Split test into more smaller tests (#56)

Sanity/DAST_test/main.fmf

@@ -0,0 +1,28 @@
+summary: DAST test for the tang operator
+description: ''
+contact: Patrik Koncity <[email protected]>
+component:
+  - tang
+test: ./runtest.sh
+recommend:
+  - tang
+  - helm
+require+:
+  - git
+  - wget
+  - jq
+duration: 5m
+enabled: true
+tag:
+  - NoRHEL6
+  - NoRHEL7
+  - NoRHEL8
+  - Tier3
+tier: '3'
+adjust:
+  - enabled: false
+    when: distro < rhel-9
+    continue: false
+  - enabled: false
+    when: distro == rhel-alt-7
+    continue: false

Sanity/DAST_test/runtest.sh

@@ -0,0 +1,138 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/tang-operator/Sanity
+#   Description: Basic functionality tests of the tang operator
+#   Author: Martin Zeleny <[email protected]>
+#   Author: Sergio Arroutbi <[email protected]>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2021 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun ". ../../TestHelpers/functions.sh" || rlDie "cannot import function script"
+        if ! command -v helm &> /dev/null; then
+            ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n "$(uname -m)" ;; esac)
+            OS=$(uname | awk '{print tolower($0)}')
+            #download latest helm
+            LATEST_RELEASE_TAG=$(curl -s https://api.github.com/repos/helm/helm/releases/latest | jq -r '.tag_name')
+            RELEASE_URL="https://get.helm.sh/helm-${LATEST_RELEASE_TAG}-${OS}-${ARCH}.tar.gz"
+            TAR_FILE="helm-${LATEST_RELEASE_TAG}-${OS}-${ARCH}.tar.gz"
+            rlRun "curl -LO $RELEASE_URL"
+            rlRun "tar -xzf $TAR_FILE"
+            rlRun "mv ${OS}-${ARCH}/helm /usr/local/bin/helm"
+        fi
+    rlPhaseEnd
+
+    ############# DAST TESTS ##############
+    rlPhaseStartTest "Dynamic Application Security Testing"
+        # 1 - Log helm version
+        dumpVerbose "$(helm version)"
+
+        # 2 - clone rapidast code (development branch)
+        tmpdir=$(mktemp -d)
+        pushd "${tmpdir}" && git clone https://github.com/RedHatProductSecurity/rapidast.git -b development || exit
+
+        # 3 - download configuration file template
+        # WARNING: if tang-operator is changed to OpenShift organization, change this
+        rlRun "wget -O tang_operator.yaml https://raw.githubusercontent.com/latchset/tang-operator/main/tools/scan_tools/tang_operator_template.yaml"
+
+        # 4 - adapt configuration file template (token, machine)
+        if [ "${EXECUTION_MODE}" == "MINIKUBE" ];
+        then
+            API_HOST_PORT=$(minikube ip)
+            DEFAULT_TOKEN="TEST_TOKEN_UNREQUIRED_IN_MINIKUBE"
+        else
+            API_HOST_PORT=$("${OC_CLIENT}" whoami --show-server | tr -d  ' ')
+            DEFAULT_TOKEN=$("${OC_CLIENT}" get secret -n "${OPERATOR_NAMESPACE}" "$("${OC_CLIENT}" get secret -n "${OPERATOR_NAMESPACE}"\
+                            | grep ^tang-operator | grep service-account | awk '{print $1}')" -o json | jq -Mr '.data.token' | base64 -d)
+        fi
+        sed -i s@API_HOST_PORT_HERE@"${API_HOST_PORT}"@g tang_operator.yaml
+        sed -i s@AUTH_TOKEN_HERE@"${DEFAULT_TOKEN}"@g tang_operator.yaml
