path: root/test/security
Age | Commit message | Author | Files | Lines (-/+)
2020-09-14 | Add timeout on SSL internal cert retrieval | mrichomme | 2 | -0/+135
    In case of SSL issues, the socket timeout is set to 600s by default. As we are scanning a little bit stupidly (we try on all the internal ports), it may take a long time if we cumulate the different timeouts.
    Moreover, a new error may occur on internal scans: socket.gaierror.

    Issue-ID: INT-1570
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: Ia0e1c7bb133565d6179afa155f6c299a5e012764
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
2020-09-07 | Remove old SECCOM waiver lists source | Pawel Wieczorek | 4 | -28/+0
    SECCOM waivers are now located in the "integration/seccom" repository.

    Issue-ID: INT-1710
    Change-Id: I2598c3d848338a4527c5c49b38b7c9f150d45abe
    Depends-On: I5f0f11307dd259d2a66a2916ac4ac01e27177b29
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-09-02 | check_certificates: create result dir if needed | mrichomme | 1 | -0/+4
    An arg allows specifying the results dir, but if the dir path is not valid we get an error. Try to create the dir before running the test.

    Issue-ID: INT-1570
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: I32363af1f066dc5e5a0adf45619fb4e1a9052a7d
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
2020-08-31 | Add support for detecting Java 8 | Pawel Wieczorek | 1 | -2/+4
    For Java 11 there are four ways of checking the Java binary version:
    * -version         print product version to the error stream and exit
    * -showversion     print product version to the error stream and continue
    * --version        print product version to the output stream and exit
    * --show-version   print product version to the output stream and continue

    For Java 8 only the error stream options are available. There is no support for the output stream (double-hyphenated) options.

    This patch extends the list of executed commands for binary version detection. Java 8 presence will now be shown in results instead of being reported as an error.

    Issue-ID: INT-1601
    Change-Id: I1b538bc1f0826f6000fedb08860d12c15fe2fc14
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-08-26 | Add MANIFEST.in to include j2 file in the python package | mrichomme | 3 | -6/+4
    Not sure it is the best way, maybe it can be done with setup.cfg... It seems to be OK.

    Issue-ID: INT-1570
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: I7a1ddefba0ec0bbe35a5a51baebdf4a715a4f131
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
2020-08-20 | Reset security xfail list for Guilin | mrichomme | 1 | -14/+16
    Issue-ID: INT-1695
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: I6885cdbd4354add533999af6b43de267b888a59a
2020-08-10 | Drop using symlinks for documentation markup rendering | Pawel Wieczorek | 4 | -182/+180
    Keeping only symlinks as the markup indicator does not trigger CI on relevant patches changing documentation contents (there's no change in the symlink). This can be resolved by dropping symlink usage entirely. Sphinx and RTD aren't going anywhere anytime soon.

    To make sure all symlinks were replaced, the following one-liner was used:

        $ find . -type l -name "*.rst" -exec readlink -e {} \; \
            | xargs -I% git mv -f %{,.rst}

    which finds all the symlinks in the repo with the "*.rst" suffix, then reads which file they link to and finally replaces the given symlink with that file.

    This solution was suggested by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>

    Issue-ID: INT-1672
    Change-Id: I120e216b0b48032bb7b80c23cad799cd6f7cca53
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-07-28 | Import upstream component version inspection tool | Pawel Wieczorek | 16 | -0/+1360
    This patch adds a utility to check versions of binaries available in Docker containers run on a Kubernetes cluster. It has been contributed by: kkkk-k <kkkk.k@samsung.com>

    Several minor changes were made to comply with ONAP CI linter rules.

    Issue-ID: INT-1571
    Change-Id: Id0e4b557212dec1bf8d2bac580968d69e2cf5595
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-07-09 | Update release notes for Frankfurt Maintenance release | mrichomme | 1 | -1/+17
    Update testsuite 1.6.4; fix doc links (submodules lead to broken links).

