feat: add HTTP Basic and HTTP Header authentication e2e tests (#412)

ccronca · web-flow · commit 13903d849402 · 2025-09-17T08:35:25.000+02:00
* feat: add e2e tests for HTTP Basic and HTTP Header authentication

Add end-to-end tests to validate authentication scenarios:

Tests verify both configuration setup (via logs) and actual header
transmission (via scan results), ensuring authentication works
end-to-end.

* feat: add secret scanning protection for authentication e2e tests

Add secret scanning configuration to prevent false positives
from dummy test credentials used in authentication e2e tests.

These configurations should ensure dummy test credentials are not flagged as
real secrets while maintaining security scanning for actual sensitive data.

* feat(k8s): add isolated VAPI deployment for authentication e2e tests

Create dedicated VAPI resources for authentication tests to prevent
resource conflicts with integration tests

* feat(deps): Install gtk3 dependency

Install gtk3 to resolve the "libgtk-3.so.0: cannot open shared
object file" error when validating Firefox version

* feat(deps): Install gtk3 dependency in Garak Containerfile

Install gtk3 to resolve the "libgtk-3.so.0: cannot open shared
object file" error when validating Firefox version
diff --git a/.github/secret_scanning.yml b/.github/secret_scanning.yml
@@ -0,0 +1,8 @@
+# GitHub Secret Scanning configuration
+# https://docs.github.com/en/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning
+
+paths-ignore:
+  # E2E test files with dummy authentication credentials
+  - 'e2e-tests/manifests/rapidast-vapi-configmap-http-basic.yaml'
+  - 'e2e-tests/manifests/rapidast-vapi-configmap-http-header.yaml'
+  - 'e2e-tests/test_authentication.py'
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,11 @@
+# Gitleaks configuration to exclude dummy test secrets
+# https://github.com/gitleaks/gitleaks
+
+# Exclude specific files containing dummy authentication credentials
+[[allowlist]]
+  description = "E2E test files with dummy authentication credentials"
+  paths = [
+    '''e2e-tests/manifests/rapidast-vapi-configmap-http-basic\.yaml''',
+    '''e2e-tests/manifests/rapidast-vapi-configmap-http-header\.yaml''',
+    '''e2e-tests/test_authentication\.py'''
+  ]
diff --git a/.tekton/integration-test.yaml b/.tekton/integration-test.yaml
@@ -210,7 +210,7 @@ spec:
               source /workspace/.tekton/scripts/setup-cachi2-env.sh
 
               python3.12 -m pip install -r requirements-dev.txt
-              pytest -s e2e-tests/test_integration.py --json-report --json-report-summary --json-report-file $(results.TEST_OUTPUT.path)
+              pytest -s e2e-tests/test_integration.py e2e-tests/test_authentication.py --json-report --json-report-summary --json-report-file $(results.TEST_OUTPUT.path)
               cat $(results.TEST_OUTPUT.path)
 
 # XXX temporarily disabled
diff --git a/containerize/Containerfile b/containerize/Containerfile
@@ -22,7 +22,7 @@ ARG FF_FILE=$DEPS_DIR/firefox.tar.bz2
 ARG TRIVY_FILE=$DEPS_DIR/trivy.tar.gz
 ARG KCTL_FILE=$DEPS_DIR/kubectl
 
-RUN microdnf install -y tar gzip bzip2 java-21-openjdk nodejs
+RUN microdnf install -y tar gzip bzip2 java-21-openjdk nodejs gtk3
 
 RUN mkdir "${DEPS_DIR}" /tmp/node_modules && if [ "$PREFETCH" == "true" ]; then \
     echo "PREFETCH is true: Copying dependencies from /cachi2/output/deps..." && \
diff --git a/containerize/Containerfile.garak b/containerize/Containerfile.garak
@@ -22,7 +22,7 @@ ARG FF_FILE=$DEPS_DIR/firefox.tar.bz2
 ARG TRIVY_FILE=$DEPS_DIR/trivy.tar.gz
 ARG KCTL_FILE=$DEPS_DIR/kubectl
 
-RUN microdnf install -y tar gzip bzip2 java-21-openjdk nodejs
+RUN microdnf install -y tar gzip bzip2 java-21-openjdk nodejs gtk3
 
