aboutsummaryrefslogtreecommitdiffstats
path: root/test/security
diff options
context:
space:
mode:
authorPawel Wieczorek <p.wieczorek2@samsung.com>2020-03-10 15:22:55 +0100
committerPawel Wieczorek <p.wieczorek2@samsung.com>2020-03-10 15:30:04 +0100
commit3a474afa535a225e47c8f6e287a46dc8ee65f1d7 (patch)
tree04ee97a78744e1162d3c5ff94f35638625287e12 /test/security
parent331e07bb8bc2834801c61ab8a8062a7a39a8d232 (diff)
Drop filtering out services recognized as HTTP
This patch extends tool used to detect plain HTTP ports to report all non-SSL endpoints. Previously it omitted services not recognized as HTTP. Naming changes were made to reflect purpose of this tool better. Issue-ID: INT-1480 Change-Id: I58a152022d48121bf4b9c6180ddc820dd4a79805 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security')
-rwxr-xr-xtest/security/check_for_nonssl_endpoints.sh (renamed from test/security/check_for_http_endpoints.sh)18
1 files changed, 9 insertions, 9 deletions
diff --git a/test/security/check_for_http_endpoints.sh b/test/security/check_for_nonssl_endpoints.sh
index 5e2fd85ec..6056e0371 100755
--- a/test/security/check_for_http_endpoints.sh
+++ b/test/security/check_for_nonssl_endpoints.sh
@@ -18,21 +18,21 @@
#
# COPYRIGHT NOTICE ENDS HERE
-# Check all ports exposed outside of kubernetes cluster looking for plain http
+# Check all ports exposed outside of kubernetes cluster looking for non-SSL
# endpoints.
#
# Dependencies:
# nmap
# kubectl + config
#
-# Return value: Number of discovered http ports
-# Output: List of pods exposing http endpoints
+# Return value: Number of discovered non-SSL ports
+# Output: List of pods exposing non-SSL endpoints
#
usage() {
cat <<EOF
-Usage: $(basename $0) <k8s-namespace> [-l <list of HTTP endpoints expected to fail this test>]
- -l: list of HTTP endpoints expected to fail this test
+Usage: $(basename $0) <k8s-namespace> [-l <list of non-SSL endpoints expected to fail this test>]
+ -l: list of non-SSL endpoints expected to fail this test
EOF
exit ${1:-0}
}
@@ -53,8 +53,8 @@ if [ "$#" -lt 1 ]; then
fi
K8S_NAMESPACE=$1
-FILTERED_PORTS_LIST=$(mktemp http_endpoints_XXXXXX)
-XF_RAW_FILE_PATH=$(mktemp raw_filtered_http_endpoints_XXXXXX)
+FILTERED_PORTS_LIST=$(mktemp nonssl_endpoints_XXXXXX)
+XF_RAW_FILE_PATH=$(mktemp raw_filtered_nonssl_endpoints_XXXXXX)
strip_white_list() {
if [ ! -f $XF_FILE_PATH ]; then
@@ -94,8 +94,8 @@ SCAN_RESULT=`nmap $K8S_NODE -sV -p $PORT_LIST 2>/dev/null | grep \tcp`
# Concatenate scan result with service name
RESULTS=`paste <(printf %s "$SVCS") <(printf %s "$SCAN_RESULT") | column -t`
-# Find all plain http ports
-HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http | tee "$FILTERED_PORTS_LIST"`
+# Find all non-SSL ports
+HTTP_PORTS=`grep -v ssl <<< "$RESULTS" | tee "$FILTERED_PORTS_LIST"`
# Filter out whitelisted endpoints
while IFS= read -r line; do