+        sed -i s@OPERATOR_NAMESPACE_HERE@"${OPERATOR_NAMESPACE}"@g tang_operator.yaml
+        dumpVerbose "API_HOST_PORT:[${API_HOST_PORT}]"
+        dumpVerbose "DEFAULT_TOKEN:[${DEFAULT_TOKEN}]"
+        dumpVerbose "OPERATOR_NAMESPACE provided to DAST:[${OPERATOR_NAMESPACE}]"
+        rlAssertNotEquals "Checking token not empty" "${DEFAULT_TOKEN}" ""
+
+        # 5 - adapt helm
+        pushd rapidast || exit
+        sed -i s@"kubectl --kubeconfig=./kubeconfig "@"${OC_CLIENT} "@g helm/results.sh
+        sed -i s@"secContext: '{}'"@"secContext: '{\"privileged\": true}'"@ helm/chart/values.yaml
+        sed -i s@'tag: "latest"'@'tag: "2.3.0-rc1"'@g helm/chart/values.yaml
+
+        # 6 - run rapidast on adapted configuration file (via helm)
+        rlRun -c "helm install rapidast ./helm/chart/ --set-file rapidastConfig=${tmpdir}/tang_operator.yaml 2>/dev/null" 0 "Installing rapidast helm chart"
+        pod_name=$(getPodNameWithPrefix "rapidast" "default" 5 1)
+        rlRun "checkPodState Completed ${TO_DAST_POD_COMPLETED} default ${pod_name}" 0 "Checking POD ${pod_name} in Completed state [Timeout=${TO_DAST_POD_COMPLETED} secs.]"
+
+        # 7 - extract results
+        rlRun -c "bash ./helm/results.sh 2>/dev/null" 0 "Extracting DAST results"
+
+        # 8 - parse results (do not have to ensure no previous results exist, as this is a temporary directory)
+        # Check no alarm exist ...
+        report_dir=$(ls -1d "${tmpdir}"/rapidast/tangservers/DAST*tangservers/ | head -1 | sed -e 's@/$@@g')
+        dumpVerbose "REPORT DIR:${report_dir}"
+
+        rlAssertNotEquals "Checking report_dir not empty" "${report_dir}" ""
+
+        report_file="${report_dir}/zap/zap-report.json"
+        dumpVerbose "REPORT FILE:${report_file}"
+
+        if [ -n "${report_dir}" ] && [ -f "${report_file}" ];
+        then
+            alerts=$(jq '.site[0].alerts | length' < "${report_dir}/zap/zap-report.json" )
+            dumpVerbose "Alerts:${alerts}"
+            for ((alert=0; alert<alerts; alert++));
+            do
+                risk_desc=$(jq ".site[0].alerts[${alert}].riskdesc" < "${report_dir}/zap/zap-report.json" | awk '{print $1}' | tr -d '"' | tr -d " ")
+                rlLog "Alert[${alert}] -> Priority:[${risk_desc}]"
+                rlAssertNotEquals "Checking alarm is not High Risk" "${risk_desc}" "High"
+            done
+            if [ "${alerts}" != "0" ];
+            then
+                DELETE_TMP_DIR="NO"
+                rlLogWarning "A total of [${alerts}] alerts were detected! Please, review ZAP report: ${report_dir}/zap/zap-report.json"
+            else
+                rlLog "No alerts detected"
+            fi
+        else
+            rlLogWarning "Report file:${report_dir}/zap/zap-report.json does not exist"
+            ### Keep tmp dir for investigation on what could go wrong
+            DELETE_TMP_DIR="NO"
+        fi
+
+        # 9 - clean helm installation
+        helm uninstall rapidast
+
+        # 10 - return
+        popd || exit
+        popd || exit
+
+    rlPhaseEnd
+    ############# /DAST TESTS #############
+
+rlJournalPrintText
+rlJournalEnd

