aboutsummaryrefslogtreecommitdiffstats
path: root/test/security/sslendpoints
AgeCommit message (Collapse)AuthorFilesLines
2020-11-25Unify variable initializationPawel Wieczorek1-1/+1
It is not possible to know "expected fails" list length upfront, hence there is no need to call "make" on "xfails" map - there are no optimization profits. Issue-ID: INT-1582 Change-Id: I0e21d83098359359d17661e6265760d7e95739b9 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-11-25Add namespace filtering to SSL endpoints checkPawel Wieczorek1-1/+8
Utility "sslendpoints" now supports scanning only selected Kubernetes cluster namespace. To do so, add "-namespace" flag with namespace of your choice as its argument to the executed command. Default behavior remained unchanged, i.e. scan covers all namespaces. Issue-ID: INT-1582 Change-Id: If5534b76bca94248a5003d735c25328648e478a1 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-11-25Remove build directory nestingPawel Wieczorek1-3/+2
This patch also removes unnecessary directory creation. Command: 'go build -o "${BINARIES}"' creates required file tree on its own. Issue-ID: SECCOM-261 Change-Id: I6b492a2d5f61ce6e139bfe718256357c9d343a6b Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-11-25Simplify composite literalsPawel Wieczorek1-50/+50
Utility "gopls" used to analyse Go source did not support code simplifications as of writing "sslendpoints" tool [1]. Simplifying composite literals is now supported [2]. [1] https://github.com/golang/go/issues/37221 [2] https://github.com/golang/tools/commit/e428a8eca3e395a1b415fd3aee1610aabb61b8b5 Issue-ID: SECCOM-261 Change-Id: I757ff8aefed4c7653f3992f9c1b7b0f3e6c10ea3 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-08-10Drop using symlinks for documentation markup renderingPawel Wieczorek2-136/+135
Keeping only symlinks as the markup indicator does not trigger CI on relevant patches changing documentation contents (there's no change in symlink). This can be resolved by dropping symlinks usage entirely. Sphinx and RTD aren't going anywhere anytime soon. To make sure all symlinks were replaced following one-liner was used: $ find . -type l -name "*.rst" -exec readlink -e {} \; \ | xargs -I% git mv -f %{,.rst} which finds all the symlinks in the repo with "*.rst" suffix, then reads which file they link to and finally replaces given symlink with that file. This solution was suggested by: Bartek Grzybowski <b.grzybowski@partner.samsung.com> Issue-ID: INT-1672 Change-Id: I120e216b0b48032bb7b80c23cad799cd6f7cca53 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-05-08Add missing dependency for port scanningPawel Wieczorek1-0/+7
Issue-ID: SECCOM-261 Change-Id: Id4d14cf0997310b7e039fe3f5e18ea72a4f3d71c Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-05-08Use correct nmap filtersPawel Wieczorek1-1/+11
Both closed and filtered ports should be droppped from scan results to maintain compatibility with "check_for_nonssl_endpoints.sh" script. Issue-ID: SECCOM-261 Change-Id: Ic422bebf6e46bcc42a3e5198e7702bb8b901287f Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25Add 'build' target for 'sslendpoints' projectBartek Grzybowski1-0/+5
To follow a common protocol of testing Golang based applications in CI we need a 'build' target for doing a local (non-docker) build to verify 'go build' routine. It's however not added to "all" target as that one already references docker based build by default. Change-Id: I2e380ef09a1ae18456d7288f853d085617149338 Issue-ID: SECCOM-261 Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
2020-03-25Reduce cyclomatic complexityPawel Wieczorek3-17/+132
Moving CSV data conversion and "expected failure" filtering away from main function made testing these features easier. Utility behaviour remained unchanged. Issue-ID: SECCOM-261 Change-Id: I4cabfc7b352434c84a613c02f44af3c9630be970 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25Add "expected failure" support to non-SSL NodePort scannerPawel Wieczorek2-3/+61
This patch makes scanner compatible with its shell predecessor. The same "expected failure" list format is used i.e. # Comment line; will be ignored SERVICE1 NODEPORT1 SERVICE2 NODEPORT2 Single space character is used as a field separator. Issue-ID: SECCOM-261 Change-Id: Ieedd4e98a83ffe242c695133fdf7342e17efa9a2 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25Run port scanPawel Wieczorek4-2/+78
