From e8230831e36ec427e0cfd5d43e43c8707e74bbcc Mon Sep 17 00:00:00 2001 
From: obochan-rh Date: Sun, 29 Sep 2024 12:45:39 +0300 Subject: [PATCH] update more operators for test --- tests/dast/Dockerfile | 1 + .../rapid-lca/oobt_test_data/cr_example.yaml | 8 +++ .../oobt_test_data/v5-none-oobt-template.yaml | 12 ++++ tests/dast/rapid-lca/results.sh | 2 - tests/dast/rapid-lca/test_oobt.py | 52 ++++++++++++++ tests/dast/rapid-nrop/00-assert.yaml | 15 ++++ tests/dast/rapid-nrop/00-create-project.yaml | 9 +++ tests/dast/rapid-nrop/01-assert.yaml | 33 +++++++++ tests/dast/rapid-nrop/01-create-sa.yaml | 33 +++++++++ tests/dast/rapid-nrop/02-assert.yaml | 5 ++ .../rapid-nrop/02-create-rapidast-config.yaml | 4 ++ tests/dast/rapid-nrop/03-assert.yaml | 7 ++ tests/dast/rapid-nrop/03-rapidast-job.yaml | 66 +++++++++++++++++ tests/dast/rapid-nrop/04-assert.yaml | 5 ++ tests/dast/rapid-nrop/chainsaw-test.yaml | 56 +++++++++++++++ .../rapid-nrop/create_rapidast_configmap.sh | 47 ++++++++++++ tests/dast/rapid-nrop/results.sh | 71 +++++++++++++++++++ tests/dast/rapid-ptp/00-assert.yaml | 15 ++++ tests/dast/rapid-ptp/00-create-project.yaml | 9 +++ tests/dast/rapid-ptp/01-assert.yaml | 33 +++++++++ tests/dast/rapid-ptp/01-create-sa.yaml | 33 +++++++++ tests/dast/rapid-ptp/02-assert.yaml | 5 ++ .../rapid-ptp/02-create-rapidast-config.yaml | 4 ++ tests/dast/rapid-ptp/03-assert.yaml | 7 ++ tests/dast/rapid-ptp/03-rapidast-job.yaml | 66 +++++++++++++++++ tests/dast/rapid-ptp/04-assert.yaml | 5 ++ tests/dast/rapid-ptp/chainsaw-test.yaml | 56 +++++++++++++++ .../rapid-ptp/create_rapidast_configmap.sh | 47 ++++++++++++ tests/dast/rapid-ptp/results.sh | 71 +++++++++++++++++++ tests/dast/rapid-talm/00-assert.yaml | 15 ++++ tests/dast/rapid-talm/00-create-project.yaml | 9 +++ tests/dast/rapid-talm/01-assert.yaml | 33 +++++++++ tests/dast/rapid-talm/01-create-sa.yaml | 33 +++++++++ tests/dast/rapid-talm/02-assert.yaml | 5 ++ .../rapid-talm/02-create-rapidast-config.yaml | 4 ++ tests/dast/rapid-talm/03-assert.yaml | 7 ++ tests/dast/rapid-talm/03-rapidast-job.yaml | 66 
+++++++++++++++++ tests/dast/rapid-talm/04-assert.yaml | 5 ++ tests/dast/rapid-talm/chainsaw-test.yaml | 56 +++++++++++++++ .../rapid-talm/create_rapidast_configmap.sh | 47 ++++++++++++ tests/dast/rapid-talm/results.sh | 71 +++++++++++++++++++ 41 files changed, 1126 insertions(+), 2 deletions(-) create mode 100644 tests/dast/rapid-lca/oobt_test_data/cr_example.yaml create mode 100644 tests/dast/rapid-lca/oobt_test_data/v5-none-oobt-template.yaml create mode 100644 tests/dast/rapid-lca/test_oobt.py create mode 100644 tests/dast/rapid-nrop/00-assert.yaml create mode 100644 tests/dast/rapid-nrop/00-create-project.yaml create mode 100644 tests/dast/rapid-nrop/01-assert.yaml create mode 100644 tests/dast/rapid-nrop/01-create-sa.yaml create mode 100644 tests/dast/rapid-nrop/02-assert.yaml create mode 100644 tests/dast/rapid-nrop/02-create-rapidast-config.yaml create mode 100644 tests/dast/rapid-nrop/03-assert.yaml create mode 100644 tests/dast/rapid-nrop/03-rapidast-job.yaml create mode 100644 tests/dast/rapid-nrop/04-assert.yaml create mode 100644 tests/dast/rapid-nrop/chainsaw-test.yaml create mode 100755 tests/dast/rapid-nrop/create_rapidast_configmap.sh create mode 100755 tests/dast/rapid-nrop/results.sh create mode 100644 tests/dast/rapid-ptp/00-assert.yaml create mode 100644 tests/dast/rapid-ptp/00-create-project.yaml create mode 100644 tests/dast/rapid-ptp/01-assert.yaml create mode 100644 tests/dast/rapid-ptp/01-create-sa.yaml create mode 100644 tests/dast/rapid-ptp/02-assert.yaml create mode 100644 tests/dast/rapid-ptp/02-create-rapidast-config.yaml create mode 100644 tests/dast/rapid-ptp/03-assert.yaml create mode 100644 tests/dast/rapid-ptp/03-rapidast-job.yaml create mode 100644 tests/dast/rapid-ptp/04-assert.yaml create mode 100644 tests/dast/rapid-ptp/chainsaw-test.yaml create mode 100755 tests/dast/rapid-ptp/create_rapidast_configmap.sh create mode 100755 tests/dast/rapid-ptp/results.sh create mode 100644 tests/dast/rapid-talm/00-assert.yaml create mode 
100644 tests/dast/rapid-talm/00-create-project.yaml
create mode 100644 tests/dast/rapid-talm/01-assert.yaml
create mode 100644 tests/dast/rapid-talm/01-create-sa.yaml
create mode 100644 tests/dast/rapid-talm/02-assert.yaml
create mode 100644 tests/dast/rapid-talm/02-create-rapidast-config.yaml
create mode 100644 tests/dast/rapid-talm/03-assert.yaml
create mode 100644 tests/dast/rapid-talm/03-rapidast-job.yaml
create mode 100644 tests/dast/rapid-talm/04-assert.yaml
create mode 100644 tests/dast/rapid-talm/chainsaw-test.yaml
create mode 100755 tests/dast/rapid-talm/create_rapidast_configmap.sh
create mode 100755 tests/dast/rapid-talm/results.sh
diff --git a/tests/dast/Dockerfile b/tests/dast/Dockerfile
index f9c0b10..ea4157c 100644
--- a/tests/dast/Dockerfile
+++ b/tests/dast/Dockerfile
@@ -17,6 +17,7 @@ RUN mkdir -p /tmp/go/bin $GOCACHE \
# Install dependencies required by test cases and debugging
RUN apt-get update && apt-get install -y jq vim libreadline-dev
+RUN apt-get -y install podman
# Install Chainsaw e2e testing tool
RUN go install github.com/kyverno/chainsaw@v0.2.0
diff --git a/tests/dast/rapid-lca/oobt_test_data/cr_example.yaml b/tests/dast/rapid-lca/oobt_test_data/cr_example.yaml
new file mode 100644
index 0000000..85547d8
--- /dev/null
+++ b/tests/dast/rapid-lca/oobt_test_data/cr_example.yaml
@@ -0,0 +1,8 @@
+apiVersion: operator.openshift.io/v1
+kind: RunOnceDurationOverride
+metadata:
+ name: cluster
+spec:
+ runOnceDurationOverride:
+ spec:
+ activeDeadlineSeconds: 3600
diff --git a/tests/dast/rapid-lca/oobt_test_data/v5-none-oobt-template.yaml b/tests/dast/rapid-lca/oobt_test_data/v5-none-oobt-template.yaml
new file mode 100644
index 0000000..5cee815
--- /dev/null
+++ b/tests/dast/rapid-lca/oobt_test_data/v5-none-oobt-template.yaml
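Review bot: The new `RUN apt-get -y install podman` sits in its own layer after the existing `apt-get update && apt-get install ...` line, so on a rebuild Docker can reuse the cached update layer and install podman from a stale package index, and neither layer removes `/var/lib/apt/lists`. Fold it into the existing instruction: `RUN apt-get update && apt-get install -y jq vim libreadline-dev podman && rm -rf /var/lib/apt/lists/*`. Podman in this image presumably exists to run `test_oobt.py`'s `podman run`; if so, a one-line comment saying that, and whether the container needs to be started with extra privileges for nested podman, would save the next reader a search, since the base image and entrypoint are outside this hunk.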
@@ -0,0 +1,12 @@
+config:
+ configVersion: 5
+
+# `application` contains data related to the application, not to the scans.
+application:
+ shortName: "oobttest"
+
+scanners:
+ generic_trivy:
+ inline: >
+ "trivy k8s --kubeconfig=/home/rapidast/.kube/config -n openshift-operator-lifecycle-manager
+ pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json"
diff --git a/tests/dast/rapid-lca/results.sh b/tests/dast/rapid-lca/results.sh
index 9e10adc..9f186ef 100755
--- a/tests/dast/rapid-lca/results.sh
+++ b/tests/dast/rapid-lca/results.sh
@@ -11,9 +11,7 @@ RANDOM_NAME=rapiterm-lca
# Name of PVC in RapiDAST Resource, i.e. which PVC to mount to grab results
PVC=rapidast-pvc
-
IMAGE_REPOSITORY=quay.io/redhatproductsecurity/rapidast-term
-
IMAGE_TAG=latest
cat < $TMP_DIR/$RANDOM_NAME
diff --git a/tests/dast/rapid-lca/test_oobt.py b/tests/dast/rapid-lca/test_oobt.py
new file mode 100644
index 0000000..4e691ad
--- /dev/null
+++ b/tests/dast/rapid-lca/test_oobt.py
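Review bot: In `inline: >` the double quotes are part of the folded scalar's value, so the scanner receives the literal string `"trivy k8s ... --format json"` including the quote characters; if rapidast hands `generic_trivy.inline` to a shell, that quoted text becomes a single command word and no `trivy` binary is found. Drop the quotes and let the folded scalar join the two lines: `inline: >-` / `trivy k8s --kubeconfig=/home/rapidast/.kube/config -n openshift-operator-lifecycle-manager` / `pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json` (`>-` also drops the trailing newline that `>` keeps). How rapidast executes `inline` is not visible in this commit, so confirm against the scanner before relying on either form.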
@@ -0,0 +1,52 @@
+import os
+import subprocess
+import random
+
+import subprocess
+import re
+
+
+RAPIDAST_IMAGE = "quay.io/redhatproductsecurity/rapidast:2.5.0"
+def get_vpn_ip_address():
+ try:
+ ip_output = subprocess.check_output(['ip', 'addr']).decode('utf-8')
+ # Use regular expression to extract IP addresses
+ ip_addresses = re.findall(r'10.64.\d+\.\d+', ip_output)
+
+ # Currently return the first IP address
+ # TODO: fix if there are multiple IP addresses and it causes an issue
+
+ return ip_addresses[0]
+ except subprocess.CalledProcessError as e:
+ return f"Error: {e}"
+
+def test_oobt_basic():
+ # 1. place kubeconfig in the TEST_DATA_DIR directory
+
+ TEST_DATA_DIR = "oobt_test_data"
+ RAPIDAST_CFG_FILE = "v5-none-oobt-template.yaml"
+
+ port = random.randint(10000, 30000)
+ ipaddr = get_vpn_ip_address()
+
+ # create a rapidast config
+ sed_cmd = f"sed 's/-p -i /-p {port} -i {ipaddr}/' {TEST_DATA_DIR}/{RAPIDAST_CFG_FILE} > rapidast_runtime_cfg.yaml"
+ os.system(sed_cmd)
+
+ # prep for testing
+ os.system(f"chmod 666 {TEST_DATA_DIR}/kubeconfig")
+ if not os.path.exists("results"):
+ os.makedirs("results")
+ os.system("podman unshare chown 1000 results")
+
+ # Run the command and capture stdout
+ command = f"podman run -it --rm -v ./{TEST_DATA_DIR}/kubeconfig:/home/rapidast/.kube/config:Z -v ./results:/opt/rapidast/results:Z -v $PWD:/test:Z -p {port}:{port} {RAPIDAST_IMAGE} rapidast.py --config /test/rapidast_runtime_cfg.yaml"
+ print(command)
+
+ process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+ stdout, stderr = process.communicate()
+# print(stdout)
+ print("test completed. See the results directory")
+
+if __name__ == "__main__":
+ test_oobt_basic()
diff --git a/tests/dast/rapid-nrop/00-assert.yaml b/tests/dast/rapid-nrop/00-assert.yaml
new file mode 100644
index 0000000..2806caf
--- /dev/null
+++ b/tests/dast/rapid-nrop/00-assert.yaml
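Review bot: `test_oobt_basic` cannot fail: nothing checks `process.returncode` after `communicate()` and no assertion follows, so a podman or rapidast error still prints "test completed". Add `assert process.returncode == 0, stderr.decode(errors="replace")` right after `stdout, stderr = process.communicate()`. In the same block, `chmod 666` makes the kubeconfig — a cluster credential — world-writable when read access for the container's uid is presumably all that is needed (`os.chmod(f"{TEST_DATA_DIR}/kubeconfig", 0o644)`), and `get_vpn_ip_address` returns the string `f"Error: {e}"` on failure (or raises `IndexError` when nothing matches), which is then spliced into the `sed` command instead of aborting the test. The `-p -i ` pattern that `sed` looks for does not occur in `v5-none-oobt-template.yaml` as committed, so the port/IP substitution appears to be a no-op, and `subprocess` is imported twice.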
@@ -0,0 +1,15 @@
+apiVersion: project.openshift.io/v1
+kind: Project
+metadata:
+ labels:
+ kubernetes.io/metadata.name: rapidast-nrop
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/warn: privileged
+ security.openshift.io/scc.podSecurityLabelSync: "false"
+ name: rapidast-nrop
+spec:
+ finalizers:
+ - kubernetes
+status:
+ phase: Active
diff --git a/tests/dast/rapid-nrop/00-create-project.yaml b/tests/dast/rapid-nrop/00-create-project.yaml
new file mode 100644
index 0000000..1c5a1ce
--- /dev/null
+++ b/tests/dast/rapid-nrop/00-create-project.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: rapidast-nrop
+ labels:
+ security.openshift.io/scc.podSecurityLabelSync: "false"
+ pod-security.kubernetes.io/enforce: "privileged"
+ pod-security.kubernetes.io/audit: "privileged"
+ pod-security.kubernetes.io/warn: "privileged"
diff --git a/tests/dast/rapid-nrop/01-assert.yaml b/tests/dast/rapid-nrop/01-assert.yaml
new file mode 100644
index 0000000..6add7a1
--- /dev/null
+++ b/tests/dast/rapid-nrop/01-assert.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: privileged-sa
+ namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-nrop-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-nrop-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-nrop
diff --git a/tests/dast/rapid-nrop/01-create-sa.yaml b/tests/dast/rapid-nrop/01-create-sa.yaml
new file mode 100644
index 0000000..6add7a1
--- /dev/null
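Review bot: `00-create-project.yaml` labels the namespace `pod-security.kubernetes.io/enforce: "privileged"` and sets `security.openshift.io/scc.podSecurityLabelSync: "false"`, which switches off Pod Security admission for everything created in `rapidast-nrop` for as long as the namespace exists, and the chainsaw `finally` in this commit never deletes the namespace. The only visible consumer is `securityContext.privileged: true` on the scanner container in `03-rapidast-job.yaml`; if that really needs to be privileged, record why next to the labels, e.g. `# enforce=privileged: the rapidast job below runs with securityContext.privileged: true`, otherwise drop the labels together with the job's privileged flag. The `00-assert.yaml` that checks these same labels would need the matching edit.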
+++ b/tests/dast/rapid-nrop/01-create-sa.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: privileged-sa
+ namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-nrop-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-nrop-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-nrop
diff --git a/tests/dast/rapid-nrop/02-assert.yaml b/tests/dast/rapid-nrop/02-assert.yaml
new file mode 100644
index 0000000..6c2f7ac
--- /dev/null
+++ b/tests/dast/rapid-nrop/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: rapidast-configmap
+ namespace: rapidast-nrop
diff --git a/tests/dast/rapid-nrop/02-create-rapidast-config.yaml b/tests/dast/rapid-nrop/02-create-rapidast-config.yaml
new file mode 100644
index 0000000..fa00b4f
--- /dev/null
+++ b/tests/dast/rapid-nrop/02-create-rapidast-config.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: ./create_rapidast_configmap.sh
diff --git a/tests/dast/rapid-nrop/03-assert.yaml b/tests/dast/rapid-nrop/03-assert.yaml
new file mode 100644
index 0000000..4ef3aba
--- /dev/null
+++ b/tests/dast/rapid-nrop/03-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rapidast-job
+ namespace: rapidast-nrop
+status:
+ succeeded: 1
diff --git a/tests/dast/rapid-nrop/03-rapidast-job.yaml b/tests/dast/rapid-nrop/03-rapidast-job.yaml
new file mode 100644
index 0000000..7fd4332
--- /dev/null
+++ b/tests/dast/rapid-nrop/03-rapidast-job.yaml
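Review bot: `01-create-sa.yaml` binds `privileged-sa` to the `cluster-admin` ClusterRole on top of `system:openshift:scc:privileged`, so the token that `create_rapidast_configmap.sh` mints for it is a cluster-admin credential, and both ClusterRoleBindings are cluster-scoped objects that outlive the namespace. A DAST pass against one operator's API surface is unlikely to need cluster-admin; a ClusterRole limited to the API groups the scan touches, or a namespaced Role, would bound what a leaked token can do. If cluster-admin is genuinely required, say why in a comment above the second binding (`# cluster-admin is required because <reason>; revisit`), and make sure the chainsaw `finally` deletes both bindings. `01-assert.yaml` is a byte-for-byte copy of this file (same blob `6add7a1`), which is fine for a chainsaw assert but worth a note so the two are edited together.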
@@ -0,0 +1,66 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: rapidast-pvc
+ namespace: rapidast-nrop
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ volumeMode: Filesystem
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rapidast-job
+ namespace: rapidast-nrop
+spec:
+ backoffLimit: 3
+ completionMode: NonIndexed
+ completions: 1
+ parallelism: 1
+ suspend: false
+ template:
+ metadata:
+ labels:
+ job-name: rapidast-job
+ name: rapidast-job
+ spec:
+ serviceAccount: privileged-sa
+ serviceAccountName: privileged-sa
+ containers:
+ - command:
+ - sh
+ - -c
+ - rapidast.py --log-level debug --config
+ /helm/config/rapidastconfig.yaml && find /opt/rapidast/results/nrop
+ -name zap-report.json -exec cat {} \;
+ image: quay.io/redhatproductsecurity/rapidast:latest
+ imagePullPolicy: Always
+ name: rapidast-chart
+ resources: {}
+ securityContext:
+ privileged: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /helm/config
+ name: config-volume
+ - mountPath: /opt/rapidast/results/
+ name: results-volume
+ dnsPolicy: ClusterFirst
+ restartPolicy: Never
+ schedulerName: default-scheduler
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: rapidast-configmap
+ name: config-volume
+ - name: results-volume
+ persistentVolumeClaim: null
+ claimName: rapidast-pvc
diff --git a/tests/dast/rapid-nrop/04-assert.yaml b/tests/dast/rapid-nrop/04-assert.yaml
new file mode 100644
index 0000000..79a27c5
--- /dev/null
+++ b/tests/dast/rapid-nrop/04-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 180
+commands:
+ - script: ./tests/e2e-rh-sdl/rapidast-nrop/results.sh
diff --git a/tests/dast/rapid-nrop/chainsaw-test.yaml b/tests/dast/rapid-nrop/chainsaw-test.yaml
new file mode 100644
index 0000000..eda6774
--- /dev/null
+++ b/tests/dast/rapid-nrop/chainsaw-test.yaml
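Review bot: In the `volumes` list of `03-rapidast-job.yaml` the results volume is written as `persistentVolumeClaim: null` on one line and `claimName: rapidast-pvc` on the next, so as the hunk reads the claim name is not nested under a PVC source; the volume ends up with no source (or an unknown `claimName` field under strict validation) and the Job is expected to be rejected, which `03-assert.yaml`'s `succeeded: 1` can never satisfy. `results.sh` in this same commit has the correct shape — `persistentVolumeClaim:` followed by an indented `claimName: rapidast-pvc` — and the job should match it. Separately, the container runs `privileged: true` under the cluster-admin `privileged-sa` while pulling `quay.io/redhatproductsecurity/rapidast:latest` with `imagePullPolicy: Always`, so the code executing with those privileges changes on every run; pin a tag or digest as `test_oobt.py` already does with `rapidast:2.5.0`.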
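Review bot: `04-assert.yaml` is a kuttl `TestAssert` whose `script` points at `./tests/e2e-rh-sdl/rapidast-nrop/results.sh`, a path that does not match where this commit adds the script (`tests/dast/rapid-nrop/results.sh`), while `chainsaw-test.yaml` in the same directory already runs `./results.sh` directly. If chainsaw is the runner, `02-create-rapidast-config.yaml` and `04-assert.yaml` look like kuttl leftovers and should be removed rather than left pointing at a dead path; if kuttl is still used somewhere, change the line to `- script: ./results.sh` and note which runner each file belongs to.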
@@ -0,0 +1,56 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: rapidast-nrop
+spec:
+ steps:
+ - name: step-00
+ try:
+ - apply:
+ file: 00-create-project.yaml
+ - assert:
+ file: 00-assert.yaml
+ - name: step-01
+ try:
+ - apply:
+ file: 01-create-sa.yaml
+ - assert:
+ file: 01-assert.yaml
+ - name: step-02
+ try:
+ - script:
+ timeout: 30s
+ content: ./create_rapidast_configmap.sh
+ - assert:
+ file: 02-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: 03-rapidast-job.yaml
+ - assert:
+ file: 03-assert.yaml
+ - name: step-04
+ try:
+ - script:
+ timeout: 6m
+ content: ./results.sh
+ finally:
+ - command:
+ timeout: 1m
+ entrypoint: oc
+ args:
+ - -n
+ - rapidast-nrop
+ - delete
+ - pod
+ - rapiterm-nrop
+ - command:
+ timeout: 1m
+ entrypoint: oc
+ args:
+ - -n
+ - rapidast-nrop
+ - delete
+ - pod
+ - --selector=batch.kubernetes.io/job-name=rapidast-job
diff --git a/tests/dast/rapid-nrop/create_rapidast_configmap.sh b/tests/dast/rapid-nrop/create_rapidast_configmap.sh
new file mode 100755
index 0000000..e3f3ef4
--- /dev/null
+++ b/tests/dast/rapid-nrop/create_rapidast_configmap.sh
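Review bot: The `finally` block only deletes the `rapiterm-nrop` pod and the job's pods; the namespace, the PVC, the `rapidast-configmap` that carries the service-account token, and the two cluster-scoped ClusterRoleBindings from `01-create-sa.yaml` all survive, so every run leaves a cluster-admin service account and a readable copy of its bearer token behind. Add cleanup entries such as `- command: {timeout: 2m, entrypoint: oc, args: [delete, namespace, rapidast-nrop, --ignore-not-found]}` and `- command: {timeout: 1m, entrypoint: oc, args: [delete, clusterrolebinding, rapidast-nrop-binding, rapidast-nrop-cluster-admin, --ignore-not-found]}`. Deleting the namespace subsumes the two pod deletions, and `--ignore-not-found` keeps `finally` green when an earlier step never created the object. If keeping the namespace is intentional for post-mortem debugging, say so in a comment rather than leaving it implicit.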
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+nrop_token=$(oc create token privileged-sa -n rapidast-nrop)
+
+# Define the content for the ConfigMap
+configmap_content=$(cat < $TMP_DIR/$RANDOM_NAME
+apiVersion: v1
+kind: Pod
+metadata:
+ name: $RANDOM_NAME
+ namespace: rapidast-nrop
+spec:
+ containers:
+ - name: terminal
+ image: '$IMAGE_REPOSITORY:$IMAGE_TAG'
+ command: ['sleep', '300']
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: results-volume
+ mountPath: /zap/results/
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ volumes:
+ - name: results-volume
+ persistentVolumeClaim:
+ claimName: $PVC
+EOF
+
+kubectl apply -f $TMP_DIR/$RANDOM_NAME
+rm $TMP_DIR/$RANDOM_NAME
+kubectl -n rapidast-nrop wait --for=condition=Ready pod/$RANDOM_NAME
+kubectl -n rapidast-nrop cp $RANDOM_NAME:/zap/results $ARTIFACT_DIR
+
+# Function to search for 'session' file and zap-report.json recursively
+search_for_files() {
+ local dir="$1/nrop"
+ local found_session=0
+ local found_zap_report=0
+
+ while IFS= read -r -d '' file; do
+ if [[ "$file" == *"session"* ]]; then
+ found_session=1
+ elif [[ "$file" == *"zap-report.json" ]]; then
+ found_zap_report=1
+ fi
+ done < <(find "$dir" -type f \( -name "session*" -o -name "zap-report.json" \) -print0)
+
+ if [[ "$found_session" -eq 0 || "$found_zap_report" -eq 0 ]]; then
+ echo "Either 'session' file or 'zap-report.json' files not found in subdirectories of $dir, failing..."
+ exit 1
+ fi
+}
+
+# Search for 'session' file and zap-report.json in subdirectories of $ARTIFACT_DIR
+search_for_files "$ARTIFACT_DIR"
diff --git a/tests/dast/rapid-ptp/00-assert.yaml b/tests/dast/rapid-ptp/00-assert.yaml
new file mode 100644
index 0000000..410f57f
--- /dev/null
+++ b/tests/dast/rapid-ptp/00-assert.yaml
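Review bot: `create_rapidast_configmap.sh` mints a token for `privileged-sa` with `oc create token` and, going by `02-assert.yaml`, writes it into the `rapidast-configmap` ConfigMap; the heredoc and the rest of this hunk are garbled in this view, so the exact wiring is not visible. A ConfigMap is readable by anyone with `get configmaps` in the namespace and is not redacted or guarded anywhere a Secret's data would be, and this particular token is cluster-admin via `01-create-sa.yaml`. Because the job already runs as `privileged-sa`, its projected token is available in the pod at `/var/run/secrets/kubernetes.io/serviceaccount/token` without copying it; if rapidast needs the token inside its config file, put the config in a Secret mounted in place of the ConfigMap and pass `--duration` to `oc create token` so the copy expires with the test. `set -euo pipefail` at the top of the script would also stop it from creating a ConfigMap with an empty token when `oc create token` fails.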
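Review bot: `results.sh` ignores the exit status of `kubectl -n rapidast-nrop wait --for=condition=Ready pod/$RANDOM_NAME`, whose default timeout is 30s while the terminal image is pulled with `imagePullPolicy: Always`, so `kubectl cp` can run against a pod that is not ready and the failure surfaces only later as "files not found". Change it to `kubectl -n rapidast-nrop wait --timeout=120s --for=condition=Ready pod/$RANDOM_NAME || exit 1` and `kubectl -n rapidast-nrop cp $RANDOM_NAME:/zap/results "$ARTIFACT_DIR" || exit 1`. The top of the script — the shebang, any `set -e`, and where `TMP_DIR` and `ARTIFACT_DIR` come from — is not visible in this view; if `set -euo pipefail` is there the explicit `|| exit 1` is redundant but harmless, and `$TMP_DIR/$RANDOM_NAME` and `$ARTIFACT_DIR` should be quoted either way.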
@@ -0,0 +1,15 @@
+apiVersion: project.openshift.io/v1
+kind: Project
+metadata:
+ labels:
+ kubernetes.io/metadata.name: rapidast-ptp
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/warn: privileged
+ security.openshift.io/scc.podSecurityLabelSync: "false"
+ name: rapidast-ptp
+spec:
+ finalizers:
+ - kubernetes
+status:
+ phase: Active
diff --git a/tests/dast/rapid-ptp/00-create-project.yaml b/tests/dast/rapid-ptp/00-create-project.yaml
new file mode 100644
index 0000000..f9f96b1
--- /dev/null
+++ b/tests/dast/rapid-ptp/00-create-project.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: rapidast-ptp
+ labels:
+ security.openshift.io/scc.podSecurityLabelSync: "false"
+ pod-security.kubernetes.io/enforce: "privileged"
+ pod-security.kubernetes.io/audit: "privileged"
+ pod-security.kubernetes.io/warn: "privileged"
diff --git a/tests/dast/rapid-ptp/01-assert.yaml b/tests/dast/rapid-ptp/01-assert.yaml
new file mode 100644
index 0000000..84d66ea
--- /dev/null
+++ b/tests/dast/rapid-ptp/01-assert.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: privileged-sa
+ namespace: rapidast-ptp
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-ptp-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-ptp
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-ptp-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-ptp
diff --git a/tests/dast/rapid-ptp/01-create-sa.yaml b/tests/dast/rapid-ptp/01-create-sa.yaml
new file mode 100644
index 0000000..84d66ea
--- /dev/null
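Review bot: `00-create-project.yaml` for `rapidast-ptp` labels the namespace `pod-security.kubernetes.io/enforce: "privileged"` with SCC label sync disabled, turning off Pod Security admission for the namespace, and nothing in this commit deletes the namespace afterwards. The only visible reason is `securityContext.privileged: true` on the scanner container in `03-rapidast-job.yaml`; document that dependency on the labels (`# enforce=privileged: required by the privileged rapidast job`) or drop both together. This file is a name-substituted copy of the nrop and talm versions; a single parameterised fixture would keep the three from drifting.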
+++ b/tests/dast/rapid-ptp/01-create-sa.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: privileged-sa
+ namespace: rapidast-ptp
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-ptp-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-ptp
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-ptp-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-ptp
diff --git a/tests/dast/rapid-ptp/02-assert.yaml b/tests/dast/rapid-ptp/02-assert.yaml
new file mode 100644
index 0000000..b8f1eeb
--- /dev/null
+++ b/tests/dast/rapid-ptp/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: rapidast-configmap
+ namespace: rapidast-ptp
diff --git a/tests/dast/rapid-ptp/02-create-rapidast-config.yaml b/tests/dast/rapid-ptp/02-create-rapidast-config.yaml
new file mode 100644
index 0000000..fa00b4f
--- /dev/null
+++ b/tests/dast/rapid-ptp/02-create-rapidast-config.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: ./create_rapidast_configmap.sh
diff --git a/tests/dast/rapid-ptp/03-assert.yaml b/tests/dast/rapid-ptp/03-assert.yaml
new file mode 100644
index 0000000..59370d5
--- /dev/null
+++ b/tests/dast/rapid-ptp/03-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rapidast-job
+ namespace: rapidast-ptp
+status:
+ succeeded: 1
diff --git a/tests/dast/rapid-ptp/03-rapidast-job.yaml b/tests/dast/rapid-ptp/03-rapidast-job.yaml
new file mode 100644
index 0000000..0f74bef
--- /dev/null
+++ b/tests/dast/rapid-ptp/03-rapidast-job.yaml
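Review bot: `01-create-sa.yaml` grants `privileged-sa` in `rapidast-ptp` the `cluster-admin` ClusterRole through a cluster-scoped ClusterRoleBinding that no step in this commit deletes, so the token later minted for it by `create_rapidast_configmap.sh` is a persistent cluster-admin credential. Scope it to what the PTP operator scan actually touches (a ClusterRole over that operator's API groups, or a namespaced Role), or if cluster-admin is unavoidable add `# cluster-admin is required because <reason>; revisit` above the binding and delete both bindings in the test's `finally`. `01-assert.yaml` is an identical copy of this file (blob `84d66ea`), so any narrowing must be applied to both.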
@@ -0,0 +1,66 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: rapidast-pvc
+ namespace: rapidast-ptp
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ volumeMode: Filesystem
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rapidast-job
+ namespace: rapidast-ptp
+spec:
+ backoffLimit: 3
+ completionMode: NonIndexed
+ completions: 1
+ parallelism: 1
+ suspend: false
+ template:
+ metadata:
+ labels:
+ job-name: rapidast-job
+ name: rapidast-job
+ spec:
+ serviceAccount: privileged-sa
+ serviceAccountName: privileged-sa
+ containers:
+ - command:
+ - sh
+ - -c
+ - rapidast.py --log-level debug --config
+ /helm/config/rapidastconfig.yaml && find /opt/rapidast/results/ptp
+ -name zap-report.json -exec cat {} \;
+ image: quay.io/redhatproductsecurity/rapidast:latest
+ imagePullPolicy: Always
+ name: rapidast-chart
+ resources: {}
+ securityContext:
+ privileged: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /helm/config
+ name: config-volume
+ - mountPath: /opt/rapidast/results/
+ name: results-volume
+ dnsPolicy: ClusterFirst
+ restartPolicy: Never
+ schedulerName: default-scheduler
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: rapidast-configmap
+ name: config-volume
+ - name: results-volume
+ persistentVolumeClaim: null
+ claimName: rapidast-pvc
diff --git a/tests/dast/rapid-ptp/04-assert.yaml b/tests/dast/rapid-ptp/04-assert.yaml
new file mode 100644
index 0000000..51410cb
--- /dev/null
+++ b/tests/dast/rapid-ptp/04-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 180
+commands:
+ - script: ./tests/e2e-rh-sdl/rapidast-ptp/results.sh
diff --git a/tests/dast/rapid-ptp/chainsaw-test.yaml b/tests/dast/rapid-ptp/chainsaw-test.yaml
new file mode 100644
index 0000000..83505f3
--- /dev/null
+++ b/tests/dast/rapid-ptp/chainsaw-test.yaml
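Review bot: The `results-volume` entry in `03-rapidast-job.yaml` reads `persistentVolumeClaim: null` followed by `claimName: rapidast-pvc` on a separate line, so the claim name is not nested under a PVC source and the Job is expected to be rejected as a volume without a source (or for the unknown `claimName` field under strict validation); `03-assert.yaml`'s `succeeded: 1` then cannot be met. Use the shape `results.sh` in this commit already uses: `persistentVolumeClaim:` with `claimName: rapidast-pvc` indented beneath it. The container also combines `privileged: true`, the cluster-admin `privileged-sa`, and `rapidast:latest` pulled with `imagePullPolicy: Always`, so the privileged code changes from run to run; pin a tag or digest as `test_oobt.py` does with `rapidast:2.5.0`.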
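Review bot: `04-assert.yaml` is a kuttl `TestAssert` pointing at `./tests/e2e-rh-sdl/rapidast-ptp/results.sh`, which does not match the path this commit adds (`tests/dast/rapid-ptp/results.sh`); the chainsaw test next to it runs `./results.sh` itself. Either remove `02-create-rapidast-config.yaml` and `04-assert.yaml` as kuttl leftovers or fix the line to `- script: ./results.sh` and state which runner each file serves.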
@@ -0,0 +1,56 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: rapidast-ptp
+spec:
+ steps:
+ - name: step-00
+ try:
+ - apply:
+ file: 00-create-project.yaml
+ - assert:
+ file: 00-assert.yaml
+ - name: step-01
+ try:
+ - apply:
+ file: 01-create-sa.yaml
+ - assert:
+ file: 01-assert.yaml
+ - name: step-02
+ try:
+ - script:
+ timeout: 30s
+ content: ./create_rapidast_configmap.sh
+ - assert:
+ file: 02-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: 03-rapidast-job.yaml
+ - assert:
+ file: 03-assert.yaml
+ - name: step-04
+ try:
+ - script:
+ timeout: 6m
+ content: ./results.sh
+ finally:
+ - command:
+ timeout: 1m
+ entrypoint: oc
+ args:
+ - -n
+ - rapidast-ptp
+ - delete
+ - pod
+ - rapiterm-ptp
+ - command:
+ timeout: 1m
+ entrypoint: oc
+ args:
+ - -n
+ - rapidast-ptp
+ - delete
+ - pod
+ - --selector=batch.kubernetes.io/job-name=rapidast-job
diff --git a/tests/dast/rapid-ptp/create_rapidast_configmap.sh b/tests/dast/rapid-ptp/create_rapidast_configmap.sh
new file mode 100755
index 0000000..500c6b7
--- /dev/null
+++ b/tests/dast/rapid-ptp/create_rapidast_configmap.sh
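Review bot: `finally` removes only the `rapiterm-ptp` pod and the job pods, leaving the `rapidast-ptp` namespace, its PVC, the `rapidast-configmap` holding the service-account token, and the two cluster-scoped ClusterRoleBindings from `01-create-sa.yaml` — a cluster-admin account and a readable copy of its token persist after every run. Add `- command: {timeout: 2m, entrypoint: oc, args: [delete, namespace, rapidast-ptp, --ignore-not-found]}` and `- command: {timeout: 1m, entrypoint: oc, args: [delete, clusterrolebinding, rapidast-ptp-binding, rapidast-ptp-cluster-admin, --ignore-not-found]}` to the `finally` list; the namespace deletion covers the two existing pod deletions. If the namespace is intentionally kept for debugging, record that in a comment.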
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+ptp_token=$(oc create token privileged-sa -n rapidast-ptp)
+
+# Define the content for the ConfigMap
+configmap_content=$(cat < $TMP_DIR/$RANDOM_NAME
+apiVersion: v1
+kind: Pod
+metadata:
+ name: $RANDOM_NAME
+ namespace: rapidast-ptp
+spec:
+ containers:
+ - name: terminal
+ image: '$IMAGE_REPOSITORY:$IMAGE_TAG'
+ command: ['sleep', '300']
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: results-volume
+ mountPath: /zap/results/
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ volumes:
+ - name: results-volume
+ persistentVolumeClaim:
+ claimName: $PVC
+EOF
+
+kubectl apply -f $TMP_DIR/$RANDOM_NAME
+rm $TMP_DIR/$RANDOM_NAME
+kubectl -n rapidast-ptp wait --for=condition=Ready pod/$RANDOM_NAME
+kubectl -n rapidast-ptp cp $RANDOM_NAME:/zap/results $ARTIFACT_DIR
+
+# Function to search for 'session' file and zap-report.json recursively
+search_for_files() {
+ local dir="$1/ptp"
+ local found_session=0
+ local found_zap_report=0
+
+ while IFS= read -r -d '' file; do
+ if [[ "$file" == *"session"* ]]; then
+ found_session=1
+ elif [[ "$file" == *"zap-report.json" ]]; then
+ found_zap_report=1
+ fi
+ done < <(find "$dir" -type f \( -name "session*" -o -name "zap-report.json" \) -print0)
+
+ if [[ "$found_session" -eq 0 || "$found_zap_report" -eq 0 ]]; then
+ echo "Either 'session' file or 'zap-report.json' files not found in subdirectories of $dir, failing..."
+ exit 1
+ fi
+}
+
+# Search for 'session' file and zap-report.json in subdirectories of $ARTIFACT_DIR
+search_for_files "$ARTIFACT_DIR"
diff --git a/tests/dast/rapid-talm/00-assert.yaml b/tests/dast/rapid-talm/00-assert.yaml
new file mode 100644
index 0000000..ee76718
--- /dev/null
+++ b/tests/dast/rapid-talm/00-assert.yaml
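Review bot: `create_rapidast_configmap.sh` stores the `oc create token privileged-sa` output in a ConfigMap (per `02-assert.yaml`), i.e. a cluster-admin bearer token in an object that is not handled as sensitive anywhere; the heredoc and the remainder of the script are garbled in this view, so only the token creation and the ConfigMap name are certain. Prefer the pod's own projected token at `/var/run/secrets/kubernetes.io/serviceaccount/token` — the job already runs as `privileged-sa` — or, if the token must be in the rapidast config, mount that config from a Secret and mint the token with an explicit `--duration`. Add `set -euo pipefail` so a failed `oc create token` does not produce a ConfigMap with an empty token.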
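Review bot: `results.sh` does not act on the exit status of `kubectl -n rapidast-ptp wait --for=condition=Ready pod/$RANDOM_NAME` (30s default timeout, image pulled with `imagePullPolicy: Always`), so `kubectl cp` can run before the pod is ready and the error is only reported later as missing result files. Use `kubectl -n rapidast-ptp wait --timeout=120s --for=condition=Ready pod/$RANDOM_NAME || exit 1` and `kubectl -n rapidast-ptp cp $RANDOM_NAME:/zap/results "$ARTIFACT_DIR" || exit 1`. The head of the script, including any `set -e` and the source of `TMP_DIR`/`ARTIFACT_DIR`, is not visible here.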
@@ -0,0 +1,15 @@
+apiVersion: project.openshift.io/v1
+kind: Project
+metadata:
+ labels:
+ kubernetes.io/metadata.name: rapidast-talm
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/warn: privileged
+ security.openshift.io/scc.podSecurityLabelSync: "false"
+ name: rapidast-talm
+spec:
+ finalizers:
+ - kubernetes
+status:
+ phase: Active
diff --git a/tests/dast/rapid-talm/00-create-project.yaml b/tests/dast/rapid-talm/00-create-project.yaml
new file mode 100644
index 0000000..1ba33e0
--- /dev/null
+++ b/tests/dast/rapid-talm/00-create-project.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: rapidast-talm
+ labels:
+ security.openshift.io/scc.podSecurityLabelSync: "false"
+ pod-security.kubernetes.io/enforce: "privileged"
+ pod-security.kubernetes.io/audit: "privileged"
+ pod-security.kubernetes.io/warn: "privileged"
diff --git a/tests/dast/rapid-talm/01-assert.yaml b/tests/dast/rapid-talm/01-assert.yaml
new file mode 100644
index 0000000..73ff0d5
--- /dev/null
+++ b/tests/dast/rapid-talm/01-assert.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: privileged-sa
+ namespace: rapidast-talm
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-talm-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-talm
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-talm-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-talm
diff --git a/tests/dast/rapid-talm/01-create-sa.yaml b/tests/dast/rapid-talm/01-create-sa.yaml
new file mode 100644
index 0000000..73ff0d5
--- /dev/null
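Review bot: `00-create-project.yaml` for `rapidast-talm` disables Pod Security admission for the namespace (`enforce: "privileged"` with `scc.podSecurityLabelSync: "false"`) and the namespace is never deleted by this commit's test. The only visible consumer is `securityContext.privileged: true` in `03-rapidast-job.yaml`; annotate the labels with that reason (`# enforce=privileged: required by the privileged rapidast job`) or drop both. This is the third name-substituted copy of the same fixture in this commit; a single templated fixture would keep nrop, ptp and talm in step.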
+++ b/tests/dast/rapid-talm/01-create-sa.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: privileged-sa
+ namespace: rapidast-talm
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-talm-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-talm
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-talm-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-talm
diff --git a/tests/dast/rapid-talm/02-assert.yaml b/tests/dast/rapid-talm/02-assert.yaml
new file mode 100644
index 0000000..c26078c
--- /dev/null
+++ b/tests/dast/rapid-talm/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: rapidast-configmap
+ namespace: rapidast-talm
diff --git a/tests/dast/rapid-talm/02-create-rapidast-config.yaml b/tests/dast/rapid-talm/02-create-rapidast-config.yaml
new file mode 100644
index 0000000..fa00b4f
--- /dev/null
+++ b/tests/dast/rapid-talm/02-create-rapidast-config.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: ./create_rapidast_configmap.sh
diff --git a/tests/dast/rapid-talm/03-assert.yaml b/tests/dast/rapid-talm/03-assert.yaml
new file mode 100644
index 0000000..b3629a8
--- /dev/null
+++ b/tests/dast/rapid-talm/03-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rapidast-job
+ namespace: rapidast-talm
+status:
+ succeeded: 1
diff --git a/tests/dast/rapid-talm/03-rapidast-job.yaml b/tests/dast/rapid-talm/03-rapidast-job.yaml
new file mode 100644
index 0000000..a354de4
--- /dev/null
+++ b/tests/dast/rapid-talm/03-rapidast-job.yaml
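Review bot: `01-create-sa.yaml` gives `privileged-sa` in `rapidast-talm` the `cluster-admin` ClusterRole via a cluster-scoped binding that nothing in this commit removes, so the token `create_rapidast_configmap.sh` later mints is a long-lived cluster-admin credential. Narrow it to the TALM operator's API groups (a purpose-built ClusterRole or a namespaced Role), or document why cluster-admin is needed with `# cluster-admin is required because <reason>; revisit` and delete both bindings in the test's `finally`. `01-assert.yaml` is the same blob (`73ff0d5`), so change both together.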
@@ -0,0 +1,66 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: rapidast-pvc
+ namespace: rapidast-talm
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ volumeMode: Filesystem
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rapidast-job
+ namespace: rapidast-talm
+spec:
+ backoffLimit: 3
+ completionMode: NonIndexed
+ completions: 1
+ parallelism: 1
+ suspend: false
+ template:
+ metadata:
+ labels:
+ job-name: rapidast-job
+ name: rapidast-job
+ spec:
+ serviceAccount: privileged-sa
+ serviceAccountName: privileged-sa
+ containers:
+ - command:
+ - sh
+ - -c
+ - rapidast.py --log-level debug --config
+ /helm/config/rapidastconfig.yaml && find /opt/rapidast/results/talm
+ -name zap-report.json -exec cat {} \;
+ image: quay.io/redhatproductsecurity/rapidast:latest
+ imagePullPolicy: Always
+ name: rapidast-chart
+ resources: {}
+ securityContext:
+ privileged: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /helm/config
+ name: config-volume
+ - mountPath: /opt/rapidast/results/
+ name: results-volume
+ dnsPolicy: ClusterFirst
+ restartPolicy: Never
+ schedulerName: default-scheduler
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: rapidast-configmap
+ name: config-volume
+ - name: results-volume
+ persistentVolumeClaim: null
+ claimName: rapidast-pvc
diff --git a/tests/dast/rapid-talm/04-assert.yaml b/tests/dast/rapid-talm/04-assert.yaml
new file mode 100644
index 0000000..055850b
--- /dev/null
+++ b/tests/dast/rapid-talm/04-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 180
+commands:
+ - script: ./tests/e2e-rh-sdl/rapidast-talm/results.sh
diff --git a/tests/dast/rapid-talm/chainsaw-test.yaml b/tests/dast/rapid-talm/chainsaw-test.yaml
new file mode 100644
index 0000000..a12658c
--- /dev/null
+++ b/tests/dast/rapid-talm/chainsaw-test.yaml
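Review bot: `03-rapidast-job.yaml` declares the results volume as `persistentVolumeClaim: null` followed by a separate `claimName: rapidast-pvc` line, so the claim is not nested under a PVC source; the API server is expected to reject the Job (no volume source, or unknown field `claimName` under strict validation) and `03-assert.yaml`'s `succeeded: 1` cannot be reached. Write it as `results.sh` in this commit does — `persistentVolumeClaim:` with `claimName: rapidast-pvc` indented under it. The same container runs `privileged: true` as the cluster-admin `privileged-sa` with `rapidast:latest` and `imagePullPolicy: Always`, so the privileged code is whatever the tag points to on the day; pin a tag or digest like the `rapidast:2.5.0` used in `test_oobt.py`.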
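Review bot: `04-assert.yaml` is a kuttl `TestAssert` that runs `./tests/e2e-rh-sdl/rapidast-talm/results.sh`, a path that differs from where this commit places the script (`tests/dast/rapid-talm/results.sh`), while `chainsaw-test.yaml` already runs `./results.sh`. Delete `02-create-rapidast-config.yaml` and `04-assert.yaml` if kuttl is no longer used, or correct the line to `- script: ./results.sh` and note which runner reads the kuttl files.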
@@ -0,0 +1,56 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: rapidast-talm
+spec:
+ steps:
+ - name: step-00
+ try:
+ - apply:
+ file: 00-create-project.yaml
+ - assert:
+ file: 00-assert.yaml
+ - name: step-01
+ try:
+ - apply:
+ file: 01-create-sa.yaml
+ - assert:
+ file: 01-assert.yaml
+ - name: step-02
+ try:
+ - script:
+ timeout: 30s
+ content: ./create_rapidast_configmap.sh
+ - assert:
+ file: 02-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: 03-rapidast-job.yaml
+ - assert:
+ file: 03-assert.yaml
+ - name: step-04
+ try:
+ - script:
+ timeout: 6m
+ content: ./results.sh
+ finally:
+ - command:
+ timeout: 1m
+ entrypoint: oc
+ args:
+ - -n
+ - rapidast-talm
+ - delete
+ - pod
+ - rapiterm-talm
+ - command:
+ timeout: 1m
+ entrypoint: oc
+ args:
+ - -n
+ - rapidast-talm
+ - delete
+ - pod
+ - --selector=batch.kubernetes.io/job-name=rapidast-job
diff --git a/tests/dast/rapid-talm/create_rapidast_configmap.sh b/tests/dast/rapid-talm/create_rapidast_configmap.sh
new file mode 100755
index 0000000..49a93e4
--- /dev/null
+++ b/tests/dast/rapid-talm/create_rapidast_configmap.sh
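Review bot: The `finally` list deletes the `rapiterm-talm` pod and the job pods but not the `rapidast-talm` namespace, the PVC, the `rapidast-configmap` carrying the service-account token, or the two cluster-scoped ClusterRoleBindings from `01-create-sa.yaml`, so a cluster-admin account and a readable copy of its token remain after each run. Append `- command: {timeout: 2m, entrypoint: oc, args: [delete, namespace, rapidast-talm, --ignore-not-found]}` and `- command: {timeout: 1m, entrypoint: oc, args: [delete, clusterrolebinding, rapidast-talm-binding, rapidast-talm-cluster-admin, --ignore-not-found]}`; the namespace deletion makes the two pod deletions redundant. If keeping the namespace is deliberate for debugging, say so in a comment.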
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+talm_token=$(oc create token privileged-sa -n rapidast-talm)
+
+# Define the content for the ConfigMap
+configmap_content=$(cat < $TMP_DIR/$RANDOM_NAME
+apiVersion: v1
+kind: Pod
+metadata:
+ name: $RANDOM_NAME
+ namespace: rapidast-talm
+spec:
+ containers:
+ - name: terminal
+ image: '$IMAGE_REPOSITORY:$IMAGE_TAG'
+ command: ['sleep', '300']
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: results-volume
+ mountPath: /zap/results/
+ resources:
+ limits:
+ cpu: 100m
+ memory: 500Mi
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ volumes:
+ - name: results-volume
+ persistentVolumeClaim:
+ claimName: $PVC
+EOF
+
+kubectl apply -f $TMP_DIR/$RANDOM_NAME
+rm $TMP_DIR/$RANDOM_NAME
+kubectl -n rapidast-talm wait --for=condition=Ready pod/$RANDOM_NAME
+kubectl -n rapidast-talm cp $RANDOM_NAME:/zap/results $ARTIFACT_DIR
+
+# Function to search for 'session' file and zap-report.json recursively
+search_for_files() {
+ local dir="$1/talm"
+ local found_session=0
+ local found_zap_report=0
+
+ while IFS= read -r -d '' file; do
+ if [[ "$file" == *"session"* ]]; then
+ found_session=1
+ elif [[ "$file" == *"zap-report.json" ]]; then
+ found_zap_report=1
+ fi
+ done < <(find "$dir" -type f \( -name "session*" -o -name "zap-report.json" \) -print0)
+
+ if [[ "$found_session" -eq 0 || "$found_zap_report" -eq 0 ]]; then
+ echo "Either 'session' file or 'zap-report.json' files not found in subdirectories of $dir, failing..."
+ exit 1
+ fi
+}
+
+# Search for 'session' file and zap-report.json in subdirectories of $ARTIFACT_DIR
+search_for_files "$ARTIFACT_DIR"
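Review bot: `create_rapidast_configmap.sh` writes the output of `oc create token privileged-sa -n rapidast-talm` into the `rapidast-configmap` ConfigMap (per `02-assert.yaml`), i.e. a cluster-admin bearer token in a non-secret object; the heredoc and the rest of this script are garbled in this view, so only those two facts are certain. Use the pod's projected token at `/var/run/secrets/kubernetes.io/serviceaccount/token` instead, since the job already runs as `privileged-sa`, or mount the rapidast config from a Secret and pass `--duration` to `oc create token`; also add `set -euo pipefail` so a failed token request cannot yield a ConfigMap with an empty token.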
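Review bot: `results.sh` ignores the result of `kubectl -n rapidast-talm wait --for=condition=Ready pod/$RANDOM_NAME` (30s default timeout, image pulled with `imagePullPolicy: Always`), so `kubectl cp` may run against a pod that is not ready and the test only fails later with "files not found". Replace with `kubectl -n rapidast-talm wait --timeout=120s --for=condition=Ready pod/$RANDOM_NAME || exit 1` and `kubectl -n rapidast-talm cp $RANDOM_NAME:/zap/results "$ARTIFACT_DIR" || exit 1`. The head of the script, including any `set -e` and the definitions of `TMP_DIR` and `ARTIFACT_DIR`, is not visible in this view.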