From 66eefb845990d01c0296074eabdad3a5ad86281a Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Fri, 7 Aug 2020 11:53:39 +0200
Subject: Add SECCOM-recommended version check in security tests

Issue-ID: INT-1571
Change-Id: Icd215ad5b49dcbf34eb46b973676f5141b589f83
Signed-off-by: Pawel Wieczorek
---
 security/README.md | 2 +
 security/docker/Dockerfile | 15 +++++-
 security/docker/testcases.yaml | 10 ++++
 security/onap_security/security_tests.py | 10 ++++
 security/scripts/check_versions.sh | 92 ++++++++++++++++++++++++++++++++
 security/setup.cfg | 1 +
 6 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100644 security/scripts/check_versions.sh

diff --git a/security/README.md b/security/README.md
index 6a5e38e..7dc7c0e 100644
--- a/security/README.md
+++ b/security/README.md
@@ -17,6 +17,8 @@ It includes 6 tests:
 - jdpw_ports: check that there are no internal java ports
 - kube_hunter: security suite to search k8s vulnerabilities (upstream src
 aquasecurity)
+- versions: check that Java and Python are available only in versions
+ recommended by SECCOM
 
 ## Usage
 
diff --git a/security/docker/Dockerfile b/security/docker/Dockerfile
index e38f565..a31ab64 100644
--- a/security/docker/Dockerfile
+++ b/security/docker/Dockerfile
@@ -1,3 +1,9 @@
+FROM golang:1.13 AS build_yq
+WORKDIR /go/src/github.com/mikefarah/
+RUN git clone https://github.com/mikefarah/yq.git --depth 1
+WORKDIR /go/src/github.com/mikefarah/yq
+RUN CGO_ENABLED=0 go install -a -ldflags '-w -s -extldflags "-static"'
+
 FROM golang:1.13 AS build_aqua
 WORKDIR /go/src/github.com/aquasecurity/
 RUN git clone https://github.com/aquasecurity/kube-bench.git --depth 1
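Review bot: `RUN git clone https://github.com/mikefarah/yq.git --depth 1` in the new `build_yq` stage builds yq from whatever the upstream default branch points to at build time, with no tag or commit pin, so the image is not reproducible and a breaking upstream release changes the tool silently; the new `check_versions.sh` in this same commit relies on the `yq read …` CLI form, which ties it to one yq major version. Pin the clone, e.g. `ARG YQ_VERSION` followed by `RUN git clone --depth 1 --branch "${YQ_VERSION}" https://github.com/mikefarah/yq.git`, and ideally record the expected commit so a moved tag is caught. The existing `build_aqua` stage has the same unpinned pattern, but that predates this change.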
@@ -27,23 +33,29 @@ COPY scripts/check_security_root.sh /check_security_root.sh
 COPY scripts/root_pods_xfail.txt /root_pods_xfail.txt
 COPY scripts/check_unlimitted_pods.sh /check_unlimitted_pods.sh
 COPY scripts/check_cis_kubernetes.sh /check_cis_kubernetes.sh
+COPY scripts/check_versions.sh /check_versions.sh
+COPY --from=build_yq /go/bin/yq /usr/local/bin/yq
 COPY --from=build_aqua /go/bin/kube-bench /usr/local/bin/kube-bench
 COPY --from=build_aqua /go/src/github.com/aquasecurity/kube-bench/cfg/ /cfg/
 COPY --from=build_onap /go/bin/sslendpoints /usr/local/bin/sslendpoints
 RUN set -x && \
 apk --no-cache add --update curl ca-certificates openssl procps util-linux \
- nmap nmap-scripts && \
+ nmap nmap-scripts jq && \
 apk --no-cache add --virtual .build-deps --update \
 python3-dev linux-headers gcc musl-dev && \
 chmod +x /usr/local/bin/kubectl && \
 git clone --depth 1 https://github.com/aquasecurity/kube-hunter.git /kube-hunter && \
+ mkdir /check_versions && \
 adduser kubectl -Du 2342 -h /config && \
 wget https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VERSION}-linux-amd64.tar.gz -O - | tar -xzO linux-amd64/helm > /usr/local/bin/helm && \
 wget -O /check_for_nonssl_endpoints.sh https://git.onap.org/integration/plain/test/security/check_for_nonssl_endpoints.sh?h=$ONAP_TAG &&\
 wget -O /check_for_jdwp.sh https://git.onap.org/integration/plain/test/security/check_for_jdwp.sh?h=$ONAP_TAG &&\
 wget -O /jdwp_xfail.txt https://git.onap.org/integration/plain/test/security/jdwp_xfail.txt?h=$ONAP_TAG &&\
 wget -O /nonssl_xfail.txt https://git.onap.org/integration/plain/test/security/nonssl_xfail.txt?h=$ONAP_TAG &&\
+ wget -O /check_versions/k8s_bin_versions_inspector.py https://git.onap.org/integration/plain/test/security/check_versions/src/k8s_bin_versions_inspector.py?h=$ONAP_TAG &&\
+ wget -O /check_versions/requirements.txt https://git.onap.org/integration/plain/test/security/check_versions/env/requirements.txt?h=$ONAP_TAG &&\
+ wget -O /check_versions/recommended_versions.yaml https://git.onap.org/integration/seccom/plain/recommended_versions.yaml?h=$ONAP_TAG &&\
 chmod +x /usr/local/bin/helm && \
 chmod +x /usr/local/bin/kube-bench && \
 chmod +x /usr/local/bin/sslendpoints && \
@@ -52,6 +64,7 @@ RUN set -x && \
 pip3 install --no-cache-dir \
 git+https://gitlab.com/Orange-OpenSource/lfn/onap/integration/xtesting.git@$ONAP_TESTS_TAG#subdirectory=security && \
 cd /kube-hunter && pip3 install -r /kube-hunter/requirements.txt && \
+ pip3 install -r /check_versions/requirements.txt && \
 apk del .build-deps
 
 COPY docker/testcases.yaml /usr/lib/python3.8/site-packages/xtesting/ci/testcases.yaml
diff --git a/security/docker/testcases.yaml b/security/docker/testcases.yaml
index 6b9d482..92b270d 100644
--- a/security/docker/testcases.yaml
+++ b/security/docker/testcases.yaml
@@ -72,3 +72,13 @@ tiers:
 Check k8s CVE.
 run:
 name: 'kube_hunter'
+ -
+ case_name: versions
+ project_name: security
+ criteria: 100
+ blocking: false
+ description: >-
+ Check that Java and Python are available only in versions
+ recommended by SECCOM
+ run:
+ name: 'versions'
diff --git a/security/onap_security/security_tests.py b/security/onap_security/security_tests.py
index 4136f66..cd26d7d 100644
--- a/security/onap_security/security_tests.py
+++ b/security/onap_security/security_tests.py
@@ -171,3 +171,13 @@ class OnapSecurityKubeHunter(SecurityTesting):
 kube_hunter_cmd.append(j.address)
 self.cmd = kube_hunter_cmd
 self.error_string = "Vulnerabilties detected."
+
+
+class OnapSecurityVersions(SecurityTesting):
+ """Check that Java and Python are available only in versions recommended by SECCOM."""
+ def __init__(self, **kwargs):
+ if "case_name" not in kwargs:
+ kwargs.get("case_name", 'versions')
+ super(OnapSecurityVersions, self).__init__(**kwargs)
+ self.cmd = ['/check_versions.sh', 'onap', '-r', '/check_versions/recommended_versions.yaml']
+ self.error_string = "Not recommended versions found"
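Review bot: `COPY scripts/check_versions.sh /check_versions.sh` copies a file that the diffstat records as `create mode 100644`, and none of the `chmod +x` lines in this hunk cover it, yet `security_tests.py` executes it directly as `/check_versions.sh`; unless the lines omitted between this hunk and the next already handle it, add `chmod +x /check_versions.sh && \` beside the other `chmod` calls. Separately, `recommended_versions.yaml` is the policy this test enforces and it is fetched at image-build time at `h=$ONAP_TAG`, so the recommendations are frozen into the image until it is rebuilt; a comment above that `wget`, e.g. `# SECCOM policy snapshot: rebuild the image to pick up new recommendations; $ONAP_TAG must exist in the seccom repo too`, would make that explicit.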
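Review bot: `pip3 install -r /check_versions/requirements.txt` omits `--no-cache-dir`, unlike the sibling `pip3 install --no-cache-dir` two lines above in the same `RUN`, so pip's download cache stays in the layer; change it to `pip3 install --no-cache-dir -r /check_versions/requirements.txt && \`. The requirements file is fetched at build time and is not visible here, so whether its entries are pinned cannot be checked from this hunk.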
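Review bot: `kwargs.get("case_name", 'versions')` inside the `if "case_name" not in kwargs:` guard is a no-op — `dict.get` returns the default without storing it — so `case_name` is never injected and `SecurityTesting.__init__` is called without it. Replace the two lines with `kwargs.setdefault("case_name", "versions")`. If the sibling classes (not visible in this hunk) use the same idiom, they have the same problem and should be fixed together.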
diff --git a/security/scripts/check_versions.sh b/security/scripts/check_versions.sh
new file mode 100644
index 0000000..aadc58e
--- /dev/null
+++ b/security/scripts/check_versions.sh
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+
+usage() {
+ cat < [-r ]
+ -r: recommended versions file
+EOF
+ exit ${1:-0}
+}
+
+if [ "$#" -lt 1 ]; then
+ usage 1
+fi
+
+K8S_NAMESPACE=$1
+VERSIONS=$(mktemp versions_XXXXXX)
+
+### getopts
+while :
+do
+ case $2 in
+ -h|--help|help) usage ;;
+ -r) RECOMMENDED_VERSIONS_FILE_PATH=$3;shift ;;
+ -*) usage 1 ;;
+ *) break ;;
+ esac
+done
+
+get_recommendation() {
+ local component="$1"
+ local recommendations="${RECOMMENDED_VERSIONS_FILE_PATH:-recommended_versions.yaml}"
+
+ yq read "$recommendations" "${component}.recommended_versions" | sed 's/^- //' # removes YAML list prefix
+}
+
+check_python3_version() {
+ local recommended_versions="${1:-$(get_recommendation python3)}"
+ local versions="${2:-$VERSIONS}"
+
+ local unrecommended="$(cat $versions)" # to be filtered out according to recommendations
+ for rver in $recommended_versions; do
+ unrecommended="$(jq --arg rver "$rver" \
+ '.[] | select(.versions.python[]!=$rver) | "\(.pod) \(.container) \(.versions.python[])"' \
+ <(echo "$unrecommended") \
+ | tr -d '"' \
+ | sort -u)"
+ done
+
+ echo "$unrecommended"
+}
+
+check_java11_version() {
+ local recommended_versions="${1:-$(get_recommendation java11)}"
+ local versions="${2:-$VERSIONS}"
+
+ local unrecommended="$(cat $versions)" # to be filtered out according to recommendations
+ for rver in $recommended_versions; do
+ unrecommended="$(jq --arg rver "$rver" \
+ '.[] | select(.versions.java[]!=$rver) | "\(.pod) \(.container) \(.versions.java[])"' \
+ <(echo "$unrecommended") \
+ | tr -d '"' \
+ | sort -u)"
+ done
+
+ echo "$unrecommended"
+}
+
+echo "------------------------------------------------------------------------"
+echo "-------------------- ONAP Security tests ----------------------------"
+echo "-------------------- Test components versions in pods ---------------"
+echo "------------------------------------------------------------------------"
+
+code=0
+
+# get the components versions list
+python3 /check_versions/k8s_bin_versions_inspector.py \
+ -i -c /root/.kube/config -f json \
+ -s "metadata.namespace==$K8S_NAMESPACE" > "$VERSIONS"
+
+unrecommended_python="$(check_python3_version)"
+unrecommended_java="$(check_java11_version)"
+
+if [ -z "$unrecommended_python" -a -z "$unrecommended_java" ]; then
+ echo "Test PASS: All components available in recommended versions only"
+else
+ code=1
+ echo "Test FAIL: Components other than recommended versions found"
+ cat <(echo POD CONTAINER PYTHON) <(echo "$unrecommended_python") | column -t -s' '
+ cat <(echo POD CONTAINER JAVA) <(echo "$unrecommended_java") | column -t -s' '
+fi
+
+exit "$code"
diff --git a/security/setup.cfg b/security/setup.cfg
index 61fe7fa..6e07ada 100644
--- a/security/setup.cfg
+++ b/security/setup.cfg
@@ -14,3 +14,4 @@ xtesting.testcase =
 nonssl_endpoints = onap_security.security_tests:OnapSecurityNonSSLPorts
 jdpw_ports = onap_security.security_tests:OnapSecurityJdwpPorts
 kube_hunter = onap_security.security_tests:OnapSecurityKubeHunter
+ versions = onap_security.security_tests:OnapSecurityVersions
--
cgit 1.2.3-korg
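Review bot: The filter loop in `check_python3_version` (and identically in `check_java11_version`) passes vacuously whenever more than one version is recommended: the first iteration's result is `tr -d '"'`-stripped plain text, the second iteration feeds that text back into `jq` through `<(echo "$unrecommended")`, jq rejects it as non-JSON and prints nothing, so `unrecommended` collapses to empty — and empty is exactly what the `if [ -z … ]` at the bottom treats as "Test PASS". A single jq pass over the inspector output that reports every version not in the recommended set removes the loop and the quote-stripping, as below; the `// []` guards the case where a container has no `versions.python` key, which the original `.versions.python[]` would have errored on if the inspector can omit it (not verifiable from this hunk). Also, `VERSIONS=$(mktemp versions_XXXXXX)` creates the file in the current directory and nothing removes it; add `trap 'rm -f "$VERSIONS"' EXIT` right after that line. The `usage()` heredoc text appears garbled in this rendering (`cat < [-r ]`), so it could not be checked.

```shell
check_python3_version() {
    local recommended_versions="${1:-$(get_recommendation python3)}"
    local versions="${2:-$VERSIONS}"

    # One jq pass: emit every (pod, container, version) whose version is not
    # in the recommended set.  The earlier per-version loop fed its own
    # plain-text output back into jq, which is not JSON, so with two or more
    # recommended versions it produced nothing and the test passed vacuously.
    jq -r --arg rvers "$recommended_versions" '
        ($rvers | split("\n") | map(select(length > 0))) as $ok
        | .[] | .pod as $p | .container as $c
        | (.versions.python // [])[] | . as $v
        | select(any($ok[]; . == $v) | not)
        | "\($p) \($c) \($v)"' "$versions" | sort -u
}
# … check_java11_version: same body keyed on .versions.java and get_recommendation java11 …
```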