From ea01108626400b58c8571f55eece1129a060b7d3 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Fri, 22 Nov 2019 19:33:56 +0100
Subject: Add security checks This patch adds initial security validation check. It includes JSON file containing dictionary of acknowledged NodePorts with corresponding services [1]. Data required to perform added security check cannot be easily obtained from within "robot" pod (without granting it access to "kubectl" tool and as a side effect - cluster modifications). That is why it should be collected beforehand by the test operator and stored as a JSON file. Added suite expects having "${ACTUAL_NODEPORTS_FILE}" variable defined. It will attempt parsing data stored in the file pointed by the said variable and compare it against expected NodePorts. [1] https://docs.onap.org/en/elalto/guides/onap-developer/settingup/index.html#nodeports
Issue-ID: SECCOM-261
Change-Id: Ib8078c50e943125f8452120368891c3e3a7056bc
Signed-off-by: Pawel Wieczorek
---
robot/assets/security/ExpectedNodePorts.json | 101 +++++++++++++++++++++++++++
robot/testsuites/security.robot | 14 ++++
2 files changed, 115 insertions(+)
create mode 100644 robot/assets/security/ExpectedNodePorts.json
create mode 100644 robot/testsuites/security.robot
diff --git a/robot/assets/security/ExpectedNodePorts.json b/robot/assets/security/ExpectedNodePorts.json
new file mode 100644
index 00000000..cb72af1a
--- /dev/null
+++ b/robot/assets/security/ExpectedNodePorts.json
@@ -0,0 +1,101 @@
+{
+ "30200": "vid",
+ "30201": "sdnc-portal",
+ "30202": "sdnc-8282",
+ "30203": "dgbuilder",
+ "30204": "sdc-be",
+ "30205": "sdc-be",
+ "30206": "sdc-fe",
+ "30207": "sdc-fe",
+ "30208": "sdnc-8202",
+ "30209": "httpd",
+ "30210": "aai-modelloader",
+ "30211": "appc-9090",
+ "30212": "portal-sdk",
+ "30213": "portal-app",
+ "30214": "portal-app3",
+ "30215": "portal-app",
+ "30218": "pap-9091",
+ "30219": "pap-8443",
+ "30220": "aai-sparky-be",
+ "30222": "xport-t-6061",
+ "30224": "so-monitor-port",
+ "30225": "portal-app4",
+ "30226": "message-router-3905",
+ "30227": "message-router-3904",
+ "30228": "dgbuilder",
+ "30229": "aai-modelloader-ssl",
+ "30230": "appc-8282",
+ "30231": "appc-1830",
+ "30233": "aai-ssl",
+ "30234": "pomba-kibana",
+ "30235": "xport-t-8080",
+ "30238": "vid-http",
+ "30239": "spike",
+ "30241": "dmaap-bc",
+ "30242": "dmaap-bc2",
+ "30246": "sdnc-8280",
+ "30248": "oof-has-api",
+ "30249": "pomba-data-router",
+ "30253": "log-kibana",
+ "30254": "log-es",
+ "30255": "log-ls",
+ "30256": "sdc-wfd-fe",
+ "30257": "sdc-wfd-be",
+ "30258": "clamp",
+ "30259": "dmaap-dr-prov",
+ "30260": "cli8080",
+ "30263": "dcae-fe",
+ "30264": "dcae-fe2",
+ "30265": "dcae-dt",
+ "30266": "dcae-dt2",
+ "30267": "sdnc-8443",
+ "30268": "aai-crud-service",
+ "30269": "dmaap-dr-prov2",
+ "30270": "consul-ui",
+ "30271": "cli9090",
+ "30274": "api-8080",
+ "30275": "oof-has-api",
+ "30277": "so-apih-port",
+ "30278": "aai-champ",
+ "30279": "babel",
+ "30280": "http-msb-iag",
+ "30281": "http-msb-discovery",
+ "30282": "http-msb-eag",
+ "30283": "https-msb-iag",
+ "30284": "https-msb-eag",
+ "30285": "http-msb-consul",
+ "30286": "client",
+ "30287": "gossip",
+ "30289": "appc-cdt",
+ "30290": "cdash-kibana",
+ "30297": "refrepo",
+ "30299": "https",
+ "30398": "uui",
+ "30399": "uui-server",
+ "30406": "so-vnfm-port",
+ "30415": "config-binding-service",
+ "30417": "xport-t-8443",
+ "30418": "xport-t-8080",
+ "30419": "xport-t-8443",
+ "30420": "api-8080",
+ "30431": "sdc-wfd-fe2",
+ "30470": "xport-u-6162",
+ "30476": "tomcat",
+ "30490": "message-router-kafka-0",
+ "30491": "message-router-kafka-1",
+ "30492": "message-router-kafka-1",
+ "30493": "dmaap-dr-node",
+ "30494": "dmaap-dr-node",
+ "30497": "cds-ui-3000",
+ "30499": "blueprints-processor-http",
+ "31110": "aaf-service",
+ "31111": "aaf-locate",
+ "31112": "aaf-oauth",
+ "31113": "aaf-hello",
+ "31114": "aaf-cm",
+ "31115": "aaf-hello",
+ "31116": "aaf-hello",
+ "31907": "dmaap-dr-prov2",
+ "32010": "xport-t-11011"
+}
diff --git a/robot/testsuites/security.robot b/robot/testsuites/security.robot
new file mode 100644
index 00000000..089e12ed
--- /dev/null
+++ b/robot/testsuites/security.robot
@@ -0,0 +1,14 @@
+*** Settings ***
+| Documentation | Security validation |
+| ... | This suite requires declaring ${ACTUAL_NODEPORTS_FILE} |
+| Default tags | security |
+| Library | ONAPLibrary.JSON |
+
+*** Variables ***
+| ${EXPECTED_NODEPORTS_FILE} | ../assets/security/ExpectedNodePorts.json |
+
+*** Test Cases ***
+Validate present NodePorts
+| | ${expected_nodeports}= | Get file | ${EXPECTED_NODEPORTS_FILE} |
+| | ${actual_nodeports}= | Get file | ${ACTUAL_NODEPORTS_FILE} |
+| | JSON should contain sub JSON | ${expected_node_ports} | ${actual_node_ports} |
-- cgit 1.2.3-korg
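Review bot: The entry `"30492": "message-router-kafka-1"` repeats the service name of `"30491"` directly above it, right after `"30490": "message-router-kafka-0"`, so it looks like a copy of the previous line rather than a third broker; please confirm against the NodePorts page cited in the commit message whether it should read `"30492": "message-router-kafka-2"`. Because the suite compares port-to-name pairs, a wrong name in this allowlist would make a correctly deployed cluster fail the check, or would have to be "fixed" by loosening the comparison later. Strict JSON cannot carry comments, so the reason each port is acknowledged and the release the list was taken from are only recorded in the commit message; a short README next to the file would keep later additions reviewable.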
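Review bot: The final step `JSON should contain sub JSON | ${expected_node_ports} | ${actual_node_ports}` passes vacuously when the operator-supplied file is an empty object, assuming the keyword checks that its second argument is contained in the first, so a failed or stale collection would report a clean result. Consider asserting that the parsed actual map is non-empty before the comparison, and stating in `Documentation` the expected shape of `${ACTUAL_NODEPORTS_FILE}` (a JSON object mapping NodePort to service name) and how it is collected. Separately, `Get file` is normally an OperatingSystem keyword and that library is not imported in `*** Settings ***` unless ONAPLibrary.JSON re-exports it, and the relative `../assets/security/ExpectedNodePorts.json` resolves against the working directory rather than the suite file; `| Library | OperatingSystem |` and `${CURDIR}/../assets/security/ExpectedNodePorts.json` would remove both dependencies. The variables are assigned as `${expected_nodeports}` but read as `${expected_node_ports}`; Robot ignores underscores in variable names so this resolves, but a single spelling would be easier to search for.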