Feature/read only hooks

.github/workflows/ci.yaml

@@ -316,7 +316,7 @@ jobs:
 
           # Operator Namespace
           kubectl create namespace securecodebox-system
-          # Install Operator using the images of the current commit 
+          # Install Operator using the images of the current commit
           helm -n securecodebox-system install securecodebox-operator ./operator/ --wait \
             --set="image.tag=sha-$(git rev-parse --short HEAD)" \
             --set="image.digest=null" \
@@ -334,14 +334,14 @@ jobs:
         run: "kubectl create namespace demo-apps"
       - name: "Install Test Dependencies"
         run: |
-          cd tests/integration/ 
+          cd tests/integration/
           npm ci
       # This steps should include Integration tests which are not related to a Specific Scanner
       - name: "Throws NoScanDefiniton Error Integration Tests"
         run: |
           cd tests/integration/
           npx jest --ci --color no-scan-definition-error
-      - name: "Hooks Integration Tests"
+      - name: "Hooks (ReadAndWrite) Integration Tests"
         run: |
           helm -n integration-tests install update-category ./hooks/update-field/ \
             --set="image.tag=sha-$(git rev-parse --short HEAD)" \
@@ -355,6 +355,14 @@ jobs:
           cd tests/integration/
           npx jest --ci --color read-write-hook
           helm -n integration-tests uninstall test-scan update-category update-severity
+      - name: "Hooks (ReadOnly) Integration Tests"
+        run: |
+          helm -n integration-tests install test-scan ./scanner/test-scan/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+          helm -n integration-tests install http-webhook ./demo-apps/http-webhook
+          helm -n integration-tests install ro-hook ./hooks/generic-webhook/ --set="webhookUrl=http://http-webhook/hallo-welt"
+          cd tests/integration/
+          npx jest --ci --color read-only-hook
+          helm -n integration-tests uninstall test-scan http-webhook ro-hook
       - name: "nmap Integration Tests"
         run: |
           helm -n integration-tests install nmap ./scanner/nmap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"

scanner/http-webhook/templates/deployment.yaml → demo-apps/http-webhook/templates/deployment.yaml

@@ -37,14 +37,6 @@ spec:
             - name: http
               containerPort: 80
               protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

tests/integration/generic/read-only-hook.test.js

@@ -2,7 +2,7 @@ const { scan } = require("../helpers");
 const k8s = require('@kubernetes/client-node');
 
 test(
-  "localhost port scan should only find a host finding",
+  "should trigger a webhook",
   async () => {
     await scan(
       "test-scan-read-only-hook",
@@ -11,28 +11,62 @@ test(
       90
     );
 
-    const webhook = "http-webhook";
-    const namespace = "integration-tests";
+    const WEBHOOK = "http-webhook";
+    const NAMESPACE = "integration-tests";
 
     const kc = new k8s.KubeConfig();
     kc.loadFromDefault();
 
     const k8sApi = kc.makeApiClient(k8s.CoreV1Api);
 
     function containsPod(item) {
-      return item.metadata.name.includes(webhook)
+      return item.metadata.name.includes(WEBHOOK)
     }
 
     let podName;
-    await k8sApi.listNamespacedPod(namespace, 'true').then((res) => {
-      let podArray = res.body.items.filter(containsPod);
-      podName = podArray.pop().metadata.name;
+    await k8sApi.listNamespacedPod(NAMESPACE, 'true').then((res) => {
+      let podArray = res.body.items.filter((containsPod));
+      if (podArray.length === 0) {
+        throw new Error(`Did not find Pod for "${WEBHOOK}" Hook`);
+      }
+
+      podName = podArray[0].metadata.name;
     });
 
-    const containerName = webhook;
+    const containerName = WEBHOOK;
+
+    const params = {
+      k8sApi,
+      podName,
+      namespace: NAMESPACE,
+      containerName
+    }
+    const result = await delayedRepeat(isHookTriggered, params, 1000, 10);
 
-    let containerLog = await k8sApi.readNamespacedPodLog(podName, namespace, containerName, false);
-    expect(containerLog.body.includes("path: '/hallo-welt'")).toBe(true);
+    expect(result).toBe(true)
   },
   3 * 60 * 1000
 );
+
+async function isHookTriggered(params) {
+  console.log("Fetch Container Logs...")
+  let containerLog = await params.k8sApi.readNamespacedPodLog(params.podName, params.namespace, params.containerName, false);  
+  return containerLog.body.includes("/hallo-welt");
+}
+
+
+const sleep = durationInMs =>
+  new Promise(resolve => setTimeout(resolve, durationInMs));
+
+async function delayedRepeat(fun, functionParamObject, intervalInMs, maxRetries,) {
+  for (let i = 0; i < maxRetries; i++){
+    const condition = await fun(functionParamObject);
+    if(condition){
+      return condition;
+    }
+
+    await sleep(intervalInMs);
+  }
+
+  throw new Error("Reached max retries")
+}