Add expected failures list for HTTP endpoints tests

This patch is heavily based on previous work by
Morgan Richomme <morgan.richomme@orange.com>
(Change-Id: Ibaed4c5c0e5ae179af0ae317e543c1efdc9ddef2)

It is intended to suppress failure reports on known plain HTTP
endpoints. Introduced list of "expected failures" (or "xfail" for short)
will be shrunk after resolving tickets related to INT-1480 and this
patch will be eventually reverted.

Issue-ID: INT-1480
Change-Id: I4edbf3efaf66bfa2dbe2f265983eb0a27048ed4e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

diff --git a/test/security/check_for_http_endpoints.sh b/test/security/check_for_http_endpoints.sh
index f86f777..5e2fd85 100755 (executable)
--- a/test/security/check_for_http_endpoints.sh
+++ b/test/security/check_for_http_endpoints.sh
@@ -29,8 +29,16 @@
 # Output: List of pods exposing http endpoints
 #
 
+usage() {
+       cat <<EOF
+Usage: $(basename $0) <k8s-namespace> [-l <list of HTTP endpoints expected to fail this test>]
+    -l: list of HTTP endpoints expected to fail this test
+EOF
+       exit ${1:-0}
+}
+
 #Prerequisities commands list
-REQ_APPS=(kubectl nmap awk column sort paste grep wc)
+REQ_APPS=(kubectl nmap awk column sort paste grep wc mktemp sed cat)
 
 # Check for prerequisites apps
 for cmd in "${REQ_APPS[@]}"; do
@@ -41,11 +49,31 @@ for cmd in "${REQ_APPS[@]}"; do
 done
 
 if [ "$#" -lt 1 ]; then
-    echo "Usage: $0 <k8s-namespace>"
-    exit 1
+       usage 1
 fi
 
 K8S_NAMESPACE=$1
+FILTERED_PORTS_LIST=$(mktemp http_endpoints_XXXXXX)
+XF_RAW_FILE_PATH=$(mktemp raw_filtered_http_endpoints_XXXXXX)
+
+strip_white_list() {
+       if [ ! -f $XF_FILE_PATH ]; then
+               echo "File not found"
+               usage 1
+       fi
+       grep -o '^[^#]*' $XF_FILE_PATH > $XF_RAW_FILE_PATH
+}
+
+### getopts
+while :
+do
+       case $2 in
+               -h|--help|help) usage ;;
+               -l) XF_FILE_PATH=$3; strip_white_list; shift ;;
+               -*) usage 1 ;;
+               *) break ;;
+       esac
+done
 
 # Get both values on single call as this may get slow
 PORTS_SVCS=`kubectl get svc --namespace=$K8S_NAMESPACE -o go-template='{{range $item := .items}}{{range $port := $item.spec.ports}}{{if .nodePort}}{{.nodePort}}{{"\t"}}{{$item.metadata.name}}{{"\n"}}{{end}}{{end}}{{end}}' | column -t | sort -n`
@@ -67,13 +95,24 @@ SCAN_RESULT=`nmap $K8S_NODE -sV -p $PORT_LIST 2>/dev/null | grep \tcp`
 RESULTS=`paste <(printf %s "$SVCS") <(printf %s "$SCAN_RESULT") | column -t`
 
 # Find all plain http ports
-HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http`
+HTTP_PORTS=`grep http <<< "$RESULTS" | grep -v ssl/http | tee "$FILTERED_PORTS_LIST"`
+
+# Filter out whitelisted endpoints
+while IFS= read -r line; do
+       # for each line we test if it is in the white list with a regular expression
+       while IFS= read -r wl_line; do
+               wl_name=$(echo $wl_line | awk {'print $1'})
+               wl_port=$(echo $wl_line | awk {'print $2'})
+               if grep -e $wl_name.*$wl_port <<< "$line"; then
+                       # Found in white list, exclude it
+                       sed -i "/$line/d" $FILTERED_PORTS_LIST
+               fi
+       done < $XF_RAW_FILE_PATH
+done < $FILTERED_PORTS_LIST
 
 # Count them
-N_HTTP=`wc -l <<<"$HTTP_PORTS"`
-
-if [ "$N_HTTP" -gt 0 ]; then
-       echo "$HTTP_PORTS"
-fi
-
-exit $N_HTTP
+N_FILTERED_PORTS_LIST=$(cat $FILTERED_PORTS_LIST | wc -l)
+echo "------------------------------------"
+echo "Nb error pod(s): $N_FILTERED_PORTS_LIST"
+cat $FILTERED_PORTS_LIST
+exit $N_FILTERED_PORTS_LIST

diff --git a/test/security/http_xfail.txt b/test/security/http_xfail.txt
new file mode 100644 (file)
index 0000000..a531fc3
--- /dev/null
+++ b/test/security/http_xfail.txt
@@ -0,0 +1,5 @@
+# Expected failure list for plain HTTP endpoints
+robot 30209
+message-router 30227
+sniro-emulator 30288
+aaf-fs 31115