From 91b130eec8a32e270f3e52f3ba10c4566383b1b2 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Wed, 25 Sep 2019 18:30:10 +0200
Subject: k8s: Validate API server request timeout

This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.38).

Issue-ID: SECCOM-235
Change-Id: Ic1f175d577c79013ddb49e02b8de69137535c964
Signed-off-by: Pawel Wieczorek
---
 test/security/k8s/src/check/cmd/check/check.go | 2 ++
 .../k8s/src/check/validators/master/api.go | 26 ++++++++++++++++++++++
 .../k8s/src/check/validators/master/api_test.go | 11 +++++++++
 3 files changed, 39 insertions(+)

diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index 0447d5bb0..fb63ae632 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -72,6 +72,8 @@ func main() {
 	log.Printf("IsAuditLogMaxBackupValid: %t\n", master.IsAuditLogPathSet(k8sParams))
 	log.Printf("IsAuditLogMaxSizeValid: %t\n", master.IsAuditLogPathSet(k8sParams))
+	log.Printf("IsRequestTimeoutValid: %t\n", master.IsRequestTimeoutValid(k8sParams))
+
 	log.Printf("IsKubeletCertificateAuthoritySet: %t\n", master.IsKubeletCertificateAuthoritySet(k8sParams))
 	log.Printf("IsClientCertificateAuthoritySet: %t\n", master.IsClientCertificateAuthoritySet(k8sParams))
 	log.Printf("IsEtcdCertificateAuthoritySet: %t\n", master.IsEtcdCertificateAuthoritySet(k8sParams))
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index bc25d9922..c2a99641e 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
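Review bot: The two context lines directly above the added call report `IsAuditLogMaxBackupValid` and `IsAuditLogMaxSizeValid` but both evaluate `master.IsAuditLogPathSet(k8sParams)`, so those two results are copies of the audit-log-path check rather than their own validators, and the compliance output misstates what was actually verified; the new `IsRequestTimeoutValid` line itself is wired correctly. Presumably the intended calls are `master.IsAuditLogMaxBackupValid(k8sParams)` and `master.IsAuditLogMaxSizeValid(k8sParams)` if those validators exist in the master package, which is worth correcting while this block is being touched. main's body continues outside the hunk.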
@@ -18,6 +18,8 @@ const (
 		"_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" +
 		"_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" +
 		"_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
+
+	requestTimeout = 60
 )
 
 // IsBasicAuthFileAbsent validates there is no basic authentication file specified.
@@ -363,3 +365,27 @@ func hasSingleFlagRecommendedNumericArgument(flag string, recommendation int, pa
 	}
 	return true
 }
+
+// IsRequestTimeoutValid validates request timeout is set and it has recommended value.
+func IsRequestTimeoutValid(params []string) bool {
+	return isFlagAbsent("--request-timeout", params) ||
+		hasSingleFlagValidTimeout("--request-timeout", requestTimeout, 2*requestTimeout, params)
+}
+
+// hasSingleFlagValidTimeout checks whether selected flag has valid timeout as an argument in given command.
+func hasSingleFlagValidTimeout(flag string, min int, max int, params []string) bool {
+	found := filterFlags(params, flag)
+	if len(found) != 1 {
+		return false
+	}
+
+	_, value := splitKV(found[0], "=")
+	timeout, err := strconv.Atoi(value) // what about empty parameter?
+	if err != nil {
+		return false
+	}
+	if timeout < min || timeout > max {
+		return false
+	}
+	return true
+}
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index 35860c6b1..0b2021538 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
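Review bot: `requestTimeout = 60` carries no unit and no rationale, although the second hunk of this file compares it against a value parsed from the command line and doubles it to form an upper bound; a reader cannot tell whether it is seconds, the kube-apiserver default, or a project policy. Suggest `// requestTimeout is the kube-apiserver default for --request-timeout (1m0s) expressed in seconds; IsRequestTimeoutValid accepts explicit values up to twice this.` The const block starts outside the hunk.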
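Review bot: `strconv.Atoi(value)` in hasSingleFlagValidTimeout rejects every value kube-apiserver itself accepts, because the server parses `--request-timeout` as a Go duration (`60s`, `1m0s`), so a compliant explicit setting is reported as non-compliant while the only strings that pass here (unit-less `60`..`120`) are ones the server would refuse. Parse with `time.ParseDuration` and compare in seconds; `time` must be added to api.go's import block, which is outside the hunk. The leftover `// what about empty parameter?` is answered by the error path (an empty value is rejected) and should be dropped or turned into a statement. Two smaller points: the doc comment `IsRequestTimeoutValid validates request timeout is set and it has recommended value` contradicts the code, which also returns true when the flag is absent and the server default applies — suggest `// IsRequestTimeoutValid validates that --request-timeout is either left at the kube-apiserver default or explicitly set within the recommended range.` — and the parameters `min`/`max` shadow the Go 1.21 builtins, so `lower`/`upper` read better.
```go
func hasSingleFlagValidTimeout(flag string, lower int, upper int, params []string) bool {
	// … unchanged: filterFlags lookup and the len(found) != 1 guard …
	_, value := splitKV(found[0], "=")
	// kube-apiserver parses --request-timeout as a Go duration (default 1m0s), so
	// accept the same syntax; an empty value is still rejected by the parse error.
	d, err := time.ParseDuration(value)
	if err != nil {
		return false
	}
	timeout := int(d / time.Second)
	return timeout >= lower && timeout <= upper
}
```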
@@ -367,6 +367,17 @@ var _ = Describe("Api", func() {
 			Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
 			Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 		)
+
+		DescribeTable("Request timeout",
+			func(params []string, expected bool) {
+				Expect(IsRequestTimeoutValid(params)).To(Equal(expected))
+			},
+			Entry("Is empty on insecure cluster", []string{"--request-timeout="}, false),
+			Entry("Is too high on insecure cluster", []string{"--request-timeout=600"}, false),
+			Entry("Should be set only if needed on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+			Entry("Should be set only if needed on Casablanca cluster", kubeApiServerCasablanca, true),
+			Entry("Should be set only if needed on Dublin cluster", kubeApiServerDublin, true),
+		)
 	})
 
 	Describe("Argument list flags", func() {
-- 
cgit 1.2.3-korg
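Review bot: No entry exercises `--request-timeout` explicitly set to an accepted value, so the in-range branch of hasSingleFlagValidTimeout and its lower bound are never covered; the three fixture entries presumably pass only because the flag is absent in those argument lists, and `600` pins just the upper side. Add a positive entry with the flag present at the default value plus entries just outside each bound, using whichever value format the validator ends up accepting (bare seconds as written, or a duration such as `60s` if parsing is aligned with kube-apiserver), e.g. `Entry("Is set to default on CIS-compliant cluster", []string{"--request-timeout=60"}, true)`. The enclosing Describe starts outside the hunk.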