Add: container-image-scanner-user-flows

Author: nichtsfrei

.github/workflows/functional.yaml

@@ -43,7 +43,7 @@ jobs:
         # TODO: make version robust
       - run: curl -L https://github.com/Orange-OpenSource/hurl/releases/download/7.1.0/hurl_7.1.0_amd64.deb -o hurl.deb
       - run: sudo apt-get install -y ./hurl.deb
-      - run: cd compose && OPENVAS_IMAGE="${{ inputs.image }}" make test-environment-up
+      - run: cd compose && OPENVAS_IMAGE="${{ inputs.image }}" make test-environment-running
       - run: cd compose/tests/smoketest && make
       - run: cd compose && make test-environment-logs
         if: always()

compose/Makefile

@@ -2,15 +2,16 @@ HAS_DOCKER_COMPOSE_V2 := $(shell docker compose version >/dev/null 2>&1 && echo
 HAS_DOCKER_COMPOSE_V1 := $(shell command -v docker-compose 2>/dev/null)
 
 ifeq ($(HAS_DOCKER_COMPOSE_V2),1)
-	# docker compose cannot deal with default veriables?
+	CCMD := docker
 	CMD := docker compose
 else ifneq ($(HAS_DOCKER_COMPOSE_V1),)
 	CMD := docker-compose
 else
+	CCMD := podman
 	CMD := podman-compose
 endif
 
-TEST_ENVIRONMENTS := -f base.yaml -f mtls.yaml -f tests/victim.yaml
+TEST_ENVIRONMENTS := -f base.yaml -f mtls.yaml -f tests/victim.yaml -f local-registry.yaml
 
 ifndef OPENVAS_IMAGE
 	OPENVAS_IMAGE := ghcr.io/greenbone/openvas-scanner:stable
@@ -37,9 +38,8 @@ test-environment-down:
 
 .PHONY: test-environment-logs
 test-environment-logs:
-	${CMD} ${TEST_ENVIRONMENTS} logs openvasd
-	
-	
+	${CMD} ${TEST_ENVIRONMENTS} logs
+
 .PHONY: test-environment-up
 test-environment-up: openvasd-server.key client-certs/client1.pem
 	OPENVAS_IMAGE=${OPENVAS_IMAGE} ${CMD} ${TEST_ENVIRONMENTS} up -d
@@ -49,6 +49,32 @@ local-test-environment-up: openvasd-server.key client-certs/client1.pem
 	cd .. && podman build -f .docker/prod.Dockerfile -t localhost/openvas:latest --build-arg BIN_VERSION=0.0.1 . 
 	OPENVAS_IMAGE=localhost/openvas:latest ${CMD} ${TEST_ENVIRONMENTS} up
 
+define check_container_status
+$(CCMD) ps -a --format '{{.Names}}' \
+| grep '$(1)' \
+| xargs $(CCMD) inspect -f '{{.State.Status}}' \
+| grep -qx '$(2)'
+endef
+
+define wait_for_status
+@printf "Waiting for $(1) to be $(2): "
+while ! $(call check_container_status,$(1),$(2)); do \
+	sleep 1; \
+done
+@printf "$(2)\n"
+endef
+
+.PHONY: wait-for-services
+wait-for-services:
+	@$(call wait_for_status,openvasd,running)
+	@$(call wait_for_status,registry_seed,exited)
+
+.PHONY: test-environment-up
+test-environment-running: test-environment-up wait-for-services
+
+.PHONY: local-test-environment-up
+local-test-environment-running: local-test-environment-up wait-for-services
+
 .PHONY: smoketests
-smoketests: test-environment-up
+smoketests: wait-for-images
 	cd tests && make smoketests

