rapidast scan execution as kuttl testsuite

medik8s · Dec 12, 2023 · 74a6c55 · 74a6c55
1 parent 7a1b271
commit 74a6c55
Show file tree

Hide file tree

Showing 13 changed files with 362 additions and 0 deletions.
diff --git a/e2e-rh-sdl/Dockerfile b/e2e-rh-sdl/Dockerfile
@@ -0,0 +1,33 @@
+FROM golang:1.20-bullseye
+
+# Copy the repository files
+COPY . /tmp/self-node-remediation-qe
+
+WORKDIR /tmp
+
+# Set the Go path and Go cache environment variables
+ENV GOPATH=/tmp/go
+ENV GOBIN=/tmp/go/bin
+ENV GOCACHE=/tmp/.cache/go-build
+ENV PATH=$PATH:$GOBIN
+
+# Create the /tmp/go/bin and build cache directories, and grant read and write permissions to all users
+RUN mkdir -p /tmp/go/bin $GOCACHE \
+    && chmod -R 777 /tmp/go/bin $GOPATH $GOCACHE
+
+# Install dependencies required by test cases and debugging
+RUN apt-get update && apt-get install -y jq vim libreadline-dev dnsutils iproute2 python
+
+# Install kuttl
+RUN curl -LO https://github.com/kudobuilder/kuttl/releases/download/v0.15.0/kubectl-kuttl_0.15.0_linux_x86_64 \
+    && chmod +x kubectl-kuttl_0.15.0_linux_x86_64 \
+    && mv kubectl-kuttl_0.15.0_linux_x86_64 /usr/local/bin/kuttl
+
+# Install kubectl and oc
+RUN curl -LO https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/openshift-client-linux.tar.gz \
+    && tar -xzf openshift-client-linux.tar.gz \
+    && chmod +x oc kubectl \
+    && mv oc kubectl /usr/local/bin/
+
+# Set the working directory
+WORKDIR /tmp/self-node-remediation-qe
diff --git a/e2e-rh-sdl/README.md b/e2e-rh-sdl/README.md
@@ -0,0 +1,23 @@
+# rapidast execution for self-node-remediation operator
+
+This test is running [rapidast](https://github.com/RedHatProductSecurity/rapidast) scan targeting the api extension that the self-node-remediation operator
+provides to the openshift api.
+
+The test steps ensure the generation of the needed token to retrieve the api extension urls, customize the
+rapidast config file, runs the scan in a docker instance and check for the results.
+
+Follow these step to run manually the scan inside the container:
+
+* Create the container image:
+
+`cd test/e2e-rh-sdl`
+
+`podman build . -t e2e-rh-sdl`
+
+* Run the container (adapt the kubeconfig file path to your environment):
+
+`podman run -it -v ~/clusterconfigs/auth/:/kube/config:Z --env KUBECONFIG=/kube/config/kubeconfig e2e-rh-sdl /bin/bash`
+
+* Launch the scan using kuttl utility:
+
+`ARTIFACT_DIR=/tmp KUBECONFIG=$KUBECONFIG kuttl test --timeout=300 --test=snr rapidast/`
diff --git a/e2e-rh-sdl/rapidast/snr/00-assert.yaml b/e2e-rh-sdl/rapidast/snr/00-assert.yaml
@@ -0,0 +1,15 @@
+apiVersion: project.openshift.io/v1
+kind: Project
+metadata:
+  labels:
+    kubernetes.io/metadata.name: rapidast-snr
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+  name: rapidast-snr
+spec:
+  finalizers:
+  - kubernetes
+status:
+  phase: Active
diff --git a/e2e-rh-sdl/rapidast/snr/00-create-project.yaml b/e2e-rh-sdl/rapidast/snr/00-create-project.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rapidast-snr
+  labels:
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+    pod-security.kubernetes.io/enforce: "privileged"
+    pod-security.kubernetes.io/audit: "privileged"
+    pod-security.kubernetes.io/warn: "privileged"
diff --git a/e2e-rh-sdl/rapidast/snr/01-assert.yaml b/e2e-rh-sdl/rapidast/snr/01-assert.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: privileged-sa
+  namespace: rapidast-snr
