RedHatTraining/rht-labs-docs.git

donal

2018-04-26 21cad65ce979c7b97626367c5ce2c5ab01a18e07

commit \| author \| age
916556	1
064b38	2	# The Non-Functionals Strike back
5277ca	3	> In this exercise we explore the non-functional side of testing.
5afd94	4
D	5	![death-star-vent](../images/exercise5/death-star-vent.jpeg)
43f2f2	6	_____
D	7
	8	## Learning Outcomes
	9	As a learner you will be able to
007b55	10	- Create additional Jenkins stages to scan for security vulnerabilities in the Apps
064b38	11	- Assess test quality by producing coverage reports as part of a build
007b55	12	- Improve code readability with linting
D	13	- Do some light performance testing to monitor throughput of APIs
43f2f2	14
D	15	## Tools and Frameworks
007b55	16	> Below is a collection of the frameworks that will be used in this lab
43f2f2	17
007b55	18	1. [eslint](https://eslint.org/) - ESLint is an open source JavaScript linting utility originally created by Nicholas C. Zakas in June 2013. Code linting is a type of static analysis that is frequently used to find problematic patterns or code that doesn’t adhere to certain style guidelines. There are code linters for most programming languages, and compilers sometimes incorporate linting into the compilation process.
43f2f2	19
D	20	## Big Picture
	21	This exercise begins cluster containing blah blah
	22
	23	_____
	24
	25	## 10,000 Ft View
064b38	26	> This lesson will use the Exercise 4's Zap Slave and Arachni scanner to improve the pipeline. Linting will be included in the build and code coverage too.
43f2f2	27
007b55	28	2. Add a parallel stage after the e2e tests on the front end to run OWASP Zap and Arachni against the deployed apps.
43f2f2	29
007b55	30	2. Add Code Coverage reporing to the build for gaining greater insight into test improvements.
D	31
	32	2. Add `npm run lint:ci` to the Frontend and report the result using the Checkstyle Plugin in Jenkins.
	33
	34	2. Create a new Jenkins job to run some light performance testing against the API layer using the perf tests tasks.
43f2f2	35
D	36	## Step by Step Instructions
007b55	37	> This is a well structured guide with references to exact filenames and indications as to what should be done.
43f2f2	38
007b55	39	### Part 1 - Add Security scanning to the pipeline
dc377a	40	> _In this exercise the first of our non-functional testing is explored in the form of some security scanning. We will add the scans to our Jenkinsfile and have them run as new stages_
43f2f2	41
dc377a	42	2. Open the `todolist-fe` application's `Jenkinsfile` in your favourite editor. The file is stored in the root of the project.
D	43
	44	2. The file is layed out with a collection of stages that correspond to each part of our build as seen below. We will create a new stage to execute in parallel.
cd34aa	45	![stages](../images/exercise5/stages.png)
dc377a	46
064b38	47	2. Create a new Parallel Stage called `security scanning` underneath the `stage("e2e test") { }` section as shown below. The contents of the `e2e test` have been removed for simplicity.
dc377a	48	```groovy
D	49	stage("e2e test") {
	50	// ... stuff in here ....
	51	}
	52	stage("security scanning") {
	53	parallel {
	54	stage('OWASP Scan') {
	55
	56	}
	57	stage('Arachni Scan') {
	58
	59	}
	60	}
	61	}
43f2f2	62	```
dc377a	63
064b38	64	2. Let's start filling out the configuration for the OWASP Zap scan first. We will set the label to our slave created in previous exercise and a `when` condition of the master or develop branch.
dc377a	65	```groovy
D	66	stage('OWASP Scan') {
	67	agent {
	68	node {
	69	label "jenkins-slave-zap"
	70	}
	71	}
	72	when {
	73	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	74	}
	75	}
43f2f2	76	```
dc377a	77
3dce53	78	2. Add a `step` with a `sh` command to run the tool by passing in the URL of the app we're going to test.
dc377a	79	```groovy
D	80	stage('OWASP Scan') {
3dce53	81	agent {
D	82	node {
	83	label "jenkins-slave-zap"
	84	}
dc377a	85	}
3dce53	86	when {
D	87	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	88	}
	89	steps {
	90	sh '''
	91	/zap/zap-baseline.py -r index.html -t ${E2E_TEST_ROUTE} \|\| return_code=$?
	92	echo "exit value was - " $return_code
	93	'''
	94	}
dc377a	95	}
D	96	```
	97
	98	2. Finally add the reporting for Jenkins in `post` hook of our Declarative Pipeline. This is to report the findings of the scan in Jenkins as a HTML report.
	99	```groovy
	100	stage('OWASP Scan') {
	101	agent {
	102	node {
	103	label "jenkins-slave-zap"
	104	}
	105	}
	106	when {
	107	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	108	}
	109	steps {
	110	sh '''
3dce53	111	/zap/zap-baseline.py -r index.html -t http://${E2E_TEST_ROUTE} \|\| return_code=$?
