#!/usr/bin/env bash

# COPYRIGHT NOTICE STARTS HERE
#
# Copyright 2019 Samsung Electronics Co., Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# COPYRIGHT NOTICE ENDS HERE

# Check all ports exposed by pods to the internal network and look for
# open JDWP ports
#
# Dependencies:
#   kubectl + config
#   netcat
#
# Return value: Number of discovered JDWP ports
# Output: List of pods exposing a JDWP interface
#
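#######################################
# Print the command-line help and terminate the script.
# Arguments: $1 - exit status to terminate with (default: 0)
# Outputs:   usage text on stdout
# Returns:   never returns; always exits
#######################################
usage() {
  # $0 is quoted so a script path containing spaces is not word-split.
  cat <<EOF
Usage: $(basename -- "$0") <k8s-namespace> [-l <white list file>]
 -l: jdpw white list ports file
EOF
  exit "${1:-0}"
}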
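# The namespace argument is mandatory: print the help and fail without it.
if [ "$#" -lt 1 ]; then
  # usage() exits with the status it is given (0 by default), so the failure
  # status must be passed in; an `exit 1` after the call is never reached and
  # a missing argument would otherwise be reported as success.
  usage 1
fi

K8S_NAMESPACE=$1
# Local end of the temporary `kubectl port-forward` tunnel used for probing.
LOCAL_PORT=12543
# Scratch files, created in the current working directory and not removed
# by this script:
#   FILTERED_PORTS_LIST - "<pod> <port>" findings
#   WL_RAW_FILE_PATH    - white list with comments stripped
FILTERED_PORTS_LIST=$(mktemp jdpw_ports_XXXXXX) || {
  echo "Cannot create temporary file" >&2
  exit 1
}
WL_RAW_FILE_PATH=$(mktemp raw_filtered_ports_XXXXXX) || {
  echo "Cannot create temporary file" >&2
  exit 1
}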
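#######################################
# Validate the white list file and write its non-comment part to the
# scratch copy that the filtering step reads.
# Globals:   WL_FILE_PATH (read), WL_RAW_FILE_PATH (read; file overwritten)
# Outputs:   "File not found" on stderr plus the usage text when the
#            white list is not a regular file
# Returns:   grep's status on success; exits 1 through usage on error
#######################################
manage_white_list() {
  # Quoted on purpose: with an empty or unset path the unquoted test
  # collapses to `[ ! -f ]`, which is false, and the grep below would then
  # read standard input instead of failing.
  if [ ! -f "$WL_FILE_PATH" ]; then
    echo "File not found" >&2
    # A missing waiver file is an error, so do not exit with status 0.
    usage 1
  fi
  # Keep only what precedes the first '#' on each line; lines that start
  # with '#' produce no output at all.
  grep -o -e '^[^#]*' -- "$WL_FILE_PATH" > "$WL_RAW_FILE_PATH"
}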
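### Option parsing
# $1 is the namespace, so options are read from $2 onwards.
while :; do
  case "${2:-}" in
    -h|--help|help)
      usage
      ;;
    -l)
      # -l requires a file argument; reject a bare "-l" instead of handing
      # an empty path to manage_white_list.
      if [ -z "${3:-}" ]; then
        usage 1
      fi
      WL_FILE_PATH=$3
      manage_white_list
      # Drop two positional parameters so that $2 is the next option; a
      # single shift leaves the file name in $2 and ends parsing early.
      shift 2
      ;;
    -*)
      # Unknown option.
      usage 1
      ;;
    *)
      break
      ;;
  esac
done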
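#######################################
# List the names of the pods reported as Running in the namespace.
# Globals:   K8S_NAMESPACE (read)
# Outputs:   one pod name per line on stdout
#######################################
list_pods() {
  # The namespace is quoted so an empty or unusual value cannot split into
  # extra kubectl arguments. The STATUS column (third field of the default
  # `kubectl get po` table) is compared exactly, which also drops the
  # header row.
  kubectl get po --namespace="$K8S_NAMESPACE" \
    | awk '$3 == "Running" { print $1 }'
}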
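#######################################
# Probe a local TCP port for a JDWP endpoint.
# Sends the handshake string to 127.0.0.1:<port> with netcat and inspects
# the reply.
# Arguments: $1 - local TCP port to probe
# Returns:   0 when the reply is at most one line long and contains
#            "JDWP-Handshake", 1 otherwise
#######################################
do_jdwp_handshake() {
  local port=$1
  local ip="127.0.0.1"
  # Inside double quotes "\n" stays a literal backslash followed by 'n';
  # the here-string adds the actual newline. Sent unchanged.
  local jdwp_challenge="JDWP-Handshake\n"
  local jdwp_response="JDWP-Handshake"
  local response n_response_lines

  # 10s timeout to avoid hangs when the service doesn't answer at all.
  # NUL bytes are turned into newlines so the reply can be kept in a
  # shell variable.
  response=$(nc -w 10 "$ip" "$port" <<<"$jdwp_challenge" | tr '\0' '\n')
  n_response_lines=$(printf '%s\n' "$response" | wc -l)

  # Presumably the line limit rejects multi-line replies from other
  # protocols that merely echo the challenge - TODO confirm.
  if [[ "$n_response_lines" -le 1 ]] \
    && [[ "$response" == *"$jdwp_response"* ]]; then
    return 0
  fi

  return 1
}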
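#######################################
# Print the listening TCP ports of a pod, in decimal.
# The ports are read from procfs because netstat is not always available
# in the container.
# Globals:   K8S_NAMESPACE (read)
# Arguments: $1 - pod name
# Outputs:   one decimal port number per line on stdout
#######################################
get_open_ports_on_pod() {
  local pod=$1
  local -r hex_re='^[0-9A-Fa-f]{1,4}$'
  local open_ports_hex hex_port

  # State 0A is LISTEN; the header rows never match it. The port is the
  # part after the last ':' of the local address column. /proc/net/tcp6 is
  # read as well so listeners bound to IPv6 sockets are not missed; if the
  # file does not exist only the IPv4 table is reported.
  open_ports_hex=$(
    kubectl exec --namespace="$K8S_NAMESPACE" "$pod" -- \
      cat /proc/net/tcp /proc/net/tcp6 2>/dev/null \
      | awk '$4 == "0A" { n = split($2, part, ":"); print part[n] }' \
      | sort -u
  )

  for hex_port in $open_ports_hex; do
    # This text is produced by a command running inside the pod, so it is
    # untrusted. Only plain hexadecimal tokens may reach $(( )): arithmetic
    # expansion evaluates its operand as an expression, not as a number.
    if [[ "$hex_port" =~ $hex_re ]]; then
      echo $((16#$hex_port))
    fi
  done
}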
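echo "------------------------------------------------------------------------"
# Display the waivers, but only when a white list file was supplied.
# The test reads WL_FILE_PATH, the variable set by -l and printed below;
# XL_FILE_PATH is not assigned anywhere in this script. Unquoted and unset,
# the old test collapsed to `[ -s ]`, which is always true, so the banner
# was printed on every run and `cat` with no operand read standard input.
if [ -n "${WL_FILE_PATH:-}" ] && [ -s "$WL_FILE_PATH" ]; then
  echo "-------------------- *** WARNING XFail List *** ------------------------"
  cat -- "$WL_FILE_PATH"
  echo "------------------------------------------------------------------------"
fi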
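# Number of JDWP endpoints found before waivers are applied.
N_PORTS=0

# Go through all running pods.
for pod in $(list_pods); do
  open_ports=$(get_open_ports_on_pod "$pod")
  # If there are no open ports just go to the next pod.
  if [ -z "$open_ports" ]; then
    continue
  fi

  # Set up a proxy and check every open port.
  for port in $open_ports; do
    # Run the proxy in the background and record its PID straight away.
    # NOTE(review): LOCAL_PORT is fixed; if another local process already
    # listens on it, port-forward fails silently (its output is discarded)
    # and the probe talks to that process instead - confirm this is
    # acceptable where the check runs.
    kubectl port-forward --namespace="$K8S_NAMESPACE" "$pod" \
      "$LOCAL_PORT:$port" &>/dev/null &
    proxy_pid=$!
    # Give the tunnel time to come up; a slower start makes the probe
    # miss the port.
    sleep 1

    if do_jdwp_handshake "$LOCAL_PORT"; then
      # Append: plain `tee` truncates the file on every finding, so only
      # the last one would be kept and the final count could never exceed 1.
      echo "$pod $port" | tee -a "$FILTERED_PORTS_LIST"
      ((++N_PORTS))
    fi
    kill "$proxy_pid" 2>/dev/null
    wait "$proxy_pid" 2>/dev/null
  done
done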
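# Remove the findings that are covered by a white list entry.
# The surviving lines are collected first and written back once the file
# has been read completely, instead of editing it in place while it is
# still the loop's input.
kept=""
while IFS= read -r line; do
  waived=0
  # Each white list entry is "<pod name regex> <port>".
  while IFS= read -r wl_line; do
    read -r wl_name wl_port _ <<< "$wl_line"
    # Skip blank entries: an empty name and port would build the pattern
    # ".*", which matches every finding and hides them all.
    if [ -z "$wl_name" ]; then
      continue
    fi
    if [ -n "$wl_port" ]; then
      # Findings are "<pod> <port>" lines. The port is anchored so that a
      # waiver for one port does not also cover ports that merely contain
      # the same digits.
      wl_pattern="${wl_name}.* ${wl_port}\$"
    else
      wl_pattern="${wl_name}.*"
    fi
    # grep prints the finding it matches, which shows what was waived.
    if grep -e "$wl_pattern" <<< "$line"; then
      # Found in white list, exclude it.
      waived=1
      break
    fi
  done < "$WL_RAW_FILE_PATH"
  if [ "$waived" -eq 0 ]; then
    kept+="$line"$'\n'
  fi
done < "$FILTERED_PORTS_LIST"
printf '%s' "$kept" > "$FILTERED_PORTS_LIST"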
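# Count the findings left after waivers; the arithmetic expansion strips
# the padding some wc implementations add.
N_FILTERED_PORTS_LIST=$(( $(wc -l < "$FILTERED_PORTS_LIST") ))
echo "------------------------------------"
echo "Nb error pod(s): $N_FILTERED_PORTS_LIST"
cat -- "$FILTERED_PORTS_LIST"

# The exit status carries the number of findings. Statuses wrap modulo 256,
# so 256 findings would be reported as 0 (success); cap the value instead.
if [ "$N_FILTERED_PORTS_LIST" -gt 255 ]; then
  exit 255
fi
exit "$N_FILTERED_PORTS_LIST"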