compose/local-registry.yaml

@@ -0,0 +1,51 @@
+name: greenbone-community-edition
+
+services:
+  auth_server:
+    image: docker.io/cesanta/docker_auth
+    container_name: auth_server
+    ports:
+      - "127.0.0.1:5001:5001"
+    volumes:
+      # assumes to be started from Makefile above
+      - ./local-registry:/config
+      - ${OPENVASD_SERVER_PEM:-./openvasd-server.pem}:/server.pem:ro
+      - ${OPENVASD_SERVER_KEY:-./openvasd-server.key}:/server.key:ro
+    restart: unless-stopped
+
+  registry:
+    image: docker.io/registry:2
+    container_name: registry
+    ports:
+      - "127.0.0.1:5000:5000"
+    volumes:
+      - ${OPENVASD_SERVER_PEM:-./openvasd-server.pem}:/server.pem:ro
+      - ${OPENVASD_SERVER_KEY:-./openvasd-server.key}:/server.key:ro
+    environment:
+      REGISTRY_AUTH: token
+      REGISTRY_HTTP_TLS_CERTIFICATE: /server.pem
+      REGISTRY_HTTP_TLS_KEY: /server.key
+      REGISTRY_AUTH_TOKEN_REALM: https://auth_server:5001/auth
+      REGISTRY_AUTH_TOKEN_SERVICE: registry:5000
+      REGISTRY_AUTH_TOKEN_ISSUER: MyAuthServer
+      REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: /server.pem
+    depends_on:
+      - auth_server
+    restart: unless-stopped
+
+  registry_seed:
+    build:
+      context: ./local-registry
+      dockerfile: skopeo.Dockerfile
+    depends_on:
+      - registry
+    environment:
+      REGISTRY: registry:5000
+      USERNAME: test
+      PASSWORD: test
+      IMAGES: >
+        docker.io/nichtsfrei/victim:latest
+        docker.io/openeuler/openeuler:latest
+        docker.io/openeuler/openeuler:24.03-lts-sp1
+        docker.io/openeuler/openeuler:20.03-lts-sp4
+    restart: "no"

compose/local-registry/auth_config.yml

@@ -0,0 +1,20 @@
+server:
+  addr: ":5001"
+  certificate: "/server.pem"
+  key: "/server.key"
+
+token:
+  issuer: "MyAuthServer"
+  expiration: 900
+
+# allow all usernames and password
+# we just use to replicate token based registry
+ext_auth:
+  command: "true"
+  args: []
+
+acl:
+  - match: { account: "/.+/" }
+    actions: ["*"]
+    comment: "Allow full access to any user"
+

compose/local-registry/skopeo-push-registry.bash

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -e
+
+# debug marker (change this to verify rebuilds)
+echo "gosh i hate infrastructure"
+
+# configurable variables (can be overridden via env)
+REGISTRY="${REGISTRY:-registry:5000}"
+USERNAME="${USERNAME:-dummy}"
+PASSWORD="${PASSWORD:-dummy}"
+
+IMAGES="${IMAGES:-\
+docker.io/nichtsfrei/victim:latest \
+docker.io/openeuler/openeuler:latest \
+docker.io/openeuler/openeuler:24.03-lts-sp1 \
+docker.io/openeuler/openeuler:20.03-lts-sp4\
+}"
+
+echo "Using registry: $REGISTRY"
+echo "Images: $IMAGES"
+
+skopeo login \
+  --tls-verify=false \
+  --username "$USERNAME" \
+  --password "$PASSWORD" \
+  "$REGISTRY"
+
+for img in $IMAGES; do
+  name=${img#docker.io/}
+  echo "Copying $img -> $REGISTRY/$name"
+
+  skopeo copy \
+    --dest-tls-verify=false \
+    "docker://$img" \
+    "docker://$REGISTRY/$name"
+done
+
+touch /state/push-done

compose/local-registry/skopeo.Dockerfile

@@ -0,0 +1,7 @@
+FROM quay.io/skopeo/stable:latest
+
+COPY skopeo-push-registry.bash /usr/local/bin/skopeo-push-registry.bash
+RUN mkdir /state
+RUN chmod +x /usr/local/bin/skopeo-push-registry.bash
+
+ENTRYPOINT ["/usr/local/bin/skopeo-push-registry.bash"]

compose/tests/smoketest/Makefile

@@ -29,7 +29,13 @@ SCANS_USER_FLOW := ${MAKEFILE_PATH}/scans-user-flows
 SCANS_USER_FLOW := $(basename $(notdir $(wildcard $(SCANS_USER_FLOW)/*.json)))
 SCANS_USER_FLOW := $(addprefix scans-user-flow-,$(SCANS_USER_FLOW))
 
-all: up-and-running notus scans-user-flow-victim-simple-auth-ssh
+CONTAINER_IMAGE_SCANNER_USER_FLOW := ${MAKEFILE_PATH}/container-image-scanner-user-flows
+CONTAINER_IMAGE_SCANNER_USER_FLOW := $(basename $(notdir $(wildcard $(CONTAINER_IMAGE_SCANNER_USER_FLOW)/*.json)))
+CONTAINER_IMAGE_SCANNER_USER_FLOW := $(addprefix container-image-scanner-user-flow-,$(CONTAINER_IMAGE_SCANNER_USER_FLOW))
+
+
+
+all: up-and-running notus scans-user-flow-victim-simple-auth-ssh container-image-scanner-user-flow-local-registry-full
 
