From: Pawel Wieczorek <p.wieczorek2@samsung.com>
Date: Mon, 3 Jun 2019 15:03:42 +0000 (+0200)
Subject: k8s: Validate API server address and port flags
X-Git-Tag: 6.0.0-ONAP~460
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F55%2F89155%2F7;p=integration.git

k8s: Validate API server address and port flags

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.6 and 1.1.7).

Issue-ID: SECCOM-235
Change-Id: I5f215a6642b177e85d7e1c70860ba0c7e558ec4e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
---

diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index fd4c2aff9..81e96e66f 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -25,4 +25,7 @@ func main() {
 	log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams))
 	log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams))
 	log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams))
+
+	log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", master.IsInsecureBindAddressAbsentOrLoopback(k8sParams))
+	log.Printf("IsSecurePortAbsentOrValid: %t\n", master.IsSecurePortAbsentOrValid(k8sParams))
 }
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index bf275c1ca..ac84d8f1c 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -6,7 +6,9 @@ import (
 )
 
 const (
-	disabledPort = 0
+	portDisabled = 0
+	portLowest   = 1
+	portHighest  = 65536
 )
 
 // IsBasicAuthFileAbsent validates there is no basic authentication file specified.
@@ -45,7 +47,7 @@ func IsKubeletHTTPSConnected(params []string) bool {
 
 // IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
 func IsInsecurePortUnbound(params []string) bool {
-	return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(disabledPort), params)
+	return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
 }
 
 // IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
@@ -93,3 +95,33 @@ func splitKV(s, sep string) (string, string) {
 	ret := strings.SplitN(s, sep, 2)
 	return ret[0], ret[1]
 }
+
+// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
+func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
+	return isFlagAbsent("--insecure-bind-address=", params) ||
+		hasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params)
+}
+
+// IsSecurePortAbsentOrValid validates there is no secure port set explicitly or it has legal value.
+func IsSecurePortAbsentOrValid(params []string) bool {
+	return isFlagAbsent("--secure-port=", params) ||
+		hasFlagValidPort("--secure-port=", params)
+}
+
+// hasFlagValidPort checks whether selected flag has valid port as an argument in given command.
+func hasFlagValidPort(flag string, params []string) bool {
+	found := filterFlags(params, flag)
+	if len(found) != 1 {
+		return false
+	}
+
+	_, value := splitKV(found[0], "=")
+	port, err := strconv.Atoi(value) // what about empty parameter?
+	if err != nil {
+		return false
+	}
+	if port < portLowest || port > portHighest {
+		return false
+	}
+	return true
+}