    Issue-ID: INT-1652
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: Id83b1b589216317cd755f9d2eb844c6dfb1029c9
2020-07-06 | Fix check certification python packaging | mrichomme | 2 | -0/+2
    - include jinja2 template (__init.py)
    - include xfail list (scripts in setup.cfg)

    Issue-ID: INT-1570
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: I08d1229c939b64aa8e920f75ea05a8aa0404a4c5
2020-07-03 | Initiate check certificate validity test | mrichomme | 9 | -0/+686
    Issue-ID: INT-1570
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: I9794ec17a254ac21e87e3a251b6cad849a763742
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
2020-07-02 | Create runtime setup for the script | Bartek Grzybowski | 4 | -5/+44
    Change-Id: I1a1207173b065c3b88b4b62e134c2fda33e0e6ec
    Issue-ID: INT-1642
    Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
2020-07-02 | Fix --conf option validation | Bartek Grzybowski | 1 | -7/+9
    The native Argparse library facility is used to validate the --conf option value. In case of an invalid value, an error msg is printed together with usage info.

    Change-Id: I43aee892699c8238176b19a5148d217b3d16102c
    Issue-ID: INT-1643
    Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
2020-07-02 | Add compare NodePort and Ingress scan | Lucjan Bryndza | 1 | -6/+75
    Add a compare NodePort and Ingress scan to the ONAP port scanner. The extra option --scan-and-compare scans the cluster using NodePort and Ingress and finally compares the results of both scans.

    Change-Id: Ie480f068c2bda530c8be76c3d8d70d92f7c5b392
    Issue-ID: OOM-2437
    Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
2020-07-01 | Fix ingress default http and https ports | Lucjan Bryndza | 1 | -2/+4
    Change the ingress http and https port in the ingress controller default port configuration.

    Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
    Issue-ID: OOM-2434
    Change-Id: Ic354510006d9f2d5d56f377d8f628e55a1a4b869
    Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
2020-05-08 | Add missing dependency for port scanning | Pawel Wieczorek | 1 | -0/+7
    Issue-ID: SECCOM-261
    Change-Id: Id4d14cf0997310b7e039fe3f5e18ea72a4f3d71c
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-05-08 | Use correct nmap filters | Pawel Wieczorek | 1 | -1/+11
    Both closed and filtered ports should be dropped from scan results to maintain compatibility with the "check_for_nonssl_endpoints.sh" script.

    Issue-ID: SECCOM-261
    Change-Id: Ic422bebf6e46bcc42a3e5198e7702bb8b901287f
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-04-27 | Exclude VFC-redis from xfail list | mrichomme | 1 | -0/+1
    Issue-ID: INT-1564
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: I32d9e25e4d4d0bfab7fdfa5979db266a0826604c
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
2020-04-10 | remove CLI from https xfail list | mrichomme | 1 | -2/+0
    Even if CLI got a NO GO for Frankfurt, a docker update is planned to fix security issues for Frankfurt. As a consequence, CLI must be removed from the xfail list.

    Issue-ID: INT-1480
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: I78dccd2bdabe05515ff8ab64d30e9e5d6f97e74b
2020-03-31 | Grant a waiver for SO 30277 | Krzysztof Opasiak | 1 | -0/+2
    As discussed during the SECCOM call on 31.03.2020, the SO team pushed hard to finalize AAF integration in F but failed due to AAF issues. Per TSC decision they should be granted a waiver as a project which has been impacted by AAF.

    Issue-ID: OJSI-138
    Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
    Change-Id: I46028f2d3de80f5ca7dc274cf6af26000b766f32
2020-03-25 | Add 'build' target for 'sslendpoints' project | Bartek Grzybowski | 1 | -0/+5
    To follow a common protocol of testing Golang based applications in CI we need a 'build' target for doing a local (non-docker) build to verify the 'go build' routine. It's however not added to the "all" target as that one already references the docker based build by default.

    Change-Id: I2e380ef09a1ae18456d7288f853d085617149338
    Issue-ID: SECCOM-261
    Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
2020-03-25 | Reduce cyclomatic complexity | Pawel Wieczorek | 3 | -17/+132
    Moving CSV data conversion and "expected failure" filtering away from the main function made testing these features easier. Utility behaviour remained unchanged.

    Issue-ID: SECCOM-261
    Change-Id: I4cabfc7b352434c84a613c02f44af3c9630be970
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25 | Add "expected failure" support to non-SSL NodePort scanner | Pawel Wieczorek | 2 | -3/+61
    This patch makes the scanner compatible with its shell predecessor. The same "expected failure" list format is used, i.e.

