author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2019-03-21 22:49:38 +0100 |
---|---|---|
committer | Krzysztof Opasiak <k.opasiak@samsung.com> | 2019-03-21 23:01:49 +0100 |
commit | 28c3d2eda6db3d497b0895c139ec57a79c75f41f (patch) | |
tree | 8a970c211e75d672019f667f3553609acac0bca6 /test/security/check_for_jdwp.sh | |
parent | db2fcdd0b3cbb8df0b207bd60f30df17391d5b3e (diff) |
Add script which looks for open JDWP ports
ONAP should not expose any open JDWP ports even inside a cluster.
Let's start enforcing this by adding test script to integration which
will find all open JDWP ports.
Based on initial work by:
Radoslaw Zeszczuk <r.zeszczuk@samsung.com>
Issue-ID: SECCOM-231
Change-Id: Ica46faad55850c74ed24728d54f6afdb3301a6d2
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Diffstat (limited to 'test/security/check_for_jdwp.sh')
-rwxr-xr-x | test/security/check_for_jdwp.sh | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/test/security/check_for_jdwp.sh b/test/security/check_for_jdwp.sh
new file mode 100755
index 000000000..7bcbade64
--- /dev/null
+++ b/test/security/check_for_jdwp.sh
@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+
+# COPYRIGHT NOTICE STARTS HERE
+#
+# Copyright 2019 Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# COPYRIGHT NOTICE ENDS HERE
+
+# Check all ports exposed by pods to internal network and look for
+# open JDWP ports
+#
+# Dependencies:
+# kubectl + config
+# netcat
+#
+# Return value: Number of discovered JDWP ports
+# Output: List of pods and exposing JDWP interface
+#
+
+if [ "$#" -lt 1 ]; then
+ echo "Usage: $0 <k8s-namespace>"
+ exit 1
+fi
+
+K8S_NAMESPACE=$1
+LOCAL_PORT=12543
+
+list_pods() {
+ kubectl get po --namespace=$K8S_NAMESPACE | grep Running | awk '{print $1}' | grep -v NAME
+}
+
+do_jdwp_handshake() {
+ local ip="127.0.0.1"
+ local port=$1
+ local jdwp_challenge="JDWP-Handshake\n"
+ local jdwp_response="JDWP-Handshake"
+
+ local response=`nc $ip $port <<<$jdwp_challenge`
+ if [[ $response == *"$jdwp_response"* ]]; then
+ return 0
+ fi
+
+ return 1
+}
+# get open ports from procfs as netstat is not always available
+get_open_ports_on_pod() {
+ local pod=$1
+ local open_ports_hex=`kubectl exec --namespace=$K8S_NAMESPACE $pod cat /proc/net/tcp 2>/dev/null| grep -v "local_address" | awk '{ print $2" "$4 }' | grep '0A$' | tr ":" " " | awk '{ print $2 }' | sort | uniq`
+ for hex_port in $open_ports_hex; do
+ echo $((16#$hex_port))
+ done
+}
+
+N_PORTS=0
+
+# go through all pods
+for pod in `list_pods`; do
+ open_ports=`get_open_ports_on_pod $pod`
+ # if there is no open ports just go to next pod
+ if [ -z "$open_ports" ]; then
+ continue
+ fi
+
+ # let's setup a proxy and check every open port
+ for port in $open_ports; do
+ # run proxy
+ kubectl port-forward --namespace=$K8S_NAMESPACE $pod $LOCAL_PORT:$port &>/dev/null &
+ sleep 1
+ proxy_pid=$!
+
+ do_jdwp_handshake $LOCAL_PORT
+ if [ $? -eq 0 ]; then
+ echo $pod $port
+ ((++N_PORTS))
+ fi
+ kill $proxy_pid 2>/dev/null
+ wait $proxy_pid 2>/dev/null
+ done
+done
+
+exit $N_PORTS
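Review bot: The probe in do_jdwp_handshake can stall the whole scan, because `nc $ip $port <<<$jdwp_challenge` has no timeout and a forwarded port that accepts the connection but never replies or closes leaves nc waiting indefinitely; `nc -w 3 "$ip" "$port" <<<"$jdwp_challenge"` makes a silent port count as not-JDWP and lets the loop move on. get_open_ports_on_pod reads only /proc/net/tcp, so a JVM listening on a dual-stack IPv6 socket (the usual default on Linux unless IPv4 is forced) shows up only in /proc/net/tcp6 and is never probed; `cat /proc/net/tcp /proc/net/tcp6` feeds the same pipeline and covers both families. The `2>/dev/null` on that kubectl exec also turns a pod whose image lacks `cat` into "no open ports", which reads as a pass rather than an error, so consider reporting a non-empty stderr on the pod to stderr before continuing. Finally `exit $N_PORTS` is truncated to eight bits, so 256 findings exit 0; for CI gating a fixed non-zero status whenever N_PORTS is greater than zero is safer, with the count kept on stdout.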