        file: 03-assert.yaml
+    - name: step-04
+      try:
+    - script:
+        timeout: 6m
+        content: ./results.sh
+      finally:
+        - command:
+          timeout: 1m
+          entrypoint: oc
+          args:
+            - -n
+            - rapidast-nrop
+            - delete
+            - pod
+            - rapiterm-nrop
+        - command:
+          timeout: 1m
+          entrypoint: oc
+          args:
+            - -n
+            - rapidast-nrop
+            - delete
+            - pod
+            - --selector=batch.kubernetes.io/job-name=rapidast-job