        # Comment line; will be ignored
        SERVICE1 NODEPORT1
        SERVICE2 NODEPORT2

    A single space character is used as a field separator.

    Issue-ID: SECCOM-261
    Change-Id: Ieedd4e98a83ffe242c695133fdf7342e17efa9a2
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25 | Run port scan | Pawel Wieczorek | 4 | -2/+78
    Issue-ID: SECCOM-261
    Change-Id: I465282a8793191c45d288284a127e80e1fecf513
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25 | Add IP addresses filtering | Pawel Wieczorek | 3 | -0/+148
    Each node might be described with 3 types of addresses [1]. Some providers also use node annotations [2] for assigned addresses. This patch filters out all IP addresses from the nodes list. External IPs take precedence over internal ones. The first address on the extracted slice will be later used to run the scan on. This behaviour could be later modified to e.g. loop over all extracted IP addresses (if the scan fails).

    [1] https://kubernetes.io/docs/concepts/architecture/nodes/#addresses
    [2] https://github.com/rancher/rke/blob/master/k8s/node.go#L18

    Issue-ID: SECCOM-261
    Change-Id: Ifd094447f778da378dfe1aee765f552b6ebd669f
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25 | Add temporary "make" target for automated testing compatibility | Pawel Wieczorek | 1 | -0/+4
    Utility "sslendpoints" and related packages make use of idiomatic Go testing commands, i.e. go test [./...]. Thanks to Go Modules [1] nothing else is needed to run internal tests for this tool.

    Unfortunately it's not the case for all Go-based Integration tools. In order to use a single automated verification script in CI an additional "make" target is required. It will provide a temporary compatibility layer with utilities setting up the test environment on their own with the "make test" target.

    This patch should be reverted upon removal of such cases (currently: after dropping the "../k8s/check" tool in favour of the Aquasec solution).

    [1] https://blog.golang.org/using-go-modules (see "Adding a dependency" test execution explanation)

    Issue-ID: INT-1498
    Change-Id: I14c83f7f193c7688590366db988ff02c13c036a4
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25 | Add NodePorts filtering with development environment basis | Pawel Wieczorek | 11 | -5/+592
    This patch has not made "sslendpoints" fully compatible with the "check_for_nonssl_endpoints.sh" script yet. It sets up a basic development environment for Golang-based checkers, though. Tool output will be added to the README after reaching full compatibility with the previous (script) version.

    The development environment brought by this patch is heavily based on: https://github.com/SamsungSLAV/boruta

    Issue-ID: SECCOM-261
    Change-Id: I8f035b63bea13785c40971ede5fdbbc9b6810168
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-25 | Increase verifiability of security checks | Pawel Wieczorek | 2 | -0/+45
    This patch introduces a series of patches that will provide tools which will succeed the current security check scripts. Its two main reasons are:
    * increasing tools' verifiability by providing internal tests,
    * improving "expected failure" support by suppressing a carefully selected set of special cases.

    Each tool will use the following directory structure (generated with the "tree -a --charset=ascii" command):

        .
        `-- check_module
            |-- Dockerfile
            |-- .dockerignore
            |-- .gitignore
            |-- go.mod
            |-- main.go
            |-- Makefile
            |-- README
            |-- README.rst -> README
            `-- submodule
                |-- submodule.go
                `-- submodule_test.go

    This will allow using the Go Modules mechanism within its limitations [1] for "non-go-get-able modules" [2][3][4] - also in case of separating code into several modules used by multiple "check modules", e.g.

        .
        |-- common
        |   |-- common.go
        |   |-- common_test.go
        |   `-- go.mod
        `-- check_module
            |-- go.mod
            `-- ...

    It would require migration from separate Dockerfiles to a single one (multi-stage), though.

    Provided Makefiles are intended to simplify local development (Docker-less building) and container images preparation. READMEs clarify utility requirements and usage - the file without extension is for VCS reference, the symlink for proper syntax rendering.

