Add "expected failure" support to non-SSL NodePort scanner

This patch makes scanner compatible with its shell predecessor. The same
"expected failure" list format is used i.e.

 # Comment line; will be ignored
 SERVICE1 NODEPORT1
 SERVICE2 NODEPORT2

Single space character is used as a field separator.

Issue-ID: SECCOM-261
Change-Id: Ieedd4e98a83ffe242c695133fdf7342e17efa9a2
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

2 files changed, 61 insertions, 3 deletions

diff --git a/test/security/sslendpoints/README b/test/security/sslendpoints/README
index bf39f0148..ba21b12ea 100644
--- a/test/security/sslendpoints/README
+++ b/test/security/sslendpoints/README
@@ -14,6 +14,11 @@ Configuration
 ``-kubeconfig``
   Optional unless ``$HOME`` is not set. Defaults to ``$HOME/.kube/config``.
 
+``-xfail``
+  Optional list of services with corresponding NodePorts which do not use SSL
+  tunnels. These ports are known as "expected failures" and will not be
+  checked.
+
 Build (local)
 ~~~~~~~~~~~~~
 
@@ -70,7 +75,7 @@ Command (local)
 
 .. code-block:: shell
 
-    $ bin/sslendpoints [-kubeconfig KUBECONFIG]
+    $ bin/sslendpoints [-kubeconfig KUBECONFIG] [-xfail XFAIL]
 
 Command (Docker)
 ~~~~~~~~~~~~~~~~
@@ -83,6 +88,13 @@ Command (Docker)
     $ docker run --rm --volume $KUBECONFIG:/opt/config \
         sslendpoints-build-img /bin/sslendpoints -kubeconfig /opt/config
 
+    $ docker run --rm \
+        --volume $KUBECONFIG:/opt/config \
+        --volume $XFAIL:/opt/xfail \
+        sslendpoints-build-img /bin/sslendpoints \
+            -kubeconfig /opt/config
+            -xfail /opt/xfail
+
 Output
 ~~~~~~
 
diff --git a/test/security/sslendpoints/main.go b/test/security/sslendpoints/main.go
index e5a76eb78..8c136d5c4 100644
--- a/test/security/sslendpoints/main.go
+++ b/test/security/sslendpoints/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"encoding/csv"
 	"flag"
 	"log"
 	"os"
@@ -18,17 +19,47 @@ import (
 
 const (
 	ipv4AddrType = "ipv4"
+
+	xfailComma   = ' '
+	xfailComment = '#'
+	xfailFields  = 2
+)
+
+var (
+	kubeconfig *string
+	xfailName  *string
 )
 
 func main() {
-	var kubeconfig *string
 	if home := os.Getenv("HOME"); home != "" {
 		kubeconfig = flag.String("kubeconfig", filepath.Join(home, ".kube", "config"), "(optional) absolute path to the kubeconfig file")
 	} else {
 		kubeconfig = flag.String("kubeconfig", "", "absolute path to the kubeconfig file")
 	}
+	xfailName = flag.String("xfail", "", "(optional) absolute path to the expected failures file")
 	flag.Parse()
 
+	var xfails [][]string
+	if *xfailName != "" {
+		xfailFile, err := os.Open(*xfailName)
+		if err != nil {
+			log.Printf("Unable to open expected failures file: %v", err)
+			log.Println("All non-SSL NodePorts will be reported")
+		}
+		defer xfailFile.Close()
+
+		r := csv.NewReader(xfailFile)
+		r.Comma = xfailComma
+		r.Comment = xfailComment
+		r.FieldsPerRecord = xfailFields
+
+		xfails, err = r.ReadAll()
+		if err != nil {
+			log.Printf("Unable to read expected failures file: %v", err)
+			log.Println("All non-SSL NodePorts will be reported")
+		}
+	}
+
 	// use the current context in kubeconfig
 	config, err := clientcmd.BuildConfigFromFlags("", *kubeconfig)
 	if err != nil {
@@ -67,7 +98,22 @@ func main() {
 		os.Exit(0)
 	}
 
-	// TODO: filter out expected failures here before running the scan
+	// filter out expected failures here before running the scan
+	for _, xfail := range xfails {
+		port, err := strconv.Atoi(xfail[1])
+		if err != nil {
+			log.Printf("Unable to parse port expected to fail: %v", err)
+			continue
+		}
+		service, ok := nodeports[uint16(port)]
+		if !ok {
+			continue
+		}
+		if service != xfail[0] {
+			continue
+		}
+		delete(nodeports, uint16(port))
+	}
 
 	// extract ports for running the scan
 	var ports []string