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-snr-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+- kind: ServiceAccount
+  name: privileged-sa
+  namespace: rapidast-snr
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-snr-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: privileged-sa
+  namespace: rapidast-snr
diff --git a/e2e-rh-sdl/rapidast/snr/01-create-sa.yaml b/e2e-rh-sdl/rapidast/snr/01-create-sa.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: privileged-sa
+  namespace: rapidast-snr
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-snr-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+- kind: ServiceAccount
+  name: privileged-sa
+  namespace: rapidast-snr
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-snr-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: privileged-sa
+  namespace: rapidast-snr
diff --git a/e2e-rh-sdl/rapidast/snr/02-assert.yaml b/e2e-rh-sdl/rapidast/snr/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rapidast-configmap
+  namespace: rapidast-snr
diff --git a/e2e-rh-sdl/rapidast/snr/02-create-rapidast-config.yaml b/e2e-rh-sdl/rapidast/snr/02-create-rapidast-config.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: ./create_rapidast_configmap.sh
diff --git a/e2e-rh-sdl/rapidast/snr/03-assert.yaml b/e2e-rh-sdl/rapidast/snr/03-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rapidast-job
+  namespace: rapidast-snr
+status:
+  succeeded: 1
diff --git a/e2e-rh-sdl/rapidast/snr/03-rapidast-job.yaml b/e2e-rh-sdl/rapidast/snr/03-rapidast-job.yaml
@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: rapidast-pvc
+  namespace: rapidast-snr
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeMode: Filesystem
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rapidast-job
+  namespace: rapidast-snr
+spec:
+  backoffLimit: 3
+  completionMode: NonIndexed
+  completions: 1
+  parallelism: 1
+  suspend: false
+  template:
+    metadata:
+      labels:
+        job-name: rapidast-job
+      name: rapidast-job
+    spec:
+      serviceAccount: privileged-sa
+      serviceAccountName: privileged-sa
+      containers:
+      - command:
+        - sh
+        - -c
+        - rapidast.py --log-level debug --config /helm/config/rapidastconfig.yaml && find /home/rapidast/results/snr -name zap-report.json -exec cat {} \;
+        image: quay.io/redhatproductsecurity/rapidast:latest
+        imagePullPolicy: Always
+        name: rapidast-chart
+        resources: {}
+        securityContext:
+          privileged: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /helm/config
+          name: config-volume
+        - mountPath: /home/rapidast/results/
+          name: results-volume
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 420
+          name: rapidast-configmap
+        name: config-volume
+      - name: results-volume
+        persistentVolumeClaim:
+          claimName: rapidast-pvc
diff --git a/e2e-rh-sdl/rapidast/snr/04-assert.yaml b/e2e-rh-sdl/rapidast/snr/04-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 180
+commands:
+- script: ./rapidast/snr/results.sh
diff --git a/e2e-rh-sdl/rapidast/snr/create_rapidast_configmap.sh b/e2e-rh-sdl/rapidast/snr/create_rapidast_configmap.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+NAMESPACE="rapidast-snr"
+API_CLUSTER=$(grep "server: https://" $KUBECONFIG | sed -r 's#.+?//##' | head -1)
+TOKEN=$(oc create token privileged-sa -n $NAMESPACE)
+API_CLUSTER_NAME=$(echo $API_CLUSTER | cut -d ':' -f 1)
