diff options
author | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2020-03-09 16:33:53 +0100 |
---|---|---|
committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2020-03-10 15:30:04 +0100 |
commit | 331e07bb8bc2834801c61ab8a8062a7a39a8d232 (patch) | |
tree | a00e9546ca5aea12a3dd88a350187fc72b40983a /test/security/check_for_http_endpoints.sh | |
parent | 57a161d8f533d30a1d27cf72856fe8274aea7aca (diff) |
Add expected failures list for HTTP endpoints tests
This patch is heavily based on previous work by
Morgan Richomme <morgan.richomme@orange.com>
(Change-Id: Ibaed4c5c0e5ae179af0ae317e543c1efdc9ddef2)
It is intended to suppress failure reports on known plain HTTP
endpoints. Introduced list of "expected failures" (or "xfail" for short)
will be shrunk after resolving tickets related to INT-1480 and this
patch will be eventually reverted.
Issue-ID: INT-1480
Change-Id: I4edbf3efaf66bfa2dbe2f265983eb0a27048ed4e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/check_for_http_endpoints.sh')
-rwxr-xr-x | test/security/check_for_http_endpoints.sh | 61 |
1 files changed, 50 insertions, 11 deletions
diff --git a/test/security/check_for_http_endpoints.sh b/test/security/check_for_http_endpoints.sh index f86f77730..5e2fd85ec 100755 --- a/test/security/check_for_http_endpoints.sh +++ b/test/security/check_for_http_endpoints.sh @@ -29,8 +29,16 @@ # Output: List of pods exposing http endpoints # +usage() { + cat <<EOF +Usage: $(basename $0) <k8s-namespace> [-l <list of HTTP endpoints expected to fail this test>] + -l: list of HTTP endpoints expected to fail this test +EOF + exit ${1:-0} +} + #Prerequisities commands list -REQ_APPS=(kubectl nmap awk column sort paste grep wc) +REQ_APPS=(kubectl nmap awk column sort paste grep wc mktemp sed cat) # Check for prerequisites apps for cmd in "${REQ_APPS[@]}"; do @@ -41,11 +49,31 @@ for cmd in "${REQ_APPS[@]}"; do done if [ "$#" -lt 1 ]; then - echo "Usage: $0 <k8s-namespace>" - exit 1 + usage 1 fi K8S_NAMESPACE=$1 +FILTERED_PORTS_LIST=$(mktemp http_endpoints_XXXXXX) +XF_RAW_FILE_PATH=$(mktemp raw_filtered_http_endpoints_XXXXXX) + +strip_white_list() { + if [ ! -f $XF_FILE_PATH ]; then + echo "File not found" + usage 1 + fi + grep -o '^[^#]*' $XF_FILE_PATH > $XF_RAW_FILE_PATH +} + +### getopts +while : +do + case $2 in + -h|--help|help) usage ;; + -l) XF_FILE_PATH=$3; strip_white_list; shift ;; + -*) usage 1 ;; + *) break ;; + esac +done # Get both values on single call as this may get slow PORTS_SVCS=`kubectl get svc --namespace=$K8S_NAMESPACE -o go-template='{{range $item := .items}}{{range $port := $item.spec.ports}}{{if .nodePort}}{{.nodePort}}{{"\t"}}{{$item.metadata.name}}{{"\n"}}{{end}}{{end}}{{end}}' | column -t | sort -n` @@ -67,13 +95,24 @@ SCAN_RESULT=`nmap $K8S_NODE -sV -p $PORT_LIST 2>/dev/null | grep \tcp` RESULTS=`paste <(printf %s "$SVCS") <(printf %s "$SCAN_RESULT") | column -t` # Find all plain http ports -HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http` +HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http | tee "$FILTERED_PORTS_LIST"` + +# Filter out whitelisted endpoints +while IFS= read -r line; do + # for each line we test if it is in the white list with a regular expression + while IFS= read -r wl_line; do + wl_name=$(echo $wl_line | awk {'print $1'}) + wl_port=$(echo $wl_line | awk {'print $2'}) + if grep -e $wl_name.*$wl_port <<< "$line"; then + # Found in white list, exclude it + sed -i "/$line/d" $FILTERED_PORTS_LIST + fi + done < $XF_RAW_FILE_PATH +done < $FILTERED_PORTS_LIST # Count them -N_HTTP=`wc -l <<<"$HTTP_PORTS"` - -if [ "$N_HTTP" -gt 0 ]; then - echo "$HTTP_PORTS" -fi - -exit $N_HTTP +N_FILTERED_PORTS_LIST=$(cat $FILTERED_PORTS_LIST | wc -l) +echo "------------------------------------" +echo "Nb error pod(s): $N_FILTERED_PORTS_LIST" +cat $FILTERED_PORTS_LIST +exit $N_FILTERED_PORTS_LIST |