Cascading Rules Integration Tests

SebieF · SebieF · commit 3de41bb00e82 · 2020-10-02T15:14:13.000+02:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -440,8 +440,29 @@ jobs:
           helm -n integration-tests install zap ./scanners/zap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
           cd tests/integration/
           npx jest --ci --color zap
-      - name: "Cascading Scans Integration Tests"
+      - name: "cascading Scans Integration Tests"
         run: |
+          # We'll run these in a separate namespace so that only the cascadingRules we want to test will be used
+          kubectl create namespace cascading-tests
+          # Install declarative-subsequent-scans hook
+          helm upgrade --install dssh ./hooks/declarative-subsequent-scans/ -n cascading-tests
+          # Install nmap
+          helm -n cascading-tests install nmap ./scanners/nmap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+          # Install ncrack
+          printf "root\nadmin\n" > users.txt
+          printf "THEPASSWORDYOUCREATED\n123456\npassword\n" > passwords.txt
+          kubectl create secret generic --from-file users.txt --from-file passwords.txt ncrack-lists -n cascading-tests
+          cat <<EOF | helm -n cascading-tests install ncrack ./scanners/ncrack --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" --values -
+          scannerJob:
+            extraVolumes:
+              - name: ncrack-lists
+                secret:
+                  secretName: ncrack-lists
+            extraVolumeMounts:
+              - name: ncrack-lists
+                mountPath: "/ncrack/"
+          EOF
+          # Actually run the tests
           cd tests/integration/
           npx jest --ci --color cascade
       - name: Inspect Post Failure
diff --git a/tests/integration/helpers.js b/tests/integration/helpers.js
@@ -7,7 +7,7 @@ const k8sCRDApi = kc.makeApiClient(k8s.CustomObjectsApi);
 const k8sBatchApi = kc.makeApiClient(k8s.BatchV1Api);
 const k8sPodsApi = kc.makeApiClient(k8s.CoreV1Api);
 
-const namespace = "integration-tests";
+let namespace = "integration-tests";
 
 const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms * 1000));
 
@@ -109,6 +109,7 @@ async function disasterRecovery(scanName) {
  * @returns {scan.findings} returns findings { categories, severities, count }
  */
 async function scan(name, scanType, parameters = [], timeout = 180) {
+  namespace ="integration-tests"
   const scanDefinition = {
     apiVersion: "execution.experimental.securecodebox.io/v1",
     kind: "Scan",
@@ -165,34 +166,8 @@ async function scan(name, scanType, parameters = [], timeout = 180) {
  * @param {number} timeout in seconds
  * @returns {scan.findings} returns findings { categories, severities, count }
  */
-async function cascadingScan(name, scanType, parameters = [], nameCascade, scanTypeCascade, parametersCascade, intensive, invasive, timeout = 180) {
-  const cascadingDefinition = {
-    apiVersion: "cascading.experimental.securecodebox.io/v1",
-    kind: "CascadingRule",
-    metadata: {
-      generateName: `${nameCascade}-`,
-      labels: {
-        invasive,
-        intensive,
-      },
-    spec: {
-      matches: {
-        anyOf: {
-          category: "Open Port",
-          attributes: {
-            port: 22,
-            state: "open"
-          }
-        }
-      },
-      scanSpec: {
-        scanTypeCascade,
-        parametersCascade
-      }
-    } 
-    }
-  };
-
+async function cascadingScan(name, scanType, parameters = [], { nameCascade, matchLabels }, timeout = 180) {
+  namespace = "cascading-tests";
   
   const scanDefinition = {
     apiVersion: "execution.experimental.securecodebox.io/v1",
@@ -204,22 +179,12 @@ async function cascadingScan(name, scanType, parameters = [], nameCascade, scanT
     spec: {
       scanType,
       parameters,
+      cascades: {
+        matchLabels,
+      }
     },
-    cascades: {
-        matchLabels: {
-            intensive
-          }
-        }
   };
 
