Add a white list for jdwp tests
The port scanned can be the default redis port.
A white list must be included to avoid false positive.
Open question: should this list be passed as an argument?
It is relatively static, so for the moment I created a list to exclude
the false positives through grep -V
Issue-ID: INT-1435
Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: Ibaed4c5c0e5ae179af0ae317e543c1efdc9ddef2
Signed-off-by: mrichomme <morgan.richomme@orange.com>
diff --git a/test/security/check_for_jdwp.sh b/test/security/check_for_jdwp.sh
index e79f712..9343d16 100755
--- a/test/security/check_for_jdwp.sh
+++ b/test/security/check_for_jdwp.sh
@@ -28,68 +28,114 @@
# Return value: Number of discovered JDWP ports
# Output: List of pods and exposing JDWP interface
#
+usage() {
+ cat <<EOF
+Usage: $(basename $0) <k8s-namespace> [-l <white list file>]
+ -l: jdpw white list ports file
+EOF
+ exit ${1:-0}
+}
if [ "$#" -lt 1 ]; then
- echo "Usage: $0 <k8s-namespace>"
+ usage
exit 1
fi
K8S_NAMESPACE=$1
LOCAL_PORT=12543
+FILTERED_PORTS_LIST=$(mktemp jdpw_ports_XXXXXX)
+WL_RAW_FILE_PATH=$(mktemp raw_filtered_ports_XXXXXX)
+
+manage_white_list() {
+ # init filtered port list file
+ if [ ! -f $WL_FILE_PATH ];then
+ echo "File not found"
+ usage
+ fi
+ grep -o '^[^#]*' $WL_FILE_PATH > $WL_RAW_FILE_PATH
+}
+
+### getopts
+while :
+do
+ case $2 in
+ -h|--help|help) usage;;
+ -l) WL_FILE_PATH=$3;manage_white_list;shift;;
+ -*) usage 1 ;;
+ *) break ;;
+ esac
+done
list_pods() {
- kubectl get po --namespace=$K8S_NAMESPACE | grep Running | awk '{print $1}' | grep -v NAME
+ kubectl get po --namespace=$K8S_NAMESPACE | grep Running | awk '{print $1}' | grep -v NAME
}
do_jdwp_handshake() {
- local ip="127.0.0.1"
- local port=$1
- local jdwp_challenge="JDWP-Handshake\n"
- local jdwp_response="JDWP-Handshake"
+ local ip="127.0.0.1"
+ local port=$1
+ local jdwp_challenge="JDWP-Handshake\n"
+ local jdwp_response="JDWP-Handshake"
- # 10s timeout to avoid hangs when service doesn't answer at all
- local response=`nc -w 10 $ip $port <<<$jdwp_challenge | tr '\0' '\n'`
- local n_response_lines=`echo "$response" | wc -l`
- if [[ "$n_response_lines" -le 1 ]] && [[ $response == *"$jdwp_response"* ]]; then
- return 0
- fi
+ # 10s timeout to avoid hangs when service doesn't answer at all
+ local response=`nc -w 10 $ip $port <<<$jdwp_challenge | tr '\0' '\n'`
+ local n_response_lines=`echo "$response" | wc -l`
+ if [[ "$n_response_lines" -le 1 ]] && [[ $response == *"$jdwp_response"* ]]; then
+ return 0
+ fi
- return 1
+ return 1
}
# get open ports from procfs as netstat is not always available
get_open_ports_on_pod() {
- local pod=$1
- local open_ports_hex=`kubectl exec --namespace=$K8S_NAMESPACE $pod cat /proc/net/tcp 2>/dev/null| grep -v "local_address" | awk '{ print $2" "$4 }' | grep '0A$' | tr ":" " " | awk '{ print $2 }' | sort | uniq`
- for hex_port in $open_ports_hex; do
- echo $((16#$hex_port))
- done
+ local pod=$1
+ local open_ports_hex=`kubectl exec --namespace=$K8S_NAMESPACE $pod cat /proc/net/tcp 2>/dev/null| grep -v "local_address" | awk '{ print $2" "$4 }' | grep '0A$' | tr ":" " " | awk '{ print $2 }' | sort | uniq`
+ for hex_port in $open_ports_hex; do
+ echo $((16#$hex_port))
+ done
}
N_PORTS=0
# go through all pods
for pod in `list_pods`; do
- open_ports=`get_open_ports_on_pod $pod`
- # if there is no open ports just go to next pod
- if [ -z "$open_ports" ]; then
- continue
- fi
+ open_ports=`get_open_ports_on_pod $pod`
+ # if there is no open ports just go to next pod
+ if [ -z "$open_ports" ]; then
+ continue
+ fi
- # let's setup a proxy and check every open port
- for port in $open_ports; do
- # run proxy
- kubectl port-forward --namespace=$K8S_NAMESPACE $pod $LOCAL_PORT:$port &>/dev/null &
- sleep 1
- proxy_pid=$!
+ # let's setup a proxy and check every open port
+ for port in $open_ports; do
+ # run proxy
+ kubectl port-forward --namespace=$K8S_NAMESPACE $pod $LOCAL_PORT:$port &>/dev/null &
+ sleep 1
+ proxy_pid=$!
- do_jdwp_handshake $LOCAL_PORT
- if [ $? -eq 0 ]; then
- echo $pod $port
- ((++N_PORTS))
- fi
- kill $proxy_pid 2>/dev/null
- wait $proxy_pid 2>/dev/null
- done
+ do_jdwp_handshake $LOCAL_PORT
+ if [ $? -eq 0 ]; then
+ echo $pod $port | tee $FILTERED_PORTS_LIST
+ ((++N_PORTS))
+ fi
+ kill $proxy_pid 2>/dev/null
+ wait $proxy_pid 2>/dev/null
+ done
done
-exit $N_PORTS
+while IFS= read -r line; do
+ # for each line we test if it is in the white list with a regular expression
+ while IFS= read -r wl_line; do
+ wl_name=$(echo $wl_line | awk {'print $1'})
+ wl_port=$(echo $wl_line | awk {'print $2'})
+ if grep -e $wl_name.*$wl_port <<< "$line";then
+ # Found in white list, exclude it
+ sed -i "/$line/d" $FILTERED_PORTS_LIST
+ fi
+ done < $WL_RAW_FILE_PATH
+done < $FILTERED_PORTS_LIST
+
+N_FILTERED_PORTS_LIST=$(cat $FILTERED_PORTS_LIST |wc -l)
+echo "------------------------------------"
+echo "Nb error pod(s): $N_FILTERED_PORTS_LIST"
+cat $FILTERED_PORTS_LIST
+
+exit $N_FILTERED_PORTS_LIST
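Review bot: `tee $FILTERED_PORTS_LIST` on the handshake-success branch truncates the file on every hit, so only the last discovered JDWP port survives into the whitelist pass, the summary count and the exit status; it needs `tee -a "$FILTERED_PORTS_LIST"`. The whitelist loop below then deletes lines with `sed -i` from the same file it is reading, and `grep -e $wl_name.*$wl_port` is unquoted, unanchored and not quiet, so a whitelist entry `onap-msb-iag 6379` would also clear a finding such as `onap-msb-iag-xyz 16379` and echo the match into the report; the rewrite below filters into a separate file with an anchored, quiet match and only then replaces the findings list. Two smaller points: the missing-namespace branch calls `usage` (which exits 0) before its own `exit 1` is reached, so it should be `usage 1`, and the two `mktemp` files are created in the working directory with no `trap ... EXIT` to remove them.

```shell
# … unchanged: pod scan loop (change 'tee' to 'tee -a' so every finding is kept) …
KEPT_PORTS_LIST=$(mktemp jdpw_kept_XXXXXX)
while IFS= read -r line; do
  whitelisted=0
  # whitelist lines are "<pod-name-prefix> <port>"; pod names carry a
  # generated suffix, so match the name as a prefix and anchor the port
  while read -r wl_name wl_port _; do
    [ -n "$wl_name" ] || continue
    if grep -q -E "^${wl_name}[^ ]* ${wl_port}$" <<< "$line"; then
      whitelisted=1
      break
    fi
  done < "$WL_RAW_FILE_PATH"
  [ "$whitelisted" -eq 1 ] || printf '%s\n' "$line" >> "$KEPT_PORTS_LIST"
done < "$FILTERED_PORTS_LIST"
mv -- "$KEPT_PORTS_LIST" "$FILTERED_PORTS_LIST"
# … unchanged: summary output and exit …
```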
diff --git a/test/security/jdwp_whitelist.txt b/test/security/jdwp_whitelist.txt
new file mode 100644
index 0000000..34d5f63
--- /dev/null
+++ b/test/security/jdwp_whitelist.txt
@@ -0,0 +1,7 @@
+# White list for JDWP ports
+# JDWP = Java Debug Wire Protocol
+# The following list displays pods and their associated pod that could be
+# considered as False positive
+onap-dcae-redis 6379 # Redis port
+onap-msb-eag 6379 # Redis port
+onap-msb-iag 6379 # Redis port