import static com.offbytwo.jenkins.model.BuildResult.FAILURE
import static com.offbytwo.jenkins.model.BuildResult.SUCCESS
import static com.stackrox.model.StorageEnforcementAction.FAIL_BUILD_ENFORCEMENT
import static com.stackrox.model.StorageLifecycleStage.BUILD
import static com.stackrox.model.StorageLifecycleStage.DEPLOY
import com.offbytwo.jenkins.model.BuildResult
import com.stackrox.model.StorageEnforcementAction
import com.stackrox.model.StorageImageNamePolicy
import com.stackrox.model.StorageListPolicy
import com.stackrox.model.StoragePolicy
import com.stackrox.model.StoragePolicyFields
import util.Config
import spock.lang.Unroll
/**
 * End-to-end Spock specification for the StackRox Jenkins plugin: each feature
 * adjusts a named policy in Central through {@code restApiClient}, then runs a
 * Jenkins job built from {@link #getJobConfig} and asserts the resulting
 * {@link BuildResult}.
 *
 * {@code jenkins}, {@code restApiClient} and {@code token} are not declared here;
 * they are presumably provided by {@code BaseSpecification} — verify there.
 *
 * NOTE(review): the features mutate shared, server-side policies (enforcement
 * actions, tag filter, exclusions) and nothing in this class restores them, so
 * the outcome of a feature can depend on which features ran before it.
 */
class ImageScanningTest extends BaseSpecification {
    // Address of StackRox Central handed to the plugin as portalAddress.
    protected static final String CENTRAL_URI = Config.roxEndpoint
    // Registry prefix prepended to every imageName in getJobConfig.
    protected static final String QUAY_REPO = "quay.io/openshifttest/"

    /**
     * Toggles FAIL_BUILD_ENFORCEMENT on {@code policyName} and checks that the
     * Jenkins build fails only when enforcement is on.
     *
     * The given: block first removes enforcement from the two fixable-vulnerability
     * policies, presumably so that only {@code policyName} can decide the build
     * outcome for the image — confirm no other build-stage policy is enforced.
     */
    @Unroll
    def "image scanning test with toggle enforcement(#imageName, #policyName, #enforcements, #endStatus)"() {
        given:
        updatePolicy("Fixable CVSS >= 7", "latest", [])
        updatePolicy("Fixable Severity at least Important", "latest", [])
        when:
        StoragePolicy enforcementPolicy = updatePolicy(policyName, "latest", enforcements)
        then:
        // The refreshed policy returned by updatePolicy must reflect the requested
        // enforcement and still cover both BUILD and DEPLOY stages.
        assert enforcementPolicy.enforcementActions == enforcements
        assert enforcementPolicy.lifecycleStages == [BUILD, DEPLOY]
        when:
        // policyEvalCheck and failOnCriticalPluginError are both enabled here.
        BuildResult status = jenkins.createAndRunJob(
                getJobConfig(imageName, true, true))
        then:
        assert status == endStatus
        where:
        "data inputs are: "
        imageName | policyName | enforcements | endStatus
        "nginx-alpine:latest" | "Latest tag" | [] | SUCCESS
        "nginx-alpine:latest" | "Latest tag" | [FAIL_BUILD_ENFORCEMENT] | FAILURE
    }

    /**
     * With FAIL_BUILD_ENFORCEMENT always on, every row is expected to fail the build.
     *
     * Row 1 assumes the 1.2.1 image violates "Fixable CVSS >= 7"; row 2 relies on
     * the ":latest" tag matching "Latest tag". Neither assumption is checked here —
     * TODO confirm the images still trip these policies after a scanner update.
     */
    @Unroll
    def "image scanning test with images enforcement turned on (#imageName, #policyName, #tag)"() {
        when:
        def enforcements = [FAIL_BUILD_ENFORCEMENT]
        StoragePolicy enforcementPolicy = updatePolicy(policyName, tag, enforcements)
        then:
        assert enforcementPolicy.enforcementActions == enforcements
        assert enforcementPolicy.lifecycleStages == [BUILD, DEPLOY]
        when:
        BuildResult status = jenkins.createAndRunJob(
                getJobConfig(imageName, true, true))
        then:
        assert status == FAILURE
        where:
        "data inputs are: "
        imageName | policyName | tag
        "nginx-alpine:1.2.1" | "Fixable CVSS >= 7" | "1.2.1"
        "nginx-alpine:latest" | "Latest tag" | "latest"
    }