+OAST_CALLBACK_PORT=$(python -c "import socket; s=socket.socket(); s.bind((\"\", 0)); print(s.getsockname()[1]); s.close()")
+OAST_CALLBACK_ADDRESS=$(ip -o route get `(dig +short $API_CLUSTER_NAME)` | awk '{ print $3 }')
+
+# Define the content for the ConfigMap
+configmap_content=$(cat <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rapidast-configmap
+  namespace: ${NAMESPACE}
+data:
+  rapidastconfig.yaml: |
+    config:
+      configVersion: 4
+
+    application:
+      shortName: "snr"
+      url: "https://${API_CLUSTER}"
+
+    general:
+      authentication:
+        type: "http_header"
+        parameters:
+          name: "Authorization"
+          value: "Bearer ${TOKEN}"
+      container:
+        type: "none"
+
+    scanners:
+      zap:
+        apiScan:
+          apis:
+            apiUrl: "https://$API_CLUSTER/openapi/v3/apis/self-node-remediation.medik8s.io/v1alpha1"
+        activeScan:
+          policy: "Operator-scan"
+        miscOptions:
+          enableUI: False
+          updateAddons: False
+          overrideConfigs:
+            - formhandler.fields.field(0).fieldId=namespace
+            - formhandler.fields.field(0).value=openshift-operators
+            - oast.callback.port=$OAST_CALLBACK_PORT
+            - oast.callback.remoteaddr=$OAST_CALLBACK_ADDRESS
+EOF
+)
+
+# Create the ConfigMap
+echo "$configmap_content" | oc -n ${NAMESPACE} create -f -
diff --git a/e2e-rh-sdl/rapidast/snr/results.sh b/e2e-rh-sdl/rapidast/snr/results.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+# Temp directory to store generated pod yaml
+TMP_DIR=/tmp
+
+# Where to store sync'd results -- defaults to current dir
+ARTIFACT_DIR=${ARTIFACT_DIR}
+
+# Name for rapiterm pod
+RANDOM_NAME=rapiterm-$RANDOM
+
+# Name of PVC in RapiDAST Resource, i.e. which PVC to mount to grab results
+PVC=rapidast-pvc
+
+IMAGE_REPOSITORY=quay.io/redhatproductsecurity/rapidast-term
+IMAGE_TAG=latest
+NAMESPACE=rapidast-snr
+
+cat <<EOF > $TMP_DIR/$RANDOM_NAME
+apiVersion: v1
+kind: Pod
+metadata:
+  name: $RANDOM_NAME
+  namespace: $NAMESPACE
+spec:
+  containers:
+    - name: terminal
+      image: '$IMAGE_REPOSITORY:$IMAGE_TAG'
+      command: ['sleep', '300']
+      imagePullPolicy: Always
+      volumeMounts:
+        - name: results-volume
+          mountPath: /zap/results/
+      resources:
+        limits:
+          cpu: 100m
+          memory: 500Mi
+        requests:
+          cpu: 50m
+          memory: 100Mi
+  volumes:
+    - name: results-volume
+      persistentVolumeClaim:
+        claimName: $PVC
+EOF
+
+kubectl apply -f $TMP_DIR/$RANDOM_NAME
+rm $TMP_DIR/$RANDOM_NAME
+kubectl -n $NAMESPACE wait --for=condition=Ready pod/$RANDOM_NAME
+kubectl -n $NAMESPACE cp $RANDOM_NAME:/zap/results $ARTIFACT_DIR
+
+# Function to search for 'session' file and zap-report.json recursively
+search_for_files() {
+  local dir="$1/snr"
+  local found_session=0
+  local found_zap_report=0
+
+  while IFS= read -r -d '' file; do
+    if [[ "$file" == *"session"* ]]; then
+      found_session=1
+    elif [[ "$file" == *"zap-report.json" ]]; then
+      found_zap_report=1
+    fi
+  done < <(find "$dir" -type f \( -name "session*" -o -name "zap-report.json" \) -print0)
+
+  if [[ "$found_session" -eq 0 || "$found_zap_report" -eq 0 ]]; then
+    echo "Either 'session' file or 'zap-report.json' files not found in subdirectories of $dir, failing..."
+    exit 1
+  fi
+}
+
+# Search for 'session' file and zap-report.json in subdirectories of $ARTIFACT_DIR
+search_for_files "$ARTIFACT_DIR"
+