diff --git a/images/rhwa/dast/Dockerfile b/images/rhwa/dast/Dockerfile
index 0141ec353..8022b7663 100644
--- a/images/rhwa/dast/Dockerfile
+++ b/images/rhwa/dast/Dockerfile
@@ -1,7 +1,6 @@
 # Use the official RAPIDast image as the base
 FROM quay.io/redhatproductsecurity/rapidast:2.8.0
-
 # Set working directory to the RAPIDast installation
 WORKDIR /opt/rapidast
diff --git a/tests/rhwa/far-operator/tests/dast.go b/tests/rhwa/far-operator/tests/dast.go
new file mode 100644
index 000000000..d5e9eee5d
--- /dev/null
+++ b/tests/rhwa/far-operator/tests/dast.go
@@ -0,0 +1,61 @@
+package tests
+
+import (
+ "encoding/json"
+ "fmt"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+
+ "github.com/openshift-kni/eco-goinfra/pkg/deployment"
+ "github.com/openshift-kni/eco-goinfra/pkg/reportxml"
+
+ "github.com/openshift-kni/eco-gotests/tests/rhwa/far-operator/internal/farparams"
+ . "github.com/openshift-kni/eco-gotests/tests/rhwa/internal/rapidast"
+ . "github.com/openshift-kni/eco-gotests/tests/rhwa/internal/rhwainittools"
+ "github.com/openshift-kni/eco-gotests/tests/rhwa/internal/rhwaparams"
+)
+
+var _ = Describe(
+ "FAR Post Deployment tests",
+ Ordered,
+ ContinueOnFailure,
+ Label(farparams.Label), Label("dast"), func() {
+ BeforeAll(func() {
+ By("Get FAR deployment object")
+ farDeployment, err := deployment.Pull(
+ APIClient, farparams.OperatorDeploymentName, rhwaparams.RhwaOperatorNs)
+ Expect(err).ToNot(HaveOccurred(), "Failed to get FAR deployment")
+
+ By("Verify FAR deployment is Ready")
+ Expect(farDeployment.IsReady(rhwaparams.DefaultTimeout)).To(BeTrue(), "FAR deployment is not Ready")
+ })
+
+ It("Verify FAR Operator passes trivy scan without vulnerabilities", reportxml.ID("76877"), func() {
+
+ By("Creating rapidast pod")
+ dastTestPod := PrepareRapidastPod(APIClient)
+
+ output, err := RunRapidastScan(*dastTestPod, rhwaparams.RhwaOperatorNs)
+ Expect(err).ToNot(HaveOccurred())
+
+ By("Checking vulnerability scan results")
+ var parsableStruct DASTReport
+ err = json.Unmarshal(output.Bytes(), &parsableStruct)
+ Expect(err).ToNot(HaveOccurred())
+
+ var vulnerabilityFound = false
+ for _, resource := range parsableStruct.Resources {
+ for _, result := range resource.Results {
+ if result.MisconfSummary.Failures > 0 {
+ fmt.Printf("%d vulnerability(s) found in %s\n", result.MisconfSummary.Failures, resource.Name)
+ for _, misconfiguration := range result.Misconfigurations {
+ fmt.Printf("- %+v\n", misconfiguration)
+ }
+ vulnerabilityFound = true
+ }
+ }
+ }
+ Expect(vulnerabilityFound).NotTo(BeTrue(), "Found vulnerability(s)")
+ })
+ })
diff --git a/tests/rhwa/far-operator/tests/far.go b/tests/rhwa/far-operator/tests/far.go
index cf4246ea5..daddb1491 100644
--- a/tests/rhwa/far-operator/tests/far.go
+++ b/tests/rhwa/far-operator/tests/far.go
@@ -1,7 +1,6 @@
 package tests
 import (
- "encoding/json"
 "fmt"
 . "github.com/onsi/ginkgo/v2"
@@ -12,7 +11,6 @@ import (
 "github.com/openshift-kni/eco-goinfra/pkg/reportxml"
 "github.com/openshift-kni/eco-gotests/tests/rhwa/far-operator/internal/farparams"
- . "github.com/openshift-kni/eco-gotests/tests/rhwa/internal/rapidast"
 . "github.com/openshift-kni/eco-gotests/tests/rhwa/internal/rhwainittools"
 "github.com/openshift-kni/eco-gotests/tests/rhwa/internal/rhwaparams"
@@ -46,32 +44,4 @@ var _ = Describe(
 )
 Expect(err).ToNot(HaveOccurred(), "Pod is not ready")
 })
-
- It("Verify FAR Operator passes trivy scan without vulnerabilities", reportxml.ID("76877"), func() {
-
- By("Creating rapidast pod")
- dastTestPod := PrepareRapidastPod(APIClient)
-
- By("Running vulnerability scan")
- command := []string{"bash", "-c",
- fmt.Sprintf("NAMESPACE=%s rapidast.py --config ./config/rapidastConfig.yaml 2> /dev/null", rhwaparams.RhwaOperatorNs)}
- output, err := dastTestPod.ExecCommand(command)
- Expect(err).ToNot(HaveOccurred(), "Command failed")
-
- By("Checking vulnerability scan results")
- var parsableStruct DASTReport
- err = json.Unmarshal(output.Bytes(), &parsableStruct)
- Expect(err).ToNot(HaveOccurred())
-
- var vulnerability_found bool = false
- for _, resource := range parsableStruct.Resources {
- for _, result := range resource.Results {
- if result.MisconfSummary.Failures > 0 {
- fmt.Printf("%d vulnerability(s) found in %s\n", result.MisconfSummary.Failures, resource.Name)
- vulnerability_found = true
- }
- }
- }
- Expect(vulnerability_found).NotTo(BeTrue(), "Found vulnerability(s)")
- })
 })
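Review bot: In tests/rhwa/far-operator/tests/dast.go the final `Expect(vulnerabilityFound).NotTo(BeTrue(), "Found vulnerability(s)")` also passes when the parsed report holds no resources at all, so a scan that examined nothing is recorded as a clean result. RunRapidastScan discards the scanner's stderr, so a partial or failed run could plausibly produce exactly such a report; adding `Expect(parsableStruct.Resources).NotTo(BeEmpty(), "rapidast report contains no scanned resources")` right after the unmarshal makes the test fail closed. The `*dastTestPod` dereference is unguarded as well: PrepareRapidastPod appears to log errors and return rather than fail (most of its body is outside this diff), so `Expect(dastTestPod).NotTo(BeNil(), "rapidast pod was not created")` before the call is worth having. The loop only counts `MisconfSummary.Failures`, so the "without vulnerabilities" wording in the test name and messages states more than is asserted.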
diff --git a/tests/rhwa/internal/rapidast/dastreport.go b/tests/rhwa/internal/rapidast/dastreport.go
index 567f90695..ffef63449 100644
--- a/tests/rhwa/internal/rapidast/dastreport.go
+++ b/tests/rhwa/internal/rapidast/dastreport.go
@@ -1,5 +1,6 @@
 package rapidast
+// DASTReport struct that receives the results of the rapidast scan.
 type DASTReport struct {
 ClusterName string
 Resources []struct {
diff --git a/tests/rhwa/internal/rapidast/rapidast.go b/tests/rhwa/internal/rapidast/rapidast.go
index 147303b6a..310702b37 100644
--- a/tests/rhwa/internal/rapidast/rapidast.go
+++ b/tests/rhwa/internal/rapidast/rapidast.go
@@ -1,6 +1,8 @@
 package rapidast
 import (
+ "bytes"
+ "fmt"
 "time"
 "github.com/golang/glog"
@@ -19,6 +21,7 @@ const (
 logLevel = rhwaparams.LogLevel
 )
+// PrepareRapidastPod initializes the pod in the cluster that allows to run rapidast.
 func PrepareRapidastPod(apiClient *clients.Settings) *pod.Builder {
 nodes, err := nodes.List(apiClient)
 if err != nil {
@@ -65,11 +68,6 @@ func PrepareRapidastPod(apiClient *clients.Settings) *pod.Builder { DefineOnNode(nodes[0].Object.Name). WithTolerationToMaster(). WithPrivilegedFlag() - if err != nil { - glog.V(logLevel).Infof( - "Error in rapidast client pod definition %s", err.Error()) - } - dastTestPod.Definition.Spec.ServiceAccountName = "trivy-service-account" _, err = dastTestPod.CreateAndWaitUntilRunning(time.Minute)
@@ -79,5 +77,12 @@ func PrepareRapidastPod(apiClient *clients.Settings) *pod.Builder {
 }
 return dastTestPod
+}
+
+// RunRapidastScan executes the rapidast scan configured in the container.
+func RunRapidastScan(dastTestPod pod.Builder, namespace string) (bytes.Buffer, error) {
+ command := []string{"bash", "-c",
+ fmt.Sprintf("NAMESPACE=%s rapidast.py --config ./config/rapidastConfig.yaml 2> /dev/null", namespace)}
+ return dastTestPod.ExecCommand(command)
 }
diff --git a/tests/rhwa/internal/rhwaparams/const.go b/tests/rhwa/internal/rhwaparams/const.go
index 0cb3d324c..122edc3b3 100644
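Review bot: RunRapidastScan in tests/rhwa/internal/rapidast/rapidast.go formats `namespace` directly into the string handed to `bash -c`, so any shell metacharacter in that argument becomes part of the command executed in a pod that PrepareRapidastPod builds with `WithPrivilegedFlag()`. The only caller in this commit passes the constant `rhwaparams.RhwaOperatorNs`, but the helper is now exported with a free-form string parameter; passing the value as a positional argument keeps it out of the parsed script: `command := []string{"bash", "-c", "NAMESPACE=\"$1\" rapidast.py --config ./config/rapidastConfig.yaml 2> /dev/null", "bash", namespace}` (the newly added `"fmt"` import is then likely unused and should go). Taking `pod.Builder` by value copies the builder on each call, whereas a `*pod.Builder` parameter would match what PrepareRapidastPod returns and remove the dereference at the call site. The `2> /dev/null` redirect also hides scanner diagnostics, which makes a failed scan hard to distinguish from a clean one.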
--- a/tests/rhwa/internal/rhwaparams/const.go
+++ b/tests/rhwa/internal/rhwaparams/const.go
@@ -11,10 +11,10 @@ const (
 RhwaOperatorNs = "openshift-workload-availability"
 // DefaultTimeout represents the default timeout.
 DefaultTimeout = 300 * time.Second
- // TestNamespaceName namespace where all dast test cases are performed
+ // TestNamespaceName namespace where all dast test cases are performed.
 TestNamespaceName = "dast-tests"
-
+ // LogLevel for the supporting functions.
 LogLevel = 90
-
+ // TestContainerDast specifies the container image to use for rapidast tests.
 TestContainerDast = "quay.io/frmoreno/eco-dast:latest"
 )
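Review bot: The comment added for `TestContainerDast` documents the image but leaves its value as a mutable `:latest` tag, so each run can pull different content into a pod that rapidast.go in this same commit creates with `WithPrivilegedFlag()`. Pinning by digest makes the scanner image reproducible and reviewable, for example `TestContainerDast = "quay.io/frmoreno/eco-dast@sha256:<digest-of-reviewed-image>"`, where the placeholder is the digest of the image actually built from images/rhwa/dast/Dockerfile. The constant is a context line in this hunk, so this is a follow-up rather than a defect the change introduces. The repository path also looks like a personal registry namespace, and moving the image to a team-owned one would be worth considering.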