Sanity/configuration_test/main.fmf

@@ -0,0 +1,23 @@
+summary: Configuration test of tang operator
+description: ''
+contact: Patrik Koncity <[email protected]>
+component:
+  - tang
+test: ./runtest.sh
+recommend:
+  - tang
+duration: 5m
+enabled: true
+tag:
+  - NoRHEL6
+  - NoRHEL7
+  - NoRHEL8
+  - Tier3
+tier: '3'
+adjust:
+  - enabled: false
+    when: distro < rhel-9
+    continue: false
+  - enabled: false
+    when: distro == rhel-alt-7
+    continue: false

Sanity/configuration_test/runtest.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/tang-operator/Sanity
+#   Description: Basic functionality tests of the tang operator
+#   Author: Martin Zeleny <[email protected]>
+#   Author: Sergio Arroutbi <[email protected]>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2021 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+    ########## CONFIGURATION TESTS #########
+    rlPhaseStartTest "Minimal Configuration"
+        rlRun ". ../../TestHelpers/functions.sh" || rlDie "cannot import function script"
+        rlRun "${OC_CLIENT} apply -f ${FUNCTION_DIR}/reg_test/conf_test/minimal/" 0 "Creating minimal configuration"
+        rlRun "checkPodAmount 1 ${TO_POD_START} ${TEST_NAMESPACE}" 0 "Checking 1 POD is started [Timeout=${TO_POD_START} secs.]"
+        rlRun "checkServiceAmount 1 ${TO_SERVICE_START} ${TEST_NAMESPACE}" 0 "Checking 1 Service is started [Timeout=${TO_SERVICE_START} secs.]"
+        pod_name=$(getPodNameWithPrefix "tang" "${TEST_NAMESPACE}" 5)
+        rlAssertNotEquals "Checking pod name not empty" "${pod_name}" ""
+        rlRun "checkPodState Running ${TO_POD_START} ${TEST_NAMESPACE} ${pod_name}" 0 "Checking POD in Running state [Timeout=${TO_POD_START} secs.]"
+        rlRun "${OC_CLIENT} delete -f ${FUNCTION_DIR}/reg_test/conf_test/minimal/" 0 "Deleting minimal configuration"
+        rlRun "checkPodAmount 0 ${TO_POD_STOP} ${TEST_NAMESPACE}" 0 "Checking no POD continues running [Timeout=${TO_POD_STOP} secs.]"
+        rlRun "checkServiceAmount 0 ${TO_SERVICE_STOP} ${TEST_NAMESPACE}" 0 "Checking no Services continue running [Timeout=${TO_SERVICE_STOP} secs.]"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Main Configuration"
+        rlRun "${OC_CLIENT} apply -f ${FUNCTION_DIR}/reg_test/conf_test/main/" 0 "Creating main configuration"
+        rlRun "checkPodAmount 3 ${TO_POD_START} ${TEST_NAMESPACE}" 0 "Checking 3 PODs are started [Timeout=${TO_POD_START} secs.]"
+        rlRun "checkServiceAmount 1 ${TO_SERVICE_START} ${TEST_NAMESPACE}" 0 "Checking 1 Service is started [Timeout=${TO_SERVICE_START} secs.]"
+        pod1_name=$(getPodNameWithPrefix "tang" "${TEST_NAMESPACE}" 5 1)
+        pod2_name=$(getPodNameWithPrefix "tang" "${TEST_NAMESPACE}" 5 2)
+        pod3_name=$(getPodNameWithPrefix "tang" "${TEST_NAMESPACE}" 5 3)
+        rlAssertNotEquals "Checking pod name not empty" "${pod1_name}" ""
+        rlAssertNotEquals "Checking pod name not empty" "${pod2_name}" ""
+        rlAssertNotEquals "Checking pod name not empty" "${pod3_name}" ""
+        rlRun "checkPodState Running ${TO_POD_START} ${TEST_NAMESPACE} ${pod1_name}" 0 "Checking POD:[$pod1_name] in Running state [Timeout=${TO_POD_START} secs.]"
+        rlRun "checkPodState Running ${TO_POD_START} ${TEST_NAMESPACE} ${pod2_name}" 0 "Checking POD:[$pod2_name] in Running state [Timeout=${TO_POD_START} secs.]"
+        rlRun "checkPodState Running ${TO_POD_START} ${TEST_NAMESPACE} ${pod3_name}" 0 "Checking POD:[$pod3_name] in Running state [Timeout=${TO_POD_START} secs.]"
+        rlRun "${OC_CLIENT} delete -f ${FUNCTION_DIR}/reg_test/conf_test/main/" 0 "Deleting main configuration"
