diff options
| author |   Pawel Wieczorek <p.wieczorek2@samsung.com> | 2020-03-10 15:22:55 +0100 |
|---|---|---|
| committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2020-03-10 15:30:04 +0100 |
| commit | 3a474afa535a225e47c8f6e287a46dc8ee65f1d7 (patch) | |
| tree | 04ee97a78744e1162d3c5ff94f35638625287e12 /test/security/check_for_http_endpoints.sh | |
| parent | 331e07bb8bc2834801c61ab8a8062a7a39a8d232 (diff) | |
Drop filtering out services recognized as HTTP
This patch extends tool used to detect plain HTTP ports to report all
non-SSL endpoints. Previously it omitted services not recognized as
HTTP.
Naming changes were made to reflect purpose of this tool better.
Issue-ID: INT-1480
Change-Id: I58a152022d48121bf4b9c6180ddc820dd4a79805
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/check_for_http_endpoints.sh')
| -rwxr-xr-x | test/security/check_for_http_endpoints.sh | 118 |
1 files changed, 0 insertions, 118 deletions
diff --git a/test/security/check_for_http_endpoints.sh b/test/security/check_for_http_endpoints.sh deleted file mode 100755 index 5e2fd85ec..000000000 --- a/test/security/check_for_http_endpoints.sh +++ /dev/null @@ -1,118 +0,0 @@ -#!/usr/bin/env bash - -# COPYRIGHT NOTICE STARTS HERE -# -# Copyright 2019 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# COPYRIGHT NOTICE ENDS HERE - -# Check all ports exposed outside of kubernetes cluster looking for plain http -# endpoints. -# -# Dependencies: -# nmap -# kubectl + config -# -# Return value: Number of discovered http ports -# Output: List of pods exposing http endpoints -# - -usage() { - cat <<EOF -Usage: $(basename $0) <k8s-namespace> [-l <list of HTTP endpoints expected to fail this test>] - -l: list of HTTP endpoints expected to fail this test -EOF - exit ${1:-0} -} - -#Prerequisities commands list -REQ_APPS=(kubectl nmap awk column sort paste grep wc mktemp sed cat) - -# Check for prerequisites apps -for cmd in "${REQ_APPS[@]}"; do - if ! [ -x "$(command -v "$cmd")" ]; then - echo "Error: command $cmd is not installed" - exit 1 - fi -done - -if [ "$#" -lt 1 ]; then - usage 1 -fi - -K8S_NAMESPACE=$1 -FILTERED_PORTS_LIST=$(mktemp http_endpoints_XXXXXX) -XF_RAW_FILE_PATH=$(mktemp raw_filtered_http_endpoints_XXXXXX) - -strip_white_list() { - if [ ! -f $XF_FILE_PATH ]; then - echo "File not found" - usage 1 - fi - grep -o '^[^#]*' $XF_FILE_PATH > $XF_RAW_FILE_PATH -} - -### getopts -while : -do - case $2 in - -h|--help|help) usage ;; - -l) XF_FILE_PATH=$3; strip_white_list; shift ;; - -*) usage 1 ;; - *) break ;; - esac -done - -# Get both values on single call as this may get slow -PORTS_SVCS=`kubectl get svc --namespace=$K8S_NAMESPACE -o go-template='{{range $item := .items}}{{range $port := $item.spec.ports}}{{if .nodePort}}{{.nodePort}}{{"\t"}}{{$item.metadata.name}}{{"\n"}}{{end}}{{end}}{{end}}' | column -t | sort -n` - -# Split port number and service name -PORTS=`awk '{print $1}' <<<"$PORTS_SVCS"` -SVCS=`awk '{print $2}' <<<"$PORTS_SVCS"` - -# Create a list in nmap-compatible format -PORT_LIST=`tr "\\n" "," <<<"$PORTS" | sed 's/,$//'; echo ''` - -# Get IP address of some cluster node (both "external-ip" and "ExternalIP" labels are matched) -K8S_NODE=`kubectl describe nodes \`kubectl get nodes | grep -v NAME | head -n 1 | awk '{print $1}'\` | grep "external-ip\|ExternalIP" | awk '{print $2}'` - -# perform scan -SCAN_RESULT=`nmap $K8S_NODE -sV -p $PORT_LIST 2>/dev/null | grep \tcp` - -# Concatenate scan result with service name -RESULTS=`paste <(printf %s "$SVCS") <(printf %s "$SCAN_RESULT") | column -t` - -# Find all plain http ports -HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http | tee "$FILTERED_PORTS_LIST"` - -# Filter out whitelisted endpoints -while IFS= read -r line; do - # for each line we test if it is in the white list with a regular expression - while IFS= read -r wl_line; do - wl_name=$(echo $wl_line | awk {'print $1'}) - wl_port=$(echo $wl_line | awk {'print $2'}) - if grep -e $wl_name.*$wl_port <<< "$line"; then - # Found in white list, exclude it - sed -i "/$line/d" $FILTERED_PORTS_LIST - fi - done < $XF_RAW_FILE_PATH -done < $FILTERED_PORTS_LIST - -# Count them -N_FILTERED_PORTS_LIST=$(cat $FILTERED_PORTS_LIST | wc -l) -echo "------------------------------------" -echo "Nb error pod(s): $N_FILTERED_PORTS_LIST" -cat $FILTERED_PORTS_LIST -exit $N_FILTERED_PORTS_LIST |