From 8a7af5c45393636ab82ff1932b7d14224e449034 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Fri, 13 Mar 2020 14:14:55 +0100
Subject: Run port scan

Issue-ID: SECCOM-261
Change-Id: I465282a8793191c45d288284a127e80e1fecf513
Signed-off-by: Pawel Wieczorek
---
 test/security/sslendpoints/README | 19 +++++++++++++
 test/security/sslendpoints/go.mod | 1 +
 test/security/sslendpoints/go.sum | 2 ++
 test/security/sslendpoints/main.go | 58 ++++++++++++++++++++++++++++++++++++--
 4 files changed, 78 insertions(+), 2 deletions(-)

(limited to 'test/security')

diff --git a/test/security/sslendpoints/README b/test/security/sslendpoints/README
index ffedb11d1..bf39f0148 100644
--- a/test/security/sslendpoints/README
+++ b/test/security/sslendpoints/README
@@ -86,6 +86,25 @@ Command (Docker)
 Output
 ~~~~~~
+.. code-block:: shell
+    $ ./sslendpoints -kubeconfig ~/.kube/config.onap
+    2020/03/17 10:40:29 Host 192.168.2.10
+    2020/03/17 10:40:29 PORT SERVICE
+    2020/03/17 10:40:29 30203 sdnc-dgbuilder
+    2020/03/17 10:40:29 30204 sdc-be
+    2020/03/17 10:40:29 30207 sdc-fe
+    2020/03/17 10:40:29 30220 aai-sparky-be
+    2020/03/17 10:40:29 30226 message-router
+    2020/03/17 10:40:29 30233 aai
+    2020/03/17 10:40:29 30256 sdc-wfd-fe
+    2020/03/17 10:40:29 30257 sdc-wfd-be
+    2020/03/17 10:40:29 30264 sdc-dcae-fe
+    2020/03/17 10:40:29 30266 sdc-dcae-dt
+    2020/03/17 10:40:29 30279 aai-babel
+    2020/03/17 10:40:29 30406 so-vnfm-adapter
+    2020/03/17 10:40:29 There are 12 non-SSL NodePorts in the cluster
+
 Testing
 -------
diff --git a/test/security/sslendpoints/go.mod b/test/security/sslendpoints/go.mod
index 1d9905efa..6037ee0ae 100644
--- a/test/security/sslendpoints/go.mod
+++ b/test/security/sslendpoints/go.mod
@@ -3,6 +3,7 @@ module onap.local/sslendpoints
 go 1.13
 require (
+	github.com/Ullaakut/nmap v2.0.0+incompatible
 	github.com/imdario/mergo v0.3.8 // indirect
 	github.com/onsi/ginkgo v1.10.1
 	github.com/onsi/gomega v1.7.0
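Review bot: The `github.com/Ullaakut/nmap v2.0.0+incompatible` requirement added to go.mod is, to my knowledge, a wrapper that executes an external `nmap` binary and parses its XML output rather than a pure-Go scanner, so the tool now has a host/container prerequisite that neither this hunk nor the README hunk on this line records. If that is right, the README's Command (Docker) section should state that `nmap` must be installed (and the image must ship it), otherwise `nmap.NewScanner` fails at runtime on a clean host. The `+incompatible` suffix also means the upstream tag carries no go.mod of its own, so this line is the only place its version is pinned; the matching go.sum entries in the next hunk are what actually guards the download, and they should be kept in lockstep with this version.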
diff --git a/test/security/sslendpoints/go.sum b/test/security/sslendpoints/go.sum
index d0577b3e1..2ed062aa4 100644
--- a/test/security/sslendpoints/go.sum
+++ b/test/security/sslendpoints/go.sum
@@ -3,6 +3,8 @@ github.com/Azure/go-autorest v11.1.2+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSW
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/Ullaakut/nmap v2.0.0+incompatible h1:tNXub052dsnG8+yrgpph9nhVixIBdpRRgzvmQoc8eBA=
+github.com/Ullaakut/nmap v2.0.0+incompatible/go.mod h1:fkC066hwfcoKwlI7DS2ARTggSVtBTZYCjVH1TzuTMaQ=
 github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
diff --git a/test/security/sslendpoints/main.go b/test/security/sslendpoints/main.go
index 68d11b361..e5a76eb78 100644
--- a/test/security/sslendpoints/main.go
+++ b/test/security/sslendpoints/main.go
@@ -5,14 +5,21 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"strconv"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
+	"github.com/Ullaakut/nmap"
+
 	"onap.local/sslendpoints/ports"
 )
+const (
+	ipv4AddrType = "ipv4"
+)
+
 func main() {
 	var kubeconfig *string
 	if home := os.Getenv("HOME"); home != "" {
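Review bot: The new `"github.com/Ullaakut/nmap"` import is placed in a group of its own between the `k8s.io/...` lines and the local `onap.local/sslendpoints/ports` import, giving the file four import groups where the conventional layout is standard library, third-party, local; it belongs in the third-party group, sorted ahead of `metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`, which is also the order `goimports` would keep once the blank line is removed. The `ipv4AddrType` constant is exported-style documented nowhere and is only explained by its use against `address.AddrType` further down the file; a one-line comment such as `// ipv4AddrType is the nmap address type reported for an IPv4 host address.` would make the block self-explanatory. A single constant does not need a parenthesized block, so `const ipv4AddrType = "ipv4"` reads more directly unless more address types are expected to follow.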
@@ -59,6 +66,53 @@ func main() {
 		log.Println("There are no NodePorts in the cluster")
 		os.Exit(0)
 	}
-	log.Printf("There are %d NodePorts in the cluster\n", len(nodeports))
-	os.Exit(len(nodeports))
+
+	// TODO: filter out expected failures here before running the scan
+
+	// extract ports for running the scan
+	var ports []string
+	for port := range nodeports {
+		ports = append(ports, strconv.Itoa(int(port)))
+	}
+
+	// run nmap on the first address found for given cluster [1] filtering out SSL-tunelled ports
+	// [1] https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+	// "Each node proxies that port (the same port number on every Node) into your Service."
+	scanner, err := nmap.NewScanner(
+		nmap.WithTargets(addresses[0]),
+		nmap.WithPorts(ports...),
+		nmap.WithServiceInfo(),
+		nmap.WithTimingTemplate(nmap.TimingAggressive),
+		nmap.WithFilterPort(func(p nmap.Port) bool {
+			return p.Service.Tunnel == "ssl"
+		}),
+	)
+	if err != nil {
+		log.Panicf("Unable to create nmap scanner: %v", err)
+	}
+
+	result, _, err := scanner.Run()
+	if err != nil {
+		log.Panicf("Scan failed: %v", err)
+	}
+
+	// scan was run on a single host
+	if len(result.Hosts) < 1 {
+		log.Panicln("No host information in scan results")
+	}
+
+	// host address in the results might be ipv4 or mac
+	for _, address := range result.Hosts[0].Addresses {
+		if address.AddrType == ipv4AddrType {
+			log.Printf("Host %s\n", address)
+		}
+	}
+	log.Printf("PORT\tSERVICE")
+	for _, port := range result.Hosts[0].Ports {
+		log.Printf("%d\t%s\n", port.ID, nodeports[port.ID])
+	}
+
+	// report non-SSL services and their number
+	log.Printf("There are %d non-SSL NodePorts in the cluster\n", len(result.Hosts[0].Ports))
+	os.Exit(len(result.Hosts[0].Ports))
 }
-- 
cgit 1.2.3-korg
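Review bot: The predicate passed to `nmap.WithFilterPort` inspects only `p.Service.Tunnel`, and the direction of its result depends on the library's contract, which this hunk does not show: as I recall, the upstream README example uses `p.State.State == "open"` to keep open ports, i.e. the predicate selects ports to keep, in which case `return p.Service.Tunnel == "ssl"` keeps exactly the SSL-tunnelled ports and the "non-SSL NodePorts" count and exit status report the opposite of what the comment above the call claims — please confirm against the vendored version before trusting these numbers. Either way the predicate ignores port state, so a NodePort that nmap reports as closed or filtered (service probing never ran, `Tunnel` stays empty) is indistinguishable from a plaintext one; if it is a keep-predicate the line should read `return p.State.State == "open" && p.Service.Tunnel != "ssl"`. `var ports []string` shadows the `onap.local/sslendpoints/ports` package imported by this file, so any later call into that package inside main would not compile and `go vet`/gocritic flag it — rename it, e.g. `portList`. The `log.Panicf`/`log.Panicln` calls exit with status 2 after printing a stack trace, which collides with `os.Exit(len(result.Hosts[0].Ports))` returning 2 for exactly two findings; `log.Fatalf` with a code outside the findings range would keep the exit-status contract unambiguous. main() and the `addresses`/`nodeports` variables begin outside this hunk.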