+        rlRun "checkPodAmount 0 ${TO_POD_STOP} ${TEST_NAMESPACE}" 0 "Checking no PODs continue running [Timeout=${TO_POD_STOP} secs.]"
+        rlRun "checkServiceAmount 0 ${TO_SERVICE_STOP} ${TEST_NAMESPACE}" 0 "Checking no Services continue running [Timeout=${TO_SERVICE_STOP} secs.]"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Multiple Deployment Configuration"
+        rlRun "${OC_CLIENT} apply -f ${FUNCTION_DIR}/reg_test/conf_test/multi_deployment/" 0 "Creating multiple deployment configuration"
+        rlRun "checkPodAmount 5 ${TO_POD_START} ${TEST_NAMESPACE}" 0 "Checking 5 PODs are started [Timeout=${TO_POD_START} secs.]"
+        rlRun "sleep 5" 0 "Waiting to ensure no more than expected replicas are started"
+        rlRun "checkPodAmount 5 ${TO_POD_START} ${TEST_NAMESPACE}" 0 "Checking 5 PODs continue running [Timeout=${TO_POD_START} secs.]"
+        rlRun "checkServiceAmount 2 ${TO_SERVICE_START} ${TEST_NAMESPACE}" 0 "Checking 2 Services are running [Timeout=${TO_SERVICE_START} secs.]"
+        pod1_name=$(getPodNameWithPrefix "tang" "${TEST_NAMESPACE}" 5 1)
+        pod2_name=$(getPodNameWithPrefix "tang" "${TEST_NAMESPACE}" 5 2)
+        pod3_name=$(getPodNameWithPrefix "tang" "${TEST_NAMESPACE}" 5 3)
+        pod4_name=$(getPodNameWithPrefix "tang" "${TEST_NAMESPACE}" 5 4)
+        pod5_name=$(getPodNameWithPrefix "tang" "${TEST_NAMESPACE}" 5 5)
+        rlAssertNotEquals "Checking pod name not empty" "${pod1_name}" ""
+        rlAssertNotEquals "Checking pod name not empty" "${pod2_name}" ""
+        rlAssertNotEquals "Checking pod name not empty" "${pod3_name}" ""
+        rlAssertNotEquals "Checking pod name not empty" "${pod4_name}" ""
+        rlAssertNotEquals "Checking pod name not empty" "${pod5_name}" ""
+        rlRun "checkPodState Running ${TO_POD_START} ${TEST_NAMESPACE} ${pod1_name}" 0 "Checking POD:[$pod1_name] in Running state [Timeout=${TO_POD_START} secs.]"
+        rlRun "checkPodState Running ${TO_POD_START} ${TEST_NAMESPACE} ${pod2_name}" 0 "Checking POD:[$pod2_name] in Running state [Timeout=${TO_POD_START} secs.]"
+        rlRun "checkPodState Running ${TO_POD_START} ${TEST_NAMESPACE} ${pod3_name}" 0 "Checking POD:[$pod3_name] in Running state [Timeout=${TO_POD_START} secs.]"
+        rlRun "checkPodState Running ${TO_POD_START} ${TEST_NAMESPACE} ${pod4_name}" 0 "Checking POD:[$pod2_name] in Running state [Timeout=${TO_POD_START} secs.]"
+        rlRun "checkPodState Running ${TO_POD_START} ${TEST_NAMESPACE} ${pod5_name}" 0 "Checking POD:[$pod3_name] in Running state [Timeout=${TO_POD_START} secs.]"
+        rlRun "${OC_CLIENT} delete -f ${FUNCTION_DIR}/reg_test/conf_test/multi_deployment/" 0 "Deleting multiple deployment configuration"
+        rlRun "checkPodAmount 0 ${TO_POD_STOP} ${TEST_NAMESPACE}" 0 "Checking no PODs continue running [Timeout=${TO_POD_STOP} secs.]"
+        rlRun "checkServiceAmount 0 ${TO_SERVICE_STOP} ${TEST_NAMESPACE}" 0 "Checking no Services continue running [Timeout=${TO_SERVICE_STOP} secs.]"
+    rlPhaseEnd
+    ######### /CONFIGURATION TESTS ########
+
+rlJournalPrintText
+rlJournalEnd

Sanity/functional_test/main.fmf

@@ -0,0 +1,25 @@
+summary: Functionality test for the tang operator
+description: ''
+contact: Patrik Koncity <[email protected]>
+component:
+  - tang
+test: ./runtest.sh
+recommend:
+  - tang
+require+:
+  - clevis
+duration: 5m
+enabled: true
+tag:
+  - NoRHEL6
+  - NoRHEL7
+  - NoRHEL8
+  - Tier3
+tier: '3'
+adjust:
+  - enabled: false
+    when: distro < rhel-9
+    continue: false
+  - enabled: false
+    when: distro == rhel-alt-7
+    continue: false