-  const { bodyCascade } = await k8sCRDApi.createNamespacedCustomObject(
-    "cascading.experimental.securecodebox.io",
-    "v1",
-    namespace,
-    "scans",
-    cascadingDefinition
-  );
-
   const { body } = await k8sCRDApi.createNamespacedCustomObject(
     "execution.experimental.securecodebox.io",
     "v1",
@@ -229,7 +194,6 @@ async function cascadingScan(name, scanType, parameters = [], nameCascade, scanT
   );
 
   const actualName = body.metadata.name;
-  const actualNameCascade = bodyCascade.metadata.name;
 
   for (let i = 0; i < timeout; i++) {
     await sleep(1);
@@ -238,41 +202,70 @@ async function cascadingScan(name, scanType, parameters = [], nameCascade, scanT
     if (status && status.state === "Done") {
       // Wait a couple seconds to give kubernetes more time to update the fields
       await sleep(2);
-      
-      for(let j = 0; j < timeout; j++) {
-        await sleep(1)
-        const { statusCascade } = await getScan(actualNameCascade);
-        if (statusCascade && statusCascade.state === "Done") {
-           await sleep(2); 
-           const { statusCascade } = await getScan(actualNameCascade);
-           
-           await deleteScan(actualName);
-           await deleteScan(actualNameCascade);
-           return statusCascade.findings;
-      } else if (statusCascade && statusCascade.state === "Errored") {
-        console.error("Scan Errored");
-        await disasterRecovery(actualNameCascade);
-        throw new Error(
-          `Cascade Scan failed with description "${statusCascade.errorDescription}"`
-        );
-      }
-      console.error("Cascade Scan Timed out!");
-      await disasterRecovery(actualNameCascade);
-
-      throw new Error("timed out while waiting for cascading scan results");
-      }
 
+      break;
     } else if (status && status.state === "Errored") {
       console.error("Scan Errored");
       await disasterRecovery(actualName);
+      throw new Error(
+        `Initial Scan failed with description "${status.errorDescription}"`
+      );
+    }
 
+    if (i === (timeout - 1)) {
       throw new Error(
-        `Scan failed with description "${status.errorDescription}"`
+        `Initial Scan timed out failed`
       );
     }
   }
-  console.error("Scan Timed out!");
+
+  console.log("First Scan finished")
+
+  const { body: scans } = await k8sCRDApi.listNamespacedCustomObject(
+    "execution.experimental.securecodebox.io",
+    "v1",
+    namespace,
+    namespace,
+    "scans"
+  )
+
+  let cascadedScan = null;
+
+  for (const scan of scans.items) {
+    if (scan.metadata.annotations && scan.metadata.annotations["cascading.securecodebox.io/chain"] === nameCascade) {
+      cascadedScan = scan;
+      break;
+    }
+  }
+
+  if (cascadedScan === null) {
+    throw new Error(`Didn't find cascaded Scan for ${nameCascade}`)
+  }
+  const actualNameCascade = cascadedScan.metadata.name;
+
+  for (let j = 0; j < timeout; j++) {
+    await sleep(1)
+    const { status: statusCascade } = await getScan(actualNameCascade);
+
+    if (statusCascade && statusCascade.state === "Done") {
+      await sleep(2);
+      const { status: statusCascade } = await getScan(actualNameCascade);
+
+      await deleteScan(actualName);
+      await deleteScan(actualNameCascade);
+      return statusCascade.findings;
+    } else if (statusCascade && statusCascade.state === "Errored") {
+      console.error("Scan Errored");
+      await disasterRecovery(actualName);
+      await disasterRecovery(actualNameCascade);
+      throw new Error(
+        `Cascade Scan failed with description "${statusCascade.errorDescription}"`
+      );
+    }
+  }
+  console.error("Cascade Scan Timed out!");
   await disasterRecovery(actualName);
+  await disasterRecovery(actualNameCascade);
 
   throw new Error("timed out while waiting for scan results");
 }
diff --git a/tests/integration/scanner/cascade.test.js b/tests/integration/scanner/cascade.test.js
@@ -7,25 +7,27 @@ test(
       "nmap-dummy-ssh",
       "nmap",
       ["-Pn", "-sV", "dummy-ssh.demo-apps.svc"],
-      "ncrack-ssh",
-      "ncrack",
-      ["-v", "--user=root,admin", "--pass=THEPASSWORDYOUCREATED,12345", "ssh://{{location}}"],
-      "high",
-      "invasive",
+      {
+        nameCascade: "ncrack-ssh",
+        matchLabels: {
+          "securecodebox.io/invasive": "invasive",
+          "securecodebox.io/intensive": "high"
+        }
+      },
       120
     );
 
     expect(count).toBe(1);
-        expect(categories).toEqual(
-        {
-            "Discovered Credentials": 1,
-        }
-        );
-        expect(severities).toEqual(
-        {
-            "high": 1,
-        }
-        );
+    expect(categories).toEqual(
+      {
+        "Discovered Credentials": 1,
+      }
+    );
+    expect(severities).toEqual(
+      {
+        "high": 1,
+      }
+    );
   },
   3 * 60 * 1000
 );