    [1] https://github.com/golang/go/wiki/Modules#is-it-possible-to-add-a-module-to-a-multi-module-repository
    [2] https://github.com/golang/go/wiki/Modules#can-i-work-entirely-outside-of-vcs-on-my-local-filesystem
    [3] https://github.com/golang/go/issues/26645#issuecomment-408572701
    [4] https://www.dim13.org/go-get-cgit

    Issue-ID: SECCOM-261
    Change-Id: I48eeeda66bd5570d249e96e101e431e6bab75cb3
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-19 | Add services with waiver to expected failures list for non-SSL endpoints tests | Pawel Wieczorek | 1 | -0/+6
    Issue-ID: INT-1480
    Change-Id: Iabd7932e0eb8f8981d064aee0f4d8c44df65a379
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-19 | Filter out only open non-SSL ports | Pawel Wieczorek | 1 | -1/+1
    This patch ignores closed and filtered ports from scan results. It is intended to keep the "expected failure" list minimal.

    Issue-ID: INT-1480
    Change-Id: Idb93cf4e19284bc121aa45ea950d28405c29e222
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-12 | Fix regex for http xfail list | mrichomme | 1 | -1/+1
    In CI we got an error, "sed: unsupported command o", due to space management in the sed command.

    Issue-ID: INT-1480
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: I44c6ecd7c47ec02b76c7932bb86de0a58726d93d
2020-03-12 | Unify expected failures lists naming convention | Pawel Wieczorek | 1 | -1/+1
    The list of expected failures for the non-SSL services test has not been renamed together with the corresponding check script and might have been confusing.

    Issue-ID: INT-1480
    Change-Id: I4f88a09ddb90a14500498892f1fda99e1c3febf0
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-12 | Add upstream services to expected failures list for non-SSL endpoints tests | Pawel Wieczorek | 1 | -0/+4
    Issue-ID: INT-1480
    Change-Id: I755a3e65897f94e3f42f27bbf798c9bcd9c2868f
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-11 | Rename white list to xfail list to clarify the role of the list | mrichomme | 1 | -1/+1
    To be consistent with the xfail lists introduced in security tests by Pawel Wieczorek [1].

    Issue-ID: INT-1435
    [1]: https://gerrit.onap.org/r/c/integration/+/103444
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: I5345607931e443f3335f34823c5cd80290425a45
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
2020-03-10 | Drop filtering out services recognized as HTTP | Pawel Wieczorek | 1 | -9/+9
    This patch extends the tool used to detect plain HTTP ports to report all non-SSL endpoints. Previously it omitted services not recognized as HTTP. Naming changes were made to reflect the purpose of this tool better.

    Issue-ID: INT-1480
    Change-Id: I58a152022d48121bf4b9c6180ddc820dd4a79805
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-10 | Add expected failures list for HTTP endpoints tests | Pawel Wieczorek | 2 | -11/+55
    This patch is heavily based on previous work by Morgan Richomme <morgan.richomme@orange.com> (Change-Id: Ibaed4c5c0e5ae179af0ae317e543c1efdc9ddef2).

    It is intended to suppress failure reports on known plain HTTP endpoints. The introduced list of "expected failures" (or "xfail" for short) will be shrunk after resolving tickets related to INT-1480, and this patch will be eventually reverted.

    Issue-ID: INT-1480
    Change-Id: I4edbf3efaf66bfa2dbe2f265983eb0a27048ed4e
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-03-10 | Add a white list for jdwp tests | mrichomme | 2 | -42/+95
    The port scanned can be the default redis port. A white list must be included to avoid false positives.
    Open question: should this list be passed as an argument? It is relatively static, so for the moment I created a list to exclude the false positives through grep -v.

    Issue-ID: INT-1435
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
    Change-Id: Ibaed4c5c0e5ae179af0ae317e543c1efdc9ddef2
    Signed-off-by: mrichomme <morgan.richomme@orange.com>
2020-03-05 | Fix linting issues in check_for_ingress_and_nodeports.py | Bartek Grzybowski | 1 | -6/+6
    Change-Id: Ic0d2a32a964a4cf5ff1580ffd06103c450a0e8b0
    Issue-ID: INT-1427
    Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
2020-03-05 | Fix indentation and whitespace issues in Python scripts | Bartek Grzybowski | 1 | -2/+2
    Reported by pylint.

