Add xfail list for test on pod limits

Note: a waiver shall be created (and merged) in SECCOM
repo before we can merge this patch

Issue-ID: INT-1722

Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: I1d064275e9b90574e8b90c733d0dcc9b6f2bed74
Signed-off-by: mrichomme <morgan.richomme@orange.com>

3 files changed, 59 insertions, 22 deletions

diff --git a/security/docker/Dockerfile b/security/docker/Dockerfile
index 484e83a..413290d 100644
--- a/security/docker/Dockerfile
+++ b/security/docker/Dockerfile
@@ -53,6 +53,7 @@ RUN set -x && \
     wget -O /jdwp_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/jdwp_ports/jdwp_xfail.txt?h=$ONAP_TAG &&\
     wget -O /nonssl_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/nonssl_endpoints/nonssl_xfail.txt?h=$ONAP_TAG &&\
     wget -O /root_pods_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/root_pods/root_pods_xfail.txt?h=$ONAP_TAG &&\
+    wget -O /unlimitted_pods_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/unlimitted_pods/unlimitted_pods_xfail.txt?h=$ONAP_TAG &&\
     wget -O /check_versions/k8s_bin_versions_inspector.py https://git.onap.org/integration/plain/test/security/check_versions/src/k8s_bin_versions_inspector.py?h=$ONAP_TAG &&\
     wget -O /check_versions/requirements.txt https://git.onap.org/integration/plain/test/security/check_versions/env/requirements.txt?h=$ONAP_TAG &&\
     wget -O /check_versions/recommended_versions.yaml https://git.onap.org/integration/seccom/plain/recommended_versions.yaml?h=$ONAP_TAG &&\
diff --git a/security/onap_security/security_tests.py b/security/onap_security/security_tests.py
index cd26d7d..d0b25ac 100644
--- a/security/onap_security/security_tests.py
+++ b/security/onap_security/security_tests.py
@@ -95,8 +95,6 @@ class SecurityTesting(testcase.TestCase):
 class OnapSecurityDockerRootTest(SecurityTesting):
     """Test that the dockers launched as root."""
     def __init__(self, **kwargs):
-        if "case_name" not in kwargs:
-            kwargs.get("case_name", 'root_pods')
         super(OnapSecurityDockerRootTest, self).__init__(**kwargs)
         self.cmd = ['/check_security_root.sh', 'onap', '-l', '/root_pods_xfail.txt']
         self.error_string = "Pods launched with root users"
@@ -105,18 +103,14 @@ class OnapSecurityDockerRootTest(SecurityTesting):
 class OnapSecurityUnlimittedPodTest(SecurityTesting):
     """Check that no pod is launch without limits."""
     def __init__(self, **kwargs):
-        if "case_name" not in kwargs:
-            kwargs.get("case_name", 'unlimitted_pods')
         super(OnapSecurityUnlimittedPodTest, self).__init__(**kwargs)
-        self.cmd = ['/check_unlimitted_pods.sh']
+        self.cmd = ['/check_unlimitted_pods.sh', 'onap', '-l', '/unlimitted_pods_xfail.txt']
         self.error_string = "Pods lauched without limits"
 
