aboutsummaryrefslogtreecommitdiffstats
path: root/test/security
diff options
context:
space:
mode:
Diffstat (limited to 'test/security')
-rw-r--r--test/security/sslendpoints/README19
-rw-r--r--test/security/sslendpoints/go.mod1
-rw-r--r--test/security/sslendpoints/go.sum2
-rw-r--r--test/security/sslendpoints/main.go58
4 files changed, 78 insertions, 2 deletions
diff --git a/test/security/sslendpoints/README b/test/security/sslendpoints/README
index ffedb11d1..bf39f0148 100644
--- a/test/security/sslendpoints/README
+++ b/test/security/sslendpoints/README
@@ -86,6 +86,25 @@ Command (Docker)
Output
~~~~~~
+.. code-block:: shell
+
+ $ ./sslendpoints -kubeconfig ~/.kube/config.onap
+ 2020/03/17 10:40:29 Host 192.168.2.10
+ 2020/03/17 10:40:29 PORT SERVICE
+ 2020/03/17 10:40:29 30203 sdnc-dgbuilder
+ 2020/03/17 10:40:29 30204 sdc-be
+ 2020/03/17 10:40:29 30207 sdc-fe
+ 2020/03/17 10:40:29 30220 aai-sparky-be
+ 2020/03/17 10:40:29 30226 message-router
+ 2020/03/17 10:40:29 30233 aai
+ 2020/03/17 10:40:29 30256 sdc-wfd-fe
+ 2020/03/17 10:40:29 30257 sdc-wfd-be
+ 2020/03/17 10:40:29 30264 sdc-dcae-fe
+ 2020/03/17 10:40:29 30266 sdc-dcae-dt
+ 2020/03/17 10:40:29 30279 aai-babel
+ 2020/03/17 10:40:29 30406 so-vnfm-adapter
+ 2020/03/17 10:40:29 There are 12 non-SSL NodePorts in the cluster
+
Testing
-------
diff --git a/test/security/sslendpoints/go.mod b/test/security/sslendpoints/go.mod
index 1d9905efa..6037ee0ae 100644
--- a/test/security/sslendpoints/go.mod
+++ b/test/security/sslendpoints/go.mod
@@ -3,6 +3,7 @@ module onap.local/sslendpoints
go 1.13
require (
+ github.com/Ullaakut/nmap v2.0.0+incompatible
github.com/imdario/mergo v0.3.8 // indirect
github.com/onsi/ginkgo v1.10.1
github.com/onsi/gomega v1.7.0
diff --git a/test/security/sslendpoints/go.sum b/test/security/sslendpoints/go.sum
index d0577b3e1..2ed062aa4 100644
--- a/test/security/sslendpoints/go.sum
+++ b/test/security/sslendpoints/go.sum
@@ -3,6 +3,8 @@ github.com/Azure/go-autorest v11.1.2+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSW
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/Ullaakut/nmap v2.0.0+incompatible h1:tNXub052dsnG8+yrgpph9nhVixIBdpRRgzvmQoc8eBA=
+github.com/Ullaakut/nmap v2.0.0+incompatible/go.mod h1:fkC066hwfcoKwlI7DS2ARTggSVtBTZYCjVH1TzuTMaQ=
github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
diff --git a/test/security/sslendpoints/main.go b/test/security/sslendpoints/main.go
index 68d11b361..e5a76eb78 100644
--- a/test/security/sslendpoints/main.go
+++ b/test/security/sslendpoints/main.go
@@ -5,14 +5,21 @@ import (
"log"
"os"
"path/filepath"
+ "strconv"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/clientcmd"
+ "github.com/Ullaakut/nmap"
+
"onap.local/sslendpoints/ports"
)
+const (
+ ipv4AddrType = "ipv4"
+)
+
func main() {
var kubeconfig *string
if home := os.Getenv("HOME"); home != "" {
@@ -59,6 +66,53 @@ func main() {
log.Println("There are no NodePorts in the cluster")
os.Exit(0)
}
- log.Printf("There are %d NodePorts in the cluster\n", len(nodeports))
- os.Exit(len(nodeports))
+
+ // TODO: filter out expected failures here before running the scan
+
+ // extract ports for running the scan
+ var ports []string
+ for port := range nodeports {
+ ports = append(ports, strconv.Itoa(int(port)))
+ }
+
+ // run nmap on the first address found for given cluster [1] filtering out SSL-tunelled ports
+ // [1] https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+ // "Each node proxies that port (the same port number on every Node) into your Service."
+ scanner, err := nmap.NewScanner(
+ nmap.WithTargets(addresses[0]),
+ nmap.WithPorts(ports...),
+ nmap.WithServiceInfo(),
+ nmap.WithTimingTemplate(nmap.TimingAggressive),
+ nmap.WithFilterPort(func(p nmap.Port) bool {
+ return p.Service.Tunnel == "ssl"
+ }),
+ )
+ if err != nil {
+ log.Panicf("Unable to create nmap scanner: %v", err)
+ }
+
+ result, _, err := scanner.Run()
+ if err != nil {
+ log.Panicf("Scan failed: %v", err)
+ }
+
+ // scan was run on a single host
+ if len(result.Hosts) < 1 {
+ log.Panicln("No host information in scan results")
+ }
+
+ // host address in the results might be ipv4 or mac
+ for _, address := range result.Hosts[0].Addresses {
+ if address.AddrType == ipv4AddrType {
+ log.Printf("Host %s\n", address)
+ }
+ }
+ log.Printf("PORT\tSERVICE")
+ for _, port := range result.Hosts[0].Ports {
+ log.Printf("%d\t%s\n", port.ID, nodeports[port.ID])
+ }
+
+ // report non-SSL services and their number
+ log.Printf("There are %d non-SSL NodePorts in the cluster\n", len(result.Hosts[0].Ports))
+ os.Exit(len(result.Hosts[0].Ports))
}