aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xtest/security/check_for_http_endpoints.sh61
-rw-r--r--test/security/http_xfail.txt5
2 files changed, 55 insertions, 11 deletions
diff --git a/test/security/check_for_http_endpoints.sh b/test/security/check_for_http_endpoints.sh
index f86f77730..5e2fd85ec 100755
--- a/test/security/check_for_http_endpoints.sh
+++ b/test/security/check_for_http_endpoints.sh
@@ -29,8 +29,16 @@
# Output: List of pods exposing http endpoints
#
+usage() {
+ cat <<EOF
+Usage: $(basename $0) <k8s-namespace> [-l <list of HTTP endpoints expected to fail this test>]
+ -l: list of HTTP endpoints expected to fail this test
+EOF
+ exit ${1:-0}
+}
+
#Prerequisities commands list
-REQ_APPS=(kubectl nmap awk column sort paste grep wc)
+REQ_APPS=(kubectl nmap awk column sort paste grep wc mktemp sed cat)
# Check for prerequisites apps
for cmd in "${REQ_APPS[@]}"; do
@@ -41,11 +49,31 @@ for cmd in "${REQ_APPS[@]}"; do
done
if [ "$#" -lt 1 ]; then
- echo "Usage: $0 <k8s-namespace>"
- exit 1
+ usage 1
fi
K8S_NAMESPACE=$1
+FILTERED_PORTS_LIST=$(mktemp http_endpoints_XXXXXX)
+XF_RAW_FILE_PATH=$(mktemp raw_filtered_http_endpoints_XXXXXX)
+
+strip_white_list() {
+ if [ ! -f $XF_FILE_PATH ]; then
+ echo "File not found"
+ usage 1
+ fi
+ grep -o '^[^#]*' $XF_FILE_PATH > $XF_RAW_FILE_PATH
+}
+
+### getopts
+while :
+do
+ case $2 in
+ -h|--help|help) usage ;;
+ -l) XF_FILE_PATH=$3; strip_white_list; shift ;;
+ -*) usage 1 ;;
+ *) break ;;
+ esac
+done
# Get both values on single call as this may get slow
PORTS_SVCS=`kubectl get svc --namespace=$K8S_NAMESPACE -o go-template='{{range $item := .items}}{{range $port := $item.spec.ports}}{{if .nodePort}}{{.nodePort}}{{"\t"}}{{$item.metadata.name}}{{"\n"}}{{end}}{{end}}{{end}}' | column -t | sort -n`
@@ -67,13 +95,24 @@ SCAN_RESULT=`nmap $K8S_NODE -sV -p $PORT_LIST 2>/dev/null | grep \tcp`
RESULTS=`paste <(printf %s "$SVCS") <(printf %s "$SCAN_RESULT") | column -t`
# Find all plain http ports
-HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http`
+HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http | tee "$FILTERED_PORTS_LIST"`
+
+# Filter out whitelisted endpoints
+while IFS= read -r line; do
+ # for each line we test if it is in the white list with a regular expression
+ while IFS= read -r wl_line; do
+ wl_name=$(echo $wl_line | awk {'print $1'})
+ wl_port=$(echo $wl_line | awk {'print $2'})
+ if grep -e $wl_name.*$wl_port <<< "$line"; then
+ # Found in white list, exclude it
+ sed -i "/$line/d" $FILTERED_PORTS_LIST
+ fi
+ done < $XF_RAW_FILE_PATH
+done < $FILTERED_PORTS_LIST
# Count them
-N_HTTP=`wc -l <<<"$HTTP_PORTS"`
-
-if [ "$N_HTTP" -gt 0 ]; then
- echo "$HTTP_PORTS"
-fi
-
-exit $N_HTTP
+N_FILTERED_PORTS_LIST=$(cat $FILTERED_PORTS_LIST | wc -l)
+echo "------------------------------------"
+echo "Nb error pod(s): $N_FILTERED_PORTS_LIST"
+cat $FILTERED_PORTS_LIST
+exit $N_FILTERED_PORTS_LIST
diff --git a/test/security/http_xfail.txt b/test/security/http_xfail.txt
new file mode 100644
index 000000000..a531fc30a
--- /dev/null
+++ b/test/security/http_xfail.txt
@@ -0,0 +1,5 @@
+# Expected failure list for plain HTTP endpoints
+robot 30209
+message-router 30227
+sniro-emulator 30288
+aaf-fs 31115