update more operators for test

tests/dast/Dockerfile

@@ -17,6 +17,9 @@ RUN mkdir -p /tmp/go/bin $GOCACHE \
 
 # Install dependencies required by test cases and debugging
 RUN apt-get update && apt-get install -y jq vim libreadline-dev
+RUN apt-get -y install podman
+
+
 
 # Install Chainsaw e2e testing tool
 RUN go install github.com/kyverno/[email protected]

tests/dast/rapid-lca/oobt_test_data/cr_example.yaml

@@ -0,0 +1,8 @@
+apiVersion: operator.openshift.io/v1
+kind: RunOnceDurationOverride
+metadata:
+ name: cluster
+spec:
+ runOnceDurationOverride:
+ spec:
+ activeDeadlineSeconds: 3600

tests/dast/rapid-lca/oobt_test_data/v5-none-oobt-template.yaml

@@ -0,0 +1,10 @@
+config:
+ configVersion: 5
+
+# `application` contains data related to the application, not to the scans.
+application:
+ shortName: "oobttest"
+
+scanners:
+ generic_trivy:
+ inline: "trivy k8s --kubeconfig=/home/rapidast/.kube/config -n openshift-operator-lifecycle-manager pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json"

tests/dast/rapid-lca/test_oobt.py

@@ -0,0 +1,52 @@
+import os
+import subprocess
+import random
+
+import subprocess
+import re
+
+
+RAPIDAST_IMAGE = "quay.io/redhatproductsecurity/rapidast:2.5.0"
+def get_vpn_ip_address():
+ try:
+ ip_output = subprocess.check_output(['ip', 'addr']).decode('utf-8')
+ # Use regular expression to extract IP addresses
+ ip_addresses = re.findall(r'10.64.\d+\.\d+', ip_output)
+
+ # Currently return the first IP address
+ # TODO: fix if there are multiple IP addresses and it causes an issue
+
+ return ip_addresses[0]
+ except subprocess.CalledProcessError as e:
+ return f"Error: {e}"
+
+def test_oobt_basic():
+ # 1. place kubeconfig in the TEST_DATA_DIR directory
+
+ TEST_DATA_DIR = "oobt_test_data"
+ RAPIDAST_CFG_FILE = "v5-none-oobt-template.yaml"
+
+ port = random.randint(10000, 30000)
+ ipaddr = get_vpn_ip_address()
+
+ # create a rapidast config
+ sed_cmd = f"sed 's/-p <port> -i <ipaddr>/-p {port} -i {ipaddr}/' {TEST_DATA_DIR}/{RAPIDAST_CFG_FILE} > rapidast_runtime_cfg.yaml"
+ os.system(sed_cmd)
+
+ # prep for testing
+ os.system(f"chmod 666 {TEST_DATA_DIR}/kubeconfig")
+ if not os.path.exists("results"):
+ os.makedirs("results")
+ os.system("podman unshare chown 1000 results")
+
+ # Run the command and capture stdout
+ command = f"podman run -it --rm -v ./{TEST_DATA_DIR}/kubeconfig:/home/rapidast/.kube/config:Z -v ./results:/opt/rapidast/results:Z -v $PWD:/test:Z -p {port}:{port} {RAPIDAST_IMAGE} rapidast.py --config /test/rapidast_runtime_cfg.yaml"
+ print(command)
+
+ process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+ stdout, stderr = process.communicate()
+# print(stdout)
+ print("test completed. See the results directory")
+
+if __name__ == "__main__":
+ test_oobt_basic()

tests/dast/rapid-nrop/00-assert.yaml

@@ -0,0 +1,15 @@
+apiVersion: project.openshift.io/v1
+kind: Project
+metadata:
+ labels:
+ kubernetes.io/metadata.name: rapidast-nrop
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/warn: privileged
+ security.openshift.io/scc.podSecurityLabelSync: "false"
+ name: rapidast-nrop
+spec:
+ finalizers:
+ - kubernetes
+status:
+ phase: Active

tests/dast/rapid-nrop/00-create-project.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: rapidast-nrop
+ labels:
+ security.openshift.io/scc.podSecurityLabelSync: "false"
+ pod-security.kubernetes.io/enforce: "privileged"
+ pod-security.kubernetes.io/audit: "privileged"
+ pod-security.kubernetes.io/warn: "privileged"

tests/dast/rapid-nrop/01-assert.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: privileged-sa
+ namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-nrop-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-nrop-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-nrop