D	112	echo "exit value was - " $return_code
dc377a	113	'''
D	114	}
	115	post {
	116	always {
	117	// publish html
	118	publishHTML target: [
	119	allowMissing: false,
	120	alwaysLinkToLastBuild: false,
	121	keepAll: true,
	122	reportDir: '/zap/wrk',
	123	reportFiles: 'index.html',
	124	reportName: 'Zap Branniscan'
	125	]
	126	}
	127	}
	128	}
	129	```
	130
064b38	131	2. Let's add our Arachni Scan to the second part of the parallel block. The main difference between these sections is Jenkins will report an XML report too for failing the build accordingly. Below is the snippet for the Arachni scanning.
dc377a	132	```groovy
D	133	stage('Arachni Scan') {
	134	agent {
	135	node {
	136	label "jenkins-slave-arachni"
	137	}
	138	}
	139	when {
	140	expression { GIT_BRANCH ==~ /(.master\|.develop)/ }
	141	}
	142	steps {
	143	sh '''
da9923	144	/arachni/bin/arachni http://${E2E_TEST_ROUTE} --report-save-path=arachni-report.afr
dc377a	145	/arachni/bin/arachni_reporter arachni-report.afr --reporter=xunit:outfile=report.xml --reporter=html:outfile=web-report.zip
D	146	unzip web-report.zip -d arachni-web-report
	147	'''
	148	}
	149	post {
	150	always {
	151	junit 'report.xml'
	152	publishHTML target: [
	153	allowMissing: false,
	154	alwaysLinkToLastBuild: false,
	155	keepAll: true,
	156	reportDir: 'arachni-web-report',
	157	reportFiles: 'index.html',
	158	reportName: 'Arachni Web Crawl'
	159	]
	160	}
	161	}
	162	}
	163	```
	164
7c2c91	165	2. With this config in place run a build on Jenkins. To do this; commit your code (from your terminal):
D	166	```bash
	167	$ git add .
	168	$ git commit -m "ADD - security scanning tools to pipeline"
	169	$ git push
	170	```
	171
3dce53	172	2. Check out the Blue Ocean Jenkins view for how the parallel stage is viewed!
D	173	![jenkins-parallel](../images/exercise5/jenkins-parallel.png)
	174
7c2c91	175	2. Once the Jobs have completed; navigate to the Jobs status and see the scores. You can find the graphs and test reports on overview of the Job. Explore the results!
cd34aa	176	![report-arachni](../images/exercise5/report-arachni.png)
D	177	![jenkins-arachni](../images/exercise5/jenkins-arachni.png)
	178
	179	<p class="tip">
3dce53	180	NOTE - your build may have failed because of the a security failure but the reports should still be generated, it is OK to proceed with the next exercise!
cd34aa	181	</p>
43f2f2	182
2c15b7	183	2. TODO - add solution for failing Security scans!
D	184
007b55	185	### Part 2 - Add Code Coverage & Linting to the pipeline
dabc6f	186	> _Let's continue to enhance our pipeline with some non-functional testing. Static code analysis and testing coverage reports can provide a useful indicator on code quality and testing distribution_
43f2f2	187
dabc6f	188	3. Coverage reports are already being generated as part of the tests. We can have Jenkins produce a HTML report showing in detail where our testing is lacking. Open the `todolist-fe` in your favourite editor.
D	189
3dce53	190	3. Open the `Jenkinsfile` in the root of the project; move to the `stage("node-build"){ ... }` section. In the `post` section add a block for producing a `HTML` report as part of our builds. This is all that is needed for Jenkins to repor the coverage stats.
dabc6f	191	```groovy
D	192	// Post can be used both on individual stages and for the entire build.
	193	post {
	194	always {
	195	archive "**"
	196	junit 'test-report.xml'
	197	// publish html
	198	publishHTML target: [
	199	allowMissing: false,
	200	alwaysLinkToLastBuild: false,
	201	keepAll: true,
	202	reportDir: 'reports/coverage',
	203	reportFiles: 'index.html',
	204	reportName: 'Code Coverage'
	205	]
	206	}
	207	```
	208
3dce53	209	3. To get the linting working; we will add a new step to our `stage("node-build"){ }` section to lint the Javascript code. After the `npm install`; add a command to run the linting.
dabc6f	210	```groovy
D	211	echo '### Install deps ###'
	212	sh 'npm install'
	213	echo '### Running linting ###'
3dce53	214	sh 'npm run lint'
dabc6f	215	```
D	216
	217	3. Save the `Jenkinsfile` and commit it to trigger a build with some more enhancements.
	218	```bash
	219	$ git add .
	220	$ git commit -m "ADD - linting and coverage to the pipeline"
	221	$ git push
	222	```
	223
3dce53	224	3. When the build has completed; fix the linting errors if there are any and commit your changes. Look in Jenkins log for what the issue might be....
D	225	![linting-issue](../images/exercise5/linting-issue.png)
	226
	227	3. To view the coverage graph; go to the job's build page and open the `Code Coverage` report from the nav bar on the side.
	228	![report-location](../images/exercise5/report-location.png)
	229
	230	3. Open the report to drill down into detail of where testing coverage could be improved!