    /**
     * Plugin-error handling with policy evaluation switched off (policyEvalCheck = false).
     *
     * The "mis-spelled:lts" image presumably does not exist in the registry; the
     * table expects that error to fail the build only when
     * failOnCriticalPluginError is true. No policy is modified by this feature.
     */
    @Unroll
    def "Negative image scanning tests (#imageName, #failOnCriticalPluginError,#endStatus)"() {
        when:
        BuildResult status = jenkins.createAndRunJob(
                getJobConfig(imageName, false, failOnCriticalPluginError))
        then:
        assert status == endStatus
        where:
        "data inputs are: "
        imageName | failOnCriticalPluginError | endStatus
        "nginx-alpine:latest" | true | SUCCESS
        "mis-spelled:lts" | true | FAILURE
        "mis-spelled:lts" | false | SUCCESS
    }

    /**
     * Builds the Jenkins job configuration for one plugin run.
     *
     * @param imageName image reference relative to {@link #QUAY_REPO}
     * @param policyEvalCheck whether the plugin evaluates Central policies
     * @param failOnCriticalPluginError whether plugin errors fail the build
     * @param readTimeoutSeconds plugin read timeout; null leaves the plugin default
     * @return job configuration produced by {@code JenkinsClient.Config.createJobConfig()}
     */
    String getJobConfig(String imageName,
                        Boolean policyEvalCheck,
                        Boolean failOnCriticalPluginError,
                        Integer readTimeoutSeconds = null) {
        // NOTE(review): token is the Central API token inherited from the base spec
        // and ends up inside the job configuration — confirm the plugin stores it
        // as a Jenkins credential rather than in the job XML in plain text.
        return new JenkinsClient.Config(
                imageName: QUAY_REPO + imageName,
                portalAddress: CENTRAL_URI,
                token: token,
                policyEvalCheck: policyEvalCheck,
                failOnCriticalPluginError: failOnCriticalPluginError,
                readTimeoutSeconds: readTimeoutSeconds)
                .createJobConfig()
    }

    /**
     * Rewrites the Central policy named {@code policyName} and returns the stored result.
     *
     * Side effects on the server-side policy: enforcement actions are replaced by
     * {@code enforcements}, the policy fields are replaced by a single image-name
     * tag criterion, the policy is enabled, and all exclusions are dropped. The
     * previous state is not saved, so callers cannot undo this.
     *
     * @param policyName exact display name of an existing policy
     * @param tag image tag the rewritten policy matches on
     * @param enforcements enforcement actions to set (empty list disables enforcement)
     * @return the policy as re-read from Central after the update
     * @throws AssertionError if no policy with that name exists
     */
    StoragePolicy updatePolicy(String policyName, String tag, List<StorageEnforcementAction> enforcements) {
        List<StorageListPolicy> policies = restApiClient.policies
        // Name lookup; a missing policy is a test-setup error, not a product failure.
        def policyId = policies.find { it.name == policyName }?.id
        assert policyId != null
        def policy = restApiClient.getPolicy(policyId)
        policy.setEnforcementActions(enforcements)
        // Only an image-name tag filter survives; any other criteria the policy had are dropped.
        policy.setFields(new StoragePolicyFields().imageName(new StorageImageNamePolicy().tag(tag)))
        policy.setDisabled(false)
        // Clear exclusions to avoid serialization issues with null scope values
        policy.setExclusions([])
        restApiClient.updatePolicy(policy, policyId)
        // Re-read rather than returning the local object so callers assert on what Central stored.
        return restApiClient.getPolicy(policyId)
    }
}