 
 class OnapSecurityCisKubernetes(SecurityTesting):
     """Check that kubernetes install is CIS compliant"""
     def __init__(self, **kwargs):
-        if "case_name" not in kwargs:
-            kwargs.get("case_name", 'cis_kubernetes')
         super(OnapSecurityCisKubernetes, self).__init__(**kwargs)
         self.cmd = ['/check_cis_kubernetes.sh']
         self.error_string = "Kubernetes Deployment is not CIS compatible"
@@ -126,8 +120,6 @@ class OnapSecurityHttpPorts(SecurityTesting):
     """Check all ports exposed outside of kubernetes cluster looking for plain
        http endpoint."""
     def __init__(self, **kwargs):
-        if "case_name" not in kwargs:
-            kwargs.get("case_name", 'http_public_endpoints')
         super(OnapSecurityHttpPorts, self).__init__(**kwargs)
         self.cmd = ['/check_for_nonssl_endpoints.sh', 'onap', '-l', '/nonssl_xfail.txt']
         self.error_string = "Public http endpoints still found"
@@ -137,8 +129,6 @@ class OnapSecurityNonSSLPorts(SecurityTesting):
     """Check that all ports exposed outside of kubernetes cluster use SSL
        tunnels."""
     def __init__(self, **kwargs):
-        if "case_name" not in kwargs:
-            kwargs.get("case_name", 'nonssl_endpoints')
         super(OnapSecurityNonSSLPorts, self).__init__(**kwargs)
         self.cmd = ['/usr/local/bin/sslendpoints', '-xfail', '/nonssl_xfail.txt']
         self.error_string = "Public non-SSL endpoints still found"
@@ -147,8 +137,6 @@ class OnapSecurityNonSSLPorts(SecurityTesting):
 class OnapSecurityJdwpPorts(SecurityTesting):
     """Check that no jdwp ports are exposed."""
     def __init__(self, **kwargs):
-        if "case_name" not in kwargs:
-            kwargs.get("case_name", 'jdpw_ports')
         super(OnapSecurityJdwpPorts, self).__init__(**kwargs)
         self.cmd = ['/check_for_jdwp.sh', 'onap', '-l', '/jdwp_xfail.txt']
         self.error_string = "JDWP ports found"
@@ -157,8 +145,6 @@ class OnapSecurityJdwpPorts(SecurityTesting):
 class OnapSecurityKubeHunter(SecurityTesting):
     """Check k8s vulnerabilities."""
     def __init__(self, **kwargs):
-        if "case_name" not in kwargs:
-            kwargs.get("case_name", 'kube_hunter')
         super(OnapSecurityKubeHunter, self).__init__(**kwargs)
         config.load_kube_config(config_file='/root/.kube/config')
         client_kubernetes = client.CoreV1Api()
@@ -176,8 +162,6 @@ class OnapSecurityKubeHunter(SecurityTesting):
 class OnapSecurityVersions(SecurityTesting):
     """Check that Java and Python are available only in versions recommended by SECCOM."""
     def __init__(self, **kwargs):
-        if "case_name" not in kwargs:
-            kwargs.get("case_name", 'versions')
         super(OnapSecurityVersions, self).__init__(**kwargs)
         self.cmd = ['/check_versions.sh', 'onap', '-r', '/check_versions/recommended_versions.yaml']
         self.error_string = "Not recommended versions found"
diff --git a/security/scripts/check_unlimitted_pods.sh b/security/scripts/check_unlimitted_pods.sh
index fdef6f3..1fc5e69 100644
--- a/security/scripts/check_unlimitted_pods.sh
+++ b/security/scripts/check_unlimitted_pods.sh
@@ -1,4 +1,40 @@
 #!/bin/bash
+usage() {
+  cat <<EOF
+Usage: $(basename $0) <k8s-namespace> [-l <white list file>]
+    -l: unlimitted pod xfail file
+EOF
+  exit ${1:-0}
+}
+
+if [ "$#" -lt 1 ]; then
+    usage
+    exit 1
+fi
+
+K8S_NAMESPACE=$1
+FILTERED_PODS_LIST=$(mktemp unlimitted_pods_XXXXXX)
+WL_RAW_FILE_PATH=$(mktemp raw_filtered_unlimitted_XXXXXX)
+
+manage_list() {
+  # init filtered port list file
+  if [ ! -f $WL_FILE_PATH ];then
+   echo "File not found"
+   usage
+  fi
+  grep -o '^[^#]*' $WL_FILE_PATH > $WL_RAW_FILE_PATH
+}
+
+### getopts
+while :
+do
+  case $2 in
+      -h|--help|help) usage;;
+       -l) WL_FILE_PATH=$3;manage_list;shift;;
+        -*) usage 1 ;;
+         *) break ;;
+    esac
+done
 
 echo "------------------------------------------------------------------------"
 echo "--------------------  ONAP Security tests   ----------------------------"
@@ -8,19 +44,35 @@ echo "------------------------------------------------------------------------"
 code=0
 
 # get the pod list
-for pod in `kubectl get pod -n onap|grep -v "NAME"|grep "Running\|Completed" |grep -v functest |grep -v integration | awk '{print $1}'`;do
+for pod in `kubectl get pod -n $K8S_NAMESPACE |grep -v "NAME"|grep "Running\|Completed" |grep -v functest |grep -v integration | awk '{print $1}'`;do
   kubectl describe pod $pod -n onap|grep "Limits";
   if [ $? == 1 ] ; then
     echo $pod ;
   fi;
-done | grep -v Limits  > NoLimitContainer.txt
+done | grep -v Limits  > $FILTERED_PODS_LIST
+
+while IFS= read -r line; do
+  # for each line we test if it is in the white list with a regular expression
+  while IFS= read -r wl_line; do
+   wl_name=$(echo $wl_line | awk {'print $1'})
+   if grep -e $K8S_NAMESPACE-$wl_name <<< "$line" > /dev/null ;then
+       # Found in white list, exclude it
+       sed -i "/$line/d" $FILTERED_PODS_LIST
+   fi
+   # tmp ugly workaround to exlude dep (temporary dcae dockers)
+   if grep -e dep-$wl_name <<< "$line" > /dev/null ;then
+       sed -i "/$line/d" $FILTERED_PODS_LIST
+   fi
+  done < $WL_RAW_FILE_PATH
+done < $FILTERED_PODS_LIST
+
 
-if [ -s NoLimitContainer.txt ]
+if [ -s $FILTERED_PODS_LIST ]
 then
    code=1
-   nb_errors=`cat NoLimitContainer.txt | wc -l`
+   nb_errors=`cat $FILTERED_PODS_LIST | wc -l`
    echo "Test FAIL: $nb_errors pod(s) launched without limit"
-   cat NoLimitContainer.txt
+   cat $FILTERED_PODS_LIST
 else
   echo "Test PASS: No pod launched without limit"
 fi