5277ca	231	![report-coverage](../images/exercise5/report-coverage.png)
D	232	<p class="tip">
	233	NOTE - a good practice for teams is to try and increase the code coverage metrics over the life of a project. Teams will often start low and use practices such as retrospective to increase the quality at specific times.
	234	</p>
	235
dabc6f	236	3. (Optional Step) - Install the Checkstyle plugin; and add `checkstyle pattern: 'eslint-report.xml'` below the `publishHTML` block to add reporting to Jenkins!
D	237
5277ca	238	### Part 3 - Nightly light performance testing
D	239	> _In this exercise, we will execute the light performance tasks in our API to collect data about throughtput time in hopes if the API ever has some `Sam` quality code checked in, we will spot it_
dabc6f	240
2c15b7	241	An arbitrary value for the API's to respond in has been chosen. It is set in the `todolist-api/tasks/perf-test.js` file. In this exercise we will get Jenkins to execute the tests and fail based on the score set there!
5277ca	242
2c15b7	243	4. Create a new Item on Jenkins, `nightly-perf-test` and make it a freestyle job.
D	244	![new-job](../images/exercise5/new-job.png)
	245
	246	4. Set the `label` on `Restrict where this project can be run` to `jenkins-slave-npm` one used by the build jobs previously.
	247	![slave-label](../images/exercise5/slave-label.png)
5277ca	248
D	249	4. In the SCM section; set the project to use the `todolist-api` git project. Set the credentials accordingly.
2c15b7	250	![git-settings](../images/exercise5/git-settings.png)
D	251
	252	4. Set the build to execute each night; for example 0300 in the morning. Hit `Build periodically` on the Build Triggers section and set it to `H 3 * * *`.
	253	![build-schedule](../images/exercise5/build-schedule.png)
	254
	255	4. Set the `Color ANSI Console Output` on the Build Environment section.
5277ca	256
964d34	257	4. Create a step to execute shell and add the following to it, replacing `<YOUR_NAME>` and `somedomain` as expected. We will just test the `create` and `show` API for the moment. We are grabbing the response code of the perf-test to keep Jenkins running both shells steps and then exiting with whichever fails:
5277ca	258	```bash
D	259	export E2E_TEST_ROUTE=todolist-api-<YOUR_NAME>-dev.apps.somedomain.com
	260	npm install
	261	set +e
	262	npm run perf-test:create
	263	rc1=$?
	264	npm run perf-test:show
	265	rc2=$?
	266	set -e
	267	exit $(($rc1 \| $rc2))
	268	```
	269
	270	4. On the Post Build actions section we will plot the data from the perf tests in Jenkins. Add a `Post-build Action > Plot Build Data`.
	271
21cad6	272	4. On the new dialog, name the Plot group eg `benchmark-tests` and add `create-api` as the Plot title. Set the `Number of Builds to Include` to a large number like `100`. Set the Data Series file to be `reports/server/perf/create-perf-score.csv` and mark the `Load data from CSV fiel` checkbox. Apply those changes
5277ca	273	![jenkins-plot](../images/exercise5/jenkins-plot.png)
D	274
21cad6	275	4. Hit `Add Plot` to add another. Set Plot group to `benchmark-tests` again but this time setting the Plot title to `show-api`. Set the Data Series file to be `reports/server/perf/show-perf-score.csv` and mark the `Load data from CSV checkbox`. Save those changes and run the job (Job could take a while to execute!).
5277ca	276
D	277	4. Run it a few times to start to generate the data points on the plot. The `bench-tests` plot is available on the job's homepage
	278	![result-plot](../images/exercise5/result-plot.png)
43f2f2	279
D	280	_____
	281
	282	## Extension Tasks
	283	> _Ideas for go-getters. Advanced topic for doers to get on with if they finish early. These will usually not have a solution and are provided for additional scope._
	284
dabc6f	285	- Enhance the `todolist-api` with the security scanning tools as you've done for the `todolist-api`
D	286	- Enhance the `todolist-api` with the coverage reporting as you've done for `todolist-api`
007b55	287	- Add Black Duck or other package scanning tooling for our NodeJS app
D	288	- Add Container Vulnerability scanning tooling to the pipeline
5277ca	289	- Add `Stryker` to create mutants and do additional non functional testing of the App
dabc6f	290	- Add the Checkstyle plugin to Jenkins for reporting scores
43f2f2	291
D	292	## Additional Reading
	293	> List of links or other reading that might be of use / reference for the exercise
	294
01c4da	295	## Slide Links
RH	296
	297	- [Intro](https://docs.google.com/presentation/d/1YQ0hUV3o7DW8O40SiI-BQZXCOSVeQGjo2iTxCL2GZfk/)
	298	- [Wrap-up](https://docs.google.com/presentation/d/102hRHDlC9PUIsMs3m1fZy8QUaB5UKzBlhBPdehRWw38/)
	299	- [All Material](https://drive.google.com/drive/folders/1seT0V3ABHNonvtFvORNt836NgSeYPuWW)