From 328bcfbce8d97a66b975ee45cd69b30cdb727aef Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Wed, 18 Mar 2020 12:38:30 +0100
Subject: Add "expected failure" support to non-SSL NodePort scanner

This patch makes scanner compatible with its shell predecessor. The same "expected failure" list format is used i.e.

# Comment line; will be ignored
SERVICE1 NODEPORT1
SERVICE2 NODEPORT2

Single space character is used as a field separator.

Issue-ID: SECCOM-261
Change-Id: Ieedd4e98a83ffe242c695133fdf7342e17efa9a2
Signed-off-by: Pawel Wieczorek
---
 test/security/sslendpoints/README | 14 ++++++++++-
 test/security/sslendpoints/main.go | 50 ++++++++++++++++++++++++++++++++++++--
 2 files changed, 61 insertions(+), 3 deletions(-)

diff --git a/test/security/sslendpoints/README b/test/security/sslendpoints/README
index bf39f0148..ba21b12ea 100644
--- a/test/security/sslendpoints/README
+++ b/test/security/sslendpoints/README
@@ -14,6 +14,11 @@ Configuration ``-kubeconfig`` Optional unless ``$HOME`` is not set. Defaults to ``$HOME/.kube/config``. +``-xfail`` Optional list of services with corresponding NodePorts which do not use SSL tunnels. These ports are known as "expected failures" and will not be checked. + Build (local) ~~~~~~~~~~~~~
@@ -70,7 +75,7 @@ Command (local) .. code-block:: shell - $ bin/sslendpoints [-kubeconfig KUBECONFIG] + $ bin/sslendpoints [-kubeconfig KUBECONFIG] [-xfail XFAIL] Command (Docker) ~~~~~~~~~~~~~~~~
@@ -83,6 +88,13 @@ Command (Docker) $ docker run --rm --volume $KUBECONFIG:/opt/config \ sslendpoints-build-img /bin/sslendpoints -kubeconfig /opt/config + $ docker run --rm \ + --volume $KUBECONFIG:/opt/config \ + --volume $XFAIL:/opt/xfail \ + sslendpoints-build-img /bin/sslendpoints \ + -kubeconfig /opt/config + -xfail /opt/xfail + Output ~~~~~~
diff --git a/test/security/sslendpoints/main.go b/test/security/sslendpoints/main.go
index e5a76eb78..8c136d5c4 100644
--- a/test/security/sslendpoints/main.go
+++ b/test/security/sslendpoints/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"encoding/csv"
 	"flag"
 	"log"
 	"os"
@@ -18,17 +19,47 @@ import (
 
 const (
 	ipv4AddrType = "ipv4"
+
+	xfailComma = ' '
+	xfailComment = '#'
+	xfailFields = 2
+)
+
+var (
+	kubeconfig *string
+	xfailName *string
 )
 
 func main() {
-	var kubeconfig *string
 	if home := os.Getenv("HOME"); home != "" {
 		kubeconfig = flag.String("kubeconfig", filepath.Join(home, ".kube", "config"), "(optional) absolute path to the kubeconfig file")
 	} else {
 		kubeconfig = flag.String("kubeconfig", "", "absolute path to the kubeconfig file")
 	}
+	xfailName = flag.String("xfail", "", "(optional) absolute path to the expected failures file")
 	flag.Parse()
 
+	var xfails [][]string
+	if *xfailName != "" {
+		xfailFile, err := os.Open(*xfailName)
+		if err != nil {
+			log.Printf("Unable to open expected failures file: %v", err)
+			log.Println("All non-SSL NodePorts will be reported")
+		}
+		defer xfailFile.Close()
+
+		r := csv.NewReader(xfailFile)
+		r.Comma = xfailComma
+		r.Comment = xfailComment
+		r.FieldsPerRecord = xfailFields
+
+		xfails, err = r.ReadAll()
+		if err != nil {
+			log.Printf("Unable to read expected failures file: %v", err)
+			log.Println("All non-SSL NodePorts will be reported")
+		}
+	}
+
 	// use the current context in kubeconfig
 	config, err := clientcmd.BuildConfigFromFlags("", *kubeconfig)
 	if err != nil {
@@ -67,7 +98,22 @@ func main() {
 		os.Exit(0)
 	}
 
-	// TODO: filter out expected failures here before running the scan
+	// filter out expected failures here before running the scan
+	for _, xfail := range xfails {
+		port, err := strconv.Atoi(xfail[1])
+		if err != nil {
+			log.Printf("Unable to parse port expected to fail: %v", err)
+			continue
+		}
+		service, ok := nodeports[uint16(port)]
+		if !ok {
+			continue
+		}
+		if service != xfail[0] {
+			continue
+		}
+		delete(nodeports, uint16(port))
+	}
 
 	// extract ports for running the scan
 	var ports []string
-- 
cgit 1.2.3-korg
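Review bot: In the new `if *xfailName != ""` block a failed `os.Open` is only logged, so execution continues into `defer xfailFile.Close()` and `csv.NewReader(xfailFile)` with a nil `*os.File`; as far as I can tell those nil-receiver calls return os.ErrInvalid rather than panic, so the visible effect is that `ReadAll` fails as well and the "All non-SSL NodePorts will be reported" fallback is printed twice, obscuring which step actually failed. Moving the open-and-parse into a helper that returns nil on the first error (below) logs once and closes the file as soon as parsing is done instead of at the end of `main`, whose body continues past this hunk. Either way the `ReadAll` error path leaves `xfails` nil, so a malformed list still makes every non-SSL NodePort get reported; that fail-safe default deserves a comment on the declaration, e.g. `var xfails [][]string // nil: no expected failures, every non-SSL NodePort is reported`. Hoisting `kubeconfig` and `xfailName` to package-level `var`s is not needed by anything in this hunk; they could stay locals in `main`.
```go
	var xfails [][]string // nil: no expected failures, every non-SSL NodePort is reported
	if *xfailName != "" {
		xfails = readXfails(*xfailName)
	}
	// … unchanged: kubeconfig loading and the rest of main …

// readXfails parses the expected-failures list at path (one "SERVICE NODEPORT"
// entry per line, '#' comments). On any error it logs the problem once and
// returns nil so that no NodePort is excluded from the scan.
func readXfails(path string) [][]string {
	xfailFile, err := os.Open(path)
	if err != nil {
		log.Printf("Unable to open expected failures file: %v", err)
		log.Println("All non-SSL NodePorts will be reported")
		return nil
	}
	defer xfailFile.Close()

	r := csv.NewReader(xfailFile)
	r.Comma = xfailComma
	r.Comment = xfailComment
	r.FieldsPerRecord = xfailFields

	xfails, err := r.ReadAll()
	if err != nil {
		log.Printf("Unable to read expected failures file: %v", err)
		log.Println("All non-SSL NodePorts will be reported")
		return nil
	}
	return xfails
}
```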
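Review bot: `uint16(port)` after `strconv.Atoi(xfail[1])` truncates silently, so an expected-failure entry whose port is outside 0–65535 (a typo such as 303010, or a negative value) is mapped onto a different NodePort and, if the service name also matches, removes that port from the scan instead of being rejected. Parsing with `port, err := strconv.ParseUint(xfail[1], 10, 16)` sends out-of-range values down the existing error branch and makes the later `uint16(port)` conversions exact. Entries whose port is present but whose service differs are skipped without any message; a `log.Printf("Expected failure %q does not match NodePort %d (%s); port will be scanned", xfail[0], port, service)` there would surface a stale list to the operator instead of silently scanning the port. The lookup-then-compare could also collapse to `if service, ok := nodeports[uint16(port)]; ok && service == xfail[0] { delete(nodeports, uint16(port)) }`; `nodeports` is built outside this hunk, and since the import hunk adds only `encoding/csv`, `strconv` is presumably already imported above.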