authorPawel Wieczorek <p.wieczorek2@samsung.com>2020-03-13 14:14:55 +0100
committerBartek Grzybowski <b.grzybowski@partner.samsung.com>2020-03-25 13:08:24 +0000
commit8a7af5c45393636ab82ff1932b7d14224e449034 (patch)
tree92b90158725ed694130e772f43b8b590b3d03f83 /test/security/sslendpoints/main.go
parent935f1b85d99c2feb619d4e04dbb52201b79c90e7 (diff)
Run port scan
Issue-ID: SECCOM-261 Change-Id: I465282a8793191c45d288284a127e80e1fecf513 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/sslendpoints/main.go')
-rw-r--r--test/security/sslendpoints/main.go58
1 files changed, 56 insertions, 2 deletions
diff --git a/test/security/sslendpoints/main.go b/test/security/sslendpoints/main.go
index 68d11b361..e5a76eb78 100644
--- a/test/security/sslendpoints/main.go
+++ b/test/security/sslendpoints/main.go
@@ -5,14 +5,21 @@ import (
"log"
"os"
"path/filepath"
+ "strconv"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/clientcmd"
+ "github.com/Ullaakut/nmap"
+
"onap.local/sslendpoints/ports"
)
+const (
+ ipv4AddrType = "ipv4"
+)
+
func main() {
var kubeconfig *string
if home := os.Getenv("HOME"); home != "" {
@@ -59,6 +66,53 @@ func main() {
log.Println("There are no NodePorts in the cluster")
os.Exit(0)
}
- log.Printf("There are %d NodePorts in the cluster\n", len(nodeports))
- os.Exit(len(nodeports))
+
+ // TODO: filter out expected failures here before running the scan
+
+ // extract ports for running the scan
+ var ports []string
+ for port := range nodeports {
+ ports = append(ports, strconv.Itoa(int(port)))
+ }
+
+ // run nmap on the first address found for given cluster [1] filtering out SSL-tunelled ports
+ // [1] https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+ // "Each node proxies that port (the same port number on every Node) into your Service."
+ scanner, err := nmap.NewScanner(
+ nmap.WithTargets(addresses[0]),
+ nmap.WithPorts(ports...),
+ nmap.WithServiceInfo(),
+ nmap.WithTimingTemplate(nmap.TimingAggressive),
+ nmap.WithFilterPort(func(p nmap.Port) bool {
+ return p.Service.Tunnel == "ssl"
+ }),
+ )
+ if err != nil {
+ log.Panicf("Unable to create nmap scanner: %v", err)
+ }
+
+ result, _, err := scanner.Run()
+ if err != nil {
+ log.Panicf("Scan failed: %v", err)
+ }
+
+ // scan was run on a single host
+ if len(result.Hosts) < 1 {
+ log.Panicln("No host information in scan results")
+ }
+
+ // host address in the results might be ipv4 or mac
+ for _, address := range result.Hosts[0].Addresses {
+ if address.AddrType == ipv4AddrType {
+ log.Printf("Host %s\n", address)
+ }
+ }
+ log.Printf("PORT\tSERVICE")
+ for _, port := range result.Hosts[0].Ports {
+ log.Printf("%d\t%s\n", port.ID, nodeports[port.ID])
+ }
+
+ // report non-SSL services and their number
+ log.Printf("There are %d non-SSL NodePorts in the cluster\n", len(result.Hosts[0].Ports))
+ os.Exit(len(result.Hosts[0].Ports))
}
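Review bot: The port filter passed to `nmap.WithFilterPort` looks inverted relative to the report it feeds: the library keeps a port when the predicate returns true, so `return p.Service.Tunnel == "ssl"` retains the SSL-tunnelled ports, yet the lines that follow print them under the heading "non-SSL NodePorts" and use their count as the exit status; if that reading of the library is right, the predicate should be `return p.Service.Tunnel != "ssl"`. The `log.Printf("Host %s\n", address)` call formats the whole `nmap.Address` struct rather than the address string; `address.Addr` is what the reader of the log expects. The exit status `os.Exit(len(result.Hosts[0].Ports))` is truncated to eight bits by the OS, so a count of 256 reports as success and larger counts wrap; clamping to 255 (or exiting 1 when any port is found and leaving the count to the log) would keep the signal unambiguous, a weakness the removed `os.Exit(len(nodeports))` already had. The second return value of `scanner.Run()` is discarded; it carries nmap's warnings, and logging it would help diagnose scans that return no hosts. The body of `main` begins before this hunk.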