From 7cc468db53be104ca28514e42765435ffca85be3 Mon Sep 17 00:00:00 2001 From: Evgeny Slutsky Date: Tue, 5 Mar 2024 23:46:10 +0200 Subject: [PATCH] USHIFT-2464: scan FIPS on container images Signed-off-by: Evgeny Slutsky --- .../group1/rhel92-source-isolated.toml | 4 ++ test/suites/fips/validate-fips.robot | 39 +++++++++++++++++-- 2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/test/image-blueprints/layer3-periodic/group1/rhel92-source-isolated.toml b/test/image-blueprints/layer3-periodic/group1/rhel92-source-isolated.toml
index 3be02daf7f..02910138e5 100644
--- a/test/image-blueprints/layer3-periodic/group1/rhel92-source-isolated.toml
+++ b/test/image-blueprints/layer3-periodic/group1/rhel92-source-isolated.toml
@@ -25,6 +25,10 @@ version = "{{ .Env.SOURCE_VERSION }}"
 name = "microshift-test-agent"
 version = "*"

+[[packages]]
+name = "microshift-release-info"
+version = "*"
+
 [[packages]]
 name = "qemu-guest-agent"
 version = "*"
diff --git a/test/suites/fips/validate-fips.robot b/test/suites/fips/validate-fips.robot
index a21d0d9f8d..8d6ecc4bec 100644
--- a/test/suites/fips/validate-fips.robot
+++ b/test/suites/fips/validate-fips.robot
@@ -17,6 +17,7 @@ ${USHIFT_USER} ${EMPTY}
 ${USHIFT_LIBS_DUMP_FILE} /tmp/microshift-libs
 ${FIPS_PATTERN} ossl-modules/fips.so$
 ${CHECK_PAYLOAD_IMAGE} registry.ci.openshift.org/ci/check-payload:latest
+${PULL_SECRET_PATH} /etc/crio/openshift-pull-secret


 *** Test Cases ***
@@ -32,6 +33,10 @@ Verify Node RPMs FIPS Compliant
 [Documentation] Performs a FIPS validation against the Installed RPMs
 Check Payload Tool Must Pass

+Verify Container Images FIPS Compliant
+ [Documentation] Performs a FIPS validation against the Released payload
+ Check Container Images In Release Must Pass
+
 *** Keywords ***
 Setup
@@ -39,8 +44,8 @@ Setup
 Check Required Env Variables
 Login MicroShift Host
 Setup Kubeconfig
+Start MicroShift
 Wait Until Greenboot Health Check Exited
-Stop MicroShift

 Teardown
 [Documentation] Test suite teardown
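Review bot: The reason Setup now starts MicroShift where it previously stopped it is not recorded anywhere in the hunk, and nothing in the new container-image scan visibly depends on a running MicroShift — it only runs podman against the pull-secret file and the release JSON — so the next maintainer cannot tell whether the old `Stop MicroShift` can be restored. A short comment above the new line, e.g. `# MicroShift must be running here because: <reason>`, would settle it; if there is no reason, keeping the previous stop would let the node RPM scan run against a quiesced host as before. Note that Teardown's `Start MicroShift` / `Wait For MicroShift` (next hunk) now restart a service that the suite no longer stops. The Setup keyword's signature line lies above this hunk.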
@@ -49,6 +54,8 @@ Teardown
 ... SSHLibrary.Get File ${USHIFT_LIBS_DUMP_FILE}* ${OUTPUTDIR}/
 Run Keyword And Ignore Error
 ... SSHLibrary.Get File ${CHECK_PAYLOAD_OUTPUT_FILE} ${OUTPUTDIR}/check-payload.log
+ Run Keyword And Ignore Error
+ ... SSHLibrary.Get File ${CHECK_PAYLOAD_REL_OUTPUT_FILE} ${OUTPUTDIR}/check-release-payload.log
 Start MicroShift
 Wait For MicroShift
 Logout MicroShift Host
@@ -57,8 +64,7 @@ Check Payload Tool Must Pass
 [Documentation] Run check-paylod Tool
 ${podman_args}= Set Variable --authfile /etc/crio/openshift-pull-secret --privileged -i -v /:/myroot
 ${scan_command}= Set Variable scan node --root /myroot
-${rand}= Generate Random String
-${path}= Join Path /tmp ${rand}
+${path}= Create Random Temp File
 Set Global Variable ${CHECK_PAYLOAD_OUTPUT_FILE} ${path}
 ${rc}= Execute Command rpm -qi microshift >${CHECK_PAYLOAD_OUTPUT_FILE} 2>&1
 ... sudo=True return_rc=True return_stdout=False return_stderr=False
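Review bot: Teardown fetches `${CHECK_PAYLOAD_REL_OUTPUT_FILE}` but never removes it (or `${CHECK_PAYLOAD_OUTPUT_FILE}`) from the host, so every run leaves a scan log behind in the target's temp directory; one more best-effort line after the two Get File calls, `Run Keyword And Ignore Error  Execute Command  rm -f ${CHECK_PAYLOAD_OUTPUT_FILE} ${CHECK_PAYLOAD_REL_OUTPUT_FILE}  sudo=True`, would clean up. Whether `Create Random Temp File` (next hunk) also leaves a local file that needs removing is not visible here. The Teardown keyword starts above this hunk.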
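Review bot: `${podman_args}` still hard-codes `--authfile /etc/crio/openshift-pull-secret` although this same commit introduces `${PULL_SECRET_PATH}` for exactly that path and uses it in the new keyword below; change the line to `${podman_args}= Set Variable --authfile ${PULL_SECRET_PATH} --privileged -i -v /:/myroot` so the two scans cannot drift apart. The new `${path}= Create Random Temp File` replaces what was only ever a name under /tmp; if that project keyword creates the file on the Robot side rather than on the target, the path is afterwards used only in a remote shell redirect, so the local file would be dead weight — worth confirming. The keyword's remaining lines run past the end of this hunk.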
@@ -68,6 +74,22 @@ Check Payload Tool Must Pass
 ... sudo=True return_rc=True return_stdout=False return_stderr=False
 Should Be Equal As Integers 0 ${rc}

+Check Container Images In Release Must Pass
+[Documentation] Run check-paylod Tool for Release containers
+${podman_pull_secret}= Set Variable /root/.config/containers/auth.json
+${podman_mounts}= Set Variable -v ${PULL_SECRET_PATH}:${podman_pull_secret}
+${podman_args}= Set Variable --rm --authfile ${PULL_SECRET_PATH} --privileged ${podman_mounts}
+${path}= Create Random Temp File
+Set Global Variable ${CHECK_PAYLOAD_REL_OUTPUT_FILE} ${path}
+@{images}= Get Images From Release File
+FOR ${image} IN @{images}
+${scan_command}= Set Variable scan operator --spec ${image}
+${rc}= Execute Command
+... podman run ${podman_args} ${CHECK_PAYLOAD_IMAGE} ${scan_command} >>${CHECK_PAYLOAD_REL_OUTPUT_FILE} 2>&1
+... sudo=True return_rc=True return_stdout=False return_stderr=False
+Should Be Equal As Integers 0 ${rc}
+END
+
 Microshift Binary Should Dynamically Link FIPS Ossl Module
 [Documentation] Check if Microshift binary is FIPS compliant.
 ${stdout} ${stderr} ${rc}= Execute Command
@@ -86,3 +108,14 @@ Fips Should Be Enabled
 ... sudo=True return_rc=True return_stdout=True return_stderr=True
 Should Be Equal As Integers 0 ${rc}
 Should Match ${stdout} FIPS mode is enabled.
+
+Get Images From Release File
+[Documentation] Obtains list of Images from Release.
+${stdout} ${stderr} ${rc}= Execute Command
+... jq -r '.images | .[]' /usr/share/microshift/release/release-$(uname -m).json
+... return_stdout=True return_stderr=True return_rc=True
+Should Be Equal As Integers 0 ${rc}
+Log Many ${stdout} ${stderr} ${rc}
+
+@{images}= Split String ${stdout} \n
+RETURN @{images}
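Review bot: The host pull secret is bind-mounted into a `--privileged` container without `:ro`, so anything running as root inside it could modify or truncate `/etc/crio/openshift-pull-secret` and break CRI-O pulls for the rest of the run; mount it read-only with `${podman_mounts}= Set Variable -v ${PULL_SECRET_PATH}:${podman_pull_secret}:ro`. It is also not obvious that `scan operator --spec` needs `--privileged` at all, unlike the existing `scan node` case which bind-mounts `/`, so it is worth checking whether the flag can be dropped here. `Should Be Equal As Integers 0 ${rc}` inside the FOR loop aborts at the first non-compliant image, so the log shows at most one failure per run; `Run Keyword And Continue On Failure  Should Be Equal As Integers  0  ${rc}` would scan every image and report them all. The `[Documentation]` line also carries the typo `check-paylod`.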
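Review bot: `Get Images From Release File` does not check for an empty result: when `jq` prints nothing (a release file with no `images`, or an unexpected schema) `Split String` still yields one empty item, and the caller then runs `scan operator --spec` with no argument and fails with an unrelated podman/check-payload error; add `Should Not Be Empty  ${stdout}  msg=no images listed in release file` before the split. `Log Many` sits after the rc assertion, so the jq stderr that would explain a failure is never logged — move it above `Should Be Equal As Integers 0 ${rc}`. The filter `.images | .[]` presumably expects `.images` to be a map or array of pull specs, which the hunk cannot confirm; a one-line comment stating the expected shape of the release JSON would help the next reader. The command runs without `sudo`, which is fine only if the release file is world-readable — presumably it is, as packaged by microshift-release-info, but that is inferred rather than visible here.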