update more operators for test

tests/dast/Dockerfile

@@ -17,6 +17,7 @@ RUN mkdir -p /tmp/go/bin $GOCACHE \
 
 # Install dependencies required by test cases and debugging
 RUN apt-get update && apt-get install -y jq vim libreadline-dev
+RUN apt-get -y install podman
 
 # Install Chainsaw e2e testing tool
 RUN go install github.com/kyverno/chainsaw@v0.2.0

tests/dast/rapid-lca/oobt_test_data/cr_example.yaml

@@ -0,0 +1,8 @@
+apiVersion: operator.openshift.io/v1
+kind: RunOnceDurationOverride
+metadata:
+  name: cluster
+spec:
+  runOnceDurationOverride:
+    spec:
+      activeDeadlineSeconds: 3600

tests/dast/rapid-lca/oobt_test_data/v5-none-oobt-template.yaml

@@ -0,0 +1,12 @@
+config:
+  configVersion: 5
+
+# `application` contains data related to the application, not to the scans.
+application:
+  shortName: "oobttest"
+
+scanners:
+  generic_trivy:
+    inline: >
+         "trivy k8s --kubeconfig=/home/rapidast/.kube/config -n openshift-operator-lifecycle-manager
+         pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json"

tests/dast/rapid-lca/results.sh

@@ -11,9 +11,7 @@ RANDOM_NAME=rapiterm-lca
 
 # Name of PVC in RapiDAST Resource, i.e. which PVC to mount to grab results
 PVC=rapidast-pvc
-
 IMAGE_REPOSITORY=quay.io/redhatproductsecurity/rapidast-term
-
 IMAGE_TAG=latest
 
 cat <<EOF > $TMP_DIR/$RANDOM_NAME

tests/dast/rapid-lca/test_oobt.py

@@ -0,0 +1,52 @@
+import os
+import subprocess
+import random
+
+import subprocess
+import re
+
+
+RAPIDAST_IMAGE = "quay.io/redhatproductsecurity/rapidast:2.5.0"
+def get_vpn_ip_address():
+    try:
+        ip_output = subprocess.check_output(['ip', 'addr']).decode('utf-8')
+        # Use regular expression to extract IP addresses
+        ip_addresses = re.findall(r'10.64.\d+\.\d+', ip_output)
+
+		# Currently return the first IP address
+		# TODO: fix if there are multiple IP addresses and it causes an issue
+
+        return ip_addresses[0]
+    except subprocess.CalledProcessError as e:
+        return f"Error: {e}"
+
+def test_oobt_basic():
+    # 1. place kubeconfig in the TEST_DATA_DIR directory
+
+    TEST_DATA_DIR = "oobt_test_data"
+    RAPIDAST_CFG_FILE = "v5-none-oobt-template.yaml"
+
+    port = random.randint(10000, 30000)
+    ipaddr = get_vpn_ip_address()
+
+    # create a rapidast config
+    sed_cmd = f"sed 's/-p <port> -i <ipaddr>/-p {port} -i {ipaddr}/' {TEST_DATA_DIR}/{RAPIDAST_CFG_FILE} > rapidast_runtime_cfg.yaml"
+    os.system(sed_cmd)
+
+    # prep for testing
+    os.system(f"chmod 666 {TEST_DATA_DIR}/kubeconfig")
+    if not os.path.exists("results"):
+        os.makedirs("results")
+        os.system("podman unshare chown 1000 results")
+
+    # Run the command and capture stdout
+    command = f"podman run -it --rm -v ./{TEST_DATA_DIR}/kubeconfig:/home/rapidast/.kube/config:Z -v ./results:/opt/rapidast/results:Z -v $PWD:/test:Z -p {port}:{port} {RAPIDAST_IMAGE} rapidast.py --config /test/rapidast_runtime_cfg.yaml"
+    print(command)
+
+    process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+    stdout, stderr = process.communicate()
+#    print(stdout)
+    print("test completed. See the results directory")
+
+if __name__ == "__main__":
+    test_oobt_basic()

tests/dast/rapid-nrop/00-assert.yaml

@@ -0,0 +1,15 @@
+apiVersion: project.openshift.io/v1
+kind: Project
+metadata:
+  labels:
+    kubernetes.io/metadata.name: rapidast-nrop
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+  name: rapidast-nrop
+spec:
+  finalizers:
+    - kubernetes
+status:
+  phase: Active

tests/dast/rapid-nrop/00-create-project.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rapidast-nrop
+  labels:
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+    pod-security.kubernetes.io/enforce: "privileged"
+    pod-security.kubernetes.io/audit: "privileged"
+    pod-security.kubernetes.io/warn: "privileged"

