aboutsummaryrefslogtreecommitdiffstats
path: root/test/security/check_for_http_endpoints.sh
diff options
context:
space:
mode:
authorPawel Wieczorek <p.wieczorek2@samsung.com>2020-03-09 16:33:53 +0100
committerPawel Wieczorek <p.wieczorek2@samsung.com>2020-03-10 15:30:04 +0100
commit331e07bb8bc2834801c61ab8a8062a7a39a8d232 (patch)
treea00e9546ca5aea12a3dd88a350187fc72b40983a /test/security/check_for_http_endpoints.sh
parent57a161d8f533d30a1d27cf72856fe8274aea7aca (diff)
Add expected failures list for HTTP endpoints tests
This patch is heavily based on previous work by Morgan Richomme <morgan.richomme@orange.com> (Change-Id: Ibaed4c5c0e5ae179af0ae317e543c1efdc9ddef2) It is intended to suppress failure reports on known plain HTTP endpoints. Introduced list of "expected failures" (or "xfail" for short) will be shrunk after resolving tickets related to INT-1480 and this patch will be eventually reverted. Issue-ID: INT-1480 Change-Id: I4edbf3efaf66bfa2dbe2f265983eb0a27048ed4e Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/check_for_http_endpoints.sh')
-rwxr-xr-xtest/security/check_for_http_endpoints.sh61
1 files changed, 50 insertions, 11 deletions
diff --git a/test/security/check_for_http_endpoints.sh b/test/security/check_for_http_endpoints.sh
index f86f77730..5e2fd85ec 100755
--- a/test/security/check_for_http_endpoints.sh
+++ b/test/security/check_for_http_endpoints.sh
@@ -29,8 +29,16 @@
# Output: List of pods exposing http endpoints
#
+usage() {
+ cat <<EOF
+Usage: $(basename $0) <k8s-namespace> [-l <list of HTTP endpoints expected to fail this test>]
+ -l: list of HTTP endpoints expected to fail this test
+EOF
+ exit ${1:-0}
+}
+
#Prerequisities commands list
-REQ_APPS=(kubectl nmap awk column sort paste grep wc)
+REQ_APPS=(kubectl nmap awk column sort paste grep wc mktemp sed cat)
# Check for prerequisites apps
for cmd in "${REQ_APPS[@]}"; do
@@ -41,11 +49,31 @@ for cmd in "${REQ_APPS[@]}"; do
done
if [ "$#" -lt 1 ]; then
- echo "Usage: $0 <k8s-namespace>"
- exit 1
+ usage 1
fi
K8S_NAMESPACE=$1
+FILTERED_PORTS_LIST=$(mktemp http_endpoints_XXXXXX)
+XF_RAW_FILE_PATH=$(mktemp raw_filtered_http_endpoints_XXXXXX)
+
+strip_white_list() {
+ if [ ! -f $XF_FILE_PATH ]; then
+ echo "File not found"
+ usage 1
+ fi
+ grep -o '^[^#]*' $XF_FILE_PATH > $XF_RAW_FILE_PATH
+}
+
+### getopts
+while :
+do
+ case $2 in
+ -h|--help|help) usage ;;
+ -l) XF_FILE_PATH=$3; strip_white_list; shift ;;
+ -*) usage 1 ;;
+ *) break ;;
+ esac
+done
# Get both values on single call as this may get slow
PORTS_SVCS=`kubectl get svc --namespace=$K8S_NAMESPACE -o go-template='{{range $item := .items}}{{range $port := $item.spec.ports}}{{if .nodePort}}{{.nodePort}}{{"\t"}}{{$item.metadata.name}}{{"\n"}}{{end}}{{end}}{{end}}' | column -t | sort -n`
@@ -67,13 +95,24 @@ SCAN_RESULT=`nmap $K8S_NODE -sV -p $PORT_LIST 2>/dev/null | grep \tcp`
RESULTS=`paste <(printf %s "$SVCS") <(printf %s "$SCAN_RESULT") | column -t`
# Find all plain http ports
-HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http`
+HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http | tee "$FILTERED_PORTS_LIST"`
+
+# Filter out whitelisted endpoints
+while IFS= read -r line; do
+ # for each line we test if it is in the white list with a regular expression
+ while IFS= read -r wl_line; do
+ wl_name=$(echo $wl_line | awk {'print $1'})
+ wl_port=$(echo $wl_line | awk {'print $2'})
+ if grep -e $wl_name.*$wl_port <<< "$line"; then
+ # Found in white list, exclude it
+ sed -i "/$line/d" $FILTERED_PORTS_LIST
+ fi
+ done < $XF_RAW_FILE_PATH
+done < $FILTERED_PORTS_LIST
# Count them
-N_HTTP=`wc -l <<<"$HTTP_PORTS"`
-
-if [ "$N_HTTP" -gt 0 ]; then
- echo "$HTTP_PORTS"
-fi
-
-exit $N_HTTP
+N_FILTERED_PORTS_LIST=$(cat $FILTERED_PORTS_LIST | wc -l)
+echo "------------------------------------"
+echo "Nb error pod(s): $N_FILTERED_PORTS_LIST"
+cat $FILTERED_PORTS_LIST
+exit $N_FILTERED_PORTS_LIST