tests/dast/rapid-nrop/01-create-sa.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: privileged-sa
+ namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-nrop-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:privileged
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-nrop
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rapidast-nrop-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: privileged-sa
+ namespace: rapidast-nrop

tests/dast/rapid-nrop/02-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: rapidast-configmap
+ namespace: rapidast-nrop

tests/dast/rapid-nrop/02-create-rapidast-config.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: ./create_rapidast_configmap.sh

tests/dast/rapid-nrop/03-assert.yaml

@@ -0,0 +1,7 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rapidast-job
+ namespace: rapidast-nrop
+status:
+ succeeded: 1

tests/dast/rapid-nrop/03-rapidast-job.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: rapidast-pvc
+ namespace: rapidast-nrop
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ volumeMode: Filesystem
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rapidast-job
+ namespace: rapidast-nrop
+spec:
+ backoffLimit: 3
+ completionMode: NonIndexed
+ completions: 1
+ parallelism: 1
+ suspend: false
+ template:
+ metadata:
+ labels:
+ job-name: rapidast-job
+ name: rapidast-job
+ spec:
+ serviceAccount: privileged-sa
+ serviceAccountName: privileged-sa
+ containers:
+ - command:
+ - sh
+ - -c
+ - rapidast.py --log-level debug --config
+ /helm/config/rapidastconfig.yaml && find /opt/rapidast/results/nrop
+ -name zap-report.json -exec cat {} \;
+ image: quay.io/redhatproductsecurity/rapidast:latest
+ imagePullPolicy: Always
+ name: rapidast-chart
+ resources: {}
+ securityContext:
+ privileged: true
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /helm/config
+ name: config-volume
+ - mountPath: /opt/rapidast/results/
+ name: results-volume
+ dnsPolicy: ClusterFirst
+ restartPolicy: Never
+ schedulerName: default-scheduler
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: rapidast-configmap
+ name: config-volume
+ - name: results-volume
+ persistentVolumeClaim: null
+ claimName: rapidast-pvc

tests/dast/rapid-nrop/04-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 180
+commands:
+ - script: ./tests/e2e-rh-sdl/rapidast-nrop/results.sh

tests/dast/rapid-nrop/chainsaw-test.yaml

@@ -0,0 +1,56 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: rapidast-nrop
+spec:
+ steps:
+ - name: step-00
+ try:
+ - apply:
+ file: 00-create-project.yaml
+ - assert:
+ file: 00-assert.yaml
+ - name: step-01
+ try:
+ - apply:
+ file: 01-create-sa.yaml
+ - assert:
+ file: 01-assert.yaml
+ - name: step-02
+ try:
+ - script:
+ timeout: 30s
+ content: ./create_rapidast_configmap.sh
+ - assert:
+ file: 02-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: 03-rapidast-job.yaml
+ - assert:
+ file: 03-assert.yaml
+ - name: step-04
+ try:
+ - script:
+ timeout: 6m
+ content: ./results.sh
+ finally:
+ - command:
+ timeout: 1m
+ entrypoint: oc
+ args:
+ - -n
+ - rapidast-nrop
+ - delete
+ - pod
+ - rapiterm-nrop
+ - command:
+ timeout: 1m
+ entrypoint: oc
+ args:
+ - -n
+ - rapidast-nrop
+ - delete
+ - pod
+ - --selector=batch.kubernetes.io/job-name=rapidast-job

tests/dast/rapid-nrop/create_rapidast_configmap.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+nrop_token=$(oc create token privileged-sa -n rapidast-nrop)
+
+# Define the content for the ConfigMap
+configmap_content=$(cat <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: rapidast-configmap
+ namespace: rapidast-nrop
+data:
+ rapidastconfig.yaml: |
+ config:
+ configVersion: 4
+
+ application:
+ shortName: "nrop"
+ url: "https://kubernetes.default.svc"
+
+ general:
+ authentication:
+ type: "http_header"
+ parameters:
+ name: "Authorization"
+ value: "Bearer ${nrop_token}"
+ container:
+ type: "none"
+
+ scanners:
+ zap:
+ apiScan:
+ apis:
+ apiUrl: "https://kubernetes.default.svc/openapi/v3/apis/nrop.openshift.io/v1alpha1"
+ passiveScan:
+ disabledRules: "2,10015,10027,10096,10024,10054"
+ activeScan:
+ policy: "Operator-scan"
+ miscOptions:
+ enableUI: False
+ updateAddons: False
+EOF
+)
+
+# Create the ConfigMap
+echo "$configmap_content" | oc -n rapidast-nrop create -f -
+