aboutsummaryrefslogtreecommitdiffstats
path: root/test/security/check_for_jdwp.sh
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2019-03-21 22:49:38 +0100
committerKrzysztof Opasiak <k.opasiak@samsung.com>2019-03-21 23:01:49 +0100
commit28c3d2eda6db3d497b0895c139ec57a79c75f41f (patch)
tree8a970c211e75d672019f667f3553609acac0bca6 /test/security/check_for_jdwp.sh
parentdb2fcdd0b3cbb8df0b207bd60f30df17391d5b3e (diff)
Add script which looks for open JDWP ports
ONAP should not expose any open JDWP ports even inside a cluser. Let's start enforcing this by adding test script to integration which will find all open JDWP ports. Based on initial work by: Radoslaw Zeszczuk <r.zeszczuk@samsung.com> Issue-ID: SECCOM-231 Change-Id: Ica46faad55850c74ed24728d54f6afdb3301a6d2 Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Diffstat (limited to 'test/security/check_for_jdwp.sh')
-rwxr-xr-xtest/security/check_for_jdwp.sh93
1 files changed, 93 insertions, 0 deletions
diff --git a/test/security/check_for_jdwp.sh b/test/security/check_for_jdwp.sh
new file mode 100755
index 000000000..7bcbade64
--- /dev/null
+++ b/test/security/check_for_jdwp.sh
@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+
+# COPYRIGHT NOTICE STARTS HERE
+#
+# Copyright 2019 Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# COPYRIGHT NOTICE ENDS HERE
+
+# Check all ports exposed by pods to internal network and look for
+# open JDWP ports
+#
+# Dependencies:
+# kubectl + config
+# netcat
+#
+# Return value: Number of discovered JDWP ports
+# Output: List of pods and exposing JDWP interface
+#
+
+if [ "$#" -lt 1 ]; then
+ echo "Usage: $0 <k8s-namespace>"
+ exit 1
+fi
+
+K8S_NAMESPACE=$1
+LOCAL_PORT=12543
+
+list_pods() {
+ kubectl get po --namespace=$K8S_NAMESPACE | grep Running | awk '{print $1}' | grep -v NAME
+}
+
+do_jdwp_handshake() {
+ local ip="127.0.0.1"
+ local port=$1
+ local jdwp_challenge="JDWP-Handshake\n"
+ local jdwp_response="JDWP-Handshake"
+
+ local response=`nc $ip $port <<<$jdwp_challenge`
+ if [[ $response == *"$jdwp_response"* ]]; then
+ return 0
+ fi
+
+ return 1
+}
+# get open ports from procfs as netstat is not always available
+get_open_ports_on_pod() {
+ local pod=$1
+ local open_ports_hex=`kubectl exec --namespace=$K8S_NAMESPACE $pod cat /proc/net/tcp 2>/dev/null| grep -v "local_address" | awk '{ print $2" "$4 }' | grep '0A$' | tr ":" " " | awk '{ print $2 }' | sort | uniq`
+ for hex_port in $open_ports_hex; do
+ echo $((16#$hex_port))
+ done
+}
+
+N_PORTS=0
+
+# go through all pods
+for pod in `list_pods`; do
+ open_ports=`get_open_ports_on_pod $pod`
+ # if there is no open ports just go to next pod
+ if [ -z "$open_ports" ]; then
+ continue
+ fi
+
+ # let's setup a proxy and check every open port
+ for port in $open_ports; do
+ # run proxy
+ kubectl port-forward --namespace=$K8S_NAMESPACE $pod $LOCAL_PORT:$port &>/dev/null &
+ sleep 1
+ proxy_pid=$!
+
+ do_jdwp_handshake $LOCAL_PORT
+ if [ $? -eq 0 ]; then
+ echo $pod $port
+ ((++N_PORTS))
+ fi
+ kill $proxy_pid 2>/dev/null
+ wait $proxy_pid 2>/dev/null
+ done
+done
+
+exit $N_PORTS