Issue-ID: SECCOM-261 Change-Id: I465282a8793191c45d288284a127e80e1fecf513 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25Add IP addresses filteringPawel Wieczorek3-0/+148
Each node might be described with 3 types of addresses [1]. Some providers also use node annotations [2] for assigned addresses. This patch filters out all IP addresses from nodes list. External IPs take precedence over internal ones. The first address on the extracted slice will be later used to run the scan on. This behaviour could be later modified to e.g. loop over all extracted IP addresses (if scan fails). [1] https://kubernetes.io/docs/concepts/architecture/nodes/#addresses [2] https://github.com/rancher/rke/blob/master/k8s/node.go#L18 Issue-ID: SECCOM-261 Change-Id: Ifd094447f778da378dfe1aee765f552b6ebd669f Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25Add temporary "make" target for automated testing compatibilityPawel Wieczorek1-0/+4
Utility "sslendpoints" and related packages make use of idiomatic Go testing commands, i.e. go test [./...]. Thanks to Go Modules [1] nothing else is needed to run internal tests for this tool. Unfortunately it's not the case for all Go-based Integration tools. In order to use a single automated verification script in CI additional "make" target is required. It will provide temporary compatibility layer with utilities setting up test environment on their own with "make test" target. This patch should be reverted upon removal of such cases (currently: after dropping "../k8s/check" tool in favour of Aquasec solution). [1] https://blog.golang.org/using-go-modules (see "Adding a dependency" test execution explanation) Issue-ID: INT-1498 Change-Id: I14c83f7f193c7688590366db988ff02c13c036a4 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25Add NodePorts filtering with development environment basisPawel Wieczorek11-5/+592
This patch has not made "sslendpoints" fully compatible with "check_for_nonssl_endpoints.sh" script yet. It sets up basic development environment for Golang-based checkers, though. Tool output will be added to the README after reaching full compatibility with previous (script) version. Development environment brought by this patch is heavily based on: https://github.com/SamsungSLAV/boruta Issue-ID: SECCOM-261 Change-Id: I8f035b63bea13785c40971ede5fdbbc9b6810168 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25Increase verifiability of security checksPawel Wieczorek2-0/+45
This patch introduces a series of patches that will provide tools which will succeed current security check scripts. Its two main reasons are: * increasing tools verifiability by providing internal tests, * improving "expected failure" support by suppressing carefully selected set of special cases. Each tool will use following directory structure (generated with "tree -a --charset=ascii" command): . `-- check_module |-- Dockerfile |-- .dockerignore |-- .gitignore |-- go.mod |-- main.go |-- Makefile |-- README |-- README.rst -> README `-- submodule |-- submodule.go `-- submodule_test.go This will allow using Go Modules mechanism within its limitations [1] for "non-go-get-able modules" [2][3][4] - also in case of separating code into several modules used by multiple "check modules", e.g. . |-- common | |-- common.go | |-- common_test.go | `-- go.mod `-- check_module |-- go.mod `-- ... It would require migration from separate Dockerfiles to a single one (multi-stage), though. Provided Makefiles are intended to simplify local development (Docker-less building) and container images preparation. READMEs clarify utility requirements and usage - file without extension is for VCS reference, symlink for proper syntax rendering. [1] https://github.com/golang/go/wiki/Modules#is-it-possible-to-add-a-module-to-a-multi-module-repository [2] https://github.com/golang/go/wiki/Modules#can-i-work-entirely-outside-of-vcs-on-my-local-filesystem [3] https://github.com/golang/go/issues/26645#issuecomment-408572701 [4] https://www.dim13.org/go-get-cgit Issue-ID: SECCOM-261 Change-Id: I48eeeda66bd5570d249e96e101e431e6bab75cb3 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>