 RUN mkdir "${DEPS_DIR}" /tmp/node_modules && if [ "$PREFETCH" == "true" ]; then \
     echo "PREFETCH is true: Copying dependencies from /cachi2/output/deps..." && \
diff --git a/e2e-tests/manifests/rapidast-vapi-configmap-http-basic.yaml b/e2e-tests/manifests/rapidast-vapi-configmap-http-basic.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+data:
+  config.yaml: |+
+    config:
+      configVersion: 5
+
+    application:
+      shortName: "http-basic-auth-test"
+      url: "http://vapi-auth:5000"
+
+    scanners:
+      zap:
+        apiScan:
+          apis:
+            apiUrl: "http://vapi-auth:5000/docs/openapi.json"
+
+        authentication:
+          type: "http_basic"
+          parameters:
+            # NOTE: These are dummy test credentials for e2e testing - not real secrets
+            username: "user"
+            password: "mypassw0rd"
+
+        passiveScan:
+          # Enable passive scanning to capture authentication headers
+          disabledRules: ""
+
+        container:
+          parameters:
+            executable: "zap.sh"
+
+kind: ConfigMap
+metadata:
+  name: rapidast-vapi-http-basic
diff --git a/e2e-tests/manifests/rapidast-vapi-configmap-http-header.yaml b/e2e-tests/manifests/rapidast-vapi-configmap-http-header.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+data:
+  config.yaml: |+
+    config:
+      configVersion: 5
+
+    application:
+      shortName: "http-header-auth-test"
+      url: "http://vapi-auth:5000"
+
+    scanners:
+      zap:
+        apiScan:
+          apis:
+            apiUrl: "http://vapi-auth:5000/docs/openapi.json"
+
+        authentication:
+          type: "http_header"
+          parameters:
+            name: "Authorization"
+            # NOTE: This is a dummy test header value for e2e testing - not a real secret
+            value: "MySecretHeader"
+
+        passiveScan:
+          # Enable passive scanning to capture authentication headers
+          disabledRules: ""
+
+        container:
+          parameters:
+            executable: "zap.sh"
+
+kind: ConfigMap
+metadata:
+  name: rapidast-vapi-http-header
diff --git a/e2e-tests/manifests/rapidast-vapi-pod-http-basic.yaml b/e2e-tests/manifests/rapidast-vapi-pod-http-basic.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+  name: rapidast-vapi-http-basic
+spec:
+  initContainers:
+    # Run rapidast as initContainer, second container prints the results
+  - image: ${IMAGE} # quay.io/redhatproductsecurity/rapidast:latest
+    imagePullPolicy: Always
+    name: rapidast
+    resources:
+      limits:
+        cpu: 1
+        memory: 2Gi
+      requests:
+        cpu: 250m
+        memory: 512Mi
+    volumeMounts:
+    - name: config-volume
+      mountPath: /opt/rapidast/config
+    - name: results
+      mountPath: /opt/rapidast/results
+  containers:
+    # Expects initContainer to already have created results
+  - command: ["bash", "-c", "cat /opt/rapidast/results/*/*/zap/zap-report.json"]
+    image: registry.redhat.io/ubi9/ubi-micro
+    name: results
+    volumeMounts:
+    - name: results
+      mountPath: /opt/rapidast/results
+  volumes:
+  - name: config-volume
+    configMap:
+      name: rapidast-vapi-http-basic
+  - name: results
+    emptyDir: {}
+  restartPolicy: Never
diff --git a/e2e-tests/manifests/rapidast-vapi-pod-http-header.yaml b/e2e-tests/manifests/rapidast-vapi-pod-http-header.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+  name: rapidast-vapi-http-header
+spec:
+  initContainers:
+    # Run rapidast as initContainer, second container prints the results
+  - image: ${IMAGE} # quay.io/redhatproductsecurity/rapidast:latest
+    imagePullPolicy: Always
+    name: rapidast
+    resources:
+      limits:
+        cpu: 1
+        memory: 2Gi
+      requests:
+        cpu: 250m
+        memory: 512Mi
+    volumeMounts:
+    - name: config-volume
+      mountPath: /opt/rapidast/config
+    - name: results
+      mountPath: /opt/rapidast/results
+  containers:
+    # Expects initContainer to already have created results
+  - command: ["bash", "-c", "cat /opt/rapidast/results/*/*/zap/zap-report.json"]
+    image: registry.redhat.io/ubi9/ubi-micro
+    name: results
+    volumeMounts:
+    - name: results
+      mountPath: /opt/rapidast/results
+  volumes:
+  - name: config-volume
+    configMap:
+      name: rapidast-vapi-http-header
+  - name: results
+    emptyDir: {}
+  restartPolicy: Never
diff --git a/e2e-tests/manifests/vapi-auth-deployment.yaml b/e2e-tests/manifests/vapi-auth-deployment.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+  name: vapi-auth
+  labels:
+    app: vapi-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: vapi-auth
+  template:
+    metadata:
+      labels:
+        app: vapi-auth
+    spec:
+      containers:
+      - command:
+        - bash
+        - -c
+        - . start.sh && sleep infinity
+        image: quay.io/sfowler/vapi:latest
+        imagePullPolicy: Always
+        name: vapi
+        # The pod should only be marked as "ready" once both
+        # the frontend and backend services are listening on their respective ports
+        lifecycle:
+          postStart:
+            exec:
+              command:
+              - /bin/bash
+              - -c
+              - |
+                echo "Checking services..."
+                echo "Waiting for ports 3000 and 5000..."