 .PHONY: up-and-running
 up-and-running:
@@ -53,3 +59,9 @@ $(SCANS_USER_FLOW):
 	$(eval SCAN_CONFIG := $(patsubst scans-user-flow-%,%,$@))
 	${HURL_BASE} --variable scan_config=${SCAN_CONFIG}.json ${MAKEFILE_PATH}/scans-user-flows/*.hurl
 
+.PHONY: $(CONTAINER_IMAGE_SCANNER_USER_FLOW)
+$(CONTAINER_IMAGE_SCANNER_USER_FLOW):
+	$(eval SCAN_CONFIG := $(patsubst container-image-scanner-user-flow-%,%,$@))
+	${HURL_BASE} --variable scan_config=${SCAN_CONFIG}.json ${MAKEFILE_PATH}/container-image-scanner-user-flows/*.hurl
+
+

compose/tests/smoketest/container-image-scanner-user-flows/local-registry-full.json

@@ -0,0 +1,22 @@
+{
+  "target": {
+    "hosts": [
+      "oci://registry:5000"
+    ],
+   "credentials": [
+      {
+        "service": "generic",
+        "up": {
+          "username": "holla",
+          "password": "diewaldfee"
+        }
+      }
+    ]
+  },
+  "scan_preferences": [
+    {
+      "id": "accept_invalid_certs",
+      "value": "true"
+    }
+  ]
+}

compose/tests/smoketest/container-image-scanner-user-flows/start-scan-flow.hurl

@@ -0,0 +1,78 @@
+POST {{server}}/container-image-scanner/scans
+Content-Type: application/json
+file,{{scan_config}}; # WARN: scan_config is set on the root of the file, not path of hurl execution 
+HTTP 201
+[Captures]
+scan_id: body replace "\"" ""
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}
+HTTP 200
+[Asserts]
+jsonpath "$.scan_id" == {{scan_id}}
+
+POST {{server}}/container-image-scanner/scans/{{scan_id}}
+{
+        "action": "start"
+}
+HTTP 204
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}/status
+HTTP 200
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}/status
+[Options]
+retry: 3600 # about 60m
+retry-interval: 1s
+HTTP 200
+[Asserts]
+jsonpath "$.status" == "succeeded"
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}/status
+HTTP 200
+[Captures]
+host_info_all: jsonpath "$.host_info.all"
+[Asserts]
+jsonpath "$.start_time" exists
+jsonpath "$.end_time" exists
+jsonpath "$.host_info.all" > 0
+jsonpath "$.host_info.excluded" == 0
+jsonpath "$.host_info.dead" == 0
+jsonpath "$.host_info.alive" == {{host_info_all}}
+jsonpath "$.host_info.queued" == 0
+jsonpath "$.host_info.finished" == {{host_info_all}}
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}/results
+HTTP 200
+[Captures]
+result_count: jsonpath "$.*" count 
+[Asserts]
+jsonpath "$.*" count > 3 # needed for further testing
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}/results/{{result_count}}
+HTTP 404
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}/results?range={{result_count}}-{{result_count}}
+HTTP 200
+[Asserts]
+jsonpath "$.*" count == 0
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}/results?range=0-{{result_count}}
+HTTP 200
+[Asserts]
+jsonpath "$.*" count == {{result_count}}
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}/results?range=0-1
+HTTP 200
+[Asserts]
+jsonpath "$.*" count == 2
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}/results/2
+HTTP 200
+[Asserts]
+jsonpath "$.id" == 2
+
+DELETE {{server}}/container-image-scanner/scans/{{scan_id}}
+HTTP 204
+
+GET {{server}}/container-image-scanner/scans/{{scan_id}}
+HTTP 404

compose/tests/smoketest/scans-user-flows/start-scan-flow.hurl

@@ -49,7 +49,7 @@ result_count: jsonpath "$.*" count
 jsonpath "$.*" count > 3 # needed for further testing
 
 GET {{server}}/scans/{{scan_id}}/results/{{result_count}}
-HTTP 404 # why not 404?
+HTTP 404
 
 GET {{server}}/scans/{{scan_id}}/results?range={{result_count}}-{{result_count}}
 HTTP 200