    Change-Id: I9d5ee152f3587bb2d7e8abee919e4ffe47d8ae85
    Issue-ID: INT-1427
    Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
2020-02-21 | Fix YAML files linter errors for duplicated keys | Bartek Grzybowski | 1 | -1/+0
    Change-Id: I77bcf667d4a639b001258d026f2633fce2bfb0e6
    Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
    Issue-ID: INT-1451
2020-01-29 | k8s: Drop support for Casablanca | Pawel Wieczorek | 12 | -467/+5
    The Casablanca release reached End of Life (EOL) stage on July 8th 2019 [1]. This patch also fixes comments for test fixtures.

    This whole test subtree will be deleted upon migrating Aquasec kube-bench [2] for CIS Benchmark [3], integrated by Orange [4], to ONAP xtesting [5].

    [1] https://wiki.onap.org/display/DW/Long+Term+Roadmap
    [2] https://github.com/aquasecurity/kube-bench
    [3] https://www.cisecurity.org/benchmark/kubernetes/
    [4] https://gitlab.com/Orange-OpenSource/lfn/onap/integration/xtesting
    [5] https://git.onap.org/integration/xtesting/

    Issue-ID: SECCOM-235
    Change-Id: Ifc7d9c775c27d4cfafdd1932809288530cffceff
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-01-29 | k8s: Drop process name trimming from etcd on RKE | Pawel Wieczorek | 1 | -1/+5
    Information for etcd extracted from a container on an RKE-based cluster does not include the process name.

    Issue-ID: SECCOM-235
    Change-Id: Ie6aee550868431d5f4d27c3b3d262e17e1aa6156
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-01-29 | k8s: Mock etcd information collection | Pawel Wieczorek | 5 | -2/+42
    Rancher does not provide information on etcd as container arguments. Its collection requires implementation of a new information extraction method. RKE does not include the etcd process name in container arguments.

    Issue-ID: SECCOM-235
    Change-Id: I7576474fb2848962360771d2850aeb3f3869790a
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-01-29 | k8s: Validate controller manager flags requiring appropriate values | Pawel Wieczorek | 3 | -0/+58
    This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.3.1 and 1.3.4 - 1.3.5).

    Issue-ID: SECCOM-235
    Change-Id: I418034ea98423142f4875b97a8e6a22e8b4cd112
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-01-28 | Extend label matching for cluster node's External IP | Pawel Wieczorek | 1 | -2/+2
    This patch also fixes a minor typo.

    Issue-ID: SECCOM-261
    Change-Id: I4326106f14381ec652eb493bf0a87fb1d82ea3fb
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-12-18 | Ingress controller and node port scanner | Lucjan Bryndza | 1 | -0/+266
    This tool reads K8S NodePort and Ingress service configurations and scans for service availability.

    Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
    Change-Id: Ie9681ffe957317ed1f1c77ac9d6c90d677df294b
    Issue-ID: OOM-2240
    Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
2019-10-01 | k8s: Validate controller manager flags requiring specific values | Pawel Wieczorek | 3 | -1/+60
    This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.3.2 - 1.3.3 and 1.3.6).

    Issue-ID: SECCOM-235
    Change-Id: I9c2921faf40ad9445e983f2b9bd0610e556cfe15
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-30 | k8s: Resolve Docker response formatting issue | Pawel Wieczorek | 2 | -0/+18
    The checker collects information on the cluster by Docker queries:

        $ docker ps ARGS...       # Casablanca
        $ docker inspect ARGS...  # Dublin

    Arrays of values are then filtered from those. They include:
    * opening bracket ('['),
    * closing bracket (']'),
    * new line.

    Additional characters affect check results if the last flag (including "]\n") requires a specific value.

    Issue-ID: SECCOM-235
    Change-Id: I6838342b7e2ecdc44a47ffe02286266003e0b4d3
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-30 | k8s: Resolve address conflicts in virtual environments | Pawel Wieczorek | 3 | -7/+7
    Running Casablanca and Dublin virtual environments at the same time led to networking issues - the same IP had been assigned to cluster nodes.

    Issue-ID: SECCOM-235
    Change-Id: I2a59d023115326f5b132782a32190fd8f7dc1f48
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27 | k8s: Validate controller manager address flag | Pawel Wieczorek | 5 | -1/+98
    This patch verifies if the CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.3.7).

    Issue-ID: SECCOM-235
    Change-Id: Id3f4bcb9a506dae3c7c0a884ad6c704dfae2a6d8
    Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>