+                while ! (echo > /dev/tcp/localhost/3000) 2>/dev/null; do echo "Port 3000 not ready" && sleep 1; done
+                while ! (echo > /dev/tcp/localhost/5000) 2>/dev/null; do echo "Port 5000 not ready" && sleep 1; done
+                echo "All ports are ready"
diff --git a/e2e-tests/manifests/vapi-auth-service.yaml b/e2e-tests/manifests/vapi-auth-service.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: vapi-auth
+  name: vapi-auth
+spec:
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - port: 5000
+    protocol: TCP
+    targetPort: 5000
+    name: backend
+  - port: 3000
+    protocol: TCP
+    targetPort: 3000
+    name: frontend
+  selector:
+    app: vapi-auth
+  sessionAffinity: None
+  type: ClusterIP
diff --git a/e2e-tests/test_authentication.py b/e2e-tests/test_authentication.py
@@ -0,0 +1,104 @@
+import base64
+import logging
+from typing import Dict
+
+from test_integration import get_log_from_pod  # pylint: disable=E0611
+
+from conftest import is_pod_with_field_selector_successfully_completed  # pylint: disable=E0611
+from conftest import TestBase  # pylint: disable=E0611
+from conftest import wait_until_ready  # pylint: disable=E0611
+
+
+class TestRapiDASTAuthentication(TestBase):
+    @classmethod
+    def setup_class(cls):
+        """Set up shared VAPI instance for all authentication tests"""
+        super().setup_class()
+        cls.create_from_yaml(cls, f"{cls.tempdir}/vapi-auth-deployment.yaml")
+        cls.create_from_yaml(cls, f"{cls.tempdir}/vapi-auth-service.yaml")
+        assert wait_until_ready(label_selector="app=vapi-auth")
+
+    def test_http_basic_authentication(self):
+        """Test rapidast with HTTP Basic authentication configured"""
+
+        self.create_from_yaml(f"{self.tempdir}/rapidast-vapi-configmap-http-basic.yaml")
+        self.create_from_yaml(f"{self.tempdir}/rapidast-vapi-pod-http-basic.yaml")
+        assert is_pod_with_field_selector_successfully_completed(
+            field_selector="metadata.name=rapidast-vapi-http-basic", timeout=360
+        )
+
+        logs = get_log_from_pod(self.tempdir, "rapidast-vapi-http-basic", container="rapidast", log_format="text")
+        data = get_log_from_pod(
+            self.tempdir,
+            "rapidast-vapi-http-basic",
+            filename_suffix="results",
+            container="results",
+            log_format="json",
+        )
+
+        # Verify that HTTP Basic authentication was configured correctly in logs
+        assert (
+            "ZAP configured with HTTP Basic Authentication" in logs
+        ), "ZAP logs should indicate HTTP Basic authentication was configured"
+
+        # Verify that the Authorization Basic header with correct credentials is present
+        # NOTE: "user:mypassw0rd" are dummy test credentials for e2e testing - not real secrets
+        expected_credentials = base64.b64encode(b"user:mypassw0rd").decode("utf-8")
+        basic_auth_header_found = verify_specific_auth_header_value(
+            data, "Authorization", f"Basic {expected_credentials}"
+        )
+        assert (
+            basic_auth_header_found
+        ), "Authorization header with correct Basic credentials should be found in scan results"
+
+    def test_http_header_authentication(self):
+        """Test rapidast with HTTP Header authentication configured"""
+
+        self.create_from_yaml(f"{self.tempdir}/rapidast-vapi-configmap-http-header.yaml")
+        self.create_from_yaml(f"{self.tempdir}/rapidast-vapi-pod-http-header.yaml")
+        assert is_pod_with_field_selector_successfully_completed(
+            field_selector="metadata.name=rapidast-vapi-http-header", timeout=360
+        )
+
+        logs = get_log_from_pod(self.tempdir, "rapidast-vapi-http-header", container="rapidast", log_format="text")
+        data = get_log_from_pod(
+            self.tempdir,
+            "rapidast-vapi-http-header",
+            filename_suffix="results",
+            container="results",
+            log_format="json",
+        )
+
+        assert (
+            "ZAP configured with Authentication using HTTP Header" in logs
+        ), "ZAP logs should indicate HTTP Header authentication was configured"
+
+        # NOTE: "MySecretHeader" is a dummy test header value for e2e testing - not a real secret
+        custom_header_found = verify_specific_auth_header_value(data, "Authorization", "MySecretHeader")
+        assert (
+            custom_header_found
+        ), "Authorization header with exact custom value 'MySecretHeader' should be found in scan results"
+
+
+def verify_specific_auth_header_value(report_data: Dict, header_name: str, expected_header_value: str) -> bool:
+    """
+    Verifies that a specific authentication header with exact value is present in the ZAP report.
+
+    Args:
+        report_data: The ZAP JSON report data
+        header_name: The name of the header to look for (e.g., "Authorization")
+        expected_header_value: The exact header value to look for
+
+    Returns:
+        bool: True if the exact authentication header value is found, False otherwise
+    """
+    if not report_data:
+        logging.warning("No report data provided")
+        return False
+
+    report_str = str(report_data).lower()
+    header_name_lower = header_name.lower()
+    expected_value_lower = expected_header_value.lower()
+
+    header = f"{header_name_lower}: {expected_value_lower}"
+    return header in report_str