tests/dast/rapid-nrop/01-assert.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: privileged-sa
+  namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-nrop-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-nrop-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-nrop

tests/dast/rapid-nrop/01-create-sa.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: privileged-sa
+  namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-nrop-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-nrop-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-nrop

tests/dast/rapid-nrop/02-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rapidast-configmap
+  namespace: rapidast-nrop

tests/dast/rapid-nrop/02-create-rapidast-config.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: ./create_rapidast_configmap.sh

tests/dast/rapid-nrop/03-assert.yaml

@@ -0,0 +1,7 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rapidast-job
+  namespace: rapidast-nrop
+status:
+  succeeded: 1

tests/dast/rapid-nrop/03-rapidast-job.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: rapidast-pvc
+  namespace: rapidast-nrop
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeMode: Filesystem
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rapidast-job
+  namespace: rapidast-nrop
+spec:
+  backoffLimit: 3
+  completionMode: NonIndexed
+  completions: 1
+  parallelism: 1
+  suspend: false
+  template:
+    metadata:
+      labels:
+        job-name: rapidast-job
+      name: rapidast-job
+    spec:
+      serviceAccount: privileged-sa
+      serviceAccountName: privileged-sa
+      containers:
+        - command:
+            - sh
+            - -c
+            - rapidast.py --log-level debug --config
+              /helm/config/rapidastconfig.yaml && find /opt/rapidast/results/nrop
+              -name zap-report.json -exec cat {} \;
+          image: quay.io/redhatproductsecurity/rapidast:latest
+          imagePullPolicy: Always
+          name: rapidast-chart
+          resources: {}
+          securityContext:
+            privileged: true
+            terminationMessagePath: /dev/termination-log
+            terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /helm/config
+              name: config-volume
+            - mountPath: /opt/rapidast/results/
+              name: results-volume
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - configMap:
+            defaultMode: 420
+            name: rapidast-configmap
+          name: config-volume
+        - name: results-volume
+          persistentVolumeClaim: null
+          claimName: rapidast-pvc

tests/dast/rapid-nrop/04-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 180
+commands:
+ - script: ./tests/e2e-rh-sdl/rapidast-nrop/results.sh

tests/dast/rapid-nrop/chainsaw-test.yaml

@@ -0,0 +1,56 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: rapidast-nrop
+spec:
+  steps:
+    - name: step-00
+      try:
+    - apply:
+        file: 00-create-project.yaml
+    - assert:
+        file: 00-assert.yaml
+    - name: step-01
+      try:
+    - apply:
+        file: 01-create-sa.yaml
+    - assert:
+        file: 01-assert.yaml
+    - name: step-02
+      try:
+    - script:
+        timeout: 30s
+        content: ./create_rapidast_configmap.sh
+    - assert:
+        file: 02-assert.yaml
+    - name: step-03
+      try:
+    - apply:
+        file: 03-rapidast-job.yaml
+    - assert:
+        file: 03-assert.yaml
+    - name: step-04
+      try:
+    - script:
+        timeout: 6m
+        content: ./results.sh
+      finally:
+        - command:
+          timeout: 1m
+          entrypoint: oc
+          args:
+            - -n
+            - rapidast-nrop
+            - delete
+            - pod
+            - rapiterm-nrop
+        - command:
+          timeout: 1m
+          entrypoint: oc
+          args:
+            - -n
+            - rapidast-nrop
+            - delete
+            - pod
+            - --selector=batch.kubernetes.io/job-name=rapidast-job

tests/dast/rapid-nrop/create_rapidast_configmap.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+nrop_token=$(oc create token privileged-sa -n rapidast-nrop)
+
+# Define the content for the ConfigMap
+configmap_content=$(cat <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rapidast-configmap
+  namespace: rapidast-nrop
+data:
+  rapidastconfig.yaml: |
+    config:
+      configVersion: 4
+
+    application:
+      shortName: "nrop"
+      url: "https://kubernetes.default.svc"
+
+    general:
+      authentication:
+        type: "http_header"
+        parameters:
+          name: "Authorization"
+          value: "Bearer ${nrop_token}"
+      container:
+        type: "none"
+
+    scanners:
+      zap:
+        apiScan:
+          apis:
+            apiUrl: "https://kubernetes.default.svc/openapi/v3/apis/nrop.openshift.io/v1alpha1"
+        passiveScan:
+          disabledRules: "2,10015,10027,10096,10024,10054"
+        activeScan:
+          policy: "Operator-scan"
+        miscOptions:
+          enableUI: False
+          updateAddons: False
+EOF
+)
+
+# Create the ConfigMap
+echo "$configmap_content" | oc -